Analysis
-
max time kernel
30s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
22-03-2023 13:58
General
-
Target
390Z21.ps1
-
Size
206KB
-
MD5
7f42335561e2adb6a744f1dcb02b1505
-
SHA1
415e34780b8e144c28995e611117d7d0182f3b22
-
SHA256
c671d25e21e83929c1853e697f29b0e8ed3b69edc6add61d4d8b8bc2018afe14
-
SHA512
442c90c2f926480beb001ed1ae45bf4f9893988d135367bf51c1a8ab7f27e4a11cbec1a9fea5f6897c1dc15cbc33fa7e0f027199c281107e7c5536a63aa2058c
-
SSDEEP
3072:RO2MjmUvLcSRr0zELowmGcAK3ApfJo74Pda:RpMjbYYowmGcAK3Apxm1
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\390Z21.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$BLNLS='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$BLNLS($T))}3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Document\BT.vbsFilesize
482B
MD5d81d9785f8a33a52adbf7761bb81483c
SHA1c7f97c27e4ad633369c9eca1be36335356486727
SHA256cd30619863fb29e056c285521902eda2d820052f5cbc7a5d92ad331eab6460c4
SHA5120c08b68c6b64a57ba4494e20b5c840f3f013aa2873d03aa1d2a017c707614479afe024cfd1cdde17851d0f36cfc34a895eea1e41d4a4118067ec366c19bf41cf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5fad44b01e866d0051a92d87f4efdcd11
SHA15621d7f2112244eeddeb808c90228f186912f104
SHA2566773394ae74f2281eec983ab592741f74ee367457111687bd3298fbf2d061c4b
SHA512de7f1db7409a0315c0b36001435a8dc2e03789b8b37b2a11adc9a85919a6f06901a7c975a864f2303ca1b5136e51ba534f38ffc8046d5c0b2993574cb84a4c16
-
memory/920-58-0x000000001B210000-0x000000001B4F2000-memory.dmpFilesize
2.9MB
-
memory/920-59-0x0000000001F50000-0x0000000001F58000-memory.dmpFilesize
32KB
-
memory/920-60-0x0000000002860000-0x00000000028E0000-memory.dmpFilesize
512KB
-
memory/920-61-0x0000000002860000-0x00000000028E0000-memory.dmpFilesize
512KB
-
memory/920-62-0x0000000002860000-0x00000000028E0000-memory.dmpFilesize
512KB
-
memory/920-63-0x0000000002860000-0x00000000028E0000-memory.dmpFilesize
512KB
-
memory/1928-76-0x000000001B0A0000-0x000000001B382000-memory.dmpFilesize
2.9MB
-
memory/1928-77-0x0000000002420000-0x0000000002428000-memory.dmpFilesize
32KB
-
memory/1928-78-0x0000000002894000-0x0000000002897000-memory.dmpFilesize
12KB
-
memory/1928-79-0x000000000289B000-0x00000000028D2000-memory.dmpFilesize
220KB