Overview

overview

10

Static

static

63ba6db8c8...06.ps1

windows7_x64

10

63ba6db8c8...06.ps1

windows10_x64

1

Analysis

  • max time kernel
    57s
  • max time network
    66s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    05-10-2020 08:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1

  • Size

    1.6MB

  • MD5

    c171bcd34151cbcd48edbce13796e0ed

  • SHA1

    2770fec86275dfb1a4a05e2d56bc27a089197666

  • SHA256

    63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806

  • SHA512

    d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da

Score
10/10
persistencespywareransomwaresuncrypt

Malware Config

Signatures

  • SunCrypt Ransomware

    Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.

    ransomwaresuncrypt
  • Blacklisted process makes network request 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops desktop.ini file(s) 35 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvehgn3m\bvehgn3m.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A14.tmp" "c:\Users\Admin\AppData\Local\Temp\bvehgn3m\CSC56FDA1B0416C46DD8AEABF87D0ACF5C6.TMP"
        3⤵
          PID:1532
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1"
        2⤵
        • Blacklisted process makes network request
        • Modifies extensions of user files
        • Drops startup file
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g1nrnwn5\g1nrnwn5.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56A8.tmp" "c:\Users\Admin\AppData\Local\Temp\g1nrnwn5\CSC6E1FD697DD4B431B843A58F8EAFD5D4.TMP"
            4⤵
              PID:1376
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:1184

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1588-0-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1588-1-0x00000000023C0000-0x00000000023C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1588-2-0x000000001AD60000-0x000000001AD61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1588-3-0x0000000001E60000-0x0000000001E61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1588-4-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1588-13-0x0000000002330000-0x0000000002331000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1588-5-0x000000001C5B0000-0x000000001C5B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1788-54-0x000007FEF8040000-0x000007FEF82BA000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/1988-19-0x0000000005240000-0x0000000005241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-18-0x00000000024D0000-0x00000000024D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-41-0x00000000065D0000-0x00000000065D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-33-0x00000000064B0000-0x00000000064B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-32-0x0000000006210000-0x0000000006211000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-27-0x00000000061A0000-0x00000000061A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-40-0x0000000006420000-0x0000000006421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-17-0x0000000004870000-0x0000000004871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-16-0x0000000002090000-0x0000000002091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-51-0x0000000006460000-0x0000000006461000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1988-52-0x00000000068E0000-0x000000000690E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/1988-15-0x0000000073680000-0x0000000073D6E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1988-56-0x00000000061F0000-0x00000000061F1000-memory.dmp

        Filesize

        4KB

        Download