Overview

overview

10

Static

static

1

29a2f380dc...36.vbs

windows7-x64

10

29a2f380dc...36.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-10-2024 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29a2f380dca14716c3e3c53da12df3d0b1fb5c3efd0d2b711d3de523a7273836.vbs

  • Size

    4.4MB

  • MD5

    afaefcfba4a6f5052383156ce7f88efd

  • SHA1

    ac99a4ba88364136174b70b226881297144de96e

  • SHA256

    29a2f380dca14716c3e3c53da12df3d0b1fb5c3efd0d2b711d3de523a7273836

  • SHA512

    4fdb773189b885e11ce669b711c04777d8b29ab4a409e2a470fb13b37404eba02b8a9d55aada3a6c64df421d0ec0d7288acc4727055274945d17483cd5710e73

  • SSDEEP

    24576:lemjem3emOemsemyemDemTemHemnemmem2em+emTemXemBem6emFemWemRemiemH:i

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://rentry.co/m7ebw9yf/raw

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Deletes itself 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29a2f380dca14716c3e3c53da12df3d0b1fb5c3efd0d2b711d3de523a7273836.vbs"
    1⤵
    • Blocklisted process makes network request
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\WindowsUpdate\OOWZL.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsUpdate\ZARTD.ps1
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\WindowsUpdate\OOWZL.cmd
    Filesize

    75B

    MD5

    c561282ed942d23889d0a4ed1222b87d

    SHA1

    3a201c4bbb160ee5c7089da864e018a1cdd2d02e

    SHA256

    c9b0ba912bfafe244f38d31f13070116bb105123083ff1f05ed6cad9eaa626fe

    SHA512

    bfc021f5d48d55aba88416340e996d7127993a349d23806fb64e715ad4840886e8d3af5a74745453f2d00e3b6fce22d8a34c312e2b3202bf6602be33b20067b3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WindowsUpdate\ZARTD.ps1
    Filesize

    44KB

    MD5

    da1cd4da7e21802269e159912b864ee4

    SHA1

    d46e5ff9db8a7ac43555d2fd5607230209578c48

    SHA256

    2a1a67c8cf9037b6da4ebd9cfe8c1c076f7a6211dd4eba150f1df36a0450a39b

    SHA512

    788d55920f2cd21650baf4d4a54422e26b3edf374a1a4a438fd217930f4d66e3e8985e263a41586f6fa3fd2f032f9fa4e2fd41ba3067911781217da18d43bd44

    Download Submit

  • memory/2212-52-0x0000000002960000-0x00000000029E0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2212-53-0x000000001B440000-0x000000001B722000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2212-54-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2212-56-0x0000000002960000-0x00000000029E0000-memory.dmp

    Filesize

    512KB

    Download