843bd0dac31c4e1fd34c7cf373d5c53fc69026e6896eedee9e56fd301a2a3d48

General

Target

script.vbs
Size

1KB
MD5

b056bf0e28a5c63527653902895ae65c
SHA1

3e58ad1839ce25e27cabf9f854edae192a0249b4
SHA256

843bd0dac31c4e1fd34c7cf373d5c53fc69026e6896eedee9e56fd301a2a3d48
SHA512

f7cc7227acd2aaa68387614b3dae397adb6c201d40cd52b33683875d97ca1ff789bbf7d876fcadc9882aa9046064b274f761f73b9ed574ae6560cde12b5b961a

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1148	EXCEL.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
1148	EXCEL.EXE
4308	EXCEL.EXE
4308	EXCEL.EXE
3180	OpenWith.exe
4308	EXCEL.EXE
4308	EXCEL.EXE
3580	EXCEL.EXE
3580	EXCEL.EXE
3580	EXCEL.EXE
3580	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 1944	3956	WScript.exe	79
PID 3956 wrote to memory of 1944	3956	WScript.exe	79
PID 1944 wrote to memory of 3224	1944	WScript.exe	83
PID 1944 wrote to memory of 3224	1944	WScript.exe	83
PID 3224 wrote to memory of 2444	3224	WScript.exe	85
PID 3224 wrote to memory of 2444	3224	WScript.exe	85

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
      4⤵
      PID:2444
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        5⤵
        
        PID:1512
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        6⤵
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        7⤵
        
        PID:3128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        8⤵
        
        PID:1356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        9⤵
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        10⤵
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        11⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        12⤵
        
        PID:1896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        13⤵
        
        PID:3736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        14⤵
        
        PID:2704

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:912

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:3232

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:908

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:3624

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:3556

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:1900

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:5108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2636

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:2196

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:1640

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:5148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\CompleteBackup.odp

Filesize
535KB

MD5
ca0357fee69e0d6f6bd139c9f4c37e9a

SHA1
ac8831364015a8ed1f36104aa43141852fb05ac8

SHA256
c34833d857276cba83afa38f1b8c6f16441960aea555c383527b78715ead4a13

SHA512
da81a5cbd7fa82d7eaaba0ba35f96620f3fc8c218c20c1a142de0bc0224d7a3f48a3ea49b62972ea8b56242a894ee3c0bfc2581e9a0aa5253e9d45f98dbb9a61

Download Submit
C:\Users\Admin\Desktop\MoveWrite.M2V

Filesize
674KB

MD5
ab12255982049598b24c7c4c3399c539

SHA1
9bf7ff656fe5400ee5045f00e8bc06ad1026bf75

SHA256
4ef4aeb0e14ce8a6e244409e2e3bdf23e2da6c2f7b1e3ba0899f9cd0783e381b

SHA512
c7e018d6e65241136219f8fba822e8caa23471ff0fd777bbe9cf4f597bb71da1b37b3611e81d62d292df4317c62653567a6f075fa8a3738cc8e7b03a9d1c874c

Download Submit
memory/1148-7-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-6-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-5-0x00007FFA41EC3000-0x00007FFA41EC4000-memory.dmp

Filesize
4KB

Download
memory/1148-1-0x00007FFA01EB0000-0x00007FFA01EC0000-memory.dmp

Filesize
64KB

Download
memory/1148-10-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-11-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-9-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-8-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-0-0x00007FFA01EB0000-0x00007FFA01EC0000-memory.dmp

Filesize
64KB

Download
memory/1148-4-0x00007FFA01EB0000-0x00007FFA01EC0000-memory.dmp

Filesize
64KB

Download
memory/1148-13-0x00007FF9FFC90000-0x00007FF9FFCA0000-memory.dmp

Filesize
64KB

Download
memory/1148-12-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-14-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-16-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-15-0x00007FF9FFC90000-0x00007FF9FFCA0000-memory.dmp

Filesize
64KB

Download
memory/1148-17-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-19-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-18-0x00007FFA41E20000-0x00007FFA42029000-memory.dmp

Filesize
2.0MB

Download
memory/1148-3-0x00007FFA01EB0000-0x00007FFA01EC0000-memory.dmp

Filesize
64KB

Download
memory/1148-2-0x00007FFA01EB0000-0x00007FFA01EC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing