Overview

overview

10

Static

static

0681c37cfb...82.ps1

windows7_x64

8

0681c37cfb...82.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 13:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0681c37cfbb640a08028c3ba49e92dc82268f8ad2aa865b86efafc834ade3682.ps1

  • Size

    903KB

  • MD5

    55e24e49a28d1c65ef535778982d0854

  • SHA1

    368b76cfca253c01675533f1a9ba4756eab239b1

  • SHA256

    0681c37cfbb640a08028c3ba49e92dc82268f8ad2aa865b86efafc834ade3682

  • SHA512

    6aecf6a9a90083d8599da9fc1c68d9783942b6819739ceb8f03a4df58f20a92addba17561969b0e85d2243a33eceb2b28ca9571c782abc746e7f298734577067

Score
8/10
ransomware

Malware Config

Signatures

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0681c37cfbb640a08028c3ba49e92dc82268f8ad2aa865b86efafc834ade3682.ps1
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgvymfoi.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES403D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC403C.tmp"
        3⤵
          PID:956
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bwyxoonm.cmdline"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4156.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4136.tmp"
          3⤵
            PID:1812

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES403D.tmp
        Filesize

        1KB

        MD5

        e0e91f62e1e8b956f187f3039160a3ad

        SHA1

        a978ad1e4bee908e7da8866b6bb9d89b6256dead

        SHA256

        715b149a112bf6ea8760faf43a5574b0846b61d6a1f042464f885b14a9be35e9

        SHA512

        7ac1061e696a39618e1d2d63927191db028315e4751b2ee585b3c477f617718bae14b4ce96020abc9f9d0cf13e19d2234edccc358e99f6bbb8772a284cdd10f5

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RES4156.tmp
        Filesize

        1KB

        MD5

        ad2f6fbf23eb3bbb9a6d488ddd538903

        SHA1

        011b986f790a64f9e1c54104f2f1e2dd5c69c1cf

        SHA256

        dba9380c92359475a282238eccad918ac5656ec5e78b871e0eb755a2693ff578

        SHA512

        dbb547eed10caa975f02637df0fea17aab305f43d2692cb5d99951ad2f2bbef1a4557583f69c1b3bd1422b2d3986a75bf028da59e936c5a88427b3a62cef40d6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\bwyxoonm.dll
        Filesize

        4KB

        MD5

        b91954dd5e56c6bde0144ad38f09dead

        SHA1

        d2bf5a55c057da73e49e4a99135a3f23e266f908

        SHA256

        be8a0a60c39cb437421fc5de1b2b53ffe103d70aeb119e5998368855c7cbdb64

        SHA512

        79050e0b0b3991b3b230568496af08f7dcb2a89c9b63e3e0fafeae018eec69741204736f5fd650942a01b19d8a79d0f2ee2534cf7cce7e74330e5b3aaa2fdee2

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\bwyxoonm.pdb
        Filesize

        7KB

        MD5

        e6c982737655392cdae8f622e395ce0d

        SHA1

        bb4210faa39e9a98e822e9e3741050a2bb60fcf6

        SHA256

        68ad3daabdce0073d08048c1de13e3f8bf0d61a5165276be025ea6b93490285c

        SHA512

        6757743e49f7dcb51dd82f1b33ae0c7465d37c94f4aadf7abd3688248451f69b0f44bb66a1258c1d66226af64603969388b24e56e83e65a7c6d8d0c05afa9842

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\wgvymfoi.dll
        Filesize

        6KB

        MD5

        2ff543077bb57e7968f3f2290cf014d3

        SHA1

        64fd2cc98ebea780184eec554b4fac16da82111d

        SHA256

        d32de2dc841d7ab40efb09320d52eba6a93004dfd1711c3ef452a107697c5618

        SHA512

        ddea7ac437212b8facf84baca33adb6d6abeb574550651bc1786d6475aab73c575e1ef52c4ceeb384b73dd232d4ec41858ff9c13898a489a3a196b1710b0f4a2

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\wgvymfoi.pdb
        Filesize

        7KB

        MD5

        32bf465dbfbcbcd78fea65ed75ca997b

        SHA1

        38cb6c6f922a629340e1a63b84975f7abab2e85d

        SHA256

        ad246f16e723fc98d39ee9ea5f99e3d3804d0f0adc68178d8a46f9c1c211e0ca

        SHA512

        4a6ad171c0e00a9062e0e4164f2beee30d92dba5c91f14c1075b900cf3397b5aa8b5fca8bbbe3c5bee0c71e6ba14436077bcb5552bfa23410ed9e0870e24b39e

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\CSC403C.tmp
        Filesize

        652B

        MD5

        86dd1a97f3f5f5b748cfcab807eb3789

        SHA1

        f53852d99e32ea5b794f6ea2cbc5c59e6d9b11c1

        SHA256

        28ea289524d64a8ef6a84dcf9ee75b92b14bfc0bfc1463aeb409030e020c5b5b

        SHA512

        08b0c285030458bf857e84d4bcbf6e38388d290ec4eef067652c749d7ebe8d0317a4a42356613bd81c06f0c4ad6839fc65d33e1815dbd4413c993121a888f1fa

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\CSC4136.tmp
        Filesize

        652B

        MD5

        a1b323c77955cecc9d47f4337821320a

        SHA1

        15c4a604a7b8609cfcf3a19fb3cf8855d4397305

        SHA256

        4875eacfb7d2a5dff2b9b7275a4991c9f4c5e4f944652dfb29cb7ded9f265ac6

        SHA512

        e06d16a439b62bb56e64dd6a3925b6287f832b25674ec9eb6b1d4804ad7d820dc6e705313758f053533896e94407485caba39d42e1d9ed57fa061d0a59c586e3

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\bwyxoonm.0.cs
        Filesize

        2KB

        MD5

        c97bbb0991bdcc70f6cd23e863029f03

        SHA1

        3f21d01b0970a323b090056e285b4261c784cb19

        SHA256

        c59ec8f208e5dd9e310b3ca6a2148c22ff52ada68d15e2cd0ade4a819a20208a

        SHA512

        436100ea9f52ae49a6c5179d12464a1e18bb0cbfddb4545774d582fe2d5c269efdf6bce97ad84deb3419f29f4ba0572a1ccebd5beb70ecd98c7c59ed77f4196d

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\bwyxoonm.cmdline
        Filesize

        309B

        MD5

        744bad5a189211c941eef767580a98e4

        SHA1

        fa2225f7d52ace6a735cc51358a0836742b2ee36

        SHA256

        c02c8a86df117a716b1ec0eb79e16837df43afb6a1f6fe9570a6e16f72b3e4e9

        SHA512

        11f16cf716ffb8cf8657246f597b3a914c3a7999e8d59d1965f997f85dc6846984783965dc14f3c16e8818ce2660da86d6b8be6ca3f5b58a948d205095f90bbe

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\wgvymfoi.0.cs
        Filesize

        8KB

        MD5

        07086ea98fed0079427b7f0710fe62e0

        SHA1

        8bd780bdb9a03d88f32ebef8549509a697fe0102

        SHA256

        eab011089366b76f3f371a62efbe22340ed3adbd2cd5a46a5558c3faac101fff

        SHA512

        d1b4741ca1d09f5b8e72e43c6d08a8f6d69d14cac46bf3c42004e0105e18e892f2ea44f3b28a984779c3c047f5641431148c39bf0eb09093473d2c105c4d2d97

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\wgvymfoi.cmdline
        Filesize

        309B

        MD5

        0718b03e390643aae7134c47ac91909e

        SHA1

        46004811f414a4d707de28187cb4ab76704e59a1

        SHA256

        8237c765fde85cf0143f515489971d988e981f466c08676710b7cd386d89df86

        SHA512

        f1f5402fe3e3abbbe31bd11b8741ab72094e93038c162f2113f535686b7cf670e31b8eae7b2c89a34beed7e8b47c3bfa866191040c6920e64897df6057e423f7

        Download Submit
      • memory/956-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1620-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1812-71-0x0000000000000000-mapping.dmp
        Download
      • memory/1828-56-0x000007FEF3900000-0x000007FEF445D000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/1828-59-0x00000000028AB000-0x00000000028CA000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1828-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1828-58-0x000000001B7B0000-0x000000001BAAF000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1828-57-0x00000000028A4000-0x00000000028A7000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1828-55-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp
        Filesize

        10.1MB

        Download
      • memory/1828-76-0x0000000002621000-0x0000000002639000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1984-60-0x0000000000000000-mapping.dmp
        Download