guloader | 48b07fec2d947bc75df7b3f4af67f51ceeb1a5956097442d9bafc7ee027237e8

General

Target

ap_remittance.exe
Size

390KB
MD5

2469f8893f0b33e769b1a8cdb84baa57
SHA1

d64d31c1312ce383bcfe24714309a1bd0fa63067
SHA256

48b07fec2d947bc75df7b3f4af67f51ceeb1a5956097442d9bafc7ee027237e8
SHA512

af1fdd170170f1b59571d1a4a5b2d8cc66bb002c76eaa92ea540591a18a0225d47a6015cf94976edb544de96625c0eebd54f39ddb401d9fc024026f2773e40ad
SSDEEP

6144:wY2Celn4yXJReJ9hoFVZv/qeYDPM17by0A3J2V5eIU2k1XziFLq+E:3yXJM5oFVZv/rKMbyDgVxsF

Score

10^/10

guloader discovery downloader spyware stealer

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

cmstp.exe

flow pid process

18 1276 cmstp.exe

flow	pid	process
18	1276	cmstp.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ap_remittance.exeap_remittance.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ap_remittance.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ap_remittance.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ap_remittance.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	ap_remittance.exe

Loads dropped DLL 2 IoCs

Processes:

ap_remittance.execmstp.exe

pid process

2004 ap_remittance.exe
1276 cmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

ap_remittance.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Vehikel\Unitternes.ini ap_remittance.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ap_remittance.exe

pid process

1124 ap_remittance.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

ap_remittance.exeap_remittance.exe

pid process

2004 ap_remittance.exe
1124 ap_remittance.exe

pid	process
2004	ap_remittance.exe
1276	cmstp.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Vehikel\Unitternes.ini	ap_remittance.exe

pid	process
2004	ap_remittance.exe
1124	ap_remittance.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ap_remittance.exeap_remittance.execmstp.exe

description	pid	process	target process
PID 2004 set thread context of 1124	2004	ap_remittance.exe	ap_remittance.exe
PID 1124 set thread context of 1372	1124	ap_remittance.exe	Explorer.EXE
PID 1276 set thread context of 1372	1276	cmstp.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

ap_remittance.exe

description ioc process

File opened for modification C:\Windows\Wiros\Slippages\Propyls.ini ap_remittance.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Wiros\Slippages\Propyls.ini	ap_remittance.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ap_remittance.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ap_remittance.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ap_remittance.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ap_remittance.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ap_remittance.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ap_remittance.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ap_remittance.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ap_remittance.execmstp.exe

pid	process
1124	ap_remittance.exe
1124	ap_remittance.exe
1124	ap_remittance.exe
1124	ap_remittance.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

ap_remittance.exeap_remittance.execmstp.exe

pid process

2004 ap_remittance.exe
1124 ap_remittance.exe
1124 ap_remittance.exe
1124 ap_remittance.exe
1276 cmstp.exe
1276 cmstp.exe
1276 cmstp.exe
1276 cmstp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ap_remittance.execmstp.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1124 ap_remittance.exe
Token: SeDebugPrivilege 1276 cmstp.exe
Token: SeShutdownPrivilege 1372 Explorer.EXE

pid	process
1372	Explorer.EXE

pid	process
2004	ap_remittance.exe
1124	ap_remittance.exe
1124	ap_remittance.exe
1124	ap_remittance.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe
1276	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	1124	ap_remittance.exe
Token: SeDebugPrivilege	1276	cmstp.exe
Token: SeShutdownPrivilege	1372	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ap_remittance.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 2004 wrote to memory of 1124	2004	ap_remittance.exe	ap_remittance.exe
PID 2004 wrote to memory of 1124	2004	ap_remittance.exe	ap_remittance.exe
PID 2004 wrote to memory of 1124	2004	ap_remittance.exe	ap_remittance.exe
PID 2004 wrote to memory of 1124	2004	ap_remittance.exe	ap_remittance.exe
PID 2004 wrote to memory of 1124	2004	ap_remittance.exe	ap_remittance.exe
PID 1372 wrote to memory of 1276	1372	Explorer.EXE	cmstp.exe
PID 1372 wrote to memory of 1276	1372	Explorer.EXE	cmstp.exe
PID 1372 wrote to memory of 1276	1372	Explorer.EXE	cmstp.exe
PID 1372 wrote to memory of 1276	1372	Explorer.EXE	cmstp.exe
PID 1372 wrote to memory of 1276	1372	Explorer.EXE	cmstp.exe
PID 1372 wrote to memory of 1276	1372	Explorer.EXE	cmstp.exe
PID 1372 wrote to memory of 1276	1372	Explorer.EXE	cmstp.exe
PID 1276 wrote to memory of 888	1276	cmstp.exe	Firefox.exe
PID 1276 wrote to memory of 888	1276	cmstp.exe	Firefox.exe
PID 1276 wrote to memory of 888	1276	cmstp.exe	Firefox.exe
PID 1276 wrote to memory of 888	1276	cmstp.exe	Firefox.exe
PID 1276 wrote to memory of 888	1276	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\ap_remittance.exe
"C:\Users\Admin\AppData\Local\Temp\ap_remittance.exe"
2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\ap_remittance.exe
"C:\Users\Admin\AppData\Local\Temp\ap_remittance.exe"
3⤵
- Checks QEMU agent file
- Checks computer location settings
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstED8C.tmp\System.dll
Filesize
11KB

MD5
b8992e497d57001ddf100f9c397fcef5

SHA1
e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

SHA512
8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
849KB

MD5
87f9e5a6318ac1ec5ee05aa94a919d7a

SHA1
7a9956e8de89603dba99772da29493d3fd0fe37d

SHA256
7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c

SHA512
c45c03176142918e34f746711e83384572bd6a8ed0a005600aa4a18cf22eade06c76eda190b37db49ec1971c4649e086affd19eee108c5f405df27c0c8cb23d2

Download Submit
memory/1124-79-0x0000000031950000-0x0000000031960000-memory.dmp

Filesize
64KB

Download
memory/1124-85-0x0000000001470000-0x0000000001EFD000-memory.dmp

Filesize
10.6MB

Download
memory/1124-60-0x00000000004030D9-mapping.dmp

Download
memory/1124-84-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1124-83-0x0000000077290000-0x0000000077410000-memory.dmp

Filesize
1.5MB

Download
memory/1124-63-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1124-76-0x0000000077290000-0x0000000077410000-memory.dmp

Filesize
1.5MB

Download
memory/1124-65-0x0000000001470000-0x0000000001EFD000-memory.dmp

Filesize
10.6MB

Download
memory/1124-66-0x00000000770B0000-0x0000000077259000-memory.dmp

Filesize
1.7MB

Download
memory/1124-69-0x0000000077290000-0x0000000077410000-memory.dmp

Filesize
1.5MB

Download
memory/1124-78-0x00000000324D0000-0x00000000327D3000-memory.dmp

Filesize
3.0MB

Download
memory/1124-71-0x0000000001470000-0x0000000001EFD000-memory.dmp

Filesize
10.6MB

Download
memory/1124-72-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1124-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-74-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1124-77-0x0000000000401000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1276-81-0x0000000000000000-mapping.dmp

Download
memory/1276-86-0x00000000009C0000-0x00000000009D8000-memory.dmp

Filesize
96KB

Download
memory/1276-91-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1276-89-0x0000000000910000-0x000000000099F000-memory.dmp

Filesize
572KB

Download
memory/1276-88-0x0000000001F70000-0x0000000002273000-memory.dmp

Filesize
3.0MB

Download
memory/1276-87-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1372-90-0x00000000063F0000-0x00000000064C8000-memory.dmp

Filesize
864KB

Download
memory/1372-80-0x0000000007180000-0x0000000007272000-memory.dmp

Filesize
968KB

Download
memory/1372-93-0x00000000063F0000-0x00000000064C8000-memory.dmp

Filesize
864KB

Download
memory/2004-61-0x0000000077290000-0x0000000077410000-memory.dmp

Filesize
1.5MB

Download
memory/2004-57-0x00000000770B0000-0x0000000077259000-memory.dmp

Filesize
1.7MB

Download
memory/2004-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/2004-62-0x0000000077290000-0x0000000077410000-memory.dmp

Filesize
1.5MB

Download
memory/2004-64-0x0000000003F30000-0x00000000049BD000-memory.dmp

Filesize
10.6MB

Download
memory/2004-75-0x0000000077290000-0x0000000077410000-memory.dmp

Filesize
1.5MB

Download
memory/2004-70-0x0000000077290000-0x0000000077410000-memory.dmp

Filesize
1.5MB

Download
memory/2004-56-0x0000000003F30000-0x00000000049BD000-memory.dmp

Filesize
10.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads