Overview

overview

10

Static

static

63ba6db8c8...06.ps1

windows7_x64

10

63ba6db8c8...06.ps1

windows10_x64

1

Analysis

  • max time kernel
    57s
  • max time network
    66s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    05-10-2020 08:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1

  • Size

    1.6MB

  • MD5

    c171bcd34151cbcd48edbce13796e0ed

  • SHA1

    2770fec86275dfb1a4a05e2d56bc27a089197666

  • SHA256

    63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806

  • SHA512

    d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da

Score
10/10
persistencespywareransomwaresuncrypt

Malware Config

Signatures

  • SunCrypt Ransomware

    Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.

    ransomwaresuncrypt
  • Blacklisted process makes network request 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops desktop.ini file(s) 35 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvehgn3m\bvehgn3m.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A14.tmp" "c:\Users\Admin\AppData\Local\Temp\bvehgn3m\CSC56FDA1B0416C46DD8AEABF87D0ACF5C6.TMP"
        3⤵
          PID:1532
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1"
        2⤵
        • Blacklisted process makes network request
        • Modifies extensions of user files
        • Drops startup file
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g1nrnwn5\g1nrnwn5.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56A8.tmp" "c:\Users\Admin\AppData\Local\Temp\g1nrnwn5\CSC6E1FD697DD4B431B843A58F8EAFD5D4.TMP"
            4⤵
              PID:1376
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:1184

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
        MD5

        21215953575820289a959e33c7099940

        SHA1

        0a20f40e3d2792fd7c8709391288e7991a513758

        SHA256

        afb16c997347f2d10e443c8a2e4f99590859a388590d8a2df094066046c817cd

        SHA512

        6bf3dde536ec8861fac00e27f7c919b41245cb03c664f8de08de1b5c4a684fc6a4c6b4f1e2fce1a05b8cedea4ee2c2a0e08b15c0635c595116dedb85e189752f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RES3A14.tmp
        MD5

        d5a17dab73bfacd3ee9335eac321c062

        SHA1

        8992c75337d830dd70baa1af85812c7239d9bc61

        SHA256

        afbf9b66413f9a58a3e557aae2c66d9eedb714068b2adff09dd0634a3f7ec6d1

        SHA512

        e85af0aa847ef53aeda37038f0df5d57d4d4cc00967e6a59d80a338741a76a1795b26c7f4cd5c0891cf33ceb17d95cbdd1c105097196784aa84d594c9e7f8af9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RES56A8.tmp
        MD5

        48a936a5d03bac512c78b482bc6e7a26

        SHA1

        423a201ab07b0281ee6b81c43d16734854aa1e08

        SHA256

        97d8e3d24fc7b7d1eaa2b155773073992379eb7a1dcb8d9785f51878a7a540f2

        SHA512

        0118c290ee753eab0ebe712af2f92c0462afae9ad33d0ae6036a9c8cfc86e8f43dd64ab08b191f0285b2baa144b2721e6876f39629a7d93f03fa09571255d6ef

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\bvehgn3m\bvehgn3m.dll
        MD5

        5a3b22bc45cf8b1af2a0e93205946026

        SHA1

        c16974ce0708d8bf74def64c37072ad4b4e396b9

        SHA256

        a19c80ee4b60967f36a304e47357f2b03ecd5b07846cc16f97b2876f036f4b77

        SHA512

        157659367f205368d125b6740d414f1945fe2697f14e888191d723cfafb8c98f57031d920e20c75615317d2d96fc03a6a57bf1bc503c43643215dc6afc17cccd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\g1nrnwn5\g1nrnwn5.dll
        MD5

        0f6d6faa8416a832c764eb04416098a1

        SHA1

        7906af553448f7ee4dca88178d05eedd6ae7a428

        SHA256

        0c0f4fc7024234ac40c0d9b1a669d9f3dfd32f4a2afca85e0c5f0b649195d0f9

        SHA512

        35c6c823629d22c0a0e20a6ecc3f4bef7e6be1c3c7ba42d9cd46555d74530c6c98c83a3d81482350235bc76d28083e3890e7c19c6b0109d6f06590bc53e82fa2

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\bvehgn3m\CSC56FDA1B0416C46DD8AEABF87D0ACF5C6.TMP
        MD5

        34989d9d7296e063fabdc6208c9edade

        SHA1

        269749eb6d3513b4726c0a0a941ffcf4d0bd270b

        SHA256

        cd7d89165c81335051d18192478270c82dc7a20e39f70d1f48b2d2ca4428b475

        SHA512

        827c902f216a665603be59a23a3407a472941952399e5ba81265822c050dc6fd3cd510d53abdc1c18abbcdc689f2229bf3090ddb3cc1bbcc62ab8ba8e9e6ec7b

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\bvehgn3m\bvehgn3m.0.cs
        MD5

        caf98c9f9cc2c02cdc79eb3409a36bc5

        SHA1

        aae6131763eaace982ee93fb15ee0eff45a034d2

        SHA256

        dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

        SHA512

        74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\bvehgn3m\bvehgn3m.cmdline
        MD5

        c498bf5a6c07852023930b44040d6419

        SHA1

        a99f60e258b3ac26ed153382829a867365713e14

        SHA256

        8761b478b4dad44fefef01eb41c03adb4a5f894679cc0732cf7ac6d276c094ef

        SHA512

        3757ef4736dcbbccf09bae8ec0c9a2bd9866822b50c65a159e831bf1a847911c3edba231958811d5345e90792cfcf63c2d4f4ce2e78fcdf87854547a43e029ae

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\g1nrnwn5\CSC6E1FD697DD4B431B843A58F8EAFD5D4.TMP
        MD5

        d5b4f33aa7d442e08b95ef9d98edf150

        SHA1

        ea5bce7ccccb4500ae11cc750c904f7d44c69109

        SHA256

        9ff80c802a55ad6142760e60d68cf28035712d82d9867fa51e71bcef3f948388

        SHA512

        4382d1c6ff44b17f3096e291d67bded42119debd4570dc869bf39c3738ff207b713b3aff3231382451c360e53168917d06632053db77ec8f53c63ced35ebec49

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\g1nrnwn5\g1nrnwn5.0.cs
        MD5

        caf98c9f9cc2c02cdc79eb3409a36bc5

        SHA1

        aae6131763eaace982ee93fb15ee0eff45a034d2

        SHA256

        dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

        SHA512

        74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\g1nrnwn5\g1nrnwn5.cmdline
        MD5

        ccea24f816e0c0767b9b4ea0a8be08ed

        SHA1

        0e262511106de511d2f0f5e916fefd061a1444d7

        SHA256

        3d25943de22c2b53b26e1d53266f2bcd69e907a234a9ae9b1d56dcec27fcd58a

        SHA512

        cc37ddc439d2b18b311686ad32411d546cdf34346cc05798bb8b4260eeb73cd98c0a93169196744d101d2e10a9cd53406644a58e1029f4826951e73714b268fe

        Download Submit
      • memory/1376-47-0x0000000000000000-mapping.dmp
        Download
      • memory/1484-44-0x0000000000000000-mapping.dmp
        Download
      • memory/1532-9-0x0000000000000000-mapping.dmp
        Download
      • memory/1588-0-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/1588-1-0x00000000023C0000-0x00000000023C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1588-2-0x000000001AD60000-0x000000001AD61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1588-3-0x0000000001E60000-0x0000000001E61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1588-4-0x0000000001DC0000-0x0000000001DC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1588-13-0x0000000002330000-0x0000000002331000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1588-5-0x000000001C5B0000-0x000000001C5B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1596-6-0x0000000000000000-mapping.dmp
        Download
      • memory/1788-54-0x000007FEF8040000-0x000007FEF82BA000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/1988-19-0x0000000005240000-0x0000000005241000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1988-18-0x00000000024D0000-0x00000000024D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1988-41-0x00000000065D0000-0x00000000065D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1988-33-0x00000000064B0000-0x00000000064B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1988-32-0x0000000006210000-0x0000000006211000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1988-27-0x00000000061A0000-0x00000000061A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1988-14-0x0000000000000000-mapping.dmp
        Download
      • memory/1988-40-0x0000000006420000-0x0000000006421000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1988-17-0x0000000004870000-0x0000000004871000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1988-16-0x0000000002090000-0x0000000002091000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1988-51-0x0000000006460000-0x0000000006461000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1988-52-0x00000000068E0000-0x000000000690E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/1988-15-0x0000000073680000-0x0000000073D6E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1988-56-0x00000000061F0000-0x00000000061F1000-memory.dmp
        Filesize

        4KB

        Download