Analysis
-
max time kernel
30s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
21/03/2023, 13:26
Static task
static1
Behavioral task
behavioral1
Sample
3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps1
Resource
win7-20230220-en
General
-
Target
3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps1
-
Size
226KB
-
MD5
ca7205724f31290cdef29a7e0f0743d0
-
SHA1
e7dbb3b8bd7a31698f97a21b25cd03e67f8be91f
-
SHA256
3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d
-
SHA512
661e18b9d63c8ff1849f7b6ba81b5d44a68fc3e605c207d965a7e4841e244a114881a6f0ca77e1ad18fbef2d881327ea460333e27741521107bf2314e7b65c98
-
SSDEEP
1536:vNUP7fvRYjFYFWPApqqPDXdkSajySbVeJ+ARXqX3XXSX3XHCyyvL93yVxgQ51kIN:G+/mjLnfhUd3tNTrrD4Qzxu
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2044 powershell.exe 2044 powershell.exe 980 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2044 powershell.exe Token: SeDebugPrivilege 980 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2044 wrote to memory of 1852 2044 powershell.exe 29 PID 2044 wrote to memory of 1852 2044 powershell.exe 29 PID 2044 wrote to memory of 1852 2044 powershell.exe 29 PID 1852 wrote to memory of 980 1852 WScript.exe 30 PID 1852 wrote to memory of 980 1852 WScript.exe 30 PID 1852 wrote to memory of 980 1852 WScript.exe 30
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &{$a='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$a($T))}3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
433B
MD5f7da689911a44bf28a2908f1522267f6
SHA18a07c961848dcbc095e22edeab099ef3f36ab2b6
SHA25660e6a5212c5d64aa96bcb296aeb044067a6c8910b39e84b6b36eec74c3a1d834
SHA5128dee32c503a4b516e8d8e4e8eefe3fb166c8abd4a49d294e583a5847030048fad0b2a90043252563d49a55978dad475ff6d5a4b215feed9b2b3d82a9b4674dbd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5a236dce757b2beab4ea96c2aaf10e57e
SHA1d9f6028f889db0250269630bcf0854808d75ed6e
SHA2567da78e09b156e8a9fa296ae83d9f226a77ed7297ea6d7b16d5246e64eb773a43
SHA512bd5ed07812188016d3d147d673d3885245fd1c08025e6c1b111adc40f847090cdfc03ad4f796dda95980ce1153a37c9085fd6aa2d1baad763907bb70b69c4b55