Overview

overview

10

Static

static

1

emotet_v6

windows10-1703-x64

8

emotet_doc

windows10-1703-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    64s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-03-2023 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de53c5ea5dee3fcc8b6a9f8a6926aa84d1434408e968205f0e8ef94250c8f3a8.vbs

  • Size

    93KB

  • MD5

    4452f951ec5390c7cd0397d659717b4d

  • SHA1

    1ddf3284b015fb3e7dba3157ba6c81511a9c9402

  • SHA256

    de53c5ea5dee3fcc8b6a9f8a6926aa84d1434408e968205f0e8ef94250c8f3a8

  • SHA512

    9f72c23a9975d1745b97a8b454695ffd6272410acb9d71ec7e1c5d479cfce6deb09aecd2f3cc49ed1c5307d0f5be788498e9c01876cbfc2b2255c38ff4b549bd

  • SSDEEP

    1536:fh7OdS2cokRMkxS8qDAHfhhBqrHBsNZqHqbuh7jGMkVh7Ufqjx3RFtDGXo6BICuQ:fh7OdS2cokRMkxS8qDAHJhorHBsNZqHB

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 7 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de53c5ea5dee3fcc8b6a9f8a6926aa84d1434408e968205f0e8ef94250c8f3a8.vbs"
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //E:vbscript C:\Users\Admin\AppData\Local\Temp\radCA54FDA02darrad09F3E6174dar.txt
      • Blocklisted process makes network request
      PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

00:00 00:00

Downloads

  • C:\Users\Admin\AppData\Local\Temp\radCA54FDA02darrad09F3E6174dar.txt
    Filesize

    63KB

    MD5

    384b4dde80c6f5394f440b6951da895b

    SHA1

    585664d227f8aac1a367e8630f15cedafd1de131

    SHA256

    bdb582b55ecd8f46bd0795e7acc9c6c2fe8f2f871f617be0804becb8ed789c50

    SHA512

    6f7f3d76e54f1cc900a914be8ea82050fda02a054f3df6c8b4bb19a3519aa8ac6098c4790d893854615b47c60e2e9b183e076a3a909c6b1cc5c1d35012d526e5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\radF627B.tmp.zip
    Filesize

    10B

    MD5

    7605968e79d0ca095ab1231486d2b814

    SHA1

    a007b420d19ceefa840f0373e050e3b51a4ab480

    SHA256

    493fda53120050f85836032324409be6c6484f90a0755ae0c6a673ba7626818b

    SHA512

    769249da7ed6c6bf5671bbc2371a6453b433226ceb8c4c2aa3604000d66647bcec83dee1ab64c0262fa40f923d77e23bad2c47274d339effc51d904ce77072a6

    Download Submit