Overview

overview

10

Static

static

63ba6db8c8...06.ps1

windows7_x64

10

63ba6db8c8...06.ps1

windows10_x64

1

Analysis

  • max time kernel
    55s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    01-10-2020 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1

  • Size

    1.6MB

  • MD5

    c171bcd34151cbcd48edbce13796e0ed

  • SHA1

    2770fec86275dfb1a4a05e2d56bc27a089197666

  • SHA256

    63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806

  • SHA512

    d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da

Score
10/10
spywareransomwaresuncryptpersistence

Malware Config

Signatures

  • SunCrypt Ransomware

    Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.

    ransomwaresuncrypt
  • Blacklisted process makes network request 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops desktop.ini file(s) 35 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kanxfn4j\kanxfn4j.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE2A.tmp" "c:\Users\Admin\AppData\Local\Temp\kanxfn4j\CSC3803EA387B204457907E8AF0E88EF45.TMP"
        3⤵
          PID:1592
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1"
        2⤵
        • Blacklisted process makes network request
        • Modifies extensions of user files
        • Drops startup file
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5zkexmo5\5zkexmo5.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:300
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAB5.tmp" "c:\Users\Admin\AppData\Local\Temp\5zkexmo5\CSCF6992802BB794E728A3F355E58ADEB6F.TMP"
            4⤵
              PID:600
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:2024

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1060-13-0x0000000001F40000-0x0000000001F41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-5-0x000000001B970000-0x000000001B971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-4-0x0000000001F20000-0x0000000001F21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-0-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1060-3-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-2-0x000000001AD00000-0x000000001AD01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-1-0x0000000002350000-0x0000000002351000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-16-0x0000000000690000-0x0000000000691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-18-0x0000000000C80000-0x0000000000C81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-33-0x0000000006450000-0x0000000006451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-40-0x00000000064F0000-0x00000000064F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-41-0x0000000006590000-0x0000000006591000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-27-0x0000000005850000-0x0000000005851000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-19-0x0000000001250000-0x0000000001251000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-32-0x00000000062F0000-0x00000000062F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-17-0x0000000004C20000-0x0000000004C21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-15-0x0000000073A20000-0x000000007410E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1624-51-0x0000000006530000-0x0000000006531000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1640-53-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

        Filesize

        2.5MB

        Download