Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 01:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: mea_1900896332082.vbs
- Resource: win7-20240221-en
General
- Target: mea_1900896332082.vbs
- Size: 1.4MB
- MD5: 29d21d21ef6b4a52c649053bbc3a7ec9
- SHA1: 0e5afb55e844aa0d77f7582271f7be13e5f28098
- SHA256: 55df7615b08d6a53ffb0297d21870a31b4db316290d605e3b0864cd1aa765932
- SHA512: 4470741448d0e112e955a78805de4237046753b62c42da1da12a39dda31efbf44d56af80f29f3af1a7fed32dcf268638173387016ef4747a2e2175e7bb1bc635
- SSDEEP: 12288:Bg0It4oS5BVgf7UCahK7Kp7/RY0x1ue0rDxpKtABX0yeiL6iwDN/aXK8j4Rqnnqg:s
Malware Config
- Extracted: dridex
  - 37.247.54.134:443
  - 192.232.207.243:8443
  - 82.165.38.218:691
  - 188.166.73.181:1443
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: regsvr32.exe
    columns: description, pid, pid_target, process, target process
    row: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 1604; 2800; regsvr32.exe
- Loads dropped DLL (1 IoCs)
  Processes: regsvr32.exe
    columns: pid, process
    row: 2692; regsvr32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: WScript.exe
    columns: pid, process
    row: 2012; WScript.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: regsvr32.exe
    columns: description, pid, process, target process
    row (repeated 7 times): PID 1604 wrote to memory of 2692; 1604; regsvr32.exe; regsvr32.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mea_1900896332082.vbs"
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\fucHQLpjPW.txt
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    -s C:\Users\Admin\AppData\Local\Temp\fucHQLpjPW.txt
    - Loads dropped DLL
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\QEVSQO~1.ZIP
  - Filesize: 213KB
  - MD5: 33e41c38d7aca9d8ddf6750f2ca06fb4
  - SHA1: 3b2c99bfd5c4b86151d515bea28d6f4e96c6b286
  - SHA256: 5ec41267d282964106408d631bb9d0506e33d14bd8fd955ab841b1f7d8071fb6
  - SHA512: 7a14f365aac399e80338d64a351a18667f296eb7dca2a9ee18aae4949675aaa5aadcf4caf84d8071ee3031d761164dc6bf8557750d433affff23433bae9f1789
- C:\Users\Admin\AppData\Local\Temp\fucHQLpjPW.txt
  - Filesize: 368KB
  - MD5: 291cc6e829519b5a980e5338621dcedb
  - SHA1: 101098e15d6528da2f2be5b65b38c9a49608c22c
  - SHA256: 92bdad4e9b6c4077ed84b4cb2d278650002660aa387a677bde64c4d4f6d8e01d
  - SHA512: 22e23bba678ba7a7730a59b0be2e4d86faa0fe1810fea4f7e91fc48bf8cb12090bbbd4abb18afe9b2111ac71bd666470f6cdb9bd94f81163b8341c5804d5d933
- memory/2012-9-0x0000000000470000-0x0000000000471000-memory.dmp
  - Filesize: 4KB
- memory/2692-26-0x0000000074ED0000-0x0000000074F3D000-memory.dmp
  - Filesize: 436KB
- memory/2692-27-0x0000000074F2B000-0x0000000074F2E000-memory.dmp
  - Filesize: 12KB
- memory/2692-28-0x0000000074ED0000-0x0000000074F3D000-memory.dmp
  - Filesize: 436KB