d89f8d317cf5f8600cc5abe52846f38bf191ecbfb841817696d89d59dbca03c1

General

Target

other malware cuz why not/loveletterworm fixed.vbs
Size

4KB
MD5

5c5cfc1e6e91a733e225cf6f39d74623
SHA1

f0d2fc4eff812edb4e40db5c155b95aa9575e472
SHA256

3fb3b4aa431e328c471b7fc814e662ffed93132209fffce2b996eb9ada66e727
SHA512

ad42b84774fafd7363218e874b35aae6d3355efb442b036e6d7d0fed18ab665c5de5ef3bc84b8f13fee79f17ebd57b299dd2ac14401a33d897d5bffe46f8a3af
SSDEEP

96:ekmO+aYCe4pz7A9dYaG+GrQU18YDMjryGvGdeVYPGFwrCZ76QJakfExKdy:1gCnpz7A9bvzEDgnVegYVqepkGOy

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (335) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL = "C:\\Windows\\Win32DLL.vbs"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX = "\\WIN-BUGSFIX.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSKernel32 = "C:\\Windows\\System32\\MSKernel32.vbs"	WScript.exe

Drops file in System32 directory 64 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prndrvr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\slmgr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnport.vbs	WScript.exe
File created	C:\Windows\System32\LOVE-LETTER-FOR-YOU.TXT.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\gatherNetworkInfo.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnport.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\MSKernel32.vbs	WScript.exe
File created	C:\Windows\System32\migwiz\PostMigRes\Web\reportapi.js	WScript.exe
File created	C:\Windows\System32\Msdtc\Trace\msdtcvtr.bat	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnqctl.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prndrvr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnport.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnqctl.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\de-DE\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prncnfg.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnjobs.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnport.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\it-IT\prncnfg.vbs	WScript.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\reportapi.js	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnport.vbs	WScript.exe
File opened for modification	C:\Windows\System32\MSKernel32.vbs	WScript.exe
File created	C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prndrvr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnjobs.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\pubprn.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs	WScript.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prndrvr.vbs	WScript.exe

Drops file in Program Files directory 64 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME37.CSS	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts.css	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME46.CSS	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME03.CSS	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\VelvetRose.css	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css	WScript.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\picturePuzzle.css	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow.css	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\RSSFeeds.css	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\currency.js	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG.vbs	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg.vbs	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME55.CSS	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\service.js	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\picturePuzzle.js	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\weather.js	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG	WScript.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME42.CSS	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg.vbs	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css	WScript.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG.vbs	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG.vbs	WScript.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG	WScript.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\weather.css	WScript.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	WScript.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js	WScript.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG.vbs	WScript.exe

Drops file in Windows directory 64 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Windows\Web\Wallpaper\Architecture\img18.jpg	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_92a65a18e6532ae7\localizedStrings.js	WScript.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\topGradRepeat.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b7c1292c822004f6\flyout.css	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3687be952df5b9b1\library.js	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\ShadesOfBlue.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d158ae10876efd6d\currency.js	WScript.exe
File created	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp3.jpg	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_36bc61b12dcec80c\weather.js	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aa2519d66015923\prnport.vbs	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Bears.jpg	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\img2.jpg	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3687be952df5b9b1\localizedStrings.js	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_it-it_da156c29d2de7a95\cpu.js	WScript.exe
File created	C:\Windows\Web\Wallpaper\Windows\img0.jpg	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_es-es_397fc58b493f7a97\calendar.js	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dbfc68edd3137610\clock.css	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c99bfc6ddd1bf1d2\slideShow.js	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f85c65eb05726c7\weather.js	WScript.exe
File created	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp3.jpg	WScript.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-security-spp-tools_31bf3856ad364e35_6.1.7600.16385_none_456f9c422073f3b7\slmgr.vbs	WScript.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\img7.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c1ab456ba37238a2\highDpiImageSwap.js	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\settings.js	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b10688fca09ceff4\pubprn.vbs	WScript.exe
File created	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp5.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5956204d6dda4df5\settings.css	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aa2519d66015923\prndrvr.vbs	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\SoftBlue.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a6dae8166284ac8\pubprn.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\img23.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d158ae10876efd6d\init.js	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73db80f37a680574\currency.js	WScript.exe
File created	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp6.jpg.vbs	WScript.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\ZA-wp6.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\img20.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\winrm.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f74d1ac7302c46a8\prndrvr.vbs	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_32d323ec6e85d609\settings.css	WScript.exe
File created	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp1.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\GB-wp5.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\img19.jpg	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\img30.jpg	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\Koala.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a479cd0719d5814b\cpu.css	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4d35ffe408da7eb5\cpu.css	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9b2e7f4377ced572\prnqctl.vbs	WScript.exe
File created	C:\Windows\Web\Wallpaper\Nature\img6.jpg	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_59e6a839753b16d1\settings.css	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\img21.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_de-de_34a4f72aa1dd0bf7\calendar.css	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3687be952df5b9b1\settings.js	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9b2e7f4377ced572\prncnfg.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8700586a70797a4c\settings.js	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp2.jpg	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6a40964d5ae60541\calendar.css	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\Tulip.jpg.vbs	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ba2212be09f75c28\service.js	WScript.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\darkBlue_GRAD.jpg	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0c889693e4e0f25f\clock.css	WScript.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_36bc61b12dcec80c\settings.js	WScript.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\settings.css	WScript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

WScript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	WScript.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank"	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\other malware cuz why not\loveletterworm fixed.vbs"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat

Filesize
4KB

MD5
5c5cfc1e6e91a733e225cf6f39d74623

SHA1
f0d2fc4eff812edb4e40db5c155b95aa9575e472

SHA256
3fb3b4aa431e328c471b7fc814e662ffed93132209fffce2b996eb9ada66e727

SHA512
ad42b84774fafd7363218e874b35aae6d3355efb442b036e6d7d0fed18ab665c5de5ef3bc84b8f13fee79f17ebd57b299dd2ac14401a33d897d5bffe46f8a3af

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads