e0a1b6e2efc496d31187a85565ed59a54b47df4f0666285d3e6bf6fc4d372f46

General

Target

ev.ps1
Size

1KB
MD5

9830264dcac9b966dcdc809527689262
SHA1

9733c49c7f5026d6b51683f8781b6ba27fdcc541
SHA256

e0a1b6e2efc496d31187a85565ed59a54b47df4f0666285d3e6bf6fc4d372f46
SHA512

b613a9298d1f878ae8efb1b5e790954d08e1e6ebc3aeb3b0434dc6ad54605710a56e045315a4f601cffb61285c44278b15a8ea892ded6c96aca2e11822e22650

Score

9^/10

evasion ransomware

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeSecurityPrivilege	1888	wevtutil.exe
Token: SeBackupPrivilege	1888	wevtutil.exe
Token: SeSecurityPrivilege	1896	wevtutil.exe
Token: SeBackupPrivilege	1896	wevtutil.exe
Token: SeSecurityPrivilege	1904	wevtutil.exe
Token: SeBackupPrivilege	1904	wevtutil.exe
Token: SeSecurityPrivilege	1940	wevtutil.exe
Token: SeBackupPrivilege	1940	wevtutil.exe
Token: SeSecurityPrivilege	1956	wevtutil.exe
Token: SeBackupPrivilege	1956	wevtutil.exe
Token: SeSecurityPrivilege	1968	wevtutil.exe
Token: SeBackupPrivilege	1968	wevtutil.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1768 powershell.exe

pid	process
1768	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1768 wrote to memory of 1888	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1888	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1888	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1896	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1896	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1896	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1904	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1904	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1904	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1940	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1940	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1940	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1956	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1956	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1956	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1968	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1968	1768	powershell.exe	wevtutil.exe
PID 1768 wrote to memory of 1968	1768	powershell.exe	wevtutil.exe

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ev.ps1
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" epl System "D:\WindowsEventLogs\AVGLFESB-System-07/12/2020 12:42:33.evtx"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl System
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" epl Security "D:\WindowsEventLogs\AVGLFESB-Security-07/12/2020 12:42:33.evtx"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Security
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" epl Application "D:\WindowsEventLogs\AVGLFESB-Application-07/12/2020 12:42:33.evtx"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Application
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

1

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-0-0x0000000000000000-mapping.dmp

Download
memory/1896-1-0x0000000000000000-mapping.dmp

Download
memory/1904-2-0x0000000000000000-mapping.dmp

Download
memory/1940-3-0x0000000000000000-mapping.dmp

Download
memory/1956-4-0x0000000000000000-mapping.dmp

Download
memory/1968-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing