Analysis
-
max time kernel
41s -
max time network
46s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64 arch:x86 image:win10-20220812-en locale:en-us os:windows10-1703-x64 system -
submitted
07-01-2023 08:59
Behavioral task
behavioral1
Sample
Resource.bin
Resource
win10-20220812-en
Behavioral task
behavioral2
Sample
Run.vbs
Resource
win10-20220812-en
Behavioral task
behavioral3
Sample
WindowsService.exe
Resource
win10-20220901-en
Behavioral task
behavioral4
Sample
import.reg
Resource
win10-20220812-en
Behavioral task
behavioral5
Sample
md5.txt
Resource
win10-20220812-en
Behavioral task
behavioral6
Sample
updatebackend.log
Resource
win10-20220812-en
General
-
Target
Run.vbs
-
Size
1015B
-
MD5
2945c117350c3403f73f6e6a32a30a77
-
SHA1
cbd5c7d85d7d2204000e79ba8b144e40ffcaf6b7
-
SHA256
5fd291193f2735fb5f3dcece48f542f897d56532b153b174455db19d183ea6a4
-
SHA512
3faec7d84284b3ec7b9e832b239bf51cb6a4300aa3d5763bd0dff0f929a3fa1964ecfd70e8c72955443bf24e62875d1ca241d8a7868e5e0e399fc7d81538e621
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: WScript.exe
description | pid | process | target process
PID 3516 wrote to memory of 3860 | 3516 | WScript.exe | wscript.exe
PID 3516 wrote to memory of 3860 | 3516 | WScript.exe | wscript.exe
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Run.vbs"
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Run.vbs" uac
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/3860-116-0x0000000000000000-mapping.dmp