Analysis

  • max time kernel
    33s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-04-2024 00:54

General

  • Target

    wscript.exe

  • Size

    93KB

  • MD5

    50af5e7d5d665f6e9cca447af7e8b1e5

  • SHA1

    8cde307749103cf895cd8c2d87a8a73aa1017fa8

  • SHA256

    c7cc2d0b72eba9ef36f0ec9ad721b8a9e0dbaacb9121ccbead85b9751eb6f45b

  • SHA512

    abdcb709f2c1c7e951b9f4a61b0766db965376476043fba7c8f182740ece3e2be6ca2e7a66e09c1327274af2f507fb2cf3f5e39b2b80619f5aa33b8fb28117e2

  • SSDEEP

    768:QY3CUfhWXxyFcxovUKUJuROprXtWNEpeYhYbmXxrjEtCdnl2pi1Rz4Rk3lsGdpc3:KU5WhIUKcuOJRpPhBjEwzGi1dD1DcgS

Score
8/10

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wscript.exe
    "C:\Users\Admin\AppData\Local\Temp\wscript.exe"
    1⤵
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\wscript.exe" "wscript.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:2176
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Defense Evasion
    • Impair Defenses (T1562): 1
      • Disable or Modify System Firewall (T1562.004): 1


Downloads

  • C:\Users\Admin\AppData\Local\Explower.exe
    Filesize

    93KB

    MD5

    50af5e7d5d665f6e9cca447af7e8b1e5

    SHA1

    8cde307749103cf895cd8c2d87a8a73aa1017fa8

    SHA256

    c7cc2d0b72eba9ef36f0ec9ad721b8a9e0dbaacb9121ccbead85b9751eb6f45b

    SHA512

    abdcb709f2c1c7e951b9f4a61b0766db965376476043fba7c8f182740ece3e2be6ca2e7a66e09c1327274af2f507fb2cf3f5e39b2b80619f5aa33b8fb28117e2

  • memory/2220-0-0x0000000074BC0000-0x000000007516B000-memory.dmp
    Filesize

    5.7MB

  • memory/2220-1-0x0000000000C30000-0x0000000000C70000-memory.dmp
    Filesize

    256KB

  • memory/2220-2-0x0000000074BC0000-0x000000007516B000-memory.dmp
    Filesize

    5.7MB

  • memory/2220-13-0x0000000074BC0000-0x000000007516B000-memory.dmp
    Filesize

    5.7MB

  • memory/2220-14-0x0000000000C30000-0x0000000000C70000-memory.dmp
    Filesize

    256KB