Overview

overview

10

Static

static

J3m1a_Paym...py.vbs

windows7_x64

3

J3m1a_Paym...py.vbs

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    18-11-2021 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    J3m1a_Payment_Copy.vbs

  • Size

    2KB

  • MD5

    69cb30fd3d94cfcc7c89a1f41a47d8dd

  • SHA1

    5cc7c867d8b5238fa7ad4718c5ba5d105e72cd22

  • SHA256

    6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985

  • SHA512

    02a96d4ecfda83233a557ac3cf94629ee251ed9ecef775bd697d371091c5c03fb48aacb4640770fdd9fd097f1cd118b62053c0f26183e08062ede68a6c4b8d5a

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\J3m1a_Payment_Copy.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    8a3b2f5dd6c4dbe15c05c95d1901737d

    SHA1

    360a38027ce3a0551dd6f699531dbeb9df522644

    SHA256

    fba1e10505e01591f971d9b5f789643e1dd033ed7d5e8275cd0d7baf4d33d73b

    SHA512

    c433ac6f240fc5188af02314475f901b73c683c6d08136393a3a1234cd8427d32830703e6e596b4ca2f55239406e114f746a0245649e2fe16bdbeb58066f7992

    Download Submit
  • C:\Users\Public\Downloads\HBar.ps1
    MD5

    337541d9757cb9a63d85337a2f1a4f27

    SHA1

    377ed9d80c26e3d0f3d6f943fa773a3ff83fe242

    SHA256

    867cca9a95ed015d4a227078782bf495af80c6101d0085eddcfe8aecc6284bef

    SHA512

    9e98ac416efd807434386942b6f3fb938a384479a0703e89324b769053eaf72ecd609cc826f172227ad93e7efd5e90caeb0ebca939bbec53981244013bb31031

    Download Submit
  • memory/524-66-0x000007FEF24B0000-0x000007FEF300D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/524-68-0x0000000002460000-0x0000000002462000-memory.dmp
    Filesize

    8KB

    Download
  • memory/524-72-0x000000000246B000-0x000000000248A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/524-70-0x0000000002464000-0x0000000002467000-memory.dmp
    Filesize

    12KB

    Download
  • memory/524-69-0x0000000002462000-0x0000000002464000-memory.dmp
    Filesize

    8KB

    Download
  • memory/524-63-0x0000000000000000-mapping.dmp
    Download
  • memory/620-67-0x000000000283B000-0x000000000285A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/620-60-0x0000000002832000-0x0000000002834000-memory.dmp
    Filesize

    8KB

    Download
  • memory/620-59-0x0000000002830000-0x0000000002832000-memory.dmp
    Filesize

    8KB

    Download
  • memory/620-62-0x000000001B7C0000-0x000000001BABF000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/620-58-0x000007FEF24B0000-0x000007FEF300D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/620-56-0x0000000000000000-mapping.dmp
    Download
  • memory/620-61-0x0000000002834000-0x0000000002837000-memory.dmp
    Filesize

    12KB

    Download
  • memory/892-55-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
    Filesize

    8KB

    Download