Overview

overview

10

Static

static

13efa382b1...c4.vbs

windows7_x64

3

13efa382b1...c4.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19-02-2022 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13efa382b10defb99bd1415a12ab885da5ba6773bd651f2a983239bf10bcd5c4.vbs

  • Size

    151KB

  • MD5

    2617fabde3d4865c6838626ff1f08dd4

  • SHA1

    1b30dd98a97c25f898b9a90765b9da65e5f59a85

  • SHA256

    13efa382b10defb99bd1415a12ab885da5ba6773bd651f2a983239bf10bcd5c4

  • SHA512

    10e525b6fd13fc268e4eecad4abe1ee5d81fb0ebba701c522b6ff2485954477ccdb9810ceb06d51183469f3e5f5e0af8935d20156e25d601d14e371d040af8b8

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13efa382b10defb99bd1415a12ab885da5ba6773bd651f2a983239bf10bcd5c4.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -FILE C:\Users\Admin\AppData\Local\Temp\Systray64.PS1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Systray64.PS1
    MD5

    3bf84ac22ea91f5dab4a2e743ecee16d

    SHA1

    8bcc6a36b44413266bd44915aa2af7198045d0bb

    SHA256

    5482d824e6edc8cd2237aad6b99ad5f7b5bb7676bd3fee92f295707c3db32d10

    SHA512

    b0905a70c14a780674781db670a6f89bd85564f38601eb3e50bffcaa8e23079b68281d51c38f5679b8fa5796a798714990bc2f3fb4aade2f814416ebc6cd2d8f

    Download Submit
  • memory/1672-55-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2044-57-0x000007FEF5C5E000-0x000007FEF5C5F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2044-58-0x0000000002460000-0x0000000002462000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2044-60-0x000007FEF5C5E000-0x000007FEF5C5F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2044-61-0x0000000002462000-0x0000000002464000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2044-62-0x0000000002464000-0x0000000002467000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2044-59-0x000007FEF3530000-0x000007FEF408D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/2044-64-0x000000000246B000-0x000000000248A000-memory.dmp
    Filesize

    124KB

    Download