Overview
10 Static
Tasks (truncated sample name, platform):
- 10 The-MALWAR...2aed41 (windows10-ltsc 2021-x64)
- 3 The-MALWAR...b54692 (windows10-ltsc 2021-x64)
- 3 The-MALWAR...00f6c1 (windows10-ltsc 2021-x64)
- 3 The-MALWAR...ka.exe (windows10-ltsc 2021-x64)
- 7 The-MALWAR...te.apk (windows10-ltsc 2021-x64)
- 3 The-MALWAR...en.apk (windows10-ltsc 2021-x64)
- 3 The-MALWAR...4a.apk (windows10-ltsc 2021-x64)
- 3 The-MALWAR...if.exe (windows10-ltsc 2021-x64)
- 10 The-MALWAR...il.exe (windows10-ltsc 2021-x64)
- 8 The-MALWAR...at.exe (windows10-ltsc 2021-x64)
- 3 The-MALWAR...an.exe (windows10-ltsc 2021-x64)
- The-MALWAR...sa.doc (windows10-ltsc 2021-x64)
- 1 The-MALWAR...er.com (windows10-ltsc 2021-x64)
- The-MALWAR...98.exe (windows10-ltsc 2021-x64)
- 3 The-MALWAR...aj.exe (windows10-ltsc 2021-x64)
- 7 The-MALWAR...jB.exe (windows10-ltsc 2021-x64)
- 7 The-MALWAR...om.exe (windows10-ltsc 2021-x64)
- 6 The-MALWAR...1C.exe (windows10-ltsc 2021-x64)
- 5 The-MALWAR...90.exe (windows10-ltsc 2021-x64)
- 9 The-MALWAR...6a.exe (windows10-ltsc 2021-x64)
- 9 The-MALWAR...it.exe (windows10-ltsc 2021-x64)
- 3 The-MALWAR...ng.exe (windows10-ltsc 2021-x64)
- 7 The-MALWAR....a.exe (windows10-ltsc 2021-x64)
- 10 The-MALWAR...il.vbs (windows10-ltsc 2021-x64)
- 10 The-MALWAR...1A.exe (windows10-ltsc 2021-x64)
- 8 The-MALWAR...as.exe (windows10-ltsc 2021-x64)
- 6 The-MALWAR...te.exe (windows10-ltsc 2021-x64)
- 7 The-MALWAR....a.exe (windows10-ltsc 2021-x64)
- 3 The-MALWAR...le.exe (windows10-ltsc 2021-x64)
- 3 The-MALWAR...us.exe (windows10-ltsc 2021-x64)
- 10 The-MALWAR...er.exe (windows10-ltsc 2021-x64)
- 7 The-MALWAR...ff.exe (windows10-ltsc 2021-x64)
3 Analysis
max time kernel: 1797s
max time network: 1808s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 13-12-2024 18:01
Static task static1
Behavioral task behavioral1: The-MALWARE-Repo-master/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6fa938770e83ef2e177e8adf4a2ea3d2d5b26107c30f9d85c3d1a557db2aed41 (resource win10ltsc2021-20241023-en)
Behavioral task behavioral2: The-MALWARE-Repo-master/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.ac3467a04eeb552d92651af1187bdc795100ea77a7a1ac755b4681c654b54692 (resource win10ltsc2021-20241211-en)
Behavioral task behavioral3: The-MALWARE-Repo-master/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.d11a549e6bc913c78673f4e142e577f372311404766be8a3153792de9f00f6c1 (resource win10ltsc2021-20241211-en)
Behavioral task behavioral4: The-MALWARE-Repo-master/Trojan/Zika.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral5: The-MALWARE-Repo-master/Trojan/elite.apk (resource win10ltsc2021-20241211-en)
Behavioral task behavioral6: The-MALWARE-Repo-master/Trojan/mobelejen.apk (resource win10ltsc2021-20241211-en)
Behavioral task behavioral7: The-MALWARE-Repo-master/Trojan/vi4a.apk (resource win10ltsc2021-20241211-en)
Behavioral task behavioral8: The-MALWARE-Repo-master/Virus/Floxif/Floxif.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral9: The-MALWARE-Repo-master/Virus/Gnil/Gnil.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral10: The-MALWARE-Repo-master/Virus/Mabezat/Mabezat.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral11: The-MALWARE-Repo-master/Virus/MadMan.exe (resource win10ltsc2021-20241023-en)
Behavioral task behavioral12: The-MALWARE-Repo-master/Virus/Melissa.doc (resource win10ltsc2021-20241211-en)
Behavioral task behavioral13: The-MALWARE-Repo-master/Virus/Walker.com (resource win10ltsc2021-20241211-en)
Behavioral task behavioral14: The-MALWARE-Repo-master/Virus/WinNuke.98.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral15: The-MALWARE-Repo-master/Virus/Xpaj/xpaj.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral16: The-MALWARE-Repo-master/Virus/Xpaj/xpajB.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral17: The-MALWARE-Repo-master/Worm/Bezilom.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral18: The-MALWARE-Repo-master/Worm/Blaster/607B60AD512C50B7D71DCCC057E85F1C.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral19: The-MALWARE-Repo-master/Worm/Blaster/8676210e6246948201aa014db471de90.exe (resource win10ltsc2021-20241023-en)
Behavioral task behavioral20: The-MALWARE-Repo-master/Worm/Blaster/8a17f336f86e81f04d8e66fa23f9b36a.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral21: The-MALWARE-Repo-master/Worm/Blaster/DComExploit.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral22: The-MALWARE-Repo-master/Worm/Bumerang.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral23: The-MALWARE-Repo-master/Worm/Fagot.a.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral24: The-MALWARE-Repo-master/Worm/HeadTail.vbs (resource win10ltsc2021-20241211-en)
Behavioral task behavioral25: The-MALWARE-Repo-master/Worm/Heap41A.exe (resource win10ltsc2021-20241023-en)
Behavioral task behavioral26: The-MALWARE-Repo-master/Worm/Mantas.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral27: The-MALWARE-Repo-master/Worm/NadIote/Nadlote.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral28: The-MALWARE-Repo-master/Worm/Netres.a.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral29: The-MALWARE-Repo-master/Worm/Nople.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral30: The-MALWARE-Repo-master/Worm/Vobfus/Vobus.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral31: The-MALWARE-Repo-master/rogues/AdwereCleaner.exe (resource win10ltsc2021-20241211-en)
Behavioral task behavioral32: The-MALWARE-Repo-master/rogues/SpySheriff.exe (resource win10ltsc2021-20241211-en)
General
Target: The-MALWARE-Repo-master/Worm/HeadTail.vbs
Size: 33KB
MD5: e0a3ab130609c80b452ee423d3a55355
SHA1: f5408df5f8d2765738db8f5080bb88cab105c038
SHA256: af1de4b7c65071f490cfd1425c45c9538fd7888cb7dc509304d8ec11cb046649
SHA512: 9326653d66a9866d517cdcdeb1abdf3fb8fdb2a8bc8c2324c916c10aabc7d5ca417c54c7409f0df6454041ad4c446b06b56510e7cc1eaa2b3cf54ec47cb79ae4
SSDEEP: 384:qKNaNYf1S4FeNnbtFrN+rSNENOfX1h8Z6SLWqnLTNgH1N+qN+u0gjL7N:bGYf1S4YnJFZ+r+kOflh8fLBQ+2+uL7N
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | WScript.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops autorun.inf file (1 TTPs, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File opened for modification | F:\AutoRun.inf | WScript.exe
  File created | C:\AutoRun.inf | WScript.exe
  File opened for modification | C:\AutoRun.inf | WScript.exe
  File created | F:\AutoRun.inf | WScript.exe
- Drops file in System32 directory (64 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnjobs.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnjobs.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnqctl.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prndrvr.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs | WScript.exe
  File created | C:\Windows\System32\oobe\fr-FR\OOBE_HELP_Opt_in_Details.htm | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnport.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\en-US\prncnfg.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnmngr.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnport.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnqctl.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnqctl.vbs | WScript.exe
  File created | C:\Windows\System32\oobe\es-ES\oobe_learn_more_activity_history.htm | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnport.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnqctl.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prncnfg.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prndrvr.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnjobs.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnmngr.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\en-US\prnjobs.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnport.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnqctl.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs | WScript.exe
  File created | C:\Windows\System32\oobe\uk-UA\oobe_learn_more_activity_history.htm | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnmngr.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\it-IT\pubprn.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnport.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnjobs.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\pubprn.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\de-DE\prncnfg.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prncnfg.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnqctl.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnjobs.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnjobs.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\de-DE\pubprn.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prndrvr.vbs | WScript.exe
  File created | C:\Windows\System32\oobe\it-IT\oobe_learn_more_activity_history.htm | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnjobs.vbs | WScript.exe
  File created | C:\Windows\System32\Administrator.ini | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\fr-FR\pubprn.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\en-US\prndrvr.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnjobs.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnqctl.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnqctl.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnport.vbs | WScript.exe
  File created | C:\Windows\System32\SyncAppvPublishingServer.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnjobs.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnport.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnmngr.vbs | WScript.exe
  File created | C:\Windows\System32\oobe\en-US\oobe_learn_more_activity_history.htm | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs | WScript.exe
  File created | C:\Windows\System32\oobe\it-IT\OOBE_HELP_Opt_in_Details.htm | WScript.exe
  File created | C:\Windows\System32\oobe\en-US\OOBE_HELP_Opt_in_Details.htm | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\en-US\prnport.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnjobs.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnqctl.vbs | WScript.exe
  File created | C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnmngr.vbs | WScript.exe
  File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prndrvr.vbs | WScript.exe
  File opened for modification | C:\Windows\System32\Administrator.ini | WScript.exe
- Drops file in Program Files directory (28 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\view.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html | WScript.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html | WScript.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPP.VBS | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\vlm.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html | WScript.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html | WScript.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\Welcome.html | WScript.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html | WScript.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm | WScript.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | WScript.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\README.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\index.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html | WScript.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\Welcome.html | WScript.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPP.HTM | WScript.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html | WScript.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html | WScript.exe
- Drops file in Windows directory (64 IoCs)
  description | ioc | Process
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\500-13.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\default-contentview-template.html | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\retaildemoadmin.html | WScript.exe
  File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\views\sqsaLocalAccount.html | WScript.exe
  File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\enterpriseNgcEnrollment\views\enterpriseNgcEnrollment.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\oobenetworklossaversion-main.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\404-6.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\405.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\cortana.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-6.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\500-19.htm | WScript.exe
  File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\autopilot\autopilotespprogress-main.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\404-14.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\test.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\unifiedEnrollmentOnPremAuth.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-16.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\404-5.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\oobeeula-hololens.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403-11.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\401-3.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\errorhandler.html | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\oobezdp-main.html | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\retaildemomsa.html | WScript.exe
  File created | C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Error.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeeula-main.html | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..ppxmain.teamedition_31bf3856ad364e35_10.0.19041.3636_none_abb707641b322d8e\n\teamdeviceaccountpageselector-main.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\401-2.htm | WScript.exe
  File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\view\common-listview-template.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-chrome-contentview-template.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-3.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.3636_cs-cz_43b386eff96e9d33\f\oobe_help_opt_in_details.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\retaildemoshutdowns.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\404-15.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\500-100.asp | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\unifiedEnrollmentDiscovery.html | WScript.exe
  File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-light-frame-template.html | WScript.exe
  File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobeoemregistration-main.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobesettings-main.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\405.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\401-1.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.3636_hr-hr_6fc8ffb0b8846f4c\f\oobe_help_opt_in_details.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.3636_th-th_112ff62819dbbcd4\f\oobe_help_opt_in_details.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.3636_pt-pt_8987d83c4c8c670c\f\oobe_help_opt_in_details.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\500-13.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\500-18.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\404-2.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\retailDemoLocal.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-4.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-5.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.3636_it-it_13b49b75aa93e716\f\oobe_help_opt_in_details.htm | WScript.exe
  File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobezdp-main.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-19.htm | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403-11.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.3636_he-il_6dac4cd0b9d10286\f\oobe_help_opt_in_details.htm | WScript.exe
  File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoMsa.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-6.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..ppxmain.teamedition_31bf3856ad364e35_10.0.19041.3636_none_abb707641b322d8e\n\teamdomainjoin-main.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\401-2.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.3636_none_3473be4cdeacc98a\f\network.html | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.3636_ja-jp_b5da1a829daef8f1\f\oobe_learn_more_activity_history.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..ppxmain.teamedition_31bf3856ad364e35_10.0.19041.3636_none_abb707641b322d8e\n\teamgroupadminaccount-main.html | WScript.exe
  File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-19.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-iis-startclient_31bf3856ad364e35_10.0.19041.3693_none_27473b9963a5a2cc\f\iisstart.htm | WScript.exe
  File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.3636_hu-hu_70fd2576b7c1d0b4\f\oobe_help_opt_in_details.htm | WScript.exe
- Modifies registry class (10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\ = "%SystemRoot%\\System32\\WScript.exe \"C:\\Windows\\Administrator.vbs\" %1 %* " | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\System32\\WScript.exe \"C:\\Windows\\Administrator.vbs\" %1 %* " | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "%SystemRoot%\\System32\\WScript.exe \"C:\\Windows\\Administrator.vbs\" %1 %* " | WScript.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\HeadTail.vbs"
  - Modifies visibility of hidden/system files in Explorer
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID: 3228
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM
  Filesize: 33KB
  MD5: bef172f88a10b228d511bfd99ce87ceb
  SHA1: 2c5f91cbaf0fefce1d7b223f669f78288135de3a
  SHA256: 6adc90bc3991aabdee692a200a7f3ac55bd0380ab630950c76e07d8f325afc9a
  SHA512: acab512911bf0fa46ebd00b13968b42c932d3f6e70e2df230a5a044847d3464367b61416388fb932bb58d1a65cbdb0979d43cccedfc619c30460fd2e149d268b
- Filesize: 80KB
  MD5: 7109abdb84ee6b4118467813c7ad3f85
  SHA1: 3e00fbe41f70d439c07158a59ad507540ce1144f
  SHA256: 3e0c9f0807ded7c4a188a8a86592ffd7e607cea13e21449b4ca6df52033708de
  SHA512: 9d7211fbc6147805e0e797c6de911a20bb9810efa4087888373c7801f5057d3e326866e7ada93ae705a6502e08f272d42389c666c4e717739e7e0a95a9a5c405
- Filesize: 33KB
  MD5: d832f8583530055db484e3f99011500c
  SHA1: c3b90874bd371f5b79451f807c6ce2836ceb2067
  SHA256: ae3b9ca35308d8f8963642b3886ae4094ab6903f96f7ccb74886ddcbb349a832
  SHA512: c8785d19928a84268f5c0cb4d31f55dc65ad058fe61ec3093528b61ad18f9c79c2e6091ef2879f93e2e7bd607c7152440c2e2843b5ddf7cf8a93bd7697959002