Analysis
max time kernel: 150s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 12:44
Static task
static1
Behavioral task
behavioral1
Sample
fcfe225907bea80d5f79c4c14fc308d1f0ea3cfdc5787a6612b1659bd183d15f.vbs
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
fcfe225907bea80d5f79c4c14fc308d1f0ea3cfdc5787a6612b1659bd183d15f.vbs
Resource
win10v2004-20220812-en
General
Target: fcfe225907bea80d5f79c4c14fc308d1f0ea3cfdc5787a6612b1659bd183d15f.vbs
Size: 13KB
MD5: 5e85e7b008985337fe6e8466ce17aa20
SHA1: bf958051f89193ec06fe1af85a93642d66404e6b
SHA256: fcfe225907bea80d5f79c4c14fc308d1f0ea3cfdc5787a6612b1659bd183d15f
SHA512: ee4c3117e47d8f290fb8c563d8ee623457386f7730ee132e63bd95e6af80d67c2944c4d0f1125dacab5d10ffcee8a4bc75ce6e33d707f6b4aff3bfc1e84303f9
SSDEEP: 384:+zzVqiGagRYwZSFFOECXCghDSHXWmZg1r+9f7qN:+zxqagRYwZSGECXCgMmsgV/N
Malware Config
Signatures
Drops startup file 2 IoCs
Processes: WScript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcfe225907bea80d5f79c4c14fc308d1f0ea3cfdc5787a6612b1659bd183d15f.vbs | WScript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcfe225907bea80d5f79c4c14fc308d1f0ea3cfdc5787a6612b1659bd183d15f.vbs | WScript.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: WScript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcfe225907bea80d5f79c4c14fc308d1f0ea3cfdc5787a6612b1659bd183d15f = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fcfe225907bea80d5f79c4c14fc308d1f0ea3cfdc5787a6612b1659bd183d15f.vbs\"" | WScript.exe
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcfe225907bea80d5f79c4c14fc308d1f0ea3cfdc5787a6612b1659bd183d15f = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fcfe225907bea80d5f79c4c14fc308d1f0ea3cfdc5787a6612b1659bd183d15f.vbs\"" | WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.