Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/09/2024, 14:12
Static task
static1
Behavioral task
behavioral1
Sample
file.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
file.vbs
Resource
win10v2004-20240802-en
General
-
Target
file.vbs
-
Size
561B
-
MD5
db61fb8acb8e3cda1942e9ded99d8ba8
-
SHA1
f8495b7a9d23d48a10b9ce10442544a7824642e1
-
SHA256
1ff5e36a587225e3f74f4b51ef29164a2e3807a32183a18eba9261a69c093634
-
SHA512
82e74cf57ea89bedbdccd6991c09cb5edcfd38d5f9a5ef0ed85906fab9716e10626132592da67c2f268bce2311e56835803a71337123ddd7891d5028e194a2f4
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: WScript.exe File opened (read-only) \??\T: WScript.exe File opened (read-only) \??\U: WScript.exe File opened (read-only) \??\X: WScript.exe File opened (read-only) \??\E: WScript.exe File opened (read-only) \??\K: WScript.exe File opened (read-only) \??\M: WScript.exe File opened (read-only) \??\N: WScript.exe File opened (read-only) \??\Y: WScript.exe File opened (read-only) \??\W: WScript.exe File opened (read-only) \??\Z: WScript.exe File opened (read-only) \??\A: WScript.exe File opened (read-only) \??\H: WScript.exe File opened (read-only) \??\I: WScript.exe File opened (read-only) \??\V: WScript.exe File opened (read-only) \??\J: WScript.exe File opened (read-only) \??\Q: WScript.exe File opened (read-only) \??\R: WScript.exe File opened (read-only) \??\S: WScript.exe File opened (read-only) \??\B: WScript.exe File opened (read-only) \??\G: WScript.exe File opened (read-only) \??\L: WScript.exe File opened (read-only) \??\P: WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeShutdownPrivilege 1892 WScript.exe Token: SeCreatePagefilePrivilege 1892 WScript.exe Token: 33 3264 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3264 AUDIODG.EXE Token: SeShutdownPrivilege 1892 WScript.exe Token: SeCreatePagefilePrivilege 1892 WScript.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4a0 0x4981⤵
- Suspicious use of AdjustPrivilegeToken
PID:3264
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5987a07b978cfe12e4ce45e513ef86619
SHA122eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA51239b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b