Overview

overview

10

Static

static

load.ps1

windows7-x64

8

load.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2022 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    load.ps1

  • Size

    1.4MB

  • MD5

    09a05a2212bd2c0fe0e2881401fbff17

  • SHA1

    fbb6f8dae1753cd2a282ee161bc5496486cc06f7

  • SHA256

    b41a303a4caa71fa260dd601a796033d8bfebcaa6bd9dfd7ad956fac5229a735

  • SHA512

    8d0dd3a7d6adaa690a3f7625a573b8c50cfa9d40fa17836b7e8ab8a10bfe67f4eaf0720cedda0c1d2986e7e70770a097ad8af2a9e24ccd595514a0384cbc275f

Score
8/10
ransomware

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 35 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\load.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\khee07li.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B50.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1B3F.tmp"
        3⤵
          PID:1412
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\load.ps1"
        2⤵
        • Blocklisted process makes network request
        • Modifies extensions of user files
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\etrtmo0c.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1612
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29B1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC29B0.tmp"
            4⤵
              PID:1576
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1992

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES1B50.tmp
        Filesize

        1KB

        MD5

        b1e901a3f93128f66436e5e1b015b5be

        SHA1

        42f11a82899096748017059979669102586ee874

        SHA256

        fdd049b7e09916ad45e1757c2b007bf3e37dc80e1251132b627ea75fa360036e

        SHA512

        cca4e20ff763e0dab199fd8cf5e64f79a67f9518a088ac447859b73275795735897b9d1e821c29b9fe2e2ed71d235a6ff2bc95f1ee24a02c479f5863648b2ef9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES29B1.tmp
        Filesize

        1KB

        MD5

        80852ad66c2e84bb07ca52bb8566eec6

        SHA1

        b2d4891bc677b8965db38aa118bdafce251bb861

        SHA256

        82431bb3de07cd599d337f9b8f529ac0a055c8c03329230c2bfb9623701944a5

        SHA512

        4cfda37cb71dd12f95183131602d54a4195ea276ccf6c9d77ae8036e97ddc0f69c42ea2baf0536c8bc3816615f43cb545ce3352abb0b7f18e0dff3fb38fde386

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\etrtmo0c.dll
        Filesize

        3KB

        MD5

        911d2b98e8a2837e28b11fcbae0f0db4

        SHA1

        356ceb219798b75efea3e153b8d07ac659554cd3

        SHA256

        7f18a7d6d980a4770676df8cb89096537cfdec289c2586f78b1d0b3559bdea03

        SHA512

        b6381b5218ebeefd545b834423ae0e57d57231edfb847cf839484e98c32418931126a96d6547996e0188ab3beea54075806c6f03bfa69d6425e3eb06f3068ff0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\etrtmo0c.pdb
        Filesize

        7KB

        MD5

        115d6d65f44a1924b2a77cdb2b90e046

        SHA1

        e61c51a188c46bdfc44738d986639c97e180fbd5

        SHA256

        34aff5085deeedf181d9e17b4113aa66d50db8d940dd9c007455f0745abb0f9f

        SHA512

        7a0c58e26675d01b68b095a88e4acafb6ec167d913809df29d0c65f88614775df81d33991586b581bded4c4f6dd3a4237462ceadd0a63cf145797c166f3bb3f9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\khee07li.dll
        Filesize

        3KB

        MD5

        3ee5fe5559cbe8d53cb4c47ad25f3c28

        SHA1

        764b465ed6d74da017149725c08aba71f63af4ac

        SHA256

        a41dc23387ccac9037dea92576317d373b4c3d18dafee2e9fb4f11a556ec538b

        SHA512

        7ff69ab3c5d005912a239f06806aaf894fb7d7b9f6ca2b4b33ef6457ef087b953e4e8389f37c7762cbe9624bed0b581d29e20676ac8c8bd3d986139c5ac48333

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\khee07li.pdb
        Filesize

        7KB

        MD5

        5c231dfbfcb9a3da5e2063c2c6b33649

        SHA1

        34325093b7aa33c5bb10ac711111d7a668a6a4a4

        SHA256

        1b6f09939b4ebf3d61dce421c98b10baac85a83be9326bcc937a0673e3d14ba6

        SHA512

        29a0b2147c956a84152f13bd4353927ca9517a20f9ecaff474bf1595fb28124891b3123e3e491568f6f498f12b7f256d85878d7edc28c05cf822ac513c02e71a

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC1B3F.tmp
        Filesize

        652B

        MD5

        fe2784a8acfc764efa33b1ba5c3c1765

        SHA1

        c3caaf2d419ceea08c20745cafb9d33215e11984

        SHA256

        5c997224f991307217de38a55b1d43617f8a548cc11f9114d4296426816b2ae8

        SHA512

        29a976df0c5f8d90f8c82b840ddfb59e8cca792ac10e275886bbb1754f8c29e08c2e851d9258d04ed8b98e2d51d7ccd6d948c425c7bb7cb8408ecaa4d55737eb

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC29B0.tmp
        Filesize

        652B

        MD5

        4ea664e8d3c8467cca58ba1bd35daa64

        SHA1

        74b1bb337f4362a9805d6069117dbe04eba03acf

        SHA256

        fa333c0cdde2e01d58df8c3f3d4e7eae459c330426467b0b16c6ee90712818dc

        SHA512

        e6266813daa24a4fb2e86e4b983ac4d4291d37bd5bfd5174c2fc4c9789700ae64bc237a00bbe5d10b9577b43668c81cb8fa82d75c5a05c06c6aec297713f43a7

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\etrtmo0c.0.cs
        Filesize

        468B

        MD5

        caf98c9f9cc2c02cdc79eb3409a36bc5

        SHA1

        aae6131763eaace982ee93fb15ee0eff45a034d2

        SHA256

        dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

        SHA512

        74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\etrtmo0c.cmdline
        Filesize

        309B

        MD5

        ed41e8f433dbe8bff0e7a1d572544869

        SHA1

        7556cda612925c7c2a191d3242f445ae8b483e70

        SHA256

        3a70a0dc98b70ce9fc584bbefcca879b4862dfeb131cd1abbdda3aecefd7a20a

        SHA512

        a7ee36d8f3723b00dd0207b02657ba48da02061bf785f8d069424a913d51ebd000d635c98c0e85df531c184258e09a2f8c1a6e854ae3da3fa1db8ae5a0fac87c

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\khee07li.0.cs
        Filesize

        468B

        MD5

        caf98c9f9cc2c02cdc79eb3409a36bc5

        SHA1

        aae6131763eaace982ee93fb15ee0eff45a034d2

        SHA256

        dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

        SHA512

        74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\khee07li.cmdline
        Filesize

        309B

        MD5

        4d749bad2cbefd079fba1fed431e7ca2

        SHA1

        bf2fe523f1ff6993aad6b454387339254dae3b19

        SHA256

        c37afe69af6c2e0a480920121e9e2c92581b0572e4e895defd31e8619288c0fd

        SHA512

        6629c35dc4c2d94a090ce10106d411e035966e629aa878274a1969ac8ca3498b5bddd93a8d2a5a4ab2eb77760c6806438c1e8614aaaede2f9cfd8e38ac5e55a0

        Download Submit

      • memory/1552-83-0x00000000023D0000-0x00000000023FD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1552-69-0x0000000074D61000-0x0000000074D63000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1552-82-0x0000000072B60000-0x000000007310B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1552-72-0x0000000072B60000-0x000000007310B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1552-81-0x00000000023D0000-0x00000000023FD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1764-70-0x0000000002954000-0x0000000002957000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1764-58-0x000000001B760000-0x000000001BA5F000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1764-57-0x0000000002954000-0x0000000002957000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1764-56-0x000007FEF2EF0000-0x000007FEF3A4D000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/1764-55-0x000007FEF3A50000-0x000007FEF4473000-memory.dmp

        Filesize

        10.1MB

        Download

      • memory/1764-59-0x000000000295B000-0x000000000297A000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1764-71-0x000000000295B000-0x000000000297A000-memory.dmp

        Filesize

        124KB

        Download

      • memory/1764-54-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

        Filesize

        8KB

        Download