3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750

Resubmissions

09-08-2024 08:38

240809-kjxr2sycnr 10

27-07-2020 18:35

200727-l5jrnfh3sx 8

Analysis

max time kernel
150s
max time network
148s
platform
windows10_x64
resource
win10
submitted
27-07-2020 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACCORD POUR COMMISSION A PRELEVER.PDF.vbs
Size

246KB
MD5

6b23cda6ddc86713d63e5b6bb853a909
SHA1

7c12556e23a5b283846572fc9a1d70b01d306c1d
SHA256

3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750
SHA512

9bd88a406202b539ec6cfb271c7c02b0ac2659d3c925aed20d1680d919f841fbef89566d33f29cca2fd1ebd5641b5a7ee17562eaa5dce447f89256cc470f1eeb

Score

8^/10

persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
3560	java.exe
716	java.exe
1004	java.exe

Suspicious use of AdjustPrivilegeToken 168 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	912	WMIC.exe
Token: SeSecurityPrivilege	912	WMIC.exe
Token: SeTakeOwnershipPrivilege	912	WMIC.exe
Token: SeLoadDriverPrivilege	912	WMIC.exe
Token: SeSystemProfilePrivilege	912	WMIC.exe
Token: SeSystemtimePrivilege	912	WMIC.exe
Token: SeProfSingleProcessPrivilege	912	WMIC.exe
Token: SeIncBasePriorityPrivilege	912	WMIC.exe
Token: SeCreatePagefilePrivilege	912	WMIC.exe
Token: SeBackupPrivilege	912	WMIC.exe
Token: SeRestorePrivilege	912	WMIC.exe
Token: SeShutdownPrivilege	912	WMIC.exe
Token: SeDebugPrivilege	912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	912	WMIC.exe
Token: SeRemoteShutdownPrivilege	912	WMIC.exe
Token: SeUndockPrivilege	912	WMIC.exe
Token: SeManageVolumePrivilege	912	WMIC.exe
Token: 33	912	WMIC.exe
Token: 34	912	WMIC.exe
Token: 35	912	WMIC.exe
Token: 36	912	WMIC.exe
Token: SeIncreaseQuotaPrivilege	912	WMIC.exe
Token: SeSecurityPrivilege	912	WMIC.exe
Token: SeTakeOwnershipPrivilege	912	WMIC.exe
Token: SeLoadDriverPrivilege	912	WMIC.exe
Token: SeSystemProfilePrivilege	912	WMIC.exe
Token: SeSystemtimePrivilege	912	WMIC.exe
Token: SeProfSingleProcessPrivilege	912	WMIC.exe
Token: SeIncBasePriorityPrivilege	912	WMIC.exe
Token: SeCreatePagefilePrivilege	912	WMIC.exe
Token: SeBackupPrivilege	912	WMIC.exe
Token: SeRestorePrivilege	912	WMIC.exe
Token: SeShutdownPrivilege	912	WMIC.exe
Token: SeDebugPrivilege	912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	912	WMIC.exe
Token: SeRemoteShutdownPrivilege	912	WMIC.exe
Token: SeUndockPrivilege	912	WMIC.exe
Token: SeManageVolumePrivilege	912	WMIC.exe
Token: 33	912	WMIC.exe
Token: 34	912	WMIC.exe
Token: 35	912	WMIC.exe
Token: 36	912	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeSecurityPrivilege	1464	WMIC.exe
Token: SeTakeOwnershipPrivilege	1464	WMIC.exe
Token: SeLoadDriverPrivilege	1464	WMIC.exe
Token: SeSystemProfilePrivilege	1464	WMIC.exe
Token: SeSystemtimePrivilege	1464	WMIC.exe
Token: SeProfSingleProcessPrivilege	1464	WMIC.exe
Token: SeIncBasePriorityPrivilege	1464	WMIC.exe
Token: SeCreatePagefilePrivilege	1464	WMIC.exe
Token: SeBackupPrivilege	1464	WMIC.exe
Token: SeRestorePrivilege	1464	WMIC.exe
Token: SeShutdownPrivilege	1464	WMIC.exe
Token: SeDebugPrivilege	1464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1464	WMIC.exe
Token: SeRemoteShutdownPrivilege	1464	WMIC.exe
Token: SeUndockPrivilege	1464	WMIC.exe
Token: SeManageVolumePrivilege	1464	WMIC.exe
Token: 33	1464	WMIC.exe
Token: 34	1464	WMIC.exe
Token: 35	1464	WMIC.exe
Token: 36	1464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeSecurityPrivilege	1464	WMIC.exe
Token: SeTakeOwnershipPrivilege	1464	WMIC.exe
Token: SeLoadDriverPrivilege	1464	WMIC.exe
Token: SeSystemProfilePrivilege	1464	WMIC.exe
Token: SeSystemtimePrivilege	1464	WMIC.exe
Token: SeProfSingleProcessPrivilege	1464	WMIC.exe
Token: SeIncBasePriorityPrivilege	1464	WMIC.exe
Token: SeCreatePagefilePrivilege	1464	WMIC.exe
Token: SeBackupPrivilege	1464	WMIC.exe
Token: SeRestorePrivilege	1464	WMIC.exe
Token: SeShutdownPrivilege	1464	WMIC.exe
Token: SeDebugPrivilege	1464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1464	WMIC.exe
Token: SeRemoteShutdownPrivilege	1464	WMIC.exe
Token: SeUndockPrivilege	1464	WMIC.exe
Token: SeManageVolumePrivilege	1464	WMIC.exe
Token: 33	1464	WMIC.exe
Token: 34	1464	WMIC.exe
Token: 35	1464	WMIC.exe
Token: 36	1464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1924	WMIC.exe
Token: SeSecurityPrivilege	1924	WMIC.exe
Token: SeTakeOwnershipPrivilege	1924	WMIC.exe
Token: SeLoadDriverPrivilege	1924	WMIC.exe
Token: SeSystemProfilePrivilege	1924	WMIC.exe
Token: SeSystemtimePrivilege	1924	WMIC.exe
Token: SeProfSingleProcessPrivilege	1924	WMIC.exe
Token: SeIncBasePriorityPrivilege	1924	WMIC.exe
Token: SeCreatePagefilePrivilege	1924	WMIC.exe
Token: SeBackupPrivilege	1924	WMIC.exe
Token: SeRestorePrivilege	1924	WMIC.exe
Token: SeShutdownPrivilege	1924	WMIC.exe
Token: SeDebugPrivilege	1924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1924	WMIC.exe
Token: SeRemoteShutdownPrivilege	1924	WMIC.exe
Token: SeUndockPrivilege	1924	WMIC.exe
Token: SeManageVolumePrivilege	1924	WMIC.exe
Token: 33	1924	WMIC.exe
Token: 34	1924	WMIC.exe
Token: 35	1924	WMIC.exe
Token: 36	1924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1924	WMIC.exe
Token: SeSecurityPrivilege	1924	WMIC.exe
Token: SeTakeOwnershipPrivilege	1924	WMIC.exe
Token: SeLoadDriverPrivilege	1924	WMIC.exe
Token: SeSystemProfilePrivilege	1924	WMIC.exe
Token: SeSystemtimePrivilege	1924	WMIC.exe
Token: SeProfSingleProcessPrivilege	1924	WMIC.exe
Token: SeIncBasePriorityPrivilege	1924	WMIC.exe
Token: SeCreatePagefilePrivilege	1924	WMIC.exe
Token: SeBackupPrivilege	1924	WMIC.exe
Token: SeRestorePrivilege	1924	WMIC.exe
Token: SeShutdownPrivilege	1924	WMIC.exe
Token: SeDebugPrivilege	1924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1924	WMIC.exe
Token: SeRemoteShutdownPrivilege	1924	WMIC.exe
Token: SeUndockPrivilege	1924	WMIC.exe
Token: SeManageVolumePrivilege	1924	WMIC.exe
Token: 33	1924	WMIC.exe
Token: 34	1924	WMIC.exe
Token: 35	1924	WMIC.exe
Token: 36	1924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	732	WMIC.exe
Token: SeSecurityPrivilege	732	WMIC.exe
Token: SeTakeOwnershipPrivilege	732	WMIC.exe
Token: SeLoadDriverPrivilege	732	WMIC.exe
Token: SeSystemProfilePrivilege	732	WMIC.exe
Token: SeSystemtimePrivilege	732	WMIC.exe
Token: SeProfSingleProcessPrivilege	732	WMIC.exe
Token: SeIncBasePriorityPrivilege	732	WMIC.exe
Token: SeCreatePagefilePrivilege	732	WMIC.exe
Token: SeBackupPrivilege	732	WMIC.exe
Token: SeRestorePrivilege	732	WMIC.exe
Token: SeShutdownPrivilege	732	WMIC.exe
Token: SeDebugPrivilege	732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	732	WMIC.exe
Token: SeRemoteShutdownPrivilege	732	WMIC.exe
Token: SeUndockPrivilege	732	WMIC.exe
Token: SeManageVolumePrivilege	732	WMIC.exe
Token: 33	732	WMIC.exe
Token: 34	732	WMIC.exe
Token: 35	732	WMIC.exe
Token: 36	732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	732	WMIC.exe
Token: SeSecurityPrivilege	732	WMIC.exe
Token: SeTakeOwnershipPrivilege	732	WMIC.exe
Token: SeLoadDriverPrivilege	732	WMIC.exe
Token: SeSystemProfilePrivilege	732	WMIC.exe
Token: SeSystemtimePrivilege	732	WMIC.exe
Token: SeProfSingleProcessPrivilege	732	WMIC.exe
Token: SeIncBasePriorityPrivilege	732	WMIC.exe
Token: SeCreatePagefilePrivilege	732	WMIC.exe
Token: SeBackupPrivilege	732	WMIC.exe
Token: SeRestorePrivilege	732	WMIC.exe
Token: SeShutdownPrivilege	732	WMIC.exe
Token: SeDebugPrivilege	732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	732	WMIC.exe
Token: SeRemoteShutdownPrivilege	732	WMIC.exe
Token: SeUndockPrivilege	732	WMIC.exe
Token: SeManageVolumePrivilege	732	WMIC.exe
Token: 33	732	WMIC.exe
Token: 34	732	WMIC.exe
Token: 35	732	WMIC.exe
Token: 36	732	WMIC.exe

JavaScript code in executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ad96-44.dat	js
behavioral2/files/0x000100000001ad9f-62.dat	js

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZIHvZJhYf.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZIHvZJhYf.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar	java.exe

Blacklisted process makes network request 27 IoCs

flow	pid	Process
3	364	WScript.exe
12	364	WScript.exe
22	364	WScript.exe
25	364	WScript.exe
27	364	WScript.exe
28	364	WScript.exe
29	364	WScript.exe
30	364	WScript.exe
31	364	WScript.exe
32	364	WScript.exe
33	364	WScript.exe
34	364	WScript.exe
38	364	WScript.exe
41	364	WScript.exe
42	364	WScript.exe
43	364	WScript.exe
44	364	WScript.exe
45	364	WScript.exe
46	364	WScript.exe
47	364	WScript.exe
48	364	WScript.exe
49	364	WScript.exe
50	364	WScript.exe
51	364	WScript.exe
52	364	WScript.exe
53	364	WScript.exe
54	364	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings	WScript.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\mZIHvZJhYf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\mZIHvZJhYf.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mZIHvZJhYf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\mZIHvZJhYf.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2160	schtasks.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 364	716	WScript.exe	67
PID 716 wrote to memory of 364	716	WScript.exe	67
PID 716 wrote to memory of 3728	716	WScript.exe	68
PID 716 wrote to memory of 3728	716	WScript.exe	68
PID 3728 wrote to memory of 3808	3728	cmd.exe	70
PID 3728 wrote to memory of 3808	3728	cmd.exe	70
PID 716 wrote to memory of 3328	716	WScript.exe	71
PID 716 wrote to memory of 3328	716	WScript.exe	71
PID 3328 wrote to memory of 3560	3328	javaw.exe	73
PID 3328 wrote to memory of 3560	3328	javaw.exe	73
PID 3560 wrote to memory of 3840	3560	java.exe	75
PID 3560 wrote to memory of 3840	3560	java.exe	75
PID 3560 wrote to memory of 716	3560	java.exe	76
PID 3560 wrote to memory of 716	3560	java.exe	76
PID 3840 wrote to memory of 2160	3840	cmd.exe	79
PID 3840 wrote to memory of 2160	3840	cmd.exe	79
PID 716 wrote to memory of 1004	716	java.exe	80
PID 716 wrote to memory of 1004	716	java.exe	80
PID 716 wrote to memory of 1628	716	java.exe	82
PID 716 wrote to memory of 1628	716	java.exe	82
PID 1628 wrote to memory of 912	1628	cmd.exe	84
PID 1628 wrote to memory of 912	1628	cmd.exe	84
PID 716 wrote to memory of 1240	716	java.exe	85
PID 716 wrote to memory of 1240	716	java.exe	85
PID 1240 wrote to memory of 1464	1240	cmd.exe	87
PID 1240 wrote to memory of 1464	1240	cmd.exe	87
PID 716 wrote to memory of 1696	716	java.exe	88
PID 716 wrote to memory of 1696	716	java.exe	88
PID 1696 wrote to memory of 1924	1696	cmd.exe	90
PID 1696 wrote to memory of 1924	1696	cmd.exe	90
PID 716 wrote to memory of 2068	716	java.exe	91
PID 716 wrote to memory of 2068	716	java.exe	91
PID 2068 wrote to memory of 732	2068	cmd.exe	93
PID 2068 wrote to memory of 732	2068	cmd.exe	93

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ACCORD POUR COMMISSION A PRELEVER.PDF.vbs"
1⤵
- Modifies registry class
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mZIHvZJhYf.vbs"
  2⤵
  - Drops startup file
  - Blacklisted process makes network request
  - Adds Run key to start application
  PID:364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version
    3⤵
    PID:3808
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\ntfsmgr.jar"
    3⤵
    - Loads dropped DLL
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
        5⤵
        Creates scheduled task(s)
        
        PID:2160
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:716
    - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1004
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        6⤵
        
        PID:1924
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
        6⤵
        
        PID:732