Overview

overview

10

Static

static

load.ps1

windows7-x64

8

load.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2022 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    load.ps1

  • Size

    1.4MB

  • MD5

    09a05a2212bd2c0fe0e2881401fbff17

  • SHA1

    fbb6f8dae1753cd2a282ee161bc5496486cc06f7

  • SHA256

    b41a303a4caa71fa260dd601a796033d8bfebcaa6bd9dfd7ad956fac5229a735

  • SHA512

    8d0dd3a7d6adaa690a3f7625a573b8c50cfa9d40fa17836b7e8ab8a10bfe67f4eaf0720cedda0c1d2986e7e70770a097ad8af2a9e24ccd595514a0384cbc275f

Score
10/10
suncryptransomware

Malware Config

Signatures

  • SunCrypt Ransomware

    Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.

    ransomwaresuncrypt
  • Blocklisted process makes network request 1 IoCs
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\load.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pev0h0it\pev0h0it.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES631F.tmp" "c:\Users\Admin\AppData\Local\Temp\pev0h0it\CSC6AFAC74B115247B98AFB99757B928D66.TMP"
        3⤵
          PID:716
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\load.ps1"
        2⤵
        • Blocklisted process makes network request
        • Modifies extensions of user files
        • Drops startup file
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ne5e2fbq\ne5e2fbq.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:536
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9182.tmp" "c:\Users\Admin\AppData\Local\Temp\ne5e2fbq\CSCC4CB164B576B442AA090D8F0816D22AC.TMP"
            4⤵
              PID:1196
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4876

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        2f57fde6b33e89a63cf0dfdd6e60a351

        SHA1

        445bf1b07223a04f8a159581a3d37d630273010f

        SHA256

        3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

        SHA512

        42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        58b97594c4d764d5d99a459fbee0fd33

        SHA1

        4d1f8f4f5bbf87a6ea3ae7b7be623542377365da

        SHA256

        8001b17515105615ae767a048f98b1c1d211130f7c8c7e9bb585cf063b0c6db2

        SHA512

        874c700052930cfc7bc99e3e0353bf3a3891e45854df7982f73a2fa4d8a60546d683fae0163104e047991955d7d6b8950447be83a93d99ae9d9931a1e13e3cf7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES631F.tmp
        Filesize

        1KB

        MD5

        20e0ca6944a63dfd5e8fce3348a8711c

        SHA1

        35edfd203f130931d79a679d7cb0aee125a31155

        SHA256

        ff545be53fa32218560310b01807d1b5d0f1222c4fbb0351393b2c5b70c32d3b

        SHA512

        406256f2173e4d60a1d9efeaa1ba51bd4e03c60430fd076ba19ab947622ae5c4cbae4b1cbcb66cec5a2a0341598ebd4f18825bdc6734488f9f2a3dbe95d7555e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES9182.tmp
        Filesize

        1KB

        MD5

        bb7e281318c4e2574d8dc1bc449a70d8

        SHA1

        181af2320e20186c50b10c8343ea4c15430bd2ee

        SHA256

        f6355ee6602b56c60a4c13a8fe4f8c78025663a31b04b89bee2329c55f3fc71a

        SHA512

        68b71cfc674c94ff52b0d9dcb11277e8b1d422d2e981ee14548db015a3685533e5bca6b4b3b56abfa7f9fa3ffc79b52be56c21c1839c4ba9eb2d3d5e7f8565ce

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ne5e2fbq\ne5e2fbq.dll
        Filesize

        3KB

        MD5

        ee26103f0c3fd9126ecd5b71242aecd5

        SHA1

        d118c8fcf4f4fb6940dc55c01742bb07024435a5

        SHA256

        6a4501218959c66582043695282b38f3ff45ff1514c0e62c0024ce4de45ff2e5

        SHA512

        9fcec73da8ec10965f8eb287d3b6b5e2518fba1999e4ee9a284a2006f898a87d620dc9f6505481a6429db0732a8a871918b98d3c12885c720d44e2f22301af1c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\pev0h0it\pev0h0it.dll
        Filesize

        3KB

        MD5

        d127c91de3d70c6ed87c10ea8831ceb0

        SHA1

        1743a8aaefb3d43a67d93068ef979b61712f9198

        SHA256

        e40882bc25d08f8f45a0face430fc4b4570778d79026a8f7dc368f4c61a840a9

        SHA512

        0f4d3ca10331dc82e63ce490b0822ba83c875db32f6c4e208fa050ca0fa6fa30f51aa0a470854cddb2ea962d2c7f9653dc20d3b08670e972318c6c4e2b88ddf7

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ne5e2fbq\CSCC4CB164B576B442AA090D8F0816D22AC.TMP
        Filesize

        652B

        MD5

        807506a7d24c640f9a898ed163022265

        SHA1

        c587bdd8d5763e0de8da36f7d376498db689e281

        SHA256

        46103f935b28f09636711226c763d02e0bbb9ebdf3fdf61d7557dd80e4c76f32

        SHA512

        0720bd405d9e9da55a0423b87ad9e75e3d8c3cf9e3e434f158821b3d08c138ba1b750c45b446393ed7c04e5108fdad92b0436fb5430cf4dd3f1c5aadfe917234

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ne5e2fbq\ne5e2fbq.0.cs
        Filesize

        468B

        MD5

        caf98c9f9cc2c02cdc79eb3409a36bc5

        SHA1

        aae6131763eaace982ee93fb15ee0eff45a034d2

        SHA256

        dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

        SHA512

        74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ne5e2fbq\ne5e2fbq.cmdline
        Filesize

        369B

        MD5

        6029c96db0f78f77671d92d00a0ce8e6

        SHA1

        5c8ea918a95b43275e4ed15c8523cdb852502748

        SHA256

        38ea56bb066d9ca3ca1a25bf237fd7f22f067231e6f50fc50c539c2645dc6f0d

        SHA512

        22f0ef880257699d1e8ea95c7a211ecd88a5a92c6fddea092436ab15c0ae1d220530df509ac3d5ad3a569f8eaa18bf6e7873b3baf9eadc99321c2d64c7be1a40

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\pev0h0it\CSC6AFAC74B115247B98AFB99757B928D66.TMP
        Filesize

        652B

        MD5

        7a5cece84fb71d1d0f9118b902331612

        SHA1

        ceec6ba5b24b0c5e3217f154232e38d91937a3d7

        SHA256

        289998ea6561ab164104d8e3dbfbea9e133e62f8781bd2395ee3f48f68bcf2c3

        SHA512

        f5db6285445b590b75fc15eeb7e6fff3ac3d807b74d9329af86dcadd081fc7cdacdc06bea9bfd7f39a9adb91114b9958fa04a2bb616aa79833dbe238c201901b

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\pev0h0it\pev0h0it.0.cs
        Filesize

        468B

        MD5

        caf98c9f9cc2c02cdc79eb3409a36bc5

        SHA1

        aae6131763eaace982ee93fb15ee0eff45a034d2

        SHA256

        dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

        SHA512

        74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\pev0h0it\pev0h0it.cmdline
        Filesize

        369B

        MD5

        9f6170853db7680783727665f8bb4b84

        SHA1

        279848fb30535637b93637e854d681d1121439cc

        SHA256

        0932cd04683bad0cf33fbf2694de176e232523b11f26c09962809a01f93d315a

        SHA512

        6f40cd25c98fd640fd3df36d07868132898403ba136d3fb543a578f44eaf5ee62476e25935d17d77d7efbda56444beaa2137fd6bbacc79f215e7e668800a8307

        Download Submit

      • memory/2292-146-0x0000000005F40000-0x0000000005FA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2292-145-0x0000000005760000-0x0000000005782000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2292-150-0x000000000AE70000-0x000000000B4EA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2292-151-0x0000000006B20000-0x0000000006B3A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2292-147-0x0000000005FB0000-0x0000000006016000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2292-160-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2292-149-0x0000000006610000-0x000000000662E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2292-144-0x0000000005910000-0x0000000005F38000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2292-143-0x0000000003270000-0x00000000032A6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2292-159-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4672-142-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4672-132-0x00000204A2A20000-0x00000204A2A42000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4672-133-0x00007FFF7E460000-0x00007FFF7EF21000-memory.dmp

        Filesize

        10.8MB

        Download