b6791e467a88b94a403ca0a73bfbe5ede7016c526c7ce04d83bc1add3deb0686

Analysis

max time kernel
46s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 14:26

Target

fix/suspended.js
Size

136B
MD5

80afc673645a4f84c6625c4bb179ec6e
SHA1

9a5591b968fbb5965c8cec44a3222e4fdd5eb691
SHA256

a6a5982619a54a95cc57eca09559c1e21fc272f27489a7f88c68d55dcf0f5267
SHA512

bf351bebe654abb6952a5b8d923b1c0850a7b188f26471d18a2a14413af37a8154f66c8831aef7d0955bad3069d49e016e5bf491b503f31947d217b11344aeb1

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1872 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1872 powershell.exe

pid	process
1872	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1872	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1364 wrote to memory of 1872	1364	wscript.exe	powershell.exe
PID 1364 wrote to memory of 1872	1364	wscript.exe	powershell.exe
PID 1364 wrote to memory of 1872	1364	wscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\fix\suspended.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass fix\overheating.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1364-54-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1872-55-0x0000000000000000-mapping.dmp

Download
memory/1872-57-0x000007FEF41A0000-0x000007FEF4BC3000-memory.dmp

Filesize
10.1MB

Download
memory/1872-58-0x000007FEF3640000-0x000007FEF419D000-memory.dmp

Filesize
11.4MB

Download
memory/1872-59-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1872-61-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1872-60-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download