Overview

overview

7

Static

static

1

1791446800.vbs

windows7-x64

7

1791446800.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 16:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1791446800.vbs

  • Size

    19KB

  • MD5

    ad448a55619de168d83350b48674eec1

  • SHA1

    5bdc44fa234a7a9d537ec826d3b693f60619b5a4

  • SHA256

    cea3b4531fc22f9190ffd3fd40240d557451727b9284f6bfb68206e7782c80c7

  • SHA512

    2145fb55402fc67bb592e61e5dd68552b2c9203449c9c57670f1eaf36ffcd69ce5899f5db974708427316b61377c1949b87ed6d36d2965c08adb18c1687d098c

  • SSDEEP

    384:4ASQR03s4s/0sFo6uETr5LzNx8Z8aeoapoMcuyipkBb4hS5vnruW2+iFJseyIR6T:lv0stNNxWTeoa1cuzgb4he12j7Ry46iK

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 26 IoCs
  • Loads dropped DLL 26 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 37 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1791446800.vbs"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2736
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2696
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:1976
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:1628
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:460
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2088
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:1708
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2660
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2808
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2788
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2916
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:1676
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2332
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2160
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:1900
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:884
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2164
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:1508
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:1608
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:992
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:1964
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2964
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:1356
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2452
    • C:\Windows\system\svchost.exe
      "C:\Windows\system\svchost.exe" C:\Windows\System32\smss.exe:1946101404.vbs
      2⤵
      • Executes dropped EXE
      PID:2240

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin.lnk
          Filesize

          584B

          MD5

          9cb7a331a364d8aba71ff91bb24aae55

          SHA1

          1829d4891ec28c6cd2b995e14a27842e7b01a1c4

          SHA256

          11e5102c75584e3dea8283c08177a8adc07657a694304a5953a8023739fc9fa1

          SHA512

          a7ae5c77a1ed2ef558ebbb0b3ad4aa02e2edb14dad30840a48277535aa6fa22bc24631094dba25ee9f994eea2ff053e2cb070b712ff933b2647528b88533064b

          Download Submit

        • C:\1946101404.vbs
          Filesize

          19KB

          MD5

          4ceee2ec3f97d4d261550b75401b2c6d

          SHA1

          b844d1393721927a1d57c9c2c8c41435eec0a1d8

          SHA256

          ef4aa052238424015a2ca1178aa3508e38a535506b9359564e7fa35b8d8defba

          SHA512

          5b3105e0423187f579ce5ee3762146e73a54ce8ab826da8fae69c8556bf06608adf818f73f561f6e73d5ad0ceca710aac19211efb7839b18b5e5c473f81aa8f0

          Download Submit

        • C:\Documents and Settings.lnk
          Filesize

          604B

          MD5

          1bbf2e52097400c57b80bf6af1879eca

          SHA1

          9826869d47ca925f367dc091a208d65ef0dbd2d6

          SHA256

          1670bf5ace046e36d020570b1d3b59f524a561b5279951fee79747afa58bf19b

          SHA512

          5971d043f5d97bb1f217640943baf735f2bd49f055975feec35532b8026a5909dab4ebfb1c2f16bb7bcf9359bd7b547a4432133e4631c9591ca46327d27f7c3e

          Download Submit

        • C:\MSOCache.lnk
          Filesize

          576B

          MD5

          bcbe0e498a35afc237a1a34fd8d9311b

          SHA1

          9b50a5a8fe950256540f25a49b958439eb44ba94

          SHA256

          8497283b502f6f68723d89c3ea1ba0cef714a3c7a68aa884457421e5cc533ca8

          SHA512

          aa9be3ccafadd4acf03ce9938aea8817e7e3a63b3373d1f9b5b5752ab596e3551cd0e0950f1d03c78932b723a4580f7e299e2d6dd3e59d84ff0468eea37a32f5

          Download Submit

        • C:\PerfLogs.lnk
          Filesize

          576B

          MD5

          59ab92d48fbc576076712996a2001312

          SHA1

          4105260bc4181664689c1962c48a82c72b1916ad

          SHA256

          3f25ce3efafaf12d1446a5799a792ee04f0e819e64da97ff9f7ff545d5d343a2

          SHA512

          82628512eaeb06f3cbb2949098b3b1d0f3e10a02a080c8969ca4def0a1b1dfcddedc9d0fbfee5b7cc0c385a50766781b8a44bda79d0611a25d2dc7b33e73fcce

          Download Submit

        • C:\Program Files (x86).lnk
          Filesize

          598B

          MD5

          f64febab25ecd9a3ac8959ba3d4e3c14

          SHA1

          8270f79abf7672949f070361a411658382eff313

          SHA256

          a253a00d16b7db152cff8dada915b91cdf696e9e1066d236eb350e10a4b48317

          SHA512

          2fee3414fe15c28ae7a943c282884feefa0237e1118f56a9ae735e3b1ffde8f558c65d7d66d68f12bcaca4fa08d7bfb281ca122902901ed9baf61f3c0538d68b

          Download Submit

        • C:\Program Files.lnk
          Filesize

          586B

          MD5

          9c838842a0ebc15fd6b8dc3fb1ac391b

          SHA1

          e4e6240cbc76f1770e2fe05ed0cbc6db91170330

          SHA256

          8c4b0021b8f16ee929c236f290aeb2b6072cccc4a04a91723fa09898b3b298ed

          SHA512

          987a3c8a747521a484877d9fcba3eee49fbe69b349a60a19049c36c54568bfc1d5260d65bc1330deaccd8de52f223754aa6b7617fe6bdf08136e5373355571ad

          Download Submit

        • C:\ProgramData.lnk
          Filesize

          582B

          MD5

          c4f8bb50db9bd1f3b7be25d00cb86d1b

          SHA1

          c43466b53880ff29174fed006a6e6218231e566d

          SHA256

          3a02f3b8157ec87a7ff3a1e570afe40ffd67d8f5b066d07c3da065be21ed8ea0

          SHA512

          8b9b34e3d0da62ce66023f6323d981a883826cb7e5be63e2b0e64bba626a46d688ae7ec44d910403c5f7dcbde2336a175f11eba6634e9c0f23752755222c69cc

          Download Submit

        • C:\Recovery.lnk
          Filesize

          576B

          MD5

          4d79cf22b49f1b845452a7b1cb8f3508

          SHA1

          36415d3e903c2aa2b4ad4c7f9d28fabf2423092c

          SHA256

          a0da47f741f8f35fbcb88fdd6fa3f22f8eceb8e61e51dc9a5f3c8ab1b74dbd72

          SHA512

          3b447b5d934cd31eb27f0547b2aafc4df434ec569c03f28524bf4cb4b3bb34cac4b40ab2bb07394f56fe3636e3facfafad4f240d6547e1a7fb8e7097466a58eb

          Download Submit

        • C:\System Volume Information.lnk
          Filesize

          610B

          MD5

          740691de69f0b59074a84c216c13aa60

          SHA1

          601f4a814cb3452cdea08eca4bfe3f858c42e4bb

          SHA256

          1799f04047c306233be06f80427d63b0f7de6fbfb5e5c9cfe3ad709231aa0310

          SHA512

          22c36e42f3657ff55300ab0c03539068ebd42cc2d381d498d4622febff4a46edba92bbad135cf336361bc1036e076f3071289be6efba8e877f2a6aa018eb572c

          Download Submit

        • C:\Users.lnk
          Filesize

          570B

          MD5

          ef41975c6de63bda2c88e536920b8d9b

          SHA1

          11dde96caf2835e300edca656a5a368d4dfe0861

          SHA256

          8054631061e10268b4fe3c5543a1b82203191decabf27b5cdd6ffbf108c39b42

          SHA512

          5867460261abb208fd662f7a360d7827b9607c042a9598947a94374c83cdfb73647fcc633c52c2309143c29a8099d54de0c19ac67276d8b3782d8690ec9d4df1

          Download Submit

        • C:\Windows.lnk
          Filesize

          574B

          MD5

          1f3c0b0da48908e2f279f78d6c9dd5b4

          SHA1

          b2fec1cca4236ba0280c3a75670c6ec2d3fe1f08

          SHA256

          6956f3ab9e11cee40935035060bfedf30d661e6e769cc9f285451905d078e01b

          SHA512

          5f418754a8de706e137594e08239f595a2618a7d8393b5d42679def9d1f9bf8aac6d379edf38383eb22fae36000ae0f2ecdc902c72ce82593daf427be9c46a69

          Download Submit

        • F:\$RECYCLE.BIN.lnk
          Filesize

          578B

          MD5

          2e3774805bcd64de1dfae5e58d9566ae

          SHA1

          2ed7b3640143ab70758ca49c5fb3df41478032c5

          SHA256

          8b47d7b60031ac31b853263e65eda3be68954a4f793af4dc0bd8df9ea40ab766

          SHA512

          72c04342adac2787eaa5379c687ddff41a0f70149018109d1382fa9bc5f575311fcc72fc40c36548812be38d1ed7272f949d2844f06a413b063c3658fb5ca9b1

          Download Submit

        • \Windows\system\svchost.exe
          Filesize

          165KB

          MD5

          8886e0697b0a93c521f99099ef643450

          SHA1

          851bd390bf559e702b8323062dbeb251d9f2f6f7

          SHA256

          d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

          SHA512

          fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

          Download Submit