e0b6143f82a2ce66cb8e7650ac158e58776f0d77f25845c97f7112a14de858a5

Analysis

max time kernel
47s
max time network
55s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 23:45

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

e0b6143f82a2ce66cb8e7650ac158e58776f0d77f25845c97f7112a14de858a5.vbs
Size

11.1MB
MD5

dda79de36584b80911786c1f328d7d27
SHA1

35091e642f4bdb1bd8a44dc7c31f5c33b1f29cbe
SHA256

e0b6143f82a2ce66cb8e7650ac158e58776f0d77f25845c97f7112a14de858a5
SHA512

f4874a846561dbb281b95e7c854f05e20b9b67bc91e079816809132ec53494ac139656aafc8c4e0a7e997ba198ee9ad3595597ebedb6d1d1a7dfc7a4ff2baf55
SSDEEP

24:/vD+PfeXp7bixsaFOp7bixsmV8+Py0111111111111111111111111111111111V:/vufypiCaFOpiCSy4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1972	shutdown.exe
Token: SeRemoteShutdownPrivilege	1972	shutdown.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1048	1916	WScript.exe	27
PID 1916 wrote to memory of 1048	1916	WScript.exe	27
PID 1916 wrote to memory of 1048	1916	WScript.exe	27
PID 1048 wrote to memory of 1972	1048	cmd.exe	29
PID 1048 wrote to memory of 1972	1048	cmd.exe	29
PID 1048 wrote to memory of 1972	1048	cmd.exe	29

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0b6143f82a2ce66cb8e7650ac158e58776f0d77f25845c97f7112a14de858a5.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c shutdown -r -t 30 -c "Ëµ1£¡²»£¬ËµÎÒºÜ2£¬Ëµ3£¬ËµÎÒÊÇÖí¡£¡£¡£¡£¡£¡£²»£¬ÎÒÍüÁË¸ÃËµÊ²Ã´£¬ÍêÁË£¬ºÙºÙ£¬30ÃëºóÄãµÄµçÄÔ¾Í»á¹Ø»ú£¬ÎÒËµµ½×öµ½£¡"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\system32\shutdown.exe
    shutdown -r -t 30 -c "Ëµ1£¡²»£¬ËµÎÒºÜ2£¬Ëµ3£¬ËµÎÒÊÇÖí¡£¡£¡£¡£¡£¡£²»£¬ÎÒÍüÁË¸ÃËµÊ²Ã´£¬ÍêÁË£¬ºÙºÙ£¬30ÃëºóÄãµÄµçÄÔ¾Í»á¹Ø»ú£¬ÎÒËµµ½×öµ½£¡"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1704-56-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

Filesize
8KB

Download