Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 10-05-2024 16:23
Static task: static1 (Sample: OSCE-CUR1202069986.vbs)
Behavioral task: behavioral1 (Resource: win7-20240508-en)
General
Target: OSCE-CUR1202069986.vbs
Size: 2.2MB
MD5: bafce37d28a61cc064beeb186de90d78
SHA1: 0d2bc349c0da8f5a92df71e9cb34d92b4bb6e70c
SHA256: 4a2e30d454a2c64df5eeea0a038d86dc0d230faf595efc7c9fc4773d083348a9
SHA512: 9044e58359b2e1c9ecaa04807b3332bd654a34426047f71494ac74ecec56915a1278ec8a5c7648aa873985af919012ada47943c0b3eed030b5adf06e02cad040
SSDEEP: 3072:opDhIAeifbWm7bDBuaQc1DAjTMTNoA5mky0S+/8Zi5XY+2h+/GOwmNLgR5btVVW7:oX8sBP0tmjoPJwbxYNWQcVZA2+vZ4qC
Malware Config
Extracted family: dridex
C2:
104.131.41.185:443
178.62.75.204:1443
138.201.138.91:3389
62.75.191.14:3389
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is wmiprvse.exe, the WMI provider host, which creates processes on behalf of WMI clients; a regsvr32.exe child under it is consistent with the script launching its payload through WMI (Win32_Process.Create) rather than directly, so regsvr32.exe is not a child of WScript.exe and a WScript.exe -> regsvr32.exe parent/child rule on its own would not fire.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2824 | 2288 | regsvr32.exe |
Loads dropped DLL (1 IoC)
Processes:
pid | process
2544 | regsvr32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid | process
3016 | WScript.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description | pid | process | target process
PID 2824 wrote to memory of 2544 | 2824 | regsvr32.exe | regsvr32.exe (this entry is recorded 7 times)
All seven writes go from the 64-bit regsvr32.exe (2824) into the SysWOW64 regsvr32.exe (2544) it has just started. A parent writing into its own newly created child happens during normal process start-up, so this signature alone is not evidence of injection into an unrelated process.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\System32\WScript.exe (PID 3016, level 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OSCE-CUR1202069986.vbs"
- Suspicious use of FindShellTrayWindow
C:\Windows\system32\regsvr32.exe (PID 2824, level 1; recorded parent is wmiprvse.exe, PID 2288, not WScript.exe)
Command line: regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\regsvr32.exe (PID 2544, level 2, child of 2824)
Command line: -s C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt
- Loads dropped DLL
The -s switch runs regsvr32 silently. The module it is given, VozQAgGH.txt, is the 234KB file listed under Downloads; regsvr32 ignores the extension and loads the file as a DLL. The 64-bit regsvr32.exe hands a 32-bit module to its SysWOW64 counterpart, which is why the dropped DLL is loaded in PID 2544, consistent with the 328KB region dumped from that process at 0x74810000.
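The process tree above shows the two things a detection for this loader should key on: regsvr32.exe appearing under wmiprvse.exe instead of under the script host, and regsvr32 being pointed at a non-DLL file in the user's Temp directory. The block below is an added example, not part of this report or of Triage; it runs that logic over constructed Sysmon-style process-creation records that mirror the report's tree. The PIDs and command lines come from the report; the explorer.exe parent of WScript.exe (PID 1234), the benign installer record, and all field and function names are assumptions made for illustration.

```python
"""Detection logic for the regsvr32 loader pattern in the process tree above.

Added example, not part of the Triage report. It runs over constructed
Sysmon-style process-creation records that mirror the report's process tree.
PIDs and command lines are taken from the report; the explorer.exe parent of
WScript.exe, its PID, and the benign installer record are assumptions made
for illustration, as are all field and function names.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# Constructed events mirroring the report's process tree.
EVENTS = [
    ProcessEvent(3016, r"C:\Windows\System32\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" '
                 r'"C:\Users\Admin\AppData\Local\Temp\OSCE-CUR1202069986.vbs"',
                 1234, r"C:\Windows\explorer.exe"),          # parent assumed
    ProcessEvent(2824, r"C:\Windows\system32\regsvr32.exe",
                 r"regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt",
                 2288, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcessEvent(2544, r"C:\Windows\SysWOW64\regsvr32.exe",
                 r"-s C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt",
                 2824, r"C:\Windows\system32\regsvr32.exe"),
    # Benign control (assumed): an installer registering its own COM DLL.
    ProcessEvent(4100, r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
                 4000, r"C:\Program Files\Vendor\setup.exe"),
]

# Script hosts and LOLBins that the WMI provider host has no business launching.
WMI_UNEXPECTED_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe",
                           "wscript.exe", "cscript.exe", "powershell.exe",
                           "cmd.exe", "certutil.exe"}
# Extensions regsvr32 is normally asked to register.
MODULE_EXTENSIONS = {".dll", ".ocx", ".ax"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def regsvr32_target(cmdline):
    """Return the module path regsvr32 was asked to load, or None.

    Switches start with '/' or '-'; the executable itself may or may not be
    present as the first token (the WOW64 child above starts with '-s').
    """
    for token in split_cmdline(cmdline):
        if token[:1] in ("/", "-"):
            continue
        if ntpath.basename(token).lower() == "regsvr32.exe":
            continue
        return token
    return None


def flag_event(ev):
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()

    # wmiprvse.exe creates processes on behalf of WMI callers (Win32_Process.Create),
    # so the real initiator (here the VBS in WScript.exe) is not the recorded parent.
    if parent == "wmiprvse.exe" and child in WMI_UNEXPECTED_CHILDREN:
        reasons.append("unexpected child of wmiprvse.exe (WMI-launched, true parent hidden)")

    if child == "regsvr32.exe":
        target = regsvr32_target(ev.command_line)
        if target is not None:
            ext = ntpath.splitext(target)[1].lower()
            # regsvr32 ignores the extension and loads the file as a DLL anyway.
            if ext not in MODULE_EXTENSIONS:
                reasons.append(f"regsvr32 module has non-DLL extension {ext or '(none)'}")
            if "\\appdata\\local\\temp\\" in target.lower():
                reasons.append("regsvr32 module lives in the user temp directory")
    # Deliberately not flagged: System32\regsvr32.exe spawning SysWOW64\regsvr32.exe
    # is how the 64-bit binary hands a 32-bit module to its 32-bit counterpart.
    return reasons


def scan(events):
    """Map pid -> reasons for every flagged event."""
    hits = {}
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, *reasons, sep="\n    ")
```

Run against the constructed events, `scan` flags 2824 (three reasons) and 2544 (two reasons, since its recorded parent is the 64-bit regsvr32.exe, not wmiprvse.exe) and leaves WScript.exe and the installer's regsvr32 call alone. On real telemetry the extension and Temp-path checks carry most of the signal, because the wmiprvse.exe parent only appears when the loader chose WMI; a rule that depends on it alone misses scripts that call regsvr32 directly.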
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\RDGFSF~1.ZIP
Filesize: 173KB
MD5: 1a06a9ee708aedc9262e0deb92a6d96c
SHA1: 9b19d73ae13951b7841f3d0df907c078a037e57b
SHA256: 52707f6fa67030ab19ff2c3ccac34fcb0ebdc82ef38a462980d28ffe785abe4f
SHA512: 869c5adc3e55aef45438113492343c5268c350c7bf32a1870d2b4db3d35ae500f69f916597a35888b17b0f3760c613b10a946a92f6527626181be3893a16721a
C:\Users\Admin\AppData\Local\Temp\VozQAgGH.txt
Filesize: 234KB
MD5: dcc0d174cb7fec609f31c0f95347f913
SHA1: d77a6c10f9538ccd630d437390e69471cbc3cebb
SHA256: 56b8f57264cd5747a3282754601387cf860eab9c18d1c14bcdd6074c88c5a0e0
SHA512: d626c4a4b42d7ffd68fb2433943e3657add9ac69f13ec2dd6233ee58ea041179c8a2795212baeb895f56f9c04a2a66035652ca24f0d0eff127ee2d06187924e0
memory/2544-25-0x0000000074810000-0x0000000074862000-memory.dmp
Filesize: 328KB
memory/2544-27-0x000000007484B000-0x000000007484E000-memory.dmp
Filesize: 12KB
memory/2544-28-0x0000000074810000-0x0000000074862000-memory.dmp
Filesize: 328KB
memory/3016-9-0x0000000002240000-0x0000000002241000-memory.dmp
Filesize: 4KB