Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 21/03/2023, 01:24
Static task: static1
Behavioral task: behavioral1
Sample: ca7205724f31290cdef29a7e0f0743d0.ps1
Resource: win7-20230220-en
General
- Target: ca7205724f31290cdef29a7e0f0743d0.ps1
- Size: 226KB
- MD5: ca7205724f31290cdef29a7e0f0743d0
- SHA1: e7dbb3b8bd7a31698f97a21b25cd03e67f8be91f
- SHA256: 3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d
- SHA512: 661e18b9d63c8ff1849f7b6ba81b5d44a68fc3e605c207d965a7e4841e244a114881a6f0ca77e1ad18fbef2d881327ea460333e27741521107bf2314e7b65c98
- SSDEEP: 1536:vNUP7fvRYjFYFWPApqqPDXdkSajySbVeJ+ARXqX3XXSX3XHCyyvL93yVxgQ51kIN:G+/mjLnfhUd3tNTrrD4Qzxu
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  1424  powershell.exe
  1424  powershell.exe
  1424  powershell.exe
  1500  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  1424  powershell.exe
  Token: SeDebugPrivilege  1500  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description                        PID   Process         procid_target
  PID 1424 wrote to memory of 468    1424  powershell.exe  29
  PID 1424 wrote to memory of 468    1424  powershell.exe  29
  PID 1424 wrote to memory of 468    1424  powershell.exe  29
  PID 468 wrote to memory of 1500    468   WScript.exe     30
  PID 468 wrote to memory of 1500    468   WScript.exe     30
  PID 468 wrote to memory of 1500    468   WScript.exe     30
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1424, depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ca7205724f31290cdef29a7e0f0743d0.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 468, depth 2, child of 1424)
    Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1500, depth 3, child of 468)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &{$a='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$a($T))}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 433B
  MD5: f7da689911a44bf28a2908f1522267f6
  SHA1: 8a07c961848dcbc095e22edeab099ef3f36ab2b6
  SHA256: 60e6a5212c5d64aa96bcb296aeb044067a6c8910b39e84b6b36eec74c3a1d834
  SHA512: 8dee32c503a4b516e8d8e4e8eefe3fb166c8abd4a49d294e583a5847030048fad0b2a90043252563d49a55978dad475ff6d5a4b215feed9b2b3d82a9b4674dbd
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 066bbfb429fcd13827c5742f31c6b4f1
  SHA1: e0d2a4e7de3ec6fec146cc762ce18330e366bd65
  SHA256: 537e7bdd396f377d9741b091141f349ad64eaebdcda0a46b5f71ae9b8cf33ac9
  SHA512: d7a846d841a55e511298655fbe4e3c890840e16e5d51b7cad2205d6bf83c77423f8f9db63c5cbb48a0053c6a271ebb5425ad815d46a8a20c61a3a2897dcc35f2