Overview

overview

10

Static

static

10

WinRing0x64.sys

windows7-x64

1

WinRing0x64.sys

windows10-2004-x64

1

go.exe

windows7-x64

9

go.exe

windows10-2004-x64

9

mozilla.vbs

windows7-x64

8

mozilla.vbs

windows10-2004-x64

8

mservice.exe

windows7-x64

1

mservice.exe

windows10-2004-x64

1

mservice.vbs

windows7-x64

3

mservice.vbs

windows10-2004-x64

3

ps.exe

windows7-x64

7

ps.exe

windows10-2004-x64

7

sarmat.vbs

windows7-x64

1

sarmat.vbs

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2025, 15:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mozilla.vbs

  • Size

    7KB

  • MD5

    671e707199d3342bf92ea40a36d5d072

  • SHA1

    47a49a50bc92c99c9808dfb1bf598bc3b13c8a48

  • SHA256

    2d64444b089d1115af57105c0b9e5645872267ce89ec2a6c9b16975412f7769d

  • SHA512

    a9ebbfcf718ddf49ae6219e22b51a1022f1d9af6dcb0dc68000bace40e5b6f5269ae5dc9f2be8f09765b199eb04f9cefde55b9b1ac9107b2f11b175a81cd1895

  • SSDEEP

    96:GFEXrCYXpuO8AN/YdD/9dwwmX+5/KoSOnSb2E9IfOun82p4643YEjTn45LNftoNE:GFEXrd518+/m5/Kjun8Hf+LLNEJM0nwn

Score
8/10
spywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mozilla.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im chrome.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\OTHERS~1.ZIP
    Filesize

    22B

    MD5

    76cdb2bad9582d23c1f6f4d868218d6c

    SHA1

    b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

    SHA256

    8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

    SHA512

    5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

    Download Submit