78f357f61ed20344d27a1323e6a5a87e2f9ac140064d7e57a77d195e599f6e4b

General

Target

JVC_47247.vbs
Size

4.3MB
MD5

2e5d0c5ceac5c6111a9ec881f7e4f3f4
SHA1

ba8a9af53583a01a0c4c49bf827a3433c203a983
SHA256

78f357f61ed20344d27a1323e6a5a87e2f9ac140064d7e57a77d195e599f6e4b
SHA512

1097085efc7bb40e55c1095b7b5c4ed3aecb9ab7d803cc91e9e042efee2cecc896643823ed0ade4017a228805ce5ed11881506d3742fc89ed72e9b05acd32745

Score

8^/10

Malware Config

Signatures

Blacklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 1852 WScript.exe

flow	pid	process
2	1852	WScript.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

WScript.exeColorPick.exeylisaz.exe

description	pid	process	target process
PID 1852 wrote to memory of 1996	1852	WScript.exe	ColorPick.exe
PID 1852 wrote to memory of 1996	1852	WScript.exe	ColorPick.exe
PID 1852 wrote to memory of 1996	1852	WScript.exe	ColorPick.exe
PID 1852 wrote to memory of 1996	1852	WScript.exe	ColorPick.exe
PID 1996 wrote to memory of 2040	1996	ColorPick.exe	ColorPick.exe
PID 1996 wrote to memory of 2040	1996	ColorPick.exe	ColorPick.exe
PID 1996 wrote to memory of 2040	1996	ColorPick.exe	ColorPick.exe
PID 1996 wrote to memory of 2040	1996	ColorPick.exe	ColorPick.exe
PID 1996 wrote to memory of 1560	1996	ColorPick.exe	ylisaz.exe
PID 1996 wrote to memory of 1560	1996	ColorPick.exe	ylisaz.exe
PID 1996 wrote to memory of 1560	1996	ColorPick.exe	ylisaz.exe
PID 1996 wrote to memory of 1560	1996	ColorPick.exe	ylisaz.exe
PID 1996 wrote to memory of 1544	1996	ColorPick.exe	schtasks.exe
PID 1996 wrote to memory of 1544	1996	ColorPick.exe	schtasks.exe
PID 1996 wrote to memory of 1544	1996	ColorPick.exe	schtasks.exe
PID 1996 wrote to memory of 1544	1996	ColorPick.exe	schtasks.exe
PID 1560 wrote to memory of 1592	1560	ylisaz.exe	ylisaz.exe
PID 1560 wrote to memory of 1592	1560	ylisaz.exe	ylisaz.exe
PID 1560 wrote to memory of 1592	1560	ylisaz.exe	ylisaz.exe
PID 1560 wrote to memory of 1592	1560	ylisaz.exe	ylisaz.exe
PID 1560 wrote to memory of 1568	1560	ylisaz.exe	explorer.exe
PID 1560 wrote to memory of 1568	1560	ylisaz.exe	explorer.exe
PID 1560 wrote to memory of 1568	1560	ylisaz.exe	explorer.exe
PID 1560 wrote to memory of 1568	1560	ylisaz.exe	explorer.exe
PID 1560 wrote to memory of 1568	1560	ylisaz.exe	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

ColorPick.exeColorPick.exeylisaz.exeylisaz.exe

pid process

1996 ColorPick.exe
2040 ColorPick.exe
1560 ylisaz.exe
1592 ylisaz.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ColorPick.exeColorPick.exeylisaz.exeylisaz.exeexplorer.exe

pid process

1996 ColorPick.exe
2040 ColorPick.exe
2040 ColorPick.exe
1560 ylisaz.exe
1592 ylisaz.exe
1592 ylisaz.exe
1568 explorer.exe
1568 explorer.exe
Loads dropped DLL 3 IoCs

Processes:

ColorPick.exe

pid process

1996 ColorPick.exe
1996 ColorPick.exe
1996 ColorPick.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ylisaz.exe

pid process

1560 ylisaz.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1544 schtasks.exe

pid	process
1996	ColorPick.exe
2040	ColorPick.exe
1560	ylisaz.exe
1592	ylisaz.exe

pid	process
1996	ColorPick.exe
2040	ColorPick.exe
2040	ColorPick.exe
1560	ylisaz.exe
1592	ylisaz.exe
1592	ylisaz.exe
1568	explorer.exe
1568	explorer.exe

pid	process
1996	ColorPick.exe
1996	ColorPick.exe
1996	ColorPick.exe

pid	process
1560	ylisaz.exe

pid	process
1544	schtasks.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JVC_47247.vbs"
1⤵
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\ColorPick.exe
C:\Users\Admin\AppData\Local\Temp\ColorPick.exe
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
PID:1996

C:\Users\Admin\AppData\Local\Temp\ColorPick.exe
C:\Users\Admin\AppData\Local\Temp\ColorPick.exe /C
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Users\Admin\AppData\Roaming\Microsoft\Nrylysyyjdnp\ylisaz.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Nrylysyyjdnp\ylisaz.exe
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1560

C:\Users\Admin\AppData\Roaming\Microsoft\Nrylysyyjdnp\ylisaz.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Nrylysyyjdnp\ylisaz.exe /C
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn uqsvvbbbpw /tr "\"C:\Users\Admin\AppData\Local\Temp\ColorPick.exe\" /I uqsvvbbbpw" /SC ONCE /Z /ST 21:15 /ET 21:27
3⤵
- Creates scheduled task(s)
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ColorPick.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ColorPick.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ColorPick.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Nrylysyyjdnp\ylisaz.dat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Nrylysyyjdnp\ylisaz.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Nrylysyyjdnp\ylisaz.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Nrylysyyjdnp\ylisaz.exe

Download Submit
\Users\Admin\AppData\Local\Temp\ColorPick.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Nrylysyyjdnp\ylisaz.exe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Nrylysyyjdnp\ylisaz.exe

Download Submit
memory/1560-13-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/1592-12-0x0000000002460000-0x0000000002471000-memory.dmp

Filesize
68KB

Download
memory/1852-2-0x00000000034A0000-0x00000000034A4000-memory.dmp

Filesize
16KB

Download
memory/1852-1-0x0000000001B40000-0x0000000001B42000-memory.dmp

Filesize
8KB

Download
memory/2040-6-0x0000000002390000-0x00000000023A1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads