afaeaeaf6c92fea88f20d826a28a0f2bb0124146c91b1f7877de4b89c4133b8f

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update_task.vbs
Size

630B
MD5

bfe9fe92e21ce31902de4ae152744674
SHA1

70ea30e26fd362dbb24c43a7bbc0d54bc00a6863
SHA256

afaeaeaf6c92fea88f20d826a28a0f2bb0124146c91b1f7877de4b89c4133b8f
SHA512

09120e6221f23573690760ce00696e7f21f0f6abed5d75fe4e08e0787efb96b7877b083538315f9e2c9087e189e92c8c98a0d516bfbe7aa1381347cc86cf0190

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2420	1952	WScript.exe	28
PID 1952 wrote to memory of 2420	1952	WScript.exe	28
PID 1952 wrote to memory of 2420	1952	WScript.exe	28
PID 1952 wrote to memory of 2116	1952	WScript.exe	30
PID 1952 wrote to memory of 2116	1952	WScript.exe	30
PID 1952 wrote to memory of 2116	1952	WScript.exe	30
PID 1952 wrote to memory of 2568	1952	WScript.exe	32
PID 1952 wrote to memory of 2568	1952	WScript.exe	32
PID 1952 wrote to memory of 2568	1952	WScript.exe	32
PID 1952 wrote to memory of 2672	1952	WScript.exe	34
PID 1952 wrote to memory of 2672	1952	WScript.exe	34
PID 1952 wrote to memory of 2672	1952	WScript.exe	34
PID 1952 wrote to memory of 2660	1952	WScript.exe	36
PID 1952 wrote to memory of 2660	1952	WScript.exe	36
PID 1952 wrote to memory of 2660	1952	WScript.exe	36

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2116	attrib.exe
2672	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update_task.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\System32\certutil.exe
  "C:\Windows\System32\certutil.exe" -decode .\e.txt .\PasswordSlip.exe
  2⤵
  PID:2420
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +h .\PasswordSlip.exe
  2⤵
  - Views/modifies file attributes
  PID:2116
- C:\Windows\System32\expand.exe
  "C:\Windows\System32\expand.exe" C:\Windows\System32\notepad.exe .
  2⤵
  PID:2568
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +h .\notepad.exe
  2⤵
  - Views/modifies file attributes
  PID:2672
- C:\Windows\System32\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p . /m notepad.exe /c .\PasswordSlip.exe
  2⤵
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit