Analysis
-
max time kernel
614s -
max time network
618s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
09-08-2024 12:32
General
-
Target
mal.vbs
-
Size
23KB
-
MD5
c697283f6d4effbc73365f1e6ce56754
-
SHA1
35f538451885c8d0ab49431df3e6d78deadb4bbe
-
SHA256
c5eaf4973b45ebcb1e10afc0f49d5b84c4d4214103c4b77a0263a6510f2d9ac0
-
SHA512
c5699a35e1c1b9a28dcc96088e8ff07e625436d0a6bcb0a869f13dff998fb4fcef02f15d275c8f1064a4d2685cd349ff80f506d7db69bcd72049e209922fac79
-
SSDEEP
384:oAuL8pGgtbsDFC70X0kNMthfiFQS/Lo/GY0XkUoJbG3gYgd1YQ+gNIINVS0AgAxw:LuL8pbsZCiMthqFQOLo/GY0L4p2O5d4Q
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 3 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mal.vbs"1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\nn6qi26\j0286yhmbf7ai.exe"C:\nn6qi26\j0286yhmbf7ai.exe" j0286yhmbf72⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\attrib.exe"c:/windows/SysWOW64/attrib.exe"3⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
- Views/modifies file attributes
-
\??\c:\windows\SysWOW64\attrib.exec:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##14⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- Views/modifies file attributes
-
\??\c:\windows\SysWOW64\attrib.exe"c:\windows\SysWOW64\attrib.exe" /stext "WWy1"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
\??\c:\windows\SysWOW64\attrib.exe"c:\windows\SysWOW64\attrib.exe" /stext "WWy1"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
\??\c:\windows\SysWOW64\attrib.exec:\windows\SysWOW64\attrib.exe j0286yhmbf7 ##34⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- Views/modifies file attributes
-
\??\c:\windows\SysWOW64\attrib.exe"c:\windows\SysWOW64\attrib.exe" /stext "WWy0"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Views/modifies file attributes
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
142B
MD59a2e9394c545807936b1fb93820d11b6
SHA1ee54eb3a02b1bc6a692acedc257c7dab0ed9b80e
SHA256669b8c66b782dcf3ed93cffbb82ff67b4c16442693bef598f59c135e70e62ca0
SHA5124082f0b8120836a4055bb7b11cd17bc95b7b4256a0ed185dd06a3ff056a2614d002fc3de212ff3eee58fbdfeaac53d422424f46bbc1001476d3a75f0a39e47ff
-
Filesize
277KB
MD5efca48f79b8b46a4b36b3e4a4a9473b2
SHA160d7955cb8d72e836f00229e40ad117791c44797
SHA2563fbfbd042455269a51fbf8b9d067b8b7f0a939fd7fcc7d16bff4282e898691fe
SHA512ca90b7d8dc53cc90e1d75a53802bdbc3bdc7709e59997f3714dc4a73ab10cbbc6e1d8f47427c7a08a285bb273358d4c26bd69a1567151499c2369ca24dc05052
-
Filesize
475KB
MD5431ea22dfc9161171857a4b4b0d654cb
SHA134122f53d97032a44a33794dd6473b1afee0e4ba
SHA2569ecc9ae104e55639818b5fbc7b20c2360fdb38c590e976f9ee249375d8e08208
SHA51239e21d684f2c90ccd569cb6b3dc2f105b58f213c06fdae6ed9d730902b91c4dd9df618864451901780af23a17f5e34328477a3cb74f2c8363e00497358a38e95
-
Filesize
4.5MB
MD5fcf95a673fc6f66144fda45cf4178878
SHA17045244c1614b33ce9268ff204b29f335995e574
SHA2561d2d800a6f1cf902a5b62fc93ca26dd9e73e654c76a65e35a034e6c9e12fbc79
SHA512ed28d2428b5401b3a14ddb206f257e7678a6ced31cef034963b718b5dcd68699b1e55a535f5d73653df205e3527786e7823e90496384f1b9307edb7dfe7936ef
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
6.4MB
MD5f1bdba8ededc7120f738b69aeacab588
SHA1ab925af5329bfd4fed9ad7e4fbf882e7eae0c9df
SHA25677a7a093f93dd177213ca0cda1d8b88b3aecc24317a68a798bcb843462ac5a4a
SHA512e37702f0b535e595d43e9ef790f2b75e9755544b47f87ddecaa98cba6cae5daab70880de4c4a164c8b9ee90fb25e8900975591d96562c82acf32dd36d32b9a71
-
Filesize
925KB
MD50adb9b817f1df7807576c2d7068dd931
SHA14a1b94a9a5113106f40cd8ea724703734d15f118
SHA25698e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b
SHA512883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a
-
Filesize
277KB
MD5cf0dbc1c057c44e0f053db964e83507f
SHA18a6b1f26ed64406c3628ba547508cc88a517a202
SHA2562eafe832a8d61339b1d552adea62cc54fcfbef6e62dda5e29c131c70aaacc379
SHA51275431f5674866c5a735a9f68ab5210cd0ab7ce8d10bd9aed53dfc7de8e8d4def5c9489226573c2a27b3c932589f17f3b8c703bc9f4693d50a27b8203e7bc0a7f
-
Filesize
232KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4KB
-
Filesize
6.5MB
-
Filesize
4KB
-
Filesize
6.5MB
-
Filesize
6.5MB