Analysis

  • max time kernel
    43s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-10-2024 09:16

General

  • Target

    Spedizione.vbs

  • Size

    4.4MB

  • MD5

    afaefcfba4a6f5052383156ce7f88efd

  • SHA1

    ac99a4ba88364136174b70b226881297144de96e

  • SHA256

    29a2f380dca14716c3e3c53da12df3d0b1fb5c3efd0d2b711d3de523a7273836

  • SHA512

    4fdb773189b885e11ce669b711c04777d8b29ab4a409e2a470fb13b37404eba02b8a9d55aada3a6c64df421d0ec0d7288acc4727055274945d17483cd5710e73

  • SSDEEP

    24576:lemjem3emOemsemyemDemTemHemnemmem2em+emTemXemBem6emFemWemRemiemH:i

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://rentry.co/m7ebw9yf/raw

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Deletes itself (1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Using powershell.exe command.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Spedizione.vbs"
    1⤵
    • Blocklisted process makes network request
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\WindowsUpdate\OOWZL.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsUpdate\ZARTD.ps1
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2396

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EDVRD.vbs

    Filesize

    274B

    MD5

    195a41212cca0c31b543169d52fe6074

    SHA1

    f55095c2b3d168f0e838532f1f27c59e054881d7

    SHA256

    ebc6fee593edbc90c45ea6abb4eec4aafa7691bd6b97ccf3526ce6d346d32beb

    SHA512

    6d4878fcf9c018cb6a1187b283668bd0fab1aaf1546cc17bcdf3fa1e9f79da0f2ab0d8ca70e683f6c8a502565e7536c3ae469c17379d7fa255c8172c30233fe3

  • C:\Users\Admin\AppData\Roaming\WindowsUpdate\OOWZL.cmd

    Filesize

    75B

    MD5

    c561282ed942d23889d0a4ed1222b87d

    SHA1

    3a201c4bbb160ee5c7089da864e018a1cdd2d02e

    SHA256

    c9b0ba912bfafe244f38d31f13070116bb105123083ff1f05ed6cad9eaa626fe

    SHA512

    bfc021f5d48d55aba88416340e996d7127993a349d23806fb64e715ad4840886e8d3af5a74745453f2d00e3b6fce22d8a34c312e2b3202bf6602be33b20067b3

  • C:\Users\Admin\AppData\Roaming\WindowsUpdate\ZARTD.ps1

    Filesize

    44KB

    MD5

    da1cd4da7e21802269e159912b864ee4

    SHA1

    d46e5ff9db8a7ac43555d2fd5607230209578c48

    SHA256

    2a1a67c8cf9037b6da4ebd9cfe8c1c076f7a6211dd4eba150f1df36a0450a39b

    SHA512

    788d55920f2cd21650baf4d4a54422e26b3edf374a1a4a438fd217930f4d66e3e8985e263a41586f6fa3fd2f032f9fa4e2fd41ba3067911781217da18d43bd44

  • memory/2396-50-0x0000000002620000-0x00000000026A0000-memory.dmp

    Filesize

    512KB

  • memory/2396-51-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2396-52-0x00000000025E0000-0x00000000025E8000-memory.dmp

    Filesize

    32KB

  • memory/2396-54-0x0000000002620000-0x00000000026A0000-memory.dmp

    Filesize

    512KB
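The process tree above (WScript.exe running the .vbs, spawning cmd.exe for OOWZL.cmd, which launches powershell.exe with -NoProfile -ExecutionPolicy Bypass on a script under %APPDATA%\WindowsUpdate) and the EDVRD.vbs dropped into the user's Startup folder are the two behaviours a defender would want to alert on. The following is an added example, not part of this report or of any sandbox's code: it scores constructed process-creation and file-create events modelled on Sysmon Event ID 1 and 11 fields, walks the parent chain, and flags a process when at least two independent indicators line up. The PIDs and command lines are copied from the tree above; the parent PID 1234, the benign control events, and the attribution of the Startup-folder write to PID 2396 are assumptions for the sample data.

```python
"""Lineage-based detection for script-host -> cmd -> PowerShell dropper chains.

Added example; the events below are constructed to mirror the report's process
tree and are not real telemetry.
"""
import re

# Constructed sample events (Sysmon Event ID 1 style). PIDs 2412/2292/2396 and
# their command lines come from the report; ppid 1234 and the last two benign
# events are assumptions used as a control group.
SAMPLE_EVENTS = [
    {"pid": 2412, "ppid": 1234, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Spedizione.vbs"'},
    {"pid": 2292, "ppid": 2412, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Roaming\WindowsUpdate\OOWZL.cmd" "'},
    {"pid": 2396, "ppid": 2292,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "
                r"C:\Users\Admin\AppData\Roaming\WindowsUpdate\ZARTD.ps1"},
    # Benign control: an interactive cmd.exe running an ordinary PowerShell query.
    {"pid": 3001, "ppid": 1234, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd"},
    {"pid": 3002, "ppid": 3001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
]

# Constructed file-create events (Sysmon Event ID 11 style). The report lists
# EDVRD.vbs as dropped but not which PID wrote it; attributing it to 2396 here
# is an assumption for the sample.
SAMPLE_FILE_EVENTS = [
    {"pid": 2396, "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                            r"\Start Menu\Programs\Startup\EDVRD.vbs"},
    {"pid": 3002, "target": r"C:\Users\Admin\Documents\report.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Flags that disable policy or profile loading, or hide the script body.
SUSPICIOUS_FLAGS = re.compile(r"-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile|-enc", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(events_by_pid, pid, max_depth=8):
    """Return [self, parent, grandparent, ...] as far as the event set allows."""
    chain = []
    while pid in events_by_pid and len(chain) < max_depth:
        ev = events_by_pid[pid]
        chain.append(ev)
        pid = ev["ppid"]
    return chain


def score_event(ev, chain):
    """Collect independent indicators for one process given its lineage."""
    reasons = []
    if basename(ev["image"]) in INTERPRETERS and SUSPICIOUS_FLAGS.search(ev["cmdline"]):
        reasons.append("interpreter launched with policy-bypass/no-profile/encoded flags")
    if USER_WRITABLE.search(ev["cmdline"]):
        reasons.append("script or payload path under user-writable AppData")
    ancestors = {basename(e["image"]) for e in chain[1:]}
    if ancestors & SCRIPT_HOSTS:
        reasons.append("script host (wscript/cscript) in process lineage")
    return reasons


def detect(events, min_reasons=2):
    """Alert on every process that accumulates at least min_reasons indicators."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        chain = lineage(by_pid, ev["pid"])
        reasons = score_event(ev, chain)
        if len(reasons) >= min_reasons:
            alerts.append({
                "pid": ev["pid"],
                "chain": " -> ".join(basename(e["image"]) for e in reversed(chain)),
                "reasons": reasons,
            })
    return alerts


def persistence_drops(file_events, alerts):
    """Startup-folder writes made by processes that already raised an alert."""
    flagged = {a["pid"] for a in alerts}
    return [fe["target"] for fe in file_events
            if fe["pid"] in flagged and STARTUP_DIR.search(fe["target"])]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"PID {a['pid']}: {a['chain']}")
        for r in a["reasons"]:
            print(f"    - {r}")
    for path in persistence_drops(SAMPLE_FILE_EVENTS, found):
        print(f"persistence: {path}")
```

Requiring two indicators keeps a lone `-ExecutionPolicy Bypass` from an administrator's console from firing, while the sandbox chain trips all three on the PowerShell stage and two on the cmd.exe stage. The lineage walk stops at whatever parent is missing from the event set, so run it over a window of events wide enough to include the script host, or the ancestry indicator silently drops out.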