1e7e0d2b2619a52cc94cefc60755d39d6bc83014b8c529e775e0841f877380bd

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1408036046_2025-03-24-69425519059_5415R.vbs
Size

3.8MB
MD5

3dcba98fd36ce6f61df7bd91b2668304
SHA1

fd8e65ef8cf6e31577484bb68a1c3ac982bb9332
SHA256

8a4c7895114c65d9174ae744aeff93024214d9bbc76cafd3e9f21ffbce8efdf4
SHA512

c228b56cf36965d80d50da174be04b7de84e7c84e00a5d208658b307420e51be13475396912ea1d319a3fd40df8abede2efdf0d4aedf202b7ad75565a6bc6a1c
SSDEEP

49152:Q1QY2iFJjh0Aw01drLTN79ei3nWWWyHIqTPjRqge6J3SVOASE93:B

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2604	olVOmhtvnufD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olVOmhtvnufD.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2604	olVOmhtvnufD.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2604	2720	WScript.exe	30
PID 2720 wrote to memory of 2604	2720	WScript.exe	30
PID 2720 wrote to memory of 2604	2720	WScript.exe	30
PID 2720 wrote to memory of 2604	2720	WScript.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1408036046_2025-03-24-69425519059_5415R.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Public\olVOmhtvnufD.exe
  "C:\Users\Public\olVOmhtvnufD.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\OLVOMH~1.ZIP

Filesize
2.4MB

MD5
c251e2e9c2dba46764178ab1ba1e7a7d

SHA1
2f5f6ba4b831f344ca71573de4a03c6fb2d61abb

SHA256
b2219dafcd42d0587618afe8518d965fb81f07e64328159c9923743be176003d

SHA512
25e41eeb4af0c5f46a46dccda4570b0cf7f24f2b1cd70d795ade60ac9c0709e33aaf1b23244bf84dbe1471ceb07cb8de8b447551008fc68120adde62dfd95db0

Download Submit
memory/2604-28-0x00000000001B0000-0x0000000005ED0000-memory.dmp

Filesize
93.1MB

Download