Analysis
max time kernel: 134s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-it
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-it, locale:it-it, os:windows10-2004-x64, system:windows
submitted: 23-03-2023 09:20
Static task: static1
General
Target: file_0.wsf
Size: 53KB
MD5: ae25f2104967b2708ac9dba80aac52fd
SHA1: 7ac0150b43cbb5eeba9a0f956e1291df6790f3bf
SHA256: 11b3d1564b12934489281250c9a683f076fe10254bfdd7da72307e538838ec56
SHA512: d4a7f95631e7eb88fdadbe66d31bf9c7459d0f80ca2c9174952aad42bff6262241b25916e6a089f778990be981a2cf220baa69ad261314247c286397553decca
SSDEEP: 768:n9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:9TVdaeNtuXndH
Malware Config
Extracted: emotet (Epoch4)
164.68.99.3:8080
164.90.222.65:443
186.194.240.217:443
1.234.2.232:8080
103.75.201.2:443
187.63.160.88:80
147.139.166.154:8080
91.207.28.33:8080
5.135.159.50:443
153.92.5.27:8080
213.239.212.5:443
103.43.75.120:443
159.65.88.10:8080
167.172.253.162:8080
153.126.146.25:7080
119.59.103.152:8080
107.170.39.149:8080
183.111.227.137:8080
159.89.202.34:443
110.232.117.186:8080
129.232.188.93:443
172.105.226.75:8080
197.242.150.244:8080
188.44.20.25:443
66.228.32.31:7080
91.121.146.47:8080
202.129.205.3:8080
45.176.232.124:443
160.16.142.56:8080
94.23.45.86:4143
95.217.221.146:8080
72.15.201.15:8080
167.172.199.165:8080
115.68.227.76:8080
139.59.126.41:443
185.4.135.165:8080
79.137.35.198:8080
206.189.28.199:8080
163.44.196.120:8080
201.94.166.162:443
104.168.155.143:8080
173.212.193.249:8080
45.235.8.30:8080
169.57.156.166:8080
149.56.131.28:8080
182.162.143.56:443
103.132.242.26:8080
82.223.21.224:8080
Signatures
-
Blocklisted process makes network request (4 IoCs)
Processes:
  flow 12  pid 5096  WScript.exe
  flow 34  pid 5096  WScript.exe
  flow 42  pid 5096  WScript.exe
  flow 46  pid 5096  WScript.exe
-
Downloads MZ/PE file
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
  process: WScript.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid 1776  regsvr32.exe
  pid 4592  regsvr32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent (3 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  flow 12  HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  flow 34  HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  flow 46  HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid 1776  regsvr32.exe
  pid 1776  regsvr32.exe
  pid 4592  regsvr32.exe
  pid 4592  regsvr32.exe
  pid 4592  regsvr32.exe
  pid 4592  regsvr32.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 5096 wrote to memory of 1776   WScript.exe -> regsvr32.exe
  PID 5096 wrote to memory of 1776   WScript.exe -> regsvr32.exe
  PID 1776 wrote to memory of 4592   regsvr32.exe -> regsvr32.exe
  PID 1776 wrote to memory of 4592   regsvr32.exe -> regsvr32.exe
Processes
-
C:\Windows\System32\WScript.exe  (level 1, PID 5096)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file_0.wsf"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\regsvr32.exe  (level 2, PID 1776)
    Command line: "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\rad03D9E.tmp.dll"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\regsvr32.exe  (level 3, PID 4592)
      Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QesLGz\wlYBVCf.dll"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 309KB
MD5: bfc060937dc90b273eccb6825145f298
SHA1: c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256: 2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253
SHA512: cc1fee19314b0a0f9e292fa84f6e98f087033d77db937848dda1da0c88f49997866cba5465df04bf929b810b42fdb81481341064c4565c9b6272fa7f3b473ac5