86eee51af9498987431daf99abce4788d07980de30d20a594dd7d464210b35db

Resubmissions

25/02/2025, 18:32

250225-w6rp4a1jw6 7

02/08/2023, 16:00

230802-tfr7tsfd97 8

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
02/08/2023, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invert.vbs
Size

2KB
MD5

87dad74ca7c9ce18220fc3414a28e021
SHA1

749b73dd6aa8dfe3bd529a015506c8784f825a3e
SHA256

86eee51af9498987431daf99abce4788d07980de30d20a594dd7d464210b35db
SHA512

5f2e31ac56c12e906f40c1ea56fa6c5791846558ae3be174b40f1f03a00fc3539a997f3b9ebd6c6705476099987264d48dada7aee68bc8c7ea86dae940fdc916

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 8 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Control Panel\Colors\Background = "0 0 0"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Control Panel\Colors\ActiveTitle = "255 255 255"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Control Panel\Colors\InactiveTitle = "255 255 255"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Control Panel\Colors\Menu = "0 0 0"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Control Panel\Colors\Window = "0 0 0"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Control Panel\Colors\WindowText = "255 255 255"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Control Panel\Colors\MenuText = "255 255 255"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Control Panel\Colors	WScript.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2256	2208	WScript.exe	28
PID 2208 wrote to memory of 2256	2208	WScript.exe	28
PID 2208 wrote to memory of 2256	2208	WScript.exe	28

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invert.vbs"
1⤵
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...