d0eacc86ba243aa25112dfdbe4c11b1bc7e90a50921e2dccaefa65e626484a1c

Analysis

max time kernel
117s
max time network
132s
platform
windows7_x64
resource
win7-en-20211208
submitted
19-02-2022 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0eacc86ba243aa25112dfdbe4c11b1bc7e90a50921e2dccaefa65e626484a1c.vbs
Size

160KB
MD5

2f4b0aaefc5a69aad3be2795c45e97d7
SHA1

b40b2a3afad0f04934e3892a23fa320fbbe85ec5
SHA256

d0eacc86ba243aa25112dfdbe4c11b1bc7e90a50921e2dccaefa65e626484a1c
SHA512

4e5113ad23bc3a1242f47d9d03a319bd921e3016a8527637aabbb390045f7559609cd478dad8500745a457636360822de5d9f51f2a11e6a13ed76b44d8ad3b8a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1324 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1324 powershell.exe

pid	process
1324	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1324	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1740 wrote to memory of 1324	1740	WScript.exe	powershell.exe
PID 1740 wrote to memory of 1324	1740	WScript.exe	powershell.exe
PID 1740 wrote to memory of 1324	1740	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0eacc86ba243aa25112dfdbe4c11b1bc7e90a50921e2dccaefa65e626484a1c.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eXEcUTiONpOLicY rEmOtEsIgNeD -FILE C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1
MD5
71d07a62e6a9f93697bee333cf33cb43

SHA1
314e0556f14615f249e76c399fbd352a57c8b854

SHA256
28551c51fc1cb17cfe2f238acc467e8264a01c8262911250634be617a9e16b91

SHA512
e0dcee489be5c9d73adf7bd373dc5d998bd0be8e1d51857081d8764278e73433ba5f0885a2492b9fdcd7bccc4d7c83e9e5c3316f1b19c80dca413913ad82555e

Download Submit
memory/1324-56-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

Filesize
4KB

Download
memory/1324-59-0x00000000026C0000-0x00000000026C2000-memory.dmp

Filesize
8KB

Download
memory/1324-58-0x00000000026C2000-0x00000000026C4000-memory.dmp

Filesize
8KB

Download
memory/1324-60-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/1324-57-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

Filesize
11.4MB

Download
memory/1324-61-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1324-63-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/1740-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download