611240aac244644d45c51422581837adea4624f130a238a4742646e83aa70c03

General

Target

PI 74995.vbs
Size

3.9MB
MD5

563105db91d8994ab88f7d73a64ad368
SHA1

bc9342d184d8e994bc971555c359435750a6fafa
SHA256

611240aac244644d45c51422581837adea4624f130a238a4742646e83aa70c03
SHA512

253a3154b4f02b8bce65cf2ccc147acaff8248220c2d92a5b18cca8db1017c9073bb897fe7df68c37821619dede586b5eab925f9b8e95301757d59023a7d06fb
SSDEEP

6144:wocsGPLYBciclsEveCx0ewEvagIXOJl8zjmQagZTR4RQlLCKqshj4Bz78i7Dlxr2:BcsGP8BciclBeq0envagfo

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2040	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1492	powershell.exe
1260	powershell.exe
1308	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2040	1172	WScript.exe	27
PID 1172 wrote to memory of 2040	1172	WScript.exe	27
PID 1172 wrote to memory of 2040	1172	WScript.exe	27
PID 2040 wrote to memory of 1492	2040	WScript.exe	28
PID 2040 wrote to memory of 1492	2040	WScript.exe	28
PID 2040 wrote to memory of 1492	2040	WScript.exe	28
PID 2040 wrote to memory of 1260	2040	WScript.exe	30
PID 2040 wrote to memory of 1260	2040	WScript.exe	30
PID 2040 wrote to memory of 1260	2040	WScript.exe	30
PID 2040 wrote to memory of 1784	2040	WScript.exe	34
PID 2040 wrote to memory of 1784	2040	WScript.exe	34
PID 2040 wrote to memory of 1784	2040	WScript.exe	34
PID 1784 wrote to memory of 1308	1784	cmd.exe	36
PID 1784 wrote to memory of 1308	1784	cmd.exe	36
PID 1784 wrote to memory of 1308	1784	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PI 74995.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PI 74995.vbs" /elevate
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension '.vbs'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\HGBJQ.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\TLGOV.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d6f827a6aebc744eadbe0d1b0df4d792

SHA1
85feaf5268b5395a29714777b4c36d4370209fce

SHA256
c7f642ceba952fe68b31381cf4017bead585b503a575aeaeb0ddd5b05f5bd1b1

SHA512
07ccaa66d1aadadf5bbf24bdd363e58470c4aff9599bb660e4484ee6970c2910691b81a34aa801a6e0dcdd902e9b11929b23fd473f91c1e3c7f8ddc71912f437

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d6f827a6aebc744eadbe0d1b0df4d792

SHA1
85feaf5268b5395a29714777b4c36d4370209fce

SHA256
c7f642ceba952fe68b31381cf4017bead585b503a575aeaeb0ddd5b05f5bd1b1

SHA512
07ccaa66d1aadadf5bbf24bdd363e58470c4aff9599bb660e4484ee6970c2910691b81a34aa801a6e0dcdd902e9b11929b23fd473f91c1e3c7f8ddc71912f437

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BL99HU6FI7KRS5VWHEQG.temp

Filesize
7KB

MD5
d6f827a6aebc744eadbe0d1b0df4d792

SHA1
85feaf5268b5395a29714777b4c36d4370209fce

SHA256
c7f642ceba952fe68b31381cf4017bead585b503a575aeaeb0ddd5b05f5bd1b1

SHA512
07ccaa66d1aadadf5bbf24bdd363e58470c4aff9599bb660e4484ee6970c2910691b81a34aa801a6e0dcdd902e9b11929b23fd473f91c1e3c7f8ddc71912f437

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\HGBJQ.cmd

Filesize
75B

MD5
c5b2a746a94b4cf0c9a40ed8885a3908

SHA1
36931a0308e8c3e0e2c1edf662dcf6ab776003fe

SHA256
6404bd84c173172805708cbf2787e2ebb77bd103749de3ca478f64cf4fa83ad7

SHA512
2a8cebe735af3978dfa2f08a52ec1b838503d49b50f4db53e67ee3d1b2624f64a3698c246bccfdfa14b88f87c308c7e887fa5e9027a39cef64f1160ec7482b0f

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\HGBJQ.cmd

Filesize
75B

MD5
c5b2a746a94b4cf0c9a40ed8885a3908

SHA1
36931a0308e8c3e0e2c1edf662dcf6ab776003fe

SHA256
6404bd84c173172805708cbf2787e2ebb77bd103749de3ca478f64cf4fa83ad7

SHA512
2a8cebe735af3978dfa2f08a52ec1b838503d49b50f4db53e67ee3d1b2624f64a3698c246bccfdfa14b88f87c308c7e887fa5e9027a39cef64f1160ec7482b0f

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\TLGOV.ps1

Filesize
465KB

MD5
89fe9611fe7be49531c043b617ddfdb9

SHA1
d174cedd5a7500c9692617004056448f79fea621

SHA256
d2cedd8d441c33fb80ca2d7b78b4d9a25805ac2fd6b7c743b7c0ad4865233364

SHA512
51bf5e0fd7ddcbf0ebdceaac1c2a730229278035ecf158e09831f535b44303e41c7cd7400bab1187e14f0cd2aafa12a1d430aca7e894736223e31b61fc81298e

Download Submit
memory/1260-69-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/1260-70-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1260-71-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1260-72-0x00000000028CB000-0x0000000002902000-memory.dmp

Filesize
220KB

Download
memory/1308-111-0x00000000025C4000-0x00000000025C7000-memory.dmp

Filesize
12KB

Download
memory/1308-112-0x00000000025CB000-0x0000000002602000-memory.dmp

Filesize
220KB

Download
memory/1492-58-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/1492-63-0x000000000295B000-0x0000000002992000-memory.dmp

Filesize
220KB

Download
memory/1492-59-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1492-62-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1492-61-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1492-60-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing