e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7

General

Target

e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe
Size

141KB
MD5

4afd266114ab51e9fa789bd361e30de0
SHA1

70e478e45704138b583ddad898a1ae019871d8f5
SHA256

e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7
SHA512

0fc0a6c7ee2a461f19ae8a9730d6297195c11790fc88a2aedc46c31220adc510be9d9301b454afb10bfdef0a055026a3d0003d68043aced9fc64f7f83b514bdc
SSDEEP

3072:Bz+92mhTMMJ/cPiq5bVin8/eqLjqxgnwp:Bz+92mhAMJ/cPl3i8/lKunwp

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

WScript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.vbe	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.vbe	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\22 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\22.vbe\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\22 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\22.vbe\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\22 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\22.vbe\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\22 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\22.vbe\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe

Drops file in System32 directory 3 IoCs

Processes:

e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\22.vbe	e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_7120213	e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe
File created	C:\Windows\SysWOW64\22.vbe	e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exeWScript.exe

description	pid	process	target process
PID 1476 wrote to memory of 936	1476	e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe	WScript.exe
PID 1476 wrote to memory of 936	1476	e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe	WScript.exe
PID 1476 wrote to memory of 936	1476	e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe	WScript.exe
PID 1476 wrote to memory of 936	1476	e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe	WScript.exe
PID 1476 wrote to memory of 936	1476	e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe	WScript.exe
PID 1476 wrote to memory of 936	1476	e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe	WScript.exe
PID 1476 wrote to memory of 936	1476	e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe	WScript.exe
PID 936 wrote to memory of 1860	936	WScript.exe	wscript.exe
PID 936 wrote to memory of 1860	936	WScript.exe	wscript.exe
PID 936 wrote to memory of 1860	936	WScript.exe	wscript.exe
PID 936 wrote to memory of 1860	936	WScript.exe	wscript.exe
PID 936 wrote to memory of 1860	936	WScript.exe	wscript.exe
PID 936 wrote to memory of 1860	936	WScript.exe	wscript.exe
PID 936 wrote to memory of 1860	936	WScript.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe
"C:\Users\Admin\AppData\Local\Temp\e035120e306bff36a148c0358cbdf2f340389807441c9943e6d8e3607e2e7de7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\22.vbe"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\22.vbe"
3⤵
- Drops startup file
- Adds Run key to start application
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22.vbe

Filesize
549KB

MD5
177b2ab407f01088401fd90a01800e3f

SHA1
db3476b6096850be246e4e972707958e1ba2e38a

SHA256
7dfb85a962143aca2f849931d65875e63ca24b12472d790e35c5f919e64395ae

SHA512
ad75d3a4a0d0723ada08c219f157f5c7db3a745346f028bc213fa2997fabd7916e4c4e51847ee6ba2aa1459053e0ec1855950cc4fb2b0193283cadb8f33160f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22.vbe

Filesize
549KB

MD5
6a72e2b1184ea4c9e1b6da94391440cb

SHA1
7ee6af8f8c42f8e297a2daa4a2bba1373d44d532

SHA256
52fafa33c694c929ada1c3ed730bcf92e7ae50c1247bfed4800a75d608c5e0ab

SHA512
fba4ec5da0a54890c06f7fe30f891095b227aabdd108e65d9f2a7422e4b2e305e876625baa00d4d006512aa47076b32d98e0d82ee3c55862df776808959dbb0d

Download Submit
C:\Windows\SysWOW64\22.vbe

Filesize
549KB

MD5
177b2ab407f01088401fd90a01800e3f

SHA1
db3476b6096850be246e4e972707958e1ba2e38a

SHA256
7dfb85a962143aca2f849931d65875e63ca24b12472d790e35c5f919e64395ae

SHA512
ad75d3a4a0d0723ada08c219f157f5c7db3a745346f028bc213fa2997fabd7916e4c4e51847ee6ba2aa1459053e0ec1855950cc4fb2b0193283cadb8f33160f2

Download Submit
memory/936-55-0x0000000000000000-mapping.dmp

Download
memory/1476-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1860-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads