e0a1b6e2efc496d31187a85565ed59a54b47df4f0666285d3e6bf6fc4d372f46

General

Target

ev.ps1
Size

1KB
MD5

9830264dcac9b966dcdc809527689262
SHA1

9733c49c7f5026d6b51683f8781b6ba27fdcc541
SHA256

e0a1b6e2efc496d31187a85565ed59a54b47df4f0666285d3e6bf6fc4d372f46
SHA512

b613a9298d1f878ae8efb1b5e790954d08e1e6ebc3aeb3b0434dc6ad54605710a56e045315a4f601cffb61285c44278b15a8ea892ded6c96aca2e11822e22650

Score

9^/10

evasion ransomware

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	640	powershell.exe
Token: SeSecurityPrivilege	1148	wevtutil.exe
Token: SeBackupPrivilege	1148	wevtutil.exe
Token: SeSecurityPrivilege	1244	wevtutil.exe
Token: SeBackupPrivilege	1244	wevtutil.exe
Token: SeSecurityPrivilege	1312	wevtutil.exe
Token: SeBackupPrivilege	1312	wevtutil.exe
Token: SeSecurityPrivilege	1452	wevtutil.exe
Token: SeBackupPrivilege	1452	wevtutil.exe
Token: SeSecurityPrivilege	1556	wevtutil.exe
Token: SeBackupPrivilege	1556	wevtutil.exe
Token: SeSecurityPrivilege	1676	wevtutil.exe
Token: SeBackupPrivilege	1676	wevtutil.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

640 powershell.exe
640 powershell.exe
640 powershell.exe

pid	process
640	powershell.exe
640	powershell.exe
640	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 640 wrote to memory of 1148	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1148	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1244	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1244	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1312	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1312	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1452	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1452	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1556	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1556	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1676	640	powershell.exe	wevtutil.exe
PID 640 wrote to memory of 1676	640	powershell.exe	wevtutil.exe

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ev.ps1
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" epl System "D:\WindowsEventLogs\OWZMOTQA-System-07/12/2020 14:41:46.evtx"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl System
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" epl Security "D:\WindowsEventLogs\OWZMOTQA-Security-07/12/2020 14:41:46.evtx"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Security
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" epl Application "D:\WindowsEventLogs\OWZMOTQA-Application-07/12/2020 14:41:46.evtx"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" cl Application
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

1

T1070

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1148-0-0x0000000000000000-mapping.dmp

Download
memory/1244-1-0x0000000000000000-mapping.dmp

Download
memory/1312-2-0x0000000000000000-mapping.dmp

Download
memory/1452-3-0x0000000000000000-mapping.dmp

Download
memory/1556-4-0x0000000000000000-mapping.dmp

Download
memory/1676-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing