Analysis
max time kernel: 84s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-09-2024 07:24
Static task: static1
Behavioral task: behavioral1
  Sample: HG987654567000.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: HG987654567000.vbs
  Resource: win10v2004-20240802-en
General
Target: HG987654567000.vbs
Size: 33KB
MD5: 59a24e918603e8e13baece1f49ccb169
SHA1: 84e045dcf3e4c49445abe4e61af4795e8091d5de
SHA256: c83fa0fe8fcce8c22dc31440b883ee13badb2438f6a35ddd56a7b8c7e03c335c
SHA512: 85561f9127d28e46ccb0a7329892cece142e817f77dbe77e1d2583ba4b29bf234c8334fe5596e30fe08d3edb1d615cbc9c8da8790f037c065664f0c29dd68c86
SSDEEP: 384:ljD6h5upiUy+I4B8Gyh6r4x8yGNy0wVS2fwspQsFXkInOEZfDBEwA0QmKCp:45uhyt4Xyh6r4x8ygGnusS3EZrp4ep
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 2816, process x.exe
- Loads dropped DLL (1 IoC)
  PID 3020, process WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2816, process x.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3020 (WScript.exe) wrote to memory of PID 2816, procid_target 29
  PID 3020 (WScript.exe) wrote to memory of PID 2816, procid_target 29
  PID 3020 (WScript.exe) wrote to memory of PID 2816, procid_target 29
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HG987654567000.vbs"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 3020
   2. C:\Users\Admin\AppData\Local\Temp\x.exe (child of PID 3020)
      Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2816
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: 0895a48b8b3050333df73cab2c249efb
SHA1: 97701a825d6c4462774ac1a7f98984c9a6a94c86
SHA256: c8abfe8f42fa396f48b01eb6612c5620ae198a13ac8e2aa1f47a1e277d704c48
SHA512: 5bd55439b142d5f3145b7a952d1f964e963d89e47930c7616e7eaea244e3fd8e792b056d62c48bdcf9f5ba188949e0a81058bfcd355d89b87c7b8973b2e13ddc