Overview

overview

10

Static

static

63ba6db8c8...06.ps1

windows7_x64

10

63ba6db8c8...06.ps1

windows10_x64

1

Analysis

  • max time kernel
    55s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    01-10-2020 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1

  • Size

    1.6MB

  • MD5

    c171bcd34151cbcd48edbce13796e0ed

  • SHA1

    2770fec86275dfb1a4a05e2d56bc27a089197666

  • SHA256

    63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806

  • SHA512

    d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da

Score
10/10
spywareransomwaresuncryptpersistence

Malware Config

Signatures

  • SunCrypt Ransomware

    Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.

    ransomwaresuncrypt
  • Blacklisted process makes network request 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops desktop.ini file(s) 35 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kanxfn4j\kanxfn4j.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE2A.tmp" "c:\Users\Admin\AppData\Local\Temp\kanxfn4j\CSC3803EA387B204457907E8AF0E88EF45.TMP"
        3⤵
          PID:1592
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1"
        2⤵
        • Blacklisted process makes network request
        • Modifies extensions of user files
        • Drops startup file
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5zkexmo5\5zkexmo5.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:300
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAB5.tmp" "c:\Users\Admin\AppData\Local\Temp\5zkexmo5\CSCF6992802BB794E728A3F355E58ADEB6F.TMP"
            4⤵
              PID:600
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:2024

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
        MD5

        03b807e272239f76e5a650327d007451

        SHA1

        800be0462ea733f4176d5be26a69566d4dde4738

        SHA256

        845bb4d5134c4b9ba90197251de4c4d82013b61c221ebb0aa8e883804bf3462a

        SHA512

        c962947c059e6541e6ab6f898c78aa5f5356068227f37d6cfe091073044f6ef195b5868a8ce5a4eed5b2415594cbd5d3d9611b8e1729e5413ce33a90581ff8e5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5zkexmo5\5zkexmo5.dll
        MD5

        0387c71e3abfcd55084234021c3578c7

        SHA1

        2c9feca7cafa961978a14ef7167f4256c150aaf5

        SHA256

        bed0125dc0af7604ad83564dc3602b6b45b11db84f40c943280a3fd120a84cb2

        SHA512

        3e33b53ff4eaf932885a295fef4e5e9a21ba68bc7db29e465a70b34673bef39bf999cefabbf3091b1946874a157fed8c915c4909f02575b1bd8232e742a20a22

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESAE2A.tmp
        MD5

        51107da116bd856d65113d0fa8d40007

        SHA1

        2565126018f2437cac0c51a2be73cc8df0ad811f

        SHA256

        5d812fb294a5db0d8561a2842bf75da270076b6417eb7742d7c24b002b125df4

        SHA512

        6eec39f0929f8c35507bc9ade66fbe4a35eb313c6f7f7c8b87cc8dae3a8be6d5a4b8c152e0f7ac1f9579c31b56acf52ed628520c988bdc63b0cd274390dbfc9c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESDAB5.tmp
        MD5

        55e325abc22041a3e79762423adc7ca6

        SHA1

        c6221c55cea38290987f9ba7c21d43044701c8b9

        SHA256

        78d8f6ba49d2077c1555a74d86fd17c0a6db94a626b9d40c0be35d72ca687f51

        SHA512

        c6b35d934d36664ead9d3cdc9d2da1d933152cf1b6b8eb863632672b4c3e080b8a8cce26241ff7b2561c7c245cd16131a2f6068c8f6ddc525c8df7162835041d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\kanxfn4j\kanxfn4j.dll
        MD5

        9675764cc3e2b9d009d884059875e19b

        SHA1

        253a0f4ef1639cdfe54166ae598610077a7bfd13

        SHA256

        6630d791d1488bd573e650e3fcc030e5be4adea0282b375d2228eee2ca630efe

        SHA512

        96a1d99d6cb9eb543e25fecbb595bd236a45a692fbbc0df9a7780b5f819c62fa70398ff962cafff99c37ac053c8f129e905c3cd08ed6ac952670045af737c1b9

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\5zkexmo5\5zkexmo5.0.cs
        MD5

        caf98c9f9cc2c02cdc79eb3409a36bc5

        SHA1

        aae6131763eaace982ee93fb15ee0eff45a034d2

        SHA256

        dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

        SHA512

        74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\5zkexmo5\5zkexmo5.cmdline
        MD5

        e94f18d8885b39fc50aa5db19ebafcb9

        SHA1

        851057e65b4c965b5a414969ac503197a513c5db

        SHA256

        35b67bfb4821c8f55c19075e6b391deaa2b77bd801480cf6077f5048e521fc72

        SHA512

        07fcc3f0e12323cde1b2f05232148b4cedf34a656873fd72a10620d59ad7012a504559e822390b9cf6f615c584a1de7465893cc577096e7886e38edb489c470e

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\5zkexmo5\CSCF6992802BB794E728A3F355E58ADEB6F.TMP
        MD5

        a28db0eb47ce0d9f9ed406b596669c7c

        SHA1

        7395481cd3c793497ad9d9e7420baf0c64ada20b

        SHA256

        43758145413e824d12ba2cc32aba2b1ab08b023ccc51d97d0a11e74156176bac

        SHA512

        c1b0a6dc92e28ec233fd21019308c80dfd597fafef034ddb80fa3d444aa372a4d5243c47fbe19b2933fb327ecd0a1933894d35039f7b7af9753a4f00c7c06d4d

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\kanxfn4j\CSC3803EA387B204457907E8AF0E88EF45.TMP
        MD5

        bacc9d8d3ffa3aabd1d9df4513a900ee

        SHA1

        2d316b0038a5a3360e881ac8d62f17a86e4643b7

        SHA256

        642ff26e8cc206ae40d5511f0feefa011f0320f249c7ca3c7f61d6ca08396e8c

        SHA512

        776a23b10e39204585193ae4bcc50ffce4aa75c3f4c5c4d389745dbd8648e01adc14a3ce9d701fc8185f702fb88d700c162e0240055262cf9d165576474c329a

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\kanxfn4j\kanxfn4j.0.cs
        MD5

        caf98c9f9cc2c02cdc79eb3409a36bc5

        SHA1

        aae6131763eaace982ee93fb15ee0eff45a034d2

        SHA256

        dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

        SHA512

        74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\kanxfn4j\kanxfn4j.cmdline
        MD5

        ff9e7d081dcc1a1e0f2fc8fe6101581d

        SHA1

        37db234eceb2b17cc2554d644db6926d8d390ec8

        SHA256

        ac2c2bf0249eb70e8c1ce36023494ec6e609e7231182788456675d57f4ccfc10

        SHA512

        69ea3ca0863d69bb6397203b6b0bb7ecb873fbf8df9c6d6043663da7591c1a8a275cb4c3d30ea6140d03841a9c5419f815eb0cecb88bec2c1132cc54ebe0406b

        Download Submit

      • memory/300-44-0x0000000000000000-mapping.dmp

        Download

      • memory/600-47-0x0000000000000000-mapping.dmp

        Download

      • memory/1060-13-0x0000000001F40000-0x0000000001F41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-5-0x000000001B970000-0x000000001B971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-4-0x0000000001F20000-0x0000000001F21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-0-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1060-3-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-2-0x000000001AD00000-0x000000001AD01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-1-0x0000000002350000-0x0000000002351000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1592-9-0x0000000000000000-mapping.dmp

        Download

      • memory/1624-16-0x0000000000690000-0x0000000000691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-18-0x0000000000C80000-0x0000000000C81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-33-0x0000000006450000-0x0000000006451000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-40-0x00000000064F0000-0x00000000064F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-41-0x0000000006590000-0x0000000006591000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-27-0x0000000005850000-0x0000000005851000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-19-0x0000000001250000-0x0000000001251000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-32-0x00000000062F0000-0x00000000062F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-17-0x0000000004C20000-0x0000000004C21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1624-15-0x0000000073A20000-0x000000007410E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1624-14-0x0000000000000000-mapping.dmp

        Download

      • memory/1624-51-0x0000000006530000-0x0000000006531000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1640-6-0x0000000000000000-mapping.dmp

        Download

      • memory/1640-53-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

        Filesize

        2.5MB

        Download