81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d

General

Target

81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
Size

1.1MB
MD5

522a2716cf311d615039b17deff1630c
SHA1

cb8ece346bfad9a7c9a3f75c7e4882a20fbf0353
SHA256

81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d
SHA512

e188e52e3a44e46be784e77c6bb344af0afb6f6292de511ca0d30607728d6a06bdfa68cb599f161a5bd097c2760bb3ee39c6146600885240e850dfb499f531b7
SSDEEP

24576:IRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAiCyRS:I5ApamAUAQ/lG4lBmFAiZS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1876	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	83
PID 1436 wrote to memory of 1876	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	83
PID 1436 wrote to memory of 1876	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	83
PID 1436 wrote to memory of 2928	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	84
PID 1436 wrote to memory of 2928	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	84
PID 1436 wrote to memory of 2928	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	84
PID 1436 wrote to memory of 2000	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	82
PID 1436 wrote to memory of 2000	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	82
PID 1436 wrote to memory of 2000	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	82
PID 1436 wrote to memory of 1492	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	81
PID 1436 wrote to memory of 1492	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	81
PID 1436 wrote to memory of 1492	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	81
PID 1436 wrote to memory of 5024	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	85
PID 1436 wrote to memory of 5024	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	85
PID 1436 wrote to memory of 5024	1436	81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe	85

C:\Users\Admin\AppData\Local\Temp\81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe
"C:\Users\Admin\AppData\Local\Temp\81561f8e9a046561703b3bd09e1af1b474d1202208bf0b4ba638d740a9ed8d2d.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1492
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
3af60b9721ab2950705b75fe4c2e2059

SHA1
9766ee43f32bde57ca08301fb1b318acf7b875fb

SHA256
1c295097974803940bae6aedbba7acb041dfd9509c1ce5c105070ba2ad64e7ee

SHA512
f9914754e2da99ce01120d3f46767a65c9e4e693c0d015c87b3ce10369a2fc7067e4cc4ac165c073d0ae0d9c010b620d8317790e139b345f03c71cf7c67751d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0870eec1aff5333e7b80b3116a102a68

SHA1
69e583db00d14c638a37499573719495c1e2ae94

SHA256
72e0a8f9f393529c5fc41e403ea2a4c92a2b26529285e97272fb4eaa0102ede1

SHA512
2ca7861e3879c7d3c7c1ffd6049a0293bc8cc326708b93eaa0c7b0e6c2f6442363014b26f8da006b1f123d0c650b90d704978af1001cb73f04fd6be0468f56f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0870eec1aff5333e7b80b3116a102a68

SHA1
69e583db00d14c638a37499573719495c1e2ae94

SHA256
72e0a8f9f393529c5fc41e403ea2a4c92a2b26529285e97272fb4eaa0102ede1

SHA512
2ca7861e3879c7d3c7c1ffd6049a0293bc8cc326708b93eaa0c7b0e6c2f6442363014b26f8da006b1f123d0c650b90d704978af1001cb73f04fd6be0468f56f5

Download Submit

Analysis

Sharing