c83bb3ba68f3f4fde63abea1a95a89566c4a8b75bac40d47b8733a1dac0d1658

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/03/2023, 06:18

Target

service.exe
Size

283KB
MD5

c801ed2ca1f4f204ca5d28a6ab366949
SHA1

781f35df9b44560982623ef0259a05fbf99b8fcc
SHA256

c83bb3ba68f3f4fde63abea1a95a89566c4a8b75bac40d47b8733a1dac0d1658
SHA512

2d910f09aaeaf0ad6e769f5148ce61f4d284468da1f109434602e2e4c7ddd567d41cd6dae95aba72133dc77fcf35d9814be6c645d05f40d8268ab9036adce45b
SSDEEP

6144:7gZiAEAO0sByNsAal3gVAWgS7/OhwjKfqZr:7gZXEAO/BUdG3gVdt7KnfqZr

Score

10^/10

Language

ps1

Source

URLs

exe.dropper

https://pastebin.com/raw/vNcCt60A

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1204	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 528	1972	service.exe	28
PID 1972 wrote to memory of 528	1972	service.exe	28
PID 1972 wrote to memory of 528	1972	service.exe	28
PID 1972 wrote to memory of 528	1972	service.exe	28
PID 528 wrote to memory of 1204	528	WScript.exe	29
PID 528 wrote to memory of 1204	528	WScript.exe	29
PID 528 wrote to memory of 1204	528	WScript.exe	29
PID 528 wrote to memory of 1204	528	WScript.exe	29

C:\Users\Admin\AppData\Local\Temp\service.exe
"C:\Users\Admin\AppData\Local\Temp\service.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1204

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs

Filesize
149B

MD5
a5871da9a2df94e7f9e631b8d88db6f2

SHA1
0fe4a2d4ee43f0ddd04fdf6fcf18ea157f197b6b

SHA256
c3da432bc28fc4cd5346b0b1350217dbc1fb5939dd3436a1a1415d5f5a4c821d

SHA512
4c31e60bd2d823eec6f3c83973b0845c104632006877e3960ff3c7abc69b05f41d09a2dcede557d642b5e74a128800dfd543f2f88026a1400172ec4ea850084c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\service.ps1

Filesize
949B

MD5
8a97b217587bf21df5b6be29428a1251

SHA1
33bc1ad54acc40f29d1b09767811c4a9f779f9a5

SHA256
ac975c8129b58f138e0f9880d5d63e6ca9e350c875e09a6dd5c16b40eaa9ea0d

SHA512
944c4fbbb3e92afad4cb4fc9f675cbe0b12ff3ef371fa1a5acdffb8489d7c7dde6e2cb8c2a1e194db9eba8e7c74db82b91ceaa40bc3f189924adaeae01cc2409

Download Submit
memory/1204-63-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download
memory/1204-64-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download