efb698c07f2e043c03aa5661a6cbeb2d6b2889d295d857ccd0679f5cdd3ca678

Resubmissions

04/05/2023, 11:29

230504-nlv8sadg6z 7

04/05/2023, 09:42

230504-lps7gsbd42 7

Analysis

max time kernel
33s
max time network
135s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04/05/2023, 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

253c19f1078fd5ec04602276f8f1ca1aab6bd4349b75e4052cdbf78cb1bd9767.vbs
Size

927B
MD5

984572d249eddd2e08c4575ab0b26eb7
SHA1

f031a105ca244c8a4ec91aefedbecedd79651361
SHA256

253c19f1078fd5ec04602276f8f1ca1aab6bd4349b75e4052cdbf78cb1bd9767
SHA512

8e2976de35f5eb0695848d6ec044a192e0902ff976eab08221b6e11d156669237fc717396c0c1224803c1a5146a002ce98931cb43816173b1c425163fb0731ba

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_debug.log	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
784	PING.EXE

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 784	924	WScript.exe	27
PID 924 wrote to memory of 784	924	WScript.exe	27
PID 924 wrote to memory of 784	924	WScript.exe	27
PID 924 wrote to memory of 572	924	WScript.exe	29
PID 924 wrote to memory of 572	924	WScript.exe	29
PID 924 wrote to memory of 572	924	WScript.exe	29
PID 572 wrote to memory of 980	572	chrome.exe	30
PID 572 wrote to memory of 980	572	chrome.exe	30
PID 572 wrote to memory of 980	572	chrome.exe	30
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1316	572	chrome.exe	31
PID 572 wrote to memory of 1400	572	chrome.exe	32
PID 572 wrote to memory of 1400	572	chrome.exe	32
PID 572 wrote to memory of 1400	572	chrome.exe	32
PID 572 wrote to memory of 748	572	chrome.exe	33
PID 572 wrote to memory of 748	572	chrome.exe	33
PID 572 wrote to memory of 748	572	chrome.exe	33
PID 572 wrote to memory of 748	572	chrome.exe	33
PID 572 wrote to memory of 748	572	chrome.exe	33
PID 572 wrote to memory of 748	572	chrome.exe	33
PID 572 wrote to memory of 748	572	chrome.exe	33
PID 572 wrote to memory of 748	572	chrome.exe	33
PID 572 wrote to memory of 748	572	chrome.exe	33
PID 572 wrote to memory of 748	572	chrome.exe	33
PID 572 wrote to memory of 748	572	chrome.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\253c19f1078fd5ec04602276f8f1ca1aab6bd4349b75e4052cdbf78cb1bd9767.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\System32\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 300 www.google.com.822357336680094.windows-display-service.com
  2⤵
  - Runs ping.exe
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-gpu --remote-debugging-port=9222 http://www.google.com.822357336680094.windows-display-service.com
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fc9758,0x7fef6fc9768,0x7fef6fc9778
    3⤵
    PID:980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=832 --field-trial-handle=1008,i,15689614104436888929,1656352768768389384,131072 --disable-features=PaintHolding /prefetch:2
    3⤵
    PID:1316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1232 --field-trial-handle=1008,i,15689614104436888929,1656352768768389384,131072 --disable-features=PaintHolding /prefetch:8
    3⤵
    PID:1400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=9222 --allow-pre-commit-input --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1496 --field-trial-handle=1008,i,15689614104436888929,1656352768768389384,131072 --disable-features=PaintHolding /prefetch:1
    3⤵
    PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4cea8d4371f5988d0853b4823f3dc4e

SHA1
618a76ca274b1be3a2bc85d0eceda3ac884e4efd

SHA256
f2e209e4fdc02b70ef49668848faf899d3b86bf2635ae22aef0d66bce1d71bca

SHA512
4d50875c6f1f21879d766a88b65057dbfa76b9710a53e1c6ad89deb3a713bfe7003289156b9040c3db3575cf34fbe97bf6c3539a6f3d85cf2d125e5205aeaed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11f185da5bbe8b4a479e23ad054b4982

SHA1
f8bccf8f5d81f958267bf49c5b938481f7724e86

SHA256
e901b700f6e4994bbf96b1bada50497137f6c55f7f0b13448c942304e4732e56

SHA512
ce6963c7073a8ec417a1f540eb7fde756ea41b0784c569ae30bfb155c24e930a99671832213e6811072654f42310f9909b32efcf1dd7c54e4ba2a9fc161b7773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4894ecde42adac7d5d3a782f4113f88b

SHA1
1fe355c02686f5836a72a60323b6e6b730d3ac23

SHA256
f16f4a48910c63dca68887f61d52bdced0c2ff4f6aa1d05f630eba3a8a1b387e

SHA512
b8610b8a3c9bdc71ab4b378e0a6d49c36faf302f98bcee93b76122b594f476377f027ec61c810402e9de7d60d697b0157f8b45cdf3718b926cdc0094bfab62fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51e3c6a80dbdb50415c2ffaf04a5b22a

SHA1
383f01cb29ab1d98a8f63ee9c8cdc7c28841a470

SHA256
fd743ad754a2f66bc6ed09a93384f4599a24cab6a6f187b0780de7ea504b85a6

SHA512
3a703a97320b8d07e25cad0515944449342f2588b30cdfa5351bda80ec2ee2e3fab29e9620ae00d4b43f0e10e41db19a1145901ac22aa301364fca8b8bbcbdca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e572592d670bbf1961eed6c43357c206

SHA1
c9004c6dade149e4755c86b7173a38c4c215ad99

SHA256
6ba11e9b33ae7e1af20f0f4e177d5f959e5ca39158195fa637b8ef8d3b1a34b0

SHA512
2b2e339d58c35d3dbfdecbf0f20bff9cd1392760a947d8a45507794d378982e4fd81b792b6557b16024a8778141403a82e09a0c7d14c34fdfa919f48da9830ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9094.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit