107f096f783d657963bd20bb6fec8b13c9b3a06df1778a0298ec577bd4c5650c

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 14:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

informacje_dla_odbiorcy.vbs
Size

118KB
MD5

a94dde694f3f5945b27e4ff2e498cd5c
SHA1

21e4a8cfe9753ace59c4c838c71709a1ffd876ec
SHA256

107f096f783d657963bd20bb6fec8b13c9b3a06df1778a0298ec577bd4c5650c
SHA512

47a32deedb692589c0a5cf18cb4a2f6d47905d2a78080957388c4fd3701b2a37156dfce7e6608b2e296531ad691a82eed65a00161a20b34588839c3e3d6b9f14
SSDEEP

1536:ELlS2iigReDA/DAWu2uT6StMExVr9/kucUOgc9q/Kv7TfDSQEAmWW+DK/yfPo03m:LV19QS3BwJh05Jg

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
19	1012	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1012	powershell.exe
1012	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe
Token: SeDebugPrivilege	3800	whoami.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4668	4028	WScript.exe	83
PID 4028 wrote to memory of 4668	4028	WScript.exe	83
PID 4668 wrote to memory of 3004	4668	cmd.exe	88
PID 4028 wrote to memory of 2144	4028	WScript.exe	85
PID 4028 wrote to memory of 2144	4028	WScript.exe	85
PID 4668 wrote to memory of 3004	4668	cmd.exe	88
PID 4668 wrote to memory of 1012	4668	cmd.exe	87
PID 4668 wrote to memory of 1012	4668	cmd.exe	87
PID 4668 wrote to memory of 1012	4668	cmd.exe	87
PID 1012 wrote to memory of 3600	1012	powershell.exe	93
PID 1012 wrote to memory of 3600	1012	powershell.exe	93
PID 1012 wrote to memory of 3600	1012	powershell.exe	93
PID 1012 wrote to memory of 2920	1012	powershell.exe	95
PID 1012 wrote to memory of 2920	1012	powershell.exe	95
PID 1012 wrote to memory of 2920	1012	powershell.exe	95
PID 2920 wrote to memory of 1944	2920	csc.exe	96
PID 2920 wrote to memory of 1944	2920	csc.exe	96
PID 2920 wrote to memory of 1944	2920	csc.exe	96
PID 1012 wrote to memory of 3800	1012	powershell.exe	97
PID 1012 wrote to memory of 3800	1012	powershell.exe	97
PID 1012 wrote to memory of 3800	1012	powershell.exe	97
PID 1012 wrote to memory of 1956	1012	powershell.exe	100
PID 1012 wrote to memory of 1956	1012	powershell.exe	100
PID 1012 wrote to memory of 1956	1012	powershell.exe	100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\informacje_dla_odbiorcy.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type "C:\Users\Admin\AppData\Local\Temp\tmp_0000190000" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -c - & del /F "C:\Users\Admin\AppData\Local\Temp\tmp_000000007" & del /F "C:\Users\Admin\AppData\Local\Temp\tmp_0000190000"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -c -
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\tmp_000000007
      4⤵
      PID:3600
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qxogrqo0\qxogrqo0.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6A0.tmp" "c:\Users\Admin\AppData\Local\Temp\qxogrqo0\CSC89E70EFFE83A4D94A9282113EB71E325.TMP"
        5⤵
        
        PID:1944
  - - C:\Windows\SysWOW64\whoami.exe
      "C:\Windows\system32\whoami.exe" /groups /fo csv
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3800
  - - C:\Windows\SysWOW64\HOSTNAME.EXE
      "C:\Windows\system32\HOSTNAME.EXE"
      4⤵
      PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\tmp_0000190000" "
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_0000000024.bat" "
  2⤵
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA6A0.tmp

Filesize
1KB

MD5
25faaa803d6b865986d5400aff9260da

SHA1
35cdbf64f0363bd8632261c34281c1620cba5eb0

SHA256
5e6a1ea0f692d17ac9781c29c5c0543e6ff5955cb6b91f8ee308835c9239322c

SHA512
05911f25b135e5e47e2833037260891bb93f640fdc01d0b145bc323fdae706a00a23a5eb27cfe703df498c19f33f9513e31ca50b0c9afc9099cbcf208019438f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjbsngjn.ego.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxogrqo0\qxogrqo0.dll

Filesize
3KB

MD5
f9e69b7fa754b3f19076c8b54fb04c90

SHA1
b8b464beccba4d13b3175356a37d24e5b00f0e1e

SHA256
032cf83d8d63597c847414dfc6ec1f3adf43daef64f69c908575bd7b9a53dd85

SHA512
fb93ce84c68ab8f446b354471fa10bc6f8550eefc5623949fed39a8367db4d67ccef39eb323483f0a730b18c8e7a229c383943015a75785e86d5445c19a0ba3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_0000000024.bat

Filesize
226B

MD5
cd823a4db2fb870ea2e983faa9644200

SHA1
ef92355c24fbb0a7e023588952eeaf96f8fd5f72

SHA256
900266cf668139e547c9dcc6bc7edd29312ae77403677268ffadf423c2037d94

SHA512
02960eb8ade22debb540381c2963e48de827a48bf2a6138158ce2c72f8a500079f0e6d6cb5640cd9efae973c68e06765060e52b8784ac3276d4b70c07225c10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_000000007

Filesize
11KB

MD5
db2581ddf91bc900a33c8b1a5ae056be

SHA1
3e17bdc1d1179727223cf15034a259b2c50cca0d

SHA256
e3d74d151907e1746b17712763e3fc520961df6099fd36b64dca3ea89c52d40d

SHA512
a3efec4e6c6e6caf38ffefab98b2d895f45e3e2d32e26bc8bf9416b59e858f60cd598a222db8c4e83a735975537512ccb2d202c0f69c3ed798a63702a3b3bead

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_0000190000

Filesize
256B

MD5
0f4084b03c944fcb5d95a0ff136df032

SHA1
ab885e39092a9569049ffd0442c0758ee1b42563

SHA256
327e82c702ee10d8c5d2a244eda6d4f6ff35620d64c194366c90321ab311dd79

SHA512
fed0492fce24ee3642a5b1f5c5801000925478dba5044b1cb5ee14966d56a4c8ecdd6b6c0af19b5efe26c40eeb90e464bca62711164fe613e7dbc72ea6fc08aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qxogrqo0\CSC89E70EFFE83A4D94A9282113EB71E325.TMP

Filesize
652B

MD5
16e93f06e4db831333e72b850f10ccbd

SHA1
73daa828ed11602cbba5d4f5fe275b99831a590b

SHA256
d2dc23418d851407503c3d70a5b1ac604b1fc8dd9d8455df9d5fbef82e198f9e

SHA512
90093fe300670dc8659a1696edd4da90d050c3a27fe340e13e0d0eb20e2cc7c6e2eae4752522e734bcfdbcb6a52ceea926522089869b8746b2e30122b2fae2ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qxogrqo0\qxogrqo0.0.cs

Filesize
898B

MD5
b43e69d49838de1e4bb370d7a36f3b8c

SHA1
b1978904857f608d6405207f0745b1e281ec2a6e

SHA256
ac96c2503551af5bbe56e8d23a3f3d2793a6a9141a99768ce3879784357943fe

SHA512
582cb2c72a233d73c3e1267d8b4c6942f9ee8a30fb5670eff9e8a98357569f65bb13f7f2c795ebac8c77ee86f2f0f35e68c4dd444b66dbb1ee58179666756458

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qxogrqo0\qxogrqo0.cmdline

Filesize
369B

MD5
15f81da13df0d3fd492195c062b444b2

SHA1
e7893f2f7851f7fbf32be67a07ef08ac9e56d546

SHA256
581f9efedcb70b3b89d2684269d6f9861758beacaf54a9b5fac3c93a109b969b

SHA512
36b77eb35ce199307e98376219e9c94cf249cebd26e27393a57a499d87a0ab617a1f7376d65e47b2cc0586510212d8f2c402c5c975929c52818a0131521c3176

Download Submit
memory/1012-29-0x0000000007D40000-0x0000000007D5A000-memory.dmp

Filesize
104KB

Download
memory/1012-36-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/1012-24-0x00000000069C0000-0x00000000069DE000-memory.dmp

Filesize
120KB

Download
memory/1012-25-0x0000000007B20000-0x0000000007B64000-memory.dmp

Filesize
272KB

Download
memory/1012-26-0x0000000007CA0000-0x0000000007D16000-memory.dmp

Filesize
472KB

Download
memory/1012-27-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/1012-28-0x00000000083A0000-0x0000000008A1A000-memory.dmp

Filesize
6.5MB

Download
memory/1012-13-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/1012-12-0x00000000060F0000-0x0000000006112000-memory.dmp

Filesize
136KB

Download
memory/1012-11-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/1012-10-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/1012-14-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/1012-9-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/1012-7-0x00000000053C0000-0x00000000053F6000-memory.dmp

Filesize
216KB

Download
memory/1012-8-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/1012-45-0x0000000007F80000-0x0000000008016000-memory.dmp

Filesize
600KB

Download
memory/1012-46-0x0000000007F10000-0x0000000007F32000-memory.dmp

Filesize
136KB

Download
memory/1012-47-0x0000000008FD0000-0x0000000009574000-memory.dmp

Filesize
5.6MB

Download
memory/1012-48-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/1012-49-0x0000000008220000-0x00000000082B2000-memory.dmp

Filesize
584KB

Download
memory/1012-50-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/1012-51-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/1012-54-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download