Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/08/2023, 16:46

General

  • Target

    Scriptus.exe

  • Size

    174KB

  • MD5

    be501d9b6c56b4c16f9749b64ad9258f

  • SHA1

    9072b0348ae6b81c39ef2b37d42ad3508744366c

  • SHA256

    169d98de38d93a0c8796fd1fa9be035fa32977e2d20bed4284230ac6689d6af3

  • SHA512

    697571100f27a3e50996bb50b46ef879f1ca7649678e5d9290a54f737e1562e77dc161321a414e67c23e4ce38967ec2702e05dc135bbce970f9900a6c2b45583

  • SSDEEP

    3072:1HlM7TYmySIQIvuxi5GWp1icKAArDZz4N9GhbkrNEkQN7A68X4lJozNnw:1z7tp0yN90QEf

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Scriptus.exe
    "C:\Users\Admin\AppData\Local\Temp\Scriptus.exe"
    1⤵
    • Adds Run key to start application
    PID:2776
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Drops desktop.ini file(s)
    • Modifies registry class
    PID:2336
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.0.1366014627\1732782665" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e19a637-dc77-46d7-8505-8ba9a5b691ac} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 1996 21ff7825b58 gpu
        3⤵
        PID:1076
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.1.1557755139\1993897418" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {087caa4c-b1a7-4dc4-b556-6bd086ad7373} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 2388 21fe9d71958 socket
        3⤵
        PID:2676
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.2.846674330\311061984" -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3276 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57f1462f-dd8d-43c6-95d8-375ae4625aa1} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 2968 21ffa4b5858 tab
        3⤵
        PID:3508
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.3.1114213880\1989915005" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 2876 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {304669b6-c1ff-4bb9-8e0e-52e24e1b80af} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 3568 21ff8efee58 tab
        3⤵
        PID:3860
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.4.14019512\677209175" -childID 3 -isForBrowser -prefsHandle 3772 -prefMapHandle 3776 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22392ad1-48e4-4d0e-b73a-113d3108e9a1} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 3908 21fe9d65958 tab
        3⤵
        PID:4516
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.7.1923111493\1923533032" -childID 6 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8637f01-ffd7-4685-9270-f7819f9b9ddf} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 5464 21ffcb28658 tab
        3⤵
        PID:3892
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.6.1882384468\540800047" -childID 5 -isForBrowser -prefsHandle 5284 -prefMapHandle 5124 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c892e403-6be1-48e9-b6f7-d6239b8c3b8d} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 5272 21ffcb28f58 tab
        3⤵
        PID:2656
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.5.1605777568\978607075" -childID 4 -isForBrowser -prefsHandle 5132 -prefMapHandle 5092 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acfc56b5-7d98-40f6-b924-cd1a80079dfc} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 5124 21ffcaa5e58 tab
        3⤵
        PID:3076
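Reading the process tree against the signature list: the only behaviour attributed to Scriptus.exe (PID 2776) is the Run key write. The desktop.ini drop under Videos\Captures and one of the registry class changes come from the svchost.exe -k BcastDVRUserService instance, and the AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage, SetWindowsHookEx and WriteProcessMemory signatures all fire inside the Firefox parent and content processes. Both of those are separate depth-1 trees, not children of the sample, so they should not be read as actions of Scriptus.exe. The report also does not show which Run value name was written or what command it points to. The PowerShell below is an added triage check, not part of the sandbox report: on a suspect host it enumerates the common Run and RunOnce keys, extracts the executable each value launches, and flags entries that reference the report's sample path, run from %LOCALAPPDATA%\Temp, hash to the report's SHA256, or point at a file that no longer exists. The key list, the path-extraction regex and the flag wording are this example's assumptions; only the sample path and SHA256 come from the report.

```powershell
# Added triage check for the "Adds Run key to start application" signature.
# Not from the sandbox report. Assumes it runs on the affected Windows 10 x64
# host as the user the sample executed under (HKCU is that user's hive).
$ReportSha256 = '169d98de38d93a0c8796fd1fa9be035fa32977e2d20bed4284230ac6689d6af3'
$SamplePath   = Join-Path $env:LOCALAPPDATA 'Temp\Scriptus.exe'

# Key list is an assumption: the report does not say which key or value was written.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Properties Get-ItemProperty adds that are not registry values.
$ProviderMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyTarget {
    # Return the executable path launched by a Run value: expand %VAR%,
    # honour a quoted first token, otherwise cut at the first script/binary extension.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.*?\.(exe|dll|bat|cmd|vbs|js|ps1|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $c
}

function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderMeta) { continue }
            $cmd    = [string]$p.Value
            $target = Get-RunKeyTarget $cmd
            $flags  = @()

            if ($target -ieq $SamplePath) { $flags += 'matches report sample path' }
            if ($target -ilike (Join-Path $env:LOCALAPPDATA 'Temp\*')) { $flags += 'runs from %LOCALAPPDATA%\Temp' }

            # Only check disk presence for values that carry a path; bare names
            # such as rundll32.exe are resolved via PATH at logon.
            if ($target -match '[\\/]') {
                if (Test-Path -LiteralPath $target) {
                    $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
                    if ($hash -ieq $ReportSha256) { $flags += 'SHA256 matches report' }
                } else {
                    $flags += 'target missing on disk (orphaned persistence)'
                }
            }

            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmd
                    Target  = $target
                    Flags   = ($flags -join '; ')
                }
            }
        }
    }
}

# Also report whether the sample itself is still present, independent of any Run key.
if (Test-Path -LiteralPath $SamplePath) {
    $onDisk = (Get-FileHash -LiteralPath $SamplePath -Algorithm SHA256).Hash
    "Sample present at $SamplePath; SHA256 matches report: $($onDisk -ieq $ReportSha256)"
}

Get-SuspiciousRunEntries | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys are readable, and run it as the affected user (or load that user's NTUSER.DAT) so HKCU is the right hive; a sample that persists only under the current user leaves nothing in HKLM. An entry whose target hashes to the report's SHA256 is a direct match; an entry that merely runs from %LOCALAPPDATA%\Temp or is orphaned needs manual review, since the sample may have been renamed, recompiled or deleted after the key was written.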

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ob0k9snf.default-release\activity-stream.discovery_stream.json.tmp

    Filesize

    165KB

    MD5

    912770e3387122316f261fb1ae755c78

    SHA1

    f749871eb06deeb9505a08bc33e80ede86547464

    SHA256

    9bad98bfcf0fcd89f321fc9b5f9862f529e115aad557e12db245e90f7e722ef1

    SHA512

    6e631c83ff45a18a8b8f87d0874ea7dec639eb9bcb8f865755584051ef2789350e15d4fec8d1703343b861582aae27ff597e26dd7ff2ee6b6d825df03ea06926

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob0k9snf.default-release\prefs-1.js

    Filesize

    6KB

    MD5

    cd09cc133549bf60768cd689364a8e9e

    SHA1

    358018530413fdc395bf29c97ed509dc7758877a

    SHA256

    acd7f9e68f2a6f41a05571053c989e05f1c139633bd75131fb4fd923962c6501

    SHA512

    3d8054921fbc4d51aa6c54473f5a282f97c623eec392dc9752ab2915d5d6d256d36f24e3c6baaae29ec6830707a7d3a705291ef584bd295aef6a06689cfed108

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob0k9snf.default-release\prefs-1.js

    Filesize

    6KB

    MD5

    e4d1fba93c839cea39b7595a790cc91a

    SHA1

    106b5d39e28bd5ec08bcc6b11eacd4424ff6602f

    SHA256

    343f5980d5304f2fe7abaff5bcdce53354d4d47a7c7342738a70499b2900d526

    SHA512

    80474fc37820fef5f9b22b19c5de8e40a698a59e186405cd6e18fb64a92a9373409406e8d0aca562717a885d41d3f96757c962f12dfb708626f29b67fb091584

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob0k9snf.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize

    1KB

    MD5

    79b390a9c78504e62af7c90600bfc227

    SHA1

    17d5025b6e313cc45764fc2ed2827c08d1750389

    SHA256

    2ee9ce57dcafd44b9981d40e2ba9f3b9785f444b8d79d8217e0fb72acd18607d

    SHA512

    efa2fa5ccf5b2f4ae71f34605441494aacbd444b8482ba97c454d3409cef24b98f13326bc393c9d1f4a935fc15de588ed1af4f62085d56511dd3b17537db1579

  • C:\Users\Admin\Videos\Captures\desktop.ini

    Filesize

    190B

    MD5

    b0d27eaec71f1cd73b015f5ceeb15f9d

    SHA1

    62264f8b5c2f5034a1e4143df6e8c787165fbc2f

    SHA256

    86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

    SHA512

    7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c