Analysis

  • max time kernel: 27s
  • max time network: 30s
  • platform: windows7_x64
  • resource: win7-20230220-en
  • resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted: 17/03/2023, 06:22

General

  • Target: service.exe
  • Size: 237KB
  • MD5: ab439c03eb89bc15757588b7b030bea6
  • SHA1: 50411b04ba6c51aab0f706e3a54fc548b5f8df0f
  • SHA256: be067c2c7c5a474442339d8adc999a0a288d56890d9781e88f536b6183cd398c
  • SHA512: 7784fb618db8f2951bd8032154da86c9f139d51a4e541c9924cfccab99862efbcf92b8cbd582714e5f243d2cd5ee1b9fa2bb076f7d9b683e4b57e7b9e347c9a7
  • SSDEEP: 3072:r4tWK9YMDbz6fV/NpbnyAGJwhOnQdT1MgvAOdj8MXoiTYfSHw69pJZXAqacHy1ly:m9j76xnImFZ1MmF8QTU/urSiLfTP8U

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Source:
  • URLs:
    exe.dropper: https://pastebin.com/raw/vNcCt60A

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\service.exe
    "C:\Users\Admin\AppData\Local\Temp\service.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:376

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs
    Filesize: 147B
    MD5: e04e55d2e6cc3d920631fdc5d6dcc1ce
    SHA1: 2c4dbcff71f8678623a7c197440ec281804dc5a5
    SHA256: f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
    SHA512: 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\service.ps1
    Filesize: 949B
    MD5: 8a97b217587bf21df5b6be29428a1251
    SHA1: 33bc1ad54acc40f29d1b09767811c4a9f779f9a5
    SHA256: ac975c8129b58f138e0f9880d5d63e6ca9e350c875e09a6dd5c16b40eaa9ea0d
    SHA512: 944c4fbbb3e92afad4cb4fc9f675cbe0b12ff3ef371fa1a5acdffb8489d7c7dde6e2cb8c2a1e194db9eba8e7c74db82b91ceaa40bc3f189924adaeae01cc2409

  • memory/376-64-0x0000000002890000-0x00000000028D0000-memory.dmp
    Filesize: 256KB

  • memory/376-65-0x0000000002890000-0x00000000028D0000-memory.dmp
    Filesize: 256KB