f759299c255908d9dc75e0a65c7abd3598835c7e29c911f238a2df2b77703db5

Analysis

Target

f759299c255908d9dc75e0a65c7abd3598835c7e29c911f238a2df2b77703db5.vbs
Size

162KB
MD5

066033d8f2c588fbb53efe7eb7a320da
SHA1

95466ba7d5566315e84b023f618926647c414a8c
SHA256

f759299c255908d9dc75e0a65c7abd3598835c7e29c911f238a2df2b77703db5
SHA512

4df815cb9e1777e6352af216ed34c9b0a9b4c8b0be1ff1e6d4ed67716eca4350dbcd354534f56eafcb894968d7fcd7340d918d71efaf843bdc403d9ebb00f2d0

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

540 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 540 powershell.exe

pid	process
540	powershell.exe

description	pid	process
Token: SeDebugPrivilege	540	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1160 wrote to memory of 540	1160	WScript.exe	powershell.exe
PID 1160 wrote to memory of 540	1160	WScript.exe	powershell.exe
PID 1160 wrote to memory of 540	1160	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f759299c255908d9dc75e0a65c7abd3598835c7e29c911f238a2df2b77703db5.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY remotesigned -fILe C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:540

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1

MD5
59ef366b87424b895d42c829d7e409a5

SHA1
cca0c3bc1470b6daaf3178fac34bb44fa63d3c2d

SHA256
ba7b4d62901d894172cb0d2c36bed465943541e3e47fa4d182cb9c5c245350a9

SHA512
2b96b39bcd98b71bd28e19236a5568f279caf66661ca220cda33502d255b9906821e7170462258d8445180e9fcf29df8e8bf50bc25587977980c930458b9757d

Download Submit
memory/540-58-0x000007FEF5E9E000-0x000007FEF5E9F000-memory.dmp

Filesize
4KB

Download
memory/540-59-0x00000000024E0000-0x00000000024E2000-memory.dmp

Filesize
8KB

Download
memory/540-60-0x00000000024E2000-0x00000000024E4000-memory.dmp

Filesize
8KB

Download
memory/540-61-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/540-57-0x000007FEF3770000-0x000007FEF42CD000-memory.dmp

Filesize
11.4MB

Download
memory/540-62-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/540-64-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1160-55-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

Filesize
8KB

Download