4ffa4a112e32582fcb724f4feb263d935c7230b76031ac372a0a5c0a9bf36157

Resubmissions

21/11/2023, 07:01

231121-htfkeadf5s 8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photo.vbs
Size

278KB
MD5

54fc0bbff5ede27bcf1e0c69e0f82285
SHA1

0150600a3a51beb27d20ec2f58edca7693050f12
SHA256

4ffa4a112e32582fcb724f4feb263d935c7230b76031ac372a0a5c0a9bf36157
SHA512

d68c339a3a5ba4fc973611872857de66f21405dcd50d53980e10f9f4724bf19151503f5a5b684fc15c8bbd9c777a8a0e1f20555061be524c1ac0eaff3e8829fd
SSDEEP

1536:l6pXKvd4afHosQrOyfgyVUJtAsHIA1dXBeyTw/B/6bF4pCw37uRfF618F7k7w/+Z:R+RotDqjGsU5GGFsU5zs

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
42	2660	WScript.exe
70	2660	WScript.exe
80	2660	WScript.exe
82	2660	WScript.exe
84	2660	WScript.exe
86	2660	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe PhotoShop = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Startrun.pif\" /E:vbScript.enCode \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Photo.Jpeg\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Adobe PhotoShop = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Startrun.pif\" /E:vbScript.enCode \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Photo.Jpeg\""	WScript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Photo.vbs"
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Checks whether UAC is enabled
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DCIM.lnk

Filesize
722B

MD5
276e0cd7fb3c225ef52a267237d44cf4

SHA1
0b796c0528a1c219d211ce116505801e3465910f

SHA256
dddbe8c6919c81f71e45f8cc6026f853057e3c9a294e3762ee6e895afec66485

SHA512
2799cde2964fab5f21fe6c9acad3d56804a865856b1fb618b8fe49ac32c373f3bfe9726400732ea0cdafbb918476dd93c09f4d53cceb787eaef9464ecd018628

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\Share\MUSIC\Photo.Jpeg

Filesize
278KB

MD5
54fc0bbff5ede27bcf1e0c69e0f82285

SHA1
0150600a3a51beb27d20ec2f58edca7693050f12

SHA256
4ffa4a112e32582fcb724f4feb263d935c7230b76031ac372a0a5c0a9bf36157

SHA512
d68c339a3a5ba4fc973611872857de66f21405dcd50d53980e10f9f4724bf19151503f5a5b684fc15c8bbd9c777a8a0e1f20555061be524c1ac0eaff3e8829fd

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\Share\VIDEO\YouTube.Flv.lnk

Filesize
1KB

MD5
fbb7c86a647396e1ecd6d0ca446e96b5

SHA1
2afa70f82cc6a60d84f82d15a1fcc0793aaee772

SHA256
024c6971cc409a1207ac27a2f5d97506e6f64fb79e4e7e35fc9fb47cae885181

SHA512
afc600434c84a0499a18e64e3f4dc4c01fbf468d3c305d8768cd0428046462002d56e0bfd2285e8e3cc5c14ae97c3157164720dcd5f08cf8290293fbcee47a23

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\runsc.exe

Filesize
166KB

MD5
a47cbe969ea935bdd3ab568bb126bc80

SHA1
15f2facfd05daf46d2c63912916bf2887cebd98a

SHA256
34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

SHA512
f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

Download Submit
F:\DCIM.lnk

Filesize
716B

MD5
acd9fdf7b8f0f09ec5065557dff63fa4

SHA1
167dfd381dc2b68858cc3ec419e692223d7b0019

SHA256
5ec0b21232720a058b77f258e3974608d0e5c712b90cb181b8eb105c28d34385

SHA512
ba7bb53c815789748526f928de0def87c716c134c575ff45965867f24c8df7d327c40b80c17699412e45466694072a4912e25509607bff68e21fc49820ffba7d

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads