efb698c07f2e043c03aa5661a6cbeb2d6b2889d295d857ccd0679f5cdd3ca678

Resubmissions

04/05/2023, 11:29

230504-nlv8sadg6z 7

04/05/2023, 09:42

230504-lps7gsbd42 7

Analysis

max time kernel
24s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04/05/2023, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

253c19f1078fd5ec04602276f8f1ca1aab6bd4349b75e4052cdbf78cb1bd9767.vbs
Size

927B
MD5

984572d249eddd2e08c4575ab0b26eb7
SHA1

f031a105ca244c8a4ec91aefedbecedd79651361
SHA256

253c19f1078fd5ec04602276f8f1ca1aab6bd4349b75e4052cdbf78cb1bd9767
SHA512

8e2976de35f5eb0695848d6ec044a192e0902ff976eab08221b6e11d156669237fc717396c0c1224803c1a5146a002ce98931cb43816173b1c425163fb0731ba

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_debug.log	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1240	PING.EXE

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1240	1588	WScript.exe	26
PID 1588 wrote to memory of 1240	1588	WScript.exe	26
PID 1588 wrote to memory of 1240	1588	WScript.exe	26
PID 1588 wrote to memory of 532	1588	WScript.exe	28
PID 1588 wrote to memory of 532	1588	WScript.exe	28
PID 1588 wrote to memory of 532	1588	WScript.exe	28
PID 532 wrote to memory of 1696	532	chrome.exe	29
PID 532 wrote to memory of 1696	532	chrome.exe	29
PID 532 wrote to memory of 1696	532	chrome.exe	29
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1800	532	chrome.exe	30
PID 532 wrote to memory of 1640	532	chrome.exe	31
PID 532 wrote to memory of 1640	532	chrome.exe	31
PID 532 wrote to memory of 1640	532	chrome.exe	31
PID 532 wrote to memory of 1292	532	chrome.exe	32
PID 532 wrote to memory of 1292	532	chrome.exe	32
PID 532 wrote to memory of 1292	532	chrome.exe	32
PID 532 wrote to memory of 1292	532	chrome.exe	32
PID 532 wrote to memory of 1292	532	chrome.exe	32
PID 532 wrote to memory of 1292	532	chrome.exe	32
PID 532 wrote to memory of 1292	532	chrome.exe	32
PID 532 wrote to memory of 1292	532	chrome.exe	32
PID 532 wrote to memory of 1292	532	chrome.exe	32
PID 532 wrote to memory of 1292	532	chrome.exe	32
PID 532 wrote to memory of 1292	532	chrome.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\253c19f1078fd5ec04602276f8f1ca1aab6bd4349b75e4052cdbf78cb1bd9767.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\System32\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 300 www.google.com.822357336680094.windows-display-service.com
  2⤵
  - Runs ping.exe
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-gpu --remote-debugging-port=9222 http://www.google.com.822357336680094.windows-display-service.com
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69a9758,0x7fef69a9768,0x7fef69a9778
    3⤵
    PID:1696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=916 --field-trial-handle=952,i,2908174505909689651,13049988788428791077,131072 --disable-features=PaintHolding /prefetch:2
    3⤵
    PID:1800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1224 --field-trial-handle=952,i,2908174505909689651,13049988788428791077,131072 --disable-features=PaintHolding /prefetch:8
    3⤵
    PID:1640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=9222 --allow-pre-commit-input --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1524 --field-trial-handle=952,i,2908174505909689651,13049988788428791077,131072 --disable-features=PaintHolding /prefetch:1
    3⤵
    PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4558a418d05927452eef8886beb517ce

SHA1
3370e4506b3d70efd1c022adc47dd160d8aef9b0

SHA256
6a07e28ede04e3716f603c4528feef2a6b990c7967957bcf7344d461f00d1b5e

SHA512
883a26f2570382b210d931c6c9bd48098ce3a490f7cbfdbd24b61907ac26f3ced080ce51de4818ac64240635788d7191ae481676b187994fa5171e1634473402

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfe42cdc33a1a3af1b48f87f974450eb

SHA1
92d93cb449845bd4d6ca61e738e3289b4a315146

SHA256
ab73676ad8876c8fd3890be5587ed1ca96b1b3ec58ef3fead6026e936f5eb94b

SHA512
aed38f91082b9f57f60c21fa8918f738607b92ad60b9a18ea8ad27212197818419293a86c67a7620959f01553288546ecb1e6ac69abdb48fe0cae6ef426d8fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c047016c72a24b1d86d9166f3ef2e34

SHA1
ab426dd14874843add0b0887bd20161df8daa383

SHA256
9d8ca6ba345f7beffb4ca472ba8b13af68d9f97285673a71607a920db20ccd9e

SHA512
2202960d428421bb306411550a9ab5929a0f3b8b1537b17f73cbba0cd51c562ada7a635123e1f5c5fbe3b8b856b2e088c897e8de1d1e25960ef1a3d2bc01e986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22e0723d104f2f1d32aff0dec6a03d40

SHA1
7c8fc3cd1312c3da8da5edba2d58268c97cd1e13

SHA256
9c3792f1ad970f8fb65126b0d95836fbcf3eb4fa3c9170ba8d2eadaf18d25570

SHA512
81289c1930b82e9e32ff5f394f8e485d154b682229972f36ae370b35e9681fcac517005c832802d4586849c7fe41637b13fb67d7189bf3e7c3529e52cbf8637c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7fdd3936fe5c37dcd1006036ca29c34

SHA1
8203d355a309bdedb0cbf76b99966b79776d766d

SHA256
ddcac46f4c646d416991181f4b8d3d5ffa2a410bab106618430a26e6d4adb2fb

SHA512
a3c972a37490340ef71372133387b146a7383b1722f233eb262baa65cbb10bdc84961254a5adb60ce619b402f5bcd84ea9e9a296b732b6f6c357ab184bc07234

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE7E.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit