cfb3a1ff4101d761ef1f2c1e63fbb6e82587c520caa1c7915d86c912a6f4b424

General

Target

Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23/Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23.vbs
Size

24KB
MD5

c66f748e72e6070e0e7a99f1e9b3e29c
SHA1

5f1342f7d84032945cb2cfc0935e2c0a1229d3e8
SHA256

6be47a0e90c156e136a72dd94af8d0217fb4152c0dc6171702ceaa306d62e857
SHA512

153ccaf14b33c62be399db5e05463914b7361ed077f80c821d348639f11c6fa228aa31dda6e7ed9064c63f23715bb28190f92dc838de3a969cf5f9a03b3ab10e

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

4 1884 WScript.exe
7 1884 WScript.exe
Drops startup file 1 IoCs

Processes:

wscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idksdhiayxw.lnk wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 1344 shutdown.exe
Token: SeRemoteShutdownPrivilege 1344 shutdown.exe

flow	pid	process
4	1884	WScript.exe
7	1884	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idksdhiayxw.lnk	wscript.exe

description	pid	process
Token: SeShutdownPrivilege	1344	shutdown.exe
Token: SeRemoteShutdownPrivilege	1344	shutdown.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.exewscript.execmd.exe

description	pid	process	target process
PID 1884 wrote to memory of 632	1884	WScript.exe	wscript.exe
PID 1884 wrote to memory of 632	1884	WScript.exe	wscript.exe
PID 1884 wrote to memory of 632	1884	WScript.exe	wscript.exe
PID 632 wrote to memory of 364	632	wscript.exe	cmd.exe
PID 632 wrote to memory of 364	632	wscript.exe	cmd.exe
PID 632 wrote to memory of 364	632	wscript.exe	cmd.exe
PID 364 wrote to memory of 1344	364	cmd.exe	shutdown.exe
PID 364 wrote to memory of 1344	364	cmd.exe	shutdown.exe
PID 364 wrote to memory of 1344	364	cmd.exe	shutdown.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23\Comprovativo-de-transferencia-ID-yq5da6zfj6h-PDF-23.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\System32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Roaming\idksdhiayxw.vbs
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Windows\system32\shutdown.exe
      shutdown /r /t 0 /f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1344

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\20487217843531\smwdpktubzihcoseo1500829577444.exe

Filesize
133B

MD5
31b3fa3be13c3eca988b6647cf274003

SHA1
713779818be4a9956a02f8e16231750a9e0c3eb8

SHA256
881aa5538ac02efb941f6cbef4e784f5e4a4a0c70611cc6b7e7e461f21c65f97

SHA512
ba1fddaaa64e0bdc2418d615b2a34683167fc336d12109e29574c3cec51a93d16908bf155b96d0d8c4537b185caa7ee29c3eb6a84074ef366cd161b0fe8eb1bf

Download Submit
C:\Users\Admin\AppData\Roaming\idksdhiayxw.vbs

Filesize
498B

MD5
cfe14b1176b0bf7bc919dce07e8e5d11

SHA1
211c33f9579b9eac8a8edd5abd6d50c473f516d5

SHA256
60132889c2fa79618829daf8f1c3ee25b971944d5685522db5230de8b2cc639a

SHA512
df0024f53f2c5207a319aea7692d2927f85450b040e3e44a398c1529348ac1d0b639cea46e6699fbbeee54a17fb5d3893d00c6b68fec803f4cfb068f24df22dd

Download Submit
memory/364-59-0x0000000000000000-mapping.dmp

Download
memory/632-55-0x0000000000000000-mapping.dmp

Download
memory/1344-60-0x0000000000000000-mapping.dmp

Download
memory/1884-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing